H06.06 Release Version Update Compendium

Manageability Products
H06.06 Release Version Update Compendium 542486-001
Encryption
If PASSWORD-ALGORITHM is set to DES or PASSWORD-ENCRYPT is set to OFF,
the password (DES-encrypted or in clear text, respectively) is written to both the
existing L/USERID and the new L/USERAX files. This approach allows for direct
fallback to earlier versions of Safeguard and Standard Security.
If you enable the new HMAC256 encryption option, each subsequently changed
password is encrypted using HMAC with the SHA256 algorithm and stored in
L/USERAX. Because earlier versions of the security products do not understand
HMAC, fallback requires extra steps. For additional information, see "Fallback in a
Safeguard Environment" on page 6-3 and "Fallback With Standard Security (Safeguard
Not Installed)" on page 6-3.
To assist fallback after PASSWORD-ALGORITHM is set to HMAC256, the DES or
clear-text version of each preexisting password is retained in L/USERID. When you
change your password, the old password in L/USERID is marked as expired as of that
date. For a new user added to the system after the algorithm is changed to HMAC256,
the password in the L/USERID file is no longer retained.
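
The storage rules above can be modeled to see which users an earlier version would still find in L/USERID after the switch to HMAC256. This is an added example, not HP or Safeguard code: the class and function names, record fields, HMAC key and message layout, user names, and dates are all constructed assumptions, and DES itself is not computed.

```python
import hashlib
import hmac
from dataclasses import dataclass, field

@dataclass
class PasswordStore:
    """Toy model of the two password files; not Safeguard's on-disk format."""
    algorithm: str = "DES"                      # PASSWORD-ALGORITHM
    encrypt: bool = True                        # PASSWORD-ENCRYPT (False = OFF)
    userid: dict = field(default_factory=dict)  # models L/USERID
    userax: dict = field(default_factory=dict)  # models L/USERAX

    def set_password(self, user, password, date, key=b"constructed-demo-key"):
        if self.encrypt and self.algorithm == "HMAC256":
            # Assumption: the key and message layout are invented for this model.
            mac = hmac.new(key, f"{user}:{password}".encode(), hashlib.sha256)
            self.userax[user] = {"form": "HMAC256", "value": mac.hexdigest()}
            if user in self.userid:
                # The preexisting legacy copy stays but is marked expired.
                self.userid[user]["expired_on"] = date
            return
        # DES or clear text: the same record goes to both files.
        form = "DES" if self.encrypt else "CLEAR"
        value = "<des-ciphertext>" if self.encrypt else password  # DES not computed
        for store_file in (self.userid, self.userax):
            store_file[user] = {"form": form, "value": value, "expired_on": None}

def fallback_report(store):
    """Classify users by what an earlier version would find in L/USERID."""
    report = {"current": [], "expired": [], "missing": []}
    for user in sorted(store.userax):
        legacy = store.userid.get(user)
        if legacy is None:
            report["missing"].append(user)    # added after the switch
        elif legacy["expired_on"]:
            report["expired"].append(user)    # changed after the switch
        else:
            report["current"].append(user)    # unchanged since the switch
    return report

def demo():
    store = PasswordStore()                   # constructed users and dates
    store.set_password("ADMIN.ALICE", "old-pw-1", "2006-01-10")
    store.set_password("OPS.BOB", "old-pw-2", "2006-01-11")
    store.algorithm = "HMAC256"
    store.set_password("OPS.BOB", "new-pw-2", "2006-03-01")
    store.set_password("DEV.CAROL", "pw-3", "2006-03-02")
    return store, fallback_report(store)

if __name__ == "__main__":
    print(demo()[1])
```

The "expired" and "missing" groups are the users for whom fallback needs the extra steps the text refers to; the "current" and "expired" groups still have a DES or clear-text copy on disk.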
Migration in a Safeguard Environment
Follow these migration steps:
1. Use VPROC to determine the current versions of:
   - OSMP
   - OSMON
   - SAFEART
   - SAFECOM
2. Back up current Safeguard files ($*.SAFE.* and $SYSTEM.SYSTEM.USERID).
3. Use SAFECOM to build an OBEY file to save the current policy. To create an
OBEY file, perform these steps in SAFECOM:

   TACL> safecom/out $system.safe.safevalu/
   =display as commands on
   =info safeguard, detail

The output from these commands is retained in a file named SAFEVALU located at
$SYSTEM.SAFE.
4. When the new version of Safeguard is installed and you want to retain your original
Safeguard values, use SAFECOM to obey the SAFEVALU file created in Step 3.
If you do not follow these migration steps or if you do not want to accept the new
default values, use SAFECOM to modify the appropriate attributes after the new
version is installed.
For more details, see Chapter 10 of the Safeguard Administrator's Manual.