H06.09 Software Installation and Upgrade Guide

H06.09 Installation, Migration, and Fallback Considerations
H06.09 Software Installation and Upgrade Guide, 544316-002, page 2-17
New Safeguard Attribute Defaults
The default values of certain attributes have been changed in the H03 version of
Safeguard and Standard Security in order to increase the “out of box” password
security. Customers who do not wish to adopt the new defaults can follow the normal
migration steps for Safeguard. Customers using Standard Security alone are impacted
by this change.
Attributes specific to Safeguard configuration are:

| Attribute | Previous Default Value | New Default Value |
|---|---|---|
| PASSWORD-ENCRYPT | OFF | ON |
| PASSWORD-MINIMUM-LENGTH | 0 | 6 |

Attributes specific to the PASSWORD utility of Standard Security are:

| Attribute | Previous Default Value | New Default Value |
|---|---|---|
| ENCRYPTPASSWORD | OFF | ON |
| MINPASSWORDLEN | 0 | 6 |
| PROMPTPASSWORD | OFF | BLIND |

All attributes are applied as each user changes their password.

Safeguard Password Encryption
The H03 and later versions of Safeguard and Standard Security improve the cryptographic protection of user passwords in Integrity NonStop server environments.
If PASSWORD-ALGORITHM is DES or PASSWORD-ENCRYPT is OFF, the password (DES-encrypted or in clear text, respectively) is written to both the existing L/USERID file and the new L/USERAX file. This approach allows for direct fallback to prior versions of Safeguard and Standard Security.
If you enable the new HMAC256 encryption option, each subsequently changed password is encrypted using HMAC with the SHA256 algorithm and stored in L/USERAX. Because earlier versions of the security products do not understand HMAC, fallback requires extra steps. For additional information, see Fallback in a Safeguard Environment on page 2-18 and Fallback With Standard Security (Safeguard Not Installed) on page 2-19.
To assist fallback after PASSWORD-ALGORITHM is set to HMAC256, the DES or clear text version of each preexisting password is retained in L/USERID. When users change their password, the old password in L/USERID is marked as expired as of that date. For a new user added to the system after the algorithm is changed to HMAC256, the password in the L/USERID file is deleted.
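
The storage rules in the Safeguard Password Encryption section can be modelled to see which users a fallback would affect. This is an added illustration, not code from Safeguard or from this guide; it tracks only which form of each password sits in which file, and the class, status labels, user names and dates are constructed assumptions.

```python
from dataclasses import dataclass, field

@dataclass
class PasswordStore:
    """Toy model of L/USERID and L/USERAX; records password form, not real data."""
    algorithm: str = "DES"   # PASSWORD-ALGORITHM: "DES" or "HMAC256"
    encrypt: bool = True     # PASSWORD-ENCRYPT: ON (True) or OFF (False)
    userid: dict = field(default_factory=dict)  # L/USERID: user -> (form, expired_on)
    userax: dict = field(default_factory=dict)  # L/USERAX: user -> form

    def set_password(self, user, date, new_user=False):
        # Per the guide: DES or PASSWORD-ENCRYPT OFF writes both files.
        if self.algorithm == "DES" or not self.encrypt:
            form = "DES" if self.encrypt else "CLEAR"
            self.userid[user] = (form, None)
            self.userax[user] = form
            return
        # HMAC256 mode: the new password goes to L/USERAX only.
        self.userax[user] = "HMAC256"
        if new_user:
            self.userid.pop(user, None)  # no legacy password is kept for new users
        elif user in self.userid:
            form, expired = self.userid[user]
            # Assumption: a later change keeps the first expiry date.
            self.userid[user] = (form, expired or date)

    def fallback_report(self):
        """Classify what an older release would find in L/USERID for each user."""
        report = {}
        for user in sorted(self.userax):
            entry = self.userid.get(user)
            if entry is None:
                report[user] = "missing"              # no usable legacy password
            elif entry[1] is not None:
                report[user] = f"expired {entry[1]}"  # old password, marked expired
            else:
                report[user] = "current"              # direct fallback works
        return report

def demo():
    store = PasswordStore()                        # DES, encryption ON
    store.set_password("ADMIN.ALICE", "2024-01-10", new_user=True)
    store.set_password("OPS.BOB", "2024-01-11", new_user=True)
    store.algorithm = "HMAC256"                    # administrator enables HMAC256
    store.set_password("OPS.BOB", "2024-03-01")    # existing user changes password
    store.set_password("DEV.CAROL", "2024-03-02", new_user=True)
    return store.fallback_report()

if __name__ == "__main__":
    for user, status in demo().items():
        print(f"{user:12} {status}")
```

Users reported as expired or missing are the ones the extra fallback steps on pages 2-18 and 2-19 have to account for.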