H06.25 Software Installation and Upgrade Guide

Safeguard Password Encryption
The H03 and later versions of Safeguard and Standard Security improve the cryptographic protection
of user passwords in NonStop server environments.
If PASSWORD-ALGORITHM is DES or PASSWORD-ENCRYPT is OFF, the password (DES-encrypted
or in clear text, respectively) is written to both the existing L/USERID and the new L/USERAX files.
This approach allows for direct fallback to prior versions of Safeguard and Standard Security.
If you enable the new HMAC256 encryption option, each subsequently changed password is
encrypted using HMAC with the SHA256 algorithm and stored in L/USERAX. Because earlier
versions of the security products do not understand HMAC, fallback requires extra steps. For
additional information, see and “Fallback With Standard Security (Safeguard Not Installed)”
(page 47). To assist fallback after PASSWORD-ALGORITHM is set to HMAC256, the DES or clear
text version of each preexisting password is retained in L/USERID. When users change their
password, the old password in L/USERID is marked as expired as of that date. For a new user
added to the system after the algorithm is changed to HMAC256, the password in the L/USERID file
is deleted.
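The storage rules in this section can be modelled to see, before a fallback, what each user's L/USERID entry will contain. The following is an added illustration, not HPE code: the record fields, event tuples, status labels, starting settings and user names are hypothetical, and it models only the behaviour stated above.

```python
from dataclasses import dataclass
from typing import Optional

@dataclass
class Record:
    userid: Optional[str] = None   # form held in L/USERID: "des", "clear" or None
    userid_expired: bool = False   # L/USERID copy marked as expired
    userax: Optional[str] = None   # form held in L/USERAX

def store_password(rec, algorithm, encrypt, new_user):
    """Apply one password write under the current settings."""
    if not encrypt or algorithm == "DES":
        # Clear text or DES: the same value goes to both files.
        form = "des" if encrypt else "clear"
        rec.userid, rec.userid_expired, rec.userax = form, False, form
        return
    # HMAC256: only L/USERAX receives the new password.
    rec.userax = "hmac256"
    if new_user:
        rec.userid = None            # no legacy copy exists for this user
    else:
        rec.userid_expired = True    # pre-existing copy retained, marked expired

def replay(events):
    """Replay ("set", algorithm, encrypt) and ("add"|"change", user) events."""
    algorithm, encrypt, users = "DES", True, {}   # assumed starting settings
    for ev in events:
        if ev[0] == "set":
            _, algorithm, encrypt = ev
        else:
            rec = users.setdefault(ev[1], Record())
            store_password(rec, algorithm, encrypt, new_user=(ev[0] == "add"))
    return users

def fallback_status(rec):
    """What a release that predates L/USERAX would find in L/USERID."""
    if rec.userid is None:
        return "no-legacy-password"
    return "retained-expired" if rec.userid_expired else "current"

# Constructed timeline; user names are invented.
TIMELINE = [
    ("set", "DES", True),
    ("add", "OPS.ALICE"), ("add", "OPS.BOB"),
    ("set", "HMAC256", True),
    ("change", "OPS.ALICE"),
    ("add", "OPS.CAROL"),
]

if __name__ == "__main__":
    for name, rec in replay(TIMELINE).items():
        print(f"{name:10} USERID={rec.userid} USERAX={rec.userax} -> {fallback_status(rec)}")
```

Users reported as retained-expired are the ones who must remember the password they used before their first change under HMAC256.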
Migration in a Safeguard Environment
The following procedure is intended to handle any unexpected failures that might occur during
Safeguard migration. The procedure preserves the user/password database, which is necessary
to restore the original system user/alias database.
1. Use VPROC to determine the current versions of OSMP, OSMON, SAFEART, and SAFECOM.
2. Back up current Safeguard files ($*.SAFE.*, $SYSTEM.SYSTEM.USERID, and
$SYSTEM.SYSTEM.USERAX).
3. Use SAFECOM to build an OBEY file to save the current policy. To create an OBEY file, do
the following in SAFECOM:
    TACL> safecom/out $system.safe.safevalu/
    =display as commands on
    =info safeguard, detail
The output from these commands is retained in a file named SAFEVALU located in
$SYSTEM.SAFE.
4. To restore the original settings, run the OBEY file SAFEVALU, created in step 3, in SAFECOM.
If you do not follow the preceding migration steps and you do not want to accept the new default
values, then after the new version is installed, use SAFECOM to modify the appropriate attributes.
For more details, see the Safeguard Administrator's Manual.
Fallback in a Safeguard Environment
Because of the new password encryption algorithm, fallback requires advance planning.
In all cases, fall back to the previous version of security software.
If PASSWORD-ENCRYPT is OFF or PASSWORD-ALGORITHM is set to DES, no extra fallback steps
are required.
If PASSWORD-ENCRYPT is HMAC256, extra fallback steps are required. When users first change
their password after HMAC256 is enabled, they must remember their immediate previous password.
This is especially important for the system administrator. After installing the previous version of
Safeguard and Standard Security:
46 Installation, Migration, and Fallback Considerations