G06.31 Software Installation and Upgrade Guide—544626-002
G06.31 Installation and Fallback Alerts
2-18
Safeguard Password Enhancements (G06.29)
Attributes specific to the PASSWORD utility of Standard Security are:
All attributes are applied as each user changes their password.
Password Encryption
If PASSWORD-ALGORITHM is DES or PASSWORD-ENCRYPT is OFF, the password
(DES-encrypted or in clear text, respectively) is written to both the existing L/USERID
and the new L/USERAX files. This approach allows for direct fallback to earlier
versions of Safeguard and Standard Security.
If you enable the new HMAC256 encryption option, each subsequently changed
password is encrypted using HMAC with the SHA256 algorithm and stored in
L/USERAX. Because earlier versions of the security products do not understand
HMAC, fallback requires extra steps. For additional information, see Fallback
Considerations on page 2-19 and Fallback With Standard Security (Safeguard Not
Installed) on page 2-20. To assist fallback after PASSWORD-ALGORITHM is set to
HMAC256, the DES or clear-text version of each preexisting password is retained in
L/USERID. When users change their password, the old password in L/USERID is
marked as expired as of that date. For a new user added to the system after the
algorithm is changed to HMAC256, the password in the L/USERID file is deleted.
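As an added illustration (not code from this guide or from Safeguard), the following Python model tracks what L/USERID and L/USERAX hold as passwords change before and after PASSWORD-ALGORITHM is set to HMAC256, covering the DES case only. The HMAC key, the record layout, the user names, and the "legacy:" stand-in for the DES form are assumptions made for the example.

```python
import hashlib
import hmac
from dataclasses import dataclass, field

# Assumption: key and record layout are placeholders. The guide does not say
# how Safeguard keys the HMAC or lays out L/USERID and L/USERAX.
DEMO_KEY = b"constructed-demo-key"

@dataclass
class Stores:
    algorithm: str = "DES"                        # PASSWORD-ALGORITHM setting
    userid: dict = field(default_factory=dict)    # models L/USERID
    userax: dict = field(default_factory=dict)    # models L/USERAX

    def set_password(self, user, password, new_user=False):
        if self.algorithm == "HMAC256":
            digest = hmac.new(DEMO_KEY, password.encode(), hashlib.sha256).hexdigest()
            self.userax[user] = {"form": "HMAC256", "value": digest}
            if new_user:
                self.userid.pop(user, None)           # no password kept in L/USERID
            elif user in self.userid:
                self.userid[user]["expired"] = True   # old password kept, marked expired
        else:
            # DES: the same value goes to both files, so direct fallback works.
            rec = {"form": "DES", "value": "legacy:" + password}  # stand-in, not real DES
            self.userid[user] = dict(rec, expired=False)
            self.userax[user] = dict(rec)

    def fallback_report(self):
        # What an earlier release, which reads only L/USERID, would find per user.
        report = {}
        for user in sorted(set(self.userid) | set(self.userax)):
            legacy = self.userid.get(user)
            if legacy is None:
                report[user] = "no password in L/USERID"
            elif legacy["expired"]:
                report[user] = "old password in L/USERID, expired"
            else:
                report[user] = "current password in L/USERID"
        return report

def demo():
    s = Stores()
    s.set_password("ADMIN.ALICE", "first-Pass1")      # constructed users and passwords
    s.set_password("OPS.BOB", "second-Pass2")
    s.algorithm = "HMAC256"                           # algorithm switched
    s.set_password("OPS.BOB", "third-Pass3")          # existing user changes password
    s.set_password("DEV.CAROL", "fourth-Pass4", new_user=True)
    return s.fallback_report()
```

Running demo() groups users by what L/USERID still holds, which is the inventory to review before planning a fallback.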
Migration Considerations
The following procedure is intended to handle any unexpected failures that might occur
during Safeguard migration. The procedure preserves the user/password database,
which is necessary to restore the original system user/alias database.
1. Use VPROC to determine the current versions of:
   • OSMP
   • OSMON
   • SAFEART
   • SAFECOM
2. Back up current Safeguard files ($*.SAFE.*, $SYSTEM.SYSTEM.USERID, and
$SYSTEM.SYSTEM.USERAX).
3. Use SAFECOM to build an OBEY file to save the current policy. To create an
OBEY file, enter these SAFECOM commands:
TACL> safecom/out $system.saef.safevalu
=display as commands on
=info safeguard, detail
Standard Security PASSWORD utility attributes:

Attribute         Previous Default Value   New Default Value
ENCRYPTPASSWORD   OFF                      ON
MINPASSWORDLEN    0                        6
PROMPTPASSWORD    OFF                      BLIND