Migrate OpenSSO Passwords / Secret Q&A

This topic has 1 reply, 2 voices, and was last updated 4 years, 11 months ago by Andy Cory.

  • Author
  • #19387


    We have a customer that will be migrating OpenSSO 8 / DSEE 6.3.1 users and are wondering if Passwords and/or Secret Questions and Answers will need to be reset when moving to OpenAM 13.5.1 / OpenDJ 3.5.2.

    AFAIK this should only be hashed and not encrypted and moreover should be portable.

    Can someone please corroborate/confirm. Thank You!


     Andy Cory

    Hi Nikolaos

    Provided that the older hashing scheme for your customer’s DSEE is still supported by DJ 3.5.2 (say, MD5), then you should be able to migrate the values ‘as is’. Better still, set up DJ to use the old scheme as a deprecated scheme and set a newer algorithm as the default, and DJ will silently re-encode the password to the new scheme when each user binds for the first time.

    The encrypted answers are potentially more of an issue – my understanding is that the scheme used for these in OpenDJ is not configurable. As part of the migration you may have to get the users to set them up again. Maybe make a virtue of necessity and call it an increased security measure, using new questions to which the answers are less easy to guess or socially engineer. If the current platform is that old, chances are the questions are the old ‘mothers maiden name’ and ‘favourite colour’ variety!


Viewing 2 posts - 1 through 2 (of 2 total)

You must be logged in to reply to this topic.

©2022 ForgeRock - we provide an identity and access platform to secure every online relationship for the enterprise market, educational sector and even entire countries. Click to view our privacy policy and terms of use.

Log in with your credentials

Forgot your details?