October 30, 2017 at 4:24 pm #19387 Nikolaos Giannopoulos, Participant
We have a customer that will be migrating OpenSSO 8 / DSEE 6.3.1 users and are wondering if Passwords and/or Secret Questions and Answers will need to be reset when moving to OpenAM 13.5.1 / OpenDJ 3.5.2.
AFAIK this should only be hashed and not encrypted and moreover should be portable.
Can someone please corroborate/confirm? Thank you!
–Nikolaos

October 30, 2017 at 4:40 pm #19388 Andy Cory, Participant
Provided that the older hashing scheme for your customer’s DSEE is still supported by DJ 3.5.2 (say, MD5), then you should be able to migrate the values ‘as is’. Better still, set up DJ to use the old scheme as a deprecated scheme and set a newer algorithm as the default, and DJ will silently re-encode the password to the new scheme when each user binds for the first time.
The encrypted answers are potentially more of an issue – my understanding is that the scheme used for these in OpenDJ is not configurable. As part of the migration you may have to get the users to set them up again. Maybe make a virtue of necessity and call it an increased security measure, using new questions to which the answers are less easy to guess or socially engineer. If the current platform is that old, chances are the questions are the old ‘mothers maiden name’ and ‘favourite colour’ variety!
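
A pre-migration check for the "is the old scheme still supported" condition above, added here as an example (not code from this thread or from the OpenDJ project): it inventories the storage-scheme prefixes on `userPassword` values in an LDIF export and lists the entries whose hashes cannot be carried over as-is. The `TARGET_SUPPORTED` set and the sample entries are constructed assumptions; replace the set with the schemes actually enabled on the target server.

```python
import base64
import re
from collections import Counter

# Assumption: scheme prefixes the target server can verify. Replace with the
# schemes enabled on your own OpenDJ instance before trusting the result.
TARGET_SUPPORTED = {"MD5", "SMD5", "SHA", "SSHA", "SSHA256", "SSHA512", "CRYPT"}
SCHEME_RE = re.compile(r"^\{([A-Za-z0-9-]+)\}")

def unfold(ldif_text):
    """Join LDIF continuation lines (a leading space continues the previous line)."""
    lines = []
    for raw in ldif_text.splitlines():
        if raw.startswith(" ") and lines:
            lines[-1] += raw[1:]
        else:
            lines.append(raw)
    return lines

def attr_value(line, name):
    """Decode the value of a 'name: value' or base64 'name:: value' LDIF line."""
    value = line[len(name) + 1:]
    if value.startswith(":"):
        return base64.b64decode(value[1:].strip()).decode("utf-8", "replace")
    return value.strip()

def inventory(ldif_text):
    """Return (Counter of scheme -> count, sorted DNs that need a password reset)."""
    counts, needs_reset, dn = Counter(), set(), None
    for line in unfold(ldif_text):
        if line.lower().startswith("dn:"):
            dn = attr_value(line, "dn")
        elif line.lower().startswith("userpassword:"):
            match = SCHEME_RE.match(attr_value(line, "userPassword"))
            scheme = match.group(1).upper() if match else "CLEARTEXT-OR-UNKNOWN"
            counts[scheme] += 1
            if scheme not in TARGET_SUPPORTED:
                needs_reset.add(dn)
    return counts, sorted(needs_reset)

# Constructed sample export: the hash bodies are placeholders, not real digests.
SAMPLE = "\n".join([
    "dn: uid=alice,ou=people,dc=example,dc=com",
    "userPassword: {SSHA}Y29uc3RydWN0ZWQtc2FtcGxl", "",
    "dn: uid=bob,ou=people,dc=example,dc=com",
    "userPassword:: " + base64.b64encode(b"{MD5}Y29uc3RydWN0ZWQ=").decode(), "",
    "dn: uid=carol,ou=people,dc=example,dc=com",
    "userPassword: {NS-MTA-MD5}constructedvalue",
])

if __name__ == "__main__":
    print(inventory(SAMPLE))
```

Schemes that appear in the counts but are weak (plain MD5, for instance) are the candidates for the deprecated-scheme setting described above, so they get re-encoded at the user's next bind.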