Password encryption properties

Password encryption properties are used to configure password encryption.

Table 1 defines the properties used to configure password encryption.

enrole.encryption.algorithm

Do not modify this property key and value.

Specifies the cipher suite to use for encryption, for example AES.

Example (default):

enrole.encryption.algorithm=AES

enrole.encryption.password

Do not modify this property key and value. This value is specified during IBM Security Identity Manager installation.

The value of the enrole.encryption.password property is moved into the encryptionKey property file, where it is stored in encoded form by default.

Specifies the keystore password, in encrypted format, when AES is the encryption algorithm. For non-PBE based encryption algorithms (used for new IBM Security Identity Manager Version 5.0 installations), the password is used to encrypt the keystore that stores the private key. For more information about this property, see the enrole.encryption.keystore property.

enrole.encryption.passwordDigest

Do not modify this property key and value.

Specifies the type of password digest used for an IBM Security Identity Manager password. An installation upgraded from Tivoli Identity Manager Version 4.6 continues to use the original hash algorithm until users change their passwords. That original algorithm is defined by the enrole.pre50.encryption.passwordDigest property. Valid values are:

  • SHA-256 – Federal Information Processing Standards (FIPS)-approved hashing algorithm used by IBM Tivoli Identity Manager Version 5.0 for passwords. A random salt value is added to the data before it is hashed.
  • SHA-384 – Federal Information Processing Standards (FIPS)-approved hashing algorithm, providing 384 bits of security (by truncating the output of the SHA-512 algorithm). A random salt value is added to the data before it is hashed.
  • SHA-512 – Federal Information Processing Standards (FIPS)-approved hashing algorithm, providing 512 bits of security. A random salt value is added to the data before it is hashed.

Example (default):

enrole.encryption.passwordDigest=SHA-256

enrole.pre50.encryption.passwordDigest

Do not modify this property key and value. Upgrading ISIM from Version 4.6 adds this property dynamically to this properties file.

Specifies the type of password digest used for IBM Security Identity Manager password data from IBM Security Identity Manager versions before 5.0. The absence of a ":" in an encrypted IBM Security Identity Manager password value identifies such migrated data. All new passwords, including changed migrated passwords, are stored with the enrole.encryption.passwordDigest algorithm.

Example (default for migrated installations, not present for new installations):

enrole.pre50.encryption.passwordDigest=MD5

enrole.encryption.keystore

Do not modify this property key and value.

Specifies the name of the keystore file that contains the randomly generated secret key for non-PBE based encryption algorithms, such as AES. This keystore file is protected with the enrole.encryption.password value and is located in the ISIM_HOME\data\keystore directory.

Example (default):

enrole.encryption.keystore=itimKeystore.jceks
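The two passwordDigest properties describe a two-algorithm scheme: current passwords are stored as salted SHA-2 digests selected by enrole.encryption.passwordDigest, while a stored value without a ":" marks data migrated from a pre-5.0 installation that is still verified with the enrole.pre50.encryption.passwordDigest algorithm until the user changes the password. The Python below is an added illustration of that verification and migrate-on-change logic; it is not code from IBM Security Identity Manager. The stored layout "<base64 salt>:<base64 digest>", the 16-byte salt length, the hex form of the legacy digest, and the values in PROPERTIES are all assumptions made for the example.

```python
import base64
import hashlib
import hmac
import os

# Assumed property values, keyed exactly as in enRole.properties on this page.
PROPERTIES = {
    "enrole.encryption.passwordDigest": "SHA-256",
    "enrole.pre50.encryption.passwordDigest": "MD5",
}

SALT_LEN = 16  # assumed salt length; the page only says "a random salt value"


def _hashlib_name(prop_value):
    """Map a property value such as "SHA-256" to the hashlib name "sha256"."""
    return prop_value.replace("-", "").lower()


def hash_password(password, algorithm="SHA-256", salt=None):
    """Produce a current-format digest: "<base64 salt>:<base64 digest>" (assumed layout).

    The salt is prepended to the password before hashing, matching the page's
    "a random salt value is added to the data before it is hashed".
    """
    if salt is None:
        salt = os.urandom(SALT_LEN)
    h = hashlib.new(_hashlib_name(algorithm))
    h.update(salt + password.encode("utf-8"))
    return base64.b64encode(salt).decode() + ":" + base64.b64encode(h.digest()).decode()


def legacy_hash(password, algorithm="MD5"):
    """Produce a pre-5.0 style digest: unsalted, hex-encoded, and with no ":" (assumed layout)."""
    return hashlib.new(_hashlib_name(algorithm), password.encode("utf-8")).hexdigest()


def is_legacy(stored):
    """Per the page: a stored value that lacks ":" is migrated pre-5.0 data."""
    return ":" not in stored


def verify(password, stored, props=PROPERTIES):
    """Return (password_ok, needs_rehash).

    needs_rehash is True when a legacy digest verified successfully, which is the
    moment an application would replace it with the current algorithm.
    """
    if is_legacy(stored):
        alg = props["enrole.pre50.encryption.passwordDigest"]
        ok = hmac.compare_digest(legacy_hash(password, alg), stored)
        return ok, ok
    alg = props["enrole.encryption.passwordDigest"]
    salt_b64, _digest_b64 = stored.split(":", 1)
    salt = base64.b64decode(salt_b64)
    ok = hmac.compare_digest(hash_password(password, alg, salt), stored)
    return ok, False


def change_password(old_password, stored, new_password, props=PROPERTIES):
    """Re-store a password with the current algorithm; migrated data leaves the legacy format here."""
    ok, _ = verify(old_password, stored, props)
    if not ok:
        raise ValueError("current password does not match")
    return hash_password(new_password, props["enrole.encryption.passwordDigest"])


if __name__ == "__main__":
    # Constructed sample data: one migrated (legacy) record and one current record.
    migrated = legacy_hash("old-secret")          # no ":" -> routed to the pre50 algorithm
    current = hash_password("new-secret")         # "<salt>:<digest>" -> current algorithm
    print("legacy verify:", verify("old-secret", migrated))   # (True, True)
    print("current verify:", verify("new-secret", current))   # (True, False)
    rehashed = change_password("old-secret", migrated, "rotated")
    print("after change, still legacy?", is_legacy(rehashed))  # False
```

The needs_rehash flag is the point of the second return value: an authentication path that checks it can move every migrated record to the enrole.encryption.passwordDigest algorithm the first time the user logs in or changes the password, so the weaker pre50 digests do not linger indefinitely.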

Parent topic: System property configuration in enRole.properties