Verify that Password Blobs are Re-encrypted

Verify that the Policy Server has re-encrypted every Password Blob in the user store before you switch to FIPS-only mode. A user whose Password Blob is still in the old format loses their password history and is locked out by Password Services once FIPS-only mode is enabled.

When you configured the user store connection for password policies, you specified the Password Data user profile attribute. This attribute is where the Policy Server stores each user's Password Blob, and it is the attribute you inspect to find Password Blobs that have not been re-encrypted.

To verify that Password Blobs are re-encrypted

  1. Using the directory server or database-specific tool, search the Password Data attribute for values that are not prefixed with {AES}.

     Example: If "audio" is the value you specified in the Password Data field when configuring the user store connection, search for all "audio" values that are not prefixed with {AES}.

  2. Identify the users whose Password Blobs are not prefixed with {AES}. The Policy Server has not re-encrypted these Password Blobs.
  3. Notify these users that they must either log in or change their password, so that the Policy Server re-encrypts their Password Blob.

    Note: How the password policy is configured determines when the Policy Server re-encrypts the Password Blob:

Important! When the Policy Server is operating in FIPS-only mode, Password Services locks out any user whose Password Blob has not been re-encrypted. The user cannot regain access until you delete the Password Blob and clear any disabled flags, and deleting the Password Blob discards that user's password history.
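The following script is an added example for the verification procedure above; it is not CA code and is not part of the original documentation. It reads an LDIF dump of the user store (for example the output of ldapsearch -LLL -b "ou=people,dc=example,dc=com" "(audio=*)" audio) and lists each DN whose Password Data attribute, assumed here to be "audio" as in the example above, does not begin with {AES}. The sample entries, their blob values and the DNs are constructed. The script decodes base64 ("audio::") values and unfolds continuation lines, because a plain grep for "^audio: {AES}" misses both forms and reports users who are in fact fine.

```python
"""List users whose Password Blob has not been re-encrypted with AES.

Added example; not CA code. Reads an LDIF dump of the user store and
reports the DNs whose Password Data attribute (assumed: "audio") does not
start with {AES}. Entries with no value in that attribute hold no blob to
re-encrypt and are not reported (assumption).
"""
import base64

AES_PREFIX = b"{AES}"

# Constructed sample LDIF (not real SiteMinder data). bob and dave still hold
# legacy blobs; carol's {AES} blob is base64-encoded by the export tool; dave's
# value is folded across two lines; erin has no blob at all.
SAMPLE_LDIF = """\
dn: uid=alice,ou=people,dc=example,dc=com
audio: {AES}c2FtcGxlLWJsb2ItYWxpY2U=

dn: uid=bob,ou=people,dc=example,dc=com
audio:: bGVnYWN5LWJsb2ItYm9i

dn: uid=carol,ou=people,dc=example,dc=com
audio:: e0FFU31hYmM=

dn: uid=dave,ou=people,dc=example,dc=com
audio: 0123456789abcdef0123456789
 abcdef

dn: uid=erin,ou=people,dc=example,dc=com
cn: Erin

"""


def parse_ldif(text):
    """Yield (dn, {attribute: [bytes values]}) for each entry in an LDIF string.

    Handles base64 values ("attr:: ...") and folded lines (leading space).
    Values stay as bytes so a blob is compared byte for byte.
    """
    unfolded = []
    for line in text.splitlines():
        if line.startswith(" ") and unfolded:
            unfolded[-1] += line[1:]        # continuation of the previous line
        else:
            unfolded.append(line)

    entry = []
    for line in unfolded + [""]:            # sentinel flushes the last entry
        if line.strip():
            if not line.startswith(("#", "version:")):
                entry.append(line)
            continue
        if not entry:
            continue
        dn, attrs = None, {}
        for item in entry:
            name, _, rest = item.partition(":")
            if rest.startswith(":"):
                value = base64.b64decode(rest[1:].strip())
            else:
                value = rest.strip().encode("utf-8")
            if name.lower() == "dn":
                dn = value.decode("utf-8")
            else:
                attrs.setdefault(name.lower(), []).append(value)
        yield dn, attrs
        entry = []


def find_unencrypted(ldif_text, attr="audio"):
    """Return the DNs whose Password Blob is present but not {AES}-prefixed."""
    flagged = []
    for dn, attrs in parse_ldif(ldif_text):
        blobs = attrs.get(attr.lower(), [])
        if blobs and not all(b.startswith(AES_PREFIX) for b in blobs):
            flagged.append(dn)
    return flagged


def ldap_filter(attr="audio"):
    """Server-side equivalent of the check above, for directories that define
    a substring matching rule on the attribute. The standard LDAP schema
    defines none for "audio", so there the filter evaluates to undefined and
    returns nothing; dump the attribute and filter client-side instead."""
    return f"(&({attr}=*)(!({attr}={AES_PREFIX.decode()}*)))"


if __name__ == "__main__":
    for dn in find_unencrypted(SAMPLE_LDIF):
        print("not re-encrypted:", dn)
```

Run against the sample, the script reports bob and dave only: carol's blob is {AES}-prefixed once the base64 wrapper is removed, and erin has no blob to re-encrypt. Feed it the real export (python3 check_blobs.py < users.ldif after replacing SAMPLE_LDIF with sys.stdin.read()) and pass the resulting DNs to step 2 of the procedure.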


Copyright © 2010 CA. All rights reserved.