How to Change Password Encryption
To change encodings, the System Administrator does the following:
Step 1: Migrate system accounts to the new password encoding
- Specify the new password encoder as the passwordEncoderMigrateTo bean, with its properties, in WEB-INF/config/context/security/afm_users/password-manager.xml.
- For example, if you are migrating to SHA encryption, the passwordEncoderMigrateTo bean definition will look like:
<bean id="passwordEncoderMigrateTo"
      class="org.springframework.security.providers.encoding.ShaPasswordEncoder">
    <!-- The default strength for the SHA encoding is SHA-1. -->
    <constructor-arg value="1" />
</bean>
- Start Web Central with the default password encoder.
- Load the Change Password Encoding wizard in Web Central.

- This form has a grid with a restriction console. The default restriction is for user accounts with the ARCHIBUS SYSTEM ADMINISTRATOR role. The form allows editing of the clear-text passwords. The form does not allow editing of the GUEST password.
- Edit the passwords for one or more system accounts by using the Change Password button. This action will show a pop-up dialog to get your entry and save it in the form.
Regardless of your current encryption method, this dialog will save the new password in plain text.
- The Migrate User Accounts action takes a plaintext password as its starting point and encrypts it. The action cannot migrate an already encrypted value (depending on your encryption, there may not be any method of reverse-engineering such an encrypted value).
- The Migrate User Accounts action will not be active until you have changed the encryption (until then, there is no encrypted form for the program to migrate the passwords to).
- It is essential to know the passwords to one or more system accounts, as otherwise, once you change the default encoding on startup as per step 5, you will not be able to log in again.
- Select some of the system accounts, and click the Migrate User Accounts button to migrate the encryption for these system accounts.
- Specify the new default password encoder in WEB-INF/config/context/security/afm_users/password-encoder/archibus/password-encoder.xml.
- For example, if you are migrating to SHA encryption, the passwordEncoder bean definition will look like:
<bean id="passwordEncoder"
      class="org.springframework.security.providers.encoding.ShaPasswordEncoder">
    <!-- The default strength for the SHA encoding is SHA-1. -->
    <constructor-arg value="1" />
</bean>
- Restart Web Central to have this default encoder take effect.
- If you used plaintext passwords, you can use the Change Password Encoding form to encode all of your non-system user passwords.
- If you used passwords encrypted with a previous encryption method, you must reissue passwords to all users.
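Why Step 1 migrates system accounts from plaintext before the default encoder is switched, shown as an added example that is not ARCHIBUS or Spring code: a small Python model that assumes the encoder stores an unsalted hex digest (strength 1 = SHA-1, 256 = SHA-256). The account names and passwords are constructed, and encode, is_valid, migrate and simulate are hypothetical helpers.

```python
import hashlib
import hmac

# Assumption: models an unsalted, hex-encoded SHA password encoder;
# strength 1 selects SHA-1 and 256 selects SHA-256. None means plaintext.
ALGORITHMS = {1: "sha1", 256: "sha256"}


def encode(raw_password, strength):
    """Return the value that would be stored for raw_password."""
    if strength is None:
        return raw_password
    digest = hashlib.new(ALGORITHMS[strength], raw_password.encode("utf-8"))
    return digest.hexdigest()


def is_valid(stored, presented, strength):
    """Login check: encode what the user typed and compare to the stored value."""
    candidate = encode(presented, strength)
    return hmac.compare_digest(stored.encode("utf-8"), candidate.encode("utf-8"))


def migrate(stored, old_strength, new_strength):
    """Re-encode a stored value; only a plaintext starting point can be migrated."""
    if old_strength is not None:
        raise ValueError("stored value is a one-way hash; reissue the password")
    return encode(stored, new_strength)


def simulate():
    """Walk Step 1 with constructed accounts and report who can still log in."""
    passwords = {"ADMIN1": "Constructed-Pass-1", "USER1": "Constructed-Pass-2"}
    # Starting state: every password is stored as plaintext.
    table = {user: encode(pw, None) for user, pw in passwords.items()}
    # Migrate only the system account, then switch the default encoder to SHA-1.
    table["ADMIN1"] = migrate(table["ADMIN1"], None, 1)
    return {user: is_valid(table[user], passwords[user], 1) for user in table}


if __name__ == "__main__":
    print(simulate())
```

The migrated system account still authenticates after the switch, while the account left in plaintext does not until its password is encoded or reissued.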
Step 2: Reissue Passwords
Now that you have changed the default encoding, you need to reissue passwords to users to get each user a password encrypted using the new encryption settings.
- To do so, load the Reissue Passwords Wizard in Web Central.

You might want to use the console to filter for all users of a particular role to reissue their passwords at one time. By default, the console filters out all ARCHIBUS SYSTEM ADMINISTRATOR accounts -- as you migrated these passwords previously -- and the GUEST account, which should not have its password set.
- Select a number of users, then choose Next.

- Now you can run the following actions on all selected user accounts:
- Reset Passwords. Generates new plain text passwords for these accounts. This action shows a popup that prompts you for the key phrase to use as a seed value to hash with the user name, making the resulting password difficult to reverse engineer.

- Send Passwords by Email. Sends these plaintext passwords to users by email. The email urges the user to log in and change the password as soon as possible.
- Encrypt Passwords. Encrypts the plaintext passwords in the database -- after you have sent the email to the user.
Considerations
Some considerations for reissuing passwords are these:
- Guest Account. If you use the GUEST account, you should not change the "GUEST" password, which must be empty. If, however, you wish to disable the GUEST account, simply provide it with any password value.
- Sample Headquarters Database. If you are working with sample HQ.DB, two accounts should be excluded from the password reset and re-encryption:
- GUEST account (password must be empty; hard-coded in login form)
- AFM (so that the system administrator can always log in and see important processes assigned). You can re-encrypt this value, but you should not reset it.