How to Utilize the Superseded Digest Settings for a Period of Migration

Utilizing the superseded digest settings means you are migrating your existing digested passwords to a new crypto configuration (e.g. a new salt) and would like Cúram user passwords to be migrated automatically over a period of time. This applies to Cúram internal and external users, but does not apply to users managed by third-party security systems such as LDAP.

The process to do this is:

  1. Choose a time when your Cúram system can be taken down, and perform the following steps with the Cúram system not running.
  2. Copy the existing digest property names and values in CryptoConfig.properties and rename the properties to the new superseded property names.
  3. Modify the existing digest properties in CryptoConfig.properties to hold the new configuration.
  4. Set the curam.security.convertsupersededpassworddigests.enabled property to 'true'.
  5. Set the curam.security.crypto.upgrade.start property to help you track when you introduced the updated configuration. This value can be used below to help manage unmigrated user passwords.
  6. Restart the application server, but note the following.
Note: The Cúram default web services user (WEBSVCS), or any user not processed via the CuramLoginModule, is not available for automatic password migration. You must reset these users before restarting the application server. To do this:
  1. Obtain the new digest password value via the Ant digest target (e.g. ant digest -Dpassword=password).
  2. Update the password value in the database, which is easily done via SQL (e.g. UPDATE USERS SET PASSWORD='<new digest value>' WHERE USERNAME='WEBSVCS';).
  3. You can now start the application server.

After a period of time (e.g. weeks or months), when you consider the migration period to be over, set the curam.security.convertsupersededpassworddigests.enabled property to 'false' and unset the curam.security.crypto.upgrade.start property.

Users who did not log in during the migration period will now see their logins fail due to password mismatches. You have two approaches for addressing the passwords not updated during the migration period:

  1. Require these users to contact your internal support to have their password reset via the admin user interface.
  2. Manually identify the users in the Cúram USERS table who were not updated during the migration period and set a new default password for them, either via SQL (see the digest target described in the Cúram Server Developer's Guide to obtain new digest password values) or via the admin user screens. For example, identify them using the following query: SELECT username FROM users WHERE lastwritten BETWEEN timestamp('2013-06-01 15:00:00') AND timestamp('2013-09-01 00:00:00')
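
The following model illustrates the behaviour described in the migration procedure above and in the handling of unmigrated users: a login is checked against the current digest configuration first, falls back to the superseded configuration only while conversion is enabled, and on a superseded match rewrites the stored digest and LASTWRITTEN; an out-of-band reset stands in for the ant digest target plus UPDATE USERS statement used for WEBSVCS; and a report lists users whose row has not been rewritten since the recorded upgrade start, which is one way to use the curam.security.crypto.upgrade.start value alongside the lastwritten query in the text. This is an added example, not Cúram product code: the class and field names, the PBKDF2 digests, the salts and all user rows are constructed assumptions and do not correspond to the real CryptoConfig.properties keys or the real CuramLoginModule.

```python
import hashlib
import hmac
from dataclasses import dataclass
from datetime import datetime
from typing import Dict, List, Optional


@dataclass(frozen=True)
class DigestConfig:
    """One set of digest settings. Stands in for the digest properties in
    CryptoConfig.properties; the fields and the PBKDF2 choice are assumptions."""
    hash_name: str
    salt: bytes
    iterations: int

    def digest(self, password: str) -> str:
        return hashlib.pbkdf2_hmac(
            self.hash_name, password.encode("utf-8"), self.salt, self.iterations
        ).hex()


@dataclass
class UserRow:
    """Minimal stand-in for a USERS row: the stored digest plus LASTWRITTEN."""
    username: str
    password: str
    lastwritten: datetime


class PasswordMigrator:
    """Models the superseded-digest conversion switch and the upgrade start marker."""

    def __init__(self, current: DigestConfig, superseded: Optional[DigestConfig],
                 convert_enabled: bool, upgrade_start: Optional[datetime]):
        self.current = current
        self.superseded = superseded          # the 'A' configuration being retired
        self.convert_enabled = convert_enabled  # convertsupersededpassworddigests.enabled
        self.upgrade_start = upgrade_start    # crypto.upgrade.start
        self.users: Dict[str, UserRow] = {}

    def add_user(self, username: str, password: str, config: DigestConfig, written: datetime) -> None:
        self.users[username] = UserRow(username, config.digest(password), written)

    def login(self, username: str, password: str, now: datetime) -> bool:
        row = self.users.get(username)
        if row is None:
            return False
        # Always try the current ('B') configuration first.
        if hmac.compare_digest(row.password, self.current.digest(password)):
            return True
        # The superseded ('A') configuration is consulted only while conversion is enabled.
        if not (self.convert_enabled and self.superseded):
            return False
        if hmac.compare_digest(row.password, self.superseded.digest(password)):
            # Superseded match: re-digest with the current configuration and record the write.
            row.password = self.current.digest(password)
            row.lastwritten = now
            return True
        return False

    def reset_password(self, username: str, new_password: str, now: datetime) -> None:
        """Out-of-band reset, equivalent to 'ant digest' plus an UPDATE USERS statement."""
        row = self.users[username]
        row.password = self.current.digest(new_password)
        row.lastwritten = now

    def end_migration(self) -> None:
        """Equivalent to setting the enabled property to 'false' and unsetting the upgrade start."""
        self.convert_enabled = False
        self.upgrade_start = None

    def unmigrated_users(self) -> List[str]:
        """Users whose row has not been rewritten since the recorded upgrade start."""
        if self.upgrade_start is None:
            raise ValueError("upgrade start not recorded; run this report during the migration period")
        return sorted(u for u, r in self.users.items() if r.lastwritten < self.upgrade_start)


# Constructed configurations: OLD is the superseded 'A', NEW is the current 'B'.
OLD = DigestConfig("sha1", b"constructed-old-salt", 1_000)
NEW = DigestConfig("sha256", b"constructed-new-salt", 100_000)
UPGRADE_START = datetime(2013, 6, 1, 15, 0, 0)


def run_demo() -> dict:
    """Walks through a migration period with constructed users and returns the observations."""
    m = PasswordMigrator(NEW, OLD, convert_enabled=True, upgrade_start=UPGRADE_START)
    before = datetime(2013, 5, 1)
    for name, pw in (("alice", "alice-pw"), ("bob", "bob-pw"), ("WEBSVCS", "svc-pw")):
        m.add_user(name, pw, OLD, before)  # all rows still carry 'A' digests

    results = {}
    # WEBSVCS is not processed via the login module, so it is reset by hand.
    m.reset_password("WEBSVCS", "svc-pw", datetime(2013, 6, 1, 15, 5))
    # alice logs in during the period: accepted via 'A', rewritten as 'B'.
    results["alice_login"] = m.login("alice", "alice-pw", datetime(2013, 6, 10))
    results["alice_rehashed"] = m.users["alice"].password == NEW.digest("alice-pw")
    # A wrong password matches neither configuration and rewrites nothing.
    results["wrong_pw"] = m.login("bob", "nope", datetime(2013, 6, 11))
    results["unmigrated_during"] = m.unmigrated_users()  # bob never logged in

    m.end_migration()
    results["bob_after_end"] = m.login("bob", "bob-pw", datetime(2013, 9, 2))      # mismatch
    results["alice_after_end"] = m.login("alice", "alice-pw", datetime(2013, 9, 2))  # still fine
    return results


if __name__ == "__main__":
    print(run_demo())
```

The report in unmigrated_users is deliberately based only on LASTWRITTEN, so a user who was reset by hand before the recorded upgrade start would still be listed; check such accounts separately rather than resetting them again.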

You should not leave curam.security.convertsupersededpassworddigests.enabled set to true indefinitely because:

  1. It's meaningless to have gone to the trouble of upgrading from configuration 'A' to configuration 'B' and leave the original 'A' configuration active;
  2. It leaves potentially weaker crypto settings active in the system; and
  3. In order to use this functionality for a future upgrade, say from configuration 'B' to 'C', you would have to have upgraded all the 'A' passwords to at least 'B'.
Note: Any files, e.g. DMX, with stored digests need to be considered with respect to your migration strategy so they reflect the correct values.
Note: Any use of the Cúram Transport Manager (CTM) during a migration needs to be considered in terms of ensuring compatible settings and expectations between the source and target systems.
