Replacing the Password Encryption and Decryption Scheme

If you alter your password encryption and decryption scheme, any encrypted passwords stored in the Sign-on Table (SNT) must be decrypted using the old scheme and then re-encrypted with the new scheme. A utility program called dfhpcryp is supplied to assist in this conversion.

The procedure for moving to a new encryption scheme is described below. In this procedure, you introduce your new encryption module to the system as dfhucryu.so. You then run the dfhpcryp utility, which uses the existing module (dfhucryp) and your new one to perform the conversion. When the conversion is complete, you replace the existing module with your new one.

Before you make any changes, take a backup copy of the following:

To run dfhpcryp:

  1. Compile the new encryption module into a shared object (.so).
    Note: Do not replace the existing dfhucryp.so at this stage. Your new module must replace the existing dfhucryp.so only after you have run the dfhpcryp utility to perform the conversion.

  2. Rename your new encryption module to dfhucryu.so and copy it into the same directory as the existing dfhucryp.
  3. Ensure that no part of MSS is active.
  4. Run the dfhpcryp utility.
  5. When dfhpcryp completes, remove dfhucryp and rename dfhucryu to dfhucryp.
  6. Back up the modified Resource Definition File.

MSS is now ready to run with the new encryption and decryption scheme.

The backups taken during this process are important in case you want to return to the old encryption and decryption scheme for any reason.
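
The following shell function is an added example, not code from the product or its documentation. It wraps steps 2, 4 and 5 so that the existing module is replaced only if the conversion succeeds. Assumptions: the module directory and the compiled module are passed as arguments, the conversion is started by the command in DFHPCRYP_CMD (default: dfhpcryp with no arguments), and the name dfhucryp.so.old-scheme for the kept copy of the old module is hypothetical.

```shell
#!/bin/sh
# Added example, not vendor code. Covers steps 2, 4 and 5 only.
# Assumptions: $1 is the directory holding dfhucryp.so, $2 is the newly
# compiled module, and DFHPCRYP_CMD (default "dfhpcryp") starts the
# conversion. Steps 3 and 6 (MSS stopped, backups) remain operator tasks.
swap_crypt_module() {
    dir=$1
    new_module=$2
    old="$dir/dfhucryp.so"
    staged="$dir/dfhucryu.so"
    saved="$dir/dfhucryp.so.old-scheme"   # hypothetical name for the kept copy

    [ -f "$old" ] || { echo "existing module not found: $old" >&2; return 2; }
    [ -f "$new_module" ] || { echo "new module not found: $new_module" >&2; return 2; }
    # A leftover staged or saved module means an earlier run did not finish.
    if [ -e "$staged" ] || [ -e "$saved" ]; then
        echo "earlier conversion attempt left files in $dir; resolve first" >&2
        return 3
    fi

    # Step 2: stage the new module beside the existing one, never over it.
    cp -p "$new_module" "$staged" || return 4
    # Keep the old module: it is needed to return to the old scheme.
    cp -p "$old" "$saved" || return 4

    # Step 4: convert. On failure the old module stays active and the
    # staged files are left for inspection; restore from backup and retry.
    if ! ${DFHPCRYP_CMD:-dfhpcryp}; then
        echo "dfhpcryp failed; dfhucryp.so was not replaced" >&2
        return 5
    fi

    # Step 5: rename the staged module over the old one in a single step.
    mv -f "$staged" "$old"
}
```

Call it as `swap_crypt_module <module-directory> <path-to-new-module>` after MSS has been stopped and the backups have been taken.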