Create a Superuser Administrator for the DSA using a different hashing algorithm: "SHA-256", "SHA-512", "SSHA-512"


Article ID: 16566


Products

CA Single Sign On Secure Proxy Server (SiteMinder)
AXIOMATICS POLICY SERVER
CA Single Sign On SOA Security Manager (SiteMinder)
CA Single Sign-On

Issue/Introduction



 

Create a superuser administrator password for the DSA using an advanced hash algorithm such as "SHA-256", "SHA-512" or "SSHA-512" via JXplorer:

If I create a user in the directory using JXplorer and use "SHA" as the password hash method, then I can perform a dxsearch or an ldapsearch using this user and password. However, if I use any other password hash method (e.g. "SHA-256", "SHA-512", "SSHA-512"), then when I try to perform the exact same dxsearch or ldapsearch, it fails with an error message of "invalid credentials".

Environment

Release:
Component: SMSSO

Resolution

There is a known bug in JXplorer: it does not handle non-SHA1 entries correctly and adds whitespace in the middle of the userPassword hash value:

https://communities.ca.com/message/241904039?commentID=241904039#comment-241904039

A workaround is:

1. Open JXplorer and open a connection to the DSA.

2. Select the 'User' -> go to the "userPassword" attribute.

3. Change the hashing algorithm to "SHA-512" or a higher hashing algorithm.

4. Go to "Advanced Editor", remove the whitespace in the middle of the "ldap value", and click OK.

5. Submit.

6. Reconnect to JXplorer using the user credentials, or perform a dxsearch or an ldapsearch using this user and password.

Alternatively, another LDAP client such as Apache DS could be used.
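
To check a userPassword value for the stray whitespace described above before relying on it, the following added example (not code from CA or JXplorer) strips whitespace from the hash payload and verifies a password against the result. It assumes the common `{SCHEME}base64(digest + salt)` layout with the tags `SHA`, `SHA256`, `SHA512` and `SSHA512`; the password, salt and damaged value are constructed samples, and the strict `verify` only models an exact comparison, not the DSA's own code.

```python
import base64
import binascii
import hashlib
import hmac
import re

# Assumed scheme tags -> (hashlib name, digest size in bytes); "SS" prefix = salted.
SCHEMES = {"SHA": ("sha1", 20), "SHA256": ("sha256", 32),
           "SHA512": ("sha512", 64), "SSHA512": ("sha512", 64)}

def make_value(password, scheme, salt=b""):
    """Build a '{SCHEME}base64(digest + salt)' value on a single line."""
    algo, _ = SCHEMES[scheme]
    digest = hashlib.new(algo, password.encode() + salt).digest()
    return "{%s}%s" % (scheme, base64.b64encode(digest + salt).decode())

def clean_value(value):
    """Return (cleaned_value, had_whitespace) with whitespace removed from the payload."""
    match = re.fullmatch(r"(\{[^}]+\})(.*)", value, re.S)
    if match is None:
        raise ValueError("expected a {SCHEME}base64 value")
    payload = re.sub(r"\s+", "", match.group(2))
    return match.group(1) + payload, payload != match.group(2)

def verify(password, value):
    """Strict check: any stray character in the payload makes it fail."""
    match = re.fullmatch(r"\{([^}]+)\}(.*)", value, re.S)
    if match is None or match.group(1).upper() not in SCHEMES:
        return False
    scheme = match.group(1).upper()
    algo, size = SCHEMES[scheme]
    try:
        raw = base64.b64decode(match.group(2), validate=True)
    except binascii.Error:
        return False  # embedded whitespace lands here
    digest, salt = raw[:size], raw[size:]
    if len(digest) != size or (salt and not scheme.startswith("SS")):
        return False
    expected = hashlib.new(algo, password.encode() + salt).digest()
    return hmac.compare_digest(expected, digest)

# Constructed sample: a good SSHA512 value and a copy with a space in the middle.
GOOD = make_value("Example-Passw0rd", "SSHA512", salt=b"\x01\x02\x03\x04")
DAMAGED = GOOD[:40] + " " + GOOD[40:]

if __name__ == "__main__":
    fixed, had_ws = clean_value(DAMAGED)
    print("whitespace found:", had_ws)
    print("damaged verifies:", verify("Example-Passw0rd", DAMAGED))
    print("cleaned verifies:", verify("Example-Passw0rd", fixed))
```

Run it against a test account's value rather than a production credential, and compare the cleaned output with what step 4 leaves in the "ldap value" field.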