AIX Endpoints Cannot Use sha256/sha512 Password Encryption



Article ID: 224937




CA Privileged Identity Management Endpoint (PIM) CA Privileged Access Manager - Server Control (PAMSC)


After configuring AIX for SHA256/SHA512 encryption, setting passwd_local_encryption_method to the same value in seos.ini, and changing the password on the master endpoint, users cannot log into the AIX endpoint.

Looking in /etc/security/passwd confirms that the password is stored encrypted, but with no algorithm prefix in front of the hash:

        password = ######


Privileged Identity Manager 12.8
PAM Server Control 14.0,14.1


AIX SHA256/SHA512 password encryption differs from the format used by Linux operating systems. When a password is encrypted on AIX, its entry in /etc/security/passwd carries an algorithm prefix and looks similar to the following:

        password = {ssha512}######

With the default password distribution configuration, the master PIM endpoint encrypts the password and distributes the already-encrypted value to the subscribers. Because the password arrives encrypted, the subscribers do not re-encrypt it locally, so an AIX subscriber stores a hash in the master's format rather than its own.
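To spot this condition on an AIX subscriber, the following added check (not part of this article or of the PIM/PAMSC product) parses /etc/security/passwd in AIX stanza format and reports which users carry an AIX-style {algorithm} prefix and which carry a prefix-less hash that was distributed as-is. The sample file contents and hash values are constructed placeholders, and the assumed rule is simply "a hash without a leading {tag} was not encrypted locally on AIX".

```python
import re
from typing import Dict

# Constructed sample in AIX /etc/security/passwd stanza format (hash values are placeholders):
# root has an AIX-native tagged hash, appuser has an untagged hash as distributed
# from a non-AIX master, svc has no usable password.
SAMPLE_PASSWD = """\
root:
        password = {ssha512}06$PLACEHOLDERSALT$PLACEHOLDERHASH
        lastupdate = 1700000000

appuser:
        password = $6$PLACEHOLDERSALT$PLACEHOLDERHASH
        lastupdate = 1700000000

svc:
        password = *
"""

# AIX prefixes its own hashes with an algorithm tag in braces, e.g. {ssha512}.
AIX_TAG = re.compile(r"^\{[A-Za-z0-9]+\}")


def parse_stanzas(text: str) -> Dict[str, Dict[str, str]]:
    """Parse AIX stanza format: a 'user:' line followed by indented 'key = value' lines."""
    stanzas: Dict[str, Dict[str, str]] = {}
    current = None
    for line in text.splitlines():
        if not line.strip():
            continue
        if not line[0].isspace() and line.rstrip().endswith(":"):
            current = line.strip()[:-1]
            stanzas[current] = {}
        elif current is not None and "=" in line:
            key, _, value = line.partition("=")
            stanzas[current][key.strip()] = value.strip()
    return stanzas


def classify(text: str) -> Dict[str, str]:
    """Map each user to 'aix-tagged', 'untagged' (distributed hash, login will fail) or 'locked'."""
    result: Dict[str, str] = {}
    for user, attrs in parse_stanzas(text).items():
        pw = attrs.get("password", "")
        if pw in ("", "*", "!"):
            result[user] = "locked"
        elif AIX_TAG.match(pw):
            result[user] = "aix-tagged"
        else:
            result[user] = "untagged"
    return result
```

Run it against the real file by replacing SAMPLE_PASSWD with the contents of /etc/security/passwd; any user reported as untagged is one whose hash was distributed without local re-encryption.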


AIX can be configured to accept passwords hashed on other operating systems. If that is not an option, follow the steps below so that distributed passwords are re-encrypted on each local endpoint.

On the master endpoint:

1- Stop all daemons.
2- Open seos.ini for editing.
3- Set passwd_distribution_encryption_mode to 3
4- Set passwd_format to NT
5- Save the file.
6- Start all daemons.

On each subscriber:

1- Stop all daemons.
2- Open seos.ini for editing.
3- Change passwd_distribution_encryption_mode to 3 and save the file.
4- Start all daemons.

Additional Information

IBM Documentation on How to Make AIX Compatible with SHA256/SHA512 Passwords Hashed on Other OS's: