• Release: UIM 20.3.3
• Component: UIM OPERATOR CONSOLE - ACCOUNT ADMIN
• hub v9.34 or higher

• hub package defect
• new hub feature was introduced in UIM 20.3.3 but was not working as expected

Background:

Description and symptoms of the login and password change problem:

UIM 20.33, Nimbus account password reset issue
Customer created nimbus accounts through the Infrastructure Manager (IM). For these nimbus accounts if they want to reset the password through the Operator Console there is No 'password reset' option. So, when they tried to reset the password for the NimBUS account using the Admin Console (via 'Manage Users'). then they tried to re-login with the new password, it throws the following error:

"Unable to Sign In.
The user name or password is incorrect, or your account is locked. Try again later, and if you still have trouble, contact your administrator."

This issue did NOT occur in the customer's TEST environment. It ONLY occurred in their PRODUCTION environment.

Admin Console logs showed:

Nov 19 07:41:48:876 ERROR [https-jsse-nio-8443-exec-1, com.nimsoft.nimbus.probe.service.wasp.auth.LoginModule] login() User 'xxxxxxx' login failed
Nov 19 07:45:13:753 ERROR [https-jsse-nio-8443-exec-2, com.nimsoft.nimbus.probe.service.wasp.auth.LoginModule] login() User 'xxxxxxxx' login failed
Nov 19 07:45:28:210 ERROR [https-jsse-nio-8443-exec-8, com.nimsoft.nimbus.probe.service.wasp.auth.LoginModule] login() User 'xxxxxxxx' login failed

Various NimBUS user account details were overwritten (or emptied), but we also saw that the ACL was changed from "<XXX> Administrator" to Superuser.

• Behaviour-> Essentially, when the customer changes the password for a NimBUS user via the Admin Console (AC) afterwards, they cannot login.
• Failure to login ONLY occurred when the password is changed via the AC. It works fine when everything is done via the Infrastructure Manager (IM).

As it turns out, some time ago in UIM 20.3.3, a new hub feature/function to encrypt user account and password information was created. The customer also was not aware that the hub configuration had been changed. Also, th customer did not know who made those changes in the customer's environment, no one ever mentioned during several webexes including the webex where we saw the user info was definitely getting encrypted.

Also, it is not a well-known, commonly-used feature and there were no other cases reporting this issue at the time. Upon request, fortunately, the customer searched back and found a backup of their hub security.cfg file so they could restore the previous cfg.

The changes made to the hub.cfg were as follows:

   psv2_password = yes
   encrypt_user_info = yes

The encryption keys listed above were configured/present ONLY in the hub.cfg of the PRIMARY core hub.

Upon review of the tech docs, we noticed that the addition of the new feature "enhanced security.cfg" was not mentioned anywhere in the Release Notes. Only a passing comment regarding a different case/issue, but no detailed description of the new function. We found the details about 'enhanced security.cfg' in the UIM 20.3 documentation:

IMPORTANT!!!

It is extremely important to read/review and understand everything about this Enhanced Security feature introduced in UIM 20.3 BEFORE implementing it including the SECTIONS titled:

   - Parameters
   - Considerations
   - Scenarios.

and it should be tested thoroughly in a TEST environment before trying it in Production.

Enhanced security.cfg
https://techdocs.broadcom.com/us/en/ca-enterprise-software/it-operations-management/unified-infrastructure-management/20-3/installing/additional-topics/Enhanced-security-cfg.html 

The issue is due to some side-effects/some unexpected results when the hub.cfg contains encryption parameters to encrypt the password and user info:

   psv2_password = yes
   encrypt_user_info = yes

For example, the ACL associated with the NimBUS user is changed (it falls back to 'Superuser' from the customer-defined ACL 'RIM Administrator') and the user info is emptied/wiped out, hence the user cannot login. This was evidenced by examining the password and user info in the security.cfg file 'before and after' changing the password via the Admin Console versus changing the password via IM. If you changed the password for the NimBUS user via the Infrastructure Manager (IM), the NimBUS user can login again. 

This feature was retested, and a hotfix version of the hub package for 9.34 was created.

The customer deployed the attached NEW hub package.

After resetting the password from the Admin Console, login to both IM / Admin Console was working now for new/existing user accounts as expected without issue. 
Also changes done to the user account from IM or Admin Console are properly replicated in both UI and the security.cfg file WITH encryption.

Hub package version in UIM v20.4 is also 9.34 and this new hub package is also v9.34.

When the GA version is released the hub package version will be corrected.

hub-9.34-20220215.145008-18.zip which contains the hotfix, is attached to this KB Article.

Download and import this hub package into you local archive on the Primary hub and drag and drop it onto the hub and then retest the issue.

Login should then work as expected when a NimBUS account user changes their password via the Admin Console through 'Manage Users.'