Jazz Forum Welcome to the Jazz Community Forum Connect and collaborate with IBM Engineering experts and users

Jazz Authorization Server does not recognize user password after a change

Questions
Tags
Users
Badges
Karen Steele
(1.2k5141150) edited
Aug 22 '22, 12:56 p.m.
We are awaiting an AD to tie jazz authorization server to.  In the meantime, we are using the basic user registry.

I have 4 accounts specified - all of which are admins
By way of example I added my self SteeleK - assigned myself a cleartext password
I was able to login without error with this iinformation

When the time came for the 90 day reminder from other system, I proceeded to do the following :
1. went to the JAS server
2. Stopped the server
3. Edited the localuserregistry.xml
4. updated my password against the SteeleK entity
5. restarted the JAS server

Login at the RTC instance no longer recognizes my account and claims invalid password ...

I have the same issue when I adjust other users .. am I missing something here ?  It shoudl be pretty straight forward

... log files say "specified principal name SteeleK is not found in the back-end repository" ... when all I did was change the cleartext password

0 votes

Comments
Ian Barnard
FORUM ADMINISTRATOR / FORUM MODERATOR / JAZZ DEVELOPER Aug 23 '22, 4:47 a.m.

Cleartext password e.g.


        <user name="ibm" password="ibm"/>

are automatically written back by Liberty hashed (obfuscated) i.e.

        <user name="ibm" password="{aes}AFPECwrAiTrycSRkWmib7TPhrvQoNVWDCDtaS+SQpKZF"/>

Where the tag {aes} tells Liberty what the hash method is.

When you update the password in cleartext, you should have removed the tag {aes}? 

Or can you restore a backup of the XML to temporarily get back to your original password?

Karen Steele
Aug 23 '22, 5:57 a.m.

and where exactly is that tag - I'm merely looking at the localuserregistry.xml file ... there is no such tag in that file.

Ralph Schoon
FORUM ADMINISTRATOR / FORUM MODERATOR / JAZZ DEVELOPER Aug 23 '22, 6:11 a.m.

This is how the file usually looks like. I highlighted the tag.


Karen Steele
Aug 23 '22, 6:21 a.m.
this presumes the passwords are encoded - I have cleartext e.g. Passw0rd in there not an encoded value

I'm given to understand, whilst we have the files for basicuseregistry that its actually not supported (sigh) - let me try encoding the passwords and see if that fixes it .. its really does appear to be 50/50 as two other entries all with cleartext passwords are working correctly.

Karen Steele
Aug 23 '22, 7:28 a.m.
so I've encoded the values and they still don't work - out of the 5 accounts only 3 work encoded or plain text .. the log is saying the same principal account name X is not found in the back end repository - the account worked before we changed its password so its definitely in there

With trial and error, removing, restarting the server, then adding back it now accepts them all with encoded - thanks for the inputs

Ian Barnard
FORUM ADMINISTRATOR / FORUM MODERATOR / JAZZ DEVELOPER Aug 23 '22, 7:12 a.m.

 AFAIK there's no need to encode the password, Liberty will notice a cleartext password and write it back to the user registry XML hashed and with {aes} prefixed, just like it did when you put your original cleartext password in. If you need to update the password remove the {aes} and put the new cleartet password in. After Liberty has startred it should update the file with the hashed value.


Yes basic user registry is just how its name reads - it's not suitable for any form of production use.

Karen Steele
Aug 23 '22, 7:31 a.m.
thanks Ian ... as you can see from my other comments I got it working .. tedious but its working ... I'd zap the lot and take out JAS but we already have 90k of records that is just too much to repopulate.

Thanks for you input.

Ralph Schoon
FORUM ADMINISTRATOR / FORUM MODERATOR / JAZZ DEVELOPER Aug 23 '22, 7:55 a.m.

Some comments from me: I am aware that some of the customer use Basic User Registry together with LDAP, to be able to manage the "user password expiration" enforced by IT on LDAP.

I have recently seen that the file was corrupted on an image by whatever means, so a backup is suggested.

showing 5 of 8 show 3 more comments
1 answer
853 views
0 votes

Accepted answer

Permanent link
Karen Steele
(1.2k5141150) Aug 23 '22, 7:29 a.m.

so its been a bit of a trial and error - the only way I could get it to work effectively is by removing the "account" restarting the server and then adding them back with the new password - a little tedious but if that's the way I have to do it till I get the AD then so be it.

Ralph Schoon selected this answer as the correct answer

0 votes

Your answer

Register or log in to post your answer.

Dashboards and work items are no longer publicly available, so some links may be invalid. We now provide similar information through other means. Learn more here.

Ask a question
Guidelines
FAQ
Search context
Follow this question

By Email: 

Once you sign in you will be able to subscribe for any updates here.

By RSS:

Answers
Answers and Comments
Question details
× 7,496
× 1,326
× 162

Question asked: Aug 22 '22, 12:49 p.m.

Question was seen: 853 times

Last updated: Aug 23 '22, 7:55 a.m.

Related questions
Confirmation Cancel Confirm