Jazz Authorization Server does not recognize user password after a change

Karen Steele (1.2k2136141) | asked Aug 22 '22, 12:49 p.m.
edited Aug 22 '22, 12:56 p.m.
We are awaiting an AD to tie jazz authorization server to.  In the meantime, we are using the basic user registry.

I have 4 accounts specified - all of which are admins
By way of example I added myself SteeleK - assigned myself a cleartext password
I was able to login without error with this information

When the time came for the 90 day reminder from other system, I proceeded to do the following :
1. went to the JAS server
2. Stopped the server
3. Edited the localuserregistry.xml
4. updated my password against the SteeleK entity
5. restarted the JAS server

Login at the RTC instance no longer recognizes my account and claims invalid password ...

I have the same issue when I adjust other users .. am I missing something here? It should be pretty straight forward

... log files say "specified principal name SteeleK is not found in the back-end repository" ... when all I did was change the cleartext password

Ian Barnard commented Aug 23 '22, 4:39 a.m. | edited Aug 23 '22, 4:47 a.m.

Cleartext password e.g.

        <user name="ibm" password="ibm"/>

are automatically written back by Liberty hashed (obfuscated) i.e.

        <user name="ibm" password="{aes}AFPECwrAiTrycSRkWmib7TPhrvQoNVWDCDtaS+SQpKZF"/>

Where the tag {aes} tells Liberty what the hash method is.

When you update the password in cleartext, you should have removed the tag {aes}? 

Or can you restore a backup of the XML to temporarily get back to your original password?

Karen Steele commented Aug 23 '22, 5:57 a.m.

and where exactly is that tag - I'm merely looking at the localuserregistry.xml file ... there is no such tag in that file.

Ralph Schoon commented Aug 23 '22, 6:11 a.m.

This is how the file usually looks. I highlighted the tag.

Karen Steele commented Aug 23 '22, 6:21 a.m.
this presumes the passwords are encoded - I have cleartext e.g. Passw0rd in there not an encoded value

I'm given to understand, whilst we have the files for basicuseregistry that it's actually not supported (sigh) - let me try encoding the passwords and see if that fixes it .. it really does appear to be 50/50 as two other entries all with cleartext passwords are working correctly.

Karen Steele commented Aug 23 '22, 7:09 a.m. | edited Aug 23 '22, 7:28 a.m.
so I've encoded the values and they still don't work - out of the 5 accounts only 3 work encoded or plain text .. the log is saying the same principal account name X is not found in the back end repository - the account worked before we changed its password so it's definitely in there

With trial and error, removing, restarting the server, then adding back it now accepts them all with encoded - thanks for the inputs

Ian Barnard commented Aug 23 '22, 7:11 a.m. | edited Aug 23 '22, 7:12 a.m.

AFAIK there's no need to encode the password, Liberty will notice a cleartext password and write it back to the user registry XML hashed and with {aes} prefixed, just like it did when you put your original cleartext password in. If you need to update the password remove the {aes} and put the new cleartext password in. After Liberty has started it should update the file with the hashed value.

Yes, basic user registry is just how its name reads - it's not suitable for any form of production use.
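
As an added example (not code from the thread, from Jazz or from Liberty): a small Python helper that performs the edit Ian describes, dropping the {aes} tag and writing the new cleartext value so Liberty rehashes it on startup, after taking the file backup Ralph recommends. The `<server>`/`<basicRegistry>` wrapper and the placeholder {aes} values in the constructed sample are assumptions; only the `<user .../>` lines appear in the thread, and the server should be stopped before the file is edited and restarted afterwards, as in the steps above.

```python
import re
import shutil
import tempfile
import xml.etree.ElementTree as ET
from pathlib import Path

# Constructed sample registry: the <server>/<basicRegistry> wrapper is assumed, only
# the <user .../> entries appear in the thread; the {aes} values are placeholders.
SAMPLE_REGISTRY = """<server>
  <basicRegistry id="basic" realm="customRealm">
    <user name="ibm" password="{aes}PLACEHOLDER_OLD_VALUE_1"/>
    <user name="SteeleK" password="{aes}PLACEHOLDER_OLD_VALUE_2"/>
  </basicRegistry>
</server>
"""

TAG_RE = re.compile(r"^\{[A-Za-z0-9]+\}")  # e.g. {aes}; untagged values get rehashed by Liberty

def is_tagged(value: str) -> bool:
    """True when the password already carries a hash/obfuscation tag such as {aes}."""
    return TAG_RE.match(value) is not None

def set_cleartext_password(xml_text: str, user: str, new_password: str) -> str:
    """Return the registry text with `user`'s password replaced by the cleartext value.
    The tag is dropped on purpose: Liberty writes the entry back with {aes} on startup.
    Refuses a missing or duplicated user so a typo cannot create or clobber the wrong entry.
    """
    root = ET.fromstring(xml_text)
    hits = [u for u in root.iter("user") if u.get("name") == user]
    if len(hits) != 1:
        raise ValueError(f"expected exactly one <user name={user!r}>, found {len(hits)}")
    if is_tagged(new_password):
        raise ValueError("give the new password in cleartext, without a {aes}-style tag")
    hits[0].set("password", new_password)
    return ET.tostring(root, encoding="unicode")

def update_registry_file(path: Path, user: str, new_password: str) -> Path:
    """Back up the file first (as Ralph suggests), then rewrite it; returns the backup path."""
    backup = path.with_name(path.name + ".bak")
    shutil.copy2(path, backup)
    path.write_text(set_cleartext_password(path.read_text(), user, new_password))
    return backup

if __name__ == "__main__":  # stop the JAS server before running this, restart it after
    with tempfile.TemporaryDirectory() as tmp:
        reg = Path(tmp) / "localuserregistry.xml"  # constructed copy, not the live file
        reg.write_text(SAMPLE_REGISTRY)
        print(update_registry_file(reg, "SteeleK", "N3w-Cleartext"), reg.read_text())
```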

Karen Steele commented Aug 23 '22, 7:31 a.m.
thanks Ian ... as you can see from my other comments I got it working .. tedious but it's working ... I'd zap the lot and take out JAS but we already have 90k of records that is just too much to repopulate.

Thanks for your input.

Ralph Schoon commented Aug 23 '22, 7:55 a.m.

Some comments from me: I am aware that some of the customers use Basic User Registry together with LDAP, to be able to manage the "user password expiration" enforced by IT on LDAP.

I have recently seen that the file was corrupted on an image by whatever means, so a backup is suggested.


Accepted answer

Karen Steele (1.2k2136141) | answered Aug 23 '22, 7:29 a.m.

so it's been a bit of a trial and error - the only way I could get it to work effectively is by removing the "account" restarting the server and then adding them back with the new password - a little tedious but if that's the way I have to do it till I get the AD then so be it.

Ralph Schoon selected this answer as the correct answer
