This article applies to BoKS Manager 6.7.0, 6.7.1 and 7.0.0.

Description

IBM has added support for a Linux-compatible SHA512 password hashing algorithm on AIX 7.1 and 6.1. However, as this was not originally supported, BoKS does not support it on these platforms.

Resolution / Workaround

Apply hotfix HFBM-0120 for BoKS Manager 6.7 and HFBM-0121 for BoKS 7.0. These are available for download from the HelpSystems Community Portal.

These hotfixes add support for the Linux-compatible SHA512 password hashing algorithm on AIX 6.1 and 7.1.

NOTE: If any passwords in /etc/security/passwd are already in the Linux-compatible SHA512 password hash format (they start with $6$), this hotfix must be installed before running $BOKS_sbin/setup; otherwise, setup will complain that there are unsupported password hashing algorithms present.

If this hotfix is installed after BoKS has been set up, you must restart BoKS (using Boot) so the newly-installed boks_clntd_helper is running.

If the AIX support for the Linux-compatible SHA512 password hashing algorithm has been installed, you must run:

chsec -f /etc/security/login.cfg -s usw -a pwd_algorithm=6

to enable it and make BoKS store password hashes in this format. You can check if it is enabled using:

lssec -f /etc/security/login.cfg -s usw -a pwd_algorithm

This command should return usw pwd_algorithm=6 if the algorithm is enabled.
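The two checks described above (the NOTE about existing $6$ hashes and the pwd_algorithm setting) can be scripted as a pre-flight step. This is an added example, not code from the vendor or the hotfix; the function names are hypothetical and the sample stanza file is constructed so the script runs without touching a real system.

```shell
#!/bin/sh
# Added example (not vendor code). Function names are hypothetical.

# Print each user in an AIX-style /etc/security/passwd stanza file whose
# password attribute starts with $6$ (the Linux-compatible SHA512 format).
sha512_users() {
    awk '
        /^\*/ { next }                                  # comment line
        /^[^ \t]/ && $NF ~ /:$/ {                       # stanza header "name:"
            user = $1; sub(/:$/, "", user); next
        }
        $1 == "password" && $2 == "=" && index($3, "$6$") == 1 { print user }
    ' "$1"
}

# Succeed only if the given lssec output reports pwd_algorithm=6.
pwd_algorithm_enabled() {
    [ "$1" = "usw pwd_algorithm=6" ]
}

# Write a constructed sample stanza file (placeholder hashes) to the path in $1.
make_sample() {
    cat > "$1" <<'EOF'
* constructed sample, not real hashes
root:
        password = $6$CONSTRUCTEDSALT$CONSTRUCTEDHASHVALUE
        lastupdate = 1527200000
        flags =

alice:
        password = ab0CONSTRUCTED
        lastupdate = 1527200000

bob:
        password = *

carol:
        password = $6$ANOTHERSALT$ANOTHERCONSTRUCTEDHASH
EOF
}

sample=$(mktemp)
make_sample "$sample"
echo "Users with \$6\$ hashes: $(sha512_users "$sample" | tr '\n' ' ')"
if pwd_algorithm_enabled "usw pwd_algorithm=6"; then echo "pwd_algorithm=6 is set"; fi
rm -f "$sample"
```

On a real host, run `sha512_users /etc/security/passwd` as root and pass the output of the lssec command shown above to `pwd_algorithm_enabled`. Any user name printed by the first check means the hotfix must go in before $BOKS_sbin/setup is run.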

The following TLs are required for SHA512 support on AIX:

AIX 6.1 requires TL 6100-09-07-1614
AIX 7.1 requires TL 7100-04-00-0000

You must also apply the pwmod Licensed Program Product (LPP) package, which is available at: https://www.ibm.com/marketing/iwm/iwm/web/reg/pick.do?source=aixbp.

Additional instructions for getting LPA to run on AIX 6:

** Instructions on getting bos.rte.libc up to 6.1.9.101:

Make sure you have Java installed and accessible in your web browser.

  1. Go to http://www-01.ibm.com/support/docview.wss?uid=isg1fileset-870201775
  2. Click on the fix pack for 6100-09-07-1614
  3. Verify that you are presented with the Service pack 6100-09-07-1614 and click 'continue'
  4. Fill in your machine type and serial number
  5. Download files and install with smit or smitty


** Getting & installing Loadable Password Algorithm (LPA)

  1. Go to https://www-01.ibm.com/marketing/iwm/iwm/web/reg/download.do?source=aixbp&lang=en_US&S_PKG=pwmod&cp=UTF-8&dlmethod=http
  2. Install with smit or smitty


Last Modified On: May 25, 2018