Starting from IGEL Universal Management Suite (UMS) version 12.12.100, the UMS can hash passwords for OS 12 devices defined in the IGEL UMS Web App with BCrypt instead of SHA-512.
This change can only be made before any device has been registered or any profile has been created in the IGEL UMS.
BCrypt hashing is only available for OS 12 devices and only in the IGEL UMS WebApp.
Changing the hashing algorithm to BCrypt is not FIPS-compliant.
Prerequisites
- The UMS needs to be installed, see IGEL UMS Installation.
How to activate BCrypt password hashing
If you install a Distributed or High Availability (HA) UMS environment, follow the workflow below once, on the first server installed.
- Start the UMS.
- Open the SQL Console in the UMS Administrator or in the UMS Console.
- Set the global configuration with the following command:
    update config_settings set cs_value = 'true' where cs_key = 'BCRPYT_REPLACE_FOR_SHA512'
  If you get an error, insert the global configuration with the following command:
    insert into config_settings (cs_key, cs_value) values ('BCRPYT_REPLACE_FOR_SHA512', 'true')
- Check if the global configuration was set with the following command:
    select * from config_settings where cs_key = 'BCRPYT_REPLACE_FOR_SHA512'
- Stop the UMS Server and restart it again.
Verify Password Values in the Database
Once you have set the global parameter, create a profile including a password parameter or directly set a password for a device. You can then check the values in the database with the following command:
select * from (
select classname, pvalue from profilesettings p
union all
select classname, pvalue from profileinstancesettings p
union all
select classname, pvalue from thinclientsettings p
union all
select classname, pvalue from thinclientinstancesettings p
) a
where classname like '%password'
and pvalue like '<$%'
The result should only contain values starting with ‘$2b$’, which indicates the BCrypt version ‘2b’.
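
The following is an added example, not part of the IGEL documentation: a Python check for rows exported from the verification query above, confirming that each value is a well-formed '$2b$' BCrypt string and reporting its cost factor. The class names and hash strings are constructed placeholders, and failing rows are reported without echoing the stored value.

```python
import re

# bcrypt string layout: $2b$<2-digit cost>$<22-char salt><31-char digest>,
# written in bcrypt's own base64 alphabet (./A-Za-z0-9).
BCRYPT_2B = re.compile(r"\$2b\$(\d{2})\$[./A-Za-z0-9]{53}")

def check_value(pvalue):
    """Return (ok, detail) for one pvalue from the verification query."""
    m = BCRYPT_2B.fullmatch(pvalue)
    if m is None:
        return False, "not a well-formed $2b$ bcrypt string"
    cost = int(m.group(1))
    if not 4 <= cost <= 31:  # cost range that bcrypt accepts
        return False, f"invalid cost {cost}"
    return True, f"bcrypt 2b, cost {cost}"

def audit(rows):
    """rows: iterable of (classname, pvalue). Return the rows that fail."""
    failures = []
    for classname, pvalue in rows:
        ok, detail = check_value(pvalue.strip())
        if not ok:
            # Report the class name only, never the stored value itself.
            failures.append((classname, detail))
    return failures

# Constructed sample rows: hypothetical class names, placeholder strings
# (syntactically shaped like bcrypt output, not real hashes).
TAIL = "A" * 22 + "b" * 31
SAMPLE_ROWS = [
    ("example.user.password", "$2b$12$" + TAIL),   # expected form
    ("example.vnc.password", "$2a$12$" + TAIL),    # other bcrypt version
    ("example.wifi.password", "0" * 128),          # constructed non-bcrypt value
    ("example.admin.password", "$2b$03$" + TAIL),  # cost below bcrypt minimum
]

if __name__ == "__main__":
    for classname, detail in audit(SAMPLE_ROWS):
        print(f"FAIL {classname}: {detail}")
```

An empty result from audit() corresponds to the expected outcome described above, where every returned value starts with '$2b$'.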