Encryption of operator passwords

The HPE Service Manager server encrypts all operator passwords stored on the database using a SHA512 one-way encryption process that cannot be decrypted. The server automatically encrypts existing passwords on your system the first time they are accessed. You can also do a mass update of the operator table to convert all passwords at once.

You need to update the SQL mapping for the password field to accept a larger character limit. The data policy settings are as follows.

Database object	Requirement
Table	operator
Field	password
Data type	VARCHAR
Size	136 characters

Automatic operator password encryption replaces the legacy data policy encryption option that was controlled by the encryptionkey parameter. To convert to the automatic operator password encryption scheme in legacy systems, you must first turn off the existing data policy encryption. The server updates the password encryption the next time it reads the operator record.

Service Manager clients use a two-way encryption process (PBE with MD5, DES in non-FIPS mode, and AES in FIPS mode) to secure operator passwords when communicating with the server. The server decrypts the password sent from the client and then one-way encrypts it to compare the results to the encrypted value stored in the database. The server never stores the operator password in an unencrypted form.

If your Service Manager implementation uses LDAP authentication, the server must still send an unencrypted operator password to the directory service because LDAP servers are unaware of Service Manager's encryption scheme. If you require encryption between Service Manager and the LDAP server, you can configure OpenSSL or another standard encryption scheme between the two servers.