PingDS 8.0.0

PBKDF2-HMAC-SHA512T256 Password Storage Scheme (LEGACY)

LEGACY since 8.0.0: The key truncation used is non-standard. Alternative: A strong hash-based scheme such as PBKDF2-HMAC-SHA512.

The PBKDF2-HMAC-SHA512T256 Password Storage Scheme provides a mechanism for encoding user passwords using the PBKDF2-HMAC-SHA512T256 message digest algorithm.

This scheme contains an implementation for the user password syntax, with a storage scheme name of "PBKDF2-HMAC-SHA512T256". The derived key is truncated at 256 bits in a non-standard way, and is only recommended for use when interoperating with other systems requiring this behavior.

Parent

The PBKDF2-HMAC-SHA512T256 Password Storage Scheme object inherits from PBKDF2 Password Storage Scheme.

PBKDF2-HMAC-SHA512T256 Password Storage Scheme properties

You can use configuration expressions to set property values at startup time. For details, see Property value substitution.

Basic Properties Advanced Properties

enabled
pbkdf2-iterations
rehash-policy

java-class
remote-password-hashing-base-uri
remote-password-hashing-connection-timeout
remote-password-hashing-enabled
remote-password-hashing-max-connections
remote-password-hashing-request-timeout

Basic properties

Use the --advanced option to access advanced properties.

enabled

Synopsis

Indicates whether the Password Storage Scheme is enabled for use.

Default value

None

Allowed values

true

false

Multi-valued

No

Required

Yes

Admin action required

None

Advanced

No

Read-only

No

pbkdf2-iterations

Synopsis

The number of algorithm iterations to make.

Description

By default, changes to this setting impact only newly created and updated passwords. However, if the rehash-policy is set to always or only-increase, it causes the server to recalculate each user’s password hash on their next authentication, and write the new hash to the user’s entry on disk. Changing the number of iterations therefore leads to a short-term spike in CPU and disk use as the server updates each user’s password when they next authenticate. Longer term, increasing this settings results in more secure passwords at the expense of longer response times and lower throughput.

Default value

10000

Allowed values

An integer.

Lower limit: 1.

Multi-valued

No

Required

No

Admin action required

None

Advanced

No

Read-only

No

rehash-policy

Synopsis

Indicates whether the server should rehash passwords after the cost has been changed.

Description

Passwords will be rehashed when a user successfully authenticates. Note that rehashing will increase the write load on the server.

Default value

never

Allowed values

  • never: Never rehash passwords when the cost changes. Only rehash passwords when the password is modified.

  • only-decrease: Only rehash passwords when the cost has been decreased (downgrade the security of the hashed password).

  • only-increase: Only rehash passwords when the cost has been increased (do not downgrade the security of the hashed password).

Multi-valued

No

Required

No

Admin action required

None

Advanced

No

Read-only

No

Advanced properties

Use the --advanced option to access advanced properties.

java-class

Synopsis

Specifies the fully-qualified name of the Java class that provides the PBKDF2-HMAC-SHA512T256 Password Storage Scheme implementation.

Default value

org.opends.server.extensions.PBKDF2HmacSHA512T256PasswordStorageScheme

Allowed values

A Java class that extends or implements:

  • org.opends.server.api.PasswordStorageScheme

Multi-valued

No

Required

Yes

Admin action required

None

Advanced

Yes

Read-only

No

remote-password-hashing-base-uri

Synopsis

Specifies the base URI to connect to the password hashing microservice.

Default value

None

Allowed values

A string.

Multi-valued

No

Required

No

Admin action required

None

Advanced

Yes

Read-only

No

remote-password-hashing-connection-timeout

Synopsis

Specifies the timeout to use when connecting to the password hashing microservice.

Default value

10 s

Allowed values

Uses duration syntax.

Lower limit: 0 seconds.

Multi-valued

No

Required

No

Admin action required

None

Advanced

Yes

Read-only

No

remote-password-hashing-enabled

Synopsis

Specifies whether to delegate password hashing to a dedicated microservice.

Default value

false

Allowed values

true

false

Multi-valued

No

Required

No

Admin action required

None

Advanced

Yes

Read-only

No

remote-password-hashing-max-connections

Synopsis

Specifies the maximum number of connections to the password hashing microservice.

Default value

64

Allowed values

An integer.

Lower limit: 0.

Multi-valued

No

Required

No

Admin action required

None

Advanced

Yes

Read-only

No

remote-password-hashing-request-timeout

Synopsis

Specifies the timeout for a request to the password hashing microservice.

Default value

10 s

Allowed values

Uses duration syntax.

Lower limit: 0 seconds.

Multi-valued

No

Required

No

Admin action required

None

Advanced

Yes

Read-only

No