Passwords stored in a config.bog as hashes or in the legacy format are “portable”. This means that when the config.bog is used by another host, these passwords continue to work as they did on the original host. Note that station users (all User components under the station’s User Service) use password hashing.
However, in update releases, all “client” passwords stored in a config.bog in the new encrypted format are not portable. If the config.bog is used by a host that doesn’t have the encryption key that was used to store them originally, these passwords will not be usable, at least as-is. If you copy (install) that station file to a new host, start the station, then re-enter those client password values, the encrypted storage is properly “re-keyed”, and those passwords will then work.
In AX-3.8, improvements were made in the portability of client passwords in a station that is used in different hosts, making such operations unnecessary. See Improvements and changes in AX-3.8.
The importance of portability arises in the two different methods to archive a station:
Station backup
This is initiated from either Workbench or a Supervisor’s Provisioning mechanism, or directly from the BackupService in the station. A station backup results in a single distribution (.dist) file.
Station copy
This is done using the platform Station Copier tool. A station copy results in a config.bog file, plus typically other files, all under the station’s folder (file space).
The difference is that backup .dist files contain the key for the encrypted passwords, whereas station copies (config.bog files) do not.
Be sure to keep backup .dist files in a secure location. They have always contained sensitive information, for example a station’s config.bog file. They may also contain sensitive host platform information. In 2013 update releases (AX-3.7u1, AX-3.6u4, AX-3.5u4) or later, this includes files mentioned above.
When using an update release to perform station archives (backups, copies) and restoring the same, you should keep this difference in mind. Note in some cases it is desirable to transfer the encryption key along with the station database (for example, restoring or replacing to the same host). Yet in other cases, this is an unacceptable weakening of security. For more details, see Station archiving changes.
In an AX-3.8 system working with AX-3.8 hosts, these station archiving considerations do not apply. Station backups and copies are more straightforward. See Improvements and changes in AX-3.8.
Copyright © 2000-2016 Tridium Inc. All rights reserved.