Security Guide for Siebel Business Applications > Security Adapter Authentication > Configuring Password Hashing >
Usage Guidelines for Password Hashing
Guidelines for using password hashing for Siebel Business Applications include the following:
- The password hashing utility, hashpwd.exe, does not automatically store hashed passwords in the Siebel Database or LDAP/ADS directory. The administrator is responsible for defining and storing the hashed passwords. A hashed password is stored in one of the following locations:
- In a database authentication environment, it is set as the valid password for the database account.
- In an LDAP/ADSI authentication environment, it is stored in the attribute specified for the user's password.
- The unhashed version of the password is given to a user to use when logging in.
- Stored passwords must first be hashed with the same hashing algorithm (typically, RSA SHA-1) that will be applied to the passwords in the authentication process.
- However, database credentials passwords stored outside of the Siebel Database should be stored in unhashed form, because such passwords will be hashed during the authentication process.
- With database authentication, Siebel Server components that log into the database must use the hashed password value stored in the Siebel Database. Otherwise, component login will fail.
For example, when you run the Generate Triggers (GenTrig) component, the value provided for the
PrivUserPass parameter (used along with the
PrivUser parameter) must be the hashed password value.
To determine if a Siebel Server component uses a hashed password, select the component from the Enterprise Component Definition View and query for the component parameter OM - Data Source. If the value that OM - Data Source references has DSHashAlgorithm set to a hashing algorithm and DSHashUserPwd set to TRUE, it means that the component can accept an unhashed password and hash it using the specified parameters.
- Password hashing must be specified consistently for all Siebel Enterprise components that will work together. For example, all Siebel Servers subject to AOM load balancing must use the same security adapter settings, including those for password hashing, or component login will fail.
- For the Siebel Mobile Web Client, password hashing for the local database password has the following requirements:
- The parameter
Encrypt client Db password (alias
EncryptLocalDbPwd) must have been set to
TRUE for the server component Database Extract (alias DbXtract) at the time the user's local database was extracted. See Siebel Remote and Replication Manager Administration Guide for details.
- The database security adapter must be in effect for the Mobile Web Client, and the
DSHashAlgorithm parameters must be set appropriately for the data source specified for the security adapter. For more information, see Configuring Database Authentication and Siebel Application Configuration File Parameters.