Siebel Security Guide > Security Adapter Authentication > Process of Configuring User and Credentials Password Hashing >
Guidelines for Password Hashing
This topic describes the factors you have to consider if you choose to implement password hashing with Siebel Business Applications.
This task is a step in Process of Configuring User and Credentials Password Hashing.
Guidelines for using password hashing with Siebel Business Applications include the following:
- The password hashing utility, hashpwd.exe, does not automatically store hashed passwords in the Siebel database or LDAP or ADSI directory. The administrator is responsible for defining and storing the hashed passwords. A hashed password is stored in one of the following locations:
- In a database authentication environment, the hashed password is set as the valid password for the database account.
- In an LDAP or ADSI authentication environment, the hashed password is stored in the attribute specified for the user's password.
- The unhashed version of the password is given to a user to use when logging in.
- Stored passwords must first be hashed with the same hashing algorithm (typically, RSA SHA-1) that will be applied to the passwords in the authentication process.
- However, database credentials passwords stored outside of the Siebel database must be stored in unhashed form, because such passwords are hashed during the authentication process.
- With database authentication, the Siebel Server components that log in to the database must use the hashed password value stored in the Siebel database. Otherwise, the component login fails.
For example, when you run the Generate Triggers (GenTrig) component, the value provided for the PrivUserPass parameter (used along with the PrivUser parameter) must be the hashed password value.
To determine if a Siebel Server component uses a hashed password, select the component from the Enterprise Component Definition View and query for the component parameter OM - Data Source. If the value that OM - Data Source references has DSHashAlgorithm set to a hashing algorithm and DSHashUserPwd set to TRUE, it means that the component can accept an unhashed password and hash it using the specified parameters.
- Password hashing must be specified consistently for all Siebel Enterprise components that will work together. For example, all Siebel Servers subject to AOM load balancing must use the same security adapter settings, including those for password hashing, or component login fails.
- For the Siebel Mobile Web Client, password hashing for the local database password has the following requirements:
- The parameter Encrypt client Db password (alias EncryptLocalDbPwd) must have been set to TRUE for the server component Database Extract (alias DbXtract) at the time the user's local database was extracted. See Siebel Remote and Replication Manager Administration Guide for details.
- The database security adapter must be in effect for the Mobile Web Client, and the DSHashUserPwd and DSHashAlgorithm parameters must be set appropriately for the data source specified for the security adapter. For more information, see Configuring Database Authentication and Siebel Application Configuration File Parameters.