Bookshelf v7.5: Upgrading to RC2 Encryption

Upgrade Guide for UNIX > Postupgrade Tasks >

Upgrading to RC2 Encryption

Release 7.5 delivers a new default encryption method based on the RC2 standard. The previous default encryption method (the Release 6.x or 7.x standard encryptor) is no longer supported, and data that used the standard encryptor cannot be read by 7.5 applications unless you upgrade your encryption method to RC2. Use the Encryption Upgrade Utility to convert unencrypted data and data that was encrypted using the standard encryptor to the RC2 encryption method.

CAUTION: Using a non-RC2 encryption method in a Unicode environment results in irrecoverable data loss.

Perform the following procedures to upgrade your encryption method:

Verify that all prerequisites are met. See Prerequisites for Upgrading to RC2 Encryption.
Make sure that the input file includes every column that you want to upgrade. See Modifying the Input File.
If you customized business component fields to use the old encryption method, verify that you have the correct user property definitions. See Changing User Properties.
Run keydbmgr.exe to change the password or add a new key to the database. See Changing the Password or Adding a New Key to a Database.
Determine which encryption you are going to use: 128-bit or 56-bit encryption.

If you are upgrading to 128-bit encryption, follow the instructions for upgrading to 128-bit encryption, To upgrade to 128-bit encryption (for the Strong Encryption Pack) and then continue with the upgrade to 56-bit encryption.
If you are upgrading to 56-bit encryption, see To upgrade to 56-bit encryption.

Prerequisites for Upgrading to RC2 Encryption

In order to upgrade to the RC2 encryption method, the following prerequisites must be fulfilled:

The Siebel Gateway and Siebel Server are installed.
The repository has been upgraded to the Release 7.5 schema, so that a new column has been created to store the key index for the encrypted column.
If you created or customized columns to use the old encryption method (the standard encryptor), for each encrypted column that you want to upgrade, you need to create a new column to store the key index.
If you have custom extension columns and you used the old encryption method (the standard encryptor), for each encrypted column that you want to upgrade, you need to
Verify that column sizes for custom extension columns are large enough to hold the new RC2 values.
NOTE: If you encounter the error, "ORA-01401: inserted value too large for column," then you need to increase your column sizes.

The key database (keyfile.bin) must already exist. (A default keyfile was created in the $SIEBEL_ROOT/siebsrvr/admin directory when you installed the Siebel Server.)
The password must be stored in the database.

Modifying the Input File

The input file encrypt_colums.inp indicates the table and column that store the encrypted data, and the table and column that store the key index. The input file is located in $SIEBEL_ROOT/ dbsrvr/bin directory. If you wish to execute the utility from the command line, place this file in the $SIEBEL_ROOT/ siebsrvr//bin directory.

The input file must include every column that you want to upgrade. The first line of the input file indicates a table name with brackets around it. The table name should be followed on subsequent lines by all the columns to be upgraded for that table. Each column requires a table column to store the key index, so this is specified after the column name; for example:

[TABLE_NAME]
COLUMN_NAME TABLE_NAME_FOR_KEY COLUMN_NAME_FOR_KEY

After each table, skip a line, and continue with subsequent tables. Here is a sample input file:

[S_ORDER]
CC_NUMBER S_ORDER CCNUM_ENCRPKEY_REF

[S_DOC_ORDER]
CC_NUMBER S_DOC_ORDER CCNUM_ENCRPKEY_REF

[S_PER_PAY_PRFL]
PAY_ACCNT_NUM S_PER_PAY_PRFL CCNUM_ENCRPKEY_REF

To support upgrade of non-encrypted field to RC2 encryption, add the letter N to the end of the column; for example:

[S_NEW_TABLE]
NAME S_NEW_TABLE NAME_KEY_INDEX N

Changing User Properties

If you customized business component fields to use the old encryption method (the standard encryptor), make sure that your custom buscomp field user properties are defined with the values provided in the table below. (An example is provided for the Quote business component.)

NOTE: By default, data encrypted using the old encryption method uses ROW_ID as the Encrypt Key Field. You may need to create a calculated field on each business component for the Encrypt Read Only Field.

Field User Property

Value

Example for the Quote BusComp

Encrypted

Y

Y

Encrypt Service Name

RC2 Encryptor

RC2 Encryptor

Encrypt Key Field

Key Index Field

Credit Card Number Key Index

Encrypt Read Only Field

Read Only Field

Credit Card Number Read Only

Changing the Password or Adding a New Key to a Database

If you need to change the password or add a new key to your database, perform the following steps.

To change the password or add a new key

Run keydbmgr.exe to change the password or add a new key to your database.
From $SIEBEL_ROOT/siebsrvr/bin, enter the following command:
keydbmgr.exe /U USERNAME /P PASSWORD /C CONFIGURATION_FILE_NAME /L LANGUAGE

where:

USERNAME = user name
PASSWORD = password
CONFIGURATION_FILE_NAME = name of the configuration file (the default is siebel.cfg). Make sure that the configuration file is pointing to the correct database.
LANGUAGE = The base language for your installation (the default is enu)
Example

keydbmgr.exe /u sadmin /p PASSWORD /c siebel.cfg /l enu

NOTE: Use the default password kdbpass to log in and change the password.

Upgrading Your Encryption Method

Follow the instructions below for the encryption you are going to use: 56-bit encryption or 128-bit encryption.

If you purchased the Strong Encryption Pack for 128-bit encryption, follow the instructions, To upgrade to 128-bit encryption (for the Strong Encryption Pack), and then continue with the upgrade to 56-bit encryption.
NOTE: Verify encryption requirements and constraints for your deployment before you upgrade your encryption to 128-bit.

If you perform the standard encryption upgrade to 56-bit encryption, skip the upgrade to 128-bit encryption, and go directly to the instructions To upgrade to 56-bit encryption.

To upgrade to 128-bit encryption (for the Strong Encryption Pack)

Backup your existing keyfile.
Run the keydbmgr.exe utility to change the keyfile password. See Changing the Password or Adding a New Key to a Database.
Install the Strong Encryption Pack that you purchased separately.
Run keydbupgrade.exe to upgrade to 128-bit encryption.
From $SIEBEL_ROOT/siebsrvr/bin, enter the following command:
keydbupgrade.exe /U USERNAME /P PASSWORD /C CONFIGURATION_FILE_NAME /L LANGUAGE

where:

USERNAME = user name
PASSWORD = password
CONFIGURATION_FILE_NAME = name of the configuration file (the default is siebel.cfg)
LANGUAGE = base language for your installation (the default is enu)
Example

keydbupgrade.exe /u sadmin /p PASSWORD /c siebel.cfg /l enu

Continue by upgrading to 56-bit encryption. See To upgrade to 56-bit encryption.
Use srvrmgr to update entparam in the Siebel Gateway:
change entparam password=db_password

Restart the server.
Repeat these steps on each machine that has an existing Strong Encryption Pack installed.

To upgrade to 56-bit encryption

Verify that the input file encrypt_colums.inp includes all columns that you want to upgrade. If necessary, review Modifying the Input File.
Run encryptupg.exe to upgrade to 56-bit encryption.
From $SIEBEL_ROOT/siebsrvr/bin, enter the following command:
encryptupg.exe /U USERNAME /P PASSWORD /C ODBC_CONNECT_STRING /D TABLEOWNER /J INPUT_FILE /N "REPOSITORY_NAME" /K KEY_FILE_NAME /L LOG_FILE

where:

USERNAME = user name for the database
PASSWORD = password for the database
ODBC_CONNECT_STRING = ODBC connect string for the database
TABLEOWNER = tableowner for the database
INPUT_FILE = name of your input file
(The default name is encrypt_columns.inp.)
"REPOSITORY_NAME" = name of the repository entered in quotation marks
(The default name is Siebel Repository.)
KEY_FILE_NAME = absolute path to the key file
(The default location is siebsrvr\admin\keyfile.bin.)
LOG_FILE = name of the log file
(The default name is encryptupg.log.)
NOTE: If you have custom encrypted fields, you can validate that all business component fields are pointing to the same column by appending the command with "/v y". For example,
encryptupg.exe /UUSERNAME /P PASSWORD /C ODBC_CONNECT_STRING /D TABLEOWNER /J INPUT_FILE /N REPOSITORY_NAME /K KEY_FILE_NAME /L LOG_FILE /v yBut, some business components may not use the same column intentionally.

Repeat Step 2, encryptupg.exe, for each additional database. For each database, use the appropriate user name, password, ODBC connect string, and tableowner.
After the upgrade is complete, compile a new Siebel repository file. See Producing a New Custom Configuration File.

Troubleshooting the Upgrade to RC2 Encryption

If you fail to change user properties, you may get one or more of the following repository validation error messages. Examples of possible errors and sample remedies are provided below:

Possible Error: Validation failed for Personal Payment Profile buscomp, Account Number field does not have field user property Encrypt Key Field defined or activated.
Sample Fix: Go to the Personal Payment Profile business component, Account Number field, and verify that the following field user properties exist:

Encrypted = Y

Encrypt Key Field = KEY_INDEX_FIELD

Encrypt Service Name = RC2 Encryptor

Possible Error: Validation failed for S_PER_PAY_PRFL table, PAY_ACCNT_NUM column. User properties for Personal Payment Profile buscomp, Account Number field does not match FS Invoice buscomp, Credit Card Number field.
Sample Fix: Go to FS Invoice buscomp, Credit Card Number field and make sure the three required field user properties match the ones in Personal Payment Profile buscomp, Account Number field.

Possible Error: Validation failed. Personal Payment Profile buscomp, Payment Key Index index field's table and column name does not match FS Invoice buscomp, Credit Card Key Index index field.
Sample Fix: Go to the Personal Payment Profile buscomp, and make sure that the Payment Key Index field points to the same column as the Credit Card Key Index field in the FS Invoice buscomp.

Field User Property	Value	Example for the Quote BusComp
Encrypted	`Y`	`Y`
Encrypt Service Name	`RC2 Encryptor`	`RC2 Encryptor`
Encrypt Key Field	`Key Index Field`	`Credit Card Number Key Index`
Encrypt Read Only Field	`Read Only Field`	`Credit Card Number Read Only`

Upgrade Guide for UNIX
Published: 20 October 2003