
File System Store (XML File Store)


BI Presentation Services supports an XML file store that may contain the following items:

  • References to certificates and private keys on disk
  • Username and password based credentials embedded inline

The XML file is in a proprietary format:

  • The namespace for all elements in the XML file is com.siebel.analytics.web.credentialStore/v1.
  • The prefix for the namespace is sawcs.
  • Different types of XML nodes are used to specify the locations of the various files, and to associate each credential with an alias. The file format supports encrypted key files, as well as encrypted passwords.
  • The root node for the XML file is credentialStore. The possible sub-nodes are credential, trustedCertificate and trustedCertificateDir.

A default credential store in XML format, credentialstore.xml, is provided. It is located in one of the following directories:

  • Windows: OracleBIData_HOME\web\config
  • Linux or UNIX: OracleBIData_HOME/web/config

A utility called CryptoTools is provided for the XML file manipulation. CryptoTools is located in one of the following directories:

  • Windows: OracleBI_HOME\web\bin
  • Linux or UNIX: OracleBI_HOME/web/bin

For more information about the usage and syntax of the CryptoTools utility, see Using the CryptoTools Utility.

The XML file structure is described in the following topics.

The Credential Element

The credential element defines one of several credentials stored within the credential store file. Two types of credentials are supported:

  • X.509 credentials, which are made up of a public certificate and a private key
  • Username/password based credentials

Table 5 lists the attributes of the credential element.

Table 5. credential Element Attributes

  Attribute Name | Required? | Description
  ---------------|-----------|----------------------------------------------------------
  type           | Yes       | Credential type. Possible values: x509, usernamePassword
  alias          | Yes       | The alias associated with this credential.

Username Password Credentials

A credential of type usernamePassword contains two sub-elements: username and password.

  • username: This element contains text which identifies a username known to the system. No attributes are specified for this element. The username should be specified as a text node(s) within the element.
  • password: The password element supports storage of plain text and encrypted passwords. When storing a password in plain text, the password should be specified as text node(s) within the element. When storing an encrypted password, the schema specified by the W3C XML Encryption Syntax and Processing standard is used.

In addition, the attributes used to specify a decryption passphrase are also permitted on the password element. If no passphrase is supplied here and one is required (that is, if the password is found to be encrypted), then the passphrase supplied in the general credential store configuration is used. For example, if a passphrase is supplied on the CredentialStorage node of the instanceconfig.xml file, that passphrase is used whenever an encrypted password is encountered. If no passphrase is supplied in the CredentialStorage node of instanceconfig.xml, then BI Presentation Services looks for the passphrase in the CredentialStore element of instanceconfig.xml.

The following are examples of the usernamePassword credential type in the XML file credential store.

NOTE:  In the following example of the usernamePassword credential type in the instanceconfig.xml, the alias for the credential is "impersonation" and the username is "Impersonator". The password is encrypted using a passphrase "password" and the passphrase is stored inline. BI Presentation Services will use the passphrase to decrypt the password.

<?xml version="1.0" encoding="utf-8" ?>
<sawcs:credentialStore xmlns:sawcs="com.siebel.analytics.web.credentialStore/v1"
                       xmlns:xenc="http://www.w3.org/2001/04/xmlenc#"
                       xmlns:pkcs-5="http://www.rsasecurity.com/rsalabs/pkcs/schemas/pkcs-5#">

   <!--
   This is a username password credential with an encrypted password that is required. In this example, the passphrase is shown inline.
   -->
   <sawcs:credential type="usernamePassword" alias="impersonation">
      <sawcs:username>Impersonator</sawcs:username>
      <sawcs:password passphrase="password">
         <xenc:EncryptedData>
            <xenc:EncryptionMethod Algorithm="http://www.rsasecurity.com/rsalabs/pkcs/schemas/pkcs-5#pbes2">
               <pkcs-5:PBES2-params Algorithm="http://www.rsasecurity.com/rsalabs/pkcs/schemas/pkcs-5#pbkdf2">
                  <pkcs-5:KeyDerivationFunc>
                     <pkcs-5:Parameters>
                        <pkcs-5:IterationCount>1024</pkcs-5:IterationCount>
                     </pkcs-5:Parameters>
                  </pkcs-5:KeyDerivationFunc>
                  <pkcs-5:EncryptionScheme Algorithm="http://www.w3.org/2001/04/xmlenc#tripledes-cbc"/>
               </pkcs-5:PBES2-params>
            </xenc:EncryptionMethod>
            <xenc:CipherData>
               <xenc:CipherValue>Ab76239KdhJiklj8967</xenc:CipherValue>
            </xenc:CipherData>
         </xenc:EncryptedData>
      </sawcs:password>
   </sawcs:credential>

   <!--
   This is a username password credential with an encrypted password. No passphrase is supplied, so any passphrase specified earlier would need to be used.
   -->
   <sawcs:credential type="usernamePassword" alias="testuser">
      <sawcs:username>testuser</sawcs:username>
      <sawcs:password>
         <xenc:EncryptedData>
            <xenc:EncryptionMethod Algorithm="http://www.rsasecurity.com/rsalabs/pkcs/schemas/pkcs-5#pbes2">
               <pkcs-5:PBES2-params Algorithm="http://www.rsasecurity.com/rsalabs/pkcs/schemas/pkcs-5#pbkdf2">
                  <pkcs-5:KeyDerivationFunc>
                     <pkcs-5:Parameters>
                        <pkcs-5:IterationCount>1024</pkcs-5:IterationCount>
                     </pkcs-5:Parameters>
                  </pkcs-5:KeyDerivationFunc>
                  <pkcs-5:EncryptionScheme Algorithm="http://www.w3.org/2001/04/xmlenc#tripledes-cbc"/>
               </pkcs-5:PBES2-params>
            </xenc:EncryptionMethod>
            <xenc:CipherData>
               <xenc:CipherValue>VwEp5qS69bwC8tGl+RmE+l0/1TZc4q0+</xenc:CipherValue>
            </xenc:CipherData>
         </xenc:EncryptedData>
      </sawcs:password>
   </sawcs:credential>

</sawcs:credentialStore>

X.509 Credentials

An X.509 credential element contains two sub-elements: key and certificate.

The key element describes a private key. See Table 6. All passphrase-related attributes specified in Table 4 are also supported for the key element.

Table 6. X.509 Credential Key Attributes

  Attribute Name | Required | Default            | Description
  ---------------|----------|--------------------|---------------------------------------------------
  path           | Yes      |                    | The file on disk where the private key is stored.
  encoding       | Yes      | Based on filename. | Encoding for the file. May be one of PEM or ASN1.

The certificate element describes a public certificate. See Table 7.

Table 7. certificate Element Attributes

  Attribute Name | Required | Default            | Description
  ---------------|----------|--------------------|---------------------------------------------------
  path           | Yes      |                    | The file on disk where the certificate is stored.
  encoding       | No       | Based on filename. | Encoding for the file. May be one of PEM or ASN1.

The trustedCertificateDir element describes a directory that contains CA certificates. All valid certificate files within this directory are read and assumed to be CAs. No alias can be assigned to these certificates, and the encoding is inferred from the file extensions.

The trustedCertificateDir element has one required attribute, path, which specifies the directory containing the CAs. See Table 8.

Table 8. trustedCertificate Element Attributes

  Attribute Name | Required | Default            | Description
  ---------------|----------|--------------------|---------------------------------------------------
  alias          | No       |                    | The (optional) alias for this certificate.
  path           | Yes      |                    | The file on disk where the certificate is stored.
  encoding       | No       | Based on filename. | Encoding for the file. May be one of PEM or ASN1.

The following is an example of a credential store XML file.

NOTE:  The credential has an alias of "testuser" and a username of "testuser". The password is encrypted using a passphrase. The passphrase itself has not been stored in the file. Therefore, BI Presentation Services will use the passphrase supplied in the instanceconfig.xml file to decrypt the password. If a passphrase has been specified as an attribute of the credentialStorage element that describes this credential store, then that passphrase will be used. Otherwise, the passphrase specified as an attribute of the credential node of the instanceconfig.xml file will be used.

<?xml version="1.0" encoding="utf-8" ?>
<sawcs:credentialStore xmlns:sawcs="com.siebel.analytics.web.credentialStore/v1"
                       xmlns:xenc="http://www.w3.org/2001/04/xmlenc#"
                       xmlns:pkcs-5="http://www.rsasecurity.com/rsalabs/pkcs/schemas/pkcs-5#">

   <!--
   For this key, the passphrase is provided inline. Care should be taken to protect this XML file suitably.
   -->
   <sawcs:credential type="x509" alias="obips">
      <sawcs:key
         encoding="pem"
         passphrase="password"
         path="d:/temp/certificates/obips.pem"/>
      <sawcs:certificate encoding="pem" path="d:/temp/certificates/obips.crt"/>
   </sawcs:credential>

   <!--
   For this key, the passphrase is provided in a file. Care should be taken to protect the passphrase file suitably.
   -->
   <sawcs:credential type="x509" alias="obi_isapi">
      <sawcs:key
         encoding="pem"
         passphraseFile="d:/temp/certificates/obi_isapi_pwd.txt"
         path="d:/temp/certificates/obi_isapi.pem"/>
      <sawcs:certificate encoding="pem" path="d:/temp/certificates/obi_isapi.crt"/>
   </sawcs:credential>

   <!--
   For this credential, execute the command line specified by passphraseLoader and assume that the program writes out the entire passphrase to standard output. If the program execution results in a non-zero return code, then this is considered an error, and the output will be ignored. Any leading/trailing whitespace in the passphrase will be trimmed out. The passphrase may only be composed of printable ASCII characters.
   -->
   <sawcs:credential type="x509" alias="obijavahost">
      <sawcs:key
         encoding="pem"
         passphraseLoader="d:/temp/certificates/getpassphrase.exe"
         path="d:/temp/certificates/obijavahost.pem"/>
      <sawcs:certificate encoding="pem" path="d:/temp/certificates/obijavahost.crt"/>
   </sawcs:credential>

   <!-- Individual CA certificates. -->
   <sawcs:trustedCertificate alias="obica" encoding="pem" path="d:/temp/certificates/obica.crt"/>
   <sawcs:trustedCertificate alias="verisign" encoding="pem" path="d:/temp/certificates/verisign.crt"/>
   <sawcs:trustedCertificate alias="thawte" encoding="pem" path="d:/temp/certificates/thawte.crt"/>

   <!--
   Directory with CA certificate files. Use file extension to guess encoding and no alias.
   -->
   <sawcs:trustedCertificateDir path="d:/temp/certificates/cacerts"/>

</sawcs:credentialStore>
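
The following Python script is an added example, not part of the Oracle documentation and not the CryptoTools utility. It reads a credential store in the format described in this topic and reports, per alias, how each secret is protected: whether a usernamePassword credential stores its password in the clear or as xenc:EncryptedData, the PBKDF2 iteration count inside that block, and whether the passphrase for a password or X.509 key comes from an inline passphrase attribute, a passphraseFile, a passphraseLoader, or (when none is given) the instanceconfig.xml fallback described above. The element names, attribute names and namespaces are taken from the examples on this page; the sample store embedded in the script is constructed for illustration, and the minimum-iteration threshold is a local policy choice rather than a value the product specifies.

```python
import xml.etree.ElementTree as ET

# Namespaces and passphrase attribute names exactly as they appear in the page's examples.
SAWCS = "com.siebel.analytics.web.credentialStore/v1"
XENC = "http://www.w3.org/2001/04/xmlenc#"
PKCS5 = "http://www.rsasecurity.com/rsalabs/pkcs/schemas/pkcs-5#"
PASSPHRASE_ATTRS = ("passphrase", "passphraseFile", "passphraseLoader")

def q(ns, tag):
    """Clark-notation name ElementTree uses for a namespaced element."""
    return "{%s}%s" % (ns, tag)

def passphrase_sources(elem):
    """Passphrase attributes set on a password/key element; [] means instanceconfig.xml is consulted."""
    return [a for a in PASSPHRASE_ATTRS if elem.get(a) is not None]

def audit_credential(cred, min_iterations):
    """Describe how one sawcs:credential protects its secret."""
    entry = {"alias": cred.get("alias"), "type": cred.get("type"),
             "passphrase": [], "kdf_iterations": None, "findings": []}
    if entry["type"] == "usernamePassword":
        pw = cred.find(q(SAWCS, "password"))
        enc = None if pw is None else pw.find(q(XENC, "EncryptedData"))
        if pw is None:
            entry["findings"].append("missing-password")
        elif enc is None:
            entry["findings"].append("plaintext-password")  # bare text node inside <password>
        else:
            entry["passphrase"] = passphrase_sources(pw)
            count = enc.find(".//" + q(PKCS5, "IterationCount"))  # PBKDF2 work factor
            entry["kdf_iterations"] = int(count.text) if count is not None and count.text else None
            if (entry["kdf_iterations"] or 0) < min_iterations:
                entry["findings"].append("low-kdf-iterations")
    elif entry["type"] == "x509":
        key, cert = cred.find(q(SAWCS, "key")), cred.find(q(SAWCS, "certificate"))
        if key is None or cert is None:
            entry["findings"].append("incomplete-x509")
        else:
            entry["passphrase"] = passphrase_sources(key)
    else:
        entry["findings"].append("unknown-type")
    if "passphrase" in entry["passphrase"]:
        # The page's own caveat: with an inline passphrase the XML file itself
        # must be protected like the key or password it unlocks.
        entry["findings"].append("inline-passphrase")
    return entry

def audit_store(xml_text, min_iterations=1024):
    """Audit a credentialStore document; min_iterations is local policy (1024 is the page's example value)."""
    root = ET.fromstring(xml_text)
    creds = [audit_credential(c, min_iterations) for c in root.findall(q(SAWCS, "credential"))]
    aliases = [c["alias"] for c in creds]
    return {
        "credentials": creds,
        "duplicate_aliases": sorted({a for a in aliases if aliases.count(a) > 1}),  # lookups are by alias
        "trusted_certificates": len(root.findall(q(SAWCS, "trustedCertificate"))),
        "trusted_cert_dirs": [d.get("path") for d in root.findall(q(SAWCS, "trustedCertificateDir"))],
    }

# Constructed sample store (not from the page): one cleartext password, two
# encrypted passwords and two X.509 keys with different passphrase sources.
ENC = ('<xenc:EncryptedData><xenc:EncryptionMethod Algorithm="%spbes2">'
       '<pkcs-5:PBES2-params><pkcs-5:KeyDerivationFunc><pkcs-5:Parameters>'
       '<pkcs-5:IterationCount>%d</pkcs-5:IterationCount></pkcs-5:Parameters>'
       '</pkcs-5:KeyDerivationFunc></pkcs-5:PBES2-params></xenc:EncryptionMethod>'
       '<xenc:CipherData><xenc:CipherValue>%s</xenc:CipherValue></xenc:CipherData>'
       '</xenc:EncryptedData>')
SAMPLE_STORE = """<?xml version="1.0" encoding="utf-8" ?>
<sawcs:credentialStore xmlns:sawcs="%s" xmlns:xenc="%s" xmlns:pkcs-5="%s">
  <sawcs:credential type="usernamePassword" alias="reportuser">
    <sawcs:username>reportuser</sawcs:username>
    <sawcs:password>Summer2006</sawcs:password>
  </sawcs:credential>
  <sawcs:credential type="usernamePassword" alias="impersonation">
    <sawcs:username>Impersonator</sawcs:username>
    <sawcs:password passphrase="password">%s</sawcs:password>
  </sawcs:credential>
  <sawcs:credential type="usernamePassword" alias="testuser">
    <sawcs:username>testuser</sawcs:username>
    <sawcs:password>%s</sawcs:password>
  </sawcs:credential>
  <sawcs:credential type="x509" alias="obips">
    <sawcs:key encoding="pem" passphrase="password" path="/tmp/certs/obips.pem"/>
    <sawcs:certificate encoding="pem" path="/tmp/certs/obips.crt"/>
  </sawcs:credential>
  <sawcs:credential type="x509" alias="obijavahost">
    <sawcs:key encoding="pem" passphraseLoader="/tmp/certs/getpassphrase" path="/tmp/certs/obijavahost.pem"/>
    <sawcs:certificate encoding="pem" path="/tmp/certs/obijavahost.crt"/>
  </sawcs:credential>
  <sawcs:trustedCertificate alias="obica" encoding="pem" path="/tmp/certs/obica.crt"/>
  <sawcs:trustedCertificateDir path="/tmp/certs/cacerts"/>
</sawcs:credentialStore>
""" % (SAWCS, XENC, PKCS5, ENC % (PKCS5, 1024, "Ab76239KdhJiklj8967"),
       ENC % (PKCS5, 100, "VwEp5qS69bwC8tGl+RmE+l0/1TZc4q0+"))

if __name__ == "__main__":
    for c in audit_store(SAMPLE_STORE)["credentials"]:
        print(c["alias"], c["passphrase"] or ["instanceconfig.xml"], c["findings"] or "ok")
```

Run stand-alone, the script prints one line per credential. A plaintext-password finding marks a password element whose only content is a text node; an inline-passphrase finding corresponds to the comment in the example above about protecting the XML file itself, since a passphrase stored next to the key or password it unlocks adds nothing unless the file is protected. Credentials with an empty passphrase list are the ones that depend on the passphrase configured in instanceconfig.xml, which is the case the NOTE above describes.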

Oracle® Business Intelligence Enterprise Edition Deployment Guide Copyright © 2006, Oracle. All rights reserved.