A DB Password Encryption

Note:

This appendix has been updated in its entirety for JD Edwards EnterpriseOne Tools Release 9.1 Update 3.

THIS APPENDIX IS PROVIDED "AS IS" WITHOUT WARRANTY OF ANY KIND, EXPRESSED OR IMPLIED, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE, OR NON-INFRINGEMENT. This publication could include technical inaccuracies or typographical errors. This publication does not make recommendations, implied or actual. It provides guidelines; however, due to the wide variety of networking, hardware and software configurations found in JD Edwards EnterpriseOne installations, no guarantees can be made that specific results are achievable in any particular installation. Changes are periodically added to the information herein. These changes will be incorporated in new editions of the publication. Oracle may make improvements and changes at any time to the products and programs described in this publication.

This appendix contains the following topics:

  • A.1 Understanding the Problem

  • A.2 Preparing for Installation

  • A.3 Updating JD Edwards EnterpriseOne

  • A.4 Reviewing the Installation

  • A.5 Rolling Back the Software

  • A.6 Copyright

This appendix is intended for an administrator who is going to apply the EnterpriseOne Tools Release at the customer site. It is assumed that the reader has knowledge of JD Edwards EnterpriseOne and CNC technology.

A.1 Understanding the Problem

Starting with JD Edwards EnterpriseOne Tools 9.1.3, the algorithm used to encrypt EnterpriseOne passwords has been changed to a one-way hash. This enhancement addresses the vulnerability that exists when passwords are stored in the database in a recoverable form, and the associated installation and migration issues. The solution updates the passwords stored in the database to a higher encryption standard.

A.1.1 Converting Security

This EnterpriseOne Tools 9.1.3 enhancement improves the security of passwords stored in the database by replacing existing password encryption with one-way hash encryption. This conversion from the old encryption to the one-way hash encryption occurs in these instances:

  • When a user login occurs AND the following setting is in the Enterprise Server jde.ini file:

    [SECURITY]

    ONTHEFLYMIGRATION=1

    During the user login, the security kernel checks whether the user record in the security table is stored using the old encryption. If it is stored using the old encryption, the kernel updates all user records in security tables to one-way hash encryption. Since this happens only once, the impact to the login process is minimal.

    Important:

    This setting is not available in Server Manager. An administrator must add this setting to the Enterprise Server jde.ini file to enable one-way hash encryption for existing user passwords.
  • When the administrator adds a user to EnterpriseOne.

    When the administrator adds a user record, a message is sent to the security kernel for processing. The security kernel encrypts the password using one-way hash encryption and inserts the user records in the security tables.

In summary, starting with EnterpriseOne Tools 9.1.3, new users added to EnterpriseOne will have their passwords encrypted with one-way hash. For existing users, EnterpriseOne will use one-way hash for password encryption only if you add the ONTHEFLYMIGRATION=1 setting to the Enterprise Server jde.ini file.
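The two conversion paths above (re-encryption of existing records on login when ONTHEFLYMIGRATION=1, and hashing at creation for new users) can be made concrete with a small model of the security kernel's behaviour. The following is an added example and not JD Edwards code: the page does not describe the legacy reversible cipher or the one-way hash that Tools 9.1.3 uses, so the XOR stand-in keyed by LEGACY_KEY and PBKDF2-HMAC-SHA256 are constructed placeholders, and the dict-based security table stands in for F98OWSEC. It also shows why an Enterprise Server below 9.1.3 can no longer authenticate a migrated record, which the page covers later under "Reviewing the Installation".

```python
"""On-the-fly password migration at login, modelled on A.1.1.

Added example: this is not JD Edwards code. The page does not describe the
legacy reversible cipher or the one-way hash that Tools 9.1.3 uses, so the
XOR stand-in (LEGACY_KEY) and PBKDF2-HMAC-SHA256 below are constructed
placeholders; the security-table layout (a dict) is likewise illustrative.
"""
import hashlib
import hmac
import os

LEGACY_KEY = b"constructed-stand-in-key"  # placeholder, not the real legacy key
SALT_LEN = 16
PBKDF2_ROUNDS = 100_000  # assumption: a typical cost for a password KDF


def _xor(data: bytes) -> bytes:
    return bytes(b ^ LEGACY_KEY[i % len(LEGACY_KEY)] for i, b in enumerate(data))


def legacy_encrypt(password: str) -> bytes:
    """Stand-in for the old scheme: reversible, so anyone holding the key and
    the table can recover every password. That is the weakness being removed."""
    return _xor(password.encode())


def legacy_decrypt(blob: bytes) -> str:
    return _xor(blob).decode()


def hash_password(password: str, salt=None) -> bytes:
    """One-way: salt || PBKDF2(password). Nothing stored lets the password be recovered."""
    salt = os.urandom(SALT_LEN) if salt is None else salt
    return salt + hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)


def verify_hash(password: str, stored: bytes) -> bool:
    salt, digest = stored[:SALT_LEN], stored[SALT_LEN:]
    probe = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)
    return hmac.compare_digest(probe, digest)


def legacy_table(users: dict) -> dict:
    """Constructed F98OWSEC stand-in: every record still in the old format."""
    return {u: {"fmt": "LEGACY", "data": legacy_encrypt(p)} for u, p in users.items()}


def add_user(table: dict, user: str, password: str) -> None:
    """Tools 9.1.3+ path for a new user: always stored as a one-way hash."""
    table[user] = {"fmt": "HASH", "data": hash_password(password)}


def migrate_all(table: dict) -> int:
    """Convert every legacy record to the one-way hash. Possible only because the
    old scheme is reversible; after this there is no way back to the old format."""
    converted = 0
    for rec in table.values():
        if rec["fmt"] == "LEGACY":
            rec["data"] = hash_password(legacy_decrypt(rec["data"]))
            rec["fmt"] = "HASH"
            converted += 1
    return converted


def login_913(table: dict, user: str, password: str, on_the_fly_migration: bool):
    """Login on a Tools 9.1.3+ Enterprise Server.
    Returns (authenticated, records_migrated). Migration runs at most once per
    table because afterwards no LEGACY records remain. Gating it on a successful
    password check is this example's choice, not something the page states."""
    rec = table.get(user)
    if rec is None:
        return False, 0
    if rec["fmt"] == "HASH":
        return verify_hash(password, rec["data"]), 0
    ok = hmac.compare_digest(rec["data"], legacy_encrypt(password))
    migrated = migrate_all(table) if ok and on_the_fly_migration else 0
    return ok, migrated


def login_pre_913(table: dict, user: str, password: str) -> bool:
    """Login on an Enterprise Server below 9.1.3: it only understands the old
    format, so a hashed record can never authenticate."""
    rec = table.get(user)
    if rec is None or rec["fmt"] != "LEGACY":
        return False
    return hmac.compare_digest(rec["data"], legacy_encrypt(password))


if __name__ == "__main__":
    t = legacy_table({"JDE": "pw1", "ANA": "pw2"})
    print(login_913(t, "JDE", "pw1", on_the_fly_migration=False))  # (True, 0)
    print(login_913(t, "JDE", "pw1", on_the_fly_migration=True))   # (True, 2)
    print(login_pre_913(t, "ANA", "pw2"))                           # False
```

The model makes the one-way direction visible: migrate_all can convert the whole table in one pass only because the old records are decryptable, while the hashed records carry nothing from which a password, or the old format, could be rebuilt. That is why the page insists on a backup copy of F98OWSEC before installation and why servers at different release levels must not share a table.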

A.1.2 Understanding the Impacted Components

Starting with EnterpriseOne Tools 9.1.3, the security kernel has been updated to detect the old encryption and to re-encrypt records using one-way hash encryption.

The EnterpriseOne Tools Release 9.1.3 must be deployed on all Enterprise Servers sharing the same F98OWSEC table.

A.1.3 Configuring New Encryption

After this update is installed on Enterprise Servers, the security kernel stores passwords in the security tables using one-way hash encryption, and there is no way to disable the encryption for new EnterpriseOne users or revert to the old configuration.

A.2 Preparing for Installation

Before starting the pre-installation process, make sure you create a backup copy of the F98OWSEC table, for example F98OWSECBK. This backup copy can be in the same data source or a different one. You only use this backup in the event that you need to roll back the EnterpriseOne Tools Release.

A.2.1 Special Instructions for Multiple Enterprise Servers Sharing the Same F98OWSEC Table

If you have more than one EnterpriseOne Enterprise Server sharing the same F98OWSEC table, you have to update all of them to EnterpriseOne Tools 9.1 Update 3 to support one-way hash encryption.

If you do not want to update all EnterpriseOne Enterprise Servers to EnterpriseOne Tools 9.1 Update 3, then you need to create two Security Server data sources: one for Enterprise Servers on Tools 9.1 Update 3 and one for EnterpriseOne servers on a release below Tools 9.1 Update 3. In this scenario, only the Enterprise Servers on Tools 9.1 Update 3 will support one-way hash encryption.

A.2.1.1 Creating a Separate Security Server Data Source

If you have multiple Enterprise Servers sharing the same F98OWSEC table and you are not updating all of them to Tools 9.1 Update 3, create two Security Server data sources:

  • One for Enterprise Servers on Tools 9.1 Update 3 (and above).

  • One for Enterprise Servers on releases below Tools 9.1 Update 3.

Note:

If you are not using multiple Enterprise Servers (including multiple foundations) that share the same F98OWSEC table on different EnterpriseOne Tools releases, your existing data source is sufficient.

Configuring these data sources helps avoid data conflicts due to overlap between new and old Enterprise Servers.

The following task describes how to copy security tables to a new data source. These tables are used as a secondary location to support the one-way hash encryption.

Complete the following steps BEFORE installing the EnterpriseOne Tools Release.

Caution:

Do not create any OCM mappings (client or server) that point to the newly created data source. Doing so will result in system errors.

To copy security tables to a new data source: 

  1. Log on to the Deployment Server in the appropriate environment.

  2. Create a new data source.

  3. Open OMW and copy all the tables in the Security data source to the new data source.

The new client and server data source must contain a copy of the following tables from the System-910 or System-900 data source: F0092, F00921, F00927, F0093, F00941, F9312, F98OWPU, and F98OWSEC. See "Setting Up Data Sources" in the Configurable Network Computing Guide for instructions on how to use the Data Sources application (P986115) to create a new client and server data source.

For each EnterpriseOne Enterprise Server on Tools release 9.1.3.0 or above, set the DataSource setting in the SECURITY settings to the new client and server data source.

For each EnterpriseOne Enterprise Server on Tools release prior to 9.1.3.0, set the DataSource setting in the SECURITY settings to "System - 910" or "System - 900".

A.3 Updating JD Edwards EnterpriseOne

To complete this update, you must update all the servers and workstations in your EnterpriseOne environment. Complete the tasks below that are relevant to your configuration when installing EnterpriseOne Tools Release 9.1.3 or above.

The EnterpriseOne Tools Release must be deployed on all Enterprise Servers sharing the same F98OWSEC table as well as all clients that communicate with these servers.

  1. Deployment Server

    Follow the instructions in the "Installing a Tools Release on the Deployment Server" section of the JD Edwards EnterpriseOne Deployment Server Reference Guide.

  2. Enterprise Server

    1. Follow the instructions in section "Change a Managed EnterpriseOne Software Component" in the JD Edwards EnterpriseOne Tools Server Manager Guide to install the EnterpriseOne Tools Release to the appropriate host installation.

    2. If you copied the tables in the Security data source to a new data source during the pre-installation process, update the jde.ini file on the Enterprise Server with the following changes before starting the network services:

      [SECURITY]

      DataSource=<new data source name>

      This is the new data source defined in the pre-installation process.

    3. Verify that you can run PORTTEST successfully.

  3. Follow the instructions in the JD Edwards EnterpriseOne HTML Server Reference Guide to install the HTML Server changes.

  4. Deploy a client package for the EnterpriseOne Tools Release:

    1. Modify the Deployment Server update package created by the ESU process (see the Deployment Server section above). Create the foundation to include the EnterpriseOne Tools Release 9.1.3 or above.

    2. Make sure this package is defined for clients.

    3. Build and deploy the package to all workstations.

  5. Run the web client and Microsoft Windows client to make sure users can log in.

  6. Run the security administration application to make sure a new user can be added and passwords for existing users can be modified.

A.4 Reviewing the Installation

Review the following considerations after the system is updated:

  1. If the setting ONTHEFLYMIGRATION=1 is in the Enterprise Server jde.ini file, user records are encrypted with one-way hash encryption when the user logs in. There is no way to disable the encryption or revert back to the old security configuration.

  2. There is no procedure to roll back user records to the old encryption, nor is there a procedure for converting all user records to the new encryption. The backup copy of the F98OWSEC table can be used to reset the user data.

  3. If the customer has multiple Enterprise Servers at different EnterpriseOne Tools Release levels, make sure each of them is pointing to the correct security data sources:

    • If an Enterprise Server running an older EnterpriseOne Tools Release accesses data encrypted using one-way hash encryption, authentication will fail and users will not be able to log in.

    • If an EnterpriseOne user signs into an Enterprise Server running EnterpriseOne Tools Release 9.1.3 or above, and the user's password is encrypted using the old encryption, the Enterprise Server updates the user's records in the Security tables to the one-way hash encryption. This only occurs if the setting ONTHEFLYMIGRATION=1 is in the Enterprise Server jde.ini.

    • If a new EnterpriseOne user is added using EnterpriseOne Tools Release 9.1.3 or above, the new user password is stored using one-way hash encryption. Consequently, this user will NOT be able to sign in to older EnterpriseOne Tools Releases that share the same F98OWSEC table.

    • If a new EnterpriseOne user is added using an EnterpriseOne Tools Release prior to 9.1.3, the new user password is stored using the old encryption. Therefore, this user can sign in to any EnterpriseOne Tools Release sharing the same F98OWSEC table, as long as the Enterprise Server jde.ini files do NOT include the setting ONTHEFLYMIGRATION=1.

  4. If the customer has multiple Enterprise Servers at different EnterpriseOne Tools Release levels, a dual maintenance procedure for users and passwords is required. Once all the foundations are running an EnterpriseOne Tools Release 9.1.3 or above:

    1. The jde.ini setting for SECURITY Data Source can be changed to point to the same data source for all servers running EnterpriseOne Tools Release 9.1.3 or above.

    2. Save the backup copy of the F98OWSEC table in case you need to roll back the EnterpriseOne Tools Release as described in Section A.5, "Rolling Back the Software".
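The data-source rules from Section A.2.1.1 and the review considerations in items 3 and 4 above can be checked mechanically across a server inventory. The following is an added example, not an Oracle tool: the inventory is constructed (the data source name "Security - OWH" is a made-up name for the copied security tables), the release numbers are supplied by hand where Server Manager would normally report them, and jde.ini is read with Python's configparser on the assumption that the [SECURITY] section is plain INI.

```python
"""Consistency check for [SECURITY] settings across Enterprise Servers at mixed
Tools release levels (Sections A.2.1.1 and A.4).

Added example, not an Oracle tool. INVENTORY is constructed; "Security - OWH"
is a made-up data source name for the copied security tables.
"""
import configparser
from collections import defaultdict

HASH_RELEASE = (9, 1, 3)                            # first release with one-way hash
LEGACY_SOURCES = {"System - 910", "System - 900"}   # expected for pre-9.1.3 servers


def parse_release(text: str) -> tuple:
    """'9.1.3.0' -> (9, 1, 3, 0) so releases compare numerically."""
    return tuple(int(p) for p in text.split("."))


def security_settings(ini_text: str) -> dict:
    """Return the [SECURITY] section of a jde.ini as a dict with upper-cased keys."""
    cp = configparser.ConfigParser(interpolation=None, strict=False)
    cp.optionxform = str.upper
    cp.read_string(ini_text)
    return dict(cp["SECURITY"]) if cp.has_section("SECURITY") else {}


def audit(servers: list) -> list:
    """servers: [{"name", "release", "jde_ini"}]. Returns (severity, subject, message)."""
    findings = []
    by_source = defaultdict(list)
    for srv in servers:
        rel = parse_release(srv["release"])
        sec = security_settings(srv["jde_ini"])
        ds = sec.get("DATASOURCE")
        otf = sec.get("ONTHEFLYMIGRATION") == "1"
        is_new = rel >= HASH_RELEASE
        if ds is None:
            findings.append(("ERROR", srv["name"], "[SECURITY] DataSource is not set"))
            continue
        if not is_new and ds not in LEGACY_SOURCES:
            findings.append(("ERROR", srv["name"],
                             f"pre-9.1.3 server points at {ds!r}; expected one of "
                             f"{sorted(LEGACY_SOURCES)}"))
        if is_new and otf:
            # Conversion on first login is irreversible; the F98OWSEC backup is the only way back.
            findings.append(("INFO", srv["name"],
                             "ONTHEFLYMIGRATION=1: existing users are re-hashed on first "
                             "login; confirm the F98OWSEC backup exists"))
        by_source[ds].append((srv["name"], is_new, otf))
    for ds, members in by_source.items():
        new = [n for n, is_new, _ in members if is_new]
        old = [n for n, is_new, _ in members if not is_new]
        if new and old:
            findings.append(("ERROR", ds,
                             f"shared by 9.1.3+ servers {new} and older servers {old}: users "
                             f"added on the newer servers cannot sign in on {old}; use two "
                             "Security data sources"))
            migrating = [n for n, is_new, otf in members if is_new and otf]
            if migrating:
                findings.append(("ERROR", ds,
                                 f"ONTHEFLYMIGRATION=1 on {migrating}: the first login "
                                 f"re-hashes every record and logins on {old} will then fail"))
    return findings


# Constructed inventory: two updated servers, one correctly configured old server,
# and one old server wrongly pointed at the new data source.
INVENTORY = [
    {"name": "ENT-NEW-1", "release": "9.1.3.0",
     "jde_ini": "[SECURITY]\nDataSource=Security - OWH\nONTHEFLYMIGRATION=1\n"},
    {"name": "ENT-NEW-2", "release": "9.1.4.0",
     "jde_ini": "[SECURITY]\nDataSource=Security - OWH\n"},
    {"name": "ENT-OLD-1", "release": "9.1.2.0",
     "jde_ini": "[SECURITY]\nDataSource=System - 910\n"},
    {"name": "ENT-OLD-2", "release": "9.1.2.0",
     "jde_ini": "[SECURITY]\nDataSource=Security - OWH\n"},
]

if __name__ == "__main__":
    for severity, subject, message in audit(INVENTORY):
        print(f"{severity:5} {subject}: {message}")
```

Run against the constructed inventory, the audit reports the misconfigured old server, the data source shared by mixed releases, and the migration setting on a server sharing that data source, plus an informational note that the conversion on ENT-NEW-1 cannot be undone. Once every foundation is on 9.1.3 or above (item 4), the same check passes with all servers pointing at a single data source, because the mixed-release grouping no longer fires.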

A.5 Rolling Back the Software

The improved encryption will be part of all future EnterpriseOne Tools Releases and it cannot be disabled. If you decide to roll back to a previous EnterpriseOne Tools Release, complete these steps:

  1. Follow the installation instructions to roll back the Enterprise Server and client workstations.

  2. Restore the backup F98OWSEC table in the appropriate data source from the backup copy (for example F98OWSECBK).

  3. Change the INI setting for SECURITY data source to point to the correct data source with the restored F98OWSEC table.

  4. Run PORTTEST on the Enterprise Server to make sure users can log in.

A.6 Copyright

/* ====================================================================
 * Copyright (c) 1998-2011 The OpenSSL Project.  All rights reserved.
 *
 * Redistribution and use in source and binary forms, with or without
 * modification, are permitted provided that the following conditions
 * are met:
 *
 * 1. Redistributions of source code must retain the above copyright
 *    notice, this list of conditions and the following disclaimer.
 *
 * 2. Redistributions in binary form must reproduce the above copyright
 *    notice, this list of conditions and the following disclaimer in
 *    the documentation and/or other materials provided with the
 *    distribution.
 *
 * 3. All advertising materials mentioning features or use of this
 *    software must display the following acknowledgment:
 *    "This product includes software developed by the OpenSSL Project
 *    for use in the OpenSSL Toolkit. (http://www.openssl.org/)"
 *
 * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
 *    endorse or promote products derived from this software without
 *    prior written permission. For written permission, please contact
 *    openssl-core@openssl.org.
 *
 * 5. Products derived from this software may not be called "OpenSSL"
 *    nor may "OpenSSL" appear in their names without prior written
 *    permission of the OpenSSL Project.
 *
 * 6. Redistributions of any form whatsoever must retain the following
 *    acknowledgment:
 *    "This product includes software developed by the OpenSSL Project
 *    for use in the OpenSSL Toolkit (http://www.openssl.org/)"
 *
 * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
 * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
 * PURPOSE ARE DISCLAIMED.  IN NO EVENT SHALL THE OpenSSL PROJECT OR
 * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
 * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
 * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
 * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
 * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
 * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
 * OF THE POSSIBILITY OF SUCH DAMAGE.
 * ====================================================================
 *
 * This product includes cryptographic software written by Eric Young
 * (eay@cryptsoft.com).  This product includes software written by Tim
 * Hudson (tjh@cryptsoft.com).
 *
 */
/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
 * All rights reserved.
 *
 * This package is an SSL implementation written
 * by Eric Young (eay@cryptsoft.com).
 * The implementation was written so as to conform with Netscapes SSL.
 *
 * This library is free for commercial and non-commercial use as long as
 * the following conditions are aheared to.  The following conditions
 * apply to all code found in this distribution, be it the RC4, RSA,
 * lhash, DES, etc., code; not just the SSL code.  The SSL documentation
 * included with this distribution is covered by the same copyright terms
 * except that the holder is Tim Hudson (tjh@cryptsoft.com).
 *
 * Copyright remains Eric Young's, and as such any Copyright notices in
 * the code are not to be removed.
 * If this package is used in a product, Eric Young should be given attribution
 * as the author of the parts of the library used.
 * This can be in the form of a textual message at program startup or
 * in documentation (online or textual) provided with the package.
 *
 * Redistribution and use in source and binary forms, with or without
 * modification, are permitted provided that the following conditions
 * are met:
 * 1. Redistributions of source code must retain the copyright
 *    notice, this list of conditions and the following disclaimer.
 * 2. Redistributions in binary form must reproduce the above copyright
 *    notice, this list of conditions and the following disclaimer in the
 *    documentation and/or other materials provided with the distribution.
 * 3. All advertising materials mentioning features or use of this software
 *    must display the following acknowledgement:
 *    "This product includes cryptographic software written by
 *     Eric Young (eay@cryptsoft.com)"
 *    The word 'cryptographic' can be left out if the rouines from the library
 *    being used are not cryptographic related :-).
 * 4. If you include any Windows specific code (or a derivative thereof) from
 *    the apps directory (application code) you must include an acknowledgement:
 *    "This product includes software written by Tim Hudson (tjh@cryptsoft.com)"
 *
 * THIS SOFTWARE IS PROVIDED BY ERIC YOUNG ``AS IS'' AND
 * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
 * ARE DISCLAIMED.  IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
 * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
 * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
 * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
 * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
 * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
 * SUCH DAMAGE.
 *
 * The licence and distribution terms for any publically available version or
 * derivative of this code cannot be changed.  i.e. this code cannot simply be
 * copied and put under another distribution licence
 * [including the GNU Public Licence.]
 */