Configuring Encryption and Search on Encrypted Data


This topic describes how to use Siebel Tools to enable encryption for a column in a database table. In addition, it describes how you can enable search on the encrypted column.

NOTE:  Do not encrypt columns in database tables without the assistance of Oracle's Application Expert Services. For help with encrypting a column in a database table, you must contact your Oracle sales representative for Oracle Advanced Customer Services to request assistance from Oracle's Application Expert Services.

You encrypt a column and its data by specifying values for certain parameters of the column in the database table. You can also enable search on the encrypted data by creating an additional column (hash column) that stores the result of applying the RSA SHA-1 algorithm to the plaintext value of the encrypted data. Search can be case-sensitive or case-insensitive depending on how you configure search.

The following procedure describes how to encrypt data and, optionally, how to enable search on this data. Before carrying out the procedure, note the following points:

  • The encrypted column, hash column, and the column that stores the index number to the key file must come from the same database table.
  • You cannot encrypt a column that has a denormalized column, because this feature is not supported. For example, column NAME of account table S_ORG_EXT has a denormalized column, S_ACCNT_POSTN.ACCOUNT_NAME.
  • The encrypted column and the hash column must be of type String (VARCHAR), while the column that stores the index number to the key file must be of type Integer. For more information on requirements for data encryption, see About Data Encryption.

To encrypt a column and enable search on the encrypted column in a database table

  1. Start Siebel Tools.
  2. Select the column in the database table that contains the data you want to encrypt.
  3. Add values to the following parameters of the column you selected in Step 2:
    • Computation Expression

      Specify the algorithm to encrypt data in the column. Valid values are SiebelEncrypt.RC2 ([ColumnName]) or SiebelEncrypt.AES ([ColumnName]). To use AES, you require the Siebel Strong Encryption Pack. For more information, see About the Siebel Strong Encryption Pack.

    • Encrypt Key Specifier

      Specify the column that stores the index number to the key file.

  4. If you want to allow search on encrypted data, create another column with a name of your choice or with the following name format:

    C_HASH_NAME

    where NAME is the name of the column you selected in Step 2.

    C_HASH_NAME stores the value that results from applying the RSA SHA-1 algorithm to the plaintext values of the column you selected in Step 2.

    The following table lists the syntax for a number of encryption and search scenarios.

    Scenario: Encrypt data in column C_SSI using the RC2 algorithm.

    Enter these values:

    • For Computation Expression, enter:

      SiebelEncrypt.RC2 ([C_SSI])

    • For Encrypt Key Specifier, specify the column that stores the index key for the key file. For example:

      C_KeyIndex

    Scenario: Encrypt data in column C_SSI using the AES algorithm.

    Enter these values:

    • For Computation Expression, enter:

      SiebelEncrypt.AES ([C_SSI])

    • For Encrypt Key Specifier, specify the column that stores the index key for the key file. For example:

      C_KeyIndex

    Scenario: To enable case-sensitive search on the data that you encrypt in column C_SSI, you create an additional column C_HASH_SSI.

    Enter these values:

    • Enter the following syntax in the field for the Computation Expression of column C_HASH_SSI:

      SiebelHash.SHA1 ([C_SSI])

    Scenario: To enable case-insensitive search on the data that you encrypt in column C_SSI, you create an additional column C_HASH_SSI.

    Enter these values:

    • Enter the following syntax in the field for the Computation Expression of column C_HASH_SSI:

      SiebelHash.SHA1CI ([C_SSI])

    Now do one of the following:

    • If the column that you have enabled for encryption does not yet contain data, there are no further steps to perform.
    • If the column that you have enabled for encryption does contain data, proceed to Step 5.
  5. If the database column that you have enabled for encryption previously contained data, run the Encryption Upgrade utility (encryptupg.exe) to encrypt the existing data and, if applicable, to create searchable hash values for the preexisting data.

    Encrypt existing data immediately after you configure a column for encryption. You can create searchable hash values for the column at a later time if you choose. For information on using the encryptupg.exe utility, see Running the Encryption Upgrade Utility.
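
The following added example (not Oracle's code) sketches how a hash column supports search on an encrypted column: the search term is hashed the same way as the stored value and compared for equality, so only exact matches, or exact matches ignoring case, can be found. The UTF-8 encoding, hex output, upper-casing rule, and the demo table are assumptions; this page does not specify how SiebelHash.SHA1 and SiebelHash.SHA1CI encode or normalize values.

```python
import hashlib
import sqlite3

def sha1_cs(plaintext: str) -> str:
    """Case-sensitive hash; stand-in for SiebelHash.SHA1 (UTF-8 and hex assumed)."""
    return hashlib.sha1(plaintext.encode("utf-8")).hexdigest()

def sha1_ci(plaintext: str) -> str:
    """Case-insensitive hash; stand-in for SiebelHash.SHA1CI (upper-casing assumed)."""
    return sha1_cs(plaintext.upper())

def build_table(values, hash_fn):
    """Create a hypothetical demo table with an encrypted column and its hash column."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE demo (ROW_ID INTEGER PRIMARY KEY, C_SSI TEXT, "
               "C_HASH_SSI TEXT, C_KeyIndex INTEGER)")
    for i, value in enumerate(values, start=1):
        # C_SSI would hold SiebelEncrypt output. A constructed placeholder is
        # stored here because the search path never reads or decrypts it.
        db.execute("INSERT INTO demo VALUES (?, ?, ?, ?)",
                   (i, f"<ciphertext-{i}>", hash_fn(value), 1))
    db.execute("CREATE INDEX demo_hash ON demo (C_HASH_SSI)")
    return db

def search(db, term, hash_fn):
    """Hash the search term like the stored values and compare for equality."""
    rows = db.execute(
        "SELECT ROW_ID FROM demo WHERE C_HASH_SSI = ? ORDER BY ROW_ID",
        (hash_fn(term),))
    return [row[0] for row in rows]

# Constructed sample identifiers (not real data).
SAMPLE = ["AB-123-cd", "ab-123-CD", "ZZ-999-zz"]

if __name__ == "__main__":
    cs = build_table(SAMPLE, sha1_cs)
    ci = build_table(SAMPLE, sha1_ci)
    print(search(cs, "AB-123-cd", sha1_cs))  # exact match on one row
    print(search(ci, "ab-123-cd", sha1_ci))  # both case variants match
    print(search(cs, "AB-123", sha1_cs))     # a prefix never matches a hash
```

The hash function used for a search must be the same one configured on the hash column; a term hashed case-sensitively never matches a column populated with the case-insensitive variant unless the term already has the normalized case.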

Siebel Security Guide Copyright © 2011, Oracle and/or its affiliates. All rights reserved. Legal Notices.