Security Guide for Siebel eBusiness Applications > Security Adapter Authentication >

Configuring Password Hashing
User passwords or database credentials passwords can be hashed for greater security.

Unlike encryption that involves two-way algorithms (encryption and decryption), hashing uses a one-way algorithm. A clear-text version of a password is hashed using a Siebel utility, then stored in the database or in an external directory such as LDAP/ADS. During login, a clear-text version of a password is provided (such as by a user), which is then hashed and compared to the stored hashed password.

Password hashing is used in the following contexts:

  • User password hashing. When you are using security adapter authentication (including database, LDAP/ADSI, or custom security adapters), user passwords can be hashed.

    An unexposed, hashed password is maintained for each user, while the user logs in with an unhashed (clear-text) version of the password. This password is hashed during login.

  • Database credentials password hashing. When you are using security adapter authentication other than database authentication (including LDAP/ADSI or custom security adapters), or using Web SSO authentication, database credentials passwords can be hashed.

    An unexposed, hashed password for a database account is maintained, while an unhashed (clear-text) version of the password is stored in the external directory, such as LDAP or ADS. This password is hashed during login.

Password hashing is a critical tool for preventing unauthorized users from bypassing Siebel applications and logging directly into the Siebel Database using an RDBMS tool such as SQL*Plus. It also prevents passwords intercepted over the network from being used to access the applications, because an intercepted hashed password will itself be hashed when login is attempted, leading to a failed login.

Credentials password hashing prevents users from being able to log into the Siebel Database directly using a password obtained through unauthorized access to the external directory, because the unhashed password will not match the hashed version stored in the database.

For more information about configuring each type of password hashing, see Configuring User and Credentials Password Hashing.

Siebel Systems provides a password hashing utility called hashpwd.exe. The default hashing algorithm is RSA SHA-1. For example, using the default option rsasha1 for the hashpwd.exe utility, siebel is hashed as 6sxr7MWJDyNiMfW2f0cyo+gOVcs=. For information about running hashpwd.exe, see Running the Password Hashing Utility.
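The hash-on-login scheme described above, written out as an added example (this is not Siebel code and does not reproduce hashpwd.exe; it assumes plain SHA-1 over the UTF-8 bytes of the password, base64-encoded, and a constructed user store). It shows why a stored or intercepted hash is useless when replayed as a password: the login path hashes whatever is presented, so the hash of the hash never matches.

```python
import base64
import hashlib
import hmac


def hash_password(clear_text: str) -> str:
    """One-way hash as the guide describes for the rsasha1 option:
    SHA-1 digest, then base64 so it can be stored as text.
    UTF-8 encoding is an assumption; confirm against hashpwd.exe output."""
    digest = hashlib.sha1(clear_text.encode("utf-8")).digest()
    return base64.b64encode(digest).decode("ascii")


def login_succeeds(presented: str, stored_hash: str) -> bool:
    """Login-time check: hash what the client presents and compare it
    with the stored hash. compare_digest avoids a timing side channel."""
    return hmac.compare_digest(hash_password(presented), stored_hash)


# Constructed user store: only the hashed value is kept, never the clear text.
USER_STORE = {"sadmin": hash_password("siebel")}


def demo() -> dict:
    """Run the three cases the guide's argument rests on and return the outcomes."""
    stored = USER_STORE["sadmin"]
    return {
        # Normal login: user supplies clear text, it is hashed and matches.
        "clear_text_login": login_succeeds("siebel", stored),
        # Wrong clear text: hash differs, login fails.
        "wrong_password": login_succeeds("Siebel", stored),
        # Replay of a hash taken from the database or from the wire:
        # it is hashed again on login, so it cannot match the stored hash.
        "replayed_hash": login_succeeds(stored, stored),
    }


# Caveat: unsalted SHA-1 is fast to compute, so an attacker who obtains the
# stored hashes can still guess weak passwords offline. The scheme shown here
# is the one the guide describes, not a recommendation for new designs.

if __name__ == "__main__":
    for case, ok in demo().items():
        print(f"{case}: {'login OK' if ok else 'login FAILED'}")
```

The guide quotes `6sxr7MWJDyNiMfW2f0cyo+gOVcs=` for `siebel`; run hashpwd.exe yourself to confirm whether its byte encoding matches this example before relying on the comparison.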

NOTE:  New customers are required to use RSA-SHA1, and existing customers are strongly recommended to migrate to RSA-SHA1 promptly.

Configuration parameters for all Siebel-provided security adapters, and for custom security adapters you implement, specify the password hashing settings in effect. For each security adapter, parameters specify whether password hashing should be used for user passwords and/or credentials passwords, and, if so, which hashing algorithm to use.

For database authentication, the relevant parameters are specified for a data source referenced from the database security adapter, rather than specified directly for the security adapter.

For existing customers, the Siebel proprietary hashing algorithm (the mangle algorithm, formerly available through the utility encrypt.exe) is still available as an option for the hashpwd.exe utility. This option, called siebelhash, can also be specified as the value for the applicable configuration parameter. These parameters include HashAlgorithm for LDAP/ADSI security adapters and DSHashAlgorithm for data sources (used with database authentication).

For more information about parameters for password hashing, see Configuration Parameters Related to Authentication.

For more information about upgrading your Siebel applications, see Upgrade Guide for the operating system you are using.

NOTE:  For information about managing encrypted passwords in the eapps.cfg file, see Managing Encrypted Passwords in the eapps.cfg File. The password encryption mechanism described there is unrelated to the password hashing mechanism described in this section.
