Bookshelf Home | Contents | Index | Search | PDF

Security Guide for Siebel eBusiness Applications > Authentication Details > Authentication Options >

User Password Encryption

---

User password encryption allows you to maintain an unexposed, encrypted password for each user while the user logs in with an unencrypted version of the password.

User password encryption can be implemented in the following authentication strategies:

Database authentication
Siebel security adapter authentication

NOTE:  You can implement user password encryption with the Siebel encryption utility. This utility and applicable installation instructions are available from Siebel Technical Support.

Password encryption has the following implications for Siebel Server components:

With database authentication, encrypted passwords are stored in the Siebel Database. Siebel Server components that log into the database must use the encrypted password value stored in the database. For example, when you run the Generate Triggers (GenTrig) component, the value provided for the PrivUserPass parameter (used with the PrivUser parameter) must be the encrypted password value. Otherwise, component login will fail.
If Application Encrypt Password is set to TRUE at the server level, the password must also be encrypted for the Server Request Broker and Server Request Processor components. Otherwise, component login will fail.

User password encryption supports the following principles:

Each password is first encrypted. For example, siebel is encrypted as T>?Be.
The encrypted version is stored in one of the following locations:
In a database authentication environment, it is set as the valid password for the database account.
In an external authentication environment, it is stored in the attribute specified for the user's password.
The unencrypted version of the password is given to a user to use when logging in.

A user is logged into the database by the following process:

The user logs in with user credentials that include the unencrypted password.
The authentication manager receives the user credentials, and passes them to the Application Object Manager.
The Application Object Manager encrypts the password (T>?Be).
In an external authentication environment:
The user credentials, including the encrypted password are passed to the security adapter through the authentication manager.
The security adapter verifies that the encrypted password matches the encrypted password stored in the directory for the user, and then returns the database account and the Siebel user ID to the Application Object Manager through the authentication manager.
In a database authentication environment, the Application Object Manager verifies that the database account identified by the user credentials exists and that the encrypted user password matches the password for the database account (T>?Be).
The Application Object Manager connects the user to the database and the Siebel application.

To implement user password encryption

For each user, create and record a username and a password.
Do one or more of the following:
To encrypt an individual password, enter and run the following command at a command prompt:

encrypt password

The utility encrypts the argument and verifies the results. For example, to encrypt the password "siebel," enter:

encrypt siebel

The confirmation from the utility is similar to:

Encoding String => siebel <= to => T>?Be <=

Verify encoding => T>?Be <= to => siebel <=

To encrypt multiple passwords at the command prompt, use the following command-line syntax:

encrypt password1 password2 password3 ...

To encrypt multiple passwords using a batch file:

Enter the passwords into a batch file (in this instance, the file is named passwords.txt), and then use the following command-line syntax:

encrypt @passwords.txt

For each user, do one of the following:
In a database authentication environment, set the credentials for a database account to the username and the encrypted password.

For information about setting credentials for database accounts, see your RDBMS documentation.

In an external authentication environment, set the values in the directory attributes for username and password to the username and the encrypted password.
Set the Application Encrypt Password parameter in the Name Server to TRUE at one of the following levels.
To implement user password encryption for a single application, set the parameter at the component level for the Application Object Manager, such as Call Center Object Manager.
To implement user password encryption for all applications on a particular Siebel Server, set the parameter at the server level for the particular Siebel Server.

For information about setting Name Server parameters, see Name Server Parameters.

If you encrypted the password for the anonymous user, you must also modify the AnonPassword parameter in the eapps.cfg file.
Provide the username and unencrypted password to the user for logging in.

User password encryption is discussed in a usage context in Implementing Database Authentication and in Security Adapter Deployment Options.

Bookshelf Home | Contents | Index | Search | PDF