Bookshelf Home | Contents | Index | Search | PDF

Security Guide for Siebel eBusiness Applications > Authentication Details > Authentication Options >

Credentials Password Encryption

---

Credentials password encryption allows you to maintain an unexposed, encrypted password to a database account, while an unencrypted version of the password is used in other phases of the authentication process.

Credentials password encryption can be implemented in the following authentication strategies:

Siebel security adapter authentication
Web SSO

NOTE:  You can implement credentials password encryption with the Siebel encryption utility. This utility and applicable installation instructions are available from Siebel Technical Support.

Credentials password encryption supports the following principles:

For each database account, a password is first encrypted. For example, siebel is encrypted as T>?Be.
The encrypted version is stored as the valid password for the database account.
The unencrypted version of the password is stored in the attribute containing the database account for each applicable user in the directory.

A user is logged into the database by the following process:

The authenticated user's database account, stored in the directory, is passed to the authentication manager by the security adapter.
The Application Object Manager receives the user credentials from the authentication manager.
The Application Object Manager encrypts the password (T>?Be).
The Application Object Manager verifies that the database account identified by the user credentials exists and has a password that matches the encrypted version (T>?Be).
The Application Object Manager connects the user to the database and the Siebel application.

NOTE:  You cannot implement credentials password encryption if the data source you are connecting to is undocked. A data source is undocked if Docked = FALSE for the data source in the application's configuration file.

To implement credentials password encryption

For each database account, create and record the login name and a password.
Do one or more of the following:
To encrypt an individual password, enter and run the following command at a command prompt:

encrypt password

The utility encrypts the argument and verifies the results. For example, to encrypt the password "siebel," enter:

encrypt siebel

The confirmation from the utility is similar to:

Encoding String => siebel <= to => T>?Be <=

Verify encoding => T>?Be <= to => siebel <=

To encrypt multiple passwords at the command prompt, use the following command-line syntax:

encrypt password1 password2 password3 ...

To encrypt multiple passwords using a batch file:

Enter the passwords into a batch file (in this instance, the file is named passwords.txt), and then use the following command-line syntax:

encrypt @passwords.txt

Assign the encrypted passwords to their corresponding database accounts.

For information about assigning passwords to database accounts, see your RDBMS documentation.

For each Siebel application that implements credentials password encryption, set the following parameter value in the application's configuration file. For example, edit the eservice.cfg file for Siebel eService.

In the [adapter_name] section, for example [LDAP]:

EncryptCredentialsPassword = TRUE

For information about setting Siebel application configuration file parameters, see Siebel Application Configuration File Parameters.

Make sure that the attribute in the directory that contains the database account contains the unencrypted version of the database password.

For information about required attributes in the directory, see Requirements for Directory.

Credentials password encryption is discussed in a usage context in Security Adapter Deployment Options.

Bookshelf Home | Contents | Index | Search | PDF