
Guidelines for Password Hashing

This topic describes the factors to consider if you choose to implement password hashing with Siebel Business Applications.

This task is a step in Process of Configuring User and Credentials Password Hashing.

Guidelines for using password hashing with Siebel Business Applications include the following:

  • The password hashing utility, hashpwd.exe, does not automatically store hashed passwords or salt values in the Siebel database, LDAP directory, or Active Directory. The administrator is responsible for defining and storing the hashed passwords and salt values. A hashed password is stored in one of the following locations:
    • In a database authentication environment, the hashed password is set as the valid password for the database account.
    • In an LDAP or Active Directory authentication environment, the hashed password is stored in the attribute specified for the user's password. The password salt value is stored in the attribute specified for the salt value.
  • Users log in with the unhashed (cleartext) version of the password; the security adapter hashes the value the user supplies and compares it with the stored hash.
  • A stored password must be hashed, with the salt value applied first if salts are used, using the same hashing algorithm (typically RSA SHA-1) that the authentication process applies to the password the user supplies. A hash produced with a different algorithm, a different salt, or different salt handling never matches, and login fails.
  • Database credentials passwords stored outside of the Siebel database must be stored in unhashed form, because the authentication process hashes them; a value that is already hashed would be hashed a second time and would not match. For additional information, see About Password Hashing.
  • With database authentication, the Siebel Server components that log in to the database must use the hashed password value stored in the Siebel database. Otherwise, the component login will fail.

    For example, when you run the Generate Triggers (GenTrig) component, the value provided for the PrivUserPass parameter (used along with the PrivUser parameter) must be the hashed password value.

    To determine whether a Siebel Server component expects a hashed password, select the component in the Enterprise Component Definition View and query for the component parameter OM - Data Source. If the data source that OM - Data Source references has DSHashAlgorithm set to a hashing algorithm and DSHashUserPwd set to TRUE, the component can accept an unhashed password and hashes it itself using those parameters; otherwise the component must be given the hashed password value.

  • Password hashing and use of salt values must be specified consistently for all Siebel Enterprise components that will work together. For example, all Siebel Servers subject to Application Object Manager load balancing must use the same security adapter settings, including those for password hashing, or component login will fail.
  • For the Siebel Mobile Web Client, password hashing for the local database password has the following requirements:
    • The parameter Encrypt client Db password (alias EncryptLocalDbPwd) must have been set to TRUE for the server component Database Extract (alias DbXtract) at the time the user's local database was extracted. See Siebel Remote and Replication Manager Administration Guide for details.
    • The database security adapter must be in effect for the Mobile Web Client, and the DSHashUserPwd and DSHashAlgorithm parameters must be set appropriately for the data source specified for the security adapter. For more information, see About Database Authentication and Siebel Application Configuration File Parameters.
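The following Python script is added here as an illustration; it is not part of the Siebel documentation or product. It models the consistency rules in this topic: whether the adapter hashes the value it is given is driven by the data source's DSHashUserPwd and DSHashAlgorithm parameters, the stored hash must have been produced with the same algorithm and salt, and a value presented at the wrong stage (already hashed where the adapter hashes again, or cleartext where the adapter expects the hash, as with the GenTrig PrivUserPass parameter) fails to log in, as does a server whose salt or settings differ from those used to produce the hash. The hash layout (SHA-1 over salt followed by password, hex encoded), the parameter dictionaries, the spelling "RSASHA1" for the algorithm value, and the sample password and salt are all constructed assumptions; the page does not specify Siebel's actual salt placement or encoding, so use hashpwd.exe, not this script, to produce values for a real installation.

```python
import hashlib
import hmac


def hash_password(password: str, salt: str = "", algorithm: str = "RSASHA1") -> str:
    """ASSUMED hash layout for this illustration only: SHA-1 over salt + password,
    hex encoded. Siebel's real salt placement and encoding are not given on the
    page; generate real values with hashpwd.exe, not with this function."""
    # "RSASHA1" (assumed spelling of the DSHashAlgorithm value) maps to SHA-1;
    # anything else is rejected rather than silently hashed differently.
    if "SHA1" not in algorithm.upper().replace("-", ""):
        raise ValueError(f"unsupported DSHashAlgorithm for this example: {algorithm!r}")
    return hashlib.sha1((salt + password).encode("utf-8")).hexdigest()


def adapter_login(supplied: str, stored_hash: str, salt: str, ds_params: dict) -> bool:
    """Model of the security adapter check described on the page.

    With DSHashUserPwd=TRUE the adapter hashes the supplied value using
    DSHashAlgorithm and the salt before comparing, so callers pass the cleartext.
    With DSHashUserPwd=FALSE the supplied value is compared as-is, so callers
    must pass the stored hash itself (the GenTrig PrivUserPass case).
    """
    hashes_user_pwd = str(ds_params.get("DSHashUserPwd", "FALSE")).upper() == "TRUE"
    algorithm = ds_params.get("DSHashAlgorithm", "")
    if hashes_user_pwd:
        if not algorithm:
            raise ValueError("DSHashUserPwd is TRUE but DSHashAlgorithm is not set")
        candidate = hash_password(supplied, salt, algorithm)
    else:
        candidate = supplied
    # Constant-time comparison of the two values.
    return hmac.compare_digest(candidate.encode("utf-8"), stored_hash.encode("utf-8"))


# Constructed sample data (not real credentials).
SALT = "x9Qz"                                   # value the administrator stores in the salt attribute
CLEARTEXT = "Sh0reline!"                        # value handed to the user to log in with
STORED_HASH = hash_password(CLEARTEXT, SALT)    # value the administrator stores as the password

# Data source parameters as the OM - Data Source check in this topic would show them (assumed shape).
DS_HASHES = {"DSHashAlgorithm": "RSASHA1", "DSHashUserPwd": "TRUE"}
DS_PLAIN = {"DSHashAlgorithm": "RSASHA1", "DSHashUserPwd": "FALSE"}


def user_login() -> bool:
    """User types the cleartext; the adapter hashes it and it matches: succeeds."""
    return adapter_login(CLEARTEXT, STORED_HASH, SALT, DS_HASHES)


def credential_stored_prehashed() -> bool:
    """A credential kept already hashed where the adapter hashes again is hashed
    twice and never matches: fails (why externally stored database credentials
    must be kept unhashed)."""
    return adapter_login(STORED_HASH, STORED_HASH, SALT, DS_HASHES)


def component_given_hash() -> bool:
    """A component whose data source does not hash (the GenTrig PrivUserPass case)
    receives the hashed value: succeeds."""
    return adapter_login(STORED_HASH, STORED_HASH, SALT, DS_PLAIN)


def component_given_cleartext() -> bool:
    """The same component given the cleartext instead: fails."""
    return adapter_login(CLEARTEXT, STORED_HASH, SALT, DS_PLAIN)


def inconsistent_server() -> bool:
    """A load-balanced server whose salt (or other hashing settings) differs from
    those used to produce the stored hash: fails."""
    return adapter_login(CLEARTEXT, STORED_HASH, "otherSalt", DS_HASHES)


if __name__ == "__main__":
    for check in (user_login, credential_stored_prehashed, component_given_hash,
                  component_given_cleartext, inconsistent_server):
        print(f"{check.__name__:28s} -> {'login OK' if check() else 'login FAILS'}")
```

Running the script prints one line per scenario; only the two cases where the stage at which hashing happens matches the stored value succeed, which is the consistency requirement the guidelines above describe.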
Siebel Security Guide Copyright © 2013, Oracle and/or its affiliates. All rights reserved.