6 Encrypting Sensitive Data in EnterpriseOne Configuration Files (Release 9.1 Update 4)


6.1 Understanding the Encryption of Sensitive Data Used by EnterpriseOne

Some configuration files used by EnterpriseOne contain sensitive data, such as passwords, that should not be accessible to users. EnterpriseOne uses 128-bit AES encryption to store the sensitive data in these files in an encrypted format.

For initialization (ini) files, sensitive data is encrypted when you use Server Manager to update the ini setting. For example, if you use Server Manager to update the WRIPassword setting in the Enterprise Server jde.ini file, Server Manager encrypts the password so that it cannot be read by anyone who opens the ini file manually.

Sensitive data can also be found in files used by the RUNUBE and RUNUBEXML commands, which are used to generate reports from an EnterpriseOne Windows client. For these files, you can use commands to encrypt the sensitive data so that data stored in these files is not compromised.

An administrator can still choose to manually access ini or configuration files and edit the passwords in plain text. Regardless, EnterpriseOne can read passwords whether they are encrypted or in plain text.

6.2 Encrypted Data in EnterpriseOne ini Files

Oracle recommends that you use Server Manager to update ini file settings that contain sensitive data. If you use Server Manager to enter and save settings that contain passwords, the system encrypts the sensitive data in the ini file.

You can view a password as you enter it in Server Manager to verify the password before you save it. However, after saving the changes in Server Manager and refreshing the browser, the system masks the password so that it is not revealed in the Server Manager interface.

The following table lists the server ini file settings that can be encrypted when entered or updated through Server Manager:

ini File: jde.ini
Server: Enterprise Server
Settings:

        [SECURITY]
        Password=

        [WORKFLOW]
        WRIPassword=

        [TRUSTED NODE]
        NodePassword=

ini File: jas.ini
Server: HTML Server
Settings:

        [OWWEB]
        FtpPwd=

        [EVENTS]
        jndiuser=
        jndipassword=

ini File: jdbj.ini
Server: HTML Server, Transaction Server, and Business Services Server
Settings:

        [JDBj-BOOTSTRAP SESSION]
        password=

        [JDBj-SPEC DATA SOURCE]
        password=

ini File: jdeinterop.ini
Server: Transaction Server and Business Services Server
Settings:

        [KEYSTORE]
        keystorepasswd=
        certificatepasswd=

        [TRUST_STORE]
        truststorepasswd=

        [MEDIAOBJECT]
        FtpPwd=

ini File: tokengen.ini
Server: HTML Server
Settings:

        [TOKENGEN]
        NodePwd=


Note:

You cannot use Server Manager to update ini file settings on the Deployment Server and EnterpriseOne Windows clients. However, Oracle provides a utility to encrypt sensitive data in the jde.ini file on these machines. See Encrypting ini File Settings on the Deployment Server and EnterpriseOne Windows Clients for more information.
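Because EnterpriseOne accepts these settings in plain text as well as encrypted, an administrator may want an inventory of which ones are populated in a given ini file. The following is an added example, not Oracle code: the function name, the case-insensitive matching, and the treatment of `;` and `#` lines as comments are assumptions, and the sample ini text is constructed. It reports section, key, and line number only, never the value; since this chapter does not describe the stored format, each hit still has to be confirmed as encrypted by re-saving it through Server Manager or the encryption utility.

```python
# Section/key pairs taken from the table above (ini file -> section -> keys).
SENSITIVE = {
    "jde.ini": {"SECURITY": ["Password"], "WORKFLOW": ["WRIPassword"],
                "TRUSTED NODE": ["NodePassword"]},
    "jas.ini": {"OWWEB": ["FtpPwd"], "EVENTS": ["jndiuser", "jndipassword"]},
    "jdbj.ini": {"JDBj-BOOTSTRAP SESSION": ["password"],
                 "JDBj-SPEC DATA SOURCE": ["password"]},
    "jdeinterop.ini": {"KEYSTORE": ["keystorepasswd", "certificatepasswd"],
                       "TRUST_STORE": ["truststorepasswd"],
                       "MEDIAOBJECT": ["FtpPwd"]},
    "tokengen.ini": {"TOKENGEN": ["NodePwd"]},
}

# Constructed sample, not a real jde.ini.
SAMPLE_JDE_INI = """\
[SECURITY]
User=JDE
Password=constructed-value
; Password=old-value

[WORKFLOW]
WRIPassword=

[DEBUG]
Password=not-in-table
"""


def populated_settings(ini_name, text):
    """Return (section, key, line_no) for each listed setting that has a value.
    The value itself is never returned, so the report is safe to share."""
    table = SENSITIVE.get(ini_name.lower(), {})
    wanted = {(s.lower(), k.lower()) for s, keys in table.items() for k in keys}
    section, hits = None, []
    for line_no, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line[0] in ";#":        # blank or comment (assumption)
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].strip()
            continue
        key, sep, value = line.partition("=")   # split on the first '=' only
        if sep and section and value.strip():
            if (section.lower(), key.strip().lower()) in wanted:
                hits.append((section, key.strip(), line_no))
    return hits


if __name__ == "__main__":
    for section, key, line_no in populated_settings("jde.ini", SAMPLE_JDE_INI):
        print(f"jde.ini line {line_no}: [{section}] {key} is set")
```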

6.3 Commands for Encrypting Passwords Used by RUNUBE and RUNUBEXML

When a user uses the RUNUBE command to generate a report on an EnterpriseOne Windows client, the system uses the user ID and password from a text file to access EnterpriseOne and run the report. This user ID and password are in clear text. Oracle recommends that you use a command to encrypt the password in the text file to protect the sensitive information. Use the following RUNUBE command to encrypt the password in the text file the first time you generate a report:

runube -Fe <text_file>

Any subsequent RUNUBE invocation that uses the text file will use the encrypted password.

RUNUBEXML uses an XML file that contains a user ID and password in clear text. The password in this XML file needs to be encrypted as well, so Oracle provides a command that encrypts the password the first time you run RUNUBEXML. Any subsequent run of RUNUBEXML that uses this XML file will use the encrypted password. Use the following command to encrypt the password in the XML file when you generate a report:

runubexml E ENCRYPT_V1 <template_file>

For more information about the commands that you can use to run reports with RUNUBE or RUNUBEXML, see "Submitting at the Command Line" in the JD Edwards EnterpriseOne Tools Batch Versions Guide.

6.4 Encrypting ini File Settings on the Deployment Server and EnterpriseOne Windows Clients

Oracle provides a command line utility called E1iniEncrypt for encrypting sensitive data in ini files on the Deployment Server and EnterpriseOne Windows clients. You can use the utility to encrypt the following jde.ini settings on these machines:

[WORKFLOW]

WRIPassword=

You can also use this utility on an EnterpriseOne Windows client to encrypt ini file password settings on other EnterpriseOne servers.

To view a list of options for encrypting ini file settings, enter the following in a command prompt:

E1IniEncrypt -<options> <path to ini>

where options include:

        -jde    : Encrypt password in JDE.INI
        -inter  : Encrypt password in JDEINTEROP.INI
        -jas    : Encrypt password in JAS.INI
        -jdbj   : Encrypt password in JDBJ.INI
        -tok    : Encrypt password in TOKENEGEN.INI

Important:

You must have administrative rights on the EnterpriseOne Windows client machine to run this utility.

For example, to encrypt the password in jde.ini, you can type:

E1IniEncrypt -jde C:\windows