8 Encrypting Sensitive Data in EnterpriseOne

8.1 Understanding the Encryption of Sensitive Data in EnterpriseOne

EnterpriseOne uses 128-bit AES encryption for certain sensitive data (such as passwords) stored in the database and for sensitive data stored in the following EnterpriseOne configuration (INI) files on EnterpriseOne servers:

  • jde

  • jdbj

  • jas

  • tokengen

  • jdeinterop

A system administrator uses Server Manager to configure the settings in these server configuration files. If a system administrator updates a configuration setting that contains sensitive data such as a password, the encryption system encrypts the data so that it cannot be read by anyone who opens a configuration file manually. See Table 8-1 for a complete list of INI files and the settings that contain sensitive data.

You can set up encryption before an EnterpriseOne installation using a command line utility program on the Deployment Server. See Encrypting Sensitive INI File Data Using the Deployment Server. You can also set up encryption after an installation through Server Manager. Both methods involve using a site key for encryption as described later in this chapter.

Note:

Although not recommended, an administrator can still choose to manually access configuration files and edit the passwords in plain text. Regardless, EnterpriseOne can read passwords whether they are encrypted or in plain text.

8.1.1 Sensitive Data in INI Files Managed by Server Manager

The following table lists the server INI file settings that are encrypted when entered or updated through Server Manager:

Table 8-1 Sensitive Data in Configuration Files Managed by Server Manager

INI File        Server                                  Settings
--------------  --------------------------------------  ------------------------
jde.ini         Enterprise Server                       [SECURITY]
                                                        Password=
                                                        [WORKFLOW]
                                                        WRIPassword=
                                                        [TRUSTED NODE]
                                                        NodePassword=

jas.ini         HTML Server                             [OWWEB]
                                                        FtpPwd=
                                                        [EVENTS]
                                                        jndiuser=
                                                        jndipassword=

jdbj.ini        HTML Server, Transaction Server,        [JDBj-BOOTSTRAP SESSION]
                and Business Services Server            password=
                                                        [JDBj-SPEC DATA SOURCE]
                                                        password=

jdeinterop.ini  Transaction Server and                  [KEYSTORE]
                Business Services Server                keystorepasswd=
                                                        certificatepasswd=
                                                        [TRUST_STORE]
                                                        truststorepasswd=
                                                        [MEDIAOBJECT]
                                                        FtpPwd=

tokengen.ini    HTML Server                             [TOKENGEN]
                                                        NodePwd=

8.2 Understanding the Generation of Site Keys for Use with AES Encryption

Starting with EnterpriseOne Tools Release 9.2, the EnterpriseOne encryption system uses a site key to add a higher level of security for sensitive data stored in configuration files and databases. The site key is combined with other values to create an AES key. The encryption system then uses the AES key to encrypt individual data items. AES is the industry standard for achieving highly secure encryption.

The site key is unique for each customer. A random value is selected for each data item to be encrypted. The site key is combined with the random value and version-based values within the EnterpriseOne system to generate a 128-bit AES key. That AES key is then used to encrypt that data item. With different random values for each data item, it is possible to have up to 16 million different AES keys associated with each site key.

Oracle provides a command line "sitekey" utility program on the Security Server for generating and storing site keys in the JDE.INI file on the Security Server. When sensitive data is entered in Server Manager, Server Manager accesses the site key in the JDE.INI file and uses the site key to encrypt the data item.

Server Manager uses JDENet to retrieve the site key from the main Security Server defined for Server Manager. If the Security Server is not running, Server Manager will retrieve the site key directly from that Security Server's JDE.INI file.

To create a site key value, a system administrator enters a unique password in the sitekey program. The sitekey program generates a site key from this password. The sitekey program:

  • Uses a hashing function to convert the password into a site key value.

    Note:

    Based on the hashing, it is not possible to recover the password from the site key value.
  • Encrypts the site key value and encodes it within a text string.

  • Stores the site key text string in the [SITE_KEYS] section of the Security Server JDE.INI file. Example 8-1 shows an example of a text string of a site key value in the [SITE_KEYS] section.

Using site key values for data encryption provides the following benefits:

  • Because site key values are generated from unique passwords, it is highly unlikely that two customers will have the same values.

  • The encryption and encoding of the site keys use randomized parameters, so multiple text representations of the same site key will almost always be different.

  • The site key values are not stored in the program code. Because site keys are stored in the JDE.INI file, each customer has their own site key, which provides a higher level of security.

8.2.1 Site Key Settings in the JDE.INI File

The sitekey program stores a site key in the following settings in the [SITE_KEYS] section of the JDE.INI file:

  • CurrentKey. This contains the text string of the site key value used to encrypt new data items.

  • PreviousKey. This contains the text string of the site key value used to decrypt previously encrypted data items; it is never used for the encryption of new data items. If the current site key is changed, the encryption system uses the previous site key to decrypt old data items, after which the new current site key is used to re-encrypt these data items.

Example 8-1 shows an example of site key entries in the JDE.INI file.

Example 8-1 Example of Site Key Entries in the JDE.INI

[SITE_KEYS]
 
CurrentKey=ADOtRLI/Y93Hhgmx9Me23fCJB5j0/RtMNA+cWtZXtpB6Y2CMJ/le0dl2ntXiPeIkybDAQievK3Rqj89tVsSac=
 
PreviousKey=ADk/sKxVveqYH1gnk8wodNmzNfD07PcQN0K9M4rqqVIBhBDCjsRmATp9m5QU6iYAS1eQJuQmlxrFq2AScnA4c=

8.2.2 Changing the Site Key Settings

The purpose of the site key is to provide an encryption system that uses different encryption keys from one customer site to another. Each site key is used to derive a unique set of AES encryption keys. Therefore, there is not a lot of benefit to frequently changing the site key value. When a site key is changed, it requires the decryption and re-encryption of existing encrypted data.

Data is always encrypted using the "CurrentKey" site key. Data is decrypted using either the "CurrentKey" site key or the "PreviousKey" site key, which allows data items to be decrypted using an old site key and then encrypted using a new site key.

If you change the site key value, all previously encrypted data should be re-encrypted using the new site key value. After you convert all encrypted data using the new site key, then you can use a text editor to manually delete or comment out the "PreviousKey" entry in the JDE.INI.

Only one "PreviousKey" entry is allowed at one time. If at a later time you need to decrypt old data encrypted with the previous site key, you can manually re-add (or uncomment) the "PreviousKey" entry in the JDE.INI. Then the encryption system will decrypt the data and then re-encrypt the data using the "CurrentKey" site key.

8.2.3 Data Encryption for Merged Systems

You might have a scenario in which data from two different EnterpriseOne systems is merged. The data in the combined database might have been encrypted with different current site keys. The first system can continue to use its current site key. For the second system merged with the first EnterpriseOne system, you must enter its site key text value into the PreviousKey setting in the JDE.INI file of the first system. At that point, the data from both systems can be decrypted. The data from the second system should then be re-encrypted using the current site key.

After all the data in the second system is re-encrypted, only the current site key is required for future encryption; the previous site key entry can be manually deleted from the JDE.INI. It cannot be programmatically removed because the programs cannot determine if there is additional data somewhere that is still encrypted with the previous site key.

8.3 Prerequisites

Before you can use site keys for encryption, you must:

Caution:

The Security Server must be defined in the Server Manager Console and a site key must be configured in the Security Server jde.ini for the encryption of sensitive data to occur. Otherwise, passwords in the INI files will not be encrypted and will appear as plain text.

Also, all servers managed by an instance of Server Manager must use the same site key. For example, if you want to have a production environment with servers that use one site key and a test environment with servers that use a different site key, then you would need to install two separate Server Manager Consoles, one for all servers in the production environment and one for all servers in the test environment.

8.4 Setting Up Site Keys on the Security Server

Use the sitekey program on the Security Server to generate a site key value for the Security Server's JDE.INI file.

A site key value is generated from a unique password that you enter in the sitekey program. Entering a unique, strong password ensures that the site key material that is used for the encryption is unique for each customer site. Follow these password rules to create a strong password:

  • Enter a minimum of 8 characters and a maximum of 40 characters.

  • Include both upper case and lower case letters.

  • Include numbers (0, 1, 2, 3, 4, 5, 6, 7, 8, 9).

  • Include the special underline (_) character. No other special characters are allowed.

  • Use a letter for the first character.

  • Use a letter or a number for the last character.

  • At a minimum, use two upper case letters, two lower case letters, two numbers, and two special underline characters.
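The password rules above can be checked before the password is typed into the sitekey program. The following is an added example, not Oracle code: the function name is hypothetical, "letter" is assumed to mean an ASCII letter, and the passwords in the comments are constructed.

```python
import getpass
import re

def sitekey_password_violations(password):
    """Return the rules from this section that the password breaks.

    An empty list means the password satisfies every rule listed above.
    Assumption: "letters" means ASCII A-Z and a-z.
    """
    violations = []
    if not 8 <= len(password) <= 40:
        violations.append("length must be 8 to 40 characters")
    if re.search(r"[^A-Za-z0-9_]", password):
        violations.append("only letters, numbers and underscore are allowed")
    if not re.match(r"[A-Za-z]", password):
        violations.append("first character must be a letter")
    if not re.search(r"[A-Za-z0-9]\Z", password):
        violations.append("last character must be a letter or a number")
    minimums = (
        ("upper case letters", r"[A-Z]"),
        ("lower case letters", r"[a-z]"),
        ("numbers", r"[0-9]"),
        ("underscore characters", r"_"),
    )
    for label, pattern in minimums:
        if len(re.findall(pattern, password)) < 2:
            violations.append(f"needs at least two {label}")
    return violations

if __name__ == "__main__":
    # getpass keeps the candidate password out of the terminal echo
    # and out of the shell history.
    problems = sitekey_password_violations(getpass.getpass("Candidate password: "))
    print("OK" if not problems else "\n".join(problems))
```
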

Only one site key is allowed in an EnterpriseOne system. If your system configuration includes more than one Security Server, after you create a site key, you must manually copy the site key text string from the [SITE_KEYS] section in the JDE.INI file to the JDE.INI files on all other Security Servers.

Caution:

A site key is cached upon first usage; therefore, you must restart all EnterpriseOne systems to store a new site key in the cache. If you do not refresh the cache, your system could be using two different site keys at the same time, which is problematic because data encrypted with one site key cannot be decrypted with a different site key.

The following tasks describe how to use the commands in the sitekey program. A description of the commands is available in the sitekey program Action Menu:

C:\builds\e900\system\bin32>sitekey
        ACTION MENU
 d   Display site key entries found in JDE.INI
 c   Current site key - will prompt for password to be hashed
 p   Previous site key - will prompt for password to be hashed
Enter letter for action to take:

To create a current site key value:

  1. Launch the sitekey program from the system/bin32 directory on the Security Server.

  2. In the sitekey program, enter -c to access the password prompt, for example:

    $ sitekey -c

  3. At the "Enter Password:" prompt, enter a password for the site key and then press Enter.

    The sitekey program converts the password into a site key value that is wrapped, encoded, and converted to a text string that is stored in the [SITE_KEYS] section in the JDE.INI file.

    It is important to remember this password in case the generated site key text string is accidentally deleted. For more information, see "Recovering Site Key Values."

  4. If you have multiple Security Servers, manually copy the site key text string into the JDE.INI files on each Security Server.

  5. Restart all EnterpriseOne systems including Enterprise Servers, Server Manager Console, the HTML Server, and other types of servers.

    A site key is cached upon first usage, so you must restart all systems to store a new site key in the cache. To ensure that the new site key is cached in all systems, they should be restarted in the following order:

    1. Security Server (Enterprise Server) configured in Server Manager console.

    2. Server Manager Console.

    3. Other Enterprise Servers.

    4. All other managed instances, including HTML Servers.

    Note:

    Server Manager agents do not need to be restarted.

To create a previous site key value:

If the current site key is changed, the encryption system uses the previous site key to decrypt old data items so that the new current site key can re-encrypt the data items.

If a new current site key is added, the "current" site key will become the "previous" site key in the JDE.INI settings. If encrypted data is being merged from a system that had used a different site key, then that site key can be added to the JDE.INI by entering its password for the "previous" key. An alternative method is to copy the site key text from the INI of the merged system and enter it as a "previous" key directly in the INI.

  1. In the sitekey program, enter -p to access the password prompt, for example:

    $ sitekey -p

  2. At the Enter Password prompt, enter the password that was used for the former "current" site key, and then press Enter.

    The sitekey program converts the password into a site key value that is wrapped, encoded, and converted to a text string that is stored in the [SITE_KEYS] section in the JDE.INI file.

  3. Restart all EnterpriseOne systems in the same order as described in the preceding steps for creating a current site key.

To display site key entries stored in the [SITE_KEYS] section in the JDE.INI file:

In the sitekey program, enter -d, for example:

$ sitekey -d

This confirms that the site key text is in a valid format. It also determines if a current site key and a previous site key came from the same password. Because the site key text uses random numbers for encoding, the text will always be different even for text that stores the same site key value.

8.5 Recovering Site Key Values

If a site key value is accidentally deleted from the JDE.INI file, you can recover it by running the sitekey program and entering the same password that you used to create the site key the first time. The hash of the same password will result in the same hash value, which defines the site key value. The site key text string displayed in the [SITE_KEYS] section will look different than the text string of the original site key value because the process uses random values to convert the site key value to a text string.

If you cannot remember the original password for generating the site key, you can recover the site key by opening a service request (SR) through My Oracle Support:

https://support.oracle.com/

In the service request, include the header portion of an encrypted data item. The header portion is the first 14 characters if it is a text encryption, and it is the first 20 hexadecimal digits if it is a binary encryption. Oracle provides you with a new text string version of the site key that you can manually place in the [SITE_KEYS] section of the JDE.INI file on the Security Server. The new text string contains the site key required to decrypt the given encrypted data item. It will also decrypt all data items that were originally encrypted with the same site key.

As an alternative to entering a service request, if you are using the encryption only for sensitive data in INI files, you can simply enter a new password in the sitekey program to create a new site key. Then, in the Server Manager Console, re-enter all password values and restart all EnterpriseOne systems.

Caution:

This alternate method cannot be used if you have encrypted data stored in the database (such as encrypted data for applications).

8.6 Encrypting Sensitive INI File Data Using the Deployment Server

As an alternative to using Server Manager, Oracle provides a command line utility program called E1IniEncrypt for encrypting sensitive data in the INI files. Server Manager is the preferred method for encrypting passwords in the INI files, but E1IniEncrypt may be used during EnterpriseOne Tools release upgrades if Server Manager is not available. See Table 8-1 for a list of INI data that can be encrypted using E1IniEncrypt.

Oracle recommends running the E1IniEncrypt program on the Deployment Server, but it will run on any EnterpriseOne Windows client machine.

Caution:

You must have administrative rights on the EnterpriseOne Windows client machine to run this program.

You use the following command in the E1IniEncrypt program to encrypt sensitive data in INI files:

E1IniEncrypt -<options> <path to ini>

Where <options> include:

        -jde    : Encrypt passwords in JDE.INI
        -inter  : Encrypt passwords in JDEINTEROP.INI
        -jas    : Encrypt passwords in JAS.INI
        -jdbj   : Encrypt passwords in JDBJ.INI
        -tok    : Encrypt passwords in TOKENGEN.INI

And where <path to ini> contains the path to the INI file.

The following example command line shows the command for encrypting passwords in a JDE.INI file:

E1IniEncrypt -jde C:\tempini

The E1IniEncrypt program encrypts the password depending on the type of value in the original password entry:

  • If the value is a plain text password, the program encrypts the password. The encrypted value is represented as a text string.

  • If the value is an encrypted value from EnterpriseOne Tools 9.1.4 or 9.1.5, then it re-encrypts the value using the latest encryption method (AES encryption with site keys) and then represents the new encrypted value as a text string.

  • If the password field contains a value that has already been encrypted using the latest method, it remains unchanged.

Before running E1IniEncrypt, a site key must be set up on the Security Server. See Setting Up Site Keys on the Security Server for instructions on how to set up the site key.

To use the E1IniEncrypt program to encrypt sensitive data in an INI file:

  1. Locate the INI file, for example the JDE.INI on an Enterprise Server or the jas.ini on the HTML Server, and copy it to a temporary folder on the Deployment Server such as C:\tempini.

  2. From the JDE.INI of the Security Server, copy the [SITE_KEYS] block with all of its key values into the JDE.INI used by the Deployment Server. The JDE.INI file is typically located at C:\Windows\JDE.INI.

  3. Use the following command for each INI file to convert the passwords to the latest encryption:

    E1IniEncrypt -<options> <path to ini>

    Where <options> include:

            -jde    : Encrypt passwords in JDE.INI
            -inter  : Encrypt passwords in JDEINTEROP.INI
            -jas    : Encrypt passwords in JAS.INI
            -jdbj   : Encrypt passwords in JDBJ.INI
            -tok    : Encrypt passwords in TOKENGEN.INI
    

    And where <path to ini> is the path to the temporary folder containing the INI files.

  4. Check the INI files to verify that the password encryptions succeeded.

    The original passwords in plain text or in EnterpriseOne Tools 9.1.5 format (which begin with "AC") should now be in EnterpriseOne Tools 9.2 format (which begin with "AD"). Any passwords that were already in the EnterpriseOne Tools 9.2 format should remain unchanged.

  5. Copy the INI files with the encrypted passwords back to their original locations. For example, copy the JDE.INI back to the Enterprise Server or jas.ini back to the HTML Server.

8.6.1 Encrypting Sensitive INI File Data for the Deployment Server and EnterpriseOne Windows Client Machines

If you are using a site key for the encryption of INI file data in other EnterpriseOne Server configuration files, you can use the same site key to encrypt the password in the following WRIPassword setting in the JDE.INI files used by the Deployment Server and EnterpriseOne Windows clients:

[WORKFLOW]
WRIPassword=

To encrypt the data in this setting in the JDE.INI on the Deployment Server:

  1. Copy the JDE.INI, typically located at C:\Windows\JDE.INI, into a temporary folder.

  2. If the WRIPassword setting is blank, add the plain-text password.

  3. From the JDE.INI of the Security Server, copy the [SITE_KEYS] block with all of its key values into the JDE.INI used by the Deployment Server. The JDE.INI file is typically located at C:\Windows\JDE.INI.

  4. Use the following command for each INI file to convert the passwords to the latest encryption:

    E1IniEncrypt -<options> <path to ini>

    Where <options> include:

            -jde    : Encrypt passwords in JDE.INI
            -inter  : Encrypt passwords in JDEINTEROP.INI
            -jas    : Encrypt passwords in JAS.INI
            -jdbj   : Encrypt passwords in JDBJ.INI
            -tok    : Encrypt passwords in TOKENGEN.INI
    

    And where <path to ini> is the path to the temporary folder containing the INI files.

  5. Verify that the value in the WRIPassword setting has been encrypted with the Tools 9.2 encryption (the value begins with "AD"). The remainder of the JDE.INI should remain unchanged.

  6. Copy the JDE.INI from the temporary folder back to its original location.

For the JDE.INI to be used by the EnterpriseOne Windows clients, follow the same steps as above, but copy and convert the JDE.INI located in the Windows client installation folder on the Deployment Server. This installation folder contains the JDE.INI that is used for the installation of new Windows clients.
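The verification steps in sections 8.6 and 8.6.1 (check that each password now begins with "AD") can be scripted over the settings listed in Table 8-1. The following is an added example, not Oracle code: the function names and status labels are hypothetical, the sample file is constructed, and the classification is a heuristic that relies only on the "AC" and "AD" prefixes and the 14-character text header this chapter mentions.

```python
import re

# (section, key) pairs transcribed from Table 8-1 of this chapter.
SENSITIVE = {
    "jde.ini": [("SECURITY", "Password"), ("WORKFLOW", "WRIPassword"),
                ("TRUSTED NODE", "NodePassword")],
    "jas.ini": [("OWWEB", "FtpPwd"), ("EVENTS", "jndiuser"),
                ("EVENTS", "jndipassword")],
    "jdbj.ini": [("JDBj-BOOTSTRAP SESSION", "password"),
                 ("JDBj-SPEC DATA SOURCE", "password")],
    "jdeinterop.ini": [("KEYSTORE", "keystorepasswd"),
                       ("KEYSTORE", "certificatepasswd"),
                       ("TRUST_STORE", "truststorepasswd"),
                       ("MEDIAOBJECT", "FtpPwd")],
    "tokengen.ini": [("TOKENGEN", "NodePwd")],
}

def parse_ini(text):
    """Tolerant INI reader returning {SECTION: {key: value}}.

    Assumption: section and key names are matched case-insensitively.
    """
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in ";#":
            continue  # blank line or comment
        header = re.fullmatch(r"\[(.+)\]", line)
        if header:
            current = sections.setdefault(header.group(1).strip().upper(), {})
        elif current is not None and "=" in line:
            key, value = line.split("=", 1)
            current[key.strip().lower()] = value.strip()
    return sections

def classify(value):
    """Heuristic status of one setting; the value itself is never reported."""
    if not value:
        return "empty"
    # Section 8.5 describes a 14-character header on text encryptions, so a
    # short value that merely starts with "AD" is treated as plain text.
    if value.startswith("AD") and len(value) > 14:
        return "tools-9.2"
    if value.startswith("AC"):
        return "legacy-9.1.5"
    return "plaintext-or-unknown"

def audit(filename, text):
    """Return [(section, key, status)] for the Table 8-1 settings of one file."""
    ini = parse_ini(text)
    findings = []
    for section, key in SENSITIVE[filename.lower()]:
        value = ini.get(section.upper(), {}).get(key.lower())
        findings.append((section, key,
                         "missing" if value is None else classify(value)))
    # Section 8.2.2: PreviousKey can be removed once all data is re-encrypted.
    if "previouskey" in ini.get("SITE_KEYS", {}):
        findings.append(("SITE_KEYS", "PreviousKey", "present"))
    return findings

# Constructed sample, not a real configuration or real encrypted values.
SAMPLE_JDE_INI = """\
; constructed sample
[SECURITY]
Password=ADCONSTRUCTEDxSAMPLExVALUEx0000=
[WORKFLOW]
WRIPassword=Constructed_Plain_1
[TRUSTED NODE]
NodePassword=ACCONSTRUCTEDxSAMPLExVALUE
[SITE_KEYS]
CurrentKey=CONSTRUCTED_PLACEHOLDER
PreviousKey=CONSTRUCTED_PLACEHOLDER
"""

if __name__ == "__main__":
    for section, key, status in audit("jde.ini", SAMPLE_JDE_INI):
        print(f"[{section}] {key}: {status}")
```

Any status other than "tools-9.2" on a populated setting means the file should go through E1IniEncrypt or Server Manager again before it is copied back.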

8.7 Encrypting Database Proxy User Passwords (Release 9.2.1)

Starting with EnterpriseOne Tools Release 9.2.1.0, the EnterpriseOne encryption system uses a site key to add a higher level of security for sensitive data stored in a database. Hence, all of the JD Edwards EnterpriseOne database proxy users added by the Work With System Users program (P980001) are stored with the new encryption scheme in the System User Security table (F98OWPU).

The enhanced encryption scheme is used to store and retrieve database proxy user passwords from the System User Security (F98OWPU) table.

Caution:

If you have not set up site keys for data encryption, you cannot add new database proxy users.

8.7.1 Encrypting Database Proxy User Password Considerations

  • Ensure that a site key is already configured in the Enterprise Server's JDE.INI file; the site key is a prerequisite.

  • Because the encryption scheme is AES encryption with a site key, it is identified as Encryption Type 3. Encryption Type 4 identifies an unknown encryption.

  • If ONTHEFLYMIGRATION is set to true or 1 under the [Security] section of the Enterprise Server's JDE.INI file, then all existing database proxy users (encrypted with an old scheme such as 3DES or XOR) stored in the System User Security table (F98OWPU) are converted to AES encryption dynamically.

  • If you add a proxy user from the Deployment Server, create the site key first and then add this new site key to the local JDE.INI file of the Deployment Server under the [SITE_KEYS] section. On systems without an available Security Server, such as the Deployment Server, the site keys are read directly from the local JDE.INI file and not from the server's JDE.INI file.

8.8 Commands for Encrypting Passwords Used by RUNUBE and RUNUBEXML

When a user uses the RUNUBE command to generate a report on an EnterpriseOne Windows client, the system uses the user ID and password from a text file to access EnterpriseOne and run the report. This user ID and password are in clear text. Oracle recommends that you use a command to encrypt the password in the text file to protect the sensitive information. Use the following RUNUBE command to encrypt the password in the text file the first time you generate a report:

runube -Fe <text_file>

Any subsequent RUNUBE invocation that uses the text file will use the encrypted password.

RUNUBEXML uses an XML file that contains a user ID and password in clear text. The password in this XML file needs to be encrypted as well, so Oracle provides a command that encrypts the password the first time you run RUNUBEXML. Any subsequent run of RUNUBEXML that uses this XML file will use the encrypted password. Use the following command to encrypt the password in the XML file when you generate a report:

runubexml E ENCRYPT_V1 <template_file>

For more information about the commands that you can use to run reports with RUNUBE or RUNUBEXML, see "Submitting at the Command Line" in the JD Edwards EnterpriseOne Tools Batch Versions Guide.