Siebel CRM Siebel Security Guide
Siebel Innovation Pack 2015
E24814-01
Process of Configuring User and Credentials Password Hashing

This topic describes how to implement password hashing for user passwords or for database credentials, how to implement the use of salt values for user passwords, and how to specify the default hashing algorithm.

Configuration parameters for all security adapters provided with Siebel Business Applications, and for custom security adapters you implement, specify the password hashing settings in effect. For LDAP or ADSI authentication, parameters are specified for the security adapter. For database authentication, the relevant parameters are specified for a data source referenced from the database security adapter, rather than specified directly for the security adapter.

To configure password hashing, perform the following tasks:

  1. Review "Guidelines for Password Hashing"

  2. Perform either or both of the following tasks, as appropriate:

    • "Configuring User Password Hashing"

    • "Configuring Password Hashing of Database Credentials"

Guidelines for Password Hashing

This topic describes the factors to consider if you choose to implement password hashing with Siebel Business Applications.

This task is a step in "Process of Configuring User and Credentials Password Hashing".

Guidelines for using password hashing with Siebel Business Applications include the following:

  • The password hashing utility, hashpwd.exe, does not automatically store hashed passwords or salt values in the Siebel database, LDAP directory, or Active Directory. The administrator is responsible for defining and storing the hashed passwords and salt values. A hashed password is stored in one of the following locations:

    • In a database authentication environment, the hashed password is set as the valid password for the database account.

    • In an LDAP or Active Directory authentication environment, the hashed password is stored in the attribute specified for the user's password. The password salt value is stored in the attribute specified for the salt value.

  • The unhashed version of the password is given to a user to use when logging in.

  • Stored passwords must first be hashed (after salt values are added, if applicable) with the same hashing algorithm (typically, RSA SHA-1) that is applied to the passwords in the authentication process.

  • Database credentials passwords stored outside of the Siebel database must be stored in unhashed form, because such passwords are hashed during the authentication process. For additional information, see "About Password Hashing".

  • With database authentication, the Siebel Server components that log in to the database must use the hashed password value stored in the Siebel database. Otherwise, the component login will fail.

    For example, when you run the Generate Triggers (GenTrig) component, the value provided for the PrivUserPass parameter (used along with the PrivUser parameter) must be the hashed password value.

    To determine whether a Siebel Server component uses a hashed password, select the component in the Enterprise Component Definition View and query for the component parameter OM - Data Source. If the data source that OM - Data Source references has DSHashAlgorithm set to a hashing algorithm and DSHashUserPwd set to TRUE, the component can accept an unhashed password and hash it using those parameters.

  • Password hashing and use of salt values must be specified consistently for all Siebel Enterprise components that will work together. For example, all Siebel Servers subject to Application Object Manager load balancing must use the same security adapter settings, including those for password hashing, or component login will fail.

  • For the Siebel Mobile Web Client, password hashing for the local database password has the following requirements:

    • The parameter Encrypt client Db password (alias EncryptLocalDbPwd) must have been set to TRUE for the server component Database Extract (alias DbXtract) at the time the user's local database was extracted. See Siebel Remote and Replication Manager Administration Guide for details.

    • The database security adapter must be in effect for the Mobile Web Client, and the DSHashUserPwd and DSHashAlgorithm parameters must be set appropriately for the data source specified for the security adapter. For more information, see "About Database Authentication" and "Siebel Application Configuration File Parameters".

Configuring User Password Hashing

The procedure in this topic describes how to configure user password hashing with Siebel Business Applications.

This task is a step in "Process of Configuring User and Credentials Password Hashing".

To implement user password hashing

  1. For each user, create and record a user name and a password.

  2. To hash one or more passwords, run the hashpwd.exe utility at a command prompt. For command syntax options, see "Running the Password Hashing Utility".

  3. For each user, do one of the following:

    • In a database authentication environment, set the credentials for a database account to the user name and the hashed password. For information about setting credentials for database accounts, see your RDBMS documentation.

    • In an LDAP or ADSI authentication environment, set the values in the directory attributes for user name, password, and salt to the user name, hashed password, and salt value returned by the hashpwd.exe utility.

  4. Using Siebel Server Manager, configure the security adapter for user password hashing as follows:

    • For the database security adapter (typically, DBSecAdpt):

      • Set the DataSourceName parameter to the name of the applicable data source (for example, ServerDataSrc).

      • For the applicable data source, set the DSHashUserPwd parameter to TRUE.

      • For the applicable data source, set the DSHashAlgorithm parameter to RSASHA1 (this is the default value) or SIEBELHASH (the Siebel proprietary algorithm).

    • For the LDAP or ADSI security adapter (typically, LDAPSecAdpt or ADSISecAdpt):

      • Set the HashUserPwd parameter to TRUE.

      • Set the HashAlgorithm parameter to RSASHA1 (this is the default value) or SIEBELHASH (the Siebel proprietary algorithm).

      • (Optional) Set the SaltUserPwd parameter to TRUE to specify that salt values can be added to user passwords.

      • (Optional) Set the SaltAttributeType parameter to specify the attribute that is to store the salt value.

  5. Provide each user with the user name and the clear-text password for logging in.
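The following Python model is an added example, not code from the Siebel documentation or product. It makes concrete the guidelines above (a component must present the value the adapter expects, and load-balanced servers must share settings) and the DSHashUserPwd and DSHashAlgorithm settings in this procedure. It assumes the salt is prepended and the SHA-1 digest is hex-encoded; the actual output format of hashpwd.exe is not given on this page, and the proprietary SIEBELHASH algorithm is not modelled.

```python
import hashlib
import hmac

# All values below are constructed for illustration, not taken from Siebel.
# ASSUMPTION: salt is prepended and the digest is hex-encoded; hashpwd.exe's
# real encoding and salt placement are not documented on this page.


def hash_password(password, salt="", algorithm="RSASHA1"):
    """Hash a clear-text password as the adapter's DSHashAlgorithm (or
    HashAlgorithm) setting directs. SIEBELHASH is proprietary and is
    deliberately left unimplemented."""
    if algorithm == "RSASHA1":
        return hashlib.sha1((salt + password).encode("utf-8")).hexdigest()
    if algorithm == "SIEBELHASH":
        raise NotImplementedError("SIEBELHASH is Siebel proprietary")
    raise ValueError("unknown hashing algorithm: %s" % algorithm)


def adapter_accepts(supplied, stored, data_source, salt=""):
    """Model of the database security adapter's decision for one login.
    With DSHashUserPwd TRUE the supplied password is hashed with
    DSHashAlgorithm before comparison; with FALSE it is compared as-is.
    'stored' is the value the administrator set as the account password."""
    if data_source["DSHashUserPwd"]:
        candidate = hash_password(supplied, salt, data_source["DSHashAlgorithm"])
    else:
        candidate = supplied
    # constant-time comparison, as a real adapter should use
    return hmac.compare_digest(candidate.encode(), stored.encode())


def inconsistent_servers(servers):
    """Guideline check: every Siebel Server behind Application Object
    Manager load balancing must use the same hashing settings. Returns the
    names of servers whose settings differ from the first (sorted) one."""
    names = sorted(servers)
    baseline = servers[names[0]]
    return [name for name in names[1:] if servers[name] != baseline]


if __name__ == "__main__":
    ds = {"DSHashUserPwd": True, "DSHashAlgorithm": "RSASHA1"}
    stored = hash_password("Winter2015", salt="k7Qz")  # set on the DB account
    print("user login:", adapter_accepts("Winter2015", stored, ds, "k7Qz"))
    # A component such as GenTrig whose data source does not hash must be
    # given the hashed value; the clear-text password fails on that path.
    plain = {"DSHashUserPwd": False, "DSHashAlgorithm": "RSASHA1"}
    print("component, hashed value:", adapter_accepts(stored, stored, plain))
    print("component, clear text:", adapter_accepts("Winter2015", stored, plain))
```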

Related Topics

"About Password Hashing"

"Configuring Password Hashing of Database Credentials"

Configuring Password Hashing of Database Credentials

The procedure in this topic describes how to configure database credentials password hashing with Siebel Business Applications.

This task is a step in "Process of Configuring User and Credentials Password Hashing".

To implement database credentials password hashing

  1. For each applicable database account, create and record a login name and a password.

  2. To hash one or more passwords, run the hashpwd.exe utility at a command prompt. For command syntax options, see "Running the Password Hashing Utility".

  3. For each database account, assign the hashed passwords to their corresponding database accounts.

    For information about setting credentials for database accounts, see your RDBMS documentation.

  4. In the LDAP directory or Active Directory, specify the unhashed version of the password for the attribute that contains the database account.

    The database credentials password must be stored in unhashed form in the directory because the password is hashed during the authentication process. Users cannot log in to the Siebel database using a password obtained through unauthorized access to the directory, because the unhashed password in the directory will not match the hashed version stored in the database.

    As an additional security measure, however, you can define an access control list (ACL) to restrict access to the directory attribute that contains the unhashed version of the password. Alternatively, if you are implementing a shared database account, you can specify the shared database login name and hashed password as profile parameters for the LDAP or ADSI Security Adapter profiles.

    For information about required attributes in the directory, see "Requirements for the LDAP Directory or Active Directory". For information on setting up directory ACLs, see your directory vendor documentation.

  5. Using Siebel Server Manager, configure the security adapter for credentials password hashing. For the LDAP or ADSI security adapter:

    • Set the HashDBPwd parameter to TRUE.

    • The hashing algorithm is the one you set for the HashAlgorithm parameter when you configured user password hashing; no separate algorithm parameter exists for database credentials.

Related Topics

"About Password Hashing"

"Configuring User Password Hashing"