Encrypting Sensitive INI File Data Using the Deployment Server

As an alternative to using Server Manager, Oracle provides a command line utility program called E1IniEncrypt for encrypting sensitive data in the INI files. Server Manager is the preferred method for encrypting passwords in the INI files, but E1IniEncrypt may be used during EnterpriseOne Tools release upgrades if Server Manager is not available. See sensitive-data-ini-files-managed-server-manager.html#GUID-EE49780B-73CF-4BA9-B25B-0EAC4D45CDED__CIHBHBED for a list of INI data that can be encrypted using E1IniEncrypt.

Oracle recommends running the E1IniEncrypt program on the Deployment Server, but it will run on any EnterpriseOne Windows client machine.

Caution: You must have administrative rights on the EnterpriseOne Windows client machine to run this program.

You use the following command in the E1IniEncrypt program to encrypt sensitive data in INI files:

E1IniEncrypt -<options> <path to ini>

Where <options> include:

        -jde    : Encrypt passwords in JDE.INI
        -inter  : Encrypt passwords in JDEINTEROP.INI
        -jas    : Encrypt passwords in JAS.INI
        -jdbj   : Encrypt passwords in JDBJ.INI
        -tok    : Encrypt passwords in TOKENEGEN.INI

And where <path to ini> contains the path to the INI file.

The following example command line shows the command for encrypting passwords in a JDE.INI file:

E1IniEncrypt -jde C:\tempini

The E1IniEncrypt program encrypts the password depending on the type of value in the original password entry:

  • If the value is a plain text password, the program encrypts the password. The encrypted value is represented as a text string.

  • If the value is an encrypted value from EnterpriseOne Tools 9.1.4 or 9.1.5, then it re-encrypts the value using the latest encryption method (AES encryption with site keys) and then represents the new encrypted value as a text string.

  • If the password field contains a value that has already been encrypted using the latest method, it remains unchanged.

Before running E1IniEncrypt, a site key must be set up on the Security Server. See Setting Up Site Keys on the Security Server for instructions on how to set up the site key.

To use the E1IniEncrypt program to encrypt sensitive data in an INI file:

  1. Locate the INI file, for example the JDE.INI on an Enterprise Server or the jas.ini on the HTML Server, and copy it to a temporary folder on the Deployment Server such as C:\tempini.

  2. From the JDE.INI of the Security Server, copy the [SITE_KEYS] block with all of its key values into the JDE.INI used by the Deployment Server. The JDE.INI file is typically located at C:\Windows\JDE.INI.

  3. Use the following command for each INI file to convert the passwords to the latest encryption:

    E1IniEncrypt -<options> <path to ini>

    Where <options> include:

            -jde    : Encrypt passwords in JDE.INI
            -inter  : Encrypt passwords in JDEINTEROP.INI
            -jas    : Encrypt passwords in JAS.INI
            -jdbj   : Encrypt passwords in JDBJ.INI
            -tok    : Encrypt passwords in TOKENEGEN.INI
    

    And where <path to ini> is the path to the temporary folder containing the INI files.

  4. Check the INI files to verify that the password encryptions succeeded.

    The original passwords in plain text or in EnterpriseOne Tools 9.1.5 format (which begin with "AC") should now be in EnterpriseOne Tools 9.2 format (which begin with "AD"). Any passwords that were already in the EnterpriseOne Tools 9.2 format should remain unchanged.

  5. Copy the INI files with the encrypted passwords back to their original locations. For example, copy the JDE.INI back to the Enterprise Server or jas.ini back to the HTML Server.