Configuring Server Encryption


The server supports encryption of passwords in configuration files, as well as SSL encryption for the HTTP Listener and encryption of data passed between a hub server and a remote server or cluster server.


Encrypting Passwords Stored in Configuration Files

You can select an encryption algorithm for passwords stored in configuration files.



Procedure: How to Encrypt Passwords Stored in Configuration Files
  1. From the Web Console menu bar, choose Access Control.
  2. Right-click Password Settings in the navigation pane, and select Configure.

    The Access Control - Password Settings page opens.

  3. To define the cipher used to encrypt passwords in configuration files, click the drop-down list for cfgfile_cipher and select:
    • DES for Data Encryption Standard. This is the default.
    • 3DES for Triple Data Encryption Standard.
    • AES 128 bits for Advanced Encryption Standard (key size 128 bits).
    • AES 256 bits for Advanced Encryption Standard (key size 256 bits).
    • user defined program to specify your own encryption and decryption programs.
  4. Click the Apply and Restart Server button.

User-Defined Password Encryption and Decryption

You can configure the Reporting Server to employ user-defined password encryption and decryption programs.

User-defined encryption and decryption are available from the Settings option on the Web Console Access Control navigation tree. Right-click Access Control (the top level of the tree) to open the Access Control - Settings page. Set the parameter cfgfile_cipher to user defined program, which enables you to specify your password encryption and decryption programs by entering them in the cfgfile_cipher_encrypt and cfgfile_cipher_decrypt text boxes.

Note: If you choose to use password encryption outside the server, only the path to the decryption program needs to be specified.

In cases where a password is encrypted outside of the server, the encrypted password string (or label) must be used instead of the password in server and adapter configurations. When user-defined program is chosen, all passwords for registered users in the admin.cfg file, all adapter connections in the edasprof.prf file (or user, group and role profiles), passphrases in the odin.cfg file, and pooled user passwords need to be encrypted using the same encryption program. They will be decrypted using the same decryption program. Remote Server connections in the odin.cfg file do not support the user-defined encryption option. If user-defined encryption is chosen, the Cluster Manager Feature should not be enabled.



Procedure: How to Set Up User-Defined Password Encryption and Decryption
  1. Select Access Control from the Web Console menu bar.
  2. On the Access Control navigation tree, right-click Access Control and select Settings.

    The Access Control - Settings page opens.

  3. Select user defined program from the cfgfile_cipher drop-down menu.

    Two additional parameters are displayed.

  4. Enter the full paths to the encryption and decryption programs in the cfgfile_cipher_encrypt and cfgfile_cipher_decrypt fields respectively.

  5. Click Apply and Restart Server.

Configuring Secure Socket Layer (SSL) Encryption for the HTTP Listener

You can enable SSL for the HTTP Listener to encrypt all traffic between the server and any client application, such as the WebFOCUS Client, a remote server, or a cluster server.



Procedure: How to Enable SSL
  1. From the menu bar, select Workspace.
  2. Open the Special Services and Listeners folder, right-click HTTP, and select Properties.

    The Listener Configuration page opens.

  3. Open the Advanced pane, scroll down, and select Yes (OpenSSL) or Yes (Microsoft) from the Enable HTTPS drop-down list.

    Note that OpenSSL libraries libeay32.dll and ssleay32.dll must be in the path to enable SSL.

  4. Enter the following values:
    SSL_CERTIFICATE

    Contains the certificate chain in order, starting with the certificate for the listener and ending with the root CA certificate. Each of these entries must be in PEM format.

    Note that the administrator at the installation site must acquire valid security certificates (self-signed or commercial).

    SSL_PRIVATE_KEY

    Defines the file that contains the private key of the listener. It must correspond to the public key embedded within the certificate and must be in PEM format.

    SSL_PASSPHRASE

    If the file defined in SSL_PRIVATE_KEY is encrypted, a passphrase must be provided here to decrypt the private key.

    SSL_CA_CERTIFICATE

    Defines the name of a file containing a trusted CA certificate in PEM format. It is used to verify the client certificate. If the client fails to send a certificate or verification fails, connections are rejected. More than one CA certificate may be present in the file.

  5. Click the Apply and Restart Server button.

Configuring Data Encryption for a Remote Server

You can enable encryption of data passed between the server and a remote server or cluster server.



Procedure: How to Configure Data Encryption for a Remote Server
  1. You can access the Remote Server Configuration page by selecting Adapters on the Web Console menu bar. Remote Servers is an item in the Available folder.
  2. Right-click Remote Servers on the Adapter page and select Configure.

    The Remote Server Configuration page opens.

  3. Click the ENCRYPTION drop-down list and select:
    • 0 for no encryption.
    • DES for 56-bit fixed-key Data Encryption Standard in Electronic Code Book (ECB) mode. The same key is used in all connections with no key exchange between client and server.
    • ADVANCED to select an encryption cipher (3DES, AES128, AES192 or AES256), encryption mode (ECB or CBC), and RSA key length (512 or 1024 bits). In advanced mode, the client randomly generates a new RSA key pair (public and private keys of the specified length) and sends the public key to the server. Upon receipt of the public key, the server generates a random secret key. The length of the secret key depends on the chosen cipher strength. The secret key is encrypted with the public RSA key and sent back to the client, which decrypts it with its private RSA key. After the exchange, the client and the server both share the same secret key, and use it to encrypt and decrypt all communications between them.

      The following encryption ciphers are available:

      • 3DES for triple Data Encryption Standard.
      • AES128 for Advanced Encryption Standard (key size 128 bits).
      • AES192 for Advanced Encryption Standard (key size 192 bits).
      • AES256 for Advanced Encryption Standard (key size 256 bits).

      The following encryption modes are available:

      • ECB for Electronic Code Book mode. This is the default mode.
      • CBC for Cipher Block Chaining mode.

      The following RSA key lengths are available:

      • 512 bits.
      • 1024 bits.
    • IBCRYPT for a user-defined algorithm. The key is 512-bit RSA-encrypted.
  4. Click the Save button.

iWay Software