How do we hash, mask, or encrypt the database credentials in an external security directory (ADSI or LDAP)?

(Doc ID 563663.1)

Last updated on JANUARY 17, 2016

Applies to:

Siebel Financial Services CRM - Version: 7.7.1 SIA [18306] to 8.0.0.2 [20412] - Release: V7 to V8
Information in this document applies to any platform.

Goal

We are using external security directory authentication (ADSI or LDAP) with the Siebel standard security adapters (ADSISecAdpt or LDAPSecAdpt). We are using the Shared Credentials user approach to storing the database login and password. As discussed in the Security Guide on Bookshelf, this requires us to store the plain text password in the Credentials attribute (typically either physicalDeliveryOfficeName or mail) in the Active Directory or LDAP server. Since anyone with access to the Active Directory can see this database login and password in plain text, our corporate security team insists that we somehow hide or encrypt this value.

We have done the following to implement password hashing:

(1) Use hashpwd.exe to hash the password.
(2) Have the DBA assign the hashed version of the password to the shared login at the database level.
(3) Set the HashUserPwd parameter for the ADSI Security Adapter to "True".
(4) Restart Siebel Server, Gateway Server, and Web Server services.

This does not, however, address the issue with the password being in plain text within the external security directory. How do we hash, mask, or encrypt the database credentials in an external security directory (ADSI or LDAP)?
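The concern above is that the Credentials attribute holds the database login and password in plain text where any directory reader can see it. The script below is an added example, not part of this Oracle note and not Siebel's own tooling: it reads an LDIF export and reports every entry whose physicalDeliveryOfficeName or mail attribute carries a credential-looking value, masking the secret in the report so the audit output does not leak it. The sample LDIF, the entry DNs, and the `password=` / `pwd=` pattern are constructed assumptions for illustration; the note does not state the exact value format the security adapter expects, so adjust the pattern to match your deployment.

```python
# Added example (not from the Oracle note): audit an LDIF export for plaintext
# database credentials stored in the Siebel "Credentials" attribute.
import base64
import re
from typing import Dict, List, Tuple

# Attributes the note names as the typical choices for the Credentials attribute.
CREDENTIAL_ATTRS = ("physicalDeliveryOfficeName", "mail")

# Heuristic for a credential-looking value. The exact format Siebel writes is
# NOT stated in the note, so this pattern is an assumption for the example.
CRED_PATTERN = re.compile(r"((?:password|pwd)\s*=\s*)(\S+)", re.IGNORECASE)

# Constructed sample export (no real directory data). The second credential is
# stored base64-encoded ("attr::" form) to show that LDIF encoding is no disguise.
_BOB_MAIL_B64 = base64.b64encode(b"username=SIEBELDB pwd=hunter2").decode()
SAMPLE_LDIF = f"""\
dn: cn=siebel-shared,ou=svc,dc=example,dc=com
objectClass: person
cn: siebel-shared
physicalDeliveryOfficeName: username=SIEBELDB password=S3cret!

dn: cn=alice,ou=users,dc=example,dc=com
objectClass: person
cn: alice
mail: alice@example.com
physicalDeliveryOfficeName:: QnVpbGRpbmcgNA==

dn: cn=bob,ou=users,dc=example,dc=com
objectClass: person
cn: bob
mail:: {_BOB_MAIL_B64}
"""


def parse_ldif(text: str) -> List[Dict[str, List[str]]]:
    """Minimal LDIF reader: handles 'attr: value', 'attr:: base64value',
    folded continuation lines (leading space) and blank-line entry separators."""
    lines: List[str] = []
    for raw in text.splitlines():
        if raw.startswith(" ") and lines:      # folded line continues the previous one
            lines[-1] += raw[1:]
        else:
            lines.append(raw)

    entries: List[Dict[str, List[str]]] = []
    current: Dict[str, List[str]] = {}
    for line in lines + [""]:                  # trailing "" flushes the last entry
        if not line.strip():
            if current:
                entries.append(current)
                current = {}
            continue
        if line.startswith("#"):
            continue
        name, _, value = line.partition(":")
        if value.startswith(":"):              # "attr:: <base64>" form
            value = base64.b64decode(value[1:].strip()).decode("utf-8")
        else:
            value = value.strip()
        current.setdefault(name.strip(), []).append(value)
    return entries


def mask_secret(value: str) -> str:
    """Replace the secret after password=/pwd= with asterisks of equal length."""
    return CRED_PATTERN.sub(lambda m: m.group(1) + "*" * len(m.group(2)), value)


def find_plaintext_credentials(
    entries: List[Dict[str, List[str]]], attrs=CREDENTIAL_ATTRS
) -> List[Tuple[str, str, str]]:
    """Return (dn, attribute, masked value) for every credential-looking value
    found in the configured Credentials attributes."""
    findings = []
    for entry in entries:
        dn = entry.get("dn", ["<no dn>"])[0]
        for attr in attrs:
            for value in entry.get(attr, []):
                if CRED_PATTERN.search(value):
                    findings.append((dn, attr, mask_secret(value)))
    return findings


def audit(ldif_text: str = SAMPLE_LDIF) -> List[Tuple[str, str, str]]:
    """Parse an LDIF export and list entries exposing plaintext credentials."""
    return find_plaintext_credentials(parse_ldif(ldif_text))


if __name__ == "__main__":
    for dn, attr, masked in audit():
        print(f"{dn}: {attr} = {masked}")
```

Run it against a real export (for example the output of an `ldapsearch` or `ldifde` dump redirected to a file) by passing the file contents to `audit()`; any hit is an entry that would need the Credentials attribute protected or rotated, and the masked output is safe to attach to a ticket.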

Solution
