How do we hash, mask, or encrypt the database credentials in an external security directory (ADSI or LDAP)?
Last updated on JANUARY 17, 2016
Applies to: Siebel Financial Services CRM - Version: 7.7.1 SIA to 18.104.22.168 - Release: V7 to V8
Information in this document applies to any platform.
We are using external security directory authentication (ADSI or LDAP) with the Siebel standard security adapters (ADSISecAdpt or LDAPSecAdpt). We are using the Shared Credentials user approach to storing the database login and password. As discussed in the Security Guide on Bookshelf, this requires us to store the plain text password in the Credentials attribute (typically either physicalDeliveryOfficeName or mail) in the Active Directory or LDAP server. Since anyone with access to the Active Directory can see this database login and password in plain text, our corporate security team insists that we somehow hide or encrypt this value.
We have done the following to implement password hashing:
(1) Use hashpwd.exe to hash the password.
(2) Have the DBA assign the hashed version of the password to the shared login at the database level.
(3) Set the HashUserPwd parameter for the ADSI Security Adapter to "True".
(4) Restart Siebel Server, Gateway Server, and Web Server services.
This does not, however, address the issue with the password being in plain text within the external security directory. How do we hash, mask, or encrypt the database credentials in an external security directory (ADSI or LDAP)?