WebFOCUS Encryption

WebFOCUS Encryption is a configurable feature used to protect sensitive information throughout WebFOCUS.

By default, WebFOCUS Encryption is set to Default Encryption (for both the CGI/ISAPI and Servlet implementations of the WebFOCUS Client). You can optionally configure other encryption providers. For the Servlet implementation of the WebFOCUS Client, the WFENCR setting in the WebFOCUS Web application deployment descriptor file (web.xml) specifies the encryption provider to use.

Four built-in encryption providers are available for the WFServlet. For information about configuring these encryption providers, see Optional Built-in Encryption Providers.

You can also build your own encryption provider. For information on building and configuring your own encryption provider, see Implementing Your Own Encryption Algorithm.

The CGI/ISAPI implementation of the WebFOCUS Client does not provide any built-in encryption providers. However, you can build your own encryption provider. For information, call Customer Support Services.

Optional Built-in Encryption Providers

How to:

Reference:

WebFOCUS provides four optional encryption providers based on the DES and Triple DES algorithms. To activate one of these providers, set the WFENCR context parameter.

The WFENCR context parameter specifies an override of the default encryption class used to protect the following:

WebFOCUS cookies.
Managed Reporting passwords.
Business Intelligence Dashboard public passwords.
Business Intelligence Dashboard WebFOCUS Reporting Server credentials.
The ticket used in a trusted Managed Reporting sign-on.

These optional encryption providers use Sun Java Cryptography Extension (JCE) library and are supported only with the Java Servlet (WFServlet) implementation of the WebFOCUS Client. The Triple DES providers use the stronger Cypher Block Chaining (CBC) mode option. You can specify an external encryption key for both provider types.

Note: For information about configuring ReportCaster for DES and Triple DES encryption, see Optional Encryption Providers for ReportCaster in ReportCaster Security in the ReportCaster Development and Administration manual.

Top of page

Procedure: How to Enable DES and Triple DES Encryption Without an External Key

Modify the WFENCR context parameter in the Web application (for example, in the \ibi\WebFOCUS\webapps\webfocus\WEB-INF\web.xml file or using your Application Server Administration interface). The value of this parameter should be the name of one of the following encryption classes (including the Java package):

Algorithm

External Key

Class Name

DES

No

ibi.webfoc.wfsecurity.encryption.wiredes.
WFWireDES

Triple DES

No

ibi.webfoc.wfsecurity.encryption.wiretripledes.
WFWireTripleDES

Algorithm	External Key	Class Name
DES	No	ibi.webfoc.wfsecurity.encryption.wiredes. WFWireDES
Triple DES	No	ibi.webfoc.wfsecurity.encryption.wiretripledes. WFWireTripleDES

Reload the WebFOCUS Web application for the new setting to take effect.

Top of page

Procedure: How to Enable DES and Triple DES Encryption With an External Key

Algorithm

External Key

Class Name

DES

Yes

ibi.webfoc.wfsecurity.encryption.wiredes.
WFWireDESKeyFile

Triple DES

Yes

ibi.webfoc.wfsecurity.encryption.wiretripledes.
WFWireTripleDESKeyFile

Algorithm	External Key	Class Name
DES	Yes	ibi.webfoc.wfsecurity.encryption.wiredes. WFWireDESKeyFile
Triple DES	Yes	ibi.webfoc.wfsecurity.encryption.wiretripledes. WFWireTripleDESKeyFile

To use an encryption key stored in an external file, you must also add the context parameter WFENCR_KEY_INFO. The value of this parameter is the fully qualified path of the plain text file containing the external key data (for example: c:\ibi\keyfile.dat).

Create the key file on disk and input 8 or 24 hexadecimal bytes, depending on the encryption algorithm. The following is an example of 24 hexadecimal bytes:

5468658A6C617A7920646F67206A756D7073206F7665723F

Save the key file as a plain text file.

Reload the WebFOCUS Web application for the new settings to take effect.

Top of page

Reference: Enabling Triple DES Encryption With an External Key

The resulting code in your deployment descriptor should look like this:

<context-param>
<param-name>WFENCR</param-name>
<param-value> 
ibi.webfoc.wfsecurity.encryption.wiretripledes.WFWireTripleDESKeyFile 
</param-value>
</context-param>
<context-param>
<param-name>WFENCR_KEY_INFO</param-name>
<param-value>c:\ibi\keyfile.dat</param-value>
</context-param>

Top of page

Reference: Key File Format

The encryption key information is stored in a plain text file and is represented by a sequence of bytes in hexadecimal notation. A hexadecimal byte is represented by two digits. Each digit is either a number (0-9) or a letter (A-F). The key file must contain eight hexadecimal bytes for a DES key and 24 hexadecimal bytes for a Triple DES key.

It may seem that more data is specified in the key file than is required (8 bits per byte times 24 bytes is 192 bits, which is greater than the 168 bits usually required for Triple DES). The reason is that the Triple DES algorithm only uses 168 bits (3 keys of 56 bits) and the remaining 3 bytes (24 bits) are used for parity and not used for encryption.

Top of page

Procedure: How to Change Encryption Providers

WFENCR is used to encrypt both transient data (WebFOCUS cookies and Managed Reporting sign-on tickets) and persisted data (Managed Reporting passwords). Changing an encryption algorithm or an encryption key renders persisted data unreadable. If you are using the built-in Managed Reporting Repository for authentication or are storing Dashboard credentials for the Public View or for WebFOCUS Reporting Server authentication, you must reset those passwords after adding or changing a WFENCR or WFENCR_KEY_INFO setting.

To reset passwords in the built-in Managed Reporting user directory (user.htm) after changing WebFOCUS encryption settings, do the following:

Make a backup copy of basedir/user.htm.
Edit user.htm and locate the anchor tag for a Managed Reporting Administrator account. For example, the line beginning with: <A HREF='admin.htm' NAME='admin'.
On this line, remove the PASSWORD=encrypted_string keyword/value from the anchor line.
Save the file and reload your WebFOCUS Web application.
Now log in as the administrator whose password you just removed.
Use the Managed Reporting User Administration tool to assign a password to the currently logged in administrator account. This password will now be written to user.htm in encrypted form using the current WebFOCUS encryption settings.
Next, reset the password of each user to an initial value.
Instruct your users to change their passwords as appropriate, from the Managed Reporting or Dashboard logon page.

This process is tedious so consider your implementation choices carefully. For example, configure WebFOCUS with a strong encryption provider from the start so you do not have to change it later. Consider also using the Managed Reporting Realm Driver to authenticate users to an external directory such as Active Directory or LDAP. In this case, passwords are not maintained in the user.htm file.

Note: In a future release, Information Builders plans to create separate settings for encrypting transient and persisted data. This will allow for the possibility of a dynamically generated internal key, external key store, and key rotation.

Top of page

Reference: Sun JCE Provider Support

The DES and Triple DES algorithms were developed with Sun Java Cryptography Extension (JCE) framework and currently implement only the Sun JCE provider class. The cipher specification for DES is DES/CBC/PKCS5Padding and for Triple DES is DESede/CBC/PKCS5Padding. Review the following scenarios to verify support for your Application server:

If you are running WebFOCUS inside a Java Application server (or servlet engine) that runs on Sun J2SDK 1.4.1 or higher, you do not need to take any action. The Sun JCE provider is included.
If you are running J2SDK 1.4.1 or higher of another vendor, check their documentation to see if the Sun JCE provider is available in that implementation. For example, WebSphere 5.1 for HP-UX ships with a version of HP J2SDK 1.4.1 that has both the Sun and IBM JCE providers. However, WebSphere 5.1 for AIX ships with an IBM J2SDK 1.4.1 that has only the IBM JCE provider and is therefore not currently supported by the optional encryption providers supplied by Information Builders.
If your Java Application server is running on J2SDK 1.3.x (from any vendor), you must download and configure Sun JCE 1.2.2. For example, WebSphere 5.0 on AIX ships with IBM J2SDK 1.3.1, which is only supported when you download and configure the Sun JCE.
You can obtain the Sun JCE 1.2.2 software and installation documentation by accessing the JCE Downloads section on Sun Java Technology Web site.

Implementing Your Own Encryption Algorithm

How to:

Build and Enable an Alternate Encryption Provider

WebFOCUS comes with several encryption providers, for example DES and Triple DES. However, if your WebFOCUS Client path is the Servlet and you have a different encryption algorithm that you want to use for encrypting and decrypting WebFOCUS cookies and Managed Reporting passwords in the basedir/user.htm file, you can implement your encryption algorithm using the WebFOCUS Servlet Alternate Encryption Exit.

Note:

If you are using Managed Reporting and you switch encryption algorithms, WebFOCUS will not be able to decrypt your existing Managed Reporting passwords. If you are not using a Managed Reporting driver, you must manually remove the passwords from the basedir/user.htm file and then either recreate passwords for the users via the User Administration tool or instruct users to create their own passwords from the logon page. To remove passwords from the user.htm file, make a backup copy of the file and carefully remove all the PASSWORD=' ... ' strings from the file.
ReportCaster currently does not support alternate encryption algorithms. If you are using ReportCaster, you cannot override the standard WFENCR setting.

Top of page

Procedure: How to Build and Enable an Alternate Encryption Provider

To build the alternate encryption provider, you must add the \ibi\WebFOCUS\webapps\webfocus\WEB-INF\lib\webfoc.jar file to the build classpath for your WebFOCUS Servlet Alternate Encryption project.
To enable the alternate encryption provider, add WFENCR as a context parameter to the WebFOCUS Web application so that it will be available for WebFOCUS, Managed Reporting, and Dashboard. The change is made to the deployment descriptor file, \ibi\WebFOCUS\webapps\webfocus\WEB-INF\web.xml:
```
<web-app>  ...  ...  <context-param>  <param-name>WFENCR</param-name>  <param-value>ENCRYPTION EXIT CLASS NAME GOES HERE</param-value> </context-param>
```

Top of page

Example: Using Your Alternate Encryption Provider

The following sample code overrides WebFOCUS built-in encryption and encodes the WebFOCUS cookie. This sample does not provide any encryption algorithm.

package exits.wf;
import ibi.webfoc.wfutil.WFEncryptionInterface;
 
public class WfEncryptionExit implements WFEncryptionInterface
{
/**
 * Constructor for WfEncryptionExit.
 */
public WfEncryptionExit()
{
super();
}
 
/**
 * Apply custom encryption algorithm.
 * @param cookie
 * @return Encrypted cookie string
 */
 
public String encrypt(String cookie)
{String rCookie;
rCookie= java.net.URLEncoder.encode(cookie);
return rCookie;
}
/**
 * Apply custom decryption algorithm,
 * @param cookie
 * @return Decrypted cookie string
 */

public String decrypt(String cookie)
{
String rCookie;
rCookie= java.net.URLDecoder.decode(cookie);
return rCookie;
}
 
/**
 * Determines if a EBCIDIC to ASCII translation is performed.
 * @param cookie
 * @param convert
 * @return String
 */
public String decrypt(String cookie, boolean convert)
{
String rCookie;
rCookie= java.net.URLDecoder.decode(cookie);
return rCookie;
}
}