Configuring Server Encryption


The server supports encryption of passwords in configuration files, SSL encryption for the HTTP Listener, and encryption of data passed between a hub server and a remote server or cluster server.


Encrypting Passwords Stored in Configuration Files


You can select an encryption algorithm for passwords stored in configuration files.



Procedure: How to Encrypt Passwords Stored in Configuration Files
  1. From the Web Console menu bar, choose Workspace, then Access Control.
  2. Right-click General Settings in the navigation pane, and select Configure.

    The Access Control - General Settings page opens.

  3. To define the cipher used to encrypt passwords in configuration files, click the drop-down list for cfgfile_cipher and select:
    • DES for Data Encryption Standard. This is the default.
    • 3DES for Triple Data Encryption Standard.
    • AES 128 bits for Advanced Encryption Standard (key size 128 bits).
    • AES 256 bits for Advanced Encryption Standard (key size 256 bits).
  4. Click the Apply and Restart Server button.

Configuring Secure Socket Layer (SSL) Encryption for the HTTP Listener


You can enable SSL for the HTTP Listener to encrypt all traffic between the server and any client application, such as the WebFOCUS Client, a remote server, or a cluster server.



Procedure: How to Enable SSL
  1. From the Web Console menu bar, choose Workspace, then Configuration/Monitor.
  2. Right-click HTTP under Special Services and Listeners, and select Properties. The Agent Configuration page opens.

  3. Open the Advanced pane, scroll down, and check Enable SSL. Note that the OpenSSL libraries libeay32.dll and ssleay32.dll must be in the path to enable SSL.
  4. Enter the following values:
    SSL_CERTIFICATE

    Contains the certificate chain in order, starting with the certificate for the listener and ending with the root CA certificate. Each of these entries must be in PEM format.

    Note that the administrator at the installation site must acquire valid security certificates (self-signed or commercial).

    SSL_PRIVATE_KEY

    Defines the file that contains the private key of the listener. It must correspond to the public key embedded within the certificate and must be in PEM format.

    SSL_PASSPHRASE

    If the file defined in SSL_PRIVATE_KEY is encrypted, a passphrase must be provided here to decrypt the private key.

    SSL_CA_CERTIFICATE

    Defines the name of a file containing a trusted CA certificate in PEM format. It is used to verify the client certificate. If the client fails to send a certificate or verification fails, connections are rejected. More than one CA certificate may be present in the file.

  5. Click the Apply and Restart Server button.

Configuring Data Encryption for a Remote Server


You can enable encryption of data passed between the server and a remote server or cluster server.



Procedure: How to Configure Data Encryption for a Remote Server
  1. From the Web Console menu bar, choose Workspace, then Configuration/Monitor.
  2. Right-click the remote server or cluster server name, and select Properties. The Remote Server Configuration page opens.

  3. Click the ENCRYPTION drop-down list and select:
    • 0 for no encryption.
    • DES for 56-bit fixed-key Data Encryption Standard in Electronic Code Book (ECB) mode. The same key is used in all connections with no key exchange between client and server.
    • ADVANCED to select an encryption cipher (3DES, AES128, AES192 or AES256), encryption mode (ECB or CBC), and RSA key length (512 or 1024 bits). In advanced mode, the client randomly generates a new RSA key pair (public and private keys of the specified length) and sends the public key to the server. Upon receipt of the public key, the server generates a random secret key. The length of the secret key depends on the chosen cipher strength. The secret key is encrypted with the public RSA key and sent back to the client, which decrypts it with its private RSA key. After the exchange, the client and the server both share the same secret key, and use it to encrypt and decrypt all communications between them.

      The following encryption ciphers are available:

      • 3DES for triple Data Encryption Standard.
      • AES128 for Advanced Encryption Standard (key size 128 bits).
      • AES192 for Advanced Encryption Standard (key size 192 bits).
      • AES256 for Advanced Encryption Standard (key size 256 bits).

      The following encryption modes are available:

      • ECB for Electronic Code Book mode. This is the default mode.
      • CBC for Cipher Block Chaining mode.

      The following RSA key lengths are available:

      • 512 bits.
      • 1024 bits.
    • IBCRYPT for a user-defined algorithm. The key is 512-bit RSA-encrypted.
  4. Click the Save button.

iWay Software