WebFOCUS Encryption is a configurable feature used to protect sensitive information throughout WebFOCUS.
By default, WebFOCUS Encryption is set to Default Encryption (for both the CGI/ISAPI and Servlet implementations of the WebFOCUS Client). You can optionally configure other encryption providers. For the Servlet implementation of the WebFOCUS Client, the WFENCR setting in the WebFOCUS Web application deployment descriptor file (web.xml) specifies the encryption provider to use.
Additional built-in encryption providers are available for the WFServlet. For information about configuring these encryption providers, see Optional Built-in Encryption Providers.
You can also build your own encryption provider. For information on building and configuring your own encryption provider, see Implementing Your Own Encryption Algorithm.
The CGI/ISAPI implementation of the WebFOCUS Client does not provide any built-in encryption providers. However, you can build your own encryption provider. For information, call Customer Support Services.
WebFOCUS offers optional encryption providers based on the AES, DES, and Triple DES algorithms. To activate one of these providers, set the WFENCR context parameter in web.xml to the class name of the provider. For a new deployment, choose one of the AES providers: single DES uses a 56-bit key and should not be relied on to protect credentials, and Triple DES offers no advantage over AES.
The WFENCR context parameter specifies an override of the default encryption class used to protect the following:
Note: For information about configuring ReportCaster for AES, DES, or Triple DES encryption, see Optional Encryption Providers for ReportCaster in the ReportCaster Administration manual.
Providers that use an internal key (no key file):

| Algorithm  | External Key | Class Name                                                          |
|------------|--------------|---------------------------------------------------------------------|
| AES128     | No           | ibi.webfoc.wfsecurity.encryption.wireaes.WFWireAES128               |
| AES192     | No           | ibi.webfoc.wfsecurity.encryption.wireaes.WFWireAES192               |
| AES256     | No           | ibi.webfoc.wfsecurity.encryption.wireaes.WFWireAES256               |
| DES        | No           | ibi.webfoc.wfsecurity.encryption.wiredes.WFWireDES                  |
| Triple DES | No           | ibi.webfoc.wfsecurity.encryption.wiretripledes.WFWireTripleDES      |

Providers that read the key from an external key file (named by WFENCR_KEY_INFO):

| Algorithm  | External Key | Class Name                                                              |
|------------|--------------|-------------------------------------------------------------------------|
| AES128     | Yes          | ibi.webfoc.wfsecurity.encryption.wireaes.WFWireAES128KeyFile            |
| AES192     | Yes          | ibi.webfoc.wfsecurity.encryption.wireaes.WFWireAES192KeyFile            |
| AES256     | Yes          | ibi.webfoc.wfsecurity.encryption.wireaes.WFWireAES256KeyFile            |
| DES        | Yes          | ibi.webfoc.wfsecurity.encryption.wiredes.WFWireDESKeyFile               |
| Triple DES | Yes          | ibi.webfoc.wfsecurity.encryption.wiretripledes.WFWireTripleDESKeyFile   |
Save the key file as a plain text file.
The resulting code in your deployment descriptor should look like this:
<context-param>
   <param-name>WFENCR</param-name>
   <param-value>ibi.webfoc.wfsecurity.encryption.wiretripledes.WFWireTripleDESKeyFile</param-value>
</context-param>
<context-param>
   <param-name>WFENCR_KEY_INFO</param-name>
   <param-value>c:\ibi\keyfile.dat</param-value>
</context-param>
The encryption key is stored in a plain text file as a single string of bytes in hexadecimal notation. Each byte is written as two hexadecimal digits, where a digit is either a number (0-9) or a letter (A-F). Because the file holds the key in the clear, restrict read access to the account that runs the application server and keep the file out of any web-accessible directory.
The following table specifies the number of hexadecimal bytes required for encryption keys for the AES, DES, and Triple DES algorithms.
| Algorithm          | Number of hexadecimal bytes | Sample string                                                    |
|--------------------|-----------------------------|------------------------------------------------------------------|
| DES                | 8                           | 2011ADFB98765421                                                 |
| AES128             | 16                          | 5468658A6C617A795468658A6C617A79                                 |
| AES192, Triple DES | 24                          | 5468658A6C617A7920646F67206A756D7073206F7665723F                 |
| AES256             | 32                          | 5468658A6C617A7920646F67206A756D7073206F7665723F5468658A6C617A79 |
It may seem that the Triple DES key file holds more data than required: 24 bytes is 192 bits, while Triple DES is usually described as having a 168-bit key. The difference is parity. Each of the 24 key bytes carries one parity bit, so the file holds three 56-bit keys (168 bits) plus 24 parity bits; the parity bits are not used for encryption. Whatever the algorithm, generate the key bytes from a cryptographically secure random source; do not reuse the sample strings above or encode a readable phrase.
WFENCR is used to encrypt both transient data (WebFOCUS cookies and Managed Reporting sign-on tickets) and persisted data (Managed Reporting passwords). Changing an encryption algorithm or an encryption key renders persisted data unreadable. If you are using the built-in Managed Reporting Repository for authentication or are storing Dashboard credentials for the Public View or for WebFOCUS Reporting Server authentication, you must reset those passwords after adding or changing a WFENCR or WFENCR_KEY_INFO setting.
To reset passwords in the built-in Managed Reporting user directory (user.htm) after changing WebFOCUS encryption settings, do the following:
This process is tedious so consider your implementation choices carefully. For example, configure WebFOCUS with a strong encryption provider from the start so you do not have to change it later. Consider also using the Managed Reporting Realm Driver to authenticate users to an external directory such as Active Directory or LDAP. In this case, passwords are not maintained in the user.htm file.
Note: In a future release, Information Builders plans to create separate settings for encrypting transient and persisted data. This will allow for the possibility of a dynamically generated internal key, external key store, and key rotation.
The DES and Triple DES providers are built on the Sun Java Cryptography Extension (JCE) framework and currently support only the Sun JCE provider class. The cipher transformation used for DES is DES/CBC/PKCS5Padding and for Triple DES is DESede/CBC/PKCS5Padding. Review the following scenarios to verify support for your application server:
You can obtain the Sun JCE 1.2.2 software and installation documentation by accessing the JCE Downloads section on Sun Java Technology Web site.
To run AES192 or AES256 under the Sun JVM, you must install the unlimited strength JCE policy files, or else the key length will not be supported. These may be downloaded from the JCE Downloads section on the Sun Java Technology Web site.
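The following is an added example, not WebFOCUS code, that ties the key-file table and the JCE notes above together: it parses a WFENCR_KEY_INFO style key file, checks that its length matches the KeyFile provider named in WFENCR, reports the maximum AES key size the running JVM allows (128 on a JVM that still ships the restricted policy), checks and generates Triple DES parity, and round-trips a cookie value through the DESede/CBC/PKCS5Padding transformation named above. That the key file may contain surrounding whitespace, and the sample cookie value, are assumptions; the class and transformation names are the ones the page gives.

```java
import java.nio.charset.StandardCharsets;
import java.nio.file.Files;
import java.nio.file.Paths;
import java.security.SecureRandom;
import java.util.Base64;
import javax.crypto.Cipher;
import javax.crypto.SecretKey;
import javax.crypto.SecretKeyFactory;
import javax.crypto.spec.DESedeKeySpec;
import javax.crypto.spec.IvParameterSpec;

public class KeyFileCheck {

    /** Key length in bytes each KeyFile provider expects (from the tables above). */
    static int requiredKeyBytes(String wfencrClass) {
        String simple = wfencrClass.substring(wfencrClass.lastIndexOf('.') + 1);
        switch (simple) {
            case "WFWireDESKeyFile":       return 8;
            case "WFWireAES128KeyFile":    return 16;
            case "WFWireAES192KeyFile":    return 24;
            case "WFWireTripleDESKeyFile": return 24;
            case "WFWireAES256KeyFile":    return 32;
            default:
                throw new IllegalArgumentException("not a KeyFile provider: " + wfencrClass);
        }
    }

    /** Parses the key file text as hexadecimal bytes. Tolerating whitespace is an assumption. */
    static byte[] parseKeyFile(String text) {
        String hex = text.replaceAll("\\s+", "");
        if (hex.isEmpty() || hex.length() % 2 != 0 || !hex.matches("[0-9A-Fa-f]+")) {
            throw new IllegalArgumentException("key file is not an even-length hex string");
        }
        byte[] key = new byte[hex.length() / 2];
        for (int i = 0; i < key.length; i++) {
            key[i] = (byte) Integer.parseInt(hex.substring(2 * i, 2 * i + 2), 16);
        }
        return key;
    }

    /** Produces a fresh Triple DES key, odd parity set on every byte, in key file format. */
    static String newTripleDesKeyHex() {
        byte[] raw = new byte[24];
        new SecureRandom().nextBytes(raw);
        for (int i = 0; i < raw.length; i++) {
            int b = raw[i] & 0xFE;                        // seven key bits
            raw[i] = (byte) (Integer.bitCount(b) % 2 == 0 ? b | 1 : b); // parity bit makes it odd
        }
        StringBuilder sb = new StringBuilder();
        for (byte b : raw) sb.append(String.format("%02X", b));
        return sb.toString();
    }

    public static void main(String[] args) throws Exception {
        String wfencr = args.length > 0 ? args[0]
            : "ibi.webfoc.wfsecurity.encryption.wiretripledes.WFWireTripleDESKeyFile";
        String keyText = args.length > 1
            ? new String(Files.readAllBytes(Paths.get(args[1])), StandardCharsets.US_ASCII)
            : "5468658A6C617A7920646F67206A756D7073206F7665723F"; // 24-byte sample from the table

        byte[] key = parseKeyFile(keyText);
        int need = requiredKeyBytes(wfencr);
        if (key.length != need) {
            throw new IllegalStateException("key file holds " + key.length
                + " bytes but " + wfencr + " needs " + need);
        }
        // AES192/AES256 providers need this to be larger than 128 (unlimited-strength policy).
        System.out.println("max AES key bits this JVM allows: " + Cipher.getMaxAllowedKeyLength("AES"));

        if (wfencr.endsWith("WFWireTripleDESKeyFile")) {
            // 24 bytes = 168 key bits + 24 parity bits, one per byte; parity does not affect encryption.
            System.out.println("parity adjusted: " + DESedeKeySpec.isParityAdjusted(key, 0));
            SecretKey k = SecretKeyFactory.getInstance("DESede").generateSecret(new DESedeKeySpec(key));
            byte[] iv = new byte[8];
            new SecureRandom().nextBytes(iv);
            Cipher c = Cipher.getInstance("DESede/CBC/PKCS5Padding"); // transformation named above
            c.init(Cipher.ENCRYPT_MODE, k, new IvParameterSpec(iv));
            String cookie = "WF_USER=alice;ticket=123";             // constructed sample value
            byte[] ct = c.doFinal(cookie.getBytes(StandardCharsets.UTF_8));
            c.init(Cipher.DECRYPT_MODE, k, new IvParameterSpec(iv));
            String back = new String(c.doFinal(ct), StandardCharsets.UTF_8);
            System.out.println("ciphertext: " + Base64.getEncoder().encodeToString(ct)
                + "  round trip ok: " + back.equals(cookie));
            System.out.println("fresh key for a new key file: " + newTripleDesKeyHex());
        }
    }
}
```

Run it as `java KeyFileCheck <WFENCR class> <path to key file>` on the application server's JVM, since that is the JVM whose policy limit matters; the table's sample Triple DES key is reported as not parity adjusted, which JCE accepts but which shows the sample was not generated as a key.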
WebFOCUS comes with several encryption providers, for example, AES, DES, and Triple DES. However, if your WebFOCUS Client path is the Servlet and you have a different encryption algorithm that you want to use for encrypting and decrypting WebFOCUS cookies and Managed Reporting passwords in the basedir/user.htm file, you can implement your encryption algorithm using the WebFOCUS Servlet Alternate Encryption Exit.
Note:
<web-app>
   ...
   <context-param>
      <param-name>WFENCR</param-name>
      <param-value>ENCRYPTION EXIT CLASS NAME GOES HERE</param-value>
   </context-param>
   ...
The following sample code overrides the WebFOCUS built-in encryption and encodes the WebFOCUS cookie. It is a skeleton only: it URL-encodes the cookie rather than encrypting it, so it provides no confidentiality and must not be deployed as is. Replace the bodies of encrypt and decrypt with your own algorithm.
package exits.wf;

import java.io.UnsupportedEncodingException;
import ibi.webfoc.wfutil.WFEncryptionInterface;

public class WfEncryptionExit implements WFEncryptionInterface {

    /**
     * Constructor for WfEncryptionExit.
     */
    public WfEncryptionExit() {
        super();
    }

    /**
     * Apply custom encryption algorithm.
     * This sample only URL-encodes the cookie; it does not encrypt it.
     * @param cookie
     * @return Encrypted cookie string
     */
    public String encrypt(String cookie) {
        try {
            // Name the charset explicitly; the one-argument encode() uses the platform default.
            return java.net.URLEncoder.encode(cookie, "UTF-8");
        } catch (UnsupportedEncodingException e) {
            throw new IllegalStateException(e); // UTF-8 is always available
        }
    }

    /**
     * Apply custom decryption algorithm.
     * @param cookie
     * @return Decrypted cookie string
     */
    public String decrypt(String cookie) {
        try {
            return java.net.URLDecoder.decode(cookie, "UTF-8");
        } catch (UnsupportedEncodingException e) {
            throw new IllegalStateException(e);
        }
    }

    /**
     * Variant of decrypt whose convert flag indicates whether an EBCDIC to ASCII
     * translation is performed. This sample ignores the flag.
     * @param cookie
     * @param convert
     * @return Decrypted cookie string
     */
    public String decrypt(String cookie, boolean convert) {
        return decrypt(cookie);
    }
}