2 Replies Latest reply on Sep 21, 2018 10:58 AM by Orkan

    Database authenticator - DBMS_CRYPTO salt and hash

    Orkan

      Hi community,


      I've been prototyping for a few days now on how OBIEE could be implemented in our system.

      It is a given that we need to use the user and role concept implemented in the database.

      Every user password in our db is first encrypted by DBMS_CRYPTO then salted and hashed.

      As the OBIEE documentation mentions, WebLogic expects the password to be only hashed with SHA-1, which we don't use.

      Is there any possibility that WebLogic can use our stored users and passwords for authentication?


      I read so much on the net and got only little input.


      Maybe anyone can help?

      Thanks!

        • 1. Re: Database authenticator - DBMS_CRYPTO salt and hash
          Robert Angel

          Excerpt from the OBIEE documentation that I take it you are alluding to:


          "If your password column is in plain text (that is, if the result of the query supplied for the SQL Get Users Password column is not hashed or encrypted), select the Plaintext Password Enabled option.

          If the Plaintext Password Enabled option is cleared, the SQLAuthenticator expects passwords to have been hashed using SHA-1 (default encryption algorithm). For more information on the supported encryption algorithms, see the documentation for the base SQLAuthenticator Mbean PasswordAlgorithm attribute."


          The last paragraph is the kicker though: "For more information on the supported encryption algorithms, see the documentation for the base SQLAuthenticator Mbean PasswordAlgorithm attribute."

          I too have searched for anything on the supported encryption algorithms and found this mention in the WebLogic documentation:


          "The message digest algorithm used to hash passwords for storage. The name is a standard algorithm name and must be recognized by a Java Cryptography Extension (JCE) provider that is available at runtime. The Java Cryptography Architecture (JCA) defines the standard algorithm specifications.

          MBean Attribute: SQLAuthenticatorMBean.PasswordAlgorithm"

          Which I guess takes me to this:


          https://docs.oracle.com/javase/8/docs/technotes/guides/security/crypto/CryptoSpec.html


          But here I find nothing that gives me any context to clarify exactly what might be the supported algorithms.

          Reading between the lines though, "must be recognized by a JCE provider available at runtime": I would suspect that your encrypt / salt etc. would not be a 'JCE Provider'. What you are doing is not standard, is it?


          Can either of our resident superheroes confirm? Gianni Ceresa, does your detailed security presentation cover this at all?
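A compatibility check for the point the quoted documentation makes (the SQLAuthenticator compares the stored column against a plain JCE message digest of the submitted password), as an added example that is not part of this thread or of WebLogic: it tries the standard JCE digest names in both hex and base64 column encodings (the encoding is an assumption, since the thread does not state it) and reports which one a stored value matches, and it uses a constructed salt-then-hash stand-in for the poster's DBMS_CRYPTO procedure to show that such a row never matches.

```python
import base64
import hashlib
import hmac

# Standard JCE MessageDigest names (the form a PasswordAlgorithm setting takes)
# mapped to their hashlib equivalents.
JCE_DIGESTS = {
    "MD5": "md5",
    "SHA-1": "sha1",
    "SHA-256": "sha256",
    "SHA-384": "sha384",
    "SHA-512": "sha512",
}


def plain_digest(password: str, jce_name: str) -> bytes:
    """Digest of the raw password only: all that a PasswordAlgorithm setting describes."""
    return hashlib.new(JCE_DIGESTS[jce_name], password.encode("utf-8")).digest()


def encode(raw: bytes, style: str) -> str:
    # Assumption: the stored column holds the digest as hex or as base64.
    return raw.hex() if style == "hex" else base64.b64encode(raw).decode("ascii")


def sqlauthenticator_compatible(stored: str, password: str):
    """Return (jce_name, encoding) if the stored value equals a plain JCE digest
    of the password under some standard algorithm, else None."""
    for jce_name in JCE_DIGESTS:
        raw = plain_digest(password, jce_name)
        for style in ("hex", "base64"):
            if hmac.compare_digest(encode(raw, style), stored):
                return (jce_name, style)
    return None


def custom_salted_hash(password: str, salt: bytes) -> str:
    """Constructed stand-in for a salt-and-hash procedure (not the poster's code):
    the salt enters the digest, so the authenticator cannot reproduce it from the
    password alone."""
    return hashlib.sha256(salt + password.encode("utf-8")).hexdigest()


# Constructed sample rows: one plain SHA-1 hex digest, one from the salted scheme.
SALT = bytes.fromhex("0011223344556677")
PLAIN_ROW = hashlib.sha1(b"s3cret").hexdigest()
SALTED_ROW = custom_salted_hash("s3cret", SALT)

if __name__ == "__main__":
    print(sqlauthenticator_compatible(PLAIN_ROW, "s3cret"))   # ('SHA-1', 'hex')
    print(sqlauthenticator_compatible(SALTED_ROW, "s3cret"))  # None
```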

          • 2. Re: Database authenticator - DBMS_CRYPTO salt and hash
            Orkan

            "But here I find nothing that gives me any context to clarify exactly what might be the supported algorithms.

            Reading between the lines though; "must be recognized by a JCE provider available at runtime" - I would suspect that your encrypt / salt etc would not be a 'JCE Provider' - what you are doing is not standard, is it?"


            Thanks for the research, Robert. That's about how far I got with mine.

            Yes, what we're doing is not standard. We have our own db procedure to save, check and change the user account's passwords.


            Is there any other possibility for how the DB-stored users could be used for OBI?