
How are Credentials Stored In OBIEE 11G and WebLogic Infrastructure?

03 May

It is important to know how the credentials (passwords) of the different “system” accounts are stored.

In particular:

  1. the credentials of users in the Credential Store (such as the credential of the BISystem user)
  2. the credentials of AD principal users in the configuration of the Active Directory Authenticator (which implements integration with Active Directory)
  3. the credentials of users in default WebLogic LDAP (Identity Store); for example, WebLogic users

From an OBIEE standpoint, the Presentation Server and BI Server do not store or cache any passwords. The Job Manager/Scheduler stores the password in an encrypted format. All application-to-application communication of passwords is always done using the same encryption mechanism.

An unencrypted password is stored in the user’s configuration file for optional replication processes, which rely on file/firewall security as directed by your own business requirements.

1. The credentials of users in Credential Store

In 11.1.1.5.0, the file-based credential store used a wallet to store credentials. The wallet is an obfuscated file and relies on file system security to prevent physical access to it.

If credentials are stored in an LDAP credential store provider, it is possible to enable Oracle Internet Directory (OID) encryption, which uses an AES symmetric key to encrypt the credentials. With the DB provider, entries are always stored encrypted using the same encryption algorithm.

2. The credentials of AD principal users in configuration of Active Directory Authenticator

The administration password used in the configuration of the AD authenticator is stored in config.xml and encrypted with the Advanced Encryption Standard (AES) algorithm.

3. Credentials of users in default WebLogic LDAP (Identity Store)

If this is referring to the Embedded LDAP on WebLogic, the passwords are stored like this:
{ssha}83dtF/fkuHImacfvNw2qmwTDVRUhkp/Q
ssha means salted SHA. The exact hash mechanism used is SHA-1.
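
The post gives only the stored form. As an added example (not from the post or from Oracle), the Python below splits such a value into digest and salt and checks a password against it, assuming the conventional LDAP SSHA layout base64(SHA1(password + salt) + salt). The function names, sample password and sample salt are constructed for illustration.

```python
import base64
import hashlib
import hmac

SHA1_LEN = 20  # SHA-1 digest size in bytes


def parse_ssha(stored: str) -> tuple[bytes, bytes]:
    """Split an {ssha} value into (digest, salt)."""
    scheme, sep, b64 = stored.partition("}")
    if not sep or scheme.lower() != "{ssha":
        raise ValueError("not an {ssha} value")
    raw = base64.b64decode(b64, validate=True)
    if len(raw) <= SHA1_LEN:
        raise ValueError("no salt after the 20-byte SHA-1 digest")
    return raw[:SHA1_LEN], raw[SHA1_LEN:]


def make_ssha(password: str, salt: bytes) -> str:
    """Build an {ssha} value (assumed layout: SHA1(password + salt) + salt)."""
    digest = hashlib.sha1(password.encode("utf-8") + salt).digest()
    return "{ssha}" + base64.b64encode(digest + salt).decode("ascii")


def verify_ssha(stored: str, candidate: str) -> bool:
    """Recompute the digest with the embedded salt; compare in constant time."""
    digest, salt = parse_ssha(stored)
    recomputed = hashlib.sha1(candidate.encode("utf-8") + salt).digest()
    return hmac.compare_digest(digest, recomputed)


# Value quoted in the post: 24 decoded bytes = 20-byte digest + 4-byte salt.
PAGE_VALUE = "{ssha}83dtF/fkuHImacfvNw2qmwTDVRUhkp/Q"

# Constructed sample (password and salt invented for this example).
SAMPLE = make_ssha("Example-Passw0rd", bytes.fromhex("a1b2c3d4"))

if __name__ == "__main__":
    digest, salt = parse_ssha(PAGE_VALUE)
    print(f"page value: digest={len(digest)} bytes, salt={len(salt)} bytes")
    print("sample verifies:", verify_ssha(SAMPLE, "Example-Passw0rd"))
    print("wrong password :", verify_ssha(SAMPLE, "example-passw0rd"))
```

Because the salt is stored alongside the digest, the value is only as protected as the LDAP data files themselves, and salted SHA-1 is fast to compute, so access to those files should be tightly restricted.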

Reference: Oracle Metalink document ID: 1371058.1

Thanks,

Shiva


Posted on May 3, 2012 in BI Publisher, OBI EE, OBIEE 11g

 


One response to “How are Credentials Stored In OBIEE 11G and WebLogic Infrastructure?”

  1. J

    October 18, 2013 at 10:20 pm

    You have some great posts. What is meant by passwords being stored like:

    {ssha}83dtF/fkuHImacfvNw2qmwTDVRUhkp/Q

    I’ve set up external table authentication and it works fine with plain text passwords, but I cannot figure out how the passwords are being hashed. Turning off plain text passwords and storing them as SHA-1 encrypted passwords causes an authentication error. If a salt is used, do you know what that salt is? Thanks for any help.

     
