It is important to know how the credentials (passwords) of the different “system” accounts are stored:
- the credentials of users in the Credential Store (such as the credential of the BISystem user)
- the credentials of AD principal users in the configuration of the Active Directory Authenticator (which implements integration with Active Directory)
- the credentials of users in the default WebLogic LDAP (Identity Store); for example, WebLogic users
From an OBIEE standpoint, the Presentation Server and BI Server do not store or cache any passwords. The Job Manager/Scheduler stores the password in an encrypted format. All application-to-application communication of passwords is always done using the same encryption mechanism.
An unencrypted password is stored in the user’s configuration file for optional replication processes, which rely on file/firewall security as directed by your own business requirements.
1. The credentials of users in Credential Store
In 22.214.171.124.0, the file-based credential store used a wallet to store credentials; the wallet is an obfuscated file and relies on file system security to prevent physical access to it.
If credentials are stored in an LDAP credential store provider, it is possible to enable Oracle Internet Directory (OID) encryption, which uses an AES symmetric key to encrypt the credentials. In the DB provider, entries are always stored encrypted using the same encryption algorithm.
2. The credentials of AD principal users in configuration of Active Directory Authenticator
The administration password used in the configuration of the AD authenticator is stored in config.xml and encrypted with the Advanced Encryption Standard (AES) algorithm.
3. Credentials of users in default WebLogic LDAP (Identity Store)
If this is referring to the Embedded LDAP on WebLogic, the passwords are stored like this:
ssha means salted SHA. The exact hash mechanism used is SHA-1.
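To make the salted SHA-1 scheme concrete, the following added example (not from the original page or from Oracle) parses and verifies an SSHA value. It assumes the common LDAP layout, base64 of the 20-byte SHA-1 digest followed by the salt; the function names, password and salt are constructed for illustration.

```python
import base64
import hashlib
import hmac

SHA1_LEN = 20  # SHA-1 digest size in bytes


def make_ssha(password: str, salt: bytes) -> str:
    """Build an SSHA value: base64(SHA1(password + salt) + salt). Layout is assumed."""
    digest = hashlib.sha1(password.encode("utf-8") + salt).digest()
    return "{ssha}" + base64.b64encode(digest + salt).decode("ascii")


def parse_ssha(stored: str) -> tuple:
    """Split a stored value into (digest, salt); reject malformed input."""
    scheme, sep, blob = stored.partition("}")
    if not sep or scheme.lower() != "{ssha":
        raise ValueError("not an SSHA value")
    raw = base64.b64decode(blob, validate=True)
    if len(raw) <= SHA1_LEN:
        raise ValueError("no salt present after the SHA-1 digest")
    return raw[:SHA1_LEN], raw[SHA1_LEN:]


def verify_ssha(password: str, stored: str) -> bool:
    """Recompute the digest with the stored salt and compare in constant time."""
    digest, salt = parse_ssha(stored)
    candidate = hashlib.sha1(password.encode("utf-8") + salt).digest()
    return hmac.compare_digest(candidate, digest)


# Constructed sample values (not taken from any real system).
SAMPLE_SALT = bytes.fromhex("0102030405060708")
SAMPLE = make_ssha("Example-Passw0rd", SAMPLE_SALT)

if __name__ == "__main__":
    digest, salt = parse_ssha(SAMPLE)
    print("stored value :", SAMPLE)
    print("salt (hex)   :", salt.hex())
    print("digest (hex) :", digest.hex())
    print("correct pw   :", verify_ssha("Example-Passw0rd", SAMPLE))
    print("wrong pw     :", verify_ssha("wrong", SAMPLE))
```

The salt is stored in the clear next to the digest, so it only ensures that identical passwords produce different stored values. The hash is still a single SHA-1 pass, which is why file system access to the embedded LDAP data needs to be restricted.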
Reference: Oracle Metalink document ID: 1371058.1