
WebFOCUS Encryption


WebFOCUS Encryption is a configurable feature used to protect sensitive information throughout WebFOCUS.

By default, WebFOCUS Encryption is set to Default Encryption (for both the CGI/ISAPI and Servlet implementations of the WebFOCUS Client). You can optionally configure other encryption providers. For the Servlet implementation of the WebFOCUS Client, the WFENCR setting in the WebFOCUS Web application deployment descriptor file (web.xml) specifies the encryption provider to use.

Four built-in encryption providers are available for the WFServlet. For information about configuring these encryption providers, see Optional Built-in Encryption Providers.

You can also build your own encryption provider. For information on building and configuring your own encryption provider, see Implementing Your Own Encryption Algorithm.

The CGI/ISAPI implementation of the WebFOCUS Client does not provide any built-in encryption providers. However, you can build your own encryption provider. For information, call Customer Support Services.



Optional Built-in Encryption Providers

WebFOCUS provides four optional encryption providers based on the DES and Triple DES algorithms. To activate one of these providers, set the WFENCR context parameter.

The WFENCR context parameter specifies an override of the default encryption class used to protect the following:

These optional encryption providers use the Sun Java Cryptography Extension (JCE) library and are supported only with the Java Servlet (WFServlet) implementation of the WebFOCUS Client. The Triple DES providers use the stronger Cipher Block Chaining (CBC) mode option. You can specify an external encryption key for both provider types.

Note: For information about configuring ReportCaster for DES and Triple DES encryption, see Optional Encryption Providers for ReportCaster in the ReportCaster Security chapter in the ReportCaster Development and Administration manual.



Procedure: How to Enable DES and Triple DES Encryption Without an External Key
  1. Create a WFENCR context parameter in the Web application (for example, in the \ibi\WebFOCUS76\webapps\webfocus76\WEB-INF\web.xml file or using your Application Server Administration interface). The value of this parameter should be the name of one of the following encryption classes (including the Java package):

    Algorithm    External Key    Class Name
    DES          No              ibi.webfoc.wfsecurity.encryption.wiredes.WFWireDES
    Triple DES   No              ibi.webfoc.wfsecurity.encryption.wiretripledes.WFWireTripleDES

  2. Reload the WebFOCUS Web application for the new setting to take effect.


Procedure: How to Enable DES and Triple DES Encryption With an External Key
  1. Create a WFENCR context parameter in the Web application (for example, in the \ibi\WebFOCUS76\webapps\webfocus76\WEB-INF\web.xml file or using your Application Server Administration interface). The value of this parameter should be the name of one of the following encryption classes (including the Java package):

    Algorithm    External Key    Class Name
    DES          Yes             ibi.webfoc.wfsecurity.encryption.wiredes.WFWireDESKeyFile
    Triple DES   Yes             ibi.webfoc.wfsecurity.encryption.wiretripledes.WFWireTripleDESKeyFile

  2. To use an encryption key stored in an external file, you must also add the context parameter WFENCR_KEY_INFO. The value of this parameter is the fully qualified path of the plain text file containing the external key data (for example: c:\ibi\keyfile.dat).
  3. Create the key file on disk and input 8 or 24 hexadecimal bytes, depending on the encryption algorithm. The following is an example of 24 hexadecimal bytes:

    5468658A6C617A7920646F67206A756D7073206F7665723F

    Save the key file as a plain text file.

  4. Reload the WebFOCUS Web application for the new settings to take effect.


Reference: Enabling Triple DES Encryption With an External Key

The resulting code in your deployment descriptor should look like this:

<context-param>
<param-name>WFENCR</param-name>
<param-value> 
ibi.webfoc.wfsecurity.encryption.wiretripledes.WFWireTripleDESKeyFile 
</param-value>
</context-param>
<context-param>
<param-name>WFENCR_KEY_INFO</param-name>
<param-value>c:\ibi\keyfile.dat</param-value>
</context-param>
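
An added check (not part of the WebFOCUS documentation or product) that reads a deployment descriptor and cross-checks WFENCR against WFENCR_KEY_INFO, using the class names and key sizes listed on this page. The function names and the two sample descriptors are constructed for the illustration.

```python
import xml.etree.ElementTree as ET

# Class name -> (algorithm, key-file bytes or None), from the provider tables on this page.
PKG = "ibi.webfoc.wfsecurity.encryption."
PROVIDERS = {
    PKG + "wiredes.WFWireDES": ("DES", None),
    PKG + "wiretripledes.WFWireTripleDES": ("Triple DES", None),
    PKG + "wiredes.WFWireDESKeyFile": ("DES", 8),
    PKG + "wiretripledes.WFWireTripleDESKeyFile": ("Triple DES", 24),
}

def context_params(web_xml):
    """Map each context-param name to its value, whitespace stripped."""
    params = {}
    for el in ET.fromstring(web_xml).iter():
        if el.tag.split("}")[-1] == "context-param":
            kv = {c.tag.split("}")[-1]: (c.text or "").strip() for c in el}
            params[kv.get("param-name")] = kv.get("param-value")
    return params

def audit(web_xml):
    """Return (findings, expected key-file length in bytes or None)."""
    p = context_params(web_xml)
    cls, key_path = p.get("WFENCR"), p.get("WFENCR_KEY_INFO")
    if not cls:
        return ["WFENCR not set: Default Encryption applies"], None
    if cls not in PROVIDERS:
        return ["WFENCR is not one of the four built-in providers: " + cls], None
    algo, key_bytes = PROVIDERS[cls]
    findings = []
    if key_bytes and not key_path:
        findings.append("key-file provider without WFENCR_KEY_INFO")
    if key_path and not key_bytes:
        findings.append("WFENCR_KEY_INFO set for a provider listed without external key")
    if algo == "DES":
        findings.append("single DES has a 56-bit effective key")
    return findings, key_bytes

# Constructed descriptors: the page's Triple DES reference, and a DES variant missing its key path.
GOOD = """<web-app><context-param><param-name>WFENCR</param-name><param-value>
ibi.webfoc.wfsecurity.encryption.wiretripledes.WFWireTripleDESKeyFile
</param-value></context-param><context-param><param-name>WFENCR_KEY_INFO</param-name>
<param-value>c:\\ibi\\keyfile.dat</param-value></context-param></web-app>"""
BAD = (GOOD.replace("wiretripledes.WFWireTripleDESKeyFile", "wiredes.WFWireDESKeyFile")
           .replace("WFENCR_KEY_INFO", "UNRELATED"))

if __name__ == "__main__":
    for name, doc in (("GOOD", GOOD), ("BAD", BAD)):
        print(name, audit(doc))
```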


Reference: Key File Format

The encryption key information is stored in a plain text file and is represented by a sequence of bytes in hexadecimal notation. A hexadecimal byte is represented by two digits. Each digit is either a number (0-9) or a letter (A-F). The key file must contain eight hexadecimal bytes for a DES key and 24 hexadecimal bytes for a Triple DES key.

It may seem that more data is specified in the key file than is required (8 bits per byte times 24 bytes is 192 bits, which is greater than the 168 bits usually required for Triple DES). However, 192 bits are required when using a plain text file with these algorithms.
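
The key-file rules from step 3 of the external-key procedure and from this reference, as an added Python check that is not part of the WebFOCUS documentation. DES uses 7 bits of each key byte and treats the eighth as parity, which is why 24 bytes (192 bits) hold a 168-bit Triple DES key; the check normalises parity before comparing sub-keys. It assumes the standard encrypt-decrypt-encrypt order of Triple DES, and the function names and all keys other than the page's own sample are constructed.

```python
import secrets

# Sample key printed in the procedure on this page; it is public, so it must not be deployed.
DOC_SAMPLE = "5468658A6C617A7920646F67206A756D7073206F7665723F"
# The four DES weak keys in odd-parity form; the semi-weak pairs are not listed here.
WEAK = {"0101010101010101", "FEFEFEFEFEFEFEFE", "E0E0E0E0F1F1F1F1", "1F1F1F1F0E0E0E0E"}

def odd_parity(raw):
    """Keep the 7 key bits of each byte and set the low bit for odd parity."""
    return bytes((b & 0xFE) | (bin(b & 0xFE).count("1") % 2 == 0) for b in raw)

def check_key(text, triple_des):
    """Return a list of problems with key-file content; empty means usable."""
    want = 24 if triple_des else 8
    try:
        raw = bytes.fromhex(text.strip())
    except ValueError:
        return ["content is not hexadecimal byte pairs"]
    if len(raw) != want:
        return ["expected %d bytes, found %d" % (want, len(raw))]
    problems = []
    if raw.hex().upper() == DOC_SAMPLE:
        problems.append("key is the published documentation sample")
    subkeys = [odd_parity(raw[i:i + 8]) for i in range(0, want, 8)]
    for n, k in enumerate(subkeys, 1):
        if k.hex().upper() in WEAK:
            problems.append("sub-key %d is a DES weak key" % n)
    if triple_des:
        k1, k2, k3 = subkeys
        # In encrypt-decrypt-encrypt order two equal neighbours cancel out.
        if k1 == k2 or k2 == k3:
            problems.append("adjacent sub-keys are equal: strength of single DES")
        elif k1 == k3:
            problems.append("K1 equals K3: two-key Triple DES")
    return problems

def new_key(triple_des):
    """Key-file content drawn from the operating system CSPRNG."""
    return secrets.token_hex(24 if triple_des else 8).upper()

if __name__ == "__main__":
    # Constructed input: the middle sub-key differs from the first only in its parity bits.
    same = "0123456789ABCDEF" + "0022446688AACCEE" + "FEDCBA9876543210"
    for text in (DOC_SAMPLE, same, new_key(True)):
        print(text, check_key(text, True))
```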



Procedure: How to Change Encryption Providers

WFENCR is used to encrypt both transient data (WebFOCUS cookies and Managed Reporting sign-on tickets) and persisted data (Managed Reporting passwords). Changing an encryption algorithm or an encryption key renders persisted data unreadable. If you are using the built-in Managed Reporting Repository for authentication or are storing Dashboard credentials for the Public View or for WebFOCUS Reporting Server authentication, you must reset those passwords after adding or changing a WFENCR or WFENCR_KEY_INFO setting.

To reset passwords in the built-in Managed Reporting user directory (user.htm) after changing WebFOCUS encryption settings, do the following:

  1. Make a backup copy of basedir/user.htm.
  2. Edit user.htm and locate the anchor tag for a Managed Reporting Administrator account. For example, the line beginning with: <A HREF='admin.htm' NAME='admin'.
  3. On this line, remove the PASSWORD=encrypted_string keyword/value from the anchor line.
  4. Save the file and reload your WebFOCUS Web application.
  5. Now log in as the administrator whose password you just removed.
  6. Use the Managed Reporting User Administration tool to assign a password to the currently logged in administrator account. This password will now be written to user.htm in encrypted form using the current WebFOCUS encryption settings.
  7. Next, reset the password of each user to an initial value.
  8. Instruct your users to change their passwords as appropriate, from the Managed Reporting or Dashboard logon page.

This process is tedious, so consider your implementation choices carefully. For example, configure WebFOCUS with a strong encryption provider from the start so you do not have to change it later. Consider also using the Managed Reporting Realm Driver to authenticate users to an external directory such as Active Directory or LDAP. In this case, passwords are not maintained in the user.htm file.

Note: In a future release, Information Builders plans to create separate settings for encrypting transient and persisted data. This will allow for the possibility of a dynamically generated internal key, external key store, and key rotation.



Reference: Sun JCE Provider Support

The DES and Triple DES algorithms were developed with the Sun Java Cryptography Extension (JCE) framework and currently implement only the Sun JCE provider class. Review the following scenarios to verify support for your Application server:

  • If you are running WebFOCUS inside a Java Application server (or servlet engine) that runs on Sun J2SDK 1.4.1 or higher, you do not need to take any action. The Sun JCE provider is included.
  • If you are running J2SDK 1.4.1 or higher from another vendor, check their documentation to see if the Sun JCE provider is available in that implementation. For example, WebSphere 5.1 for HP-UX ships with a version of HP J2SDK 1.4.1 that has both the Sun and IBM JCE providers. However, WebSphere 5.1 for AIX ships with an IBM J2SDK 1.4.1 that has only the IBM JCE provider and is therefore not currently supported by the optional encryption providers supplied by Information Builders.
  • If your Java Application server is running on J2SDK 1.3.x (from any vendor), you must download and configure Sun JCE 1.2.2. For example, WebSphere 5.0 on AIX ships with IBM J2SDK 1.3.1, which is only supported when you download and configure the Sun JCE.

    You can obtain the Sun JCE 1.2.2 software and installation documentation by accessing the JCE Downloads section on the Sun Java Technology Web site.



Implementing Your Own Encryption Algorithm

WebFOCUS comes with several encryption providers, for example DES and Triple DES. However, if your WebFOCUS Client path is the Servlet and you have a different encryption algorithm that you want to use for encrypting and decrypting WebFOCUS cookies and Managed Reporting passwords in the basedir/user.htm file, you can implement your encryption algorithm using the WebFOCUS Servlet Alternate Encryption Exit.

Note:



Procedure: How to Build and Enable an Alternate Encryption Provider
  • To build the alternate encryption provider, you must add the \ibi\WebFOCUS76\webapps\webfocus76\WEB-INF\lib\webfoc.jar file to the build classpath for your WebFOCUS Servlet Alternate Encryption project.
  • To enable the alternate encryption provider, add WFENCR as a context parameter to the WebFOCUS Web application so that it will be available for WebFOCUS, Managed Reporting, and Dashboard. The change is made to the deployment descriptor file, \ibi\WebFOCUS76\webapps\webfocus76\WEB-INF\web.xml:
    <web-app>
      ...
      ...
      <context-param>
        <param-name>WFENCR</param-name>
        <param-value>ENCRYPTION EXIT CLASS NAME GOES HERE</param-value>
      </context-param>


Example: Using Your Alternate Encryption Provider

The following sample code overrides WebFOCUS built-in encryption and encodes the WebFOCUS cookie. This sample does not provide any encryption algorithm.

package exits.wf;

import ibi.webfoc.wfutil.WFEncryptionInterface;

/**
 * Sample exit: URL-encodes and URL-decodes the value. It performs no encryption.
 */
public class WfEncryptionExit implements WFEncryptionInterface
{
    /**
     * Constructor for WfEncryptionExit.
     */
    public WfEncryptionExit()
    {
        super();
    }

    /**
     * Apply custom encryption algorithm.
     * @param cookie
     * @return Encrypted cookie string
     */
    public String encrypt(String cookie)
    {
        // The single-argument encode() is deprecated; it uses the platform default encoding.
        String rCookie;
        rCookie = java.net.URLEncoder.encode(cookie);
        return rCookie;
    }

    /**
     * Apply custom decryption algorithm.
     * @param cookie
     * @return Decrypted cookie string
     */
    public String decrypt(String cookie)
    {
        // The single-argument decode() is deprecated for the same reason.
        String rCookie;
        rCookie = java.net.URLDecoder.decode(cookie);
        return rCookie;
    }

    /**
     * Determines if an EBCDIC to ASCII translation is performed.
     * This sample ignores the convert flag.
     * @param cookie
     * @param convert
     * @return String
     */
    public String decrypt(String cookie, boolean convert)
    {
        String rCookie;
        rCookie = java.net.URLDecoder.decode(cookie);
        return rCookie;
    }
}
