TIBCO WebFOCUS Encryption Features

WebFOCUS uses encryption and encryption services in multiple ways, including:

An important element of security is confidentiality, which ensures privacy by encrypting sensitive information. When files are encrypted, they are secure from unauthorized examination. You use a key file to decrypt an encrypted file. Various forms of encryption include data, network session, and file-based encryption. You can optionally encrypt the WebFOCUS script files (.wfs), among the configuration files, by using the Client Settings and the Redirection Settings in the Administration Console. You can also encrypt the communication between the WebFOCUS Client and the WebFOCUS Server.

For more information about WebFOCUS Client settings, see Encryption Settings. For more information about Redirection settings, see Understanding Redirection Settings.

WebFOCUS 8 has its own encryption algorithm, but can also be configured to use the Advanced Encryption Standard (AES encryption), which is the industry standard. Legacy applications may require native WebFOCUS encryption.

Default TIBCO WebFOCUS Encryption and AES Encryption

WebFOCUS software supports the following forms of encryption:
  • Default WebFOCUS encryption.

  • AES (Advanced Encryption Standard) encryption.

    You can enable alternate AES encryption providers in the Administration Console. The key length may be 128 bits, 192 bits, or 256 bits.

For information about configuring ReportCaster for AES encryption, see Using the Zip Encryption Protection Default Plug-in in the TIBCO WebFOCUS® ReportCaster Guide.

Note: Previous versions of WebFOCUS software supported custom security encryption providers based on custom algorithms. This feature has been deprecated in favor of AES encryption. If you require the use of a custom algorithm, consult Customer Support Services.

Reference: Key File Format

The encryption key information is stored in a plain text file and is represented by a sequence of characters in hexadecimal notation. Each eight bits of a key (or one byte) is represented by two hexadecimal characters. For example, a 64-bit (or 8-byte) key is represented by 16 hexadecimal characters. Each character is either a number (0-9) or a letter (A-F).

The following table specifies the number of hexadecimal characters required for encryption keys for the AES algorithm.

| Key length in bits | Number of hexadecimal characters | Sample string | Algorithm |
|---|---|---|---|
| 128 | 32 | 5468658A6C617A795468658A6C617A79 | AES128 |
| 192 | 48 | 5468658A6C617A7920646F67206A756D7073206F7665723F | AES192 |
| 256 | 64 | 5468658A6C617A7920646F67206A756D7073206F7665723F5468658A6C617A79 | AES256 |
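The following added example (not TIBCO code) generates an external key in the format described above and checks existing key-file text against the table. The function names are hypothetical. The strict handling of whitespace and lowercase letters, and the owner-only POSIX file permissions, are assumptions of the example rather than documented product behavior.

```python
import os
import re
import secrets

# Hex characters required per AES key length in bits (from the table above).
HEX_CHARS = {128: 32, 192: 48, 256: 64}

# Sample strings published in the table above; they are public, never deploy them.
DOC_SAMPLES = {
    "5468658A6C617A795468658A6C617A79",
    "5468658A6C617A7920646F67206A756D7073206F7665723F",
    "5468658A6C617A7920646F67206A756D7073206F7665723F5468658A6C617A79",
}


def generate_key_hex(bits):
    """Return a random key of `bits` length as uppercase hex from the OS CSPRNG."""
    if bits not in HEX_CHARS:
        raise ValueError("AES key length must be 128, 192 or 256 bits")
    return secrets.token_hex(bits // 8).upper()


def check_key_text(text, bits):
    """Return a list of problems in key-file text; an empty list means none found."""
    problems = []
    if len(text) != HEX_CHARS[bits]:
        problems.append(f"expected {HEX_CHARS[bits]} hex characters, found {len(text)}")
    # Assumption: strict check. The page lists only 0-9 and A-F, so whitespace
    # (including a trailing newline) and lowercase letters are reported.
    if not re.fullmatch(r"[0-9A-F]*", text):
        problems.append("contains characters other than 0-9 and A-F")
    if text in DOC_SAMPLES:
        problems.append("matches a sample string from the documentation")
    # Heuristic added by this example: a random key has many distinct digits.
    if text and len(set(text)) < 4:
        problems.append("too few distinct characters to be random")
    return problems


def write_key_file(path, bits):
    """Create a new key file readable and writable by its owner only (POSIX)."""
    key = generate_key_hex(bits)
    # O_EXCL refuses to overwrite an existing key; 0o600 keeps other users out.
    fd = os.open(path, os.O_WRONLY | os.O_CREAT | os.O_EXCL, 0o600)
    with os.fdopen(fd, "w", encoding="ascii") as fh:
        fh.write(key)
    return key
```

Run `check_key_text` over the contents of any key file created by hand before selecting a KeyFile provider, and restrict read access to the account that runs the application server.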

Configuring Encryption in the TIBCO WebFOCUS Client

You can use the Administration Console to enable alternate encryption providers, configure external security tokens, encrypt WebFOCUS configuration files, and encrypt the trusted connection between the WebFOCUS Client and the WebFOCUS Server.

Note: If you are using an encryption key greater than 128 bits, the JVM used by your product installation must be using an unlimited strength Java Cryptography Extension (JCE) Jurisdiction Policy File. For more information, see the Oracle documentation at:

http://www.oracle.com/technetwork/java/javase/downloads/jce-6-download-429243.html

Procedure: How to Enable an Alternate AES Encryption Provider

You can use the Administration Console to enable an alternate AES encryption provider and to specify an internal or external key.

  1. Sign in as an administrator, and open the Administration Console.
  2. Under the Application Settings folder, click Encryption.
  3. Click the appropriate encryption provider in the Provider (IBI_ENCRYPTION_PROVIDER) list, as shown in the following table. If a key file is not listed, an internal key file will be used.

    | Encryption Algorithm | Option |
    |---|---|
    | AES 128 Encryption with Internal Key | ibi.webfoc.wfsecurity.encryption.wireaes.WFWireAES128 |
    | AES 128 Encryption with External Key | ibi.webfoc.wfsecurity.encryption.wireaes.WFWireAES128KeyFile |
    | AES 192 Encryption with Internal Key | ibi.webfoc.wfsecurity.encryption.wireaes.WFWireAES192 |
    | AES 192 Encryption with External Key | ibi.webfoc.wfsecurity.encryption.wireaes.WFWireAES192KeyFile |
    | AES 256 Encryption with Internal Key | ibi.webfoc.wfsecurity.encryption.wireaes.WFWireAES256 |
    | AES 256 Encryption with External Key | ibi.webfoc.wfsecurity.encryption.wireaes.WFWireAES256KeyFile |

    If you are using an internal key, proceed to step 7. If you are using an external key, proceed to step 4. If you are using a security token, proceed to step 6.

  4. Create the key file and save it as a plain text file.

    For more information on hexadecimal keys, see Key File Format.

    If you are using a security token to enable trusted communication between the WebFOCUS Client and other software, proceed to step 5. Otherwise, proceed to step 7.

  5. If you are using a security token to enable trusted communication between the WebFOCUS Client and another application, enter the value of the token in the Token Key (IBI_WF_TOKEN_KEY) setting and click Save.
  6. Specify the value of the security token in the other application.

    Consult the appropriate documentation for the other application you are using for more information on configuring the security token.

  7. In the Administration Console, click the Security tab, and under the Security folder, click Advanced.
  8. Enter one or more of the following server account credentials:
    • IBI_WFRS_Service_Pass
    • IBI_Anonymous_WFRS_Pass
    • IBI_Admin_Pass
    • IBI_Magnify_Repos_DB_Password
  9. Restart the Application server.

    The startup process automatically encrypts all new passwords in the configuration files.

Procedure: How to Encrypt the Trusted Connection Between the WebFOCUS Client and the WebFOCUS Server

You can use the Administration Console to encrypt the trusted connection between the WebFOCUS Client and the WebFOCUS Server. For more information about configuring the trusted connection, see How to Configure the WebFOCUS Client to Make a Trusted Connection to the WebFOCUS Reporting Server.

  1. Sign in as an administrator, and open the Administration Console.
  2. On the Configuration tab, expand the Reporting Servers folder and then expand the Server Connections folder.
  3. Select the desired Server node.

    The Client Configuration page appears.

  4. Expand the Advanced node.
  5. Click one of the following Encryption list options, and then click Save.
    • 0. Off.
    • cipher(x)[-mode]

      where:

      cipher
        Is the encryption algorithm used, such as AES128 or AES256.

      x
        Optionally defines an RSA key length of 1024 bits. If unspecified, the default value used is 512 bits.

      mode
        Optionally specifies the mode of operation, Electronic Code Book (ECB) or Cipher Block Chaining (CBC). If unspecified, the default value used is ECB. Because ECB encrypts identical plaintext blocks to identical ciphertext blocks, specify CBC explicitly when repeated data must not be distinguishable on the wire.

  6. Click Save.
  7. When you receive the Saved Successfully message, click OK.
  8. Specify the value of the security token in the other application.

    Consult the appropriate documentation for the other application you are using for more information on configuring the security token.

  9. Re-enter one or more of the following server account credentials in the configuration file:
    • IBI_WFRS_Service_Pass
    • IBI_Anonymous_WFRS_Pass
    • IBI_Admin_Pass
    • IBI_Magnify_Repos_DB_Password
  10. Restart the Application server.

    The startup process automatically encrypts all new passwords in the configuration files.