How to encrypt Harvest data
search cancel

How to encrypt Harvest data


Article ID: 134271


Updated On:


CA Harvest Software Change Manager CA Harvest Software Change Manager - OpenMake Meister


We need to ensure 

1) Password complexity standards are adhered to, and 

2) Idle Oracle database connections are terminated, which means that Harvest will need to detect that the connection has been terminated and re-establish it, and 

3) All data in transit must be encrypted. 


Release : 13.0.3, 14.x



Data security requirements demand it


Requirement #1 - Password complexity

LDAP controls password complexity for LDAP-authenticated users. 

For internally authenticated users, the password complexity can be set from the command line utilities hppolget and hppolset. Hppolget gets the existing default password configuration file. Any complexity can be introduced into this policy, and then the policy can be set using hppolset command line formulation. For more details on how to run these utilities, please refer to the below command line utilities docops link. 

hppolget Command-Get Password Policy

hppolset Command-Set Password Policy


Requirement # 2 - Idle database connections terminated:

There is no provision to determine the idle database connections on Oracle, but there is a provision to identify an idle HServer process from the Harvest side and kill it. Idle HServers can be detected and set to shutdown after a pre-determined timeline. You can use the -killperiod option to set the HServer idle time limit (the period of inactivity after which the broker shuts down “temporary” servers. For more details, please refer to the below link

Configure the Broker and Server Communication on Windows

Topic: How the Broker Manages Server Processes on Windows


Requirement #3 - all data in transit must be encrypted:

Existing Harvest Encryption enablement methods include:

  • FIPS Mode can be enabled for the SCM Server and the SCM Agent to encrypt data passed between the SCM Server (broker/HServer), the agent, and the client components (workbench, etc.) (There is a known issue related to this in the Release notes: Known Issues, Topic: Login Fails for a FIPS-Enabled Broker from a Computer With CA SSA) 
  • CAPKI - This utility encrypts username and password when passing between clients (like Workbench) and the broker/HServer/agent
  • SSL and TLS can be used to further encrypt information passing between HServer and the LDAP server for userid/password authentication 
  • Encryption between Oracle/SQL Server database and SCM Broker/HServer is possible at the ODBC level. This encrypts the data between the database and the server.
  • With Harweb, HTTPS can encrypt communication across the network between the Harweb server and the browser on the client machines.

Oracle database encryption on Windows:

If the server is on the Windows platform, you may refer to the article below.

How to enable encryption for ODBC connections to Oracle databases?

Oracle database encryption on Non-windows:

This is possible on Non-Windows using the below-specified methods

[c]The encryption methods available in DataDirect ODBC drivers are applicable here

We can add EncryptionMethod=X in the odbc.ini file

X can be of levels 1,2,3,4 and 5

Valid Values 0 | 1 | 3 | 4 | 5

If set to 0 (No Encryption), data is not encrypted.

If set to 1 (SSL), data is encrypted using SSL. If the server supports protocol negotiation, the driver and server negotiate the use of TLS v1, SSL v3, or SSL v2 in that order.

If set to 3 (SSL3), the driver uses SSL3 data encryption.

If set to 4 (SSL2), the driver uses SSL2 data encryption.

If set to 5 (TLS1), the driver uses TLS1 data encryption.

Default 0 (No Encryption)


The CAPKI option is automatic, and the rest must be enabled and configured according to your needs.

Additional Information

Further details on the TLS versions supported by the DataDirect for ODBC driver:
TLS versions supported for encryption between Harvest and Oracle