Can attribute encryption in directory.xml be used for passwords with database as user store?

Article ID: 39074

Products

CA Identity Manager
CA Identity Governance
CA Identity Portal
CA Risk Analytics
CA Secure Cloud SaaS - Arcot A-OK (WebFort)
CLOUDMINDER ADVANCED AUTHENTICATION
CA Secure Cloud SaaS - Advanced Authentication
CA Secure Cloud SaaS - Identity Management
CA Secure Cloud SaaS - Single Sign On

Issue/Introduction

Question:

Can attribute encryption be configured for passwords in directory.xml when a database is used as the user store?

Answer:

Using attribute-level encryption for passwords is not advised when other applications, such as SiteMinder, also need to use the password.

LDAP user stores hash passwords automatically, so encryption at the application level is not needed. When the LDAP server authenticates a user it hashes the supplied password and compares it with the stored hash; this works for Identity Manager and for any other application that uses the same directory, such as SiteMinder.

Adding attribute-level encryption on top of this breaks that sharing, because the encryption key is held by Identity Manager only: neither the directory nor any other application can recover or compare the stored value.

With databases as user stores the situation is roughly the same. Originally databases had no ability to hash the password column, so it was up to the application to apply encryption. This means that only the Identity Manager application can digest the password, and no other application can use the password attribute.

Today database vendors have added a level of encryption similar to the one used in LDAP servers, so applications read and write in clear text and the database handles the encryption. Again, in this scenario it is not advised to use attribute-level encryption if other applications need to use the password data.
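The contrast the answer draws, as an added illustration (not CA/Broadcom product code): a store-side salted hash in the LDAP {SSHA} layout can be verified by any application that can read it or ask the directory to compare, with no key involved, whereas a value encrypted under a key that only Identity Manager holds cannot be verified by a second application such as SiteMinder. The keystream cipher below is a deliberate toy standing in for whatever algorithm the product's attribute encryption uses (an assumption; it shows key possession, not cipher strength), and the password and key values are constructed for the demo.

```python
"""Hashed vs. application-encrypted password attributes.

Added illustration; not Identity Manager code.  The {SSHA} helpers follow
the common LDAP userPassword layout; app_encrypt/app_verify use a toy
SHA-256 keystream cipher as a stand-in for the product's attribute
encryption (assumption made for the demo).
"""
import base64
import hashlib
import hmac
import os
from typing import Optional


# --- Path 1: the user store hashes the password (LDAP {SSHA} style) -------

def ssha_hash(password: str, salt: Optional[bytes] = None) -> str:
    """Store-side hashing as an LDAP server does for userPassword.
    Layout: {SSHA}base64(sha1(password || salt) || salt)."""
    salt = salt if salt is not None else os.urandom(8)
    digest = hashlib.sha1(password.encode("utf-8") + salt).digest()
    return "{SSHA}" + base64.b64encode(digest + salt).decode("ascii")


def ssha_verify(stored: str, candidate: str) -> bool:
    """Hash compare: any application (IM, SiteMinder, ...) that can read
    the attribute, or have the directory bind, can verify.  No key needed."""
    if not stored.startswith("{SSHA}"):
        return False
    raw = base64.b64decode(stored[len("{SSHA}"):])
    digest, salt = raw[:20], raw[20:]          # SHA-1 digest is 20 bytes
    recomputed = hashlib.sha1(candidate.encode("utf-8") + salt).digest()
    return hmac.compare_digest(digest, recomputed)


# --- Path 2: the application encrypts the attribute with its own key ------

def _keystream(key: bytes, length: int) -> bytes:
    """Toy keystream: SHA-256(key || counter) blocks.  Demo only."""
    out = b""
    counter = 0
    while len(out) < length:
        out += hashlib.sha256(key + counter.to_bytes(4, "big")).digest()
        counter += 1
    return out[:length]


def app_encrypt(key: bytes, password: str) -> str:
    """Application-level encryption of the attribute value before it is
    written to the store.  The store never sees the clear-text password."""
    pt = password.encode("utf-8")
    ct = bytes(a ^ b for a, b in zip(pt, _keystream(key, len(pt))))
    return "{ENC}" + base64.b64encode(ct).decode("ascii")


def app_verify(key: bytes, stored: str, candidate: str) -> bool:
    """Only the holder of `key` can turn the stored value back into
    something comparable; a caller with a different key gets garbage."""
    if not stored.startswith("{ENC}"):
        return False
    ct = base64.b64decode(stored[len("{ENC}"):])
    pt = bytes(a ^ b for a, b in zip(ct, _keystream(key, len(ct))))
    return hmac.compare_digest(pt, candidate.encode("utf-8"))


def demo() -> dict:
    """Constructed scenario: IM writes the password once; IM and a second
    application (SiteMinder) each try to verify the same stored value."""
    password = "Correct-Horse-9"          # constructed demo value
    im_key = os.urandom(32)               # known to Identity Manager only
    siteminder_key = os.urandom(32)       # SiteMinder has no copy of im_key

    hashed = ssha_hash(password)
    encrypted = app_encrypt(im_key, password)
    return {
        # store-side hash: both applications succeed with no shared secret
        "hash_im": ssha_verify(hashed, password),
        "hash_siteminder": ssha_verify(hashed, password),
        "hash_wrong_pw": ssha_verify(hashed, "wrong-password"),
        # application-side encryption: only the key holder succeeds
        "enc_im": app_verify(im_key, encrypted, password),
        "enc_siteminder": app_verify(siteminder_key, encrypted, password),
    }


if __name__ == "__main__":
    for name, ok in demo().items():
        print(f"{name:16s} -> {ok}")
```

The hashed path returns True for both applications and False for a wrong password, while the encrypted path returns True only for the key holder; that asymmetry is exactly why the answer advises against attribute-level encryption when SiteMinder or another application must also authenticate against the same store.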

Environment

Release: CAIDMB99000-12.6.3-Identity Manager-B to B
Component: