How does CA Business Service Insight (BSI) authenticate the user id and password when a user attempts to login?

Is it the Open API interface and the encrypted passwords are stored in the BSI database?

CA Business Service Insight 8.x and 9.x

The BSI Application receives the login request and validates the credentials against the BSI Oracle database.

All passwords are encrypted in the database.

When a user is authenticated, a secure session token is generated for all application access. OpenApi interface is used for webservices and it uses  the same authentication mechanism