Can attribute encryption in directory.xml be used for passwords with database as user store?

Document ID : KB000039074
Last Modified Date : 14/02/2018

Question:

Can attribute encryption be configured for passwords in directory.xml when a database is used as the user store?


Answer:

Using attribute-level encryption for passwords is not advised when other applications (such as SiteMinder) require access to the password.

LDAP user stores hash passwords automatically, so encryption at the application level is not needed. When the LDAP server needs to authenticate a user it performs a hash compare, which works for Identity Manager and for any other application using the same information, such as SiteMinder.

Adding attribute-level encryption on top of this breaks that model, because the private key is held by Identity Manager only.


With a database as the user store the situation is roughly the same. Originally databases had no ability to hash the password field, so it was up to the application level to apply the encryption. This means that only the Identity Manager application can digest the password, and no other application can use the password attribute.

Today database vendors have added a level of encryption similar to the one used in LDAP servers: the applications read and write in clear text and the database handles the encryption. So again, in this scenario it is not advised to use attribute-level encryption if other applications need to use the password data.
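The following added example (not part of this document, and not Identity Manager or SiteMinder code) illustrates the hash-compare argument above: a self-describing LDAP-style {SSHA} hash can be verified by any application that reads the attribute, whereas a value written under attribute-level encryption (tagged here with the hypothetical scheme label {IMENC}, with a constructed opaque ciphertext) cannot be verified by a consumer that does not hold the key.

```python
import base64
import hashlib
import hmac
import os

# OpenLDAP-style {SSHA}: base64(SHA-1(password || salt) || salt). The salt is
# stored with the digest, so verification needs no shared secret.
SSHA = "{SSHA}"
IMENC = "{IMENC}"  # hypothetical tag for an attribute-level-encrypted value


def ssha_hash(password: str, salt: bytes = b"") -> str:
    """Store a password the way an LDAP server does: salted hash, not ciphertext."""
    salt = salt or os.urandom(8)
    digest = hashlib.sha1(password.encode("utf-8") + salt).digest()
    return SSHA + base64.b64encode(digest + salt).decode("ascii")


def ssha_verify(stored: str, candidate: str) -> bool:
    """Hash compare: re-hash the candidate with the embedded salt and compare."""
    raw = base64.b64decode(stored[len(SSHA):])
    digest, salt = raw[:20], raw[20:]  # SHA-1 digest is 20 bytes, salt follows
    expected = hashlib.sha1(candidate.encode("utf-8") + salt).digest()
    return hmac.compare_digest(digest, expected)


def consumer_verify(stored: str, candidate: str) -> bool:
    """A second application (e.g. a web access manager) that only knows the
    LDAP hash schemes. An encrypted attribute carries no derivable hash, and the
    key is held by the provisioning application only, so it cannot be verified."""
    if stored.startswith(SSHA):
        return ssha_verify(stored, candidate)
    return False  # {IMENC} or any other unknown scheme: cannot hash-compare


def demo() -> dict:
    """Return the outcome of the two storage strategies for a second consumer."""
    hashed = ssha_hash("Tr0ub4dor&3")
    # Constructed stand-in for a value written by the key holder; the consumer
    # sees only ciphertext it cannot decrypt or compare against.
    encrypted = IMENC + base64.b64encode(b"opaque ciphertext (constructed)").decode()
    return {
        "hashed_correct_pw": consumer_verify(hashed, "Tr0ub4dor&3"),
        "hashed_wrong_pw": consumer_verify(hashed, "wrong"),
        "encrypted_correct_pw": consumer_verify(encrypted, "Tr0ub4dor&3"),
    }


if __name__ == "__main__":
    print(demo())
```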