Password Encoding Overview
ARCHIBUS Web Central can use different password encodings:
- Plaintext. This is the default encoding that ARCHIBUS ships with so that the sample database and new projects load and run.
- ARCHIBUS-encoding. This is the ARCHIBUS 2.0 encoding that has been in use for all of the Web Central releases.
- SHA. (Secure Hash Algorithm) A family of one-way hash functions designed by the National Security Agency and published by the National Institute of Standards and Technology as a Federal Information Processing Standard. The default strength is SHA-1, although you can change the strength to SHA-256, SHA-384, or SHA-512. SHA-1 is deprecated for new use, so raise the strength to at least SHA-256 when you configure this encoding. Any of these strengths is a one-way hash: the stored value cannot be turned back into the password.
- Tailored encoding. If you are familiar with Spring Security, you can substitute your own encoding (e.g. MD5). Note that MD5 is weaker than any of the SHA strengths above and offers no advantage over them; do not choose it for a new deployment.
Other Notes
- ARCHIBUS Client/Server. If you are using security on ARCHIBUS Client/Server against the same project database, you must use the Plaintext or ARCHIBUS-encoding.
- Mixed Encodings. ARCHIBUS Web Central V17.1 and earlier allows you to use Plaintext encoding for some user accounts and ARCHIBUS-encoding for others. ARCHIBUS Web Central V17.2 and later, however, require one consistent encoding. If you have mixed encodings, follow the procedure for changing encodings (below) to encode all of your passwords consistently.
- Old Encoding. The current ARCHIBUS-encoding is known as v2.0. Prior to Web Central, ARCHIBUS databases supported an earlier encryption method (v1.0), which Web Central does not support. If you are upgrading an older database to use Web Central, you must re-enter plaintext passwords for users, and then re-encrypt them.
Changing Encodings
In order to enforce consistent password policies, ARCHIBUS requires one consistent encoding for all passwords. You establish this encoding in password-encoder.xml before you start Web Central, and from that point on every stored password must already be in that encoding.
To achieve the desired level of security on passwords, ARCHIBUS also supports encodings that cannot be reversed (the SHA hashes): once a password has been hashed, the original password cannot be recovered from the stored value. As a result, stored passwords can only be converted in place when they are currently Plaintext; in every other case you must issue a new password to all users.
For this reason, ARCHIBUS has features to:
- Bulk-generate a unique plaintext password for each user
- Email plaintext passwords that must be changed on first login
- Bulk-encrypt plaintext passwords
In particular, the following are typical transitions and the method you would use:
- Plaintext to ARCHIBUS-encoding. Since your current passwords are not encrypted, you can simply encrypt them in place. End users can log in with the same passwords, because only the storage format of the password changes, not the password itself.
- Plaintext to SHA. Again, since your current passwords are not encrypted, you can simply encrypt them. End users can log in with the same passwords.
- ARCHIBUS-encoding to SHA. Since your passwords are encrypted, you must generate new passwords for your users, email them to your users, then encrypt the new passwords.
- SHA to ARCHIBUS-encoding. Again, since your passwords are encrypted, you must generate new passwords for your users, email them to your users, then encrypt the new passwords.
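The two kinds of transition above, together with the three bulk features (generate unique plaintext passwords, email them, bulk-encode), can be exercised end to end. The following Python script is an added example written for this page; it is not ARCHIBUS or Spring Security code. It assumes an unsalted SHA encoder (the hex digest of the raw password, which is what a Spring-style SHA encoder produces when no salt source is configured), a constructed three-user table, and 12-character random passwords; the function names are the example's own.

```python
import hashlib
import secrets
import string

# Constructed sample user table (user name -> stored plaintext password).
# Not data from any real ARCHIBUS project. Two users deliberately share a password.
PLAINTEXT_USERS = {
    "ALICE": "abc",
    "BOB": "Winter2024",
    "CAROL": "abc",
}

# The "strength" values named on the page, mapped to hashlib algorithm names.
SHA_ALGORITHMS = {1: "sha1", 256: "sha256", 384: "sha384", 512: "sha512"}


def sha_encode(password, strength=256):
    """Hex digest of the raw UTF-8 password with no salt.

    Assumption: this mirrors the unsalted output of a Spring-style SHA
    password encoder, so the result is deterministic per password."""
    return hashlib.new(SHA_ALGORITHMS[strength], password.encode("utf-8")).hexdigest()


def bulk_encrypt(plaintext_table, strength=256):
    """Plaintext -> SHA transition: hash what is already stored.
    Users keep their existing passwords because only the storage format changes."""
    return {user: sha_encode(pw, strength) for user, pw in plaintext_table.items()}


def check_login(encoded_table, user, password, strength=256):
    """Verify a login attempt against the SHA-encoded table (constant-time compare)."""
    stored = encoded_table.get(user)
    if stored is None:
        return False
    return secrets.compare_digest(stored, sha_encode(password, strength))


def generate_password(length=12):
    """One unique random plaintext password from a CSPRNG, to be emailed to a user."""
    alphabet = string.ascii_letters + string.digits
    return "".join(secrets.choice(alphabet) for _ in range(length))


def reissue_passwords(users, strength=256):
    """Encoded -> different encoding transition: the stored values cannot be
    turned back into passwords, so generate a fresh plaintext for every user,
    return it for the first-login email, and encode it under the new scheme."""
    new_plaintext = {user: generate_password() for user in users}
    return new_plaintext, bulk_encrypt(new_plaintext, strength)


def users_sharing_digest(encoded_table):
    """Caveat check: with no salt, identical passwords give identical digests,
    so cracking one stored value exposes every user that shares it."""
    by_digest = {}
    for user, digest in encoded_table.items():
        by_digest.setdefault(digest, []).append(user)
    return {d: sorted(u) for d, u in by_digest.items() if len(u) > 1}


if __name__ == "__main__":
    # Plaintext -> SHA-256: encode in place, old passwords still work.
    sha_table = bulk_encrypt(PLAINTEXT_USERS, 256)
    print(check_login(sha_table, "ALICE", "abc"))          # True
    print(users_sharing_digest(sha_table))                  # ALICE and CAROL collide
    # SHA-256 -> SHA-512: stored hashes cannot be converted, so reissue.
    emails, new_table = reissue_passwords(sha_table, 512)
    print(check_login(new_table, "BOB", emails["BOB"], 512))  # True with the emailed password
    print(check_login(new_table, "BOB", "Winter2024", 512))   # False, old password is gone
```

The collision report from users_sharing_digest is the practical cost of an unsalted SHA encoding: the stored table itself reveals which accounts share a password. Reissuing unique random passwords, as the transition procedure requires, also removes those collisions.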