Monday, April 13, 2015

How to encrypt the SQL connection string passwords in WebCenter Forms Recognition

This walkthrough will show an example of using WFR's INI File Encryption features as described in section 5.14 of the 11.1.1.8 installation guide.

The install guide has a good walkthrough of the steps, but it's not 100% specific to the AP Solution, and it requires a few decisions that are not covered in the document.

1. You should have your own XML-format RSA key pair. Brainware says to obtain this key pair directly from Brainware support, but Oracle's doc does not include that statement. I've found that the easiest way to generate the key is to use a simple Java app to format it as needed. I'll attach a link to the Java app at the bottom. Note that this is using java.security, but BouncyCastle should be usable as well, if desired. You can also use the sample key pair provided in the doc, but this should not be used for production as it is not secure (the private key is published in the doc!).

2. Take your ini file and remove the password from the SQL_VL_##_ConnectionString. At run time the script decrypts the password and appends it back to the ConnectionString before it attempts to create a DB connection with it.

3. Create a matching SQL_VL_##_ConnectionPassword=<my encrypted password> entry in the ini file. We'll cover how to create the encrypted password a few steps down.

4. Open your sdp in Designer. Show Scripts. Go to Sheet #2.

5. Enable the CdrCrypt Reference (figure 5-3 in the install doc)

6. Take the supplied sample script and update it with your private key (be sure to remove any line feeds!), or use the supplied key if this is a POC/DEV environment.

7. Paste the script into the fnSetDBConnection (or create your own function and call the function from this location); place it as follows:

On Error GoTo lbl_error

<ADD SCRIPT HERE>

fnSetDBConnection =1
blFoundEmptyConnection = False

8. In a command prompt, cd to <wfr_home>/bin/bin

9. Run the following command to get the encrypted string used in step #3:

DstCrypt.exe /text "MyClearTextPassword" /key "<myPUBLICkey>" >> my_enc_password.txt

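10. Find your encrypted string at the end of the output. The output also contains the clear-text password, so delete my_enc_password.txt once you have copied the string: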

Text <cleartextpassword> encoded to XBj9I3tuiu+f/XZBH1qIENWGFdoNkmFdtvc3L8LMdBH[...]

11. Paste your encrypted password into the ini file as stated in step #3

12. Save and verify your sdp changes

13. Test!
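
For step 1, the following is an added example of generating a key pair with java.security and printing it as XML; it is not the Java app mentioned above and not code from Oracle or Brainware. It assumes the XML layout is the .NET-style RSAKeyValue element set (compare the element names against the sample key pair in the install guide before using it); the class name RsaXmlKeyGen and the 2048-bit key size are also assumptions.

```java
import java.math.BigInteger;
import java.security.KeyPair;
import java.security.KeyPairGenerator;
import java.security.interfaces.RSAPrivateCrtKey;
import java.util.Base64;

public class RsaXmlKeyGen {
    // Base64 of v as unsigned big-endian bytes, left-padded with zeros to
    // len bytes (len 0 = shortest form).
    static String b64(BigInteger v, int len) {
        byte[] raw = v.toByteArray(); // two's complement: may start with a 0x00 sign byte
        int start = (raw.length > 1 && raw[0] == 0) ? 1 : 0;
        int n = raw.length - start;
        byte[] out = new byte[Math.max(len, n)];
        System.arraycopy(raw, start, out, out.length - n, n);
        return Base64.getEncoder().encodeToString(out);
    }

    static String el(String tag, BigInteger v, int len) {
        return "<" + tag + ">" + b64(v, len) + "</" + tag + ">";
    }

    public static void main(String[] args) throws Exception {
        int bits = 2048; // assumption: use the size your WFR release supports
        KeyPairGenerator gen = KeyPairGenerator.getInstance("RSA");
        gen.initialize(bits);
        KeyPair pair = gen.generateKeyPair();
        RSAPrivateCrtKey k = (RSAPrivateCrtKey) pair.getPrivate();
        int full = bits / 8, half = full / 2;

        // Public part: Modulus at full key length, Exponent in shortest form.
        String pub = el("Modulus", k.getModulus(), full)
                   + el("Exponent", k.getPublicExponent(), 0);
        // Private part: CRT values at half length, D at full length.
        String priv = pub
                   + el("P", k.getPrimeP(), half) + el("Q", k.getPrimeQ(), half)
                   + el("DP", k.getPrimeExponentP(), half)
                   + el("DQ", k.getPrimeExponentQ(), half)
                   + el("InverseQ", k.getCrtCoefficient(), half)
                   + el("D", k.getPrivateExponent(), full);

        // Line 1: public key (for DstCrypt /key). Line 2: private key (for the
        // script). Each is a single line, so there are no line feeds to remove.
        System.out.println("<RSAKeyValue>" + pub + "</RSAKeyValue>");
        System.out.println("<RSAKeyValue>" + priv + "</RSAKeyValue>");
    }
}
```

The fixed-length padding matters because BigInteger drops leading zero bytes and adds a sign byte, and either one can make an otherwise valid key fail to load in an RSAKeyValue parser.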

Troubleshooting tips:
** You can use the script to place file outputs to verify each step of the way.
** If you notice nothing is happening, comment out the "On Error GoTo lbl_error" line; this will allow the errors to output to the RTS console
** If you're getting object errors on the .decrypt function call, make sure you have patched your WFR 11g instance with the two Web Verifier patches. The patch names say "Web Verifier", but Patch #2 contains patches for the core products. Also, be sure to deploy both patches since they are not cumulative. Even if you're not using Web Verifier, go ahead and apply these patches.


Oracle may be providing a script sample for this in the future. I'll be sure to update to reflect the supported method. But, as of 2015/04/12, nothing has been published.


Hope that helps!
-ryan