EasyCrypt


This procedure is intended exclusively for customers using the On Premise version of Service Manager. SaaS customers should submit a change request to the EasyVista Support Team to enable encryption or to force reinitialization for employee passwords.

EasyCrypt is a user interface that can be used to perform key encryption (standard mode) or cryptographic hash functions (SHA256 mode) on a string of characters for any password. Using an algorithm, passwords are made unintelligible and are practically impossible to decipher should unauthorized users access the files or tables where they are stored.

  • Encryption can be carried out on a single string of characters or as a batch process on all of the passwords stored in a CSV file.
  • In Service Manager, all administration passwords and employee passwords can be encrypted - see Description of the types of passwords
  • Service Manager will identify whether or not encryption is enabled when the password is used.

Notes

  • We recommend that you use EasyCrypt for employee passwords when user authentication is not delegated to a corporate directory or when you create user accounts for external service providers so that they can access Service Manager without being referenced in the EasyVista directory.
  • EasyCrypt offers two types of encryption:
    • Standard mode based on an internal encryption algorithm.
    • SHA256 mode (Note: From Service Manager 2015.1 patch onwards) which is irreversible. The password is hashed before being stored in the database and can no longer be decrypted and converted back to plain text. This provides additional security as compared with the standard mode.
  • On all user interfaces:
    • Users will always enter passwords in plain text.
    • Encryption is performed automatically and transparently before the password is stored in the database.
  • Encrypting a file:
    • The file must be in CSV format and must contain two columns, one for the employee ID and the other for the non-encrypted passwords.
    • The CSV results file is created in the same folder as the initial file with the suffix _crypted. Non-encrypted passwords will be replaced with encrypted ones.

Caution

  • For administration passwords and passwords for connecting to external databases, you should use the standard encryption mode only. As the server will expect a password in plain text, this mode enables you to decrypt the password when logging in to the database.
  • You should use the SHA256 mode only for employee passwords. When logging in to Service Manager, the password entered by users is hashed and compared with the hashed password stored in the database. Access is authorized when both hash values match.
  • You can use both encryption modes for employee passwords.

Screen description

Note: Only the standard mode is described below.

Access: C:\easyvista\tools\servers\MSSQL\EasyCrypt.exe

Manual section:

  • String: String of characters in plain text corresponding to the password to be encrypted. Click [ CRYPT ] to run the encryption algorithm.
  • Crypted: Encrypted password.

Automatic section:

  • File: Folder and name of the CSV file containing the passwords to be encrypted. Click [ LOAD FILE ] to load the file. Next, click [ CRYPT FILE ] to run the encryption algorithm.

     

Password encryption in ev Service Manager

Passwords for administration

Passwords are stored in the configuration files of EasyVista services and in certain tables in the EVO_ADMIN and EVO_DATA databases - see List of files and tables

  • No specific configuration is required for implementing encryption. Passwords can be encrypted on the fly using EasyCrypt and then stored manually in files or tables - see Procedure
  • Certain passwords are already encrypted during the installation of Service Manager.

Passwords for employees

Employee passwords are stored in the AM_EMPLOYEE table in the EVO_DATA database. They ensure secure access to Service Manager as well as other functions that require authentication, e.g. technical support agent, web services, etc.

  • Service Manager is able to manage both encrypted and non-encrypted passwords in the AM_EMPLOYEE table.
  • You can implement password encryption at any time.
    • During the installation of the functionality, all existing passwords are considered to be non-encrypted.
    • Once the functionality is installed, all new passwords are automatically encrypted.

Principle of password encryption

  • You must configure a parameter in the A_COMPANY table prior to installing the encryption functionality.
  • You can then use one of the two methods to encrypt existing passwords:
    • Best practice: You can reinitialize and replace them with a generic encrypted password. You can then force the expiration of all passwords. The next time users log in to Service Manager, they will be asked to enter a new password - see Procedure
    • You can keep and encrypt passwords as a batch. The next time users log in to Service Manager, they can reuse their existing password - see Procedure

Note: You can apply either method to all existing passwords or to selected passwords (using WHERE clauses in SQL queries) in order to update passwords gradually over a period of time. See Example.

Caution

  • Only the first method where existing passwords are reinitialized and replaced with a generic encrypted password is supported by the EasyVista Support Team.
  • Although it is described in the procedure, the second method where existing passwords are kept and encrypted is not supported by the EasyVista Support Team because it may result in the loss of all passwords in the event of a manipulation error. Furthermore, this method requires you to use an intermediate file containing the existing passwords which may be accessed by unauthorized users.
  • You should always perform a backup of the EVO_DATA database before implementing the encryption of employee passwords.

Procedures

How to use EasyCrypt

1. Start EasyCrypt.

  • Go to the C:\easyvista\tools\servers\MSSQL folder.
  • Run EasyCrypt.exe.

2. To encrypt a string of characters:

  • Enter the string of characters in plain text in the Manual section > String field.
  • Click [ CRYPT ]. The result will appear in the Crypted field.

3. To perform batch encryption for passwords in a file:

  • In the Automatic section, click [ LOAD FILE ] and select the CSV file you want.
  • Click [ CRYPT FILE ]. A new file will be created in the same folder as the initial file with the suffix _crypted. All initial passwords will be encrypted.

 

How to encrypt administration passwords

1. Run EasyCrypt and perform the administration password encryption:

  • Enter the string of characters in plain text in the Manual section > String field.
  • Click [ CRYPT ]. The result will appear in the Crypted field.

2. Copy and paste the contents of the Crypted field in the file or table you want.

 

How to enable the encryption functionality for employee passwords

Note: <EasyVista account> identifies the account used to encrypt passwords.
         Example: EVO_DATA<EasyVista account> for account 50004 ==> the database affected will be production database EVO_DATA50004

1. Start SQL Server Management Studio and run the following query to configure the encryption in the A_COMPANY table in the EVO_ADMIN database:

UPDATE [EVO_ADMIN].[EZV_ADMIN].[A_COMPANY]
SET    crypt_pass=1
WHERE  company_account=<easyvista account> 

2. Restart the EasyVista services.

Best practice

  • To restart Windows services on an application server, scripts are usually available on the desktop (start EZV, stop EZV and restart EZV). Use these first; otherwise, you may use a service manager.
  • We recommend that you follow the order below when stopping or restarting services.

    When stopping services

  • net stop smoScheduler
  • net stop smoAstService
  • net stop smoPrintServer
  • net stop TSmoMonitoringService
  • net stop EasyVistaKernel
  • net stop EasyVistaServer
  • net stop SMO_Server
  • net stop SMOBroker

    When restarting services

  • net start SMOBroker
  • net start SMO_Server
  • net start EasyVistaServer
  • net start EasyVistaKernel
  • net start TSmoMonitoringService
  • net start smoPrintServer
  • net start smoAstService
  • net start smoScheduler

 

How to replace existing employee passwords with a generic encrypted password (best practice)

Note: <EasyVista account> identifies the account used to encrypt passwords.
         Example: EVO_DATA<EasyVista account> for account 50004 ==> the database affected will be production database EVO_DATA50004

1. In order to be able to restore the initial passwords in the event of a problem, you should perform a backup of the EVO_DATA<EasyVista account> database.

2. Enable the encryption functionality for employee passwords.

3. Reinitialize the existing employee passwords and replace them with a generic encrypted password. Note: If you want to keep and encrypt the existing passwords, see Procedure

  • Run EasyCrypt and perform the encryption of the generic password:
    • Enter the string of characters in plain text in the Manual section > String field.
    • Click [ CRYPT ]. The result will appear in the Crypted field.
  • Start SQL Server Management Studio and replace all existing passwords in the PASSWD column in the AM_EMPLOYEE table with the generic encrypted password by running the following query:

-- Replace the placeholder with the value copied from the Crypted field in EasyCrypt.
UPDATE [EVO_DATA<EasyVista account>].[<EasyVista account>].[AM_EMPLOYEE]
SET    passwd='<contents of the Crypted field>'

Note: If you want to update only certain passwords, you can add a WHERE clause to the query to select specific employees. Run the query for each target you want - see Example

4. Force the expiration of all existing user passwords.

Note: If you updated only certain passwords in the previous step, you should manually force the expiration for the selected employees. Run the query for each target you want - see Example

  • Select Administration > Access Management > Employees in the menu and run the Definition of password policies wizard. Caution: The configuration performed in the wizard applies automatically to all users, even if you only make a partial selection of users from the list.
  • Select the Enforce All Password Expiration box.
  • Specify the other options based on your password policy and click [ TERMINER ] (Finish). The last update date for the password found in the PASSWD_LAST_UPDATE_UT column in the AM_EMPLOYEE table will be reset to a blank value.

5. Send an email to all employees informing them of their new password.

6. The next time AM_EMPLOYEE users log in to a Service Manager application or function that requires authentication, they will be asked to enter a new password.

  • Users should enter the generic password sent by email in the Previous password field.
  • The last update date for the password will be refreshed.

 

How to keep and encrypt existing employee passwords

Caution: This method is not supported by the EasyVista Support Team because it may result in the loss of all passwords in the event of a manipulation error. Furthermore, this method requires you to use an intermediate file containing the existing passwords which may be accessed by unauthorized users.

Note: <EasyVista account> identifies the account used to encrypt passwords.
         Example: EVO_DATA<EasyVista account> for account 50004 ==> the database affected will be production database EVO_DATA50004

1. In order to be able to restore the initial passwords in the event of a problem, you should perform a backup of the EVO_DATA<EasyVista account> database.

2. Enable the encryption functionality for employee passwords.

3. Save all existing employee passwords in a CSV file.

  • Start SQL Server Management Studio and retrieve the passwords by running the following query:
SELECT login,passwd
FROM   [<EasyVista account>].[am_employee]
WHERE  passwd IS NOT NULL

Note: If you want to update only certain passwords, you can add a WHERE clause to the query to select specific employees. Run the query for each target you want - see Example

  • Copy and paste the results in an Excel file.
  • Save the file in CSV format. 

4. Run EasyCrypt and perform the batch encryption of all passwords in the CSV file.

  • In the Automatic section, click [ LOAD FILE ] and select the CSV file you want.
  • Click [ CRYPT FILE ]. A new file will be created in the same folder as the initial file with the suffix _crypted.

5. Integrate the encrypted passwords in Service Manager using an integration model - see Procedure. The next time AM_EMPLOYEE users log in to Service Manager, they can reuse their existing password.

 

Example: You want to encrypt the passwords of selected employees.

Perform steps 1 to 4 for each of the targets. In the example below:

  • database = test database 40000
  • Target 1 = employees whose employee ID is 9477 and 9478
  • Target 2 = employees whose employee ID is 9480 and 9481
     

1. Check the information regarding each employee.

SELECT employee_id,last_name,passwd,passwd_last_update_ut
FROM   [EVO_DATA40000].[40000].[am_employee]
WHERE  employee_id IN ( 9477, 9478 )


2. Replace the existing password with a generic encrypted password for each employee.

UPDATE [EVO_DATA40000].[40000].[am_employee]
SET    passwd = 'Crypted generic password'
WHERE  employee_id IN ( 9477, 9478 )

3. Reinitialize the last update date for the password for each employee. This enables you to force the expiration of the passwords manually.

UPDATE [EVO_DATA40000].[40000].[am_employee]
SET    passwd_last_update_ut = NULL
WHERE  employee_id IN ( 9477, 9478 )

4. Check that the update is successfully performed for each employee.

SELECT employee_id,last_name,passwd,passwd_last_update_ut
FROM   [EVO_DATA40000].[40000].[am_employee]
WHERE  employee_id IN ( 9477, 9478 )


5. Send an email to the selected employees informing them of their new generic encrypted password. The next time users log in to a Service Manager application or function that requires authentication, they will be asked to modify their password.

6. Perform steps 1 to 5 for the second target and modify the WHERE clause each time.

       Example: To replace the password:

UPDATE [EVO_DATA40000].[40000].[am_employee]
SET    passwd = 'Crypted generic password'
WHERE  employee_id IN ( 9480, 9481 )
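
A guarded variant of steps 2 to 4 for Target 1, added here as an example (it is not EasyVista's own script): the two UPDATE statements are merged into one and run inside a transaction that rolls back when the number of rows changed differs from the number of employees targeted, for instance when the WHERE clause is omitted or mistyped. The @expected and @rows variables are assumptions of this example; table, column and ID values are those used above.

```sql
-- Added example, not part of the EasyVista procedure.
-- Run it only after the EVO_DATA backup described in the procedure.
SET XACT_ABORT ON;  -- a run-time error rolls the whole transaction back
SET NOCOUNT ON;

DECLARE @expected INT = 2;  -- number of employee IDs listed in the WHERE clause
DECLARE @rows     INT;

BEGIN TRANSACTION;

-- Steps 2 and 3 in a single statement: set the generic encrypted password
-- and clear the last update date so that the password is treated as expired.
UPDATE [EVO_DATA40000].[40000].[am_employee]
SET    passwd = 'Crypted generic password',  -- placeholder: value of the Crypted field
       passwd_last_update_ut = NULL
WHERE  employee_id IN ( 9477, 9478 );

SET @rows = @@ROWCOUNT;  -- must be read immediately after the UPDATE

IF @rows <> @expected
BEGIN
    -- More or fewer rows than intended: undo everything.
    ROLLBACK TRANSACTION;
    RAISERROR('Update changed %d rows, expected %d. Rolled back.', 16, 1, @rows, @expected);
END
ELSE
BEGIN
    -- Step 4: review the rows before the change becomes permanent.
    SELECT employee_id, last_name, passwd, passwd_last_update_ut
    FROM   [EVO_DATA40000].[40000].[am_employee]
    WHERE  employee_id IN ( 9477, 9478 );

    COMMIT TRANSACTION;
END
```

For the second target, change both WHERE clauses to the new employee IDs and set @expected to the number of IDs listed.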
Last modified by Unknown User on 2017/12/19 18:48
Created by Administrator XWiki on 2015/04/10 11:27

Powered by XWiki ©, EasyVista 2018