Encryption of Database Password

If the MI client uses a database, you can encrypt the password that is used to connect with the database. In this case, the password for the database user is encrypted. The key used to encrypt the data is stored in a keystore. The keystore is protected by the logon user’s password.

For more information on configuring encryption, see Setting Up Encryption of Database Password.

If the database password encryption is activated it affects the following areas:

User Creation

Multiple users cannot be created at the same time on the client. After a user has been created the information must be synchronized. Once this has been done, the next user can be created. The synchronization completes the initialization of the created user and a keystore is created with the user’s local logon password. Once the keystore has been initialized, it is possible to create more users.

Synchronization

When the server is accessed during synchronization a connection to the keystore is created to read the key. The key is used to decrypt the database password. This password is then used to create the connection to the database. The different types of synchronization can be defined as follows:

·        Mobile device initialization

During the first synchronization, the server initializes the mobile device and provides it with a device ID. The server generates a symmetrical key and sends it to the mobile device. The user is then initialized, a keystore is created, and the database password is encrypted.

·        Standard synchronization

The server selects the symmetrical key that is assigned to the mobile device and sends this to the mobile device, together with the data to be synchronized. The symmetrical key is required to decrypt the database password.

Access to the Keystore

·        Where the mobile device is used by multiple users (without Single Sign-On)

After the user has logged onto the client the keystore is opened. If the user was initialized correctly, his or her keystore contains a symmetrical key, which is required to access the database.

·        Where the mobile device is used by multiple users (with Single Sign-On)

If the user has logged on using Single Sign-On, the keystore is not opened. Instead, the connection to the database is formed using the symmetrical key sent by the server. In this case, the keystore is not used.

·        Where the mobile device is used by one user (with logon)

If the user authenticates his- or herself on the client with the user and local logon password, the keystore is accessed in the same way as described in Where the mobile device is used by multiple users.

·        Where the mobile device is used by one user (bypass option)

If the user authenticates his- or herself using the system logon (bypass option), it is not possible to protect the keystore because the user does not have to authenticate themselves on the client directly. In this case, the user’s keystore is protected by a hard-coded password. This solution is not, however, as secure as the encryption of the local logon password in the keystore. It is to be considered as more of a workaround.

Passwords

·        Change of local logon password

If the user changes his or her local logon password that was already stored as encrypted data in the keystore, the existing keystore is deleted and replaced by a new one.

·        Resetting the local logon password

If the user has forgotten his or her password and resets it, a new keystore is created and filled with the symmetrical key sent by the server. The old keystore that contains the forgotten password is deleted.

An online connection to the server is required to reset the logon password.