NOTE: Please do not follow the steps given in the Bookshelf. Please refer to the following steps for column-level data encryption. If you want more details, refer to the Bookshelf.
Pre-requisites:
1) Note down all the columns which you want to encrypt.
2) Columns which already contain encrypted and unencrypted data together might have problems getting encrypted.
3) Please find out all the existing Enterprise Parameter names and corresponding passwords.
Please follow the steps in the order in which they are mentioned.
Step 1.0) Changing the keyfile password.
For upgrading the Encryption level to 256-bit, we need to install the Siebel Strong Encryption Pack (SSEP). But before installing the SSEP we need to change the keyfile password.
Note: If we install the SSEP before changing the keyfile password, you will have to reinstall the Siebel Server, Siebel Application etc. again.
Step 1) Shut down any server components that are configured to use encryption.
Step 2) The key file is stored in the Server Bin directory.
Step 3) Run the Key Database Manager utility from the server command prompt.
keydbmgr.exe /u db_username /p db_password /l language /c config_file
Where u - User Name (e.g.: SADMIN)
p - Password (e.g.: SADMIN)
l - Language (e.g.: ENU)
c - Full location of the configuration file
Step 2.0) Install Siebel Strong Encryption Pack
After changing the password, please install the Siebel Strong Encryption Pack (SSEP). For instructions to install the SSEP, refer to the ‘Siebel Strong Encryption Pack Installation Guide’.
Installing the SSEP is mandatory if you want to use higher encryption for AES and RC2.
After installing the SSEP, the following files appear in the BIN subdirectory of the location
Keydbupgrade
sslcrsaxxx.dll
Where xxx refers to the key length that you selected
Step 3.0) Increase the Encryption Level
Step 1) First, take a backup of the keyfile.
Step 2) Make sure that the Siebel Gateway Name Server and the Siebel Server are running.
Step 3) Execute the following command on the server side command prompt.
(Keydbupgrade.exe is located in the Bin Directory on the server)
Keydbupgrade.exe /u db_username /p db_password /l language /c config_file
Where u - User Name (e.g.: SADMIN)
p - Password (e.g.: SADMIN)
l – Language (e.g.: ENU)
c – Full location of the Configuration file
Step 4.0) Adding a new Encryption key
Step 1) Shut down any server components which are running.
Step 2) On the server side command prompt run
(Under server\bin directory)
>>Keydbmgr.exe /u db_username /p db_password /l ENU /c config_file
Step 3) To add an encryption key to the key file
>>enter 2.
Then enter any seed data (e.g.: Temppass)
(Any seed data will do as long as it is at least seven characters long)
Step 4) Exit the utility by entering 3.
There should not be any error messages while exiting the utility.
Step 5) Distribute the keyfile to all Siebel Servers.
Step 6) Restart the server components which you had shut down.
By executing the above steps you ensure that a new key has been generated in the keyfile. To confirm, check the modified date of the keyfile.
Note: Please take a backup again of this keyfile and store it elsewhere.
Step 5.0) Resetting the Enterprise parameters
This is a very important step. Please do not miss this.
Basically, we are re-encrypting the parameters that have their values encrypted. If they are not re-encrypted to the new encryption level, Siebel Server attempts to decrypt the encrypted parameters using the original encryption key and compares the result to the password entered.
For resetting the Enterprise Parameters, you will have to log on to the Server Manager Command-Line Interface. (For minute details refer to the Siebel System Administration Guide.)
Before starting you will need the Enterprise Server name, Siebel Server name and the Gateway Name Server name.
Step 1) Go to the server-side command prompt. In the Bin directory, you will find srvrmgr.exe.
Run it using the following command,
Srvrmgr.exe /g gateway /e Enterprise /S Server /u SADMIN /p SADMIN
Where Gateway – Name of the Gateway
Enterprise – Name of the Enterprise
Server – Name of the Siebel Server
If you are not able to connect, do not give the Siebel Server address.
There are many Enterprise parameters that you will have to change. They are
ApplicationPassword
CRC
ClientDBAPwd
CustomSecAdpt_CRC
CustomSecAdpt_TrustToken
DBPassword
DBSecAdpt_CRC
DSPassword
DSPrivUserPass
DbaPwd
ExtDBPassword
ExtPasswd
KeyFilePassword
MailPassword
NewDbaPwd
Password
PrivUserPass
SAPRfcPassword
TableOwnPass
TrustToken
Step 2) Change each parameter with the following command
>>Change ent param ApplicationPassword=
>>Change ent param ClientDBAPwd =
and so on…
Change the password of all the parameters mentioned above. You might not be using some of them; in that case you will get a message that the parameter is not found. Just ignore it.
NOTE: Please find out the existing parameters from the concerned people, and what they want each one set to.
Step 3) Exit the Server Manager command line.
Step 6.0) Distribute the keyfile to all the servers.
Step 7.0) Upgrading the existing encrypted and un-encrypted data to use the new encryption level.
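The backup and distribution steps above can be checked by hash rather than by modified date alone. This is an added example, not part of the original post or of any Siebel tooling; all paths are supplied by the operator, since the page gives neither the keyfile's name nor the servers' paths.

```python
import hashlib
import shutil
import time
from pathlib import Path

def sha256_of(path):
    """Hash a file in chunks so the whole keyfile never has to sit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()

def backup_keyfile(keyfile, backup_dir):
    """Copy the keyfile to backup_dir under a timestamped name and verify the copy."""
    keyfile, backup_dir = Path(keyfile), Path(backup_dir)
    backup_dir.mkdir(parents=True, exist_ok=True)
    dest = backup_dir / f"{keyfile.name}.{time.strftime('%Y%m%d-%H%M%S')}.bak"
    shutil.copy2(keyfile, dest)
    if sha256_of(dest) != sha256_of(keyfile):
        raise IOError(f"backup {dest} does not match {keyfile}")
    return dest

def check_distribution(reference, copies):
    """Compare each server's keyfile copy with the reference; return {path: status}."""
    want = sha256_of(reference)
    status = {}
    for copy in map(Path, copies):
        if not copy.is_file():
            status[str(copy)] = "missing"
        else:
            status[str(copy)] = "match" if sha256_of(copy) == want else "differs"
    return status

if __name__ == "__main__":
    import sys
    if len(sys.argv) > 2:  # usage: <reference keyfile> <copy on server 1> [...]
        for path, state in check_distribution(sys.argv[1], sys.argv[2:]).items():
            print(f"{state:8} {path}")
```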
Step 1) Configuring the Columns required for Encryption
We need to configure the required column, and a new column needs to be created. The new column is an index key.
Step 2) Creating an Input file
We need to create an input file which contains all the columns which need to be encrypted. Name the file ‘encrypt_columns.inp’. You can encrypt all the columns at once or one at a time.
The file is saved and stored in the BIN directory in the server folder.
The format of the input file is as follows
[S_CONTACT]
X_CC_NUM S_CONTACT X_CCNUM_ENCRPKEY_REF
WHERE (blank if you do not want any condition)
[S_CONTACT_X]
X_SOC_SECURITY_NUM S_CONTACT_X X_SECURITY_ENCRPKEY_REF
WHERE (blank if you do not want any condition)
The utility to run the Encryption is ‘encryptupg.exe’ and it is stored in the Server\Bin Directory.
From SIEBEL_ROOT\siebsrvr\bin, enter the following command:
>>encryptupg.exe /f FromEncryptionStrength /t ToEncryptionStrength /j InputFileName
/l Language /u UserName /p Password /c ConfigurationFile /L LogFile
Where /f - FromEncryptionStrength (e.g. NONE/RC2)
/t - ToEncryptionStrength (e.g. AES)
/j - InputFileName (full path of the Input file (encrypt_columns.inp))
/l - Language (e.g. ENU)
/u - UserName (e.g. SADMIN)
/p - Password (e.g. SADMIN)
/c - ConfigurationFile (full path of the Configuration file)
/L - LogFile (by default it is encryptupg.log—this is optional)
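Before running encryptupg.exe, the input file can be checked against the layout shown above. The following is an added example, not part of the original post or of any Siebel tooling; it assumes the three-token column line followed by a WHERE line is the whole layout, and that table and column names are upper-case identifiers.

```python
import re
IDENT = re.compile(r"^[A-Z][A-Z0-9_]*$")  # assumption: upper-case table/column names

def validate_inp(text):
    """Check input-file text against the layout on this page; return (entries, problems)."""
    entries, problems = [], []
    section = None  # table named by the current [TABLE] header
    pending = None  # column entry still waiting for its WHERE line
    def close_pending(where):
        nonlocal pending
        if pending is not None:
            problems.append(f"{where}: no WHERE line after column {pending['column']}")
            pending = None
    for no, raw in enumerate(text.splitlines(), 1):
        parts = raw.split()
        if not parts:
            continue
        if parts[0].startswith("["):
            close_pending(f"line {no}")
            name = raw.strip()[1:-1]
            section = name if raw.strip().endswith("]") and IDENT.match(name) else None
            if section is None:
                problems.append(f"line {no}: malformed section header")
        elif parts[0].upper() == "WHERE":
            if pending is None:
                problems.append(f"line {no}: WHERE line without a column line")
            else:
                pending["where"] = " ".join(parts[1:])  # empty when no condition
                pending = None
        else:
            close_pending(f"line {no}")
            if len(parts) != 3 or not all(IDENT.match(p) for p in parts):
                problems.append(f"line {no}: expected COLUMN TABLE KEY_REF_COLUMN")
                continue
            column, table, key_ref = parts
            if table != section:
                problems.append(f"line {no}: table {table} is not section [{section}]")
            if column == key_ref:
                problems.append(f"line {no}: key reference column equals data column")
            pending = {"table": table, "column": column, "key_ref": key_ref, "where": ""}
            entries.append(pending)
    close_pending("end of file")
    return entries, problems

# Constructed sample, copied from the layout shown above (no WHERE conditions).
SAMPLE = ("[S_CONTACT]\nX_CC_NUM S_CONTACT X_CCNUM_ENCRPKEY_REF\nWHERE\n"
          "[S_CONTACT_X]\nX_SOC_SECURITY_NUM S_CONTACT_X X_SECURITY_ENCRPKEY_REF\nWHERE\n")
if __name__ == "__main__":
    print(validate_inp(SAMPLE)[1] or "input file matches the expected layout")
```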
-------------------------END-------------------------
Hi,
I ran the following command to encrypt, but the process stuck for hours and I got a crash log. Please help.
encryptupg.exe /f NONE /t RC2 /j E:\sba80\siebsrvr\BIN\encryptupg.inp /l ENU /u username /p password /c E:\sba80\siebsrvr\BIN\enu\siebel.cfg /G testEn.log
This is my inp file:
[S_SRV_REQ1_FNX]
X_CC_NUMBER S_SRV_REQ1_FNX X_CCNUM_ENCRPKEY_REF