Authentication and Encryption in ProjectWise [FAQ]
Document Information
Document Type: FAQ
Applies To
Product(s): Bentley ProjectWise
Version(s): All
Environment: N/A
Area: N/A
Subarea: N/A
Original Author: Bentley Technical Support Group
Legacy Document Number: 8400
What type of encryption is used when a user is logging into WEL without using SSL?
It uses standard Base64 encoding. The user name is passed in clear text. Base64 is typically referred to as an encoding scheme, not encryption. It is a very trivial encoding and is not considered secure.
What type of encryption is used when a user is logging into WEL using SSL?
It uses 128-bit encryption for the user name and passwords that are passed over the wire. The strength of the SSL session between a browser and server depends on the strength of the session key that is generated during session negotiation. This is a symmetric key used to encrypt and decrypt data exchanged by the browser and server. Browsers and servers usually negotiate the strongest mutually supported session. This means that if the user's browser and your Web server both support 128-bit SSL sessions, a 128-bit session is established. If the user's browser only supports 40-bit SSL sessions, then a 40-bit session is established even if your Web server supports 128-bit sessions.
What type of encryption is used when a user is logging in from ProjectWise Explorer using a Windows account from the domain to log into the datasource?
It uses the NTLM authentication and encryption method. Kerberos authentication is also supported, but neither NTLM nor Kerberos is used for encryption. Without separately activated SSL encryption (between the client and the server), only some of the most sensitive parts of some messages are encrypted, using the RC4 algorithm with 128-bit keys. That is done independently of the authentication protocol.
What type of encryption is used when a user is logging into ProjectWise Explorer using a Logical ProjectWise account to log into the datasource?
It is encrypted using the RC4 algorithm (using 128-bit keys).
What type of encryption is used when a user is logging in using SSL on the ProjectWise Application Server where the datasources are published (running ProjectWise in secure mode)?
It uses 128-bit encryption from the certificate server in your network. The keys are validated by the server running the certificate server. It still uses port 5800. I would refer to this as the "ProjectWise Secure Connection" when not talking about WEL using HTTPS. SSL is a well-known standard and our connection is not based on it.
Can I enable SSL with ProjectWise Explorer? Are there any port configuration changes?
Using ProjectWise in secure mode encrypts the data from ProjectWise Explorer to the application server. The configuration is done on the server. The encryption keys are handled by the certificate server.
Does the file get encrypted using ProjectWise when being transferred over the wire?
Only when using the PW secure connection.
What type of secure communication happens when communicating with the database?
ProjectWise communicates with the backend database through ODBC. ProjectWise will use whatever type of connection you have set up. For example, MS SQL Server passes the user/password in clear text. You can use the Server Network Utility to enable SSL encryption over all enabled network libraries. SQL Server 2000 can then use SSL to encrypt all data transmitted over any network library between a SQL Server 2000 client (ProjectWise Application Server) and a server running SQL Server 2000. The encryption level, 40-bit versus 128-bit, depends on the level of encryption supported by the Windows operating system involved as well. For maximum security, it is recommended that you use Microsoft integrated authentication for the database connection.
How does ProjectWise work with Active Directory?
ProjectWise works with an Active Directory model in both Mixed and Native mode. ProjectWise Authentication Server will pull information from the Domain controller on users and groups within AD. Once in ProjectWise the users authenticate from the PW application server to the domain controller in AD.
Does ProjectWise store my Passwords in the Database?
For ProjectWise Windows users we do NOT store the password in the database. The ProjectWise Authentication Server brings the user names from the domain into the database, where they are stored in the DS_SID table. It then populates the user names to the dms_user table. When the user authenticates into ProjectWise, the ProjectWise Application makes a call to the domain controller in real time to authenticate the user. For this reason we do not store ProjectWise Windows accounts in the database. The actual passwords are not stored in the database. In the PW logical user case only, an MD5 hash of the password is stored so that the plain text user password cannot be recovered.
Does ProjectWise support Kerberos?
Not directly. ProjectWise will work with a Win2003 Active Directory using Kerberos. Authentication using Kerberos is supported.
If a user logs in from the WEL client using his NT account, how does ProjectWise deal with the password sent over the wire? Again, what protocol are we using?
If not using SSL, it uses Base64 encoding and the password is encoded using that. For a more secure method, it is recommended to use SSL within the web environment.
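The point made here and in the first answer, that Base64 is an encoding and not encryption, can be checked against a traffic capture. The following is an added example, not Bentley code: it assumes the credentials travel in a standard HTTP `Authorization: Basic` header (the page does not state the header format), and the host, path, account and function names are constructed for illustration.

```python
import base64
import binascii
from dataclasses import dataclass

# Constructed sample traffic (scheme, raw request); host, path and account are made up.
_TOKEN = base64.b64encode(b"jsmith:Summer2024!").decode()
_REQ = "GET /login HTTP/1.1\r\nHost: pw.example.test\r\nAuthorization: Basic {}\r\n\r\n"
SAMPLE_REQUESTS = [
    ("http", _REQ.format(_TOKEN)),          # clear-text transport
    ("https", _REQ.format(_TOKEN)),         # same header, but inside a TLS session
    ("http", _REQ.format("!!not-base64")),  # malformed token
    ("http", "GET / HTTP/1.1\r\nHost: pw.example.test\r\n\r\n"),  # no credentials
]

@dataclass
class Finding:
    index: int         # position of the request in the capture
    user: str          # recovered user name
    password_len: int  # length only; the password itself is not retained

def decode_basic(header_value):
    """Return (user, password) from a Basic credential, or None if malformed."""
    scheme, _, token = header_value.strip().partition(" ")
    if scheme.lower() != "basic":
        return None
    try:
        raw = base64.b64decode(token.strip(), validate=True)  # no key involved
    except (binascii.Error, ValueError):
        return None
    user, sep, password = raw.decode("utf-8", "replace").partition(":")
    return (user, password) if sep else None

def find_exposed_logins(requests):
    """Flag requests whose Basic credentials crossed the wire without TLS."""
    findings = []
    for i, (scheme, raw) in enumerate(requests):
        if scheme != "http":
            continue  # over HTTPS the header is protected by the session key
        for line in raw.split("\r\n")[1:]:  # skip the request line
            name, _, value = line.partition(":")
            if name.strip().lower() == "authorization":
                creds = decode_basic(value)
                if creds:
                    findings.append(Finding(i, creds[0], len(creds[1])))
    return findings

if __name__ == "__main__":
    for f in find_exposed_logins(SAMPLE_REQUESTS):
        print(f"request {f.index}: user={f.user!r} password of {f.password_len} chars recoverable")
```

Only the first sample request is flagged: the HTTPS request carries the same header but inside the encrypted session, and the malformed token is rejected rather than guessed at.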