| Applies To | |
| --- | --- |
| Product(s): | ProjectWise |
| Version(s): | All |
| Environment: | N/A |
| Area: | N/A |
| Subarea: | N/A |
| Original Author: | Bentley Technical Support Group |
Encryption for ProjectWise WebParts
Logical and Non-SSO Domain user credentials
WebParts does not provide any encryption for Logical and Non-SSO Domain user credentials: if TLS / SSL is not enabled, the credentials are passed in plain text from your web browser to the ProjectWise WebParts Server.
Encryption of credentials from the WebParts Server to the Integration Server is handled the same way as ProjectWise Explorer credentials (see below).
SSO Domain user credentials
SSO credential handling depends on the configuration of the user's browser and of the IIS server hosting the WebParts site. By default IIS is set to use the Negotiate and NTLM security providers to exchange an encrypted token. The Negotiate provider will attempt Kerberos first and will fall back to NTLM if Kerberos fails.
The exact strength of encryption used for the token will depend on the provider used, the levels of encryption the client's browser supports, and the versions of Windows / IIS / Active Directory you are running. By default on Windows Server 2008 and later most older and weaker forms of NTLM and Kerberos encryption are disabled; however, it is possible to re-enable them. Please examine your domain and server settings to determine the exact encryption level provided.
This only applies to credentials from your web browser to the ProjectWise WebParts Server. Encryption of credentials from the WebParts Server to the Integration Server is handled the same way as ProjectWise Explorer credentials (see below).
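One way to do the "examine your domain and server settings" step above, as an added example that is not Bentley's code: this PowerShell script, run on the IIS server hosting WebParts, lists the provider order IIS offers and the two host settings that decide whether weak NTLM or DES Kerberos token encryption is still possible. It assumes the site is named 'Default Web Site' (a placeholder) and that the WebAdministration module is installed; steps 2 and 3 apply equally to the ProjectWise Explorer SSO section below.

```powershell
# Added example, not Bentley's code. Assumes the WebParts site is 'Default Web Site'
# (placeholder) and that the IIS WebAdministration module is available.
Import-Module WebAdministration
$SitePath = 'IIS:\Sites\Default Web Site'   # assumption: change to the site hosting WebParts

# 1. Windows Authentication state and provider order (Negotiate listed first means
#    Kerberos is attempted before NTLM, as the TechNote describes).
$authFilter = 'system.webServer/security/authentication/windowsAuthentication'
$enabled   = (Get-WebConfigurationProperty -PSPath $SitePath -Filter $authFilter -Name 'enabled').Value
$providers = (Get-WebConfigurationProperty -PSPath $SitePath -Filter "$authFilter/providers" -Name 'Collection').value
"Windows Authentication enabled : $enabled"
"Provider order                 : $($providers -join ', ')"

# 2. LAN Manager authentication level: decides whether LM / NTLMv1 responses are still
#    sent or accepted. Not set means the OS default applies.
$lmNames = @{0='LM & NTLM'; 1='LM & NTLM, NTLMv2 session security if negotiated'; 2='NTLM only';
             3='NTLMv2 only'; 4='NTLMv2 only, refuse LM'; 5='NTLMv2 only, refuse LM & NTLM'}
$lm = (Get-ItemProperty 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa').LmCompatibilityLevel
if ($null -eq $lm) { "LmCompatibilityLevel           : not set (OS default applies)" }
else { "LmCompatibilityLevel           : $lm ($($lmNames[[int]$lm]))" }

# 3. Kerberos encryption types allowed on this host: bit mask written by the policy
#    'Network security: Configure encryption types allowed for Kerberos'.
$kerbKey = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\Kerberos\Parameters'
$mask = (Get-ItemProperty $kerbKey -ErrorAction SilentlyContinue).SupportedEncryptionTypes
if ($null -eq $mask) { "Kerberos encryption types      : not set (OS default applies)" }
else {
    $etypes = [ordered]@{0x1='DES_CBC_CRC (weak)'; 0x2='DES_CBC_MD5 (weak)'; 0x4='RC4_HMAC_MD5 (legacy)';
                         0x8='AES128_HMAC_SHA1'; 0x10='AES256_HMAC_SHA1'}
    $allowed = $etypes.Keys | Where-Object { $mask -band $_ } | ForEach-Object { $etypes[$_] }
    "Kerberos encryption types      : 0x{0:X} -> {1}" -f $mask, ($allowed -join ', ')
    if ($mask -band 0x3) { "WARNING: DES Kerberos encryption types have been re-enabled on this host." }
}
```

Run it on the domain controllers as well, since the token strength is negotiated between client, IIS host and domain, and the weakest common setting wins.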
Navigation and File Transfer
WebParts does not provide any encryption of navigation or file transfer traffic between the client and the web server if TLS / SSL is not enabled.
This only applies to navigation and file transfer from your web browser to the ProjectWise WebParts Server. Encryption of navigation and file transfer from the WebParts Server to the Integration Server / Storage Area Server is handled the same way as ProjectWise Explorer navigation and file transfer (see below).
With TLS / SSL enabled
Enabling TLS / SSL for the website hosting ProjectWise WebParts does not change any of the above information HOWEVER it does encapsulate all communication between the user and the server in a TLS / SSL encrypted session.
The exact strength of the encryption used will depend on the key length of the certificate used and the encryption algorithms supported by the client and the server. Please examine your certificate and server settings to determine the exact encryption level provided.
This only applies to traffic from your web browser to the ProjectWise WebParts Server. Encryption of credentials from the WebParts Server to the Integration Server is handled the same way as ProjectWise Explorer credentials (see below).
Encryption for ProjectWise Explorer
Logical and Non-SSO Domain user credentials
Both Logical and Non-SSO Domain users are handled the same way: ProjectWise Explorer uses RSA 1024 to exchange a secret key, which is then used to encrypt the username and password with 3DES. The encrypted data is sent to the Integration Server, which decrypts it and validates Logical users against the ProjectWise database and Domain users against Active Directory using a Microsoft API.
SSO Domain user credentials
When doing SSO, ProjectWise Explorer will try Kerberos and fall back to NTLM to get an encrypted token from the domain for authentication. The Integration Server validates the token against the domain using a Microsoft API. Encryption for the API call is governed by Active Directory.
The exact strength of encryption used for the token will depend on the provider used, the levels of encryption the client and server operating systems support, and the versions of Active Directory you are running. By default on Windows Server 2008 and later most older and weaker forms of NTLM and Kerberos encryption are disabled; however, it is possible to re-enable them. Please examine your domain and server settings to determine the exact encryption level provided.
Navigation and File Transfer
ProjectWise Explorer does not provide any encryption of navigation or file transfer traffic between the client and the server if TLS / SSL is not enabled.
With TLS / SSL enabled (SecureConnection=1)
Enabling TLS / SSL for a ProjectWise server does not change any of the above information; HOWEVER, it does encapsulate all communication between the server with SecureConnection=1 and the next hop in a TLS / SSL encrypted session. The 'next hop' could be ProjectWise Explorer, the ProjectWise WebParts Server, or another ProjectWise Server (Integration, Gateway, Caching). Communication is encrypted one server hop at a time to provide the most flexibility in deploying ProjectWise. For most users, setting SecureConnection=1 on their public-facing server is sufficient; however, if you require other connections to be encrypted you can enable SecureConnection=1 on any server needed. To enable SecureConnection=1 on a given server you will need to obtain a certificate for that server.
The exact strength of the encryption used will depend on the key length of the certificate used and the encryption algorithms supported by the client and the server OS. Please examine your certificate and server settings to determine the exact encryption level provided.
There is a small performance cost to enabling TLS / SSL that will depend on server load and processing power. Most users do not see a meaningful impact when enabling TLS / SSL; if it is found to cause issues in your environment, you may want to look into third-party VPN solutions.
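The "examine your certificate and server settings" step in both TLS / SSL sections above (WebParts and ProjectWise Explorer), as an added example that is not Bentley's code: this PowerShell script, run on the server with administrator rights, reports the key length and signature algorithm of the certificate behind each IIS HTTPS binding, of every certificate with a private key in the machine store (assumed to be where a ProjectWise server certificate is installed), and which Schannel protocol versions the server side will still offer. The IIS part is skipped where the WebAdministration module is absent, such as on a plain Integration Server.

```powershell
# Added example, not Bentley's code. Run on the WebParts or ProjectWise server itself.
function Show-Cert([string]$Label, $Cert) {
    # Key length and signature algorithm bound the TLS strength; KeySize assumes an RSA certificate.
    "{0,-45} {1,5} bits  {2}  expires {3:d}" -f $Label, $Cert.PublicKey.Key.KeySize,
        $Cert.SignatureAlgorithm.FriendlyName, $Cert.NotAfter
}

# 1. Certificate behind each IIS HTTPS binding (WebParts site); skipped without IIS tooling.
if (Get-Module -ListAvailable WebAdministration) {
    Import-Module WebAdministration
    foreach ($b in (Get-WebBinding -Protocol https)) {
        $store = if ($b.certificateStoreName) { $b.certificateStoreName } else { 'My' }
        $cert  = Get-ChildItem "Cert:\LocalMachine\$store" | Where-Object Thumbprint -eq $b.certificateHash
        if ($cert) { Show-Cert "https binding $($b.bindingInformation)" $cert }
    }
}

# 2. Every certificate with a private key in the machine store (assumption: this is where the
#    certificate obtained for a SecureConnection=1 server is installed).
Get-ChildItem Cert:\LocalMachine\My | Where-Object HasPrivateKey | ForEach-Object { Show-Cert $_.Subject $_ }

# 3. Server-side Schannel protocol settings. Absent key means the OS default applies;
#    Enabled=0 or DisabledByDefault=1 means the version is not offered.
$base = 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols'
foreach ($proto in 'SSL 2.0', 'SSL 3.0', 'TLS 1.0', 'TLS 1.1', 'TLS 1.2') {
    $v = Get-ItemProperty "$base\$proto\Server" -ErrorAction SilentlyContinue
    $state = if ($null -eq $v) { 'OS default' }
             elseif ($v.Enabled -eq 0 -or $v.DisabledByDefault -eq 1) { 'disabled' }
             else { 'enabled' }
    "{0,-8} server side: {1}" -f $proto, $state
    if ($proto -in 'SSL 2.0', 'SSL 3.0', 'TLS 1.0' -and $state -ne 'disabled') {
        "WARNING: $proto is not explicitly disabled; the OS default may still offer it."
    }
}
```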
Port when using TLS / SSL
Enabling TLS / SSL does not change the port used by ProjectWise; however, you can change the port ProjectWise uses in the DMSKrnl config to any valid, unused port on the server.
ProjectWise Database
Database Communication
ProjectWise uses a standard ODBC interface for making all calls to the database, which is not encrypted by default. Both Microsoft SQL Server and Oracle provide the ability to enable TLS / SSL encryption at this layer. For more information contact your database vendor.
User Passwords in the database
For ProjectWise Logical users the password is stored as a SHA1 hash. For Windows users no password is stored for the user.
Authentication of domain users is accomplished by calling a Microsoft API to validate whatever credentials or token the user presents at login. Encryption for the API call is governed by Active Directory.
See Also
ProjectWise TechNotes And FAQs
External Links
Bentley Technical Support KnowledgeBase