Cryptographic Algorithm

Overview

Version

| Report Server Version | Function Changes |
| --- | --- |
| V11.0 | / |
| V11.0.14 | 1. The default cryptographic algorithm type for transmission was changed from symmetric encryption to asymmetric encryption. 2. Provided the transmission.asymmetric parameter to switch the default cryptographic algorithm type for transmission. |

Application Scenario

Due to industry restrictions and risk management, some industries and companies need to use domestic encryption methods to control system data and security.

Function Introduction

You can switch Cryptographic Algorithm in the decision-making platform.

  • You can switch between Default Algorithm and SM cryptographic algorithm. After switching to SM cryptographic algorithm, transmission, storage, user passwords, etc. are all encrypted using SM cryptographic algorithm.

  • Switching encryption methods does not affect the normal use of the decision-making platform. Users and their permission settings are preserved.

Notes

1. The decision-making platform must be configured with an external database, and systems using a built-in database do not support switching Cryptographic Algorithm.

2. Before switching to SM cryptographic algorithm, the db.properties file of the external database requires write permission.

3. After switching Cryptographic Algorithm in a cluster environment, other nodes cannot connect to FineDB and the nodes cannot communicate with each other, so the encryption method cannot be synchronized between nodes.

Therefore, if you need to switch Cryptographic Algorithm in a cluster environment, shut down the other nodes and perform the switch on a single node only.

After the switch succeeds, manually copy the %FR_HOME%\webapps\webroot\WEB-INF\config folder from this node to the other nodes and restart the other nodes to complete the switch of Cryptographic Algorithm.

4. When the system uses SM cryptographic algorithm, the server cannot be downgraded to a lower version.

5. After switching Cryptographic Algorithm, the administrator password needs to be reset.

6. After switching Cryptographic Algorithm, the passwords of manually added/imported users and of synchronized users whose user information can be edited will be automatically reset to 123456.

7. After switching Cryptographic Algorithm, the version of the designer used to remotely connect to the system must be consistent with the system. Inconsistent JAR packages may result in remote connection or system access failures.

8. Switching Cryptographic Algorithm will reset the administrator password, so it is necessary to carefully allocate the permissions in System.

9. If the server uses encryption method A and the database to be enabled uses encryption method B, first switch the encryption method of the server to B so that the server and the database use the same encryption method, and then enable the database.

If the encryption methods are inconsistent, enabling the external database will cause serious issues such as login failure.
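One way to check the manual copy described in Note 3, as an added example that is not part of the original documentation: it hashes every file in the config folder of the switched node and of another node and lists what differs. It assumes both folders are reachable as local paths and that the check runs after the copy and before the other node is restarted; the function names and the sample files are constructed for illustration.

```python
import hashlib
import tempfile
from pathlib import Path


def manifest(config_dir):
    """Map each file path (relative to config_dir) to its SHA-256 digest."""
    root = Path(config_dir)
    if not root.is_dir():
        raise NotADirectoryError(f"config folder not found: {root}")
    return {
        p.relative_to(root).as_posix(): hashlib.sha256(p.read_bytes()).hexdigest()
        for p in root.rglob("*") if p.is_file()
    }


def compare_config(switched_node_dir, other_node_dir):
    """Return what other_node_dir lacks, adds or changes relative to the switched node."""
    src, dst = manifest(switched_node_dir), manifest(other_node_dir)
    return {
        "missing": sorted(src.keys() - dst.keys()),
        "extra": sorted(dst.keys() - src.keys()),
        "changed": sorted(k for k in src.keys() & dst.keys() if src[k] != dst[k]),
    }


def is_synchronized(switched_node_dir, other_node_dir):
    """True only when both config folders hold the same files with the same bytes."""
    return not any(compare_config(switched_node_dir, other_node_dir).values())


def demo():
    """Constructed sample: two temporary folders stand in for two nodes' config folders."""
    with tempfile.TemporaryDirectory() as a, tempfile.TemporaryDirectory() as b:
        for root, flag in ((a, "true"), (b, "false")):
            Path(root, "encryption.properties").write_text(
                f"transmission.asymmetric={flag}\n")
        # File present only on the switched node (constructed name and content)
        Path(a, "sample.properties").write_text("placeholder=constructed\n")
        return compare_config(a, b)


if __name__ == "__main__":
    print(demo())
```

An empty result in all three lists means the other node holds the same config files as the node on which the switch was performed.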

Cryptographic Algorithm

Log in to the decision-making platform, click Manage > System > General, and click the Switch button at Cryptographic Algorithm.

The server has two types of cryptographic algorithm built-in: Default Algorithm and SM cryptographic algorithm, and Default Algorithm is used by default.

You can replace the built-in SM cryptographic algorithm with a commercial SM cryptographic algorithm that you have purchased or developed. Contact technical support for details. Technical support contact information: see Fanruan Official Service Channel Instructions.

Note: If the selected cryptographic algorithm is the same as the current cryptographic algorithm of the system, the One-click Switch button will be grayed out and cannot be clicked.

Example

This example switches from Default Algorithm to SM cryptographic algorithm, and you can also switch from SM cryptographic algorithm to Default Algorithm with exactly the same steps.

Selecting Algorithm

Select SM cryptographic algorithm, click One-click Switch, and a prompt window will pop up.

  • The current project will be backed up before changing the encryption method. It may take a long time. Please make sure that the system is not in use.

  • When the encryption method is changed, the user password added/imported/synchronized with editable user information and the administrator account will be reset (reset password to 123456). Sure to change?

Backing up Server

Click OK to automatically back up the current server, and it will prompt: Backing up...Please do not shut down the server

Note:

1. The backed-up files are displayed under Manage > Intelligent Operations > Backup and Restore > Manual Backup. For details, see Backup and Restore.

2. During backup, you will not be able to use the server normally in the decision-making platform. You can only access the server normally after the administrator account and password are successfully reset.

Switching Algorithm

After the switch is completed, it will prompt: The encryption switch is successful, please reset the administrator account, if you use the designer, please upgrade to the same version.

Resetting Password

Click OK and you will be automatically redirected to the Please set administrator account page.

Effect

Overall Success

If all processes are correct, transmission and storage encryption switching will be successful, and cryptographic algorithm switching will be successful.

After cryptographic algorithm is switched, the stored passwords in the system will be automatically replaced.

1. You will be automatically redirected to the Please set administrator account page to reset the account and password.

2. For user passwords:

  • For synchronized users whose user information is not set to be editable, synchronization will be triggered and user passwords will be retained.

  • For synchronized users whose user information is set to be editable, user passwords will be reset to 123456.

  • For manually added/imported users, their passwords will be reset to 123456.

3. The system will automatically change the cryptographic algorithm of the password field in FineDB database and replace it with the password generated by the new cryptographic algorithm.

4. The system will automatically change the cryptographic algorithm during the transmission process and change the connection password algorithm for external databases.

Overall Failure

If the overall switch of cryptographic algorithm fails, the previous cryptographic algorithm will continue to be used for transmission and storage. This happens in the following cases:

1. Incorrect commercial SM cryptographic algorithm

2. Failed to back up server

3. Failed to update external database password

Partial Failure

Some password switches fail, while the rest are successful.

1. Failed to switch passwords stored in database

Prompt:

Passwords stored in database (database connection PWD, Email PWD) update failed.

Please reset the administrator account, if you use the designer, please upgrade to the same version.

2. User passwords switching failed (built-in, synchronized)

Prompt:

  • Only built-in user switching failed: Sync User switched successfully; Built-in User switching failed. User password cannot be updated.

  • Only sync user switching failed: Sync User switching failed; Built-in User switched successfully. User password cannot be updated.

  • Both failed: Sync User switching failed; Built-in User switching failed. User password cannot be updated.

  • If both switched successfully, there will not be a prompt.

3. Both the passwords stored in database and user passwords failed to switch

The prompts of the above two scenarios appear together.

Transmission Encryption

Transmission Cryptographic Algorithm

From version 11.0.14, servers use asymmetric cryptographic algorithm by default, while servers of version 11.0.13 and earlier use symmetric encryption algorithm by default, as shown in the table below:

| Cryptographic Algorithm Type | Default Algorithm | SM Cryptographic Algorithm |
| --- | --- | --- |
| Asymmetric cryptographic algorithm | RSA | SM2 |
| Symmetric cryptographic algorithm | AES | SM4 |

Switching Transmission Cryptographic Algorithm

You can switch between symmetric cryptographic algorithm and asymmetric cryptographic algorithm according to your needs.

Note: Default transmission cryptographic algorithm switching is only supported for servers of version 11.0.14 and later.

1. Go to the directory %FR_HOME%\webroot\WEB-INF\config and find the configuration file encryption.properties.

2. Edit the encryption.properties file, modify the value of the parameter transmission.asymmetric, and restart the server to change the encryption method.

For details, see the table below:

| Parameter | Parameter Value | Meaning |
| --- | --- | --- |
| transmission.asymmetric | True | Enable asymmetric transmission encryption, and the transmission encryption method is asymmetric encryption. |
| transmission.asymmetric | False | Disable asymmetric transmission encryption, and the transmission encryption method is symmetric encryption. |
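The two tables above combined into a read-only audit check, as an added example that is not part of the original documentation: it reads the text of encryption.properties and reports which transmission algorithm the tables imply for a given server version and algorithm selection. Assumptions: the file uses key=value lines, the value is matched case-insensitively, a missing parameter means the version default, and the parameter has no effect before 11.0.14; all function and variable names are hypothetical.

```python
import re

KEY = "transmission.asymmetric"
# (algorithm family, asymmetric?) -> transmission algorithm, per the page's table
ALGORITHMS = {
    ("default", True): "RSA", ("default", False): "AES",
    ("sm", True): "SM2", ("sm", False): "SM4",
}
# Assumption: encryption.properties uses ordinary key=value (or key:value) lines
_LINE = re.compile(r"^\s*" + re.escape(KEY) + r"\s*[=:]\s*(\S*)\s*$")


def parse_version(text):
    """'V11.0.14' or '11.0.14' -> (11, 0, 14)."""
    return tuple(int(part) for part in text.strip().lstrip("vV").split("."))


def audit_transmission(properties_text, server_version, family="default"):
    """Return the transmission setting implied by the page's tables.

    family is 'default' or 'sm', i.e. the algorithm selected in the platform.
    """
    if family not in ("default", "sm"):
        raise ValueError("family must be 'default' or 'sm'")
    if parse_version(server_version) < (11, 0, 14):
        # 11.0.13 and earlier: symmetric; assumption: the parameter is ignored
        asymmetric, source = False, "version default"
    else:
        asymmetric, source = True, "version default"
        for line in properties_text.splitlines():
            match = _LINE.match(line)  # commented-out lines do not match
            if match:
                # Assumption: any value other than true/True counts as false
                asymmetric = match.group(1).lower() == "true"
                source = "encryption.properties"
    return {"asymmetric": asymmetric, "source": source,
            "algorithm": ALGORITHMS[(family, asymmetric)]}


# Constructed sample file content, not taken from a real server
SAMPLE = "# constructed sample\n#transmission.asymmetric=True\ntransmission.asymmetric=False\n"

if __name__ == "__main__":
    print(audit_transmission(SAMPLE, "11.0.14", family="sm"))
    print(audit_transmission("", "11.0.14"))
    print(audit_transmission(SAMPLE, "11.0.13"))
```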

 

