Ellucian Advance

Security Technical Reference

Release 2016
December 2016
Without limitation: Ellucian®, Banner®, Colleague®, and Luminis® are trademarks of the Ellucian group of companies that are registered in
the U.S. and certain other countries; and Ellucian Advance™, Ellucian Course Signals™, Ellucian Degree Works™, Ellucian PowerCampus™,
Ellucian Recruiter™, Ellucian SmartCall™, are also trademarks of the Ellucian group of companies. Other names may be trademarks of their
respective owners.

© 2002, 2016 Ellucian.

Contains confidential and proprietary information of Ellucian and its subsidiaries. Use of these materials is limited to Ellucian licensees, and is
subject to the terms and conditions of one or more written license agreements between Ellucian and the licensee in question.

In preparing and providing this publication, Ellucian is not rendering legal, accounting, or other similar professional services. Ellucian makes no
claims that an institution's use of this publication or the software for which it is provided will guarantee compliance with applicable federal or
state laws, rules, or regulations. Each organization should seek legal, accounting, and other similar professional services from competent
providers of the organization's own choosing.

Ellucian
4375 Fair Lakes Court
Fairfax, Virginia 22033
United States of America

Revision History
Publication Date Summary
December 2016 New version that supports Advance 2016 software.
 Contents
Introduction.................................................................................................................... 4

How this guide is organized ........................................................................................... 4

Assumptions about this Guide ........................................................................................ 4
Intended audience ........................................................................................................ 4

1 Authentication .......................................................................................................... 5

Authentication settings .................................................................................................. 5

Database ..................................................................................................................... 5
LDAP – Independent of the database ............................................................................. 5

2 Customizing Security ................................................................................................ 6

How to customize the Advance Salt Value and Proxy Password ......................................... 6
How to set up LDAP for use with Advance ...................................................................... 7

3 Data Protection ........................................................................................................ 8

4 Data Encryption ........................................................................................................ 9

5 Security Diagram .................................................................................................... 10

Introduction

This document is meant to help you understand the security (authentication and authorization process)
model used by Ellucian Advance™. Gaining a better understanding of how these processes work will
allow you and your organization to make educated decisions regarding whether you should customize
the authentication and authorization process and how to do so.
Information in this document applies to all Ellucian applications that use the Advance security model,
including the following applications:
• Configuration Utility
• AdvExport
• SmartCall Integration Utility

How this guide is organized

This guide was designed so that you may, at any given time, pick it up and read any one section, and
then put it down without needing to proceed to the next section. Additionally, you may use this guide
as a reference to help answer simple questions, such as “what is authentication?”

Assumptions about this Guide

This guide is not all-inclusive. This guide covers all the main tasks you may want to perform, but it
doesn’t tell you all the various ways you can perform a task, nor does it tell you all the possible
options for each task. This guide chooses one way – usually the most commonly used and most
effective way – and steps you through how to perform the task quickly and effectively.

Intended audience
The intended audience of this document is system administrators, database administrators, and
knowledgeable programmers. Information in this document will not be beneficial for most end-users,
such as data entry staff.

Ellucian Advance | Security Technical Reference 4

1 Authentication

The term “authentication” is used to describe the process by which Advance determines whether the
user (identified by their username and password) is who they say they are. For example, if a user
attempts to log in to Advance and enters an invalid username and password combination, their
credentials will fail the authentication process.

Authentication settings
The Advance security model allows you to use either one of the following authentication methods.
• Database
• LDAP Independent of the Database

Database
This authentication type indicates that you wish to use your database to authenticate
username/password combinations. This is the standard out-of-the-box authentication method.
Database accounts use a hashed password to activate the role ‘advrole.’ Non-database accounts have
hashed passwords and ‘advrole’ by default. Advance uses adv100.dll, a variant of the MD5 algorithm
to perform hashes. Use this authentication type if LDAP is integrated with your Oracle database, and
your user is “identified externally.”
If you wish to use this authentication type, set the authentication type in the security.ini file to
‘DBConnect’, and set the Authentication Type for each user to ‘Database’ via the Users Security
window of the Configuration Utility. These are the default settings for an install or upgrade.

LDAP – Independent of the database

This authentication setting indicates you wish to use LDAP to authenticate username/password
combinations. This authentication method requires you have an LDAP directory service installed on
your network, and have LDAP users with passwords in the database. If you wish to use LDAP as
your authentication method, a corresponding Advance user (in the zz_user table) must be created for
each LDAP account using the Users Security window in the Advance Configuration Utility. The user
that you create via the Users Security window must have an Authentication Type of ‘Identified
Independently.’

Ellucian Advance | Security Technical Reference 5

2 Customizing Security

How to customize the Advance Salt Value and

Proxy Password
When the Advance Configuration Utility, AdvExport, and the SmartCall Integration Utility are
installed on a client machine, several files are installed in the executable directory. These files include
the EXEs (Executable), DLLs (Dynamic Link Library), and PBDs (PowerBuilder Dynamic Library)
necessary to run the application. A system administrator, database administrator, or equivalent can
apply an additional level of security to the Advance database. This can be accomplished by having a
PowerBuilder developer use the Custom Salt Value / Proxy Password utility to customize the
Advance salt value and/or proxy password and generate new versions of the file
‘SunGardBSRsalt.pbd’.
The term ‘salt’ is used to describe secret bits of information that can be added to your password to
produce an encrypted version of your password. Customizing the salt value at your institution will
assist you in further protecting your database by decreasing the likelihood that a devious person will
discover encrypted user and role passwords.
The term ‘proxy password’ is used to describe the password that is used for all proxy accounts that
are created when Kerberos or LDAP is used as the authentication method, independent of the
Advance database. The proxy password is also encrypted using the salt value.

Warning:
This utility is not installed with the Advance base product and can only be used on a PC running a
licensed version of PowerBuilder Enterprise version 12.1, build 6518. For instructions on how to
obtain this utility, please contact [email protected].
To customize the Salt Value or Proxy Password:
1. Once you have accessed the Custom Salt/Proxy Password utility, specify the location of the
SunGardBSRsalt.pbd file via the “Source Location” field. Use the ellipses button to search
for the location of this folder.
2. Specify the location that you wish to generate a new version of the SunGardBSRsalt.pbd
file via the “Destination Location” field. Use the ellipses button to search for the location of
this folder.
3. If you wish to change the Salt Value, check the Change Salt Value check box and specify the
new salt value in the New Salt Value field. Confirm the new password in the Confirm New
Salt Value field.
4. If you wish to change the Proxy Password, check the Change Proxy Password check box and
specify the new proxy password in the New Proxy Password field. Confirm the new password
in the Confirm New Proxy Password field.

Ellucian Advance | Security Technical Reference 6

 5. Press the ‘Create SunGardBSRsalt.pbd and pbl’ button.
6. After you have customized the salt value or proxy password via this utility, copy the new pbd
file into your Configuration Utility executable folder.
7. Using an Advance Security Officer username/password combination, launch the
Configuration Utility and open the Timestamp Synchronization window. In this window,
synchronize the timestamp on the new file with the salt_timestamp column in the zz_schema
table. When you use this utility to synchronize the database with the new pbd file, any user
that does not have the new pbd file will be unable to connect to the Advance database, which
makes the timing of this process extremely important.
8. Lastly, distribute a copy of the new .pbd file generated during the creation process. This pbd
file will need to be distributed to all applications systems and all directories that use the
Advance security model, including Advance, the Configuration Utility, AdvLoader,
AdvExport, and the SmartCall Integration Utility.

How to set up LDAP for use with Advance

To set up LDAP for use with Advance:
1. After you have installed and configured your LDAP database, add users via the Configuration
Utility. When the users are added, they must be added with an Authentication Type of
“Identified Independently.”
2. Change the Security Provider Type value in the Web.Config file on the Web Server from
“AdvDBConnect” to “AwaSecurityLDAP.”

Before: <add key="SecurityProviderType" value="AdvDBConnect" />

After: <add key="SecurityProviderType" value="AwaSecurityLDAP" />
3. Change the Security Provider Assembly value in the Web.Config file on the Web Server by
removing the “AdvanceDBConnect” reference.
Before: <add key="SecurityProviderAssembly"
value="Ellucian.Advance.Security.AdvanceDBConnect" />

After: <add key="SecurityProviderAssembly"

value="Ellucian.Advance.Security" />
4. Access the Configuration Utility and set Advance System Options 208-225.

Technical

System Option 210 requires a full Distinguished Name. Failure to set this value
appropriately will result in unexpected system behavior.
For example: cn=manager,dc=sungardbsr,dc=com.

Ellucian Advance | Security Technical Reference 7

3 Data Protection

Securing data that pertains to an individual’s identity and financial information is essential. Advance
includes functionality that aids you in securing the following types of information stored in the
Advance database in a way that the data can not be viewed outside of Advance. This concept applies
regardless of whether the information was entered and saved manually or through an automated feed.
• Tax ID Numbers (e.g. Social Security Numbers)
• Bank Routing Numbers and Account Numbers

Note

Advance does not store credit card information (name on credit card, credit card
number, expiration date).
In respect to viewing sensitive data through Advance:
• Only authorized users using tools such as PL SQL Developer, or SQL Plus or another
database access tool will see actual values when they view any of the secured fields. The
actual values will be masked from view for a user who does not have appropriate
authorization to view the secured fields.
• In earlier versions of Advance, Advanced Lookups allowed you to search on Credit Card
Numbers in the Gift – Tender Type Advanced Lookup, Alternate IDs (including Tax ID such
as Social Security Numbers) in the Bio – ID – Alt ID Advanced Lookup. Currently, you may
not search on Credit Card Numbers. However, you may still search on any alternate IDs using
the Bio-ID-Alt ID Advanced Lookup.
• Existing facilities accommodate limiting a user from viewing sensitive data online, as
follows:
o For Credit Cards:
 Users who are not allowed to view Bank Card information are denied access
to the Bank Card window.
o Users in inquiry mode cannot see Bank Number or Account number information for
EFT Pledges.
o For Alternate ID Numbers, such as Social Security Numbers:
 Only users assigned to the Override Rights Group for an ID type where
Suppress Display Ind = Y in its tms_ids_type table entry can see the ID type
and value.

Ellucian Advance | Security Technical Reference 8

4 Data Encryption

Advance neither requires nor prevents data encryption. Institutions that wish to implement data
encryption may do so by using a utility outside of the Advance application.

Ellucian Advance | Security Technical Reference 9

5 Security Diagram

Ellucian Advance | Security Technical Reference 10