About User Credential Encryption

For the SIMULIA Execution Engine station to start a new process (substation) on behalf of the SIMULIA Execution Engine user (job submitter), it must have the user’s credentials or be running as root (Linux only).

Credentials (name and password) are supplied by the user when any SIMULIA Execution Engine client connects to the SIMULIA Execution Engine. Those credentials are captured when a job is submitted and used by the stations to start processes (substations) in the job submitter’s security context.

For this procedure to be secure, the user’s credentials must be protected in transit both to the SIMULIA Execution Engine (where they are captured during the logon process) and from the SIMULIA Execution Engine to the SIMULIA Execution Engine station, where they are used to start substation processes. The SIMULIA Execution Engine uses industry-standard PKI encryption technology with strong 1024-bit encryption for transmitting and storing user credentials. The SIMULIA Execution Engine uses a public/private key system to ensure secure communications.

The way in which credentials are used on SIMULIA Execution Engine stations is described below and shown in the following figure. Numbers in the figure correspond to the numbered steps below.

Figure: SIMULIA Execution Engine Encryption Process

  1. When the SIMULIA Execution Engine is first started, it generates a secure random private/public key pair.
  2. The SIMULIA Execution Engine connects to the database using the credentials defined by the administrator in the application server configuration.
  3. On some system in the network, the SIMULIA Execution Engine station is started and generates its own secure random private/public key pair. The public key is sent to the SIMULIA Execution Engine, where it is stored with other station configuration details. The private key never leaves the SIMULIA Execution Engine station.
  4. The user logs on to a local computer somewhere in the network and starts an interface that will access the SIMULIA Execution Engine (for example, the Isight Design Gateway).
  5. The user provides credentials (user name and password) for connecting to the SIMULIA Execution Engine.
  6. The application server authenticates the user against the configured SIMULIA Execution Engine security domain. For more information on how this domain is configured, see Configuring SIMULIA Execution Engine Security.
  7. The client program retrieves the SIMULIA Execution Engine’s public key. The SIMULIA Execution Engine’s private key never leaves the SIMULIA Execution Engine and is not available to any clients.
  8. The client program encrypts the user credentials with the SIMULIA Execution Engine’s public key.
  9. The client program submits a job and includes the encrypted credentials with the job request. The SIMULIA Execution Engine stores the encrypted credentials with the job details.
  10. At some later time, the SIMULIA Execution Engine dispatches a work request for the job to a particular SIMULIA Execution Engine station. The user credentials (stored in the job details) are decrypted with the SIMULIA Execution Engine’s private key, and are then re-encrypted with the station’s public key.
  11. The work request is sent to the station with the encrypted credentials.
  12. When the work request is received by the SIMULIA Execution Engine station, the user credentials are decrypted with the station’s private key.
  13. The SIMULIA Execution Engine station launches a new process (substation) by authenticating the user to the local operating system. If authentication fails, the new process is not created and the work request fails.
  14. The new substation process (running in the security context of the job submitter) performs the requested work.
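The key handling in steps 1 through 12 can be traced in a short Go program. This is an added example, not code from the SIMULIA Execution Engine, and it shows that a blob sealed for the engine cannot be opened by a station until the engine re-encrypts it in step 10. Assumptions: the page names no algorithm, so RSA-OAEP with SHA-256 and 2048-bit keys are this example's choices; all function names are hypothetical; using the job ID as the OAEP label is an addition of the example, and the credentials and job ID are constructed sample values.

```go
package main

import (
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"fmt"
)

// NewKeyPair is run by the engine (step 1) and each station (step 3); 2048 bits is this example's choice.
func NewKeyPair() (*rsa.PrivateKey, error) { return rsa.GenerateKey(rand.Reader, 2048) }

// Seal encrypts credentials to a recipient's public key (steps 8 and 10).
// Assumption: the job ID is used as the OAEP label, so a blob opens only for its own job.
func Seal(to *rsa.PublicKey, creds, jobID []byte) ([]byte, error) {
	return rsa.EncryptOAEP(sha256.New(), rand.Reader, to, creds, jobID)
}

// Open decrypts with the holder's private key (steps 10 and 12).
func Open(key *rsa.PrivateKey, blob, jobID []byte) ([]byte, error) {
	return rsa.DecryptOAEP(sha256.New(), rand.Reader, key, blob, jobID)
}

// Redispatch is step 10: the engine opens the stored blob and re-seals it for one station.
func Redispatch(engine *rsa.PrivateKey, station *rsa.PublicKey, stored, jobID []byte) ([]byte, error) {
	creds, err := Open(engine, stored, jobID)
	if err != nil {
		return nil, err
	}
	return Seal(station, creds, jobID)
}

func must(b []byte, err error) []byte {
	if err != nil {
		panic(err)
	}
	return b
}

func main() {
	engine, err1 := NewKeyPair()
	station, err2 := NewKeyPair()
	if err1 != nil || err2 != nil {
		panic("key generation failed")
	}
	job := []byte("job-0001") // constructed sample values
	stored := must(Seal(&engine.PublicKey, []byte("alice:constructed-password"), job)) // steps 8-9
	work := must(Redispatch(engine, &station.PublicKey, stored, job))                  // steps 10-11
	fmt.Printf("station recovered %q\n", must(Open(station, work, job)))               // step 12
}
```

In this model the plaintext credentials exist in engine memory during `Redispatch`, so the engine's private key and process memory are the assets to protect most carefully.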