Bookshelf Home | Contents | Index | PDF     

Security Guide for Siebel Business Applications > Configuration Parameters Related to Authentication >

Parameters in the eapps.cfg File

The eapps.cfg file contains parameters that control interactions between the Siebel Web Engine and the Siebel Web Server Extension (SWSE), for all Siebel Business Applications deploying the Siebel Web Client.

The eapps.cfg file is located in the SWEAPP_ROOT\bin directory, where SWEAPP_ROOT is the directory in which you installed the SWSE.

Following list is a portion of a sample eapps.cfg file. This sample includes some parameters that may not coexist. They are provided so you can see a range of authentication-related parameters.

CAUTION:  Typically, password encryption is in effect for the eapps.cfg file, as determined by the setting EncryptedPassword = TRUE. In this case, values for WebUpdatePassword and AnonPassword would be encrypted. For details, see Managing Encrypted Passwords in the eapps.cfg File.

[swe]
Language = enu
Log = all
LogDirectory = D:\sea78\SWEApp\log
ClientRootDir = D:\sea78\SWEApp
WebPublicRootDir = D:\sea78\SWEApp\public\enu
WebUpdatePassword = test
IntegratedDomainAuth = FALSE

[defaults]
EncryptedPassword = TRUE
AnonUserName = GUESTCST
AnonPassword = GUESTCST
StatsPage = _492394stats.swe
SingleSignOn = TRUE
TrustToken = HELLO
UserSpec = REMOTE_USER
UserSpecSource = Server
DoCompression = TRUE
SessionTimeout = 300
GuestSessionTimeout = 900

[/prmportal_enu]
AnonUserName = guestcp
AnonPassword = ldap
ProtectedVirtualDirectory = /p_prmportal_enu
ConnectString = siebel.TCPIP.None.None://172.20.167.200:2320/siebel/eChannelObjMgr_enu

[connmgmt]
CACertFileName = d:\siebel\admin\cacertfile.pem
CertFileName = d:\siebel\admin\certfile.pem
KeyFileName = d:\siebel\admin\kefile.txt
KeyFilePassword = ^s*)Jh!#7
PeerAuth = FALSE
PeerCertValidation = FALSE

NOTE:  Alert 1124 on Siebel SupportWeb recommends that you set the value for StatsPage to a value other than the default value (_stats.swe).

The eapps.cfg file includes sections such as [swe], [defaults], and [connmgmt] and sections for individual Siebel Business Applications, such as [/prmportal_enu] and [/callcenter_enu]. Each parameter value in the [defaults] section is used by all individual applications, unless you override the parameter's value with an entry in an application's own section.

In the eapps.cfg sample above, the AnonUserName and AnonPassword values in the [/prmportal_enu] section are used by Siebel Partner Portal instead of the values provided in the [defaults] section.

NOTE:  You can use any plain text editor to add parameters and their values or to change values for existing parameters. When you edit configuration files, do not use a text editor that adds additional, nontext characters to the file.

In a given eapps.cfg file, some parameters may not appear by default. Changes to the eapps.cfg file are not active until you restart the Siebel Server and the Web server.

Authentication-Related Parameters

The following parameters in the eapps.cfg file relate to authentication. They can be defined in the [defaults] section or in the sections for individual applications.

  • AnonUserName. This parameter specifies the user name required for anonymous browsing and initial access to the login pages. The user name selected should have access to views intended for anonymous browsing, but it should otherwise be the name of a restricted user.
  • AnonPassword. The password corresponding to the value entered for AnonUserName.
  • ClientCertificate. When this parameter is set to TRUE in a Web SSO implementation, the user is authenticated through a digital certificate.

    See also Digital Certificate Authentication.

  • EncryptedPassword. When this parameter is set to TRUE, the password for the anonymous user and the Web update password are interpreted as encrypted passwords. This parameter is added to the eapps.cfg file (with a value of TRUE) when you use the SWSE configuration utility. However, if the parameter is not defined in the file, this is equivalent to a value of FALSE.

    For more information, see Managing Encrypted Passwords in the eapps.cfg File.

  • EncryptSessionId. When this parameter is set to TRUE (the default), the session ID will be encrypted. When it is FALSE, the session ID is not encrypted. For a Siebel Web Client, the session ID is used in the session cookie (in cookie-based mode) or in the application URL (in cookieless mode).

    For more information about cookies, see Cookies and Siebel Business Applications.

  • GuestSessionTimeout. The time, in seconds, that a connection open for anonymous browsing can remain idle before it times out. The default is 300 seconds (5 minutes).

    Guest sessions are used for anonymous browsing. They permit users to navigate portions of the site without logging in. In contrast to anonymous sessions, guest sessions are associated with an individual Siebel Web Client. These sessions are opened when an unregistered user starts navigating the site, and they remain open until the Web client logs out or times out due to inactivity.

    When deciding how long guest user timeout should be, your primary consideration should be whether or not anonymous browsing is being used. If so, guest user timeouts should be greater than the average time users would need to deliberate their next action. In other words, this is the time allowed between user actions.

    Both guest and anonymous sessions use the AnonUserName and AnonPassword parameters to log in.

    For more information on setting this parameter, see Performance Tuning Guide.

  • SessionTimeout. The time, in seconds, from the user's last browser request until the user's connection times out. The default is 900 seconds (15 minutes).

    Standard sessions are those where users log in using their registered user name and password. Otherwise, they share many of the same characteristics as guest sessions.

    Table 26 offers guidelines for setting this parameter.

    NOTE:  All the session timeouts mentioned above deal with the session inactivity. In other words, if they are set to 3600 seconds, then it requires one hour of session inactivity for that session to time out. Session inactivity means there should be no request made to the Siebel Server on that session. Any act pinging the Siebel Server, such as message broadcasting, resets the session timeout period. If the update interval is less than the SessionTimeout set in the eapps.cfg file, the session never times out.

    For more information on setting this parameter, see Performance Tuning Guide.

    Table 26. Guidelines for Setting Session Timeouts
    Session Type
    Condition
    Recommended Setting

    Anonymous session
    • Large numbers of users logging in within a short period of time (login spikes)
    • Frequent logins and logouts

    >30 min.

    Guest
    • Long intervals between user actions
    • Login view is used for logins
    • Logout occurs on a logout view

    >30 min.

    <5 min.

    <5 min.

    Regular
    • Employee applications
    • Customer applications
    • High security requirements
    • High continuity (low interaction) with the browser
    • Lightly loaded system

    >30 min.

    1-15 min.

    <5 min.

    >30 min.

    >30 min.

  • SingleSignOn. The SWSE operates in Web SSO mode when this parameter is TRUE.

    For more information, see Web Single Sign-On Authentication.

  • SubUserSpec. In a Web SSO environment that implements digital certificate authentication, a value of CN specifies that the Siebel user ID should be extracted from the certificate's CN (Common Name) attribute.

    For more information, see User Specification Source.

  • TrustToken. In a Web SSO environment, this token string is a shared secret between the SWSE and the security adapter. It is a measure to protect against spoofing attacks. This setting must be the same on both the SWSE and the security adapter.

    For more information, see Web Single Sign-On Authentication.

  • UserSpec. In a Web SSO implementation, this variable name specifies where the SWSE looks for a user's user name within the source given by UserSpecSource. The value, REMOTE_USER by default, is populated by the authentication filter.

    If digital certificate authentication is implemented on Windows or AIX, use the value CERT_SUBJECT, a variable that contains the certificate name. For example, UserSpec/SubUserSpec would be "CERT_SUBJECT"/"CN". For other UNIX platforms, use "REMOTE_USER" for UserSpec. The SubUserSpec setting is disregarded.

    For more information, see User Specification Source.

  • UserSpecSource. In a Web SSO implementation, this parameter specifies the source from which the SWSE derives the user credentials: Server, if from the usual Web server user name field; Header, if the variable is within the HTTP request header.

    For more information, see User Specification Source.

The following parameter can be defined in the section for each individual Siebel application. Do not define this parameter in the [defaults] section.

  • ProtectedVirtualDirectory. This parameter specifies the protected virtual directory for a Siebel application. This parameter specifies a Web server virtual directory that represents the protected location of the Siebel application. This parameter must have a value in a Web SSO implementation, and is optional in other implementations.

    The protected directory allows you to configure your Web server or third-party authentication software to require user authentication to access specific Siebel application views. Requests for any views that require explicit login are redirected to this virtual directory.

    For more information, see Creating Protected Virtual Directories.

    For example, if you used the suggested name for the protected virtual directory for Siebel Service, enter:

    [/eservice_enu]
    ProtectedVirtualDirectory = /p_eservice

    If your Web SSO implementation is not configured for anonymous browsing, set this value to the same directory as your application. For example:

    [/eservice_enu]
    ProtectedVirtualDirectory = /eservice

    Otherwise, a Web Authentication Failed message may appear in the application's log file.

    NOTE:  You use examples like those above to secure an entire application. However, if some parts of the application do not require authentication, you must be able to authenticate users when they access a secured part of the application. In this case, set the parameter to an alias where the Web SSO credentials are passed. The Siebel application redirects the authentication request.

The following parameter in the eapps.cfg file can be defined in the [swe] section of the file.

  • IntegratedDomainAuth. To support Windows Integrated Authentication for Web SSO, set this parameter to TRUE. This setting causes SWSE to strip out the domain name from HTTP headers, which allows the application to integrate with Windows Integrated Authentication.

SSL-Related Parameters

The following parameters can be included in the [connmgmt] section of the eapps.cfg file, when you are using SSL to encrypt SISNAPI communications between the Web server and the Siebel Server. For more information, see Configuring SSL Encryption for SWSE.

  • CACertFileName. Identifies the trusted authority who issued the certificate.
  • CertFileName. Specifies the name of the ASN/PEM certificate file.
  • KeyFileName. Specifies the name of the PEM private key file.
  • KeyFilePassword. Specifies the password to decrypt the private key file.
  • PeerAuth. Enables peer authentication during SSL handshake. PeerAuth is FALSE by default. Set PeerAuth to TRUE to authenticate certificates from the Siebel Server. The SWSE requires the certifying authority's certificate to authenticate the certificate from the Siebel Server.
  • PeerCertValidation. Independently verifies that the hostname of the SWSE machine matches the hostname presented in the certificate.
    
Security Guide for Siebel Business Applications