Security Guide for Siebel Business Applications > Communications and Data Encryption > Configuring Secure Communications
Configuring Encryption for Siebel Enterprise and SWSE
When you configure your Siebel Enterprise or Siebel Web Server Extension (SWSE) following installation, you specify which encryption type to use for communications between the Siebel Server and the Web server (SWSE), and between Siebel Servers. Communications between these modules use the SISNAPI protocol.
The encryption type setting determines how encryption is defined within generated connect strings for Siebel Business Applications. It also corresponds to the value of the Siebel Enterprise parameter
The Siebel Software Configuration Utility appears when you first install the Siebel Enterprise or SWSE. For information about running this utility, see the Siebel Installation Guide for the operating system you are using.
Using this utility, you can specify to use Secure Sockets Layer (SSL), Microsoft Crypto, or RSA encryption. (For SSL, you specify None, then specify whether to deploy SSL.)
You can use both SSL and RSA or Microsoft Crypto for SISNAPI encryption in a single Siebel Enterprise. This flexibility is possible because SSL is enabled at the Siebel Server level, while RSA or Microsoft Crypto is enabled at the server component level. For example, because the remote synchronization SISNAPI channel does not currently support SSL, RSA or Microsoft Crypto are the only encryption options for this channel. To encrypt this channel with RSA or Microsoft Crypto, run the remote component on a Siebel Server separate from the Siebel Servers that are configured for SSL. Then, enable RSA or Microsoft Crypto for the remote component.
Use SSL or RSA/Microsoft Crypto to encrypt different communication channels; it does not make sense to encrypt the same communication channel with both SSL and RSA or Microsoft Crypto.
In the Siebel Software Configuration Utility, the Encryption Type screen displays the options for configuring the encryption type. You can choose one of the following options:
- NONE. Specify this option if you will use Secure Sockets Layer (SSL) instead of Microsoft Crypto or RSA encryption, or if you will not use encryption.
- MSCRYPTO. The Microsoft Crypto encryption protocol for communications between Siebel components (option available on Microsoft Windows platforms only).
- RSA. A required protocol if you are using the RSA Security Systems 128-bit strong encryption feature for Siebel components.
NOTE: For Siebel installations that include both UNIX and Microsoft Windows platforms, it is recommended to use an encryption method supported across platforms, such as SSL or RSA.
If you specified None for the encryption type, the utility prompts you to specify whether you want to deploy SSL in the enterprise (for the Siebel Enterprise or for SWSE).
- If you specify to deploy SSL, then additional screens appear for configuring SSL (these screens are part of the SSL configuration utility). For details, see the following sections:
- If you do not specify to deploy SSL, then the SSL configuration screens do not display and you continue with the main Siebel Software Configuration Utility.
Key Exchange for Microsoft Crypto or RSA Encryption
If you are using Microsoft Crypto or RSA encryption, the following steps explain how Siebel encryption keys are exchanged between the client (for example, the Web server) and the server (for example, Siebel Server).
1. The client generates a private/public key pair. The public key is sent as part of the Hello SISNAPI message to the Siebel Server.
2. When the server receives a Hello message, it generates an RC4-based symmetrical session key and encrypts the symmetrical session key using the client's public key from the Hello message. The encrypted session key is sent back to the client as part of the Hello Acknowledge message.
3. The client uses its private key to decrypt the server-generated session key. From this point on, both the client and the server use the server-generated session key to encrypt and decrypt messages.
4. The session key is good for the lifetime of the connection.
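The four steps above, modelled as an added example that is not part of the Siebel guide or the product's code: a toy Python exchange in which a client sends its public key in a Hello message, the server answers with a freshly generated session key encrypted under that public key in a Hello Acknowledge message, and both sides then encrypt traffic with the session key. Textbook RSA (no padding) and a pure-Python RC4 are constructed stand-ins for the product's key-pair and session-key primitives, the `Hello` and `HelloAck` classes are assumed message shapes rather than the SISNAPI wire format, and the key sizes are demo values.

```python
"""Toy model of the Hello / Hello Acknowledge session-key exchange (constructed example)."""
import os
import random
from dataclasses import dataclass


class RC4Stream:
    """RC4 keystream whose state is carried across calls; one instance per direction."""

    def __init__(self, key: bytes) -> None:
        s = list(range(256))
        j = 0
        for i in range(256):  # key-scheduling algorithm
            j = (j + s[i] + key[i % len(key)]) & 0xFF
            s[i], s[j] = s[j], s[i]
        self.s, self.i, self.j = s, 0, 0

    def crypt(self, data: bytes) -> bytes:
        """Encrypt or decrypt (same operation) by XOR with the next keystream bytes."""
        out = bytearray()
        for byte in data:  # pseudo-random generation algorithm
            self.i = (self.i + 1) & 0xFF
            self.j = (self.j + self.s[self.i]) & 0xFF
            self.s[self.i], self.s[self.j] = self.s[self.j], self.s[self.i]
            out.append(byte ^ self.s[(self.s[self.i] + self.s[self.j]) & 0xFF])
        return bytes(out)


def is_probable_prime(n: int, rounds: int = 20) -> bool:
    """Miller-Rabin test, adequate for a demo key pair (not for production keys)."""
    if n < 2:
        return False
    for p in (2, 3, 5, 7, 11, 13, 17, 19, 23, 29):
        if n % p == 0:
            return n == p
    d, r = n - 1, 0
    while d % 2 == 0:
        d, r = d // 2, r + 1
    for _ in range(rounds):
        x = pow(random.randrange(2, n - 1), d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True


def gen_prime(bits: int) -> int:
    while True:
        candidate = random.getrandbits(bits) | (1 << (bits - 1)) | 1  # odd, full length
        if is_probable_prime(candidate):
            return candidate


def rsa_keypair(bits: int = 512):
    """Textbook RSA without padding: returns ((n, e), (n, d)). Demo sizes only."""
    e = 65537
    while True:
        p, q = gen_prime(bits // 2), gen_prime(bits // 2)
        phi = (p - 1) * (q - 1)
        if p != q and phi % e:
            return (p * q, e), (p * q, pow(e, -1, phi))


@dataclass
class Hello:  # client -> server: carries the client's public key (assumed shape)
    client_public_key: tuple


@dataclass
class HelloAck:  # server -> client: session key encrypted under that public key (assumed shape)
    encrypted_session_key: int


class Client:
    def __init__(self) -> None:
        self.public_key, self.private_key = rsa_keypair()  # step 1: key pair
        self.session_key = None

    def hello(self) -> Hello:
        return Hello(self.public_key)

    def receive_ack(self, ack: HelloAck) -> None:  # step 3: recover the session key
        n, d = self.private_key
        self.session_key = pow(ack.encrypted_session_key, d, n).to_bytes(16, "big")
        self.out, self.inp = RC4Stream(self.session_key), RC4Stream(self.session_key)


class Server:
    def receive_hello(self, hello: Hello) -> HelloAck:  # step 2: generate and wrap the key
        self.session_key = os.urandom(16)  # 128-bit symmetric key for this connection
        n, e = hello.client_public_key
        self.out, self.inp = RC4Stream(self.session_key), RC4Stream(self.session_key)
        return HelloAck(pow(int.from_bytes(self.session_key, "big"), e, n))


def run_exchange(client_msg: bytes, server_msg: bytes):
    """Run the handshake, then one message each way; return both parties and what each decrypted."""
    client, server = Client(), Server()
    client.receive_ack(server.receive_hello(client.hello()))
    seen_by_server = server.inp.crypt(client.out.crypt(client_msg))  # step 4: same key, whole connection
    seen_by_client = client.inp.crypt(server.out.crypt(server_msg))
    return client, server, seen_by_server, seen_by_client
```

The keystream state lives in `RC4Stream` rather than being reset per message, because a stream cipher that restarts from the same key for every message reuses keystream; the toy still keys both directions identically, which is a simplification to keep the flow readable, not a statement about how the product separates its directions. Only the public key and the wrapped session key cross the wire in the clear, so a passive observer without the client's private key learns neither the session key nor the traffic it protects.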
NOTE: If you are using SSL encryption between the Web server and Siebel Server or between Siebel Servers, key exchange is handled through a standard SSL handshake.