
Configuring SSL Encryption for SWSE


This section describes how to configure your SWSE to use Secure Sockets Layer (SSL) encryption and, optionally, authentication for SISNAPI communications with Siebel Servers.

Configuring SSL communications between Siebel Servers and the Web server also requires that you configure Siebel Enterprise or Siebel Server to use SSL, as described in Configuring SSL Encryption for Siebel Enterprise or Siebel Server.

Performing this procedure adds parameters to the eapps.cfg file in a new section called [connmgmt]. For example, the [connmgmt] section might look like this:

[connmgmt]
CACertFileName = d:\siebel\admin\cacertfile.pem
CertFileName = d:\siebel\admin\certfile.pem
KeyFileName = d:\siebel\admin\kefile.txt
KeyFilePassword = ^s*)Jh!#7
PeerAuth = TRUE
PeerCertValidation = FALSE

Names for eapps.cfg file parameters mentioned in this procedure correspond to Name Server parameters for Siebel Server.

After running this utility, you must modify the ConnectString parameter for each AOM (Application Object Manager) that will connect to the SWSE using SSL. Specify SSL as the communications type (TCP/IP is used by default) and None as the encryption type. For example, for Siebel Sales using U.S. English, modify the parameter in the [/sales_enu] section of eapps.cfg to resemble the following:

siebel.ssl.None.None://gtwyname/siebel/SSEObjMgr_enu

Running the SSL Configuration Utility for SWSE

This section describes running the SSL configuration utility for SWSE—that is, the Siebel Software Configuration Utility (Siebel Web Server Extension SSL).

The prompts for the SSL configuration utility are the same whether you run it in GUI mode or console mode. However, some user interface elements are different in these two modes.

On Windows, SSL configuration of the Enterprise or SWSE always uses GUI mode. On UNIX, initial SSL configuration of the Enterprise or SWSE uses GUI mode. However, if you run the SSL configuration utility separately later on a UNIX platform, it will run in console mode.

To enable SSL encryption for the SWSE

  1. Before you begin, obtain and install the certificate files that you will need if you plan to configure SSL authentication.
  2. If you are running the main Siebel Software Configuration Utility to configure SWSE, start the SSL configuration utility by specifying that you want to deploy SSL for the Enterprise, as described in Configuring Encryption for Siebel Enterprise and SWSE.
  3. Alternatively, to run the SSL configuration utility directly on a Web server machine, start the SSL configuration utility directly, as described below:
    • For Microsoft Windows platforms, open an MS-DOS window and enter the following command (utility runs in GUI mode):

    SWEAPP_ROOT\bin\ssincfgw.exe -l language -f SWEAPP_ROOT\admin\sslEapp.scm -logevents all

    where:

      • SWEAPP_ROOT is the SWSE installation directory
      • language is the language in which you want to run the configuration utility (for example, ENU for U.S. English)
    • For UNIX platforms, if the current path is not in the library path, you need to add it so that the SSL configuration utility can run on the machine that hosts the SWSE. The following list describes the parameter values for the library paths on supported UNIX platforms:
      • Sun Solaris = LD_LIBRARY_PATH
      • HP-UX = SHLIB_PATH
      • IBM AIX = LIBPATH
      • LINUX = LD_LIBRARY_PATH

        For example, on IBM AIX with C shell, if the environment variable was set previously, execute the following command from SWEAPP_ROOT (the SWSE installation directory):

    setenv LIBPATH ${LIBPATH}:.

    If the environment variable was not set previously, execute the following command:

    setenv LIBPATH .

    For IBM AIX with Bourne shell or Korn shell, if the environment variable was set previously, execute the following command from SWEAPP_ROOT (the SWSE installation directory):

    export LIBPATH=${LIBPATH}:.

    If the environment variable was not set previously, execute the following command:

    export LIBPATH=.

    When the current path is in the library path, you execute the following command to start the SSL configuration utility:

    ./icfg -l language -f SWEAPP_ROOT/admin/sslEapp.scm -logevents all

  4. Specify the names of the certificate file and of the certificate authority file.

    The equivalent parameters in the eapps.cfg file are CertFileName and CACertFileName.

  5. Specify the name of the private key file, and the password for the private key file, then confirm the password.

    The password you specify will be stored in encrypted form.

    The equivalent parameters in the eapps.cfg file are KeyFileName and KeyFilePassword.

  6. Specify whether you require peer authentication.

    Peer authentication means that the SWSE authenticates the Siebel Server whenever a connection is initiated. Peer authentication is false by default.

    NOTE:  The peer authentication parameter is ignored if SSL is not deployed between the SWSE and the Siebel Server. If peer authentication is set to TRUE on the SWSE, the Siebel Server is authenticated, provided that the SWSE has the certifying authority's certificate to authenticate the Siebel Server's certificate. If you deploy SSL, it is recommended that you set PeerAuth to TRUE to obtain maximum security.

    The equivalent parameter in the eapps.cfg file is PeerAuth.

  7. Specify whether you require peer certificate validation.

    Peer certificate validation performs reverse-DNS lookup to independently verify that the hostname of the SWSE machine matches the hostname presented in the certificate. Peer certificate validation is false by default.

    The equivalent parameter in the eapps.cfg file is PeerCertValidation.

  8. If you were running the SSL configuration utility as part of running the Siebel Software Configuration Utility (as described in Step 2), you return to that process, as described in the Siebel Installation Guide for the operating system you are using.
  9. If you were running the SSL configuration utility directly (as described in Step 3), then review the settings, finish configuration, and restart the Web server.
  10. Repeat this procedure for each SWSE in your application environment, as necessary.

    Make sure you also configure each Siebel Server in your environment, as described in Configuring SSL Encryption for Siebel Enterprise or Siebel Server.
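
An added example, not part of the Oracle guide and not Oracle code: a Python check that reads an eapps.cfg and reports where the [connmgmt] section and each ConnectString differ from what this procedure sets up. The sample file content, the audit_eapps_cfg name, and the TCPIP token in the second ConnectString are assumptions constructed for illustration.

```python
import configparser
import re

# Constructed sample eapps.cfg (hypothetical values, not from a real deployment).
SAMPLE_EAPPS_CFG = r"""
[connmgmt]
CACertFileName = d:\siebel\admin\cacertfile.pem
CertFileName = d:\siebel\admin\certfile.pem
KeyFileName = d:\siebel\admin\keyfile.txt
KeyFilePassword = ENCRYPTED-VALUE-PLACEHOLDER
PeerAuth = FALSE
PeerCertValidation = FALSE

[/sales_enu]
ConnectString = siebel.ssl.None.None://gtwyname/siebel/SSEObjMgr_enu

[/callcenter_enu]
ConnectString = siebel.TCPIP.None.None://gtwyname/siebel/SCCObjMgr_enu
"""

# siebel.<communications type>.<encryption type>.<third field>://...
CONNECT_RE = re.compile(r"^siebel\.([^.]+)\.([^.]+)\.[^.:/]+://", re.IGNORECASE)
FILE_KEYS = ("CACertFileName", "CertFileName", "KeyFileName", "KeyFilePassword")

def audit_eapps_cfg(text):
    """Return findings for the SSL settings this page describes."""
    cfg = configparser.ConfigParser(interpolation=None, strict=False, delimiters=("=",))
    cfg.read_string(text)
    if not cfg.has_section("connmgmt"):
        return ["[connmgmt] missing: SSL is not configured for this SWSE"]
    conn, findings = cfg["connmgmt"], []
    for key in FILE_KEYS:
        if not conn.get(key, "").strip():
            findings.append(f"[connmgmt] {key} is not set")
    # PeerAuth and PeerCertValidation are both false by default.
    if conn.get("PeerAuth", "FALSE").strip().upper() != "TRUE":
        findings.append("[connmgmt] PeerAuth is not TRUE: Siebel Server is not authenticated")
    if conn.get("PeerCertValidation", "FALSE").strip().upper() != "TRUE":
        findings.append("[connmgmt] PeerCertValidation is not TRUE: no hostname check")
    for section in cfg.sections():
        cs = cfg[section].get("ConnectString", "").strip()
        if not cs:
            continue  # section does not define a connect string
        m = CONNECT_RE.match(cs)
        if not m or m.group(1).lower() != "ssl" or m.group(2).lower() != "none":
            findings.append(f"[{section}] ConnectString is not siebel.ssl.None...: {cs}")
    return findings

print("\n".join(audit_eapps_cfg(SAMPLE_EAPPS_CFG)))
```

Run it against the eapps.cfg of each SWSE after restarting the Web server; an empty result means the file matches the settings described in this procedure with PeerAuth and PeerCertValidation both enabled.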

Security Guide for Siebel Business Applications