Security Guide for Siebel Business Applications > Security Adapter Authentication >
Security Adapters and Siebel Developer Web Client
The Siebel Developer Web Client relocates business logic from the Siebel Server to the client. The authentication architecture for the Developer Web Client differs from the authentication architecture for the standard Web Client, because it locates the following components on the client instead of the Siebel Server:
- AOM (through the siebel.exe program)
- Application configuration file
- Authentication manager and security adapter
- IBM LDAP Client (where applicable)
NOTE: Siebel Systems support for the Siebel Developer Web Client is restricted to administration, development, and troubleshooting usage scenarios only. Siebel Systems does not support the deployment of this client to end users.
When you implement security adapter authentication for Siebel Developer Web Clients, observe the following principles:
- It is recommended to use the remote configuration option, which can help you make sure that all clients use the same configuration settings. This option is described later in this section.
- Authentication-related configuration parameters stored in application configuration files on client computers, or stored in remote configuration files, should generally contain the same values as the corresponding parameters in the Name Server (for Siebel Web Client users). Distribute the appropriate configuration files to all Siebel Developer Web Client users.
For information about setting parameters in Siebel application configuration files on the Siebel Developer Web Client, see Siebel Application Configuration File Parameters.
- It is recommended that you use checksum validation to make sure that the appropriate security adapter provides user credentials to the authentication manager for all users who request access. For information about checksum validation, see Configuring Checksum Validation.
- In a security adapter authentication implementation, you must set the security adapter configuration parameter
TRUE, and set the Siebel system preference SecThickClientExtAuthent to
TRUE, if you want to implement:
- In some environments, you may want to rely on the data server itself to determine whether to allow Siebel Developer Web Client users to access the Siebel Database and run the application. In the application configuration file on the local client, you can optionally define the parameter
IntegratedSecurity for the server data source (typically, in the [ServerDataSrc] section of the configuration file).
This parameter can be set to
FALSE. The default value is
TRUE, the Siebel client is prevented from prompting the user for a username and password when the user logs in. Facilities provided in your existing data server infrastructure determine if the user should be allowed to log into the database.
You can use
IntegratedSecurity = TRUE with the database security adapter. See also Configuring Database Authentication.
IntegratedSecurity is supported for Oracle and Microsoft SQL Server databases only. For additional information, refer to your third-party documentation. For Oracle, refer to the OPS$ and REMOTE_OS_AUTHENT features. For Microsoft SQL Server, refer to Integrated Security.
For more information about the Siebel Developer Web Client, see the Siebel Installation Guide for the operating system you are using and the Siebel System Administration Guide.
Sample LDAP Section in Configuration File
The following is an example of LDAP configuration information generated by the LDAP/ADSI Configuration Utility when you configure an LDAP security adapter for Developer Web Clients. For more information, see Using the LDAP/ADSI Configuration Utility.
For information about setting Siebel configuration parameters, see Siebel Application Configuration File Parameters.
SecAdptDllName = sscfldap
ServerName = ldapserver.siebel.com
Port = 636
BaseDN = "ou=people, o=xyz.com"
SharedCredentialsDN = "uid=HKIM, ou=people, o=Siebel.com"
UsernameAttributeType = uid
PasswordAttributeType = userPassword
CredentialsAttributeType = mail
RolesAttributeType = roles
SslDatabase = /suitespot/https-myhost/ldapkey.kdb
ApplicationUser = "uid=APPUSER, ou=people, o=xyz.com"
ApplicationPassword = APPUSERPW
HashDBPwd = TRUE
PropagateChange = TRUE
SingleSignOn = TRUE
TrustToken = mydog
UseAdapterUsername = TRUE
SiebelUsernameAttributeType = PHONE
HashUserPwd = TRUE
HashAlgorithm = RSASHA1
Remote Configuration Option for Developer Web Client
For the Siebel Developer Web Client only, the remote configuration option can be implemented in the following authentication strategies:
- Security adapter authentication: LDAP, ADSI, custom (not database authentication)
- Web SSO authentication
With this approach, you create a separate text file that defines any parameter values that configure a security adapter. You configure all security adapter parameters, such as those in a section like [LDAPSecAdpt] or [ADSISecAdpt], in the remote file, not in the application configuration file.
Storing configuration parameters in a centralized location can help you reduce administration overhead. All Developer Web Clients can read the authentication-related parameters stored in the same file at a centralized remote location.
The examples below show how a remote configuration file could be used to provide parameters for a security adapter that is implemented by Siebel Service in a Web SSO environment. The following example is from the configuration file uagent.cfg for Siebel Call Center:
SecAdptMode = LDAP
SecAdptName = LDAPSecAdpt
UseRemoteConfig = \\it_3\vol_1\private\ldap_remote.cfg
In this case, the configuration file ldap_remote.cfg would contain an [LDAPSecAdpt] section. It could be defined similarly to the example earlier in this section, and would contain no other content. The application configuration file would contain the [InfraSecMgr] section as defined above. It would not contain an [LDAPSecAdpt] section—even if it did, it would be ignored.
To implement remote security configuration for Siebel Developer Web Clients, follow these guidelines:
- The [InfraSecMgr] section in the Siebel configuration file must include the
UseRemoteConfig parameter, which provides the path to a remote configuration file. The path is specified in universal naming convention format—that is, for example, \\server\vol\path\ldap_remote.cfg.
- The remote security configuration file contains only a section for configuring the security adapter, such as the [LDAPSecAdpt] section.
- Each Developer Web Client user must have read privileges on the remote configuration file and the disk directory where it resides.