Security Guide for Siebel Business Applications > Security Adapter Authentication >

Configuring Database Authentication


If you do not use LDAP/ADSI authentication, then you must create a unique database account for each user. When an administrator adds a new user to the database, the User ID field must match the username for a database account. The user enters the database username and password when the user logs into a Siebel application.

Database Authentication Process

The stages in a database authentication process are:

  1. The user enters a database account's username and password into a Siebel application login form.
  2. The Siebel Web Server Extension (SWSE) passes the user credentials to the AOM, which in turn passes them to the authentication manager.
  3. The authentication manager hashes the password, if DBHashUserPwd is TRUE for the data source specified for the database security adapter, and passes the user credentials to the database security adapter.
  4. If the user credentials match a database account, the user is logged into the database and is identified with a user record whose user ID is the same as the database account's username.

    In other words, the database security adapter validates each user's credentials by trying to connect to the Siebel Database.

Features Not Available for Database Authentication

Some of the features that other authentication strategies provide are not available with database authentication, including:

  • A single user-authentication method that is valid for Siebel Business Applications and other applications
  • User self-registration (typically used with customer applications)
  • External delegated administration of users (typically used with partner applications)
  • Creation of users from the Administration - User screen in the Siebel application

Implementing Database Authentication

If you implement database authentication, it will typically be for a Siebel employee application, such as Siebel Call Center or Siebel Sales.

Database authentication is configured as the default, and is the easiest to implement of the authentication approaches presented in this book.

Although configuration may not be required, parameters for the database security adapter can be configured using Siebel Server Manager. To do this, you specify parameter values for a named subsystem (enterprise profile). For Developer Web Client, parameters are configured by editing the application configuration file.

The database security adapter is specified using the Security Adapter Mode (SecAdptMode) and Security Adapter Name (SecAdptName) parameters:

  • Security Adapter Mode must be set to DB (the default value).
  • Security Adapter Name must be set to DBSecAdpt (the default value), or to a security adapter (enterprise profile or named subsystem) with a different name.

The Security Adapter Mode and Security Adapter Name parameters can be set for the Siebel Enterprise Server, for a particular Siebel Server, for an individual AOM component, or for the Synchronization Manager component (for Siebel Remote).

CAUTION:  If you want to configure a server component or a Siebel Server to use different database authentication settings than those already configured at a higher level (that is, configured for the Siebel Enterprise or Siebel Server), then you should create a new database security adapter. Otherwise, settings you make will reconfigure the existing security adapter wherever it is used.

For more information about parameters for the database security adapter, see Configuration Parameters Related to Authentication.

An administrator must perform the following tasks to provide a new user with access to Siebel Business Applications and the Siebel Database in a database authentication environment:

  • Create a database account for the user. Use your database management features to create a database account for each user.
  • Create a Siebel user record in the Siebel Database, in which the user ID matches the user name for the database account. You add users through an employee application such as Siebel Call Center.

    For information about adding users, see Internal Administration of Users.

The following option is available if you implement database authentication:

  • User password hashing. Maintains an unexposed, hashed password for a database account, while an unhashed version of the password is provided to the user for logging in. When user password hashing is enabled, a hashing algorithm is applied to the user's password before it is compared to the hashed password stored in the database. For details, see Configuring Password Hashing.
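
The login stages and the user password hashing option described above, modelled as an added example (not Siebel code and not part of the original guide). It shows that with hashing enabled the password the user types never works as the database account password on its own. SimulatedDatabase, authenticate, can_log_in, the sample accounts and the SHA-256 stand-in hash are assumptions for illustration; this page does not name the hashing algorithm.

```python
import hashlib

class LoginError(Exception):
    """Raised when a simulated database connection or user lookup fails."""

def hash_password(password: str) -> str:
    # Stand-in hash (assumption): the page does not name the algorithm.
    return hashlib.sha256(password.encode("utf-8")).hexdigest()

class SimulatedDatabase:
    """Toy model: database accounts plus Siebel user records (constructed data)."""
    def __init__(self, accounts, user_records):
        self.accounts = dict(accounts)          # db username -> db account password
        self.user_records = set(user_records)   # Siebel User ID values

    def connect(self, username, password):
        # Stage 4: credentials are valid only if a connection succeeds.
        if self.accounts.get(username) != password:
            raise LoginError("database rejected the connection")
        return username

def authenticate(db, username, password, hash_user_pwd):
    """Stages 3-4: hash if the flag is set, then try to connect as the user."""
    presented = hash_password(password) if hash_user_pwd else password
    account = db.connect(username, presented)
    # The session is tied to the user record whose User ID equals the account name.
    if account not in db.user_records:
        raise LoginError("no Siebel user record matches the database account")
    return account

def can_log_in(db, username, password, hash_user_pwd):
    try:
        authenticate(db, username, password, hash_user_pwd)
        return True
    except LoginError:
        return False

# Constructed sample: JSMITH's account password is the hash of the typed password;
# BATCH1 has a database account but no Siebel user record.
SAMPLE_DB = SimulatedDatabase(
    accounts={"JSMITH": hash_password("Spring-Rain-42"), "BATCH1": hash_password("x")},
    user_records={"JSMITH"},
)

if __name__ == "__main__":
    print(can_log_in(SAMPLE_DB, "JSMITH", "Spring-Rain-42", True))   # hashing applied
    print(can_log_in(SAMPLE_DB, "JSMITH", "Spring-Rain-42", False))  # typed password as-is
    print(can_log_in(SAMPLE_DB, "BATCH1", "x", True))                # no user record
```

The second call models the same failure mode as a data source whose hashing setting does not match how the database account passwords were stored: every login is rejected even though the user types the right password.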