Bookshelf Home | Contents | Index | PDF     

Siebel Security Guide > Configuration Parameters Related to Authentication >

Parameters in the eapps.cfg File

The eapps.cfg file contains parameters that control interactions between the Siebel Web Engine and the Siebel Web Server Extension (SWSE), for all Siebel Business Applications deploying the Siebel Web Client.

The eapps.cfg file is located in the SWEAPP_ROOT\bin directory after you apply a SWSE logical profile, where SWEAPP_ROOT is the directory in which you installed the SWSE.

The eapps.cfg file includes sections such as [swe], [defaults], and [connmgmt] and sections for individual Siebel Business Applications, such as [/prmportal_enu] and [/callcenter_enu]. Each parameter value in the [defaults] section is used by all individual applications, unless you override the parameter's value with an entry in an application's own section.

The following list is a portion of a sample eapps.cfg file. This sample includes some parameters that might not coexist. They are provided so you can see a range of authentication-related parameters. In the eapps.cfg sample, the AnonUserName and AnonPassword values in the [/prmportal_enu] section are used by Siebel Partner Portal instead of the values provided in the [defaults] section.

[swe]
Language = enu
Log = all
LogDirectory = D:\sba80\SWEApp\log
ClientRootDir = D:\sba80\SWEApp
WebPublicRootDir = D:\sba80\SWEApp\public\enu
SiebEntSecToken = fJq&29&58hJaY(A8!Z
IntegratedDomainAuth = FALSE

[defaults]
EncryptedPassword = TRUE
AnonUserName = GUESTCST
AnonPassword = fhYt8T*9N4e8&Qay
StatsPage = _492394stats.swe
SingleSignOn = TRUE
TrustToken = mR*739DAPw*94%O2
UserSpec = REMOTE_USER
UserSpecSource = Server
DoCompression = TRUE
SessionTimeout = 900
GuestSessionTimeout = 300

[/prmportal_enu]
AnonUserName = guestcp
AnonPassword = aGr^92!8RWnf7Iy1
ProtectedVirtualDirectory = /p_prmportal_enu
ConnectString = siebel.TCPIP.None.None://172.20.167.200:2320/SBA_80/eChannelObjMgr_enu
SiebEntSecToken = ^s*)Jh!#7^s*)Jh!#7

[connmgmt]
CACertFileName = d:\siebel\admin\cacertfile.pem
CertFileName = d:\siebel\admin\certfile.pem
KeyFileName = d:\siebel\admin\kefile.txt
KeyFilePassword = ^s*)Jh!#7
PeerAuth = FALSE
PeerCertValidation = FALSE

Typically, password encryption is in effect for the eapps.cfg file, as determined by the setting EncryptedPassword = TRUE. In this case, values for SiebEntSecToken, AnonPassword, and TrustToken are encrypted. For more information, see Managing Encrypted Passwords in the eapps.cfg File.

NOTE:  It is recommended that you set the value for StatsPage to a value other than the default value (_stats.swe). For further information on this parameter, see 478289.1 (Article ID) on My Oracle Support. This document was formerly published as Siebel Alert 1124.

You can edit the parameters in the eapps.cfg file manually using a text editor or you can configure and apply a SWSE logical profile using the Siebel Configuration Wizard. When you edit configuration files, do not use a text editor that adds additional, nontext characters to the file. For information on using the Siebel Configure Wizard to configure SWSE parameters, see Siebel Installation Guide for the operating system you are using.

In a given eapps.cfg file, some parameters might not appear by default. Changes to the eapps.cfg file are not active until you restart the Siebel Server and the Web server.

Authentication-Related Parameters

The following parameters in the eapps.cfg file relate to authentication. They can be defined in the [defaults] section or in the sections for individual applications:

  • AnonUserName. This parameter specifies the user name required for anonymous browsing and initial access to the login pages. The user name selected requires access to views intended for anonymous browsing, but must otherwise be the name of a restricted user.
  • AnonPassword. The password corresponding to the value entered for AnonUserName.
  • ClientCertificate. When this parameter is set to TRUE in a Web SSO implementation, the user is authenticated through a digital certificate.

    See also Digital Certificate Authentication.

  • EncryptedPassword. When this parameter is set to TRUE, the password for the anonymous user and the Web update password are interpreted as encrypted passwords. This parameter is added to the eapps.cfg file (with a value of TRUE) when you apply a SWSE logical profile using the Siebel Configuration Wizard for SWSE. However, if the parameter is not defined in the file, this is equivalent to a value of FALSE.

    For more information, see Managing Encrypted Passwords in the eapps.cfg File.

  • EncryptSessionId. When this parameter is set to TRUE (the default), the session ID will be encrypted. When it is FALSE, the session ID is not encrypted. For a Siebel Web Client, the session ID is used in the session cookie (in cookie-based mode) or in the application URL (if cookie-based mode is not enabled).

    For more information about cookies, see About Using Cookies with Siebel Business Applications.

  • GuestSessionTimeout. The time, in seconds, that a connection open for anonymous browsing can remain idle before it times out. The default is 300 seconds (5 minutes).

    Guest sessions are used for anonymous browsing. They permit users to navigate portions of the site without logging in. In contrast to anonymous sessions, guest sessions are associated with an individual Siebel Web Client. These sessions are opened when an unregistered user starts navigating the site, and the sessions remain open until the Web client logs out or times out due to inactivity.

    When deciding how long guest user timeout is to be, the primary consideration is whether or not anonymous browsing is being used. If anonymous browsing is being used, guest user timeouts must be greater than the average time users require to deliberate their next action. In other words, this is the time allowed between user actions.

    Both guest and anonymous sessions use the AnonUserName and AnonPassword parameters to log in. For more information on setting this parameter, see Siebel Performance Tuning Guide.

  • SessionTimeout. The time, in seconds, from the user's last browser request until the user's connection times out. The default is 900 seconds (15 minutes). Table 30 offers guidelines for setting this parameter.

    Standard sessions are those where users log in using their registered user name and password. Otherwise, standard sessions share many of the same characteristics as guest sessions.

    Table 30. Guidelines for Setting Session Timeouts
    Session Type
    Condition
    Recommended Setting

    Anonymous session
    • Large numbers of users logging in within a short period of time (login spikes)
    • Frequent logins and logouts

    Greater than 30 minutes.

    Guest
    • Long intervals between user actions
    • Login view is used for logins
    • Logout occurs on a logout view

    Greater than 30 minutes.

    Less than 5 minutes.

    Less than 5 minutes.

    Regular
    • Employee applications
    • Customer applications
    • High security requirements
    • High continuity (low interaction) with the browser
    • Lightly loaded system

    Greater than 30 minutes.

    1-15 minutes.

    Less than 5 minutes.

    Greater than 30 minutes.

    Greater than 30 minutes.

    Session timeout refers to session inactivity. That is, if session timeout is set to 3600 seconds, then it requires one hour of session inactivity for that session to time out. Session inactivity means no request is made to the Siebel Server on that session. Any act that sends a ping request to the Siebel Server, such as message broadcasting, resets the session timeout period. If the update interval is less than the SessionTimeout set in the eapps.cfg file, the session never times out.

    If you use the Siebel Portal Framework to implement portal views, note that Siebel Business Applications time out if user activity in the portal view exceeds the time that is specified by SessionTimeout. Note also that, by default, portal views send a ping status request to their server every 120 seconds (2 minutes) to keep their session alive. For more information about the Siebel Portal Framework, see Siebel Portal Framework Guide. For more information about setting the SessionTimeout parameter, see Siebel Performance Tuning Guide.

  • SingleSignOn. The SWSE operates in Web SSO mode when this parameter is TRUE. For more information, see Web Single Sign-On Authentication.
  • SubUserSpec. In a Web SSO environment that implements digital certificate authentication, a value of CN specifies that the Siebel user ID is to be extracted from the certificate's CN (Common Name) attribute. For more information, see Configuring the User Specification Source.
  • TrustToken. In a Web SSO environment, this token string is a shared secret between the SWSE and the security adapter. It is a measure to protect against spoofing attacks. This setting must be the same on both the SWSE and the security adapter.

    For more information, see Web Single Sign-On Authentication.

  • UserSpec. In a Web SSO implementation, this variable name specifies where the SWSE looks for a user's user name within the source given by UserSpecSource. The value, REMOTE_USER by default, is populated by the authentication filter.

    If digital certificate authentication is implemented on Windows or AIX, use the value CERT_SUBJECT, a variable that contains the certificate name. For example, UserSpec/SubUserSpec is "CERT_SUBJECT"/"CN". For other UNIX operating systems, use the value "REMOTE_USER" for the UserSpec parameter. The SubUserSpec setting is disregarded.

    For more information, see Configuring the User Specification Source.

  • UserSpecSource. In a Web SSO implementation, this parameter specifies the source from which the SWSE derives the user credentials:
    • Server. If credentials are derived from the usual Web server user name field
    • Header. If credentials are derived from the variable within the HTTP request header.

      For more information, see Configuring the User Specification Source.

The following parameter can be defined in the section for each individual Siebel application. Do not define this parameter in the [defaults] section.

  • ProtectedVirtualDirectory. This parameter specifies a Web server virtual directory that represents the protected location of the Siebel application. This parameter must have a value in a Web SSO implementation, and is optional in other implementations.

    The protected directory allows you to configure your Web server or third-party authentication software to require user authentication to access specific Siebel application views. Requests for any views that require explicit login are redirected to this virtual directory.

    For more information, see Creating Protected Virtual Directories.

    For example, if you used the suggested name for the protected virtual directory for Siebel eService, enter:

    [/eservice_enu]
    ProtectedVirtualDirectory = /p_eservice

    If your Web SSO implementation is not configured for anonymous browsing, set this value to the same directory as your application. For example:

    [/eservice_enu]
    ProtectedVirtualDirectory = /eservice

    Otherwise, a Web Authentication Failed message might appear in the application's log file.

    NOTE:  You use examples like those above to secure an entire application. However, if some parts of the application do not require authentication, you must be able to authenticate users when they access a secured part of the application. In this case, set the parameter to an alias where the Web SSO credentials are passed. Siebel Business Applications redirect the authentication request.

The following parameter in the eapps.cfg file can be defined in the [swe] section of the file.

  • IntegratedDomainAuth. To support Windows Integrated Authentication for Web SSO, set this parameter to TRUE. This setting causes SWSE to strip out the domain name from HTTP headers, which allows the application to integrate with Windows Integrated Authentication.

SSL-Related Parameters

The following parameters can be included in the [connmgmt] section of the eapps.cfg file, when you are using SSL to encrypt SISNAPI communications between the Web server and the Siebel Server. For more information, see Configuring SSL Encryption for SWSE.

  • CACertFileName. Identifies the trusted authority who issued the certificate.
  • CertFileName. Specifies the name of the ASN/PEM certificate file.
  • KeyFileName. Specifies the name of the PEM private key file.
  • KeyFilePassword. Specifies the password to decrypt the private key file.
  • PeerAuth. Enables peer authentication during SSL handshake. PeerAuth is FALSE by default. Set PeerAuth to TRUE to authenticate certificates from the Siebel Server. The SWSE requires the certifying authority's certificate to authenticate the certificate from the Siebel Server.
  • PeerCertValidation. Independently verifies that the hostname of the SWSE computer matches the hostname presented in the certificate.
    
Siebel Security Guide Copyright © 2011, Oracle and/or its affiliates. All rights reserved. Legal Notices.