
Configuring SSL Mutual Authentication


Mutual authentication is a process in which a connection between two parties is established only after each party has authenticated the other. In SSL mutual authentication, the client is authenticated to the server and the server is authenticated to the client during the SSL handshake, using digital certificates issued by certificate authorities.

Siebel Business Applications support server authentication. In the current release, client authentication is also supported for SSL-based communications that use the EAI HTTP Transport business service, and for workflows or outbound Web service calls that call the EAI HTTP Transport business service.

If you choose to enable client authentication, the Siebel Server presents a client certificate to an external Web server by supplying values for the HTTPCertSerialNo and HTTPCertAuthority EAI HTTP Transport parameters.

This task is a step in Process of Configuring Secure Communications.

The following procedure describes how to configure client authentication using the EAI HTTP Transport business service.

To configure client authentication using EAI HTTP Transport

  1. Obtain the following files and install them on the Siebel Server:
  2. Configure the Web server for client authentication.

    For information on configuring client authentication on the Web server, see your Web server vendor documentation.

  3. Provide client authentication information by specifying values for the following EAI HTTP Transport parameters:
    • HTTPCertSerialNo. Specify the client certificate serial number. This is a hexadecimal string which cannot contain spaces.
    • HTTPCertAuthority. Specify the name of the authority that issued the client certificate. The issuing authority name must be in FQDN format and is case sensitive.

      The certificate authority and serial number details are displayed on the certificate, which you can view using Internet Explorer (Windows) or the mwcontrol utility (UNIX).

      The EAI HTTP Transport business service can be called directly or indirectly.

    • If the EAI HTTP Transport business service is invoked directly by an eScript script or workflow, you can specify the HTTPCertSerialNo and HTTPCertAuthority parameters using the Set Property method of the business service call. For additional information, see Transports and Interfaces: Siebel Enterprise Application Integration.
    • If the EAI HTTP Transport business service is invoked indirectly by an outbound Web service, you can specify the HTTPCertSerialNo and HTTPCertAuthority parameters as input arguments for the outbound Web Service Dispatcher. For additional information, see Integration Platform Technologies: Siebel Enterprise Application Integration.
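
The following is an added example, not taken from the Siebel documentation or from Oracle code. It converts a serial number copied from a certificate viewer into the space-free hexadecimal form that HTTPCertSerialNo requires, checks the authority name without changing its case, and sets both values with SetProperty. The helper names, the stand-in property set and the sample values are assumptions made for illustration.

```javascript
// Added example: prepare and apply the two client-certificate parameters.
// Helper names and all sample values are constructed for illustration.

// Turn a serial number as a certificate viewer may show it ("61 0a:3f ...")
// into the form HTTPCertSerialNo requires: hexadecimal digits, no spaces.
function normalizeCertSerial(displayed) {
  var serial = String(displayed).replace(/[\s:]/g, "");
  if (!/^[0-9A-Fa-f]+$/.test(serial)) {
    throw new Error("HTTPCertSerialNo must be a hexadecimal string: " + displayed);
  }
  return serial;
}

// The authority name is case sensitive, so it is never case-folded here;
// the check only rejects values that are empty or padded with whitespace.
function checkCertAuthority(authority) {
  var name = String(authority);
  if (name.length === 0 || name !== name.replace(/^\s+|\s+$/g, "")) {
    throw new Error("HTTPCertAuthority is empty or has surrounding whitespace");
  }
  return name;
}

// Set both parameters on the input property set of the business service
// call. Both values are validated first, so a bad value leaves the
// property set untouched instead of half configured.
function setClientCertProperties(inputs, displayedSerial, authority) {
  var serial = normalizeCertSerial(displayedSerial);
  var issuer = checkCertAuthority(authority);
  inputs.SetProperty("HTTPCertSerialNo", serial);
  inputs.SetProperty("HTTPCertAuthority", issuer);
  return inputs;
}

// Stand-in for a Siebel property set so the example runs outside Siebel.
function makeFakePropertySet() {
  var values = {};
  return {
    SetProperty: function (name, value) { values[name] = value; },
    GetProperty: function (name) { return values[name]; }
  };
}

// Constructed sample serial number and issuing authority name.
var demo = setClientCertProperties(
  makeFakePropertySet(), "61 0a 3f:7c 00 1b", "ca.example.com");
console.log(demo.GetProperty("HTTPCertSerialNo"));
```

In a Siebel script, the first argument would be the input property set that is passed to the EAI HTTP Transport business service call.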

Using Null Ciphers on UNIX

If you configure your Web server for client authentication using SSL 3.0, and if your Siebel Server is on a UNIX operating system, you can encounter an error (Error 12157) during the SSL handshake procedure if you have enabled the NULL encryption cipher.

To use the NULL cipher on the Web server, you must disable all other ciphers. For information on disabling ciphers in the Mainsoft MainWin registry using the X-Windows regedit utility, and for general information on resolving errors that can occur when using the EAI HTTP Transport business service with SSL, see 762002.1 (Article ID) on My Oracle Support.

Siebel Security Guide Copyright © 2011, Oracle and/or its affiliates. All rights reserved.