About Configuring Communications Encryption for Siebel Enterprise and SWSE


When you configure your Siebel Enterprise or a Siebel Web Server Extension (SWSE) logical profile after installation, you specify which encryption type to use for communications between the Siebel Server and the Web server (SWSE), and between Siebel Servers. Communications between these modules use the SISNAPI protocol.

The encryption type setting determines how encryption is defined within generated connect strings for Siebel Business Applications. It also corresponds to the value of the Siebel Enterprise parameter Encryption Type (alias Crypt). You can specify Secure Sockets Layer (SSL), Microsoft Crypto, or RSA encryption.

You can use both SSL and RSA or Microsoft Crypto for SISNAPI encryption in a single Siebel Enterprise. This is possible because SSL is enabled at the Siebel Server level, while RSA and Microsoft Crypto are enabled at the server component level. For example, because the remote synchronization SISNAPI channel does not currently support SSL, RSA and Microsoft Crypto are the only encryption options for this channel. To encrypt this channel with RSA or Microsoft Crypto, run the remote component on a Siebel Server separate from the Siebel Servers that are configured for SSL. Then, enable RSA or Microsoft Crypto for the remote component.

Use SSL for some communication channels and RSA or Microsoft Crypto for others; it does not make sense to encrypt the same communication channel with both SSL and either RSA or Microsoft Crypto.

When configuring the Siebel Enterprise using the Siebel Configuration Wizard, the Security Encryption Level or Type screen displays the options for configuring the encryption type. You can choose one of the following options:

  • None
  • SISNAPI Without Encryption
  • SISNAPI Using RSA Encryption Algorithm
  • SISNAPI Using SSL 3.0
  • SISNAPI Using Enhanced SSL 3.0 (requires hardware proxy)
  • SISNAPI Using Microsoft Crypto API Encryption (Windows Only)

NOTE:  For Siebel CRM installations that use both UNIX and Microsoft Windows operating systems, it is recommended to use an encryption method supported by both, such as SSL or RSA.

When using the Siebel Configuration Wizard to configure a SWSE logical profile that you subsequently deploy to Web Servers in your Siebel environment, you are presented with an option allowing you to enable SSL communication between the Web server and Siebel Server. For information about running the Siebel Configuration Wizard, see Siebel Installation Guide for the operating system you are using. For more information on configuring SSL, see the following topics:

Key Exchange for Microsoft Crypto or RSA Encryption

If you are using Microsoft Crypto or RSA encryption, the following steps explain how Siebel encryption keys are exchanged between the client (for example, the Web server) and the server (for example, Siebel Server).

  1. The client generates a private/public key pair. The public key is sent as part of the Hello SISNAPI message to the Siebel Server.
  2. When the server receives a Hello message, it generates an RC4-based symmetrical session key and encrypts the symmetrical session key using the client's public key from the Hello message. The encrypted session key is sent back to the client as part of the Hello Acknowledge message.
  3. The client uses its private key to decrypt the server-generated session key. From this point on, both the client and the server use the server-generated session key to encrypt and decrypt messages.
  4. The session key is good for the lifetime of the connection.
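
The four steps above, traced end to end as an added example (not Siebel code and not part of the original guide). The dict message layout, unpadded 512-bit RSA and 16-byte session key are assumptions for illustration; the guide does not specify the SISNAPI wire format, key sizes or padding.

```python
import secrets

# Assumed for illustration: dict messages, unpadded 512-bit RSA, 16-byte session key.
def rc4(key: bytes, data: bytes) -> bytes:
    """RC4 keystream XOR; the same call encrypts and decrypts."""
    s, j = list(range(256)), 0
    for i in range(256):                          # key scheduling
        j = (j + s[i] + key[i % len(key)]) % 256
        s[i], s[j] = s[j], s[i]
    i, j, out = 0, 0, bytearray()
    for byte in data:                             # keystream generation
        i = (i + 1) % 256
        j = (j + s[i]) % 256
        s[i], s[j] = s[j], s[i]
        out.append(byte ^ s[(s[i] + s[j]) % 256])
    return bytes(out)

def is_prime(n: int, rounds: int = 20) -> bool:
    """Miller-Rabin probable-prime test for a large odd n."""
    d, r = n - 1, 0
    while d % 2 == 0:
        d, r = d // 2, r + 1
    for _ in range(rounds):
        x = pow(secrets.randbelow(n - 3) + 2, d, n)
        if x not in (1, n - 1) and all(pow(x, 2**k, n) != n - 1 for k in range(1, r)):
            return False
    return True

def client_keypair(bits: int = 512):
    """Step 1: the client generates a key pair; returns ((n, e), d)."""
    def prime():
        while True:
            p = secrets.randbits(bits // 2) | (1 << (bits // 2 - 1)) | 1
            if p % 65537 != 1 and is_prime(p):    # keeps e = 65537 invertible
                return p
    p, q = prime(), prime()
    return (p * q, 65537), pow(65537, -1, (p - 1) * (q - 1))

def server_hello_ack(hello: dict):
    """Step 2: the server makes the session key and wraps it for the client."""
    n, e = hello["public_key"]
    key = secrets.token_bytes(16)
    return key, {"type": "HelloAck", "enc_key": pow(int.from_bytes(key, "big"), e, n)}

def run_exchange(payload: bytes):  # -> (keys_match, ciphertext, server_side_plaintext)
    (n, e), d = client_keypair()
    hello = {"type": "Hello", "public_key": (n, e)}           # client -> server
    server_key, ack = server_hello_ack(hello)                  # server -> client
    client_key = pow(ack["enc_key"], d, n).to_bytes(16, "big")  # step 3: unwrap
    wire = rc4(client_key, payload)        # step 4: one key for the whole connection
    return client_key == server_key, wire, rc4(server_key, wire)
```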

NOTE:  If you are using SSL encryption between the Web server and Siebel Server or between Siebel Servers, the key exchange is handled through a standard SSL handshake.

Siebel Security Guide Copyright © 2011, Oracle and/or its affiliates. All rights reserved.