
Configuring SSL or TLS Encryption for SWSE


This topic describes how to use the Siebel Configuration Wizard to configure the SWSE to use either SSL or TLS encryption and, optionally, authentication for SISNAPI communications with Siebel Servers. Configuring SSL or TLS communications between Siebel Servers and the Web server also requires that you configure a Siebel Enterprise or Siebel Server to use SSL or TLS. For information on this task, see Configuring SSL or TLS Encryption for a Siebel Enterprise or Siebel Server.

This task is a step in Process of Configuring Secure Communications.

NOTE:  The information in this topic describes how to implement either SSL or TLS for communications between the SWSE and the Siebel Servers. For information on implementing SSL or TLS for communications between a Siebel Web Client and the SWSE, see Configuring a Siebel Web Client to Use HTTPS.

Configuring the SWSE to use SSL or TLS encryption involves the following tasks:

  1. Run the Siebel Enterprise Configuration Wizard to configure a new Siebel Web Server Extension Logical Profile and select the appropriate option to deploy SSL or TLS.

    This task is described in Deploying SSL or TLS for Siebel Web Server Extension.

  2. Modify the ConnectString parameter in the eapps.cfg file and specify either SSL or TLS encryption as appropriate.

    This task is described in Configuring SSL or TLS Encryption for SWSE.

Deploying SSL or TLS for Siebel Web Server Extension

To deploy SSL or TLS for SWSE, you first configure a SWSE logical profile using the Siebel Enterprise Configuration Wizard. During this stage, you specify the values for deployment of SSL or TLS on the SWSE. You then apply the SWSE logical profile to the installed instance of the SWSE using the SWSE Configuration Wizard. The following procedure describes both of these steps.

To deploy SSL or TLS encryption for the Siebel Web Server Extension

  1. Before you begin, if you are configuring SSL or TLS authentication, obtain and install the certificate files you need.
  2. Launch the Siebel Enterprise Configuration Wizard.

    For information on this task, see Siebel Installation Guide for the operating system you are using.

  3. Choose the Create New Configuration option, then the Configure a New Siebel Web Server Extension Logical Profile option.

    For information on configuring the SWSE logical profile, see Siebel Installation Guide for the operating system you are using.

  4. Configure values for the SWSE logical profile until the Select the Connection Protocol and Encryption screen appears.
  5. Specify whether you are using TCP/IP, TLS, or SSL for communication between Siebel Servers and the SWSE.

    If you select either TLS or SSL, then the Deploy SSL or TLS in the Enterprise screen is displayed.

  6. Select the appropriate check box to enable either SSL or TLS communications between the SWSE and the Siebel Server.

    TLS or SSL settings for SWSE must be compatible with those for Siebel Servers that connect to the Web server.

  7. Specify the names of the certificate file and of the certificate authority file.

    The equivalent parameters in the eapps.cfg file are CertFileName and CACertFileName.

  8. Specify the name of the private key file, and the password for the private key file, then confirm the password.

    The password you specify is stored in encrypted form.

    The equivalent parameters in the eapps.cfg file that the SWSE logical profile applies to the installed SWSE are KeyFileName and KeyFilePassword.

  9. Specify whether you require peer authentication.

    Peer authentication means that the SWSE authenticates the Siebel Server whenever a connection is initiated. Peer authentication is false by default.

    NOTE:  If peer authentication is set to TRUE on the SWSE, then the Siebel Server is authenticated, provided that the SWSE has the certifying authority's certificate to authenticate the Siebel Server's certificate. If you deploy SSL, then it is recommended that you set PeerAuth to TRUE to obtain maximum security.

    The equivalent parameter in the eapps.cfg file that the SWSE logical profile applies to the installed SWSE is PeerAuth.

  10. Specify whether you require peer certificate validation.

    Peer certificate validation performs reverse-DNS lookup to independently verify that the hostname of the Siebel Server computer matches the hostname presented in the certificate. Peer certificate validation is false by default.

    The equivalent parameter in the eapps.cfg file that the SWSE logical profile applies to the installed SWSE is PeerCertValidation.

  11. Review the settings. If the settings are correct, then execute the configuration and proceed to Step 12.
  12. Using the Siebel Web Server Extension Configuration Wizard, apply the SWSE logical profile to each SWSE in your Siebel environment for which you want to secure communications using SSL or TLS.

    For information on applying the SWSE logical profile, see the Siebel Installation Guide for the operating system you are using.

  13. For each Application Object Manager that will connect to the SWSE using SSL or TLS, modify the ConnectString parameter as described in Configuring SSL or TLS Encryption for SWSE.

Configuring SSL or TLS Encryption for SWSE

When you configure the SWSE to use either SSL or TLS using the Configuration Wizards, parameters are added to the eapps.cfg file in a new section called [connmgmt]. For descriptions of the SSL or TLS-related parameters listed in the [connmgmt] section, see About Parameters in the eapps.cfg File. The [connmgmt] section looks similar to the following:

[connmgmt]
CACertFileName = c:\security\cacertfile.pem
CertFileName = c:\security\certfile.pem
KeyFileName = c:\sba8x\admin\keyfile.txt
KeyFilePassword = ^s*)Jh!#7
PeerAuth = TRUE
PeerCertValidation = FALSE

For each Application Object Manager that will connect to the SWSE using SSL or TLS, modify the ConnectString parameter to specify SSL or TLS as the communications type (TCP/IP is used by default), and None as the encryption type.

For example, for Siebel Sales using U.S. English, modify the parameter in the [/sales_enu] section of eapps.cfg to resemble one of the following as appropriate:

  • For SSL:

    siebel.ssl.None.None://siebsrvrname:scbrokerport/siebel/SSEObjMgr_enu

  • For TLS:

    siebel.tls.None.None://siebsrvrname:scbrokerport/siebel/SSEObjMgr_enu
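
The following check is an added example, not part of the Siebel documentation: it reads an eapps.cfg file and reports ConnectString entries that do not use SSL or TLS, together with the PeerAuth and PeerCertValidation settings described in this topic. The sample file is constructed; the port 2321, the [/callcenter_enu] section, and the siebel.TCPIP token for the default TCP/IP type are assumptions.

```python
import configparser
import re

# Constructed sample eapps.cfg; host name, port and file paths are placeholders.
SAMPLE_EAPPS_CFG = r"""
[connmgmt]
CertFileName = c:\security\certfile.pem
KeyFileName = c:\sba8x\admin\keyfile.txt
PeerAuth = TRUE
PeerCertValidation = FALSE

[/sales_enu]
ConnectString = siebel.tls.None.None://siebsrvrname:2321/siebel/SSEObjMgr_enu

[/callcenter_enu]
ConnectString = siebel.TCPIP.None.None://siebsrvrname:2321/siebel/SCCObjMgr_enu
"""

# siebel.<communications type>.<encryption type>.<third field>://host:port/...
CONNECT_RE = re.compile(r"^siebel\.([^.]+)\.([^.]+)\.[^.:/]+://", re.IGNORECASE)

def audit_eapps(text):
    """Return sorted (section, finding) tuples for the settings this topic covers."""
    cfg = configparser.ConfigParser(interpolation=None, strict=False)
    cfg.read_string(text)
    findings = []
    for section in cfg.sections():
        conn_str = cfg[section].get("ConnectString")
        if conn_str is None:
            continue
        m = CONNECT_RE.match(conn_str.strip())
        if not m:
            findings.append((section, "ConnectString has an unexpected format"))
        elif m.group(1).lower() not in ("ssl", "tls"):
            findings.append((section, "communications type %s is not SSL or TLS" % m.group(1)))
        elif m.group(2).lower() != "none":
            findings.append((section, "encryption type must be None with SSL or TLS"))
    conn = cfg["connmgmt"] if cfg.has_section("connmgmt") else {}

    def is_true(name):
        # Both parameters are false by default, so a missing entry counts as FALSE.
        return conn.get(name, "FALSE").strip().upper() == "TRUE"

    if not is_true("PeerAuth"):
        findings.append(("connmgmt", "PeerAuth is not TRUE: Siebel Server is not authenticated"))
    elif not conn.get("CACertFileName", "").strip():
        findings.append(("connmgmt", "PeerAuth is TRUE but CACertFileName is not set"))
    if not is_true("PeerCertValidation"):
        findings.append(("connmgmt", "PeerCertValidation is not TRUE: host name is not verified"))
    return sorted(findings)
```

Calling audit_eapps(SAMPLE_EAPPS_CFG) returns three findings: the TCP/IP ConnectString in [/callcenter_enu], the missing CACertFileName, and PeerCertValidation left at FALSE.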

Siebel Security Guide Copyright © 2013, Oracle and/or its affiliates. All rights reserved.