
Configuring SSL Mutual Authentication


Mutual authentication is a process in which a connection between two parties is established only after each party has authenticated the other. In SSL mutual authentication, the client is authenticated to the server and the server is authenticated to the client during the SSL handshake, using digital certificates issued by certificate authorities.

Siebel supports server authentication. In the current release, client authentication is also supported for SSL-based communications that use the EAI HTTP Transport business service, and for workflows or outbound Web service calls that call that business service.

If you choose to enable client authentication, then the Siebel Server presents a client certificate to an external Web server by supplying values for the HTTPCertSerialNo and HTTPCertAuthority EAI HTTP Transport parameters. The following procedure describes how to configure client authentication using the EAI HTTP Transport business service.

This task is a step in Process of Configuring Secure Communications.

To configure client authentication using EAI HTTP Transport

  1. Obtain the following files and install them on the Siebel Server:
  2. Configure the Web server for client authentication.

    For information on configuring client authentication on the Web server, refer to your Web server vendor documentation.

  3. Provide client authentication information by specifying values for the following EAI HTTP Transport parameters:
    • HTTPCertSerialNo. Specify the client certificate serial number. This is a hexadecimal string which cannot contain spaces.
    • HTTPCertAuthority. Specify the name of the authority that issued the client certificate. The issuing authority name must be in FQDN format and is case sensitive.

      The certificate authority and serial number details are displayed on the certificate, which you can view using your browser (Windows) or the mwcontrol utility (UNIX).

      The EAI HTTP Transport business service can be called directly or indirectly.

    • If the EAI HTTP Transport business service is invoked directly by an eScript script or workflow, then you can specify the HTTPCertSerialNo and HTTPCertAuthority parameters using the Set Property method of the business service call. For additional information, see Transports and Interfaces: Siebel Enterprise Application Integration.
    • If the EAI HTTP Transport business service is invoked indirectly by an outbound Web service, then you can specify the HTTPCertSerialNo and HTTPCertAuthority parameters as input arguments for the outbound Web Service Dispatcher. For additional information, see Integration Platform Technologies: Siebel Enterprise Application Integration.
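The direct invocation case above, as an added example that is not part of the Siebel documentation: ES3-style JavaScript that is also valid Siebel eScript, building the SendReceive input PropertySet with HTTPCertSerialNo and HTTPCertAuthority and checking the constraints stated for them before the call. The application handle is passed in as "app" so the logic can run outside Siebel (inside a Siebel script it is TheApplication()); the URL, body, the FQDN pattern and the use of HTTPRequestURLTemplate, HTTPRequestMethod and HTTPRequestBodyTemplate are assumptions of the example.

```javascript
// Added example, not from the Siebel documentation: builds the inputs for a
// direct EAI HTTP Transport "SendReceive" call with client authentication.
// ES3-style JavaScript that is also valid Siebel eScript; "app" is the
// application handle (TheApplication() inside a Siebel script).

// HTTPCertSerialNo: a hexadecimal string that must not contain spaces.
function isValidCertSerialNo(serialNo) {
  return typeof serialNo == "string" && /^[0-9A-Fa-f]+$/.test(serialNo);
}

// HTTPCertAuthority: issuer name in FQDN format and case sensitive, so it is
// checked as given, never lower-cased. The FQDN pattern (dot-separated
// labels of letters, digits and hyphens) is an assumption of this example.
function isValidCertAuthority(authority) {
  var label = "[A-Za-z0-9]([A-Za-z0-9-]*[A-Za-z0-9])?";
  var fqdn = new RegExp("^" + label + "(\\." + label + ")+$");
  return typeof authority == "string" && fqdn.test(authority);
}

// Returns a PropertySet ready for InvokeMethod("SendReceive", ...), or throws
// on a value the transport would reject. HTTPRequestURLTemplate, HTTPRequestMethod
// and HTTPRequestBodyTemplate are standard transport parameters (not on this page).
function buildClientAuthInputs(app, url, serialNo, authority, body) {
  if (!/^https:\/\//i.test(url)) {
    throw new Error("client authentication needs an https URL");
  }
  if (!isValidCertSerialNo(serialNo)) {
    throw new Error("HTTPCertSerialNo must be hexadecimal with no spaces");
  }
  if (!isValidCertAuthority(authority)) {
    throw new Error("HTTPCertAuthority must be an issuer name in FQDN format");
  }
  var inputs = app.NewPropertySet();
  inputs.SetProperty("HTTPRequestURLTemplate", url);
  inputs.SetProperty("HTTPRequestMethod", "POST");
  inputs.SetProperty("HTTPRequestBodyTemplate", body);
  inputs.SetProperty("HTTPCertSerialNo", serialNo);
  inputs.SetProperty("HTTPCertAuthority", authority);
  return inputs;
}

// Direct invocation, as described for eScript scripts and workflows above.
function sendWithClientCert(app, url, serialNo, authority, body) {
  var svc = app.GetService("EAI HTTP Transport");
  var inputs = buildClientAuthInputs(app, url, serialNo, authority, body);
  var outputs = app.NewPropertySet();
  svc.InvokeMethod("SendReceive", inputs, outputs);
  return outputs;
}
```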

NOTE: The Transport Layer Security (TLS) protocol is not supported on the UNIX operating system for HTTPS calls to external Web servers. Make sure that the external Web server allows the use of the SSL 2.0 or SSL 3.0 protocol; otherwise WinInet error 12157 occurs on the Siebel Server.

Using Null Ciphers on UNIX

If you configure your Web server for client authentication using SSL 3.0, and your Siebel Server runs on a UNIX operating system, then you might encounter an error (Error 12157) during the SSL handshake if the NULL encryption cipher is enabled.

To use the NULL cipher on the Web server, you must disable all other ciphers. For information on disabling ciphers in the Mainsoft MainWin registry using the X-Windows regedit utility, and for general information on resolving errors that can occur when using the EAI HTTP Transport business service with SSL, see 762002.1 (Article ID) on My Oracle Support.

Siebel Security Guide Copyright © 2013, Oracle and/or its affiliates. All rights reserved. Legal Notices.