Securing the Siebel Web Server

Because a Web server is one of the most exposed and intruder-targeted elements in a network, securing the Web server is a priority. Before using your Web server in a Siebel Business Applications deployment, secure your Web server by applying vendor-recommended security procedures and practices as described in your Web server documentation. Then consider implementing the recommendations outlined in this topic.

Implementing a Proxy Server

Deploy a reverse-proxy server in the demilitarized zone to protect the Web server from attacks relating to denial of service and directory traversal. For additional information, see Proxy Servers.

Monitoring Disk Space

Monitor the disk space available on your Siebel Web server. If the Web server is allowed to reach the disk space limit, then denial of service events can occur when the Siebel Server or Siebel Web clients connect to the Siebel Web server. For information on the tools that are available to monitor disk utilization for your Web server, see your Web server vendor documentation. For additional information on denial of service attacks, see Preventing Denial of Service Attacks.

Removing Unnecessary Subdirectories (Windows)

See the vendor-specific security documentation for information on removing unnecessary subdirectories in a Windows environment.

Assigning Web Server File Permissions (Windows)

Set Web server file and directory permissions appropriately to make sure that only authorized users can access and modify designated files. Siebel Web Server Extension (SWSE) directories contain executable files that must be protected, for example, JavaScript files (.js files), cascading style sheets (.css files), and ActiveX controls (.cab files).

Use the following procedure to assign Web server file permissions in a Windows environment.

To assign Web server file permissions in a Windows environment

  1. Start the IIS Manager Console.
  2. Navigate to Start, Programs, Administrative Tools, and then choose the Internet Information Services (IIS) Manager.
  3. Expand IIS, Local Computer, Web Sites, and then Default Web Site node.
  4. Select a Siebel application, for example, callcenter_enu.
  5. Right-click the Siebel application, then select Permissions.
  6. Assign read and execute permissions for authorized users.
  7. Verify that only authorized users have appropriate permissions on the SWSE files and directories.

NOTE:  Administrators must have full rights to the Web server files and directories in order to grant and revoke permissions and to perform backup or recovery tasks.

Encrypting Communications to the Web Server

It is recommended that you secure all communications between the Siebel Web Client, the Web server and the Siebel Server using TLS, SSL, MSCRYPTO or RSA. Consider implementing SSL mutual authentication, if appropriate for your environment. For additional information on encrypting communications, see Enabling Encryption of Network Traffic.

Encrypting Passwords in the eapps.cfg File

The eapps.cfg file contains parameters that control interactions between the Siebel Web Engine and the Siebel Web Server Extension (SWSE) for all Siebel Business Applications. Passwords are written to the file in encrypted form when you initially configure the SWSE. Thereafter, encryption behavior depends on the EncryptedPassword parameter. The default value of the parameter is True. If the EncryptedPassword parameter does not exist in the eapps.cfg file, then the default behavior is the same as if EncryptedPassword were set to False. It is recommended that you verify that the EncryptedPassword parameter exists and that it is set to True.

NOTE:  If the EncryptedPassword parameter is set to True, then make sure that all passwords stored in the eapps.cfg file are encrypted.

If you manually edit the eapps.cfg file to set the EncryptedPassword parameter to True, then use the encryptstring utility to generate an encrypted version of the password to store in the file. For information on editing the eapps.cfg file and using the encryptstring utility, see Siebel Security Guide.

Securing User Session IDs

Session ID spoofing is a form of computer network attack in which a user's session ID is intercepted during communications between a valid user's browser and the Web server. The attacker can then hijack that user's session by sending the still-active session ID in the URL with a SWE message back to the Web server.

Implementing SSL or TLS for communications between the client browser and the Web server helps reduce the risk of session ID spoofing. In addition, it is recommended that you perform the following steps:

  • Enforce the use of session cookies to manage user sessions for Siebel Web Client users instead of allowing the session ID to be passed in the URL.

    In cookieless mode, a user name and unencrypted password are also passed in the URL, which constitutes another possible security vulnerability and is an additional reason for enforcing the use of session cookies.

    In some circumstances, it is not possible to use cookies, for example, if Siebel Business Applications are running inside a portal, or if an application, such as Oracle Business Intelligence (BI) Publisher, is running from inside Siebel Business Applications. However, if you have implemented Web Single Sign-On as your method of user authentication, then for security reasons, it is recommended that you use cookie mode.

  • Configure the Web server to encrypt the session ID in session cookies; this prevents an attacker who captures the cookie from determining the session ID's format.

To secure session IDs by enabling the use of session cookies, perform the following procedure.

To secure user session IDs

  1. To force the SWSE to always use cookie-based mode, edit the eapps.cfg file and add the following parameters:

    SessionTracking = Cookie
    URLSession = FALSE
    CookieSession = TRUE

  2. To configure the Web server to encrypt the session ID, edit the eapps.cfg file, and add the following parameter to the Defaults section:

    EncryptSessionId = TRUE
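As an added example that is not part of the Siebel documentation, the following Python script audits an eapps.cfg file for the settings this topic recommends: the EncryptedPassword parameter described under Encrypting Passwords in the eapps.cfg File, and the cookie-mode and EncryptSessionId parameters from the procedure above. It assumes eapps.cfg is INI-style, with a [defaults] section whose values apply to each application section (such as [/callcenter_enu]) unless that section overrides them; the sample file is constructed for the example.

```python
import configparser
from typing import Dict, List

# Parameter -> value recommended on this page; compared case-insensitively.
RECOMMENDED: Dict[str, str] = {
    "EncryptedPassword": "TRUE",
    "SessionTracking": "Cookie",
    "URLSession": "FALSE",
    "CookieSession": "TRUE",
    "EncryptSessionId": "TRUE",
}

# Constructed sample eapps.cfg fragment, not taken from any real deployment.
SAMPLE_CFG = """\
[defaults]
EncryptedPassword = TRUE
SessionTracking = Cookie
URLSession = FALSE
CookieSession = TRUE

[/callcenter_enu]
ConnectString = siebel.TCPIP.None.None://siebelhost:2321/SBA/SCCObjMgr_enu

[/eservice_enu]
SessionTracking = URL
"""


def audit_eapps_cfg(text: str) -> List[str]:
    """Return one finding per application section that deviates from RECOMMENDED."""
    # eapps.cfg is INI-style; interpolation is off so '%' in values stays literal.
    cp = configparser.ConfigParser(interpolation=None)
    cp.read_string(text)
    defaults = cp["defaults"] if cp.has_section("defaults") else {}
    # Assumption: application sections are named [/<virtual directory>] and
    # a value set there overrides the same parameter in [defaults].
    targets = [s for s in cp.sections() if s.startswith("/")] or ["defaults"]
    findings: List[str] = []
    for name, want in RECOMMENDED.items():
        key = name.lower()  # configparser lower-cases option names
        for target in targets:
            section = cp[target] if cp.has_section(target) else {}
            value = section.get(key, defaults.get(key))
            if value is None:
                # The page notes a missing EncryptedPassword behaves as False,
                # so a missing parameter is reported rather than assumed safe.
                findings.append(f"{target}: {name} is not set (unsafe default applies)")
            elif value.strip().lower() != want.lower():
                findings.append(f"{target}: {name} = {value.strip()!r}, expected {want!r}")
    return findings
```

Running audit_eapps_cfg(SAMPLE_CFG) reports the URL-mode override in /eservice_enu and the missing EncryptSessionId for both applications.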

Setting Security Features of the Siebel Web Server Extension

The SWSE can be configured to allow only URLs that use SSL or TLS over HTTP (HTTPS protocol) to access views in a Siebel application or to transmit user credentials entered in a login form from the browser. It is recommended that you implement both of these features. You can choose to:

  • Use HTTPS only on the login view (to protect password transmission).
  • Use HTTPS for additional specified views.
  • Use HTTPS for all views.

Securing Access to Views

You can indicate whether or not the HTTPS protocol must be used to access a view by doing either or both of the following:

  • Setting the Secure property of a specific view to True to indicate that the HTTPS protocol must be used to access the view (applies to Siebel Business Applications using standard-interactivity mode only).
  • Setting the SecureBrowse parameter to True to indicate that all views in the Siebel application must use HTTPS, regardless of how the secure attribute is set for individual views. Securing the entire user session in this way helps to prevent network-sniffing attacks.

    Use Siebel Server Manager to specify a value for the SecureBrowse component parameter. For information on this task, see Siebel Security Guide.

Securing Login Information

To secure login information, it is recommended that you configure the Siebel Web Engine to use HTTPS when transmitting user credentials entered in a login form from the browser to the Web server. Securing login information in this way prevents sniffing of user credentials.

To implement secure login, on each Siebel application where you want to implement secure login, set the value of the SecureLogin component parameter to True. For information on this task, see Siebel Security Guide.

Siebel Security Hardening Guide Copyright © 2013, Oracle and/or its affiliates. All rights reserved. Legal Notices.