Siebel Innovation Pack 2014: Authentication-Related Parameters in Eapps.cfg

Table 32 lists the parameters in the eapps.cfg file that relate to authentication. The authentication parameters can be defined in the [defaults] section of the file or in the sections for individual applications.

Table 32. Authentication-Related Parameters in the Eapps.cfg File
Parameter	Description
AnonUserName	This parameter specifies the user name required for anonymous browsing and initial access to the login pages. The user name selected as the anonymous user must be assigned access to views intended for anonymous browsing, but to no other views.
AnonPassword	The password corresponding to the value entered for AnonUserName.
ClientCertificate	When this parameter is set to TRUE in a Web SSO implementation, the user is authenticated through a digital certificate. For information, see About Digital Certificate Authentication.
EncryptedPassword	When this parameter is set to TRUE, the password for the anonymous user and the Web update password are interpreted as encrypted passwords. This parameter is added to the eapps.cfg file (with a value of `TRUE`) when you apply a SWSE logical profile using the Siebel Configuration Wizard for SWSE. However, if the parameter is not defined in the file, this is equivalent to a value of FALSE. For additional information, see Encrypted Passwords in the eapps.cfg File.
EncryptSessionId	When this parameter is set to TRUE (the default), the session ID is encrypted. When it is FALSE, the session ID is not encrypted. For a Siebel Web Client, the session ID is used in the session cookie (in cookie-based mode) or in the application URL (in cookieless mode). For more information about cookies, see About Using Cookies with Siebel Business Applications.
GuestSessionTimeout	The time, in seconds, that a connection open for anonymous browsing can remain idle before it times out. The default is 300 seconds (5 minutes). Guest sessions are used for anonymous browsing. They permit users to navigate portions of the site without logging in. In contrast to anonymous sessions, guest sessions are associated with an individual Siebel Web Client. These sessions are opened when an unregistered user starts navigating the site, and they remain open until the Web client logs out or times out due to inactivity. When deciding the value to specify for guest user timeout, the primary consideration is whether or not anonymous browsing is being used. If it is, then set guest user timeouts to be greater than the average time users need to deliberate their next action. In other words, this is the time allowed between user actions. Both guest and anonymous sessions use the AnonUserName and AnonPassword parameters to log in.
SessionTimeout	The time, in seconds, from the user's last browser request until the user's connection times out. The default is 900 seconds (15 minutes). Standard sessions are those where users log in using their registered user name and password. Otherwise, standard sessions share many of the same characteristics as guest sessions. For guidelines on setting a value for the SessionTimeout parameter, see About the SessionTimeout Parameter.
SessionTimeoutWarning	Before a session times out, a prompt is displayed allowing users to choose whether or not to extend the session. The time at which this prompt appears is determined by the value selected for the SessionTimeoutWarning parameter. The default value is 60 seconds. NOTE: The SessionTimeoutWarning functionality is supported with Siebel standard-interactivity applications only; it is not supported with Siebel high-interactivity applications or with Siebel Open UI. The time at which the timeout warning prompt is displayed is calculated by subtracting the value of the SessionTimeoutWarning parameter from the value of the SessionTimeout parameter. For example, if the SessionTimeout parameter is set to the default value of 900 seconds, and the SessionTimeoutWarning parameter is set to a value of 300 seconds, the timeout warning prompt is displayed after 600 seconds of inactivity (900 minus 300 equals 600). If the user selects OK in response to the timeout warning prompt, then the session timer is reset to zero and is only activated again after another 600 seconds of inactivity have elapsed. If the user selects Cancel, then the session is terminated once the session timeout period is reached. If you do not want users to see a timeout warning prompt, then set the value of the SessionTimeoutWarning parameter to one of the following: - (minus symbol) never 0
SingleSignOn	The SWSE operates in Web SSO mode when this parameter is `TRUE`. For more information, see Web Single Sign-On Authentication.
SubUserSpec	In a Web SSO environment that implements digital certificate authentication, a value of CN specifies that the Siebel user ID is to be extracted from the certificate's CN (Common Name) attribute. For more information, see Configuring the User Specification Source.
TrustToken	In a Web SSO environment, this token string is a shared secret between the SWSE and the security adapter. It is a measure to protect against spoofing attacks. This setting must be the same on both the SWSE and the security adapter. For more information, see Web Single Sign-On Authentication.
UserSpec	In a Web SSO implementation, this variable name specifies where the SWSE looks for a user's user name within the source given by UserSpecSource. The value, REMOTE_USER, by default is populated by the authentication filter. If digital certificate authentication is implemented on Windows or AIX, then use the value CERT_SUBJECT, a variable that contains the certificate name. For example, UserSpec/SubUserSpec is CERT_SUBJECT/CN. For other UNIX operating systems, use REMOTE_USER for UserSpec. The SubUserSpec setting is disregarded. For more information, see Configuring the User Specification Source.
UserSpecSource	In a Web SSO implementation, this parameter specifies the source from which the SWSE derives the user credentials: Server, if from the usual Web server user name field; Header, if the variable is within the HTTP request header. For more information, see Configuring the User Specification Source.
ProtectedVirtualDirectory Defined in the section for each individual Siebel application in eapps.cfg. Do not define in the [defaults] section.	This parameter specifies a Web server virtual directory that represents the protected location of the Siebel application. This parameter must have a value in a Web SSO implementation, and is optional in other implementations. For more information, see About the Protected Virtual Directory Parameter.
IntegratedDomainAuth Defined in the [swe] section of eapps.cfg.	To support Windows Integrated Authentication for Web SSO, set this parameter to `TRUE`. This setting causes SWSE to strip out the domain name from HTTP headers, which allows the application to integrate with Windows Integrated Authentication.

About the SessionTimeout Parameter

SessionTimeout is the time, in seconds, from the user's last browser request until the user's connection times out. Table 33 offers guidelines for setting this parameter.

All the session timeouts mentioned in Table 33 refer to session inactivity. That is, if session timeout is set to 3600 seconds, then it requires one hour of session inactivity for that session to time out. Session inactivity means no request is made to the Siebel Server on that session. Any act that sends a ping request to the Siebel Server, such as sending notifications, resets the session timeout period. If the update interval is less than the SessionTimeout set in the eapps.cfg file, then the session never times out.

If you use the Siebel Portal Framework to implement portal views, then note that the Siebel application times out if user activity in the portal view exceeds the time that is specified by SessionTimeout. Note also that, by default, portal views send a ping status request to their server every 120 seconds (2 minutes) to keep their session alive. For more information about the Siebel Portal Framework, see Siebel Portal Framework Guide.

About the Protected Virtual Directory Parameter

The ProtectedVirtualDirectory parameter specifies a Web server virtual directory that represents the protected location of the Siebel application. This parameter is required in a Web SSO implementation.

The protected directory allows you to configure your Web server or third-party authentication software to require user authentication to access specific Siebel application views. Requests for any views that require explicit login are redirected to this virtual directory. For more information, see (Optional) Creating Protected Virtual Directories.

For example, if you used the suggested name for the protected virtual directory for Siebel eService, enter:

If your Web SSO implementation is not configured for anonymous browsing, then set this value to the same directory as your application. For example:

Otherwise, a Web Authentication Failed message might appear in the application's log file.

NOTE: You use examples like those above to secure an entire application. However, if some parts of the application do not require authentication, you must be able to authenticate users when they access a secured part of the application. In this case, set the parameter to an alias where the Web SSO credentials are passed. The Siebel application redirects the authentication request.

Siebel Security Guide		Copyright © 2014, Oracle and/or its affiliates. All rights reserved. Legal Notices.