
Configuring SSL or TLS Encryption for a Siebel Enterprise or Siebel Server


This topic describes how to configure a Siebel Enterprise or Siebel Server to use SSL or TLS encryption and authentication for SISNAPI communications between Siebel Servers and the Web server (SWSE), and between Siebel Servers. Configuring SSL or TLS for SISNAPI communications is optional.

This task is a step in Process of Configuring Secure Communications.

Configuring SSL or TLS communications between Siebel Servers and the Web server also requires that you configure the SWSE to use SSL or TLS. When configuring SSL or TLS for Siebel Server and the SWSE, you can also configure connection authentication for the relevant modules. In other words, when one module connects to another, a module might be required to authenticate itself to the other using third-party certificates.

Connection authentication scenarios are:

  • Siebel Server authenticates against the Web server.
  • Web server authenticates against the Siebel Server.
  • Siebel Server authenticates against another Siebel Server.

If you select the peer authentication option, mutual authentication is performed.

Configuring a Siebel Enterprise or Siebel Server to use SSL or TLS encryption involves the following tasks:

  1. Run the Siebel Configuration Wizard for the Siebel Enterprise or Siebel Server and select the appropriate option to deploy either SSL or TLS.

    This task is described in Deploying SSL or TLS for a Siebel Enterprise or Siebel Server.

  2. For each Application Object Manager that is to use either SSL or TLS, set the CommType parameter to SSL or TLS as appropriate.

    This task is described in Setting Additional Parameters for Siebel Server SSL or TLS.

Deploying SSL or TLS for a Siebel Enterprise or Siebel Server

The following procedure describes running the Siebel Configuration Wizard to deploy SSL or TLS for a Siebel Server or a Siebel Enterprise. Performing this procedure adds parameters to the Siebel Gateway Name Server; these parameters can alternatively be set using Siebel Server Manager.

NOTE:  If you configure SSL or TLS for the Siebel Enterprise, then all Siebel Servers in the Enterprise inherit all settings. These settings include the key file name and password and certificate file names. You can run the Siebel Configuration Wizard again later to separately configure individual Siebel Servers, at which time you can specify unique key file names or passwords or unique certificate file names. In order to completely configure SSL or TLS for your Siebel Servers, you must run this utility multiple times.

To enable SSL or TLS encryption for the Siebel Server or Enterprise

  1. Before you begin, obtain and install the certificate files that you need if you are configuring SSL or TLS authentication.
  2. If you are running the Siebel Configuration Wizard to configure the Siebel Enterprise, then do the following:
    1. Start the Siebel Configuration Wizard and configure values for the Enterprise.

      For information on this task, see Siebel Installation Guide for the operating system you are using.

    2. When the Additional Tasks for Configuring the Enterprise screen appears, select the Enterprise Network Security Encryption Type option.
    3. On the Security Encryption Level or Type screen, select the SISNAPI Using TLS 1.2 option, the SISNAPI Using SSL 3.0 option, or the SISNAPI Using Enhanced SSL 3.0 option.
    4. Proceed to Step 4.
  3. Alternatively, to run the Siebel Configuration Wizard directly on a Siebel Server computer, do the following:
    1. Start the Siebel Server Configuration Wizard directly and configure values for the Siebel Server.

      For information on this task, see Siebel Installation Guide for the operating system you are using.

    2. When the Additional Tasks for Configuring the Siebel Server screen is displayed, select the Server-Specific Security Encryption Settings option.
    3. On the Security Encryption Level or Type screen, select the SISNAPI Using TLS 1.2 option or the SISNAPI Using SSL 3.0 option.
    4. Proceed to Step 4.
  4. Specify the name and location of the certificate file and of the certificate authority file.

    The equivalent parameters in the Siebel Gateway Name Server are CertFileName (display name Certificate file name) and CACertFileName (display name CA certificate file name).

  5. Specify the name of the private key file, and the password for the private key file, then confirm the password.

    The password you specify is stored in encrypted form.

    The equivalent parameters in the Siebel Gateway Name Server are KeyFileName (display name Private key file name) and KeyFilePassword (display name Private key file password).

  6. Specify whether or not you want to enable peer authentication.

    Peer authentication means that this Siebel Server authenticates the client (that is, SWSE or another Siebel Server) that initiates a connection. Peer authentication is false by default.

    The peer authentication parameter is ignored if SSL or TLS is not deployed between the Siebel Server and the client (either the SWSE or another Siebel Server). If peer authentication is set to TRUE on the Siebel Server, then a certificate from the client is authenticated provided that the Siebel Server has the certifying authority's certificate to authenticate the client's certificate. The client must also have a certificate. If SSL or TLS is deployed and the SWSE has a certificate, then it is recommended that you set PeerAuth to TRUE on both the Siebel Server and the SWSE to obtain maximum security.

    The equivalent parameter in the Siebel Gateway Name Server is PeerAuth (display name Peer Authentication).

  7. Specify whether or not you require peer certificate validation.

    Peer certificate validation performs reverse-DNS lookup to independently verify that the hostname of the Siebel Server computer matches the hostname presented in the certificate. Peer certificate validation is false by default.

    The equivalent parameter in the Siebel Gateway Name Server is PeerCertValidation (display name Validate peer certificate).

    Depending on the Siebel Configuration Wizard you are running, you return to either the Siebel Enterprise or the Siebel Server configuration process.

  8. Continue to configure values for the Siebel Enterprise or Siebel Server, then review the settings, finish configuration, and restart the server.
  9. Perform the tasks in Setting Additional Parameters for Siebel Server SSL or TLS.
  10. Repeat this procedure for each Siebel Server in your environment, as necessary.

    Make sure you also configure each SWSE in your environment. For information, see Configuring SSL or TLS Encryption for SWSE.

Setting Additional Parameters for Siebel Server SSL or TLS

After configuring SSL or TLS for a Siebel Server, you must set additional Gateway Name Server parameters to enable SSL or TLS for the Siebel Server as described in the following procedure.

To set additional parameters for Siebel Server SSL or TLS

  1. Using Siebel Server Manager, set the Communication Transport parameter (alias CommType) to either SSL or TLS as appropriate for each Application Object Manager that is to use SSL or TLS. (TCP/IP is used by default.)

    For information on using Siebel Server Manager, see Siebel System Administration Guide.

  2. If you previously used Microsoft Crypto or RSA encryption, then, using Siebel Server Manager, set the Encryption Type parameter (alias Crypt) to NONE for the Siebel Enterprise.
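
The parameters set in the two procedures above (CommType for each Application Object Manager, the certificate and key file parameters, PeerAuth, PeerCertValidation, and Crypt) depend on one another, and the dependencies can be checked mechanically. The following audit is an added example, not Oracle code and not part of the original guide. The input format, component names, and sample values are constructed, and treating SSL 3.0 (deprecated by RFC 7568) and an unset PeerCertValidation as findings is this example's own choice.

```python
# Added example: audits the SISNAPI parameters named on this page. The input format
# and component names are constructed; this is not Siebel Server Manager output.
SAMPLE = """\
enterprise CertFileName=/certs/siebsrvr.pem
enterprise CACertFileName=
enterprise KeyFileName=/certs/siebsrvr.key
enterprise PeerAuth=FALSE
enterprise Crypt=RSA
comp:ExampleObjMgrA CommType=TLS
comp:ExampleObjMgrB CommType=SSL
comp:ExampleObjMgrC CommType=TCPIP
"""

def parse(text):
    """Split the listing into enterprise parameters and per-component CommType."""
    ent, comps = {}, {}
    for line in text.splitlines():
        scope, _, assignment = line.strip().partition(" ")
        alias, _, value = assignment.partition("=")
        if scope == "enterprise":
            ent[alias.strip()] = value.strip()
        elif scope.startswith("comp:") and alias.strip() == "CommType":
            comps[scope[len("comp:"):]] = value.strip().upper()
    return ent, comps

def audit(text):
    """Return a list of findings; an empty list means no rule was violated."""
    ent, comps = parse(text)
    def is_true(alias):
        return ent.get(alias, "FALSE").upper() == "TRUE"
    findings = []
    for comp, ctype in sorted(comps.items()):
        if ctype not in ("SSL", "TLS"):
            findings.append(f"{comp}: CommType={ctype}, SISNAPI is not encrypted")
        elif ctype == "SSL":
            findings.append(f"{comp}: CommType=SSL, prefer TLS (SSL 3.0 is deprecated)")
    if any(t in ("SSL", "TLS") for t in comps.values()):
        for alias in ("CertFileName", "CACertFileName", "KeyFileName"):
            if not ent.get(alias):
                findings.append(f"enterprise: {alias} is not set")
        if not is_true("PeerAuth"):
            findings.append("enterprise: PeerAuth is not TRUE, clients are not authenticated")
        if not is_true("PeerCertValidation"):
            findings.append("enterprise: PeerCertValidation is not TRUE, hostname is not verified")
        if ent.get("Crypt", "NONE").upper() != "NONE":
            findings.append(f"enterprise: Crypt={ent['Crypt']}, set it to NONE with SSL or TLS")
    elif is_true("PeerAuth"):
        findings.append("enterprise: PeerAuth=TRUE is ignored, no component uses SSL or TLS")
    return findings
```

Calling `audit(SAMPLE)` returns six findings for the constructed listing; a listing with every component on TLS, all three file parameters set, both peer options TRUE, and Crypt set to NONE returns an empty list.
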
Siebel Security Guide Copyright © 2014, Oracle and/or its affiliates. All rights reserved. Legal Notices.