|
Siebel Security Guide > Communications and Data Encryption >
About Certificates and Key Files Used for SSL or TLS Authentication
When you configure SSL or TLS authentication for a Siebel Enterprise, Siebel Server, or SWSE, you specify parameter values that indicate the names of certificate files, certificate authority files, and private key files on the computers that host these components. The certificate files you use for this purpose can be issued by and obtained from third-party certificate authorities. Certificate authority files identify the third-party certificate authority who issued the certificate. Certificate files must adhere to the following requirements:
- Use a supported certificate file format:
- On Microsoft Windows environments, certificate authority files can use either ASN (Abstract Syntax Notation) or PEM (Privacy Enhanced Mail) format.
The ASN.1 format is also referred to as the Distinguished Encoding Rules (DER) format. Rename certificate files in DER format to have the file extension .asn.
- On UNIX environments, certificate authority files must use the PEM (Base 64 encoded X.509) format. Certificate files in ASN format cannot be used in UNIX environments.
- Private key files must use the PEM format.
The certificate file must use the file extension that corresponds to the certificate file format in use: .pem for the PEM format, and .asn for the ASN format.
NOTE: You can convert PEM-based certificate files to the ASN-based format.
- Certificate files on each computer must be unique and belong to that computer if PeerAuth is set to TRUE on the remote computer.
- If an intermediate certification authority is used, then both the intermediate and the root certificate authority certificates must be in the same file. You specify the name of this file for the CACertFileName parameter when you configure SSL or TLS for communication between Siebel components.
Certificate files and private key files are typically installed on each computer that hosts a component or module for which you configure SSL or TLS, such as a Siebel Server or SWSE. You do not have to authenticate or encrypt communications between components on the same computer. For information on installing certificate files, see Installing Certificate Files. About Supported Values for Certificate Encryption Keys
A certificate authority certifies ownership of the public and private key pairs that are used to encrypt and decrypt SSL or TLS communications. Messages are encrypted with the public key and decrypted with the private key. The certificate key size refers to the size, in bits, of the encryption key provided with the certificate. In general, for SSL or TLS authentication for a Siebel Enterprise, Siebel Server, or SWSE, Siebel Business Applications support certificates that use an encryption key size of 1024 bits. If you require a higher encryption key size, for example, 2048 or 4096 bits, then you must use Siebel Strong Encryption. The size of the certificate key supported depends on the components for which you are configuring SSL or TLS communications. Table 4 shows the certificate key sizes supported for communications between different components in a Siebel Business Applications deployment.
Table 4. Encryption Key Sizes Supported For SSL or TLS Certificates
SSL or TLS Communication Type |
|
SSL or TLS communications using SISNAPI. Communications between the Siebel Server and the Web server (SWSE), and between Siebel Servers. |
1024-bit certificate keys only are supported by default. To use certificate key sizes larger than 1024 bits, for example, 2048-bit or 4096-bit keys, you must follow the instructions in Increasing the Certificate Key Sizes Supported For SISNAPI Communications. |
TLS communications between Web clients and the Web server. |
The acceptable protocols and key sizes are determined by the underlying operating system and Web server software. In most cases, these systems support larger private key sizes. |
SSL communications between developer clients (including Siebel Tools) and components in the Siebel environment. |
1024-bit certificate keys only are supported. |
SSL or TLS communications between the Siebel Server and the Siebel database. |
The key size supported is determined by the third-party database used and database client software. |
SSL or TLS communications between Siebel security adapters and external directory servers. |
These connections can support larger bit sizes for SSL certificate keys. |
SSL or TLS communications for Web services. |
1024-bit certificate keys only are supported. |
NOTE: Oracle does not support the use of SSL v3.0 encryption for environments with high-security requirements. It is recommended that you implement TLS encryption where possible. For additional information, see Using Secure Socket Layer v3.0 with Siebel CRM.
Increasing the Certificate Key Sizes Supported For SISNAPI Communications
For SSL or TLS authentication for Siebel Enterprise, Siebel Server, or SWSE communications, Siebel Business Applications support certificates that use an encryption key size of 1024 bits. If you want to use certificates with larger encryption key sizes, for example, certificates that use 2048-bit or 4096-bit encryption keys, then perform the steps in the following procedure. To increase the certificate key sizes supported for SISNAPI communications
- Navigate to the directory where the Siebel Strong Encryption (SSE) files were installed on the Siebel Server, Siebel Gateway Name Server, or the Web server:
- Web server
- Siebel Server or Siebel Gateway Name Server
- Windows: COMPONENT_ROOT
\BIN\SSEP
- UNIX: COMPONENT_ROOT
/LIB/SSEP
where COMPONENT_ROOT is either the Siebel Server installation directory or the Gateway Name Server installation directory.
For additional information, see Implementing Siebel Strong Encryption.
- Copy the sslcnapi128 file from the SSEP directory to the directory where the sslcnapi file is located on the Siebel Server, Gateway Name Server, or the Web server as appropriate. The sslcnapi file is located as follows:
- Web server
- Windows:
SWEAPP_ROOT\BIN\sslcnapi.dll
- UNIX:
SWEAPP_ROOT/BIN/sslcnapi.so
- Siebel Server or Gateway Name Server
- Windows:component
\BIN\sslcnapi.dll
- UNIX:component
/lib/libsslcnapi.so
- Rename the sslcnapi128 file to either sslcnapi or libsslcnapi to replace the existing sslcnapi file.
|
