Configuring LDAP or ADSI Security Adapters Using the Siebel Configuration Wizard


This topic describes how to configure the Siebel LDAP or ADSI security adapters using the Siebel Configuration Wizard after you have installed Siebel Business Applications. Alternatively, you can configure the security adapter settings by setting Gateway Name Server parameters directly using Server Manager. For information on installing and configuring Siebel Business Applications, see Siebel Installation Guide for the operating system you are using.

You use the Siebel Configuration Wizard to configure the Siebel Gateway Name Server parameters that set security adapter values. You can also use the Siebel Configuration Wizard to configure security adapter settings for Gateway Name Server access authentication; these parameters are stored in the Gateway Name Server configuration file (gateway.cfg). When configuring a Siebel Developer Web Client, you configure authentication parameters stored in the Siebel application configuration file. When you configure Siebel Gateway Name Server parameters, the Siebel Gateway Name Server must be running.

NOTE:  The Siebel Enterprise and Gateway Name Server are configured to use database authentication by default. If you specify LDAP or ADSI authentication using the Siebel Configuration Wizard, then the parameter values you specify for the security adapter are only implemented when you manually change the SecAdptName and SecAdptMode parameters using Server Manager to enable LDAP or ADSI authentication.

When you specify LDAP or ADSI as the security adapter type using the Configuration Wizard, the setting you make provides the value for the Security Adapter Mode (SecAdptMode) parameter. The Security Adapter Mode and Security Adapter Name parameters can be set for the Siebel Gateway Name Server, the Siebel Enterprise Server, for a particular Siebel Server, for an individual Application Object Manager component, or for the Synchronization Manager component (for Siebel Remote).

CAUTION:  If you want to configure a server component or a Siebel Server to use different LDAP or ADSI authentication settings than those already configured at a higher level (that is, configured for the Siebel Enterprise or Siebel Server), then you must create a new LDAP or ADSI security adapter. Otherwise, the settings you make reconfigure the existing security adapter wherever it is used.

When you specify LDAP or ADSI as the security adapter mode, additional configuration parameters are defined for the particular LDAP or ADSI security adapter. For example, the Security Adapter DLL Name (SecAdptDllName) parameter is automatically set when you specify LDAP or ADSI as the security adapter mode.

The Siebel Configuration Wizard sets authentication-related configuration parameters for Siebel Business Applications and Gateway Name Server authentication, but does not make changes to the LDAP directory or to Active Directory. Make sure the configuration information you enter is compatible with your directory server.

The following procedure describes how to run the Siebel Configuration Wizard to configure the LDAP or ADSI security adapters provided with Siebel Business Applications.

To configure your LDAP or ADSI security adapter

  1. Start the Siebel Enterprise Configuration Wizard.
  2. Choose the Create New Configuration option, then Configure a New Enterprise in a Gateway Name Server.

    For details about launching the wizard, see Siebel Installation Guide for the operating system you are using.

  3. Navigate to the Enterprise Security Authentication Profile screen.
  4. Choose the authentication type that corresponds to the security adapter you want to implement, and click Next.
    • Select Lightweight Directory Access Protocol (LDAP) Authentication to implement the LDAP security adapter.
    • Select Active Directory (ADSI) Authentication (Windows only) to implement the ADSI security adapter.

      Enter values for the various parameters that the Configuration Wizard presents to you as described in the following steps. The screens that the Configuration Wizard presents depend on the authentication type you select.

  5. Security Adapter Name (named subsystem). Specify the name of the security adapter. The setting you make provides a value for the Security Adapter Name parameter. You can accept the default name, or specify a nondefault name. If an enterprise profile (named subsystem) does not already exist with the name you specify, then the Siebel Configuration Wizard creates a new enterprise profile using that name. The default names are:
    • For LDAP, Security Adapter Name defaults to LDAPSecAdpt.
    • For ADSI, Security Adapter Name defaults to ADSISecAdpt.
  6. Security Authentication Library CRC Checksum. Specify whether you want to use checksum validation for the security adapter DLL file. Corresponds to the CRC parameter.

    If you do not want to use checksum validation, enter 0. Otherwise, enter the value that you generate. For information, see Configuring Checksum Validation.

  7. Directory Server Domain Name. Corresponds to the ServerName parameter.

    Specifies the name of the computer on which the LDAP or Active Directory server runs.

    • LDAP. You must specify the fully qualified domain name of the LDAP server, not just the domain name. For example, specify ldapserver.example.com, not example.com.
    • ADSI. For Active Directory, if TLS is configured between the Siebel Server computer and the Active Directory server computer, then you must specify the fully qualified domain name of the directory server. If the Siebel Server and directory server are in the same domain, then you can specify the complete computer name of the Active Directory server.

      Do not specify the IP address of the Active Directory server for the Server Name parameter.

  8. LDAP Port Configuration (LDAP only). The port number used by the LDAP directory server. Corresponds to the Port parameter. Select the appropriate option according to whether LDAP is configured to use a standard port (389) or a secure transmission port (636). Proceed to Step 10.

    If you configured LDAP to use a transmission port other than one of those listed, then check the Use a different transmission port (non-default) option and proceed to Step 9.

    The Active Directory server port is set as part of the directory installation, not as a configuration parameter.

  9. Network TCP/IP Port Number. Enter the TCP/IP port number used by your LDAP implementation to authenticate the Siebel application.
  10. Enter configuration information pertaining to attribute mapping:
    • Siebel Username Attribute. The Siebel user ID attribute used by the directory. An example entry for an LDAP directory is uid. An example entry for Active Directory is sAMAccountName (maximum length 20 characters). If your directory uses a different attribute for the Siebel user ID, then enter that attribute instead. Corresponds to the UsernameAttributeType parameter.
    • Siebel Password Attribute. The password for the Siebel user ID attribute used by the directory (LDAP only). Corresponds to the PasswordAttributeType parameter.
    • Credentials Attribute. The database credentials attribute type used by the directory. For LDAP and Active Directory, an example entry is dbaccount.
  11. Enter values for the following:
    • LDAP Roles Attribute. The attribute type for roles stored in the directory. This setting is required only if you use roles in your directory. Corresponds to the RolesAttributeType parameter. For more information, see Configuring Roles Defined in the Directory.
    • Shared Database Account Distinguished Name (DN). If you are implementing a shared database account for users, then specify the full DN of the directory object containing the shared database account values. Corresponds to the SharedCredentialsDN parameter. Configuring the shared database account also uses the database account attribute you defined in Credentials Attribute.

      You can, as an alternative, specify the database credentials as profile parameters. For more information on this option, see Step 12.

  12. Store shared database user credentials as parameters. Choose the appropriate action:
    • Select the check box Store Shared Database User Credentials as Parameters if you want to store the database credentials for the shared database account as parameter values for the LDAP Security Adapter profile or the ADSI Security Adapter profile instead of as directory attributes. Proceed to Step 13.
    • Leave the check box clear if you want to store each user's database account credentials in an attribute of that user's record in the directory. Proceed to Step 14.
  13. Configure the shared database account:
    • Shared Database Account. Specify the shared database account user name.
    • Shared Database Account Password. Specify the shared database account password.

      For more information on the shared database account, see Configuring the Shared Database Account.

  14. Configure the application user:
    • Application User Distinguished Name (DN). The full DN (distinguished name) for the application user stored in the directory. Corresponds to the ApplicationUser parameter.

      In addition to defining the application user here, you must also create the application user in the LDAP directory or in Active Directory. For more information, see Configuring the Application User.

      NOTE:  If you are configuring an ADSI security adapter, then the application user must either be a domain user or have access to the directory server. If the application user cannot access the directory server, then the authentication process fails.

    • Application Password. The password for the application user stored in the directory. Corresponds to the ApplicationPassword parameter. Confirm the password.
  15. Configure Web Single Sign-On (Web SSO). To configure Web SSO, select the check box. Corresponds to the SingleSignOn parameter.
    • If you selected the check box, then go to Step 16.
    • If you did not select the check box, then go to Step 17.
  16. Enter configuration information pertaining to Web SSO:
    • Credentials Attribute. Enter the database credentials attribute type used by the directory.
    • User Specification. The Web server variable which stores the user's identity key. Corresponds to the UserSpec parameter.
    • Shared Secret. Specify the trust token to use for Web SSO. Corresponds to the TrustToken parameter. The value also corresponds to the TrustToken parameter in the eapps.cfg file on the SWSE.
  17. SSL Database Certificate File. To enable SSL with the LDAP security adapter, provide the directory path to the Oracle wallet. For more information, see Enabling SSL for the Siebel LDAP Security Adapter.
  18. Enter values for password hashing:
    • Hash User Passwords. Specify whether or not you want to use password hashing for user passwords. Corresponds to the HashUserPwd parameter.
    • Hash Database Passwords. Specify whether or not you want to use password hashing for database credentials passwords. Corresponds to the HashDBPwd parameter.

      For more information, see About Password Hashing.

  19. Salt User Passwords. Specify whether you want to add a salt value to user passwords before they are hashed. Corresponds to the SaltUserPwd parameter. This option is available only if you have chosen to hash user passwords.

    NOTE:  You cannot add salt values to user passwords if you enable Web Single Sign-On.

    For more information on the salt value feature, see About Password Hashing.

  20. Salt Attribute. If you have chosen to add salt values to user passwords, then specify the attribute that is to store the salt value. The default attribute is title. Corresponds to the SaltAttributeType parameter.
  21. Security Adapter Mapped User Name. Specify whether you want to implement the adapter-defined user name. Corresponds to the UseAdapterUserName parameter. For more information, see Configuring Adapter-Defined User Name.
    • If you check this option, then you must specify the Siebel User ID attribute. Go to Step 22.
    • If you do not check this option, then go to Step 23.
  22. Siebel User ID Attribute. Specify the Siebel User ID attribute for the adapter-defined user name. Corresponds to the SiebelUsernameAttributeType parameter.
  23. Base Distinguished Name (DN). Specify the base distinguished name (DN) in the directory under which Siebel users are stored. Corresponds to the BaseDN parameter.
  24. Propagate Change. Specify whether you want to configure the ability to propagate changes to the LDAP directory or to Active Directory from a Siebel Developer Web Client or a Siebel Mobile Web Client. Corresponds to the PropagateChange parameter.

    NOTE:  If you specify this option, then you must also set the SecThickClientExtAuthent system preference to TRUE.

  25. Propagate Authentication Settings to the Gateway Name Server. Select the check box to apply the Enterprise authentication settings you have just configured to the Gateway Name Server. The values you have specified are written to the gateway.cfg file.

    Selecting this option also sets the ConnectString parameter in the gateway.cfg file to the ODBC data source name used to connect to the Siebel database.

    NOTE:  If this is the first time the Enterprise is being configured on the Gateway Name Server, then you must select this option for the configuration to complete. Subsequently, select this option only when changing existing settings.

    For further information on the gateway.cfg file, see About Authentication for Gateway Name Server Access and Parameters in the Gateway.cfg File.

  26. Perform any of the additional tasks listed on the Additional Tasks for Configuring the Enterprise screen as required.
  27. Review the settings you have specified on the Summary screen, then execute the configuration.
  28. When the Siebel Enterprise Configuration Wizard has executed successfully, enable LDAP or ADSI authentication and implement the security adapter settings you have just configured by changing the SecAdptName and SecAdptMode parameters to specify either LDAP or ADSI.

    For the Enterprise, change the SecAdptName and SecAdptMode parameters using Siebel Server Manager (see Configuring Security Adapter Gateway Name Server Parameters). For the Gateway Name Server, edit the SecAdptName and SecAdptMode parameters in the gateway.cfg file (see Parameters in the Gateway.cfg File).
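
The procedure above states several dependencies between parameters (salting requires hashing and is unavailable with Web SSO, ServerName must not be an IP address, the adapter stays inactive until SecAdptName and SecAdptMode are changed). The following Python check over an exported parameter set is an added example, not Oracle code. The parameter names come from this topic; the dictionary layout, the finding codes, the function names and the sample values are assumptions made for illustration.

```python
import ipaddress

def on(cfg, key):
    """Siebel-style boolean parameter: 'TRUE' in any case means enabled."""
    return str(cfg.get(key, "")).strip().upper() == "TRUE"

def is_ip(host):
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        return False

def check_adapter(cfg, adapter, sys_prefs=None):
    """Lint one adapter profile; adapter is 'LDAP' or 'ADSI' (wizard Step 4)."""
    prefs, out = sys_prefs or {}, []
    host = cfg.get("ServerName", "")
    sso, salt = on(cfg, "SingleSignOn"), on(cfg, "SaltUserPwd")
    if cfg.get("SecAdptMode") != adapter or not cfg.get("SecAdptName"):
        out.append(("error", "not-enabled: SecAdptMode/SecAdptName not switched "
                             "to this adapter, so its values are not in effect"))
    if is_ip(host):
        out.append(("error", "server-ip: ServerName must be a name, not an IP"))
    elif adapter == "LDAP" and "." not in host:  # heuristic: bare host name
        out.append(("error", "server-fqdn: LDAP needs the fully qualified name"))
    if salt and not on(cfg, "HashUserPwd"):
        out.append(("error", "salt-no-hash: SaltUserPwd requires HashUserPwd"))
    if salt and sso:
        out.append(("error", "salt-sso: salting is unavailable with Web SSO"))
    if sso and not (cfg.get("UserSpec") and cfg.get("TrustToken")):
        out.append(("error", "sso-incomplete: set UserSpec and TrustToken"))
    if on(cfg, "UseAdapterUserName") and not cfg.get("SiebelUsernameAttributeType"):
        out.append(("error", "mapped-user: SiebelUsernameAttributeType missing"))
    if on(cfg, "PropagateChange") and not on(prefs, "SecThickClientExtAuthent"):
        out.append(("error", "propagate: SecThickClientExtAuthent must be TRUE"))
    if cfg.get("CRC") in ("0", 0):
        out.append(("warn", "crc-off: adapter DLL checksum validation disabled"))
    return out

# Constructed sample values, not taken from any real deployment.
SAMPLE = {
    "SecAdptName": "LDAPSecAdpt", "ServerName": "192.0.2.10", "CRC": "0",
    "HashUserPwd": "TRUE", "SaltUserPwd": "TRUE", "SingleSignOn": "TRUE",
    "UserSpec": "REMOTE_USER", "TrustToken": "", "PropagateChange": "TRUE",
}

if __name__ == "__main__":
    for sev, msg in check_adapter(SAMPLE, "LDAP"):
        print(sev, msg)
```

The dot test on ServerName only catches a bare host name; it cannot tell a domain name such as example.com from a fully qualified server name, so that case still needs a manual review.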

Siebel Security Guide Copyright © 2014, Oracle and/or its affiliates. All rights reserved. Legal Notices.