Security Guide for Siebel Business Applications > Configuration Parameters Related to Authentication >

Siebel Gateway Name Server Parameters


Parameters for the Siebel Gateway Name Server can be set at one or more of the Enterprise, Siebel Server, or component levels. They are set in the Administration - Server Configuration screen of a Siebel employee application, such as Siebel Call Center.

  • Parameters you set at the Enterprise level configure all Siebel Servers throughout the enterprise.
  • Parameters you set at the Siebel Server level configure all applicable components on a specific Siebel Server.
  • Parameters you set at the component level configure all the tasks, or instances, of a specific component.
  • Parameters you set for an enterprise profile (named subsystem) configure the applicable security adapter.

For purposes of authentication, most of the components of interest are AOMs, such as the Call Center Object Manager or the eService Object Manager. The Synchronization Manager component also supports authentication.

A particular parameter set at a lower level overrides the same parameter set at a higher level. For example, if Security Adapter Mode = LDAP at the Enterprise level, and Security Adapter Mode = ADSI at the component level for the eService Object Manager component, then the ADSI security adapter is used for Siebel Service.

Parameters configured for Siebel security adapters are configured for the enterprise profile (for GUI Server Manager) or named subsystem (for command-line Server Manager).

For more information about configuring security adapters, see Security Adapter Authentication.

NOTE:  For detailed information about how to set parameters on the Siebel Gateway Name Server, using Siebel Server Manager, see Siebel System Administration Guide.

Parameters for Database Authentication

The following parameters are for database authentication, and are defined for named subsystems of type InfraSecAdpt_DB (that is, they may be set for the DBSecAdpt named subsystem, or a similar security adapter with a nondefault name):

  • CRC (alias DBSecAdpt_CRC). Use this parameter to implement checksum validation, in order to verify that each user gains access to the database through the correct security adapter. This parameter contains the value calculated by the checksum utility for the applicable security adapter DLL. If you leave this value empty, the system does not perform the check. If you upgrade your system, you must recalculate and replace the value in this parameter.

    For more information, see Configuring Checksum Validation.

  • DataSource Name (alias DataSourceName). Specifies the data source for which you are specifying password hashing parameters.
  • Propagate Change (alias DBSecAdpt_PropagateChange). Set this parameter to TRUE to allow administration of credentials in the database through Siebel Business Applications. When an administrator then adds a user or changes a password from within a Siebel application or a user changes a password or self-registers, the change is propagated to the database.
  • Security Adapter Dll Name (alias DBSecAdpt_SecAdptDllName). Specifies the DLL that implements the security adapter API required for integration with Siebel Business Applications. The file extension need not be explicitly specified. For example, sscfsadb.dll implements the Siebel database security adapter in a Windows implementation, and sscfsadb.so does so in a UNIX implementation. If the DLL name for the adapter is used in a UNIX implementation, it is converted internally to the actual file name.

The following parameters are also for database authentication environments, and are defined for named subsystems of type InfraDataSource (that is, they may be set for the ServerDataSrc named subsystem, or another data source). The named subsystem is specified as the value for the DataSourceName parameter for the database security adapter.

  • Hash User Password (alias DSHashUserPwd). Specifies password hashing for user passwords. Uses the hashing algorithm specified using the DSHashAlgorithm parameter. For details, see Configuring Password Hashing.
  • User Password Hash Algorithm (alias DSHashAlgorithm). Specifies the password hashing algorithm to use, if DSHashUserPwd is TRUE. The default value, RSASHA1, provides hashing using the RSA SHA-1 algorithm. The value SIEBELHASH specifies the password hashing mechanism provided by the mangle algorithm from Siebel Systems (supported for existing customers only). For details, see Configuring Password Hashing.

Parameters for LDAP/ADSI Authentication

The following parameters are for LDAP/ADSI authentication, and are defined for named subsystems of type InfraSecAdpt_LDAP (that is, they may be set for the named subsystems LDAPSecAdpt or ADSISecAdpt, or a similar security adapter with a nondefault name):

  • Application Password (alias ApplicationPassword). Specifies the password in the directory for the user defined by the ApplicationUser parameter.
    • In an LDAP directory, the password is stored in an attribute.
    • In ADS, the password is stored using ADS user management tools; it is not stored in an attribute.
  • Application User (alias ApplicationUser). Specifies the user name of a record in the directory with sufficient permissions to read any user's information and do any necessary administration.

    This user provides the initial binding of the LDAP or ADS with the AOM when a user requests the login page, or else anonymous browsing of the directory is required.

    You enter this parameter as a full distinguished name (DN), for example "uid=APPUSER, ou=People, o=companyname.com"—including quotes—for LDAP. The security adapter uses this name to bind.

    NOTE:  You must implement an application user.

  • Base DN (alias BaseDN). Specifies the Base Distinguished Name, which is the root of the tree under which users of this Siebel application are stored in the directory. Users can be added directly or indirectly below this directory. A typical entry for an LDAP server might be BaseDN = "ou=people, o=domain_name". "o" denotes "organization" and is typically your Web site's domain name. "ou" denotes "organization unit" and is the subdirectory in which users are stored.

    A typical entry for an ADS server might be BaseDN = "CN=Users, DC=qatest, DC=siebel, DC=com". Domain Component (DC) entries are the nested domains that locate this server. Common Name (CN) entries are the specific paths for the user objects in the directory. Therefore, adjust the number of CN and DC entries to represent your architecture.

  • CRC (alias CRC). Use this parameter to implement checksum validation, in order to verify that each user gains access to the database through the correct security adapter. This parameter contains the value calculated by the checksum utility for the applicable security adapter DLL. If you leave this value empty, the system does not perform the check. If you upgrade your system, you must recalculate and replace the value in this parameter.

    For more information, see Configuring Checksum Validation.

  • Credentials Attribute Type (alias CredentialsAttributeType). Specifies the attribute type that stores a database account. For example, if CredentialsAttributeType = dbaccount, then when a user with user name HKIM is authenticated, the security adapter retrieves the database account from the dbaccount attribute for HKIM.

    This attribute value must be of the form username=U password=P, where U and P are credentials for a database account. There may be any amount of white space between the two key-value pairs and no space within each pair. The keywords username and password must be lowercase.

    NOTE:  If you implement LDAP or ADSI security adapter authentication to manage the users in the directory through the Siebel client, then the value of the database account attribute for a new user is inherited from the user who creates the new user. The inheritance is independent of whether you implement a shared database account, but does not override the use of the shared database account. For information on shared database accounts, see Configuring the Shared Database Account.

  • Hash DB Cred (alias HashDBPwd). Specifies password hashing for database credentials passwords. For details, see Configuring Password Hashing.
  • Hash User Password (alias HashUserPwd). Specifies password hashing for user passwords. Uses the hashing algorithm specified using the HashAlgorithm parameter. For details, see Configuring Password Hashing.
  • Password Attribute Type (alias PasswordAttributeType). Specifies the attribute type under which the user's login password is stored in the directory.

    PasswordAttributeType = userPassword is the only supported value for LDAP. When a user with user name HKIM attempts to log in, the security adapter compares the value in the userPassword attribute for HKIM with the password the user enters.

    This parameter is used by the LDAP security adapter only. (ADS does not store the password in an attribute, so this parameter is not used with the ADSI security adapter.)

  • Password Expire Warn Days (ADSI only) (alias PasswordExpireWarnDays). Specifies the number of days to display a warning message before a password expires.

    This parameter is used by the ADSI security adapter only.

  • Port (alias Port). Specifies the port on the server machine that is used to access the LDAP server. Typically, use 389, the default value, for standard transmission or use 636 for secure transmission.

    This parameter is used by the LDAP security adapter only. (For ADS, you set the port at the directory level, so this parameter is not used with the ADSI security adapter.)

  • Propagate Change (alias PropagateChange). Set this parameter to TRUE to allow administration of the directory through Siebel Business Applications. When an administrator then adds a user or changes a password from within a Siebel application or a user changes a password or self-registers, the change is propagated to the directory.

    NOTE:  A non-Siebel security adapter must support the SetUserInfo and ChangePassword methods to allow dynamic directory administration.

  • Roles Attribute Type (alias RolesAttributeType). Specifies the attribute type for roles stored in the directory. For example, if RolesAttributeType = roles, then when a user with user name HKIM is authenticated, the security adapter retrieves the user's Siebel responsibilities from the roles attribute for HKIM.

    Responsibilities are typically associated with users in the Siebel Database, but they can be stored in the database, in the directory, or in both. The user gets access to all of the views in all of the responsibilities specified in both sources. However, it is recommended that you define responsibilities in the database or in the directory, but not in both places.

    For details, see Configuring Roles Defined in Directory.

  • Security Adapter Dll Name (alias SecAdptDllName). Specifies the DLL that implements the security adapter API required for integration with Siebel Business Applications. The file extension need not be explicitly specified. For example, sscfldap.dll implements the LDAP security adapter in a Windows implementation. On supported UNIX platforms, the file name may be libsscfldap.so or libsscfldap.sl. If the DLL name for the LDAP security adapter is used in a UNIX implementation, it is converted internally to the actual filename.
  • Server Name (alias ServerName). Specifies the name of the machine on which the LDAP or ADS server runs, for example ldapserver.siebel.com.

    NOTE:  For ADSI, this parameter must be populated with the ADS server's complete machine name, not its IP address—otherwise, users will be unable to change their passwords through the Siebel application. This restriction is due to a limitation of the ADSI client library used by the ADSI security adapter.

  • Shared Credentials DN (alias SharedCredentialsDN). Specifies the absolute path (not relative to the BaseDN) of an object in the directory that has the shared database account for the application. If it is empty, the database account is looked up in the user's DN as usual. If it is not empty, then the database account for all users is looked up in the shared credentials DN instead. The attribute type is still determined by CredentialsAttributeType.

    For example, if SharedCredentialsDN = "uid=HKIM, ou=People, o=siebel.com", then when any user is authenticated, the security adapter retrieves the database account from the appropriate attribute in the HKIM record. This parameter's default value is an empty string.

  • Siebel Username Attribute Type (alias SiebelUsernameAttributeType). If UseAdapterUsername = TRUE, this parameter is the attribute from which the security adapter retrieves an authenticated user's Siebel user ID. If this parameter is left empty, the user name passed in is assumed to be the Siebel user ID.
  • Single Sign On (alias SingleSignOn). (TRUE or FALSE) If TRUE, the security adapter is used in Web SSO mode, instead of using security adapter authentication.
  • SSL Database (alias SslDatabase). Specifies whether a Secure Sockets Layer (SSL) is used for communication between the LDAP security adapter and the directory. If empty, SSL is not used. If not empty, its value must be the absolute path of the file ldapkey.kdb. This file, which is generated by IBM GSK iKeyMan, contains a certificate for the certificate authority that is used by the LDAP server.
  • Trust Token (alias TrustToken). Applies only in a Web SSO environment. The adapter compares the TrustToken value provided in the request with the value stored in this application configuration file. If they match, the AOM accepts that the request has come from the SWSE, that is, from a trusted Web server. This parameter's default value is an empty string.
  • Use Adapter Defined Username (alias UseAdapterUsername). (TRUE or FALSE) If TRUE, this parameter indicates that when the user key passed to the security adapter is not the Siebel user ID, the security adapter retrieves the Siebel user ID for authenticated users from an attribute defined by the SiebelUsernameAttributeType parameter. The default value for UseAdapterUsername is FALSE.
  • User Password Hash Algorithm (alias HashAlgorithm). Specifies the password hashing algorithm to use, if HashUserPwd is TRUE or HashDBPwd is TRUE. The default value, RSASHA1, provides hashing using the RSA SHA-1 algorithm. The value SIEBELHASH specifies the password hashing mechanism provided by the mangle algorithm from Siebel Systems (supported for existing customers only). For details, see Configuring Password Hashing.
  • Username Attribute Type (alias UsernameAttributeType). Specifies the attribute type under which the user's login name is stored in the directory. For example, if UsernameAttributeType = uid, then when a user attempts to log in with user name HKIM, the security adapter searches for a record in which the uid attribute has the value HKIM. This attribute is the Siebel user ID, unless the UseAdapterUsername parameter is TRUE.

    NOTE:  If you implement an adapter-defined user name (UseAdapterUsername = TRUE), then you must set the OM - Username BC Field parameter appropriately to allow the directory attribute defined by UsernameAttributeType to be updated from the Siebel client. For more information about implementing an adapter-defined user name, see Configuring Adapter-Defined User Name.
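
The database account format required for the attribute named by CredentialsAttributeType can be checked before a directory entry is relied on. The following is an added example, not part of the original guide or of the Siebel product: it parses the value and names the rule a malformed value breaks without echoing the password. It assumes the two pairs appear in the documented order; the function names, rule names and sample values are constructed for illustration.

```python
import re

# Lowercase keywords, no whitespace inside a pair, any whitespace between pairs.
# Assumption: username comes first, as in the documented form.
STRICT = re.compile(r"username=(\S+)\s+password=(\S+)")
KEY = r"(?i)\b(username|password)"

def parse_db_account(value):
    """Return (username, password); raise ValueError without echoing the value."""
    m = STRICT.fullmatch(value.strip())
    if m is None:
        raise ValueError("attribute is not of the form username=U password=P")
    return m.group(1), m.group(2)

def diagnose(value):
    """Return the names of the rules a malformed value breaks (no secret included)."""
    if STRICT.fullmatch(value.strip()):
        return []
    problems = []
    if re.search(KEY + r"(\s+=|=\s)", value):
        problems.append("SPACE_INSIDE_PAIR")
    keys = re.findall(KEY + r"\s*=", value)
    if any(k != k.lower() for k in keys):
        problems.append("KEYWORD_NOT_LOWERCASE")
    if {k.lower() for k in keys} != {"username", "password"}:
        problems.append("MISSING_PAIR")
    return problems or ["OTHER_FORMAT_ERROR"]

# Constructed sample attribute values (not real credentials).
SAMPLES = [
    "username=SADMIN    password=Constructed1",
    "Username=SADMIN password=Constructed1",
    "username = SADMIN password=Constructed1",
    "username=SADMIN",
]

if __name__ == "__main__":
    for sample in SAMPLES:
        # Print only the rule names, never the attribute value itself.
        print(diagnose(sample) or "ok")
```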

Parameters for Custom Security Adapter Authentication

The following parameters are for custom security adapter authentication only, and are defined for the named subsystem InfraSecAdpt_Custom:

  • Config File Name (alias ConfigFileName). Specifies the file name that contains custom security adapter configuration parameters. These settings would be other than those defined in this section.
  • Config Section Name (alias ConfigSectionName). Specifies the name of the section, in the file specified using the ConfigFileName parameter, that contains custom security adapter configuration settings.

The following parameters are for custom security adapter authentication, and are defined for the named subsystem InfraSecAdpt_Custom. For more information about these parameters, see the descriptions for similar parameters applicable to LDAP/ADSI security adapters, in Siebel Gateway Name Server Parameters.

  • CRC (alias CustomSecAdpt_CRC)
  • Hash DB Cred (alias CustomSecAdpt_HashDBPwd)
  • Hash User Password (alias CustomSecAdpt_HashUserPwd)
  • Propagate Change (alias CustomSecAdpt_PropagateChange)
  • Security Adapter Dll Name (alias CustomSecAdpt_SecAdptDllName)
  • Single Sign On (alias CustomSecAdpt_SingleSignOn)
  • Trust Token (alias CustomSecAdpt_TrustToken)
  • Use Adapter Defined Username (alias CustomSecAdpt_UseAdapterUsername)
  • User Password Hash Algorithm (alias CustomSecAdpt_HashAlgorithm)
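
The parameter descriptions above translate into a set of review checks that can be run over a profile exported as alias/value pairs. The following is an added example, not Oracle's code: it applies checks derived from this page to the LDAP/ADSI aliases and, after stripping the prefix, to their CustomSecAdpt_ counterparts. The `audit` function, the finding names and the sample profiles are assumptions constructed for illustration.

```python
# Added example: review rules for one security adapter profile.
# Aliases are the ones on this page; finding names and values are constructed.
PREFIXES = ("CustomSecAdpt_", "DBSecAdpt_")

def normalize(params):
    """Strip adapter-specific alias prefixes so one rule set covers every adapter."""
    out = {}
    for alias, value in params.items():
        for prefix in PREFIXES:
            if alias.startswith(prefix):
                alias = alias[len(prefix):]
                break
        out[alias] = (value or "").strip()
    return out

def audit(params, adapter):
    """adapter is "LDAP", "ADSI" or "Custom"; returns sorted finding codes."""
    p = normalize(params)
    on = lambda alias: p.get(alias, "").upper() == "TRUE"
    findings = set()
    if not p.get("CRC"):
        findings.add("CRC_EMPTY")              # checksum validation is not performed
    if not on("HashUserPwd"):
        findings.add("USER_PWD_NOT_HASHED")
    if (on("HashUserPwd") or on("HashDBPwd")) and p.get("HashAlgorithm") == "SIEBELHASH":
        findings.add("LEGACY_HASH")            # supported for existing customers only
    if on("SingleSignOn") and not p.get("TrustToken"):
        findings.add("SSO_EMPTY_TRUST_TOKEN")  # TrustToken defaults to an empty string
    if adapter in ("LDAP", "ADSI"):
        if not p.get("ApplicationUser"):
            findings.add("NO_APPLICATION_USER")
        if on("UseAdapterUsername") and not p.get("SiebelUsernameAttributeType"):
            findings.add("ADAPTER_USERNAME_WITHOUT_ATTRIBUTE")
    if adapter == "LDAP" and not p.get("SslDatabase"):
        findings.add("LDAP_NO_SSL")            # SSL is not used to reach the directory
    return sorted(findings)

# Constructed sample profiles (not taken from any real deployment).
LDAP_PROFILE = {
    "ApplicationUser": '"uid=APPUSER, ou=People, o=example.com"',
    "CRC": "", "Port": "389", "SslDatabase": "",
    "HashUserPwd": "TRUE", "HashAlgorithm": "SIEBELHASH",
    "SingleSignOn": "TRUE", "TrustToken": "",
    "UseAdapterUsername": "TRUE", "SiebelUsernameAttributeType": "",
}
CUSTOM_PROFILE = {
    "CustomSecAdpt_CRC": "0000000000",   # placeholder, not a real checksum
    "CustomSecAdpt_HashUserPwd": "TRUE",
    "CustomSecAdpt_HashAlgorithm": "RSASHA1",
    "CustomSecAdpt_SingleSignOn": "FALSE",
}

if __name__ == "__main__":
    print("LDAP:", audit(LDAP_PROFILE, "LDAP"))
    print("Custom:", audit(CUSTOM_PROFILE, "Custom"))
```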

Parameters for AOM

The following parameters are defined for the Enterprise, Siebel Server, or AOM component:

  • OM - Proxy Employee (alias ProxyEmployee). User ID of the proxy employee.

    For information about the proxy employee, see Seed Data.

  • OM - Username BC Field (alias UsernameBCField). This parameter is used only if you implement an adapter-defined user name. It specifies the field of the User business component that populates the attribute in the directory defined by the UsernameAttributeType parameter in the application's configuration file. That is, when the user ID (LoginName field in the User business component) is not the identity key, this field is. If this parameter is not present in the parameters list, you must add it.

    For information, see Configuring Adapter-Defined User Name.
