
Siebel Gateway Name Server Parameters


Parameters for the Siebel Gateway Name Server can be set at one or more of the Enterprise, Siebel Server, or component levels. They are set in the Administration - Server Configuration screen of a Siebel employee application, such as Siebel Call Center.

  • Parameters you set at the Enterprise level configure all Siebel Servers throughout the enterprise.
  • Parameters you set at the Siebel Server level configure all applicable components on a specific Siebel Server.
  • Parameters you set at the component level configure all the tasks, or instances, of a specific component.
  • Parameters you set for an enterprise profile (named subsystem) configure the applicable security adapter.

For purposes of authentication, most of the components of interest are Application Object Managers (AOMs), such as the Call Center Application Object Manager or the eService Application Object Manager. The Synchronization Manager component also supports authentication.

A particular parameter set at a lower level overrides the same parameter set at a higher level. For example, if Security Adapter Mode is set to LDAP at the Enterprise level, and Security Adapter Mode is set to ADSI at the component level for the eService Application Object Manager component, then the ADSI security adapter is used for Siebel eService.

Parameters configured for Siebel security adapters are configured for the enterprise profile (for GUI Server Manager) or named subsystem (for command-line Server Manager). For more information about configuring security adapters, see Security Adapter Authentication.

NOTE:  You can set parameters on the Siebel Gateway Name Server using Siebel Server Manager or you can do so using the Siebel Configuration Wizard. For information on editing Gateway Name Server parameters using the Siebel Configuration Wizard, see Configuring LDAP or ADSI Security Adapters Using the Siebel Configuration Wizard. For information on using Siebel Server Manager to edit Gateway Name Server parameters, see Siebel System Administration Guide.

Parameters for Database Authentication

The following parameters are for database authentication, and are defined for named subsystems of type InfraSecAdpt_DB (that is, they might be set for the DBSecAdpt named subsystem or a similar security adapter with a nondefault name):

  • CRC (alias DBSecAdpt_CRC). Use this parameter to implement checksum validation, in order to verify that each user gains access to the database through the correct security adapter. This parameter contains the value calculated by the checksum utility for the applicable security adapter DLL. If you leave this value empty, the system does not perform the check. If you upgrade your system, you must recalculate and replace the value in this parameter.

    For more information, see Configuring Checksum Validation.

  • DataSource Name (alias DataSourceName). Specifies the data source for which you are specifying password hashing parameters.
  • Propagate Change (alias DBSecAdpt_PropagateChange). Set this parameter to TRUE to allow administration of the current user's password in the database through Siebel Business Applications.

    If this parameter is set to TRUE (the default setting):

    • Users can change their passwords from within Siebel Business Applications on the User Profile screen (navigate to Tools, User Preferences, and then User Profile) and the change is propagated to the database.
    • An administrator can change the password associated with his or her own login ID using the Administration - User screen in the Siebel Web Client, and the change is propagated to the database. The administrator cannot change other users' passwords from the Administration - User screen.
  • Security Adapter Dll Name (alias DBSecAdpt_SecAdptDllName). Specifies the DLL that implements the security adapter API required for integration with Siebel Business Applications. The file extension does not have to be explicitly specified. For example, sscfsadb.dll implements the Siebel database security adapter in a Windows implementation, and libsscfsadb.so does so in a UNIX implementation. If the DLL name for the adapter is used in a UNIX implementation, it is converted internally to the actual file name.

The following parameters are also for database authentication environments, and are defined for named subsystems of type InfraDataSource (that is, they might be set for the ServerDataSrc named subsystem or another data source). The named subsystem is specified as the value for the DataSourceName parameter for the database security adapter.

  • Hash User Password (alias DSHashUserPwd). Specifies password hashing for user passwords. Uses the hashing algorithm specified using the DSHashAlgorithm parameter. For details, see About Password Hashing.
  • User Password Hash Algorithm (alias DSHashAlgorithm). Specifies the password hashing algorithm to use, if DSHashUserPwd is TRUE. The default value, RSASHA1, provides hashing using the RSA SHA-1 algorithm. The value SIEBELHASH specifies the password hashing mechanism provided by the mangle algorithm from Siebel Business Applications (supported for existing customers only). For details, see About Password Hashing.

Parameters for LDAP or ADSI Authentication

The following parameters are for LDAP or ADSI authentication, and are defined for named subsystems of type InfraSecAdpt_LDAP (that is, they might be set for the named subsystems LDAPSecAdpt or ADSISecAdpt, or a similar security adapter with a nondefault name):

  • Application Password (alias ApplicationPassword). Specifies the password in the directory for the user defined by the ApplicationUser parameter.
    • In an LDAP directory, the password is stored in an attribute.
    • In an ADSI directory, the password is stored using Active Directory user management tools; it is not stored in an attribute.
  • Application User (alias ApplicationUser). Specifies the user name of a record in the directory with sufficient permissions to read any user's information and do any necessary administration.

    This user provides the initial binding of the LDAP or ADSI security adapter with the AOM when a user requests the login page, or else anonymous browsing of the directory is required. You must implement an application user.

    You enter this parameter as a full distinguished name (DN), for example "uid=APPUSER, ou=people, o=companyname.com"—including quotes—for LDAP. The security adapter uses this name to bind.

  • Base DN (alias BaseDN). Specifies the Base Distinguished Name, which is the root of the tree under which users of this Siebel application are stored in the directory. Users can be added directly or indirectly below this directory.

    A typical entry for an LDAP server might be:

    BaseDN = "ou=people, o=domain_name"

    where

    • "o" denotes organization and is typically your Web site's domain name.
    • "ou" denotes organization unit and is the subdirectory in which users are stored.

    A typical entry for an Active Directory server might be:

    BaseDN = "ou=people, DC=qatest, DC=siebel, DC=com"

    Domain Component (DC) entries are the nested domains that locate this server. Therefore, adjust the number of DC entries to represent your architecture. You cannot distribute the users of a single Siebel application in more than one base DN.

  • CRC (alias CRC). Use this parameter to implement checksum validation, in order to verify that each user gains access to the database through the correct security adapter. This parameter contains the value calculated by the checksum utility for the applicable security adapter DLL. If you leave this value empty, the system does not perform the check. If you upgrade your system, you must recalculate and replace the value in this parameter.

    For more information, see Configuring Checksum Validation.

  • Credentials Attribute Type (alias CredentialsAttributeType). Specifies the attribute type that stores a database account. For example, if CredentialsAttributeType is set to dbaccount, then when a user with user name HKIM is authenticated, the security adapter retrieves the database account from the dbaccount attribute for HKIM.

    This attribute value must be of the form username=U and password=P, where U and P are credentials for a database account. There can be any amount of white space between the two key-value pairs and no space within each pair. The keywords username and password must be lowercase.

    NOTE:  If you implement LDAP or ADSI security adapter authentication to manage the users in the directory through the Siebel client, then the value of the database account attribute for a new user is inherited from the user who creates the new user. The inheritance is independent of whether you implement a shared database account, but does not override the use of the shared database account.

  • Hash DB Cred (alias HashDBPwd). Specifies password hashing for database credentials passwords. For details, see About Password Hashing.
  • Hash User Password (alias HashUserPwd). Specifies password hashing for user passwords. Uses the hashing algorithm specified using the HashAlgorithm parameter. For details, see Process of Configuring User and Credentials Password Hashing.
  • Password Attribute Type (alias PasswordAttributeType). Specifies the attribute type under which the user's login password is stored in the directory.

    The LDAP entry must be userPassword. However, if you use the LDAP security adapter to authenticate against Microsoft Active Directory, set the value of this parameter to either unicodePWD or userPassword, depending on the code page used by the directory server.

    Active Directory does not store the password in an attribute, so this parameter is not used by the ADSI adapter. You must, however, specify a value for the Password Attribute Type parameter even if you are using the ADSI adapter. Specify a value of either userPassword or unicodePWD, depending on the code page used by the directory server. In general, specify a value of userPassword if an ASCII code page is used by the directory server, and specify a value of unicodePWD if a Unicode code page is used.

  • Password Expire Warn Days (ADSI only) (alias PasswordExpireWarnDays). Specifies the number of days to display a warning message before a password expires.

    You can only specify a value for this parameter when using an ADSI directory. You can specify a value when the security adapter in use is the ADSI Security Adapter or the LDAP Security Adapter.

  • Port (alias Port). Specifies the port on the server computer that is used to access the LDAP server. Typically, use 389, the default value, for standard transmission or use 636 for secure transmission.

    This parameter is used by the LDAP security adapter only. (For ADSI, you set the port at the directory level, so this parameter is not used with the ADSI security adapter.) You must, however, specify a value for the Port parameter even if you are using the ADSI adapter; specify either port 389 or 636.

  • Propagate Change (alias PropagateChange). Set this parameter to TRUE to allow administration of the directory through Siebel Business Applications. When an administrator then adds a user or changes a password from within Siebel Business Applications, or a user changes a password or self-registers, the change is propagated to the directory.

    NOTE:  A non-Siebel security adapter must support the SetUserInfo and ChangePassword methods to allow dynamic directory administration.

  • Roles Attribute Type (alias RolesAttributeType). Specifies the attribute type for roles stored in the directory. For example, if RolesAttributeType is set to Roles, then when a user with user name HKIM is authenticated, the security adapter retrieves the user's Siebel responsibilities from the roles attribute for HKIM.

    Responsibilities are typically associated with users in the Siebel database, but they can be stored in the database, in the directory, or in both. The user gets access to all of the views in all of the responsibilities specified in both sources. However, it is recommended that you define responsibilities in the database or in the directory, but not in both places.

    For details, see Configuring Roles Defined in the Directory.

  • Security Adapter Dll Name (alias SecAdptDllName). Specifies the DLL that implements the security adapter API required for integration with Siebel Business Applications. The file extension does not have to be explicitly specified. For example, sscfldap.dll implements the LDAP security adapter in a Windows implementation. On supported UNIX operating systems, the file name can be libsscfldap.so or libsscfldap.sl. If the DLL name for the LDAP security adapter is used in a UNIX implementation, it is converted internally to the actual filename.
  • Server Name (alias ServerName). Specifies the name of the computer on which the LDAP or ADSI server runs, for example ldapserver.siebel.com.

    You must specify the fully qualified domain name of the LDAP server, not just the domain name. For example, specify ldapserver.oracle.com, not oracle.com.

    For ADSI, if SSL is configured between the Siebel Server computer and the Active Directory server computer, you must specify the fully qualified domain name of the Active Directory server. If the Siebel Server and Active Directory server are in the same domain, you can specify the Active Directory server's complete computer name or its IP address.

  • Shared Credentials DN (alias SharedCredentialsDN). Specifies the absolute path (not relative to the BaseDN) of an object in the directory that has the shared database account for the application. If it is empty, the database account is looked up in the user's DN as usual. If it is not empty, then the database account for all users is looked up in the shared credentials DN instead. The attribute type is still determined by the value of CredentialsAttributeType.

    For example, if SharedCredentialsDN is set as follows:

    "uid=HKIM, ou=people, o=oracle.com"

    then when any user is authenticated, the security adapter retrieves the database account from the appropriate attribute in the HKIM record. This parameter's default value is an empty string.

  • Shared DB Password (alias SharedDBPassword). Specify the password to connect to the Siebel database. Specify a value for this parameter if you store the password as a parameter rather than as an attribute of the directory entry for the shared database account. To use this parameter, you must use an LDAP directory. For more information, see Configuring the Shared Database Account.
  • Shared DB Username (alias SharedDBUsername). Specify the username to connect to the Siebel database. You must specify a valid Siebel user name and password for the SharedDBUsername and SharedDBPassword parameters. Specify a value for this parameter if you store the username as a parameter rather than as an attribute of the directory entry for the shared database account. To use this parameter, you must use an LDAP directory. For more information, see Configuring the Shared Database Account.
  • Siebel Username Attribute Type (alias SiebelUsernameAttributeType). If the UseAdapterUsername parameter is set to TRUE, this parameter is the attribute from which the security adapter retrieves an authenticated user's Siebel user ID. If this parameter is left empty, the user name passed in is assumed to be the Siebel user ID.
  • Single Sign On (alias SingleSignOn). (TRUE or FALSE) If TRUE, the security adapter is used in Web SSO mode, instead of using security adapter authentication.
  • SSL Database (alias SslDatabase). Specifies whether a Secure Sockets Layer (SSL) is used for communication between the LDAP security adapter and the directory. If empty, SSL is not used. If not empty, its value must be the absolute path of the file ldapkey.kdb. This file, which is generated by IBM GSK iKeyMan, contains a certificate for the certificate authority that is used by the LDAP server.
  • Trust Token (alias TrustToken). Applies only in a Web SSO environment. The adapter compares the TrustToken value provided in the request with the value stored in this application configuration file. If they match, the AOM accepts that the request has come from the SWSE, that is, from a trusted Web server. This parameter's default value is an empty string.
  • Use Adapter Defined Username (alias UseAdapterUsername). (TRUE or FALSE) If TRUE, this parameter indicates that when the user key passed to the security adapter is not the Siebel user ID, the security adapter retrieves the Siebel user ID for authenticated users from an attribute defined by the SiebelUsernameAttributeType parameter. The default value for UseAdapterUsername is FALSE.
  • User Password Hash Algorithm (alias HashAlgorithm). Specifies the password hashing algorithm to use, if HashUserPwd is TRUE or HashDBPwd is TRUE. The default value, RSASHA1, provides hashing using the RSA SHA-1 algorithm. The value SIEBELHASH specifies the password hashing mechanism provided by the mangle algorithm from Siebel Business Applications (supported for existing customers only). For details, see About Password Hashing.
  • Username Attribute Type (alias UsernameAttributeType). Specifies the attribute type under which the user's login name is stored in the directory. For example, if UsernameAttributeType is set to uid, then when a user attempts to log in with user name HKIM, the security adapter searches for a record in which the uid attribute has the value HKIM. This attribute is the Siebel user ID, unless the UseAdapterUsername parameter is TRUE.

    NOTE:  If you implement an adapter-defined user name (UseAdapterUsername is set to TRUE), then you must set the OM - Username BC Field parameter appropriately to allow the directory attribute defined by UsernameAttributeType to be updated from the Siebel client. For more information about implementing an adapter-defined user name, see Configuring Adapter-Defined User Name.
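As an added example (not part of the Oracle documentation), the following Python parses a database-account attribute value in the form the CredentialsAttributeType parameter requires and checks an InfraSecAdpt_LDAP parameter set against the constraints listed above. The parameter sets are constructed, the CRC value is a placeholder, and the "at least two dots" test for a fully qualified ServerName is an assumption.

```python
import os
import re

# CredentialsAttributeType value format from the page: "username=U" then
# "password=P", any amount of whitespace between the pairs, none inside a
# pair, keywords lowercase. fullmatch rejects leading or trailing text.
_DB_ACCOUNT_RE = re.compile(r"username=(\S+)\s+password=(\S+)")


def parse_db_account(value: str):
    """Return (username, password) from a directory attribute, or None if
    the value is not in the documented form (wrong case, space in a pair)."""
    m = _DB_ACCOUNT_RE.fullmatch(value)
    return (m.group(1), m.group(2)) if m else None


def check_ldap_adapter(params: dict) -> list:
    """List findings for an InfraSecAdpt_LDAP parameter set, using the
    constraints this page states. The 'at least two dots' test for a fully
    qualified ServerName is an assumption, not a documented rule."""
    get = lambda key: params.get(key, "").strip()
    findings = []
    if not get("ApplicationUser"):
        findings.append("ApplicationUser is empty; an application user is required")
    elif "=" not in get("ApplicationUser"):
        findings.append("ApplicationUser must be a full DN, e.g. uid=..., ou=..., o=...")
    if get("PasswordAttributeType") not in ("userPassword", "unicodePWD"):
        findings.append("PasswordAttributeType must be userPassword or unicodePWD")
    if get("Port") not in ("389", "636"):
        findings.append("Port must be 389 (standard) or 636 (secure)")
    ssl_db = get("SslDatabase")
    if not ssl_db:
        findings.append("SslDatabase is empty; adapter-to-directory traffic is not SSL")
    elif not (os.path.isabs(ssl_db) and ssl_db.endswith("ldapkey.kdb")):
        findings.append("SslDatabase must be the absolute path of ldapkey.kdb")
    if not get("CRC"):
        findings.append("CRC is empty; security adapter DLL checksum validation is off")
    if get("SharedCredentialsDN") and not get("CredentialsAttributeType"):
        findings.append("SharedCredentialsDN is set but CredentialsAttributeType is empty")
    if get("ServerName").count(".") < 2:
        findings.append("ServerName must be fully qualified, e.g. ldapserver.oracle.com")
    return findings


# Constructed sample parameter sets (not from any real deployment).
WEAK_PARAMS = {
    "ApplicationUser": '"uid=APPUSER, ou=people, o=example.com"',
    "PasswordAttributeType": "userpassword",  # wrong case
    "Port": "389", "SslDatabase": "", "CRC": "",
    "ServerName": "example.com",              # domain only, not the host
    "CredentialsAttributeType": "dbaccount",
}
HARDENED_PARAMS = dict(
    WEAK_PARAMS, PasswordAttributeType="userPassword", Port="636",
    SslDatabase="/siebel/ses/ldapkey.kdb",
    CRC="PLACEHOLDER_CRC_FROM_CHECKSUM_UTILITY",
    ServerName="ldapserver.example.com",
    SharedCredentialsDN='"uid=SHAREDACCT, ou=people, o=example.com"',
)

if __name__ == "__main__":
    print(parse_db_account("username=SADMIN   password=s3cret"))
    for finding in check_ldap_adapter(WEAK_PARAMS):
        print("WEAK:", finding)
    print("hardened:", check_ldap_adapter(HARDENED_PARAMS))
```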

Parameters for Custom Security Adapter Authentication

The following parameters are for custom security adapter authentication only, and are defined for the named subsystem InfraSecAdpt_Custom:

  • Config File Name (alias ConfigFileName). Specifies the file name that contains custom security adapter configuration parameters. These settings would be other than those defined in this section.
  • Config Section Name (alias ConfigSectionName). Specifies the name of the section, in the file specified using the ConfigFileName parameter, that contains custom security adapter configuration settings.

The following parameters are for custom security adapter authentication, and are defined for the named subsystem InfraSecAdpt_Custom. For more information about these parameters, see the descriptions for similar parameters applicable to LDAP or ADSI security adapters, in Siebel Gateway Name Server Parameters.

  • CRC (alias CustomSecAdpt_CRC)
  • Hash DB Cred (alias CustomSecAdpt_HashDBPwd)
  • Hash User Password (alias CustomSecAdpt_HashUserPwd)
  • Propagate Change (alias CustomSecAdpt_PropagateChange)
  • Security Adapter Dll Name (alias CustomSecAdpt_SecAdptDllName)
  • Single Sign On (alias CustomSecAdpt_SingleSignOn)
  • Trust Token (alias CustomSecAdpt_TrustToken)
  • Use Adapter Defined Username (alias CustomSecAdpt_UseAdapterUsername)
  • User Password Hash Algorithm (alias CustomSecAdpt_HashAlgorithm)

Parameters for AOM

The following parameters are defined for the Enterprise, Siebel Server, or AOM component:

  • AllowAnonUsers. (TRUE or FALSE) Unregistered users are not allowed access to the Siebel application if this parameter value is FALSE.
  • DisableReverseProxy. If you deploy IBM Tivoli Access Manager WebSEAL to authenticate users of Siebel Business Applications with high interactivity in a Web Single Sign-On deployment, set DisableReverseProxy to TRUE to disable reverse proxy support. You must disable implicit reverse proxy support because IBM Tivoli Access Manager WebSEAL acts as a reverse proxy server. The default value for DisableReverseProxy is FALSE.
  • SecureLogin. (TRUE or FALSE) If TRUE, the login form completed by the user is transmitted over Secure Sockets Layer (SSL). This requires that you have a certificate from a certificate authority on the Web server on which the Siebel Web Engine is installed.
  • SecureBrowse. When SecureBrowse is set to TRUE, all views in the application are navigated over SSL. When SecureBrowse is set to FALSE, views in the application whose Secure attribute is set to TRUE are navigated over SSL.

    NOTE:  Siebel customer applications support switching between secure and nonsecure views but employee applications (such as Siebel Call Center) do not. For more information, see Configuring a Siebel Web Client to Use SSL.

    For information about the Secure attribute for a view, see Configuring Siebel Business Applications.

  • OM - Proxy Employee (alias ProxyEmployee). User ID of the proxy employee. For information about the proxy employee, see Seed Data.
  • OM - Username BC Field (alias UsernameBCField). This parameter is used only if you implement an adapter-defined user name. It specifies the field of the User business component that populates the attribute in the directory defined by the UsernameAttributeType parameter in the application's configuration file. That is, when the user ID (LoginName field in the User business component) is not the identity key, this field is. If this parameter is not present in the parameters list, you must add it.

    For information, see Configuring Adapter-Defined User Name.

Siebel Security Guide Copyright © 2011, Oracle and/or its affiliates. All rights reserved. Legal Notices.