
About Certificates and Key Files Used for SSL Authentication


When you configure SSL authentication for a Siebel Enterprise, Siebel Server, or SWSE, you specify parameter values that indicate the names of certificate files, certificate authority files, and private key files on the computers that host these components. The certificate files you use for this purpose can be issued by and obtained from third-party certificate authorities. Certificate authority files identify the third-party certificate authority that issued the certificate.

Certificate files must adhere to the following requirements:

  • Use a supported certificate file format:
    • On Microsoft Windows environments, certificate authority files can use either ASN (Abstract Syntax Notation) or PEM (Privacy Enhanced Mail) format.

      The ASN.1 format is also referred to as the Distinguished Encoding Rules (DER) format. Rename certificate files in DER format to have the file extension .asn.

    • On UNIX environments, certificate authority files must use the PEM (Base 64 encoded X.509) format. Certificate files in ASN format cannot be used in UNIX environments.
    • Private key files must use the PEM format.

      The certificate file must use the file extension that corresponds to the certificate file format in use: .pem for the PEM format, and .asn for the ASN format.

      NOTE:  You can convert PEM-based certificate files to the ASN-based format.

  • Certificate files on each computer must be unique and belong to that computer if PeerAuth is set to TRUE on the remote computer.
  • If an intermediate certification authority is used, both the intermediate and the root certificate authority certificates must be in the same file. You specify the name of this file for the CACertFileName parameter when you configure SSL for communication between Siebel components.
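
The following pre-deployment check is an added example, not Oracle code. It applies the format, extension, and CA-file requirements listed above to a file's actual content and performs the PEM-to-ASN conversion mentioned in the NOTE. The role and platform labels, the function names, and the sample data are assumptions made for illustration.

```python
import ssl
from pathlib import PurePath

PEM_CERT_HEADER = b"-----BEGIN CERTIFICATE-----"

def detect_encoding(data: bytes) -> str:
    """Classify by content, not file name: 'pem', 'asn' (DER) or 'unknown'."""
    if data.lstrip().startswith(b"-----BEGIN "):
        return "pem"
    if data[:1] == b"\x30":  # DER data starts with an ASN.1 SEQUENCE tag
        return "asn"
    return "unknown"

def pem_to_asn(pem: bytes) -> bytes:
    """Convert one PEM certificate to the ASN (DER) form, as the NOTE allows."""
    return ssl.PEM_cert_to_DER_cert(pem.decode("ascii"))

def check_file(name, data, role, platform, uses_intermediate=False):
    """role: 'ca', 'cert' or 'key'; platform: 'windows' or 'unix' (hypothetical labels).
    Returns the list of violated requirements; an empty list means the file passes."""
    enc = detect_encoding(data)
    if enc == "unknown":
        return ["content is neither PEM nor ASN (DER)"]
    problems = []
    ext = PurePath(name).suffix.lower().lstrip(".")
    if ext != enc:
        problems.append(f"extension .{ext} does not match {enc.upper()} content")
    if role == "key" and enc != "pem":
        problems.append("private key files must use the PEM format")
    if platform == "unix" and enc == "asn":
        problems.append("ASN format cannot be used in UNIX environments")
    # Assumption: the chain check is only applied to PEM files, where counting is simple.
    if role == "ca" and uses_intermediate and enc == "pem":
        if data.count(PEM_CERT_HEADER) < 2:
            problems.append("intermediate and root CA certificates must be in the same file")
    return problems

# Constructed placeholder: a DER SEQUENCE header plus filler, NOT a real certificate.
FAKE_DER = b"\x30\x82\x01\x00" + bytes(256)
FAKE_PEM = ssl.DER_cert_to_PEM_cert(FAKE_DER).encode("ascii")

if __name__ == "__main__":
    for args in [("ca.pem", FAKE_PEM, "ca", "unix"),
                 ("ca.asn", FAKE_DER, "ca", "unix"),
                 ("ca.pem", FAKE_DER, "ca", "windows"),
                 ("server.asn", FAKE_DER, "key", "windows")]:
        print(args[0], args[2], args[3], "->", check_file(*args) or "OK")
```

The check reads the file content because a renamed file can carry the right extension with the wrong encoding.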

Certificate files and private key files are typically installed on each computer that hosts a component or module for which you configure SSL, such as a Siebel Server or SWSE. You do not have to authenticate or encrypt communications between components on the same computer. For information on installing certificate files, see Installing Certificate Files.

About Supported Values for SSL Certificate Encryption Keys

A certificate authority certifies ownership of the public and private key pairs that are used to encrypt and decrypt SSL communications. Messages are encrypted with the public key and decrypted with the private key. The certificate key size refers to the size, in bits, of the encryption key provided with the certificate.

In general, for SSL authentication for a Siebel Enterprise, Siebel Server, or SWSE, Siebel Business Applications support certificates that use an encryption key size of 1024 bits. If you require a higher encryption key size, you must install the Siebel Strong Encryption Pack. However, the size of the certificate key supported depends on the components for which you are configuring SSL communications.

Table 5 shows the certificate key sizes supported for SSL communications between different components in a Siebel Business Applications deployment.

Table 5. Encryption Key Sizes Supported For SSL Certificates

| SSL Communication Type | Supported Key Size |
|---|---|
| SSL communications using SISNAPI. Communications between the Siebel Server and the Web server (SWSE), and between Siebel Servers. | Only 1024-bit certificate keys are supported if you do not install the Siebel Strong Encryption Pack (SSEP). To use certificate key sizes larger than 1024 bits, install the Siebel Strong Encryption Pack and follow the instructions in Increasing the Certificate Key Sizes Supported For SISNAPI Communications. |
| SSL communications between Web clients and the Web server. | The acceptable SSL protocols and key sizes are determined by the underlying operating system and Web server software. In most cases, these systems support larger private key sizes. |
| SSL communications between dedicated clients (including Siebel Tools) and components in the Siebel environment. | Only 1024-bit certificate keys are supported. |
| SSL communications between the Siebel Server and the Siebel database. | The key size supported is determined by the third-party database used and database client software. |
| SSL communications between Siebel security adapters and external directory servers. | These connections can support larger bit sizes for SSL certificate keys. |
| SSL communications for Web services. | Only 1024-bit certificate keys are supported. |

Increasing the Certificate Key Sizes Supported For SISNAPI Communications

In general, for SSL authentication for Siebel Enterprise, Siebel Server, or SWSE communications, Siebel Business Applications support certificates that use an encryption key size of 1024 bits. If you want to use certificates with encryption key sizes larger than 1024 bits, perform the steps in the following procedure.

To increase the certificate key sizes supported for SISNAPI communications

  1. Install the Siebel Strong Encryption Pack (SSEP) on the Siebel Server and the Web server.

    For information on installing the SSEP, see Installing the Siebel Strong Encryption Pack.

  2. Replace the sslcnapi file on the Siebel Server and the Web server with the sslcnapi128 file that is included with the Siebel Strong Encryption Pack. The sslcnapi files are located as follows:
    • Web server
      • Windows: \SWEAPP\bin\sslcnapi.dll
      • UNIX: /sweapp/bin/sslcnapi.so
    • Siebel Server
      • Windows: \siebsrvr\bin\sslcnapi.dll
      • UNIX: /siebsrvr/lib/libsslcnapi.so

If your version of the Siebel Strong Encryption Pack does not include the sslcnapi128 file, create a service request (SR) on My Oracle Support. Alternatively, you can phone Oracle Global Customer Support directly to create a service request or get a status update on your current SR. Support phone numbers are listed on My Oracle Support.

Siebel Security Guide Copyright © 2011, Oracle and/or its affiliates. All rights reserved. Legal Notices.