Configuring SSL Encryption for the Siebel Enterprise or a Siebel Server


This topic describes how you configure your Siebel Enterprise or Siebel Server to use Secure Sockets Layer (SSL) encryption and authentication for SISNAPI communications between Siebel Servers and the Web server (SWSE), and between Siebel Servers. Configuring SSL for SISNAPI communications is optional.

This task is a step in Process of Configuring Secure Communications.

Configuring SSL communications between Siebel Servers and the Web server also requires that you configure the SWSE to use SSL, as described in Configuring SSL Encryption for SWSE.

When configuring SSL for Siebel Server and the SWSE, you can also configure connection authentication for the relevant modules. In other words, when one module connects to another, the modules might be required to authenticate themselves to each other using third-party certificates.

Connection authentication scenarios are:

  • Siebel Server authenticates against the Web server.
  • Web server authenticates against the Siebel Server.
  • Siebel Server authenticates against another Siebel Server.

A peer authentication option requires that mutual authentication be performed.

The following procedure describes running the Siebel Configuration Wizard to deploy SSL for a Siebel Server or a Siebel Enterprise. Performing this procedure adds parameters to the Siebel Gateway Name Server; these parameters can also be set using Siebel Server Manager.

NOTE:  If you configure SSL for the Siebel Enterprise, all Siebel Servers in the Enterprise inherit all settings. These settings include the key file name and password and certificate file names. You can run the Siebel Configuration Wizard again later to separately configure individual Siebel Servers, at which time you can specify unique key filenames or passwords or unique certificate file names. In order to completely configure SSL for your Siebel Servers, you must run this utility multiple times.

On Windows, SSL configuration of the Enterprise or SWSE always uses GUI mode. On UNIX, initial SSL configuration of the Enterprise or SWSE uses GUI mode. However, if you configure SSL separately later on a UNIX operating system, the SSL configuration runs in console mode.

To enable SSL encryption for the Siebel Enterprise or for a Siebel Server

  1. Before you begin, obtain and install the necessary certificate files that you require if you are configuring SSL authentication.
  2. (Siebel Enterprise) If you are running the Siebel Configuration Wizard to configure the Siebel Enterprise, do the following:
    1. Start the Siebel Configuration Wizard and configure values for the Enterprise, as described in Siebel Installation Guide for the operating system you are using.
    2. When the Additional Tasks for Configuring the Enterprise screen appears, select the Enterprise Network Security Encryption Type option.
    3. Specify that you want to deploy SSL for the Enterprise.
    4. Proceed to Step 4.
  3. (Siebel Server) If you are running the Siebel Configuration Wizard directly on a Siebel Server computer, do the following:
    1. Start the Siebel Server Configuration Wizard directly and configure values for the Siebel Server, as described in Siebel Installation Guide for the operating system you are using.
    2. When the Additional Tasks for Configuring the Siebel Server screen is displayed, select the Server-Specific Security Encryption Settings option.
    3. Proceed to Step 4.
  4. Specify the name and location of the certificate file and of the certificate authority file.

    The equivalent parameters in the Siebel Gateway Name Server are CertFileName (display name is Certificate file name) and CACertFileName (display name is CA certificate file name).

  5. Specify the name of the private key file, and the password for the private key file, then confirm the password.

    The password you specify is stored in encrypted form. The equivalent parameters in the Siebel Gateway Name Server are KeyFileName (display name Private key file name) and KeyFilePassword (display name Private key file password).

  6. Specify whether you require peer authentication.

    Peer authentication means that this Siebel Server authenticates the client (that is, SWSE or another Siebel Server) that initiates a connection. Peer authentication is false by default.

    The peer authentication parameter is ignored if SSL is not deployed between the Siebel Server and the client (that is, SWSE or another Siebel Server). If peer authentication is set to TRUE on the Siebel Server, a certificate from the client is authenticated provided that the Siebel Server has the certifying authority's certificate to authenticate the client's certificate. The client must also have a certificate. If SSL is deployed and the SWSE has a certificate, then it is recommended that you set PeerAuth to TRUE on both the Siebel Server and the SWSE to obtain maximum security.

    The equivalent parameter in the Siebel Gateway Name Server is PeerAuth (display name Peer Authentication).

  7. Specify whether you require peer certificate validation.

    Peer certificate validation performs reverse-DNS lookup to independently verify that the hostname of the Siebel Server computer matches the hostname presented in the certificate. Peer certificate validation is false by default.

    The equivalent parameter in the Siebel Gateway Name Server is PeerCertValidation (display name Validate peer certificate).

  8. (Siebel Enterprise) If you are running the Siebel Configuration Wizard to configure the Siebel Enterprise, you return to that process, as described in the Siebel Installation Guide for the operating system you are using.
  9. (Siebel Server) If you are running the Siebel Server Configuration Wizard, select the appropriate option to specify whether or not you want to enable clustering of the Siebel Servers and, if you do, the type of clustering you want to use.
  10. Select the check box if you want the Siebel Server system service to start automatically.
  11. Select the check box if you want the Siebel Server system service to start at the end of the profile configuration.
  12. Review the settings, finish configuration, and restart the server.
  13. Perform the tasks in Setting Additional SSL Parameters for Siebel Server.
  14. Repeat this procedure for each Siebel Server in your environment, as necessary.

    Make sure you also configure each SWSE in your environment, as described in Configuring SSL Encryption for SWSE.

Setting Additional SSL Parameters for Siebel Server

After configuring SSL for a Siebel Server, you must set additional SSL parameters for the Siebel Server, as described in the following procedure.

To set additional SSL parameters for Siebel Server

  • Using Siebel Server Manager, set the Communication Transport parameter (alias CommType) to SSL for each AOM that is to use SSL. (TCP/IP is used by default.)
  • If you previously used Microsoft Crypto or RSA encryption, then, using Siebel Server Manager, set the Encryption Type parameter (alias Crypt) to NONE (instead of MSCRYPTO or RSA) for the Siebel Enterprise.

For information on using Siebel Server Manager, see Siebel System Administration Guide.
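
The parameter rules from the two procedures above can be checked mechanically. The following Python script is an added example, not Oracle code: it audits one flat set of parameters for a single Siebel Server and AOM, and the ALIAS=VALUE input format, the sample values and the function names are assumptions made for illustration.

```python
# Added example: checks one flat set of Siebel SSL parameters against the
# rules stated on this page. The ALIAS=VALUE input format is an assumption.

# Constructed sample input (file paths are placeholders).
SAMPLE = """\
CommType=SSL
Crypt=RSA
CertFileName=/constructed/path/server-cert.pem
CACertFileName=
KeyFileName=/constructed/path/server-key.pem
PeerAuth=TRUE
PeerCertValidation=FALSE
"""

def parse_params(text):
    """Parse ALIAS=VALUE lines into a dict, skipping blanks and comments."""
    params = {}
    for line in text.splitlines():
        line = line.strip()
        if line and not line.startswith("#") and "=" in line:
            alias, value = line.split("=", 1)
            params[alias.strip()] = value.strip()
    return params

def is_true(params, alias):
    """Boolean parameters are false by default, per the page."""
    return params.get(alias, "FALSE").upper() == "TRUE"

def audit(params):
    """Return a list of (alias, message) findings."""
    findings = []
    if params.get("CommType", "").upper() != "SSL":
        findings.append(("CommType", "not SSL; the default TCP/IP transport is in use"))
        if is_true(params, "PeerAuth"):
            findings.append(("PeerAuth", "ignored because SSL is not deployed"))
        return findings
    if params.get("Crypt", "").upper() in ("MSCRYPTO", "RSA"):
        findings.append(("Crypt", "set to NONE when CommType is SSL"))
    for alias in ("CertFileName", "KeyFileName"):
        if not params.get(alias):
            findings.append((alias, "empty; steps 4 and 5 specify this file"))
    if not is_true(params, "PeerAuth"):
        findings.append(("PeerAuth", "FALSE; connecting clients are not authenticated"))
    elif not params.get("CACertFileName"):
        findings.append(("CACertFileName", "empty; client certificates cannot be verified"))
    if not is_true(params, "PeerCertValidation"):
        findings.append(("PeerCertValidation", "FALSE; certificate hostname is not checked"))
    return findings

if __name__ == "__main__":
    for alias, message in audit(parse_params(SAMPLE)):
        print(f"{alias}: {message}")
```
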

Siebel Security Guide Copyright © 2011, Oracle and/or its affiliates. All rights reserved.