Security Adapters and the Siebel Developer Web Client
The Siebel Developer Web Client relocates business logic from the Siebel Server to the client. The authentication architecture for the Developer Web Client differs from the authentication architecture for the standard Web Client, because it locates the following components on the client instead of the Siebel Server:
- AOM (through the siebel.exe program)
- Application configuration file
- Authentication manager and security adapter
- IBM LDAP Client (where applicable)
NOTE: Siebel Business Applications support for the Siebel Developer Web Client is restricted to administration, development, and troubleshooting usage scenarios only. Siebel Business Applications does not support the deployment of this client to end users.
When you implement security adapter authentication for Siebel Developer Web Clients, observe the following principles:
- It is recommended to use the remote configuration option, which can help you make sure that all clients use the same configuration settings. This option is described later in this topic.
- Authentication-related configuration parameters stored in application configuration files on client computers, or stored in remote configuration files, must generally contain the same values as the corresponding parameters in the Siebel Gateway Name Server (for Siebel Web Client users). Distribute the appropriate configuration files to all Siebel Developer Web Client users.
For information about setting parameters in Siebel application configuration files on the Siebel Developer Web Client, see Siebel Application Configuration File Parameters.
- It is recommended that you use checksum validation to make sure that the appropriate security adapter provides user credentials to the authentication manager for all users who request access. For information about checksum validation, see Configuring Checksum Validation.
- In a security adapter authentication implementation, you must set the security adapter configuration parameter PropagateChange to TRUE, and set the Siebel system preference SecThickClientExtAuthent to TRUE, if you want to implement:
- In some environments, you might want to rely on the data server itself to determine whether to allow Siebel Developer Web Client users to access the Siebel database and run the application. In the application configuration file on the local client, you can optionally define the parameter IntegratedSecurity for the server data source (typically, in the [ServerDataSrc] section of the configuration file).
The IntegratedSecurity parameter can be set to TRUE or FALSE. The default value is FALSE. When TRUE, the Siebel client is prevented from prompting the user for a username and password when the user logs in. Facilities provided in your existing data server infrastructure determine if the user is allowed to log into the database.
You can set the IntegratedSecurity parameter to TRUE with the database security adapter. See also Configuring Database Authentication.
NOTE: Integrated Security is only supported for Siebel Developer Web clients that access Oracle and Microsoft SQL Server databases. This functionality is not available for Siebel Web clients or Siebel Mobile Web clients.
For additional information on integrated authentication, see your third-party documentation. For Oracle, see the OPS$ and REMOTE_OS_AUTHENT features. For Microsoft SQL Server, see Integrated Security.
For more information about the Siebel Developer Web Client, see the Siebel Installation Guide for the operating system you are using and Siebel System Administration Guide.
Sample LDAP Section in a Configuration File
The following is an example of LDAP configuration information generated by the Siebel Configuration Wizard when you configure an LDAP security adapter for Developer Web Clients. For more information, see Configuring LDAP or ADSI Security Adapters Using the Siebel Configuration Wizard.
For information about setting Siebel configuration parameters, see Siebel Application Configuration File Parameters.
[LDAPSecAdpt]
SecAdptDllName = sscfldap
ServerName = ldapserver.siebel.com
Port = 636
BaseDN = "ou=people, o=xyz.com"
SharedCredentialsDN = "uid=HKIM, ou=people, o=oracle.com"
UsernameAttributeType = uid
PasswordAttributeType = userPassword
CredentialsAttributeType = mail
RolesAttributeType = roles
SslDatabase = /suitespot/https-myhost/ldapkey.kdb
ApplicationUser = "uid=APPUSER, ou=people, o=xyz.com"
ApplicationPassword = APPUSERPW
HashDBPwd = TRUE
PropagateChange = TRUE
SingleSignOn = TRUE
TrustToken = mydog
UseAdapterUsername = TRUE
SiebelUsernameAttributeType = PHONE
HashUserPwd = TRUE
HashAlgorithm = RSASHA1
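The following added example (not Oracle's code) shows one way to check that the security adapter section of a client configuration file carries the same values as the server-side settings, as required above. It assumes the reference values have been exported into a dictionary; REFERENCE, CLIENT_CFG and the function names are constructed for illustration.

```python
import configparser

SENSITIVE = {"ApplicationPassword", "TrustToken"}  # values never echoed in reports

# Constructed reference: values taken from the sample section on this page.
REFERENCE = {
    "ServerName": "ldapserver.siebel.com", "Port": "636",
    "BaseDN": "ou=people, o=xyz.com", "ApplicationPassword": "APPUSERPW",
    "HashUserPwd": "TRUE", "HashAlgorithm": "RSASHA1",
}

# Constructed client file that has drifted from the reference.
CLIENT_CFG = """
[LDAPSecAdpt]
ServerName = ldapserver.siebel.com
Port = 389
BaseDN = "ou=people, o=xyz.com"
ApplicationPassword = OLDPW
HashUserPwd = FALSE
"""

def adapter_params(cfg_text, section="LDAPSecAdpt"):
    """Read one section, keeping parameter case and dropping surrounding quotes."""
    cp = configparser.ConfigParser(interpolation=None, delimiters=("=",))
    cp.optionxform = str
    cp.read_string(cfg_text)
    return {k: v.strip().strip('"') for k, v in cp[section].items()}

def drift(client, reference):
    """Return (parameter, client value, reference value) for every mismatch."""
    rows = []
    for name in sorted(set(client) | set(reference)):
        c, r = client.get(name), reference.get(name)
        if c == r:
            continue
        if name in SENSITIVE:  # report the mismatch, not the secret
            c = None if c is None else "<redacted>"
            r = None if r is None else "<redacted>"
        rows.append((name, c, r))
    return rows

if __name__ == "__main__":
    for name, c, r in drift(adapter_params(CLIENT_CFG), REFERENCE):
        print(f"{name}: client={c!r} reference={r!r}")
```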
Remote Configuration Option for Developer Web Client
This option applies to the Siebel Developer Web Client only. The remote configuration option can be implemented in the following authentication strategies:
- Security adapter authentication: LDAP, ADSI, custom (not database authentication)
- Web SSO authentication
With this approach, you create a separate text file that defines any parameter values that configure a security adapter. You configure all security adapter parameters, such as those in a section like [LDAPSecAdpt] or [ADSISecAdpt], in the remote file, not in the application configuration file.
Storing configuration parameters in a centralized location can help you reduce administration overhead. All Developer Web Clients can read the authentication-related parameters stored in the same file at a centralized remote location.
The examples below show how a remote configuration file could be used to provide parameters for a security adapter that is implemented by Siebel eService in a Web SSO environment. The following example is from the configuration file uagent.cfg for Siebel Call Center:
[InfraSecMgr]
SecAdptMode = LDAP
SecAdptName = LDAPSecAdpt
UseRemoteConfig = \\it_3\vol_1\private\ldap_remote.cfg
In this case, the configuration file ldap_remote.cfg would contain an [LDAPSecAdpt] section. It could be defined similarly to the example earlier in this topic, and would contain no other content. The application configuration file would contain the [InfraSecMgr] section as defined above. It would not contain an [LDAPSecAdpt] section—even if it did, it would be ignored.
To implement remote security configuration for Siebel Developer Web Clients, follow these guidelines:
- The [InfraSecMgr] section in the Siebel configuration file must include the UseRemoteConfig parameter, which provides the path to a remote configuration file. The path is specified in universal naming convention format—that is, for example,
- The remote security configuration file contains only a section for configuring the security adapter, such as the [LDAPSecAdpt] section.
- Each Developer Web Client user must have read privileges on the remote configuration file and the disk directory where it resides.
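The following added example (not Oracle's code) checks an application configuration file and its remote file against the first two guidelines above, and flags a local security adapter section that would be silently ignored. All sample file contents and function names are constructed for illustration.

```python
import configparser

# Constructed inputs: APP_CFG mirrors the uagent.cfg excerpt on this page.
APP_CFG = r"""
[InfraSecMgr]
SecAdptMode = LDAP
SecAdptName = LDAPSecAdpt
UseRemoteConfig = \\it_3\vol_1\private\ldap_remote.cfg
"""
REMOTE_CFG = """
[LDAPSecAdpt]
ServerName = ldapserver.siebel.com
"""
# Constructed misconfiguration: local path, stray local and remote sections.
BAD_APP_CFG = r"""
[InfraSecMgr]
SecAdptName = LDAPSecAdpt
UseRemoteConfig = C:\siebel\ldap_remote.cfg
[LDAPSecAdpt]
ServerName = old-ldap.example.com
"""
BAD_REMOTE_CFG = REMOTE_CFG + "[ServerDataSrc]\nIntegratedSecurity = TRUE\n"

def load_cfg(text):
    """Parse Siebel .cfg text (INI-style) without case-folding parameter names."""
    cp = configparser.ConfigParser(interpolation=None, delimiters=("=",))
    cp.optionxform = str
    cp.read_string(text)
    return cp

def check_remote_config(app_cfg_text, remote_cfg_text):
    """Return a list of findings against the remote-configuration guidelines."""
    findings = []
    app, remote = load_cfg(app_cfg_text), load_cfg(remote_cfg_text)
    mgr = app["InfraSecMgr"] if app.has_section("InfraSecMgr") else {}
    adapter = mgr.get("SecAdptName", "")
    path = mgr.get("UseRemoteConfig", "")
    if not path:
        findings.append("[InfraSecMgr] has no UseRemoteConfig parameter")
    elif not path.startswith("\\\\"):
        findings.append("UseRemoteConfig is not a UNC path: " + path)
    if adapter and app.has_section(adapter):
        findings.append("local [%s] section is present but ignored" % adapter)
    extra = [s for s in remote.sections() if s != adapter]
    if extra:
        findings.append("remote file has extra sections: " + ", ".join(extra))
    if adapter and not remote.has_section(adapter):
        findings.append("remote file lacks the [%s] section" % adapter)
    return findings
```

Read access for each user on the remote file and its directory, the last guideline, has to be verified against the share's permissions and is outside this check.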