Security Guide for Siebel eBusiness Applications > Configuration Parameters Related to Authentication >

Parameters in the eapps.cfg File


The eapps.cfg file contains parameters that control interactions between the Siebel Web Engine and the Siebel Web Server Extension (SWSE), for all Siebel applications deploying the Siebel Web Client.

The eapps.cfg file is located in the SWEAPP_ROOT\bin directory, where SWEAPP_ROOT is the directory in which you installed the SWSE.

The following is a portion of a sample eapps.cfg file. The sample includes some parameters that would not normally be set together in one deployment; they are shown so that you can see the range of authentication-related parameters.

CAUTION:  Typically, password encryption is in effect for the eapps.cfg file, as determined by the setting EncryptedPassword = TRUE. In this case, values for WebUpdatePassword and AnonPassword would be encrypted. For details, see Managing Encrypted Passwords in the eapps.cfg File.

[swe]
Language = enu
Log = all
LogDirectory = D:\sea77\SWEApp\log
ClientRootDir = D:\sea77\SWEApp
WebPublicRootDir = D:\sea77\SWEApp\public\enu
WebUpdatePassword = test
IntegratedDomainAuth = FALSE

[defaults]
EncryptedPassword = TRUE
AnonUserName = GUESTCST
AnonPassword = GUESTCST
StatsPage = _stats.swe
SingleSignOn = TRUE
TrustToken = HELLO
UserSpec = REMOTE_USER
UserSpecSource = Server
DoCompression = TRUE
SessionTimeout = 300
GuestSessionTimeout = 900

[/prmportal_enu]
AnonUserName = guestcp
AnonPassword = ldap
ProtectedVirtualDirectory = /p_prmportal_enu
ConnectString = siebel.TCPIP.None.None://172.20.167.200:2320/siebel/eChannelObjMgr_enu

[connmgmt]
CACertFileName = d:\siebel\admin\cacertfile.pem
CertFileName = d:\siebel\admin\certfile.pem
KeyFileName = d:\siebel\admin\kefile.txt
KeyFilePassword = ^s*)Jh!#7
PeerAuth = FALSE
PeerCertValidation = FALSE

The eapps.cfg file includes sections such as [swe], [defaults], and [connmgmt] and sections for individual Siebel applications, such as [/prmportal_enu] and [/callcenter]. Each parameter value in the [defaults] section is used by all individual applications, unless you override the parameter's value with an entry in an application's own section.

In the eapps.cfg sample above, the AnonUserName and AnonPassword values in the [/prmportal_enu] section are used by Siebel Partner Portal instead of the values provided in the [defaults] section.
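The override rule described above can be checked mechanically. The following Python script is an added example and is not part of the Siebel documentation or product: it parses an eapps.cfg excerpt constructed from the sample above (the [/eservice] section is added here for illustration), resolves the effective value of a parameter for an application by falling back to [defaults], and flags a few settings that this page identifies as weak or invalid. The audit rules, including the 16-character minimum for TrustToken, are the example's own assumptions, not a Siebel requirement.

```python
import configparser

# Constructed excerpt of an eapps.cfg file, abridged from the sample on this page.
# The [/eservice] section is added for illustration and is not in the page's sample.
SAMPLE_EAPPS_CFG = """\
[swe]
Language = enu
WebUpdatePassword = test
IntegratedDomainAuth = FALSE

[defaults]
EncryptedPassword = TRUE
AnonUserName = GUESTCST
AnonPassword = GUESTCST
SingleSignOn = TRUE
TrustToken = HELLO
UserSpec = REMOTE_USER
UserSpecSource = Server
SessionTimeout = 300
GuestSessionTimeout = 900

[/prmportal_enu]
AnonUserName = guestcp
AnonPassword = ldap
ProtectedVirtualDirectory = /p_prmportal_enu
ConnectString = siebel.TCPIP.None.None://172.20.167.200:2320/siebel/eChannelObjMgr_enu

[/eservice]
TrustToken = 7f3c9a1e4b8d2c6f0a5e9b3d7c1f4a8e

[connmgmt]
PeerAuth = FALSE
PeerCertValidation = FALSE
"""


def load_eapps_cfg(text):
    """Parse eapps.cfg text. Parameter names keep their case, and '=' is the only
    delimiter so that ConnectString values containing ':' are not split."""
    cp = configparser.ConfigParser(interpolation=None, delimiters=("=",))
    cp.optionxform = str
    cp.read_string(text)
    return cp


def application_sections(cp):
    """Application sections are the ones named after a virtual directory, e.g. [/eservice]."""
    return [s for s in cp.sections() if s.startswith("/")]


def effective_value(cp, app, param):
    """Value from the application's own section if present, else from [defaults], else None."""
    if cp.has_option(app, param):
        return cp.get(app, param)
    if cp.has_option("defaults", param):
        return cp.get("defaults", param)
    return None


def is_true(value):
    return (value or "FALSE").strip().upper() == "TRUE"


MIN_TRUST_TOKEN_LEN = 16   # assumption of this example, not a Siebel requirement


def audit(cp):
    """Return (section, finding) pairs for settings this page describes as weak or invalid."""
    findings = []
    # An absent EncryptedPassword is equivalent to FALSE, so the passwords are in clear text.
    if not is_true(cp.get("defaults", "EncryptedPassword", fallback=None)):
        findings.append(("defaults", "EncryptedPassword absent or FALSE: AnonPassword and "
                                     "WebUpdatePassword are in clear text"))
    for app in application_sections(cp):
        if not is_true(effective_value(cp, app, "SingleSignOn")):
            continue
        # ProtectedVirtualDirectory must be set per application in a Web SSO deployment.
        if not cp.has_option(app, "ProtectedVirtualDirectory"):
            findings.append((app, "Web SSO enabled but ProtectedVirtualDirectory is not set "
                                  "in the application section"))
        token = effective_value(cp, app, "TrustToken") or ""
        if len(token) < MIN_TRUST_TOKEN_LEN:
            findings.append((app, "TrustToken is missing or shorter than %d characters"
                                  % MIN_TRUST_TOKEN_LEN))
    if cp.has_section("connmgmt"):
        for param, effect in (("PeerAuth", "peer not authenticated during the SSL handshake"),
                              ("PeerCertValidation", "certificate hostname not checked")):
            if not is_true(cp.get("connmgmt", param, fallback=None)):
                findings.append(("connmgmt", "%s is not TRUE: %s" % (param, effect)))
    return findings


if __name__ == "__main__":
    cfg = load_eapps_cfg(SAMPLE_EAPPS_CFG)
    for app in application_sections(cfg):
        print(app, effective_value(cfg, app, "AnonUserName"),
              effective_value(cfg, app, "TrustToken"))
    for section, finding in audit(cfg):
        print("[%s] %s" % (section, finding))
```

Run against the constructed excerpt, the script reports that [/prmportal_enu] inherits SingleSignOn from [defaults] but overrides AnonUserName, that its TrustToken is too short, that [/eservice] has Web SSO enabled without a ProtectedVirtualDirectory, and that both [connmgmt] peer checks are off.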

NOTE:  You can use any plain text editor to add parameters and their values or to change the values of existing parameters. Do not edit configuration files with an editor that adds nontext characters (such as formatting codes) to the file.

In a given eapps.cfg file, some parameters may not appear by default. Changes to the eapps.cfg file are not active until you restart the Siebel Server and the Web server.

Authentication-Related Parameters

The following parameters in the eapps.cfg file relate to authentication. They can be defined in the [defaults] section or in the sections for individual applications.

  • AnonUserName. This parameter is the user name for an anonymous user that is stored in the directory and also in the Siebel Database.

    The anonymous user provides the binding between the directory and the Application Object Manager (AOM) that allows a Siebel application home page to be displayed to a user who has not logged in. Similarly, this anonymous user supplies the login under which the user can see any other pages for which you allow anonymous browsing. The home page that is displayed typically provides the interface through which the user logs in.

  • AnonPassword. This parameter is the password that is paired with AnonUserName to authenticate the anonymous user. When EncryptedPassword is TRUE, the value in the file is the encrypted form of the password.
  • ClientCertificate. When this parameter is set to TRUE in a Web SSO implementation, the user is authenticated through a digital certificate.

    See also Digital Certificate Authentication.

  • DoCompression. Specifies whether the SWSE will compress HTTP traffic.

    Compressing HTTP traffic, where it is feasible to do so, substantially reduces bandwidth consumption. This feature is supported on HTTP 1.1, and is not supported on HTTP 1.0.

    • When this parameter is set to FALSE, HTTP traffic will not be compressed. Use this setting if HTTP traffic should never be compressed. For example, you might use this setting if your proxy servers only support HTTP 1.0, or if the overhead of compression/decompression is of more concern to you than bandwidth constraints.
    • When this parameter is set to TRUE, HTTP traffic will be compressed if no proxy server is detected. If a proxy server is detected, it is assumed not to support HTTP 1.1, and HTTP traffic will not be compressed. Use this setting if you want to compress HTTP traffic where feasible but cannot rule out proxy servers that do not support HTTP 1.1.
    • When this parameter is set to CompressProxyTraffic, HTTP traffic will always be compressed. Use this setting for Siebel applications only if you are certain that any proxy server that resides in front of your Siebel application users supports HTTP 1.1.

      You can set this parameter for individual Siebel applications, or set it for multiple applications by defining it in the [defaults] section. For example, you might set this parameter to CompressProxyTraffic for employee applications accessed on an intranet—if you know that any proxy servers that are deployed support HTTP 1.1. Otherwise, set this parameter to either FALSE or TRUE (such as in the [defaults] section).

      NOTE:  Because it is impossible to know what type of proxy server an external user (that is, a partner or customer) may be using, the setting CompressProxyTraffic should be used for employee applications only, not for customer or partner applications.

  • EncryptedPassword. When this parameter is set to TRUE, the password for the anonymous user and the Web update password are interpreted as encrypted passwords. This parameter is added to the eapps.cfg file (with a value of TRUE) when you use the SWSE configuration utility. However, if the parameter is not defined in the file, this is equivalent to a value of FALSE.

    For more information, see Managing Encrypted Passwords in the eapps.cfg File.

  • EncryptSessionId. When this parameter is set to TRUE (the default), the session ID is encrypted; when it is FALSE, the session ID is not encrypted. For a Siebel Web Client, the session ID is carried in the session cookie (in cookie-based mode) or in the application URL (in cookieless mode). A session ID carried in the URL is also exposed through browser history, proxy logs and Referer headers, so leave this parameter at its default of TRUE.

    For more information about cookies, see Cookies and Siebel Applications.

  • GuestSessionTimeout. The session timeout for guest users. The default is 300 seconds (five minutes). For more information about session timeouts, see the description for the SessionTimeout parameter.
  • SessionTimeout. The time, in seconds, from the user's last browser request until the user's connection times out. The default is 900 seconds (15 minutes). Standard sessions are those where users log in using their registered user name and password.

    NOTE:  All the session timeouts mentioned above measure session inactivity. If a timeout is set to 3600 seconds, the session expires only after one hour in which no request has been made to the server on that session. Any request that reaches the server, including message bar updates and calendar alarm checks, restarts the inactivity period. If the interval of such an automatic update is shorter than the SessionTimeout value, the session never times out while the client continues to poll.

  • SingleSignOn. The SWSE operates in Web SSO mode when this parameter is TRUE.

    For more information, see Web Single Sign-On Authentication.

  • SubUserSpec. In a Web SSO environment that implements digital certificate authentication, a value of CN specifies that the Siebel user ID should be extracted from the certificate's CN (Common Name) attribute.

    For more information, see User Specification Source.

  • TrustToken. In a Web SSO environment, this token string is a shared secret between the SWSE and the security adapter. It is a measure to protect against spoofing attacks. The same value must be configured on both the SWSE and the security adapter. Treat it like a password: choose a long, random value rather than a guessable word such as the HELLO in the sample above.

    For more information, see Web Single Sign-On Authentication.

  • UserSpec. In a Web SSO implementation, this variable name specifies where the SWSE looks for a user's user name within the source given by UserSpecSource. The value, REMOTE_USER by default, is populated by the authentication filter.

    If digital certificate authentication is implemented on Windows or AIX, use the value CERT_SUBJECT, a variable that contains the certificate's subject name, and set SubUserSpec to the attribute to extract from it. For example, UserSpec/SubUserSpec would be "CERT_SUBJECT"/"CN". On other UNIX platforms, use "REMOTE_USER" for UserSpec; the SubUserSpec setting is disregarded on those platforms.

    For more information, see User Specification Source.

  • UserSpecSource. In a Web SSO implementation, this parameter specifies the source from which the SWSE reads the variable named by UserSpec: Server, if the variable is a Web server variable (the usual Web server user name field); Header, if the variable is an HTTP request header.

    For more information, see User Specification Source.
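The inactivity rule in the SessionTimeout note above, including the case where a background poll keeps a session alive, as an added Python example (not Siebel code). It reads the timeouts from a dictionary of eapps.cfg parameters, using the defaults this page documents (900 and 300 seconds) when they are absent, and computes when a session expires from a list of request times. All request timestamps are constructed for the example.

```python
def timeout_for(section, guest):
    """Effective inactivity timeout in seconds for a section's settings (a dict of
    parameter name -> string value). The defaults are the ones this page documents."""
    if guest:
        return int(section.get("GuestSessionTimeout", 300))
    return int(section.get("SessionTimeout", 900))


def session_expiry(timeout, request_times):
    """request_times: ascending seconds of every request made on one session (the first
    is the login or first anonymous hit). The session expires `timeout` seconds after the
    last request that is followed by a gap longer than `timeout`; None if no such gap
    exists, i.e. the session was still alive at the last observed request."""
    for prev, nxt in zip(request_times, request_times[1:]):
        if nxt - prev > timeout:
            return prev + timeout
    return None


def with_polling(user_times, interval, until):
    """Merge the user's own requests with a client-side poll (message bar update,
    calendar alarm check) issued every `interval` seconds up to `until`."""
    polls = range(user_times[0], until + 1, interval)
    return sorted(set(user_times) | set(polls))


if __name__ == "__main__":
    defaults = {"SessionTimeout": "900", "GuestSessionTimeout": "300"}
    t = timeout_for(defaults, guest=False)
    user = [0, 3600]                       # login, then nothing from the user for an hour
    print(session_expiry(t, user))                            # 900: idle session expires
    print(session_expiry(t, with_polling(user, 60, 3600)))    # None: a poll every minute keeps it alive
    print(session_expiry(t, with_polling(user, 1200, 3600)))  # 900: a poll slower than the timeout does not
```

The third case is the one to watch in a review: the session still expires when the poll interval exceeds the timeout, so the timeout is only effective if every automatic client request is less frequent than it.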

The following parameter can be defined in the section for each individual Siebel application. Do not define this parameter in the [defaults] section.

  • ProtectedVirtualDirectory. This parameter specifies a Web server virtual directory that represents the protected location of a Siebel application. It must have a value in a Web SSO implementation, and is optional in other implementations.

    The protected directory allows you to configure your Web server or third-party authentication software to require user authentication to access specific Siebel application views. Requests for any views that require explicit login are redirected to this virtual directory.

    For more information, see Creating Protected Virtual Directories.

    For example, if you used the suggested name for the protected virtual directory for Siebel eService, enter:

    [/eservice]
    ProtectedVirtualDirectory = /p_eservice

    If your Web SSO implementation is not configured for anonymous browsing, set this value to the same directory as your application. For example:

    [/eservice]
    ProtectedVirtualDirectory = /eservice

    Otherwise, a Web Authentication Failed message may appear in the application's log file.

    NOTE:  The examples above secure an entire application. If some parts of the application do not require authentication, you must still be able to authenticate users when they access a secured part of the application. In this case, set the parameter to an alias at which the Web SSO credentials are passed; the Siebel application redirects the authentication request to that alias.

The following parameter in the eapps.cfg file can be defined in the [swe] section of the file.

  • IntegratedDomainAuth. To support Windows Integrated Authentication for Web SSO, set this parameter to TRUE. This setting causes SWSE to strip out the domain name from HTTP headers, which allows the application to integrate with Windows Integrated Authentication.
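How UserSpecSource, UserSpec, SubUserSpec and IntegratedDomainAuth combine to select the user name, modelled as an added Python example. This is not SWSE code, and the SWSE's internal logic is not published on this page; the model assumes that Web server variables and request headers are available as dictionaries, that CERT_SUBJECT is a comma-separated list of attribute=value pairs, that the domain removed by IntegratedDomainAuth is a DOMAIN\user prefix, and that a Web server filter places the user name in a header named SIEBELUSER (a hypothetical name). All sample requests are constructed.

```python
def rdn_value(subject, attr):
    """Return the value of one attribute (for example CN) from a subject string such as
    'C=US, O=Example Corp, CN=jsmith'. Assumes comma-separated attribute=value pairs."""
    for part in subject.split(","):
        name, sep, value = part.strip().partition("=")
        if sep and name.strip().upper() == attr.upper():
            return value.strip()
    return None


def strip_domain(user):
    """Remove a Windows domain prefix: 'CORP\\jsmith' -> 'jsmith'. Names without a
    backslash are returned unchanged (assumed form of the domain prefix)."""
    return user.rsplit("\\", 1)[-1]


def resolve_user(cfg, server_vars, headers):
    """Select the user name the way the parameters on this page describe.
    cfg: parameter name -> string value, merged from the [swe], [defaults] and
    application sections; server_vars: Web server variables (REMOTE_USER,
    CERT_SUBJECT, ...); headers: HTTP request headers. Returns the name or None."""
    if cfg.get("SingleSignOn", "FALSE").upper() != "TRUE":
        return None                                   # not Web SSO: the Siebel login page is used
    source = cfg.get("UserSpecSource", "Server")
    table = headers if source.upper() == "HEADER" else server_vars
    raw = table.get(cfg.get("UserSpec", "REMOTE_USER"))
    if not raw:
        return None                                   # nothing authenticated the request
    sub = cfg.get("SubUserSpec")
    if sub:                                           # e.g. CERT_SUBJECT / CN
        raw = rdn_value(raw, sub)
        if raw is None:
            return None                               # certificate has no such attribute
    if cfg.get("IntegratedDomainAuth", "FALSE").upper() == "TRUE":
        raw = strip_domain(raw)
    return raw


# Constructed configurations, one per combination described on this page.
SSO_REMOTE_USER = {"SingleSignOn": "TRUE", "UserSpec": "REMOTE_USER",
                   "UserSpecSource": "Server"}
SSO_CERT = {"SingleSignOn": "TRUE", "UserSpec": "CERT_SUBJECT", "SubUserSpec": "CN",
            "UserSpecSource": "Server"}
SSO_HEADER_WIA = {"SingleSignOn": "TRUE", "UserSpec": "SIEBELUSER",
                  "UserSpecSource": "Header", "IntegratedDomainAuth": "TRUE"}

if __name__ == "__main__":
    print(resolve_user(SSO_REMOTE_USER, {"REMOTE_USER": "jsmith"}, {}))
    print(resolve_user(SSO_CERT, {"CERT_SUBJECT": "C=US, O=Example Corp, CN=jsmith"}, {}))
    print(resolve_user(SSO_HEADER_WIA, {}, {"SIEBELUSER": "CORP\\jsmith"}))
```

Note which input each configuration trusts: with UserSpecSource = Server the name comes from a variable the Web server itself populated after authenticating the request, whereas with UserSpecSource = Header it comes from an HTTP header, which is only trustworthy if the Web server or its authentication filter sets it after stripping any client-supplied copy.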

SSL-Related Parameters

The following parameters can be included in the [connmgmt] section of the eapps.cfg file, when you are using SSL to encrypt SISNAPI communications between the Web server and the Siebel Server. For more information, see Configuring SSL Encryption for SWSE.

  • CACertFileName. Specifies the file containing the certificate of the trusted certificate authority that issued the peer's certificate.
  • CertFileName. Specifies the name of the ASN/PEM certificate file.
  • KeyFileName. Specifies the name of the PEM private key file.
  • KeyFilePassword. Specifies the password used to decrypt the private key file.
  • PeerAuth. Enables peer authentication during the SSL handshake.
  • PeerCertValidation. Independently verifies that the hostname of the SWSE machine matches the hostname presented in the certificate.

In the sample above, PeerAuth and PeerCertValidation are both FALSE: SISNAPI traffic is encrypted, but the peer is not authenticated during the handshake and the certificate hostname is not checked. Set both to TRUE where the identity of the peer must be verified. Because KeyFilePassword appears in clear text in the file, restrict read access to eapps.cfg.