Security Guide for Siebel eBusiness Applications > Communications and Data Encryption > Configuring Secure Communications >

Configuring SSL Encryption for Siebel Enterprise or Siebel Server


This section describes how you can configure your Siebel Enterprise or Siebel Server to use Secure Sockets Layer (SSL) encryption and authentication for SISNAPI communications between Siebel Servers and the Web server (SWSE), and between Siebel Servers. Configuring SSL for SISNAPI communications is optional.

Configuring at the Enterprise level applies to all Siebel Servers in the enterprise. Some settings, such as the certificate and private key file names, typically differ for each Siebel Server and should be configured at the Siebel Server level.

Configuring SSL communications between Siebel Servers and the Web server also requires that you configure SWSE to use SSL, as described in Configuring SSL Encryption for SWSE.

When configuring SSL for Siebel Server and the SWSE, you can also configure connection authentication for the relevant modules. In other words, when a module connects to another module, modules may be required to authenticate themselves against the other using third-party certificates.

Connection authentication scenarios are:

  • Siebel Server authenticates against the Web server.
  • Web server authenticates against the Siebel Server.
  • Siebel Server authenticates against another Siebel Server.

A peer authentication option requires that mutual authentication be done.

Performing the procedure below adds parameters to the Siebel Gateway Name Server. If you also configure the SWSE for SSL, Name Server parameters mentioned in this procedure (short names) correspond to parameters added to the [connmgmt] section of the eapps.cfg file. Name Server parameters mentioned in this procedure can alternatively be set using Siebel Server Manager.

About Certificates and Private Key Files Used for SSL Authentication

When you configure SSL authentication for each Siebel Server and SWSE, you specify parameter values that indicate the names of certificate files, certificate authority files, and private key files on the Siebel Server and SWSE machines.

The certificate files you use for this purpose can be issued by and obtained from third-party certificate authorities. Certificate files must use either ASN (Abstract Syntax Notation) or PEM (Privacy Enhanced Mail) format. The certificate file must use the file extension that corresponds to the certificate file format in use: .pem for the PEM format and .asn for the ASN format. Certificate files on each machine must be unique and belong to that machine if PeerAuth = TRUE on the remote machine. Certificate authority files identify the third-party certificate authority that issued the certificate. Private key files must use PEM format.

NOTE:  The ASN format is also referred to as the DER format. The file extension (.asn) remains the same.

Certificate files and private key files are typically installed on each Siebel Server machine and SWSE machine for which you configure SSL.

You need not authenticate or encrypt communications between components on the same machine.

Running the SSL Configuration Utility for Siebel Server

This section describes running the SSL configuration utility for Siebel Server—that is, the Siebel Software Configuration Utility (Siebel Server SSL). Use this procedure to configure the Siebel Enterprise or to configure individual Siebel Servers.

NOTE:  While performing the procedure below, if you specify to configure SSL for the Siebel Enterprise rather than an individual Siebel Server, all Siebel Servers in the Enterprise inherit all settings. These settings include the key filename and password and certificate filenames. You can run the utility again later to separately configure individual Siebel Servers, at which time you can specify unique key filenames or passwords or unique certificate filenames. In order to completely configure SSL for your Siebel Servers, you must run this utility multiple times.

The prompts for the SSL configuration utility are the same whether you run it in GUI mode or console mode. However, some user interface elements are different in these two modes.

On Windows, SSL configuration of the Enterprise or SWSE always uses GUI mode. On UNIX, initial SSL configuration of the Enterprise or SWSE uses GUI mode. However, if you run the SSL configuration utility separately later on a UNIX platform, it will run in console mode.

To enable SSL encryption for the Siebel Server

  1. Before you begin, obtain and install the necessary certificate files you will need if you will configure SSL authentication.
  2. If you are running the main Siebel Software Configuration Utility to configure the Siebel Enterprise or specific Siebel Servers, start the SSL configuration utility by specifying that you want to deploy SSL for the Enterprise, as described in Configuring Encryption for Siebel Enterprise and SWSE.
  3. Alternatively, to run the SSL configuration utility directly on a Siebel Server machine, start the SSL configuration utility directly, as described below:
    • For Microsoft Windows platforms, open an MS-DOS window and enter the following command (utility runs in GUI mode):

      SIEBSRVR_ROOT\bin\ssincfgw.exe -l language -f SIEBSRVR_ROOT\admin\sslSiebsrvr.scm -logevents all

      where:

        • SIEBSRVR_ROOT is the Siebel Server installation directory
        • language is the language in which you want to run the SSL configuration utility (for example, ENU for U.S. English)
    • For UNIX platforms, enter the following commands (utility runs in console mode):

      cd SIEBSRVR_ROOT

      For Bourne shell or Korn shell:

      . ./siebenv.sh

      (Make sure there is a space between the initial period (.) and ./siebenv.sh.)

      For C shell:

      source siebenv.csh

      cd SIEBSRVR_ROOT/bin

      ./icfg -l language -f SIEBSRVR_ROOT/admin/sslSiebsrvr.scm -logevents all

      where:

        • SIEBSRVR_ROOT is the Siebel Server installation directory
        • language is the language in which you want to run the SSL configuration utility (for example, ENU for U.S. English)
  4. If you are running the SSL configuration utility separately (as described in Step 3), enter the hostname of the Siebel Gateway Name Server machine and the name of the Siebel Enterprise applicable to the component you want to configure.

    NOTE:  If you are running the SSL configuration utility as part of running the Siebel Software Configuration Utility (as described in Step 2), the Siebel Gateway Name Server and Siebel Enterprise were already specified. This screen does not appear.

  5. Specify the configuration type: whether to configure SSL for the Siebel Enterprise or for a Siebel Server. (The issues behind this choice are described in a note just before this procedure.)
  6. If you are configuring a Siebel Server, specify the name of the Siebel Server.

    NOTE:  If you specify Siebel Server SSL, the settings apply to all components on the Siebel Server. You cannot specify settings at the component level.

  7. Specify the names of the certificate file and of the certificate authority file.

    The equivalent parameters in the Name Server are CertFileName (display name Certificate file name) and CACertFileName (display name CA certificate file name).

  8. Specify the name of the private key file, and the password for the private key file, then confirm the password.

    The password you specify will be stored in encrypted form.

    The equivalent parameters in the Name Server are KeyFileName (display name Private key file name) and KeyFilePassword (display name Private key file password).

  9. Specify whether you require peer authentication.

    Peer authentication means that this Siebel Server authenticates the client (that is, SWSE or another Siebel Server) that initiates a connection. Peer authentication is false by default.

    NOTE:  The peer authentication parameter is ignored if SSL is not deployed between the Siebel Server and the client (that is, SWSE or another Siebel Server). If peer authentication is set to TRUE on the Siebel Server, a certificate from the client is authenticated provided that the Siebel Server has the certifying authority's certificate to authenticate the client's certificate. The client must also have a certificate. If SSL is deployed and the SWSE has a certificate, then it is recommended that you set PeerAuth to TRUE on both the Siebel Server and the SWSE to obtain maximum security.

    The equivalent parameter in the Name Server is PeerAuth (display name Peer Authentication).

  10. Specify whether you require peer certificate validation.

    Peer certificate validation performs reverse-DNS lookup to independently verify that the hostname of the Siebel Server machine matches the hostname presented in the certificate. Peer certificate validation is false by default.

    The equivalent parameter in the Name Server is PeerCertValidation (display name Validate peer certificate).

  11. If you were running the SSL configuration utility as part of running the Siebel Software Configuration Utility, you return to that process, as described in the Siebel Installation Guide for the operating system you are using.
  12. If you were running the SSL configuration utility directly, then review the settings, finish configuration, and restart the server.
  13. Repeat this procedure for each Siebel Server in your environment, as necessary.

    Make sure you also configure each SWSE in your environment, as described in Configuring SSL Encryption for SWSE.

Setting Additional Name Server Parameters for Siebel Server SSL

After configuring SSL for Siebel Servers as described earlier in this section, make the following configuration changes:

  • Using Siebel Server Manager, set the Communication Transport parameter (alias CommType) to SSL for each AOM that is to use SSL. (TCP/IP is used by default.)
  • If you previously used Microsoft Crypto or RSA encryption, then, using Siebel Server Manager, set the Encryption Type parameter (alias Crypt) to NONE (instead of MSCRYPTO or RSA) for the Siebel Enterprise.
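Added example, not Siebel's own code: a pre-flight check, in Python, of the parameter set that Step 7 through Step 10 and the two settings above produce (CertFileName, CACertFileName, KeyFileName, PeerAuth, CommType, Crypt), applying the file-format rules stated under About Certificates and Private Key Files Used for SSL Authentication. The paths, the file contents and the in-memory stand-in for reading files are constructed assumptions.

```python
import os

# Constructed stand-in "filesystem" (path -> leading bytes). Paths and contents
# are assumptions for this example, not real Siebel files or certificates.
SAMPLE_FILES = {
    "/siebel/siebsrvr/certs/server.pem": b"-----BEGIN CERTIFICATE-----\nMIIB...",
    "/siebel/siebsrvr/certs/ca.asn": b"\x30\x82\x02\x10\x30\x82\x01\x79",  # DER SEQUENCE
    "/siebel/siebsrvr/certs/server.key.pem": b"-----BEGIN RSA PRIVATE KEY-----\nMIIE...",
}

def read_file(path):
    """Stand-in for open(path, 'rb').read(); returns b'' for a missing file."""
    return SAMPLE_FILES.get(path, b"")

def check_cert_file(path, read=read_file):
    """Apply the guide's rule: .pem for PEM, .asn for ASN (DER), nothing else."""
    data = read(path)
    if not data:
        return [f"{path}: file not found"]
    ext = os.path.splitext(path)[1].lower()
    is_pem = data.lstrip().startswith(b"-----BEGIN CERTIFICATE-----")
    is_der = data[:1] == b"\x30"  # a DER Certificate starts with an ASN.1 SEQUENCE tag
    if ext == ".pem" and not is_pem:
        return [f"{path}: .pem extension but content is not PEM"]
    if ext == ".asn" and not is_der:
        return [f"{path}: .asn extension but content is not DER"]
    if ext not in (".pem", ".asn"):
        return [f"{path}: certificate extension must be .pem or .asn"]
    return []

def check_ssl_params(p, read=read_file):
    """Cross-check one server's SSL parameter set against the guide's notes."""
    problems = check_cert_file(p["CertFileName"], read)
    if b"PRIVATE KEY-----" not in read(p["KeyFileName"]):
        problems.append(f"{p['KeyFileName']}: private key files must be PEM")
    ssl_on = p.get("CommType", "").upper() == "SSL"
    if p.get("PeerAuth", "FALSE").upper() == "TRUE":
        if not p.get("CACertFileName"):  # without the CA cert no peer cert can be checked
            problems.append("PeerAuth is TRUE but CACertFileName is not set")
        else:
            problems += check_cert_file(p["CACertFileName"], read)
        if not ssl_on:
            problems.append("PeerAuth has no effect unless CommType is SSL")
    if ssl_on and p.get("Crypt", "NONE").upper() in ("MSCRYPTO", "RSA"):
        problems.append(f"Crypt is {p['Crypt']}; set it to NONE when using SSL")
    return problems

# One server's parameter set as the procedure above would leave it (constructed).
GOOD_PARAMS = {"CertFileName": "/siebel/siebsrvr/certs/server.pem",
               "CACertFileName": "/siebel/siebsrvr/certs/ca.asn",
               "KeyFileName": "/siebel/siebsrvr/certs/server.key.pem",
               "PeerAuth": "TRUE", "CommType": "SSL", "Crypt": "NONE"}
```

Run check_ssl_params over each server's parameter set before restarting, or swap read_file for a real file reader to check the installed files themselves.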