Bookshelf Home | Contents | Index | PDF     

Security Guide for Siebel eBusiness Applications > Security Adapter Authentication >

Security Adapters and Siebel Dedicated Web Client

The Siebel Dedicated Web Client relocates business logic from the Siebel Server to the client. The authentication architecture for the Dedicated Web Client differs from the authentication architecture for the standard Web Client, because it locates the following components on the client instead of the Siebel Server:

  • AOM (through the siebel.exe program)
  • Application configuration file
  • Authentication manager and security adapter

When you implement security adapter authentication for Siebel Dedicated Web Clients, observe the following principles:

  • It is recommended to use the remote configuration option, which can help you make sure that all clients use the same configuration settings. This option is described later in this section.
  • Authentication-related configuration parameters stored in application configuration files on client computers, or stored in remote configuration files, should generally contain the same values as the corresponding parameters in the Name Server (for Siebel Web Client users). Distribute the appropriate configuration files to all Siebel Dedicated Web Client users.

    For information about setting parameters in Siebel application configuration files on the Siebel Dedicated Web Client, see Siebel Application Configuration File Parameters.

  • It is recommended that you use checksum validation to make sure that the appropriate security adapter provides user credentials to the authentication manager for all users who request access. For information about checksum validation, see Configuring Checksum Validation.
  • In a security adapter authentication implementation, you must set the security adapter configuration parameter PropagateChange to TRUE, and set the Siebel system preference SecThickClientExtAuthent to TRUE, if you want to implement:
    • Security adapter authentication of Siebel Dedicated Web Client users.
    • Propagation of user administration changes from the Siebel Dedicated Web Client to an external directory such as LDAP or ADS. (For example, if a user changes his or her password in the Dedicated Web Client, the password change will also be populated to the directory.)

      For more information, see Siebel Application Configuration File Parameters and System Preference.

  • In some environments, you may want to rely on the data server itself to determine whether to allow Siebel Dedicated Web Client users to access the Siebel Database and run the application. In the application configuration file on the local client, you can optionally define the parameter IntegratedSecurity for the server data source (typically, in the [ServerDataSrc] section of the configuration file).

    This parameter can be set to TRUE or FALSE. The default value is FALSE. When TRUE, the Siebel client is prevented from prompting the user for a username and password when the user logs in. Facilities provided in your existing data server infrastructure determine if the user should be allowed to log into the database.

    You can use IntegratedSecurity = TRUE with the database security adapter. See also Configuring Database Authentication.

    NOTE:  IntegratedSecurity is supported for Oracle and Microsoft SQL Server databases only. For additional information, refer to your third-party documentation. For Oracle, refer to the OPS$ and REMOTE_OS_AUTHENT features. For Microsoft SQL Server, refer to Integrated Security.

For more information about the Siebel Dedicated Web Client, see the Siebel Installation Guide for the operating system you are using and the Siebel System Administration Guide.

Sample LDAP Section in Configuration File

The following is an example of LDAP configuration information generated by the LDAP/ADSI Configuration Utility when you configure an LDAP security adapter for Dedicated Web Clients. For more information, see Using the LDAP/ADSI Configuration Utility.

For information about setting Siebel configuration parameters, see Siebel Application Configuration File Parameters.

[LDAPSecAdpt]
SecAdptDllName = sscfldap
ServerName = ldapserver.siebel.com
Port = 636
BaseDN = "ou=people, o=xyz.com"
SharedCredentialsDN = "uid=HKIM, ou=people, o=Siebel.com"
UsernameAttributeType = uid
PasswordAttributeType = userPassword
CredentialsAttributeType = mail
RolesAttributeType = roles
SslDatabase = /suitespot/https-myhost/ldapkey.kdb
ApplicationUser = "uid=APPUSER, ou=people, o=xyz.com"
ApplicationPassword = APPUSERPW
HashDBPwd = TRUE
PropagateChange = TRUE
CRC =
SingleSignOn = TRUE
TrustToken = mydog
UseAdapterUsername = TRUE
SiebelUsernameAttributeType = PHONE
HashUserPwd = TRUE
HashAlgorithm = RSASHA1

Remote Configuration Option for Dedicated Web Client

For the Siebel Dedicated Web client only, the remote configuration option can be implemented in the following authentication strategies:

  • Security adapter authentication: LDAP, ADSI, custom (not database authentication)
  • Web SSO authentication

With this approach, you create a separate text file that defines any parameter values that configure a security adapter. You configure all security adapter parameters, such as those in a section like [LDAPSecAdpt] or [ADSISecAdpt], in the remote file, not in the application configuration file.

Storing configuration parameters in a centralized location can help you reduce administration overhead. All Dedicated Web Clients can read the authentication-related parameters stored in the same file at a centralized remote location.

The examples below show how a remote configuration file could be used to provide parameters for a security adapter that is implemented by Siebel eService in a Web SSO environment. The following example is from the configuration file uagent.cfg for Siebel Call Center:

[InfraSecMgr]
SecAdptMode = LDAP
SecAdptName = LDAPSecAdpt
UseRemoteConfig = \\it_3\vol_1\private\ldap_remote.cfg

In this case, the configuration file ldap_remote.cfg would contain an [LDAPSecAdpt] section. It could be defined similarly to the example earlier in this section, and would contain no other content. The application configuration file would contain the [InfraSecMgr] section as defined above. It would not contain an [LDAPSecAdpt] section—even if it did, it would be ignored.

To implement remote security configuration for Siebel Dedicated Web Clients, follow these guidelines:

  • The [InfraSecMgr] section in the Siebel configuration file must include the UseRemoteConfig parameter, which provides the path to a remote configuration file. The path is specified in universal naming convention format—that is, for example, \\server\vol\path\ldap_remote.cfg.
  • The remote security configuration file contains only a section for configuring the security adapter, such as the [LDAPSecAdpt] section.
  • Each Dedicated Web Client user must have read privileges on the remote configuration file and the disk directory where it resides.
    
Security Guide for Siebel eBusiness Applications