
Using an External Security Adapter


An external security adapter is an interface that lets you use an external system to authenticate users. For example, you might employ an LDAP (Lightweight Directory Access Protocol) repository; LDAP is a protocol for storing and retrieving directory-related information that includes authentication services.

Using an external security adapter makes administration easier, because you do not have to create an account for each Siebel application user on the OS/390 host. You can instead create a few generic database accounts that are used by multiple Siebel users.

When users log on to the Siebel application, the external security adapter validates user names, passwords, user roles, and database credentials against the information in the external system. If the external security adapter finds a match, it retrieves a generic set of user credentials (username and password) that supply access to the database.

NOTE:  For LDAP, the generic set of user credentials can be the same for every user, if desired.

The following paragraphs summarize the steps required to configure LDAP for use with Siebel eBusiness Applications. For detailed instructions on how to configure LDAP, refer to Applications Administration Guide and Security Guide for Siebel eBusiness Applications.

The default user objectclass in LDAP is inetOrgPerson (or one of its descendants). The user ID can be stored in the uid attribute, the password in the userpassword attribute, and the database credentials in any unused directory string-type attribute, such as mail.

Database credentials should take the following form:

username=db_user password=db_password

where:

db_user = a valid user ID with appropriate access; it need not be a Siebel user.

db_password = the password for the given user ID (in lowercase characters).

NOTE:  The values for user name and password must be lowercase. The credential contains one space between the two parameters and no additional spaces.
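
The format rules above can be checked before an entry is loaded into the directory. The following is an added example, not part of the Siebel documentation: it lints the credentials attribute of one LDIF entry. The function names, the sample entry, and the use of mail as the credentials attribute are assumptions for illustration.

```python
import re

# Shape required by the text: two key=value parameters separated by exactly
# one space, with no other whitespace in the value.
CRED_RE = re.compile(r"username=(?P<username>[^\s=]+) password=(?P<password>\S+)")


def check_credentials(value):
    """Return the problems found in one database-credentials value."""
    problems = []
    if value != value.strip():
        problems.append("leading or trailing whitespace")
    m = CRED_RE.fullmatch(value.strip())
    if m is None:
        return problems + ["not 'username=db_user password=db_password'"]
    for field in ("username", "password"):
        # Report the field name only, so the password never reaches a log.
        if m.group(field) != m.group(field).lower():
            problems.append(field + " is not lowercase")
    return problems


def lint_entry(ldif, cred_attr="mail"):
    """Lint one unfolded, plain-text LDIF entry (hypothetical helper)."""
    attrs = {}
    for line in ldif.strip().splitlines():
        name, _, value = line.partition(":")
        attrs.setdefault(name.lower(), []).append(value.lstrip(" "))
    problems = []
    if "uid" not in attrs:
        problems.append("no uid attribute")
    values = attrs.get(cred_attr.lower(), [])
    if len(values) != 1:
        problems.append("expected one %s value, found %d" % (cred_attr, len(values)))
    for value in values:
        problems.extend(check_credentials(value))
    return problems


# Constructed sample entry; the DN, uid and credentials are made up.
SAMPLE = """
dn: uid=jsmith,ou=people,o=example.com
objectClass: inetOrgPerson
uid: jsmith
mail: username=siebeldb  password=Db2pass
"""

if __name__ == "__main__":
    print("\n".join(lint_entry(SAMPLE)))
```

The sample entry fails because it has two spaces between the parameters; once that is corrected, the mixed-case password is reported next.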

You must configure LDAP in several different locations, as described below.

To configure LDAP

  1. Edit the appropriate Siebel Application Object Managers (AOM):
    1. Launch Siebel Call Center or another Siebel application and activate Server Manager. For instructions on how to use Server Manager, refer to Siebel Server Administration Guide.
    2. Locate the applicable configuration file for your application (for example, uagent.cfg for Call Center) and supply the following information in the [LDAP] section of the file:

       Parameter                  Description
       ServerName                 LDAP server host name
       Port                       LDAP port (usually 389)
       BaseDN                     Represents the location in LDAP where users are located.
       UsernameAttributeType      User ID
       PasswordAttributeType      User password
       CredentialsAttributeType   Mail

  2. Edit the eapps.cfg file of your Siebel Web Server Extension.
    1. Locate the eapps.cfg file in the binary subdirectory of your Siebel Web Server Extension installation directory.
    2. Open the eapps.cfg file using any text editor, such as Notepad on Windows or vi on UNIX, and edit it appropriately for your environment, using the following example:

    [/callcenter_enu]

    AnonUserName = user1

    AnonPassword = password1

    NOTE:  Make sure the parameters AnonUserName and AnonPassword for the application you are using are valid for a Siebel user that exists in your LDAP server.

  3. If your enterprise uses applications such as Siebel eService, and you want users to be able to self-register or you want to use a delegated administrator, you must revise and activate the following workflows:
  4. Set the following system OS Preferences:

     Parameter                       Value      Description
     SecExternalUserAdministration   FALSE      Allows user-administration with LDAP for Siebel eBusiness Applications.
     SecThickClientExtAuthent        TRUE       Allows users to log into a Siebel application through the Siebel Web Client, using LDAP for authentication.
     Security Adapter CRC            0 (zero)   Not used in this case. For more information, see the Siebel Bookshelf CD-ROM.

  5. Configure the applications your enterprise uses for LDAP by setting the SecurityAdapter parameter to LDAP in their Application Object Manager, using the instructions in Step 1. In this example, sccobjmgr_enu is the object manager for Siebel Call Center.

    change ent param SecurityAdapter=LDAP

    change param SecurityAdapter=LDAP for comp YourAppObjMgr_lang

    where:

    YourAppObjMgr is the name of the applicable Application Object Manager, followed by the three-letter language code, such as sccobjmgr_enu for Siebel Call Center.


 Implementing Siebel eBusiness Applications on DB2 UDB for OS/390 and z/OS 
 Published: 18 April 2003