Siebel Application Configuration File Parameters
A configuration file exists for each Siebel eBusiness Application for each language. The parameters in the file determine how the user interacts with the Application Object Manager and with the security adapter.
The configuration file that controls a particular user session depends on the client with which a user connects.
- Configuration file on the Siebel Server. For users connecting with the standard Web Client, application configuration files are located in the SIEBSRVR_ROOT\bin\LANGUAGE subdirectory. For example, eservice.cfg is provided for Siebel eService, for implementation in U.S. English, in the SIEBSRVR_ROOT\bin\ENU directory.
- Configuration file on the Siebel Dedicated Web Client. For users connecting through the Siebel Dedicated Web Client (or Mobile Web Client), the configuration file is located in the SIEBEL_CLIENT_ROOT\bin\LANGUAGE subdirectory on the client. For example, eservice.cfg is provided for Siebel eService, for implementation in U.S. English, in the SIEBEL_CLIENT_ROOT\bin\ENU directory. The Siebel Dedicated Web Client connects directly to the database; it bypasses the Siebel Server.
For a list of Siebel application configuration files, refer to Siebel Server Administration Guide.
For more information about working with configuration files, see Siebel Web Client Administration Guide.
In a given configuration file, some parameters may not appear by default. Others may appear with a preceding semicolon (;), indicating that the parameter is a comment and is not being interpreted. The semicolon must be deleted to make the parameter active. Changes to an application configuration file are not active until you restart the Siebel Server.
CAUTION: The parameter values that reference directory attributes that you provide for the Siebel LDAP and ADSI adapters are case-sensitive. The values must match the attribute names in the directory.
The following parameters are authentication-related parameters that are present by default or can be added to each application's configuration file. They are grouped by the labeled sections in which they occur. This listing does not include parameters in an application's configuration file that are not authentication-related.
[SWE] section:
- AllowAnonUsers. (TRUE or FALSE) Unregistered users are not allowed access to this Siebel application if this parameter value is FALSE.
- SecureLogin. (TRUE or FALSE) If TRUE, the login form completed by the user is transmitted over Secure Sockets Layer (SSL). This requires that you have a certificate from a certificate authority on the Web server on which the Siebel Web Engine is installed.
- SecureBrowse. When SecureBrowse is set to TRUE, all views in the application are navigated over SSL. When SecureBrowse is set to FALSE, views in the application whose Secure attribute is set to TRUE are navigated over SSL.
CAUTION: Siebel customer applications support switching between secure and non-secure views, but employee applications (such as Siebel Call Center) do not. For more information, see Secure Views.
NOTE: For some browsers, even if SecureBrowse is set to TRUE, the following message may appear when you access a Siebel application, "This page contains both Secure and Non Secure items. Do you want to download non secure items?" Despite this message, Siebel application requests will be processed on HTTPS, not HTTP.
For information about the Secure attribute for a view, see Siebel Tools Reference.
[SecurityAdapters] section:
- Adapter Name, for example "LDAP". Each line you enter here refers to a section in this application's configuration file that contains parameters for a particular security adapter. For example, the line LDAP = LDAP means this entry in the security adapters list, LDAP, points to an [LDAP] section that follows containing configuration parameters for a particular security adapter, such as the Siebel LDAP security adapter. The names you provide are arbitrary.
[adapter_name] section, for example [LDAP]:
Each security adapter's section, for example [LDAP] or [ADSI], corresponds to the right member of a line in the [SecurityAdapters] section. In each security adapter's section, the set of parameters configures how the security adapter is implemented.
Each authentication-related parameter in an application's configuration file is interpreted by either the Application Object Manager or the security adapter (for LDAP or ADSI), or both. If you implement a non-Siebel security adapter, you must configure your adapter to interpret the parameters used by the Siebel adapters if you want to use those parameters.
For information about configuring a non-Siebel security adapter, see Security Adapters for External Authentication.
Some parameters apply only in a Web SSO authentication environment.
- DllName. This parameter is interpreted by the Application Object Manager. It is the DLL that implements the security adapter API required for integration with Siebel eBusiness Applications. For example, sscfldap.dll implements the Siebel LDAP adapter in a Windows implementation, and libsscfldap.so does so in a UNIX implementation. If the DLL name for the Siebel LDAP adapter is used in a UNIX implementation, it is converted internally to the actual filename.
- ServerName. This parameter is interpreted by Siebel security adapters. It is the name of the machine on which the LDAP or ADS server runs, for example ldapserver.siebel.com.
NOTE: For ADSI, this parameter must be populated with the ADS server's complete machine name, not its IP address—otherwise, users will be unable to change their passwords through the Siebel application. This restriction is due to a limitation of the ADSI client library used by the Siebel ADSI security adapter.
- Port. This parameter is interpreted by the Siebel LDAP security adapter only. It is the port on the server machine that is used to access the LDAP server. Typically, use 389, the default value, for standard transmission or use 636 for secure transmission. You set the port at the ADS directory level, not as a configuration parameter.
- BaseDN. This parameter is interpreted by Siebel security adapters. The Base Distinguished Name is the root of the tree under which users of this Siebel application are stored in the directory. Users can be added directly or indirectly below this directory. A typical entry for an LDAP server might be BaseDN = "ou=people, o=domain_name". "o" denotes "organization" and is typically your Web site's domain name. "ou" denotes "organization unit" and is the subdirectory in which users are stored.
A typical entry for an ADS server might be BaseDN = "CN=Users, DC=qatest, DC=siebel, DC=com". Domain Component (DC) entries are the nested domains that locate this server. Common Name (CN) entries are the specific paths for the user objects in the directory. Therefore, adjust the number of CN and DC entries to represent your architecture.
- UsernameAttributeType. This parameter is interpreted by Siebel security adapters. It is the attribute type under which the user's login name is stored in the directory. For example, if UsernameAttributeType = uid, then when a user attempts to log in with username HKIM, the security adapter searches for a record in which the uid attribute has the value HKIM. This attribute is the Siebel user ID, unless the UseAdapterUsername parameter is TRUE.
NOTE: If you implement an adapter-defined user name (UseAdapterUsername = TRUE), then you must set the OM - Username BC Field Name Server parameter appropriately to allow the directory attribute defined by UsernameAttributeType to be updated from the Siebel client. For more information about implementing an adapter-defined user name, see Adapter-Defined User Name.
- PasswordAttributeType. This parameter is interpreted by the Siebel LDAP security adapter. It is the attribute type under which the user's login password is stored in the directory. PasswordAttributeType = userPassword is the only supported value for LDAP. When a user with username HKIM attempts to log in, the security adapter compares the value in the userPassword attribute for HKIM with the password the user enters.
ADS does not store the password in an attribute, so this parameter is not used with the Siebel ADSI adapter.
- CredentialsAttributeType. This parameter is interpreted by Siebel security adapters. It is the attribute type that stores a database account. For example, if CredentialsAttributeType = dbaccount, then when a user with username HKIM is authenticated, the security adapter retrieves the database account from the dbaccount attribute for HKIM.
This attribute value must be of the form username=U password=P, where U and P are credentials for a database account. There may be any amount of white space between the two key-value pairs and no space within each pair. The keywords username and password must be lowercase.
NOTE: If you implement LDAP or ADSI security adapter authentication to manage the users in the directory through the Siebel client, then the value of the database account attribute for a new user is inherited from the user who creates the new user. The inheritance is independent of whether you implement a shared database account, but does not override the use of the shared database account. For information on shared database accounts, see Shared Database Account.
- RolesAttributeType. This parameter is interpreted by Siebel security adapters. It is the attribute type for roles stored in the directory. For example, if RolesAttributeType = roles, then when a user with username HKIM is authenticated, the security adapter retrieves the user's Siebel responsibilities from the roles attribute for HKIM.
Responsibilities are typically associated with users in the Siebel Database, but they can be stored in the database, in the directory, or in both. The user gets access to all of the views in all of the responsibilities specified in both sources. However, it is recommended that you define responsibilities in the database or in the directory, but not in both places.
- SslDatabase. This parameter is interpreted by the Siebel LDAP security adapter only. It determines whether a Secure Sockets Layer (SSL) is used for communication between the LDAP adapter and the directory. If empty, SSL is not used. If not empty, its value must be the absolute path of a Sun ONE cert7.db file that contains a certificate for the certificate authority that is used by the LDAP server.
- UseSSL. (TRUE or FALSE) This parameter is interpreted by the Siebel ADSI security adapter only. If it is set to TRUE, a Secure Sockets Layer (SSL) is used for communication between the ADSI adapter and the ADS directory, otherwise SSL is not used.
- EncryptCredentialsPassword. (TRUE or FALSE) This parameter is interpreted by the Application Object Manager. If TRUE, the database password in the directory for an authenticated user is encrypted by a Siebel-provided utility before being sent to the Object Manager. The encrypted version is the valid database login password. This parameter's default value is FALSE.
- ApplicationUser. This parameter is interpreted by Siebel security adapters. It is the user name of a record in the directory with sufficient permissions to read any user's information and do any necessary administration.
If this parameter value is not empty, this user provides the initial binding of the LDAP or Active Directory server with the Application Object Manager when a user requests the login page, or else anonymous browsing of the directory is required.
You enter this parameter as a full distinguished name (DN), for example "uid=APPUSER, ou=People, o=companyname.com", including quotes, for LDAP. The security adapter uses this name to bind.
It is strongly recommended that you implement an application user.
- ApplicationPassword. This parameter is interpreted by the Siebel LDAP and ADSI security adapters. It must match the password in the directory for the user defined by the ApplicationUser parameter.
In an LDAP directory, the password is stored in an attribute. In ADS, the password is stored using ADS user management tools. It is not stored in an attribute.
- EncryptApplicationPassword. (TRUE or FALSE) This parameter is interpreted by Siebel security adapters. If TRUE, the password in the ApplicationPassword parameter is compared with an encrypted version of the password for the application user in the directory.
- SingleSignOn. (TRUE or FALSE) This parameter is interpreted by the Application Object Manager. If TRUE, the security adapter is used in Web SSO mode, instead of using security adapter authentication.
- TrustToken. This parameter is interpreted by Siebel security adapters. It applies only in a Web SSO environment. The adapter compares the TrustToken value provided in the request with the value stored in this application configuration file. If they match, the Application Object Manager accepts that the request has come from the Siebel Web Server Extension, that is, from a trusted Web server. This parameter's default value is an empty string.
- SharedCredentialsDn. This parameter is interpreted by Siebel security adapters. It is the absolute path (not relative to the BaseDN) of an object in the directory that has the shared database account for the application. If it is empty, the database account is looked up in the user's DN as usual. If it is not empty, then the database account for all users is looked up in the shared credentials DN instead. The attribute type is still determined by CredentialsAttributeType.
For example, if SharedCredentialsDn = "uid=HKIM, ou=People, o=siebel.com", then when any user is authenticated, the security adapter retrieves the database account from the appropriate attribute in the HKIM record. This parameter's default value is an empty string.
- UseAdapterUsername. (TRUE or FALSE) This parameter is interpreted by the Application Object Manager. If TRUE, this parameter indicates that when the user key passed to the security adapter is not the Siebel user ID, the security adapter retrieves the Siebel user ID for authenticated users from an attribute defined by the SiebelUsernameAttributeType parameter. The default value for the UseAdapterUsername parameter is FALSE.
- SiebelUsernameAttributeType. This parameter is interpreted by the Siebel security adapters. If UseAdapterUsername = TRUE, this parameter is the attribute from which the security adapter retrieves an authenticated user's Siebel user ID. If this parameter is left empty, the username passed in is assumed to be the Siebel user ID.
- UseRemoteConfig. This parameter is interpreted by the Application Object Manager. It is the path to a configuration file that contains only parameters for a security adapter, that is, it contains parameters as they would be formatted if they were included in a section such as [LDAP] in an application's configuration file. The parameter values in the remote configuration file override those in the same section in the application's configuration file.
You must provide the path in universal naming convention (UNC) format, that is, \\server\vol\path\filename.cfg.
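The parameter semantics described above can be checked mechanically. The following Python audit is an added example, not part of the Siebel documentation or product: it parses a constructed configuration file, treats semicolon-prefixed parameters as inactive, follows each [SecurityAdapters] entry to its section, and reports settings that leave the login form or the directory connection without SSL. Which conditions to report is this example's choice, and it assumes that an adapter whose DllName does not contain "ldap" is the ADSI adapter.

```python
import configparser

# Constructed sample file; the DN and all values are made up for this example.
SAMPLE_CFG = """
[SWE]
;SecureLogin = TRUE
[SecurityAdapters]
LDAP = LDAP
ADSI = ADSI
[LDAP]
DllName = sscfldap.dll
Port = 389
SslDatabase =
;ApplicationUser = "uid=APPUSER, ou=People, o=example.com"
SingleSignOn = TRUE
TrustToken =
"""

def value(cp, section, key):
    # Missing section or parameter reads as empty; surrounding quotes are dropped.
    return cp.get(section, key, fallback="").strip().strip('"')

def is_true(cp, section, key):
    return value(cp, section, key).upper() == "TRUE"

def audit(text):
    # A leading semicolon makes a parameter inactive, so parse it as a comment.
    cp = configparser.ConfigParser(comment_prefixes=(";",), interpolation=None, strict=False)
    cp.optionxform = str  # keep parameter names exactly as written
    cp.read_string(text)
    out = []
    if not is_true(cp, "SWE", "SecureLogin"):
        out.append("SWE: SecureLogin is not TRUE, login form is not sent over SSL")
    adapters = dict(cp["SecurityAdapters"]) if cp.has_section("SecurityAdapters") else {}
    for name, sec in adapters.items():
        if not cp.has_section(sec):
            out.append(f"{name}: no [{sec}] section for this [SecurityAdapters] entry")
            continue
        if value(cp, sec, "UseRemoteConfig"):
            out.append(f"{sec}: UseRemoteConfig is set, the remote file overrides this section")
        ldap = "ldap" in value(cp, sec, "DllName").lower()  # assumption: otherwise ADSI
        ssl_on = value(cp, sec, "SslDatabase") if ldap else is_true(cp, sec, "UseSSL")
        if not ssl_on:
            out.append(f"{sec}: {'SslDatabase is empty' if ldap else 'UseSSL is not TRUE'}, no SSL to the directory")
        if not value(cp, sec, "ApplicationUser"):
            out.append(f"{sec}: no ApplicationUser, anonymous browsing of the directory is required")
        if is_true(cp, sec, "SingleSignOn") and not value(cp, sec, "TrustToken"):
            out.append(f"{sec}: SingleSignOn is TRUE but TrustToken is empty")
    return out
```

Calling audit(SAMPLE_CFG) returns five findings for the constructed file. When UseRemoteConfig is reported, run the same audit on the remote file, because its values are the ones in effect.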
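The value format required for the attribute named by CredentialsAttributeType (username=U password=P, white space between the pairs, none within a pair, lowercase keywords) can be validated before entries are provisioned. This Python validator is an added example, not Siebel code; the sample entries are constructed, and it assumes the username pair comes first and that leading or trailing white space is ignored.

```python
import re

# username=U password=P: white space between the pairs, none inside a pair.
FORM = re.compile(r"username=(\S+)\s+password=(\S+)")

def parse_db_account(value):
    """Return (username, password) or raise ValueError naming the broken rule.

    Messages never echo the value, because it contains a database password.
    """
    text = value.strip()  # assumption: leading/trailing white space is ignored
    match = FORM.fullmatch(text)
    if match:
        return match.group(1), match.group(2)
    if re.search(r"(?i)(username|password)(\s+=|=\s)", text):
        raise ValueError("no space is allowed within a key-value pair")
    if FORM.fullmatch(text.lower()):
        raise ValueError("keywords username and password must be lowercase")
    raise ValueError("expected the form: username=U password=P")

def malformed_accounts(entries):
    """Map each login name to the rule its attribute value breaks."""
    bad = {}
    for login, value in entries.items():
        try:
            parse_db_account(value)
        except ValueError as err:
            bad[login] = str(err)
    return bad

# Constructed directory data: login name -> value of the dbaccount attribute.
SAMPLE = {
    "HKIM": "username=sbluser   password=Examp1e",
    "USER2": "Username=sbluser Password=Examp1e",
    "USER3": "username = sbluser password=Examp1e",
    "USER4": "username=sbluser",
}
```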
Security Guide for Siebel eBusiness Applications Published: 23 June 2003