Application User
This option can be implemented in the following authentication strategies that implement a Siebel security adapter:
- Siebel security adapter authentication
- Web SSO
By setting up an application user as the only user with search and write privileges to the directory, you minimize the level of access of all other users to the directory and the administration required to provide such access.
The application user is a user that you define in the directory with the following qualities:
- This user provides the initial binding of the LDAP or Active Directory server with the Application Object Manager when a user requests the login page. If no application user is defined, that binding defaults to the anonymous user.
- This user has sufficient permissions to read any user's information and do any necessary administration. The application user does all searching and writing to the directory that is requested through the security adapter.
NOTE: The application user is not an actual user who logs into an application, but rather a special user to handle access to the directory.
If you do not implement an application user in a Siebel security adapter authentication environment, then:
- The anonymous user must have search and write privileges to the directory if you allow user self-registration.
- Each user who creates or modifies other users must have search and write privileges to the directory. Internal administrators and delegated administrators are included in this group.
It is strongly recommended that you implement an application user.
To implement an application user
1. In the directory, define a user that uses the same attributes as other users. Assign values in the appropriate attributes that contain the following information:
   - Username. Assign a name of your choice. If you implement an adapter-defined username, use that attribute. Otherwise, use the attribute in which you store the Siebel user ID, although the application user does not have a Siebel user ID.
   - Password. Assign a password of your choice. You can opt to enter an encrypted password if you implement application password encryption. If you implement an ADS directory, you specify the password using ADS user management tools, not as an attribute.
   NOTE: Make sure the application user has, at least, search privileges for all user records in the directory in a Web SSO implementation. Additionally, provide the application user with write privileges in a Siebel security adapter implementation.
2. For each Siebel application that implements an application user, set the following parameter values in the application's configuration file, both on the server and on each Siebel Dedicated Web Client. For example, edit the eservice.cfg file for Siebel eService.
   - In the [adapter_name] section, for example [LDAP], set:
     ApplicationUser = application user's full distinguished name (DN) in the directory
     ApplicationPassword = encrypted or unencrypted version of the password, depending on whether you implement application user password encryption
   - If you implement application user password encryption, also set:
     EncryptApplicationPassword = TRUE
For information about setting Siebel application configuration file parameters, see Siebel Application Configuration File Parameters.
For information about application user password encryption, see Application User Password Encryption that follows.
The application user is discussed in a usage context in Implementing LDAP and ADSI Security Adapter Authentication and in Implementing Web SSO Authentication.
Application User Password Encryption
You can maintain an unexposed, unencrypted password for the application user in the directory, while an encrypted version of the password is used in other phases of the authentication process.
You can implement application user password encryption with the Siebel mangle utility. The Siebel mangle utility is included when you install your Siebel applications.
For information about the application user, see Application User.
The following application user password encryption principles and procedures apply to users who access a Siebel application through the Web Client or through the Siebel Dedicated Web Client.
To implement application user password encryption
1. Create a password and enter it in the attribute in the directory in which the application user's password is stored. If you implement an ADS directory, you specify the password using ADS user management tools, not as an attribute.
2. From a command line, run mangle.exe, located in the SIEBSRVR_ROOT\bin subdirectory, on the password from Step 1. For example, enter:
     mangle password
   The command line returns the encrypted version of the password.
3. For each Siebel application that implements application user password encryption, set the following parameter values in the application's configuration file. For example, edit the eservice.cfg file for Siebel eService.
   - In the [adapter_name] section, for example [LDAP], set:
     ApplicationUser = application user's full distinguished name (DN) in the directory
     ApplicationPassword = encrypted version of the password
     EncryptApplicationPassword = TRUE
For information about setting Siebel application configuration file parameters, see Siebel Application Configuration File Parameters.
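The two configuration fragments above (the application user parameters, and the same parameters with password encryption turned on) are easy to get subtly wrong: a missing ApplicationUser silently falls back to the anonymous bind, and an ApplicationPassword without EncryptApplicationPassword = TRUE leaves the directory bind password in clear text in a file that is copied to every Dedicated Web Client. The following audit script is an added example and not part of the Siebel documentation or product; the .cfg fragments it checks are constructed samples, and the DN and password values in them are placeholders. It reads the [LDAP] section of a configuration file and reports the weak settings a reviewer would look for.

```python
"""Audit the application user settings in a Siebel-style .cfg file.

Added example; the sample configuration text below is constructed for
illustration and is not taken from any real deployment.
"""
import configparser
import re

# Constructed sample: application user set, but the password is stored in
# clear text because EncryptApplicationPassword is absent.
WEAK_CFG = """
[LDAP]
ApplicationUser = cn=siebel-app,ou=ServiceAccounts,dc=example,dc=com
ApplicationPassword = ClearTextSecret
"""

# Constructed sample of the hardened form described in the procedure; the
# ApplicationPassword value is a placeholder standing in for mangle output.
HARDENED_CFG = """
[LDAP]
ApplicationUser = cn=siebel-app,ou=ServiceAccounts,dc=example,dc=com
ApplicationPassword = PLACEHOLDER_MANGLED_PASSWORD
EncryptApplicationPassword = TRUE
"""

# A DN is one or more attr=value components separated by commas.
_DN_COMPONENT = r"[A-Za-z][\w.-]*=[^,]+"
_DN_RE = re.compile(rf"^\s*{_DN_COMPONENT}(\s*,\s*{_DN_COMPONENT})*\s*$")


def looks_like_dn(value: str) -> bool:
    """Return True if value has the shape of a full distinguished name."""
    return bool(_DN_RE.match(value))


def load_cfg(text: str) -> configparser.ConfigParser:
    """Parse .cfg text, keeping the CamelCase parameter names intact."""
    parser = configparser.ConfigParser(interpolation=None)
    parser.optionxform = str  # do not lower-case option names
    parser.read_string(text)
    return parser


def audit_application_user(cfg_text: str, section: str = "LDAP") -> list:
    """Return a list of findings for the adapter section; empty means clean."""
    cfg = load_cfg(cfg_text)
    if section not in cfg:
        return [f"missing [{section}] section"]
    sec = cfg[section]
    findings = []

    user = sec.get("ApplicationUser", "").strip()
    password = sec.get("ApplicationPassword", "").strip()
    encrypt = sec.get("EncryptApplicationPassword", "FALSE").strip().upper()

    if not user:
        findings.append(
            "ApplicationUser not set: directory bind falls back to the anonymous user")
    elif not looks_like_dn(user):
        findings.append("ApplicationUser is not a full distinguished name")

    if not password:
        findings.append("ApplicationPassword not set")
    if encrypt != "TRUE":
        findings.append(
            "EncryptApplicationPassword is not TRUE: "
            "ApplicationPassword is stored in clear text")
    return findings


if __name__ == "__main__":
    for label, text in (("weak", WEAK_CFG), ("hardened", HARDENED_CFG)):
        print(label, audit_application_user(text) or "OK")
```

Run it against a real eservice.cfg by reading the file into a string and passing it to audit_application_user; pass a different section name if your adapter section is not called [LDAP]. The DN check is deliberately loose (it accepts any attr=value chain) because the point is to catch a bare username being used where the full DN is required, not to validate the DN against the directory.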
Application user password encryption is discussed in a usage context in Deployment Options for Security Adapter Authentication.
Application User and Password Expiration Policies
Typically, user administration in an LDAP or ADS server is performed through the application user. In addition, user policies that are set for the entire directory apply to the application user as well as to all other users.
Typically, you do not want the application user's password to expire. If you implement a password expiration policy in the directory, then you must exempt the application user from the policy. To do so, after the password policy for the whole directory has been set (which is normally done through the application user itself), set an explicit password policy on the application user's own entry so that the directory-wide expiration policy does not apply to it.
Security Guide for Siebel eBusiness Applications. Published: 23 June 2003