Bookshelf Home | Contents | Index | Search | PDF

Security Guide for Siebel eBusiness Applications > Communications and Data Encryption > Configuring for Encryption >

Configuring Siebel Enterprise or Siebel Server for SSL Encryption

---

This section describes how to configure your Siebel Enterprise or Siebel Server to use Secure Sockets Layer (SSL) encryption or authentication for SISNAPI (Siebel Internet Session API) communications between Siebel Servers and the Web server, and between Siebel Servers.

Configuring at the Siebel Enterprise level applies to all Siebel Servers in the Enterprise. In general, some of the settings should be configured differently at the Siebel Server level.

Configuring SSL communications between Siebel Servers and the Web server also requires that you configure Siebel Web Server Extension to use SSL, as described in Configuring Siebel Web Server Extension for SSL Encryption.

Configuring SSL for Siebel Server and the Siebel Web Server Extension also configures connection authentication for the relevant modules. In other words, when a module connects to another module, modules may be required to authenticate themselves against the other using third-party certificates issued by certificate authorities. Connection authentication scenarios are:

Siebel Server authenticates against the Web server.
Web server authenticates against the Siebel Server.
Siebel Server authenticates against another Siebel Server.

A peer authentication option requires that mutual authentication be done.

Performing the procedure below adds parameters to the Name Server. If you also configure the Siebel Web Server Extension for SSL, Name Server parameters mentioned in this procedure (short names) correspond to parameters added to the [ConnMgmt] section of the eapps.cfg file. Name Server parameters mentioned in this procedure can alternatively be set using Siebel Server Manager.

Running the SSL Configuration Utility for Siebel Server

This section describes running the Siebel Software Configuration Utility (Siebel Server SSL).

NOTE:  The prompts for the SSL configuration utility are the same whether you run it in GUI mode (Windows) or console mode (UNIX). However, many of the specific user interface elements are different in these two modes.

CAUTION:  The following procedure must be performed after installing all applicable maintenance releases. For more information, refer to the Maintenance Release Guide for your Siebel products.

To enable SSL encryption for the Siebel Server

On a Siebel Server machine, start the Siebel Software Configuration Utility (Siebel Server SSL version).
For Microsoft Windows platforms, open an MS-DOS window and enter the following command to run this utility in a graphical mode:

SIEBSRVR_ROOT\bin\ssincfgw.exe -l language -f SIEBSRVR_ROOT\admin\sslsiebsrvr.scm -logevents all

where:

SIEBSRVR_ROOT is the Siebel Server installation directory
language is the language in which you want to run the configuration utility (for example, ENU for U.S. English)
For UNIX platforms, enter the following commands to run this utility in console mode:

cd SIEBSRVR_ROOT

For Bourne shell or Korn shell: . ./siebenv.sh

(Make sure there is a space between the initial period (.) and ./siebenv.sh.)

For C shell: source siebenv.csh

cd SIEBSRVR_ROOT/bin

./icfg - l language -f SIEBSRVR_ROOT/admin/sslsiebsrvr.scm
-logevents all

where:

SIEBSRVR_ROOT is the Siebel Server installation directory
language is the language in which you want to run the configuration utility (for example, ENU for U.S. English)
Enter the hostname of the Siebel Gateway machine and the name of the Siebel Enterprise applicable to the component you want to configure.
Specify the configuration type: whether to configure SSL for the Siebel Enterprise or for a Siebel Server.

NOTE:  If you specify Siebel Enterprise SSL, all settings, including the key filename and password and certificate filenames, will be inherited by all Siebel Servers in the Enterprise. You can run the utility again later to separately configure individual Siebel Servers, at which time you can specify unique key filenames or passwords or unique certificate filenames.

If you are configuring a Siebel Server, specify the name of the Siebel Server.

NOTE:  If you specify Siebel Server SSL, the settings apply to all components on the Siebel Server. You cannot specify settings at the component level.

Specify the names of the certificate file and of the certificate authority file.

The certificate file must use either ASN or PEM format. The certificate authority file identifies the trusted authority who issued the certificate.

These files are typically located on each Siebel Server machine for which you configure Siebel Server SSL. (You need not authenticate or encrypt communications between components on the same machine.)

The equivalent parameters in the Name Server are CertFileName (Certificate file name) and CACertFileName (CA certificate file name).

Specify the name of the private key file, and the password for the private key file, then confirm the password.

The private key file must use PEM format. This file is typically located on each Siebel Server machine for which you configure Siebel Server SSL.

The password you specify will be stored in encrypted form.

The equivalent parameters in the Name Server are KeyFileName (Private key file name) and KeyFilePassword (Private key file password).

Specify whether you require peer authentication.

Peer authentication means that this Siebel Server must authenticate itself with a certificate against the client (that is, SWSE or another Siebel Server that connects to this one), whenever a connection is established. Peer authentication is false by default.

NOTE:  You must set peer authentication for a Siebel Server if you also set peer authentication for the connecting client (that is, SWSE or another Siebel Server that connects to this one).

The equivalent parameter in the Name Server is PeerAuth (Peer Authentication).

Specify whether you require peer certificate validation.

Peer certificate validation performs reverse-DNS lookup to independently verify that the hostname of the Siebel Server machine matches the hostname presented in the certificate. Peer certificate validation is false by default.

The equivalent parameter in the Name Server is PeerCertValidation (Validate peer certificate).

Review the settings, specify to finish configuration, and then restart the server.

Repeat this procedure for each Siebel Server in your application environment, as necessary. Make sure you configure all applicable Siebel Servers and also configure the Siebel Web Server Extension. Set the same encryption type for all components.

Setting Additional Name Server Parameters for Siebel Server SSL

After configuring SSL for Siebel Servers as described earlier in this section, make the following configuration changes:

Run the Siebel Server Manager and set the CommType parameter (Communication Transport) to SSL for each Application Object Manager that is to use SSL. (TCP/IP is used by default.)
If you previously used Microsoft Crypto or RSA encryption, run the Siebel Software Configuration Wizard, as described in Configuring Siebel Enterprise for Microsoft Crypto or RSA Encryption. Specify NONE as the encryption type, instead of MSCRYPTO or RSA.

Or, use Siebel Server Manager to change the value of the Crypt parameter (Encryption Type) to NONE. Specify this setting at the Enterprise level.

Bookshelf Home | Contents | Index | Search | PDF