Siebel Security Guide > Changing and Managing Passwords >

About Managing and Changing Passwords

It is recommended that a password management policy is implemented in all Siebel Business Applications implementations to ensure that only authorized users can access the applications. The password management policy that is most appropriate varies according to site-specific variables, such as the size of the implementation and users' business needs. However, all password management policies ought to provide guidelines relating to how frequently end users must change their passwords, whether or not password expiry periods are enforced, and the circumstances in which passwords must be changed.

Password management policies must also be applied to accounts that are used to manage and maintain the Siebel implementation, such as the Siebel administrator account. The topics in this chapter provide information on changing and managing the passwords for these accounts. For information on how end users can change their passwords, see Changing a Password. For information on implementing password management policies, see Siebel Security Hardening Guide.

NOTE:  It is recommended that you use the configuration wizards installed with Siebel Business Applications to perform the initial configuration of the Gateway Name Server, Siebel Server, and Web server. This initial configuration process includes specifying names and passwords for accounts described in this chapter, and choosing whether or not to encrypt passwords. Using the configuration wizards simplifies the task of setting password-related values for accounts and reduces configuration errors.

Guidelines for Changing Passwords

Before changing passwords in your environment, review the following general points:

• For end users, the availability of the Password and Verify Password fields in the Siebel application (User Preferences screen, User Profile view) depends on several factors:
  • For an environment using Lightweight Directory Access Protocol (LDAP) or Active Directory Service Interfaces (ADSI) authentication, the underlying security mechanism must allow this functionality. See also Requirements for the LDAP Directory or Active Directory.

    In addition, the Propagate Change parameter (alias PropagateChange) must be TRUE for the LDAP or ADSI security adapter (default is TRUE). For Siebel Developer Web Clients, the system preference, SecThickClientExtAuthent, must also be TRUE. For more information, see Security Adapter Authentication.

  • For an environment using database authentication, the Propagate Change parameter (alias DBSecAdpt_PropagateChange) must be TRUE for the database security adapter. The default is FALSE for the parameter defined in the Siebel Gateway Name Server, FALSE for the same parameter defined in application configuration files for the Developer Web Client. For more information, see Security Adapter Authentication.
• If you are using a third-party load balancer for Siebel Server load balancing, then make sure load-balancer administration passwords are set. Also make sure that the administrative user interfaces for your load-balancer products are securely protected.
• If you set and change passwords at the Siebel Enterprise level, then the changes are inherited at the component level. However, if you set a password parameter at the component level, then from that point forward, the password can be changed only at the component level. Changing it at the Enterprise level does not cause the new password to be inherited at the component level, unless the override is deleted at the component level. For more information, see Siebel System Administration Guide.

For information about changing the local DBA password on Mobile Web Clients, see Siebel Remote and Replication Manager Administration Guide. For information about configuring and using hashed user passwords and database credentials passwords through your security adapter, see About Password Hashing.