Securing the Siebel Web Server

Because a Web server is one of the most exposed and intruder-targeted elements in a network, securing the Web server is a priority. Before using your Web server in a Siebel Business Applications deployment, secure your Web server by applying vendor-recommended security procedures and practices as described in your Web server documentation. Then consider implementing the recommendations outlined in this topic.

Implementing a Proxy Server

Deploy a reverse-proxy server in the demilitarized zone to protect the Web server from attacks relating to denial of service and directory traversal. For additional information, see Proxy Servers.

Monitoring Disk Space

Monitor the disk space available on your Siebel Web server. If the Web server is allowed to reach its disk space limit, then denial of service events can occur when the Siebel Server or Siebel Web clients connect to the Siebel Web server. For information on the tools that are available to monitor disk utilization for your Web server, see your Web server vendor documentation. For additional information on denial of service attacks, see Preventing Denial of Service Attacks.

Removing Unnecessary Subdirectories (Windows)

See the vendor-specific security documentation for information on removing unnecessary subdirectories in a Windows environment.

Assigning Web Server File Permissions (Windows)

Set Web server file and directory permissions appropriately to make sure that only authorized users can access and modify designated files. Siebel Web Server Extension (SWSE) directories contain executable files that must be protected, for example, JavaScript files (.js files), cascading style sheets (.css files), and ActiveX controls (.cab files). Use the following procedure to assign Web server file permissions in a Windows environment.

To assign Web server file permissions in a Windows environment

NOTE: Administrators must have full rights to the Web server files and directories in order to grant and revoke permissions and to perform backup or recovery tasks.

Encrypting Communications to the Web Server

It is recommended that you secure all communications between the Siebel Web Client, the Web server, and the Siebel Server using TLS, SSL, MSCRYPTO, or RSA. Consider implementing SSL mutual authentication if appropriate for your environment. For additional information on encrypting communications, see Enabling Encryption of Network Traffic.

Encrypting Passwords in the eapps.cfg File

The eapps.cfg file contains parameters that control interactions between the Siebel Web Engine and the Siebel Web Server Extension (SWSE) for all Siebel Business Applications. Passwords are written to the file in encrypted form when you initially configure the SWSE. Thereafter, encryption behavior is subject to the status of the EncryptedPassword parameter. The default value of the parameter is True. If the EncryptedPassword parameter does not exist in the eapps.cfg file, then the default behavior is the same as if EncryptedPassword were set to False. It is recommended that you verify that the EncryptedPassword parameter exists and that it is set to True.

NOTE: If the EncryptedPassword parameter is set to True, then make sure that all passwords stored in the eapps.cfg file are encrypted. If you manually edit the eapps.cfg file to set the EncryptedPassword parameter to True, then use the encryptstring utility to generate an encrypted version of the password to store in the file. For information on editing the eapps.cfg file and using the encryptstring utility, see Siebel Security Guide.

Securing User Session IDs

Session ID spoofing is a form of computer network attack in which a user's session ID is intercepted during communications between a valid user's browser and the Web server. The attacker can then hijack that user's session by sending the still-active session ID in the URL with a SWE message back to the Web server. Implementing SSL or TLS for communications between the client browser and the Web server helps reduce the risk of session ID spoofing. In addition, it is recommended that you perform the following steps:

To secure session IDs by enabling the use of session cookies, perform the following procedure.

Setting Security Features of the Siebel Web Server Extension

The SWSE can be configured to allow only URLs that use SSL or TLS over HTTP (the HTTPS protocol) to access views in a Siebel application or to transmit user credentials entered in a login form from the browser. It is recommended that you implement both of these features. You can choose to:

Securing Access to Views

You can indicate whether or not the HTTPS protocol must be used to access a view by doing either or both of the following:

Securing Login Information

To secure login information, it is recommended that you configure the Siebel Web Engine to use HTTPS when transmitting user credentials entered in a login form from the browser to the Web server. Securing login information prevents sniffing of user credentials. To implement secure login, set the value of the SecureLogin component parameter to True on each Siebel application where you want to implement secure login. For information on this task, see Siebel Security Guide.
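The EncryptedPassword verification described under "Encrypting Passwords in the eapps.cfg File" above, as an added audit script that is not part of the guide or of Siebel: it treats an absent parameter as False, as the guide states, and assumes that eapps.cfg is INI-style with a [defaults] section whose values per-application sections fall back to; the sample file and its placeholder password values are constructed.

```python
import configparser

# Constructed sample in the INI layout eapps.cfg uses (not a real deployment file).
# Section names and the fallback from [defaults] to the per-application sections
# are assumptions for this example; the password values are placeholders.
SAMPLE_EAPPS_CFG = """
[defaults]
AnonUserName = GUESTCST
AnonPassword = PLACEHOLDER_ENCRYPTED_VALUE
EncryptedPassword = True

[/sales_enu]
ConnectString = siebel.TCPIP.None.None://siebelserver:2321/SBA/SCCObjMgr_enu

[/eai_enu]
ConnectString = siebel.TCPIP.None.None://siebelserver:2321/SBA/EAIObjMgr_enu
EncryptedPassword = False
"""


def load_eapps_cfg(text):
    """Parse eapps.cfg-style text; configparser lower-cases option names."""
    parser = configparser.ConfigParser(interpolation=None, delimiters=("=",))
    parser.read_string(text)
    return parser


def audit_encrypted_password(parser):
    """Map each section to 'True', 'False' or 'missing'.

    Per the guide, an absent EncryptedPassword behaves as if set to False, so
    'missing' is reported as a finding. A per-application section without its
    own value is assumed to fall back to [defaults]."""
    default_value = parser.get("defaults", "encryptedpassword", fallback=None)
    findings = {}
    for section in parser.sections():
        value = parser.get(section, "encryptedpassword", fallback=default_value)
        if value is None:
            findings[section] = "missing"
        elif value.strip().lower() == "true":
            findings[section] = "True"
        else:
            findings[section] = "False"
    return findings


def sections_needing_fix(parser):
    """Sections whose effective EncryptedPassword is not True."""
    audit = audit_encrypted_password(parser)
    return sorted(section for section, value in audit.items() if value != "True")
```

Run it against a copy of the real file with `load_eapps_cfg(open(path).read())`; any section it lists still needs the parameter set to True and its passwords regenerated with encryptstring.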
Siebel Security Hardening Guide. Copyright © 2013, Oracle and/or its affiliates. All rights reserved.