Siebel CRM Siebel Security Guide
Siebel Innovation Pack 2015
E24814-01

Siebel Gateway Name Server Parameters

Parameters for the Siebel Gateway Name Server can be set at one or more of the Enterprise, Siebel Server, or component levels. They are set in the Administration - Server Configuration screen of a Siebel employee application, such as Siebel Call Center. The following rules apply:

  • For purposes of authentication, most of the components of interest are Application Object Managers, such as the Call Center Object Manager or the eService Object Manager. The Synchronization Manager component also supports authentication.

  • A particular parameter set at a lower level overrides the same parameter set at a higher level. For example, if Security Adapter Mode is set to LDAP at the Enterprise level, and Security Adapter Mode is set to ADSI at the component level for the eService Object Manager component, then the ADSI security adapter is used for Siebel eService.

  • Parameters configured for Siebel security adapters are configured for the enterprise profile (for GUI Server Manager) or named subsystem (for command-line Server Manager). For more information about configuring security adapters, see Chapter 5, "Security Adapter Authentication."


Note:

You can set parameters on the Siebel Gateway Name Server using Siebel Server Manager or you can do so using the Siebel Configuration Wizard. For information on editing Gateway Name Server parameters using the Siebel Configuration Wizard, see "Configuring LDAP or ADSI Security Adapters Using the Siebel Configuration Wizard". For information on using Siebel Server Manager to edit Gateway Name Server parameters, see Siebel System Administration Guide.

The following topics provide detailed information on the Gateway Name Server parameters:

Parameters for Database Authentication

This topic outlines the Gateway Name Server parameters related to database authentication. The database authentication parameters can be defined for the InfraSecAdpt_DB named subsystem or the InfraDataSource named subsystem.

The parameters in Table A-4 are defined for named subsystems of type InfraSecAdpt_DB, that is, they can be set for the DBSecAdpt named subsystem, or a similar security adapter with a nondefault name.

Table A-4 Database Authentication Parameters for InfraSecAdpt_DB Named Subsystems

Parameter Description

CRC (alias DBSecAdpt_CRC)

This parameter is used to implement checksum validation to verify that each user gains access to the database through the correct security adapter. This parameter contains the value calculated by the checksum utility for the applicable security adapter DLL. For more information, see "Configuring Checksum Validation".

Caution: Do not reset or change the value of the DBSecAdpt_CRC parameter. Changing the value of this parameter can disrupt the correct functioning of your Siebel application.

DataSource Name (alias DataSourceName)

Specifies the data source for which you are specifying password hashing parameters.

Propagate Change (alias DBSecAdpt_PropagateChange)

Set this parameter to TRUE to allow administration of the current user's password in the database through Siebel Business Applications.

If this parameter is set to TRUE (the default setting):

  • Users can change their passwords from within a Siebel application on the User Profile screen (navigate to Tools, User Preferences, and then User Profile) and the change is propagated to the database.

  • An administrator can change the password associated with his or her own login ID using the Administration - User screen in the Siebel Web Client, and the change is propagated to the database. The administrator cannot change other users' passwords from the Administration - User screen.

Security Adapter Dll Name (alias DBSecAdpt_SecAdptDllName)

Specifies the DLL that implements the security adapter API required for integration with Siebel Business Applications. The file extension need not be explicitly specified. For example, sscfsadb.dll implements the Siebel database security adapter in a Windows implementation, and libsscfsadb.so does so in a UNIX implementation. If the DLL name for the adapter is used in a UNIX implementation, then it is converted internally to the actual filename DLL.


The parameters in Table A-5 are also for database authentication environments, and are defined for named subsystems of type InfraDataSource, that is, they may be set for the ServerDataSrc named subsystem, or another data source. The named subsystem is specified as the value for the DataSourceName parameter for the database security adapter.

Table A-5 Database Authentication Parameters for InfraDataSource Named Subsystems

Parameter Description

Hash User Password (alias DSHashUserPwd)

Specifies password hashing for user passwords. Uses the hashing algorithm specified using the DSHashAlgorithm parameter. For details, see "About Password Hashing".

User Password Hash Algorithm (alias DSHashAlgorithm)

Specifies the password hashing algorithm to use, if DSHashUserPwd is TRUE. The default value, RSASHA1, provides hashing using the RSA SHA-1 algorithm. The value SIEBELHASH specifies the password hashing mechanism provided by the mangle algorithm from Siebel Business Applications (supported for existing customers only). For details, see "About Password Hashing".


Parameters for LDAP or ADSI Authentication

This topic outlines the Gateway Name Server parameters related to LDAP or ADSI authentication. The LDAP or ADSI authentication parameters, described in Table A-6, are defined for named subsystems of type InfraSecAdpt_LDAP; they can be set for the named subsystems LDAPSecAdpt or ADSISecAdpt, or a similar security adapter with a nondefault name.

Table A-6 LDAP and ADSI Authentication Parameters

Parameter Description

Application Password (alias ApplicationPassword)

Specifies the password in the directory for the user defined by the ApplicationUser parameter.

  • In an LDAP directory, the password is stored in an attribute.

  • In ADSI, the password is stored using ADSI user management tools; it is not stored in an attribute.

Application User (alias ApplicationUser)

Specifies the user name of a record in the directory with sufficient permissions to read any user's information and do any necessary administration.

This user provides the initial binding of the LDAP directory or Active Directory with the Application Object Manager when a user requests the login page, or else anonymous browsing of the directory is required.

You enter this parameter as a full distinguished name (DN), for example "uid=APPUSER, ou=people, o=example.com" (including quotes) for LDAP. The security adapter uses this name to bind.

Note: You must implement an application user.

Base DN (alias BaseDN)

Specifies the Base Distinguished Name, which is the root of the tree under which users of this Siebel application are stored in the directory. Users can be added directly or indirectly below this directory.

A typical entry for an LDAP server might be:

BaseDN = "ou=people, o=domain_name"

where:

  • o denotes organization and is typically your Web site's domain name

  • ou denotes organization unit and is the subdirectory in which users are stored

A typical entry for an ADSI server might be:

BaseDN = "ou=people, DC=qatest, DC=siebel, DC=com"

Domain Component (DC) entries are the nested domains that locate this server. Therefore, adjust the number of DC entries to represent your architecture.

CRC (alias CRC)

Use this parameter to implement checksum validation in order to verify that each user gains access to the database through the correct security adapter.

This parameter contains the value calculated by the checksum utility for the applicable security adapter DLL. If you leave this value empty, then the system does not perform the check. If you upgrade your version of Siebel Business Applications, then you must recalculate and replace the value in this parameter. For more information, see "Configuring Checksum Validation".

Credentials Attribute Type (alias CredentialsAttributeType)

Specifies the attribute type that stores a database account. For example, if CredentialsAttributeType is set to dbaccount, then when a user with user name HKIM is authenticated, the security adapter retrieves the database account from the dbaccount attribute for HKIM.

This attribute value must be of the form username=U password=P, where U and P are credentials for a database account. There can be any amount of white space between the two key-value pairs and no space within each pair. The keywords username and password must be lowercase.

If you implement LDAP or ADSI security adapter authentication to manage the users in the directory through the Siebel client, then the value of the database account attribute for a new user is inherited from the user who creates the new user. The inheritance is independent of whether you implement a shared database account, but does not override the use of the shared database account.

Hash DB Cred (alias HashDBPwd)

Specifies password hashing for database credentials passwords. For details, see "About Password Hashing".

Hash User Password (alias HashUserPwd)

Specifies password hashing for user passwords. Uses the hashing algorithm specified using the HashAlgorithm parameter. For details, see "About Password Hashing".

Password Attribute Type (alias PasswordAttributeType)

Specifies the attribute type under which the user's login password is stored in the directory.

The LDAP entry must be userPassword. However, if you use the LDAP security adapter to authenticate against Microsoft Active Directory, then set the value of this parameter to unicodePWD.

Active Directory does not store the password in an attribute so this parameter is not used by the ADSI security adapter. You must, however, specify a value for the Password Attribute Type parameter even if you are using the ADSI adapter. Specify a value of unicodePWD.

Password Expire Warn Days (alias PasswordExpireWarnDays)

(ADSI only)

Specifies the number of days to display a warning message before a password expires.

You can only specify a value for this parameter when the directory server in use is Active Directory. You can specify a value when the security adapter in use is an ADSI or LDAP security adapter.

Port (alias Port)

Specifies the port on the server computer that is used to access the LDAP server. Typically, use 389, the default value, for standard transmission or use 636 for secure transmission.

This parameter is used by the LDAP security adapter only. For ADSI, you set the port at the directory level, so this parameter is not used. You must, however, specify a value for the Port parameter even if you are using the ADSI adapter; specify either port 389 or 636.

Propagate Change (alias PropagateChange)

Set this parameter to TRUE to allow administration of the directory through Siebel Business Applications. When an administrator then adds a user or changes a password from within a Siebel application, or a user changes a password or self-registers, the change is propagated to the directory.

A non-Siebel security adapter must support the SetUserInfo and ChangePassword methods to allow dynamic directory administration.

Roles Attribute Type (alias RolesAttributeType)

Specifies the attribute type for roles stored in the directory. For example, if RolesAttributeType is set to roles, then when a user with user name HKIM is authenticated, the security adapter retrieves the user's Siebel responsibilities from the roles attribute for HKIM.

Responsibilities are typically associated with users in the Siebel database, but they can be stored in the database, in the directory, or in both. The user gets access to all of the views in all of the responsibilities specified in both sources. However, it is recommended that you define responsibilities in the database or in the directory, but not in both places. For details, see "Configuring Roles Defined in the Directory".

Salt User Passwords (alias SaltUserPwd)

Set this parameter to TRUE to specify that salt values are to be added to user passwords before they are hashed. This parameter is ignored if the HashUserPwd parameter is set to FALSE.

Adding salt values to user passwords is not supported if you are using Web Single Sign-On. For further information on salt values, see "About Password Hashing".

Salt Attribute (alias SaltAttributeType)

Specifies the attribute that stores the salt value if you have chosen to add salt values to user passwords. The default attribute is title.

Security Adapter Dll Name (alias SecAdptDllName)

Specifies the DLL that implements the security adapter API required for integration with Siebel Business Applications. The file extension need not be explicitly specified.

For example, enter sscforacleldap to implement the LDAP security adapter in a Windows implementation. For the ADSI security adapter, enter sscfadsi.

On supported UNIX operating systems, the file name can be libsscforacleldap.so or libsscforacleldap.sl. If the DLL name for the LDAP security adapter is used in a UNIX implementation, then it is converted internally to the actual filename.

Server Name (alias ServerName)

Specifies the name of the computer on which the LDAP or Active Directory server runs.

  • You must specify the fully qualified domain name of the LDAP server, not just the domain name. For example, specify ldapserver.example.com, not example.com.

  • If TLS is configured between the Siebel Server computer and the Active Directory server computer, you must specify the fully qualified domain name of the Active Directory server. If the Siebel Server and Active Directory server are in the same domain, then specify the complete computer name of the Active Directory server.

Do not specify the IP address of the Active Directory server for the ServerName parameter.

Shared Credentials DN (alias SharedCredentialsDN)

Specifies the absolute path (not relative to the BaseDN) of an object in the directory that has the shared database account for the application. If it is empty, then the database account is looked up in the user's DN as usual. If it is not empty, then the database account for all users is looked up in the shared credentials DN instead. The attribute type is still determined by the value of CredentialsAttributeType.

For example, if SharedCredentialsDN is set to:

"uid=HKIM, ou=people, o=example.com"

when a user is authenticated, the security adapter retrieves the database account from the appropriate attribute in the HKIM record. This parameter's default value is an empty string.

Shared DB Password (alias SharedDBPassword)

Specify the password associated with the Shared DB Username parameter.

Shared DB Username (alias SharedDBUsername)

Specify the user name to connect to the Siebel database. You must specify a valid Siebel user name and password for the SharedDBUsername and SharedDBPassword parameters.

Specify a value for this parameter if you store the shared database account user name as a parameter rather than as an attribute of the directory entry for the shared database account. To use this parameter, you can use either an LDAP directory or Active Directory. For more information, see "Storing Shared Database Account Credentials as Profile Parameters".

Siebel Username Attribute Type (alias SiebelUsernameAttributeType)

If UseAdapterUsername is set to TRUE, then this parameter is the attribute from which the security adapter retrieves an authenticated user's Siebel user ID. If this parameter is left empty, then the user name passed in is assumed to be the Siebel user ID.

Single Sign On (alias SingleSignOn)

(TRUE or FALSE) If TRUE, then the security adapter is used in Web SSO mode, instead of using security adapter authentication.

SSL Database (alias SslDatabase)

Specifies whether SSL is used for communication between the LDAP security adapter and the directory.

If this parameter is empty, then SSL is not used. To use SSL, the value of this parameter must be the absolute path of the wallet, generated by Oracle Wallet Manager, that contains a certificate for the certificate authority that is used by the LDAP server.

Trust Token (alias TrustToken)

Applies only in a Web SSO environment.

The adapter compares the TrustToken value provided in the request with the value stored in the application configuration file. If they match, then the Application Object Manager accepts that the request has come from the SWSE, that is, from a trusted Web server. This parameter's default value is an empty string.

Use Adapter Defined Username (alias UseAdapterUsername)

(TRUE or FALSE) If TRUE, then this parameter indicates that when the user key passed to the security adapter is not the Siebel user ID, the security adapter retrieves the Siebel user ID for authenticated users from an attribute defined by the SiebelUsernameAttributeType parameter. The default value for UseAdapterUsername is FALSE.

User Password Hash Algorithm (alias HashAlgorithm)

Specifies the password hashing algorithm to use if HashUserPwd or HashDBPwd is TRUE. The default value, RSASHA1, provides hashing using the RSA SHA-1 algorithm. The value SIEBELHASH specifies the password hashing mechanism provided by the mangle algorithm from Siebel Business Applications (supported for existing customers only). For details, see "About Password Hashing".

Username Attribute Type (alias UsernameAttributeType)

Specifies the attribute type under which the user's login name is stored in the directory. For example, if UsernameAttributeType is set to uid, then when a user attempts to log in with user name HKIM, the security adapter searches for a record in which the uid attribute has the value HKIM. This attribute is the Siebel user ID, unless the UseAdapterUsername parameter is TRUE.

If you implement an adapter-defined user name (UseAdapterUsername is set to TRUE), then you must set the OM - Username BC Field parameter appropriately to allow the directory attribute defined by UsernameAttributeType to be updated from the Siebel client. For more information about implementing an adapter-defined user name, see "Configuring Adapter-Defined User Name".

WalletPassword

Specifies the password assigned to the Oracle wallet that contains the certificate for the certificate authority that is used by the LDAP server.
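
The Credentials Attribute Type row above fixes a strict format for the database account value (username=U password=P). The following check for that format is an added example, not Oracle code; the directory entries, the LDAPUSER account and the password are constructed, and it assumes that username comes first, that U and P are runs of non-whitespace characters, and that leading or trailing white space is tolerated.

```python
import re

# Documented form of the attribute value: username=U password=P
#  - the keywords are lowercase
#  - any amount of white space separates the two pairs
#  - no white space inside a pair
# Assumptions (not stated on the page): username comes first, and U and P
# are any run of non-whitespace characters.
STRICT = re.compile(r"username=(\S+)\s+password=(\S+)")
LOOSE = re.compile(r"username=(\S+)\s+password=(\S+)", re.IGNORECASE)


def check_dbaccount(value):
    """Return (ok, reason). The credentials themselves are never returned."""
    text = value.strip()
    if STRICT.fullmatch(text):
        return True, "ok"
    if re.search(r"\s=|=\s", text):
        return False, "white space inside a key-value pair"
    if LOOSE.fullmatch(text):
        return False, "keywords username and password must be lowercase"
    return False, "expected: username=U password=P"


def audit_entries(entries):
    """Map each DN with a malformed database account value to the reason."""
    bad = {}
    for dn, value in entries.items():
        ok, reason = check_dbaccount(value)
        if not ok:
            bad[dn] = reason
    return bad


# Constructed directory entries (DN -> value of the attribute named by
# CredentialsAttributeType, for example dbaccount).
SAMPLE = {
    "uid=HKIM, ou=people, o=example.com": "username=LDAPUSER   password=Example-Pw1",
    "uid=USER2, ou=people, o=example.com": "Username=LDAPUSER password=Example-Pw1",
    "uid=USER3, ou=people, o=example.com": "username = LDAPUSER password=Example-Pw1",
    "uid=USER4, ou=people, o=example.com": "password=Example-Pw1 username=LDAPUSER",
}

if __name__ == "__main__":
    for dn, reason in audit_entries(SAMPLE).items():
        print(dn, "->", reason)
```

The reasons deliberately omit the attribute value, so the output can be logged without exposing database credentials.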


Parameters for Custom Security Adapter Authentication

This topic outlines the Gateway Name Server parameters related to custom security adapter authentication. The Gateway Name Server parameters in Table A-7 are for custom security adapter authentication only, and are defined for the named subsystem InfraSecAdpt_Custom.

Table A-7 Custom Security Adapter Authentication Parameters

Parameter Description

Config File Name (alias ConfigFileName)

Specifies the file name that contains custom security adapter configuration parameters. These settings would be other than those defined in this section.

Config Section Name (alias ConfigSectionName)

Specifies the name of the section, in the file specified using the ConfigFileName parameter, that contains custom security adapter configuration settings.


The following parameters are for custom security adapter authentication, and are defined for the named subsystem InfraSecAdpt_Custom. For more information about these parameters, see the descriptions for similar parameters applicable to LDAP or ADSI security adapters, in "Parameters for LDAP or ADSI Authentication".

  • CRC (alias CustomSecAdpt_CRC)

  • Hash DB Cred (alias CustomSecAdpt_HashDBPwd)

  • Hash User Password (alias CustomSecAdpt_HashUserPwd)

  • Propagate Change (alias CustomSecAdpt_PropagateChange)

  • Salt User Passwords (alias CustomSecAdpt_SaltUserPwd)

  • Security Adapter Dll Name (alias CustomSecAdpt_SecAdptDllName)

  • Single Sign On (alias CustomSecAdpt_SingleSignOn)

  • Trust Token (alias CustomSecAdpt_TrustToken)

  • Use Adapter Defined Username (alias CustomSecAdpt_UseAdapterUsername)

  • User Password Hash Algorithm (alias CustomSecAdpt_HashAlgorithm)

Parameters for Application Object Manager

The Gateway Name Server parameters in Table A-8 are defined for the Enterprise, Siebel Server, or Application Object Manager component.

Table A-8 Enterprise, Siebel Server, or Application Object Manager Component Parameters

Parameter Description

AllowAnonUsers

(TRUE or FALSE) Unregistered users are not allowed access to the Siebel application if this parameter value is FALSE.

If your Siebel application does not use functionality that requires anonymous browsing, then set the AllowAnonUsers parameter to FALSE.

DisableReverseProxy

If you deploy IBM Tivoli Access Manager WebSEAL to authenticate users of Siebel Business Applications with high interactivity in a Web Single Sign-On deployment, then set DisableReverseProxy to TRUE to disable reverse proxy support. You must disable implicit reverse proxy support as IBM Tivoli Access Manager WebSEAL acts as a reverse proxy server. The default value for DisableReverseProxy is FALSE.

SecureLogin

(TRUE or FALSE) If TRUE, the login form completed by the user is transmitted over TLS. This requires that you have a certificate from a certificate authority on the Web server on which the Siebel Web Engine is installed.

SecureBrowse

When SecureBrowse is set to TRUE, all views in the application are navigated over TLS. When SecureBrowse is set to FALSE, views in the application whose Secure attribute is set to TRUE are navigated over TLS.

Note: Siebel customer applications support switching between secure and nonsecure views, but employee applications (such as Siebel Call Center) do not. For more information, see "Configuring a Siebel Web Client to Use HTTPS".

OM - Proxy Employee (alias ProxyEmployee)

User ID of the proxy employee. For information about the proxy employee, see Appendix B, "Seed Data."

OM - Username BC Field (alias UsernameBCField)

This parameter is used only if you implement an adapter-defined user name as described in "Configuring Adapter-Defined User Name".

This parameter specifies the field of the User business component that populates the attribute in the directory defined by the UsernameAttributeType parameter in the application's configuration file. That is, when the user ID (LoginName field in the User business component) is not the identity key, this field is. If this parameter is not present in the parameters list, you must add it.

The OM - Username BC Field parameter is case sensitive. The value you specify for this parameter must match the value specified for the parameter in Siebel Tools.
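
A configuration review built from the rules in this appendix is sketched below: it resolves the effective value when a parameter is set at several levels, then flags combinations the parameter descriptions call out. This is an added example, not Oracle code; the sample values are constructed, the dictionary layout is hypothetical, and it assumes that an unset parameter counts as FALSE or empty.

```python
import ipaddress

LEVELS = ("enterprise", "server", "component")  # highest level first


def effective(levels):
    """Resolve parameters: a lower level overrides the same one set higher up."""
    merged = {}
    for name in LEVELS:
        merged.update(levels.get(name, {}))
    return merged


def is_true(params, alias):
    # Assumption: an unset parameter is treated as FALSE (the page does not
    # give defaults for most of these).
    return str(params.get(alias, "FALSE")).strip().upper() == "TRUE"


def is_ip(host):
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        return False


def audit(component, adapter):
    """Return findings for one component and its LDAP/ADSI adapter subsystem."""
    findings = []
    if is_true(component, "AllowAnonUsers"):
        findings.append("AllowAnonUsers=TRUE: set FALSE unless anonymous browsing is needed")
    if not (is_true(component, "SecureLogin") or is_true(component, "SecureBrowse")):
        findings.append("SecureLogin and SecureBrowse not TRUE: login form not forced over TLS")
    if not adapter.get("SslDatabase"):
        findings.append("SslDatabase empty: SSL is not used to the directory")
    if not adapter.get("CRC"):
        findings.append("CRC empty: checksum validation is not performed")
    if not adapter.get("ApplicationUser"):
        findings.append("ApplicationUser empty: an application user is required")
    server = adapter.get("ServerName", "")
    if is_ip(server) or "." not in server:
        findings.append("ServerName must be a fully qualified domain name")
    if is_true(adapter, "SaltUserPwd") and not is_true(adapter, "HashUserPwd"):
        findings.append("SaltUserPwd ignored: HashUserPwd is FALSE")
    if is_true(adapter, "SaltUserPwd") and is_true(adapter, "SingleSignOn"):
        findings.append("SaltUserPwd not supported with Web Single Sign-On")
    return findings


# Constructed sample values, not taken from a real deployment.
SAMPLE_LEVELS = {
    "enterprise": {"Security Adapter Mode": "LDAP", "AllowAnonUsers": "TRUE",
                   "SecureLogin": "TRUE"},
    "component": {"Security Adapter Mode": "ADSI"},  # eService Object Manager
}
SAMPLE_ADAPTER = {
    "ServerName": "192.0.2.10",
    "Port": "389",
    "ApplicationUser": '"uid=APPUSER, ou=people, o=example.com"',
    "SslDatabase": "",
    "CRC": "",
    "HashUserPwd": "FALSE",
    "SaltUserPwd": "TRUE",
}

if __name__ == "__main__":
    eff = effective(SAMPLE_LEVELS)
    print("Security Adapter Mode:", eff["Security Adapter Mode"])
    for finding in audit(eff, SAMPLE_ADAPTER):
        print("-", finding)
```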