Siebel CRM Siebel Security Guide
Siebel Innovation Pack 2015
E24814-01

Configuring TLS Encryption for a Siebel Enterprise or Siebel Server

This topic describes how to configure a Siebel Enterprise or Siebel Server to use TLS encryption and authentication for SISNAPI communications between Siebel Servers and the Web server (SWSE), and between Siebel Servers. Configuring TLS for SISNAPI communications is optional.

This task is a step in "Process of Configuring Secure Communications".

Configuring TLS communications between Siebel Servers and the Web server also requires that you configure the SWSE to use TLS. When configuring TLS for Siebel Server and the SWSE, you can also configure connection authentication for the relevant modules. In other words, when one module connects to another, each module might be required to authenticate itself to the other using third-party certificates.

Connection authentication scenarios are:

If you select the peer authentication option, mutual authentication is performed.

Configuring a Siebel Enterprise or Siebel Server to use TLS encryption involves the following tasks:

  1. Run the Siebel Configuration Wizard for the Siebel Enterprise or Siebel Server and select the appropriate option to deploy TLS.

    This task is described in "Deploying TLS for a Siebel Enterprise or Siebel Server".

  2. For each Application Object Manager that is to use TLS, set the CommType parameter to TLS as appropriate.

    This task is described in "Setting Additional Parameters for Siebel Server TLS".

Deploying TLS for a Siebel Enterprise or Siebel Server

The following procedure describes running the Siebel Configuration Wizard to deploy TLS for a Siebel Server or a Siebel Enterprise. Performing this procedure adds parameters to the Siebel Gateway Name Server; these parameters can alternatively be set using Siebel Server Manager.


Note:

If you configure TLS for the Siebel Enterprise, then all Siebel Servers in the Enterprise inherit all settings. These settings include the key file name and password and certificate file names. You can run the Siebel Configuration Wizard again later to separately configure individual Siebel Servers, at which time you can specify unique key file names or passwords or unique certificate file names. In order to completely configure TLS for your Siebel Servers, you must run this utility.

To enable TLS encryption for the Siebel Server or Enterprise: 

  1. Before you begin, obtain and install the necessary certificate files that you need if you are configuring TLS authentication.

  2. If you are running the Siebel Configuration Wizard to configure the Siebel Enterprise, then do the following:

    1. Start the Siebel Configuration Wizard and configure values for the Enterprise.

      For information on this task, see Siebel Installation Guide for the operating system you are using.

    2. When the Additional Tasks for Configuring the Enterprise screen appears, select the Enterprise Network Security Encryption Type option.

    3. On the Security Encryption Level or Type screen, select the SISNAPI Using TLS 1.2 option.

    4. Proceed to Step 4.

  3. Alternatively, to run the Siebel Configuration Wizard directly on a Siebel Server computer, do the following:

    1. Start the Siebel Server Configuration Wizard directly and configure values for the Siebel Server.

      For information on this task, see Siebel Installation Guide for the operating system you are using.

    2. When the Additional Tasks for Configuring the Siebel Server screen is displayed, select the Server-Specific Security Encryption Settings option.

    3. On the Security Encryption Level or Type screen, select the SISNAPI Using TLS 1.2 option.

    4. Proceed to Step 4.

  4. Specify the name and location of the certificate file and of the certificate authority file.

    The equivalent parameters in the Siebel Gateway Name Server are CertFileName (display name Certificate file name) and CACertFileName (display name CA certificate file name).

  5. Specify the name of the private key file, and the password for the private key file, then confirm the password.

    The password you specify is stored in encrypted form.

    The equivalent parameters in the Siebel Gateway Name Server are KeyFileName (display name Private key file name) and KeyFilePassword (display name Private key file password).

  6. Specify whether or not you want to enable peer authentication.

    Peer authentication means that this Siebel Server authenticates the client (that is, SWSE or another Siebel Server) that initiates a connection. Peer authentication is false by default.

    The peer authentication parameter is ignored if TLS is not deployed between the Siebel Server and the client (either the SWSE or another Siebel Server). If peer authentication is set to TRUE on the Siebel Server, then a certificate from the client is authenticated provided that the Siebel Server has the certifying authority's certificate to authenticate the client's certificate. The client must also have a certificate. If TLS is deployed and the SWSE has a certificate, then it is recommended that you set PeerAuth to TRUE on both the Siebel Server and the SWSE to obtain maximum security.

    The equivalent parameter in the Siebel Gateway Name Server is PeerAuth (display name Peer Authentication).

  7. Specify whether or not you require peer certificate validation.

    Peer certificate validation performs reverse-DNS lookup to independently verify that the hostname of the Siebel Server computer matches the hostname presented in the certificate. Peer certificate validation is false by default.

    The equivalent parameter in the Siebel Gateway Name Server is PeerCertValidation (display name Validate peer certificate).

    Depending on the Siebel Configuration Wizard you are running, you return to either the Siebel Enterprise or the Siebel Server configuration process.

  8. Continue to configure values for the Siebel Enterprise or Siebel Server, then review the settings, finish configuration, and restart the server.

  9. Perform the tasks in "Setting Additional Parameters for Siebel Server TLS".

  10. Repeat this procedure for each Siebel Server in your environment, as necessary.

    Make sure you also configure each SWSE in your environment. For information, see "Configuring TLS Encryption for SWSE".

Setting Additional Parameters for Siebel Server TLS

After configuring TLS for a Siebel Server, you must set additional Gateway Name Server parameters to enable TLS for the Siebel Server as described in the following procedure.

To set additional parameters for Siebel Server TLS:

  1. Using Siebel Server Manager, set the Communication Transport parameter (alias CommType) to TLS as appropriate for each Application Object Manager that is to use TLS. (TCP/IP is used by default.)

    For information on using Siebel Server Manager, see Siebel System Administration Guide.

  2. If you previously used Microsoft Crypto or RSA encryption, then, using Siebel Server Manager, set the Encryption Type parameter (alias Crypt) to NONE for the Siebel Enterprise.
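
The parameter rules from the two procedures above, collected into a consistency check. This is an added example, not part of the Oracle guide: it takes a module's effective parameter values keyed by the aliases this page names and reports settings that contradict the procedures. The sample values, the `srv1` name, treating an unset Crypt as NONE, and recording SWSE settings under the same aliases are assumptions.

```python
# Added example (not Oracle code): lint SISNAPI TLS parameters by alias.
# Assumptions: an unset Crypt is not flagged, and the SWSE dict records its
# settings under the same aliases as the Siebel Server.
REQUIRED_FOR_TLS = ("CertFileName", "CACertFileName", "KeyFileName")

def is_true(params, alias):
    """PeerAuth and PeerCertValidation are both false by default."""
    return str(params.get(alias, "FALSE")).strip().upper() == "TRUE"

def uses_tls(params):
    """CommType defaults to TCP/IP, so only an explicit TLS value counts."""
    return str(params.get("CommType", "")).strip().upper() == "TLS"

def audit_server(name, params):
    """Return (severity, message) findings for one Siebel Server."""
    if not uses_tls(params):
        out = [("INFO", f"{name}: CommType is not TLS")]
        if is_true(params, "PeerAuth"):
            out.append(("WARN", f"{name}: PeerAuth is ignored without TLS"))
        return out
    out = [("ERROR", f"{name}: {alias} is not set")
           for alias in REQUIRED_FOR_TLS if not params.get(alias)]
    crypt = str(params.get("Crypt", "NONE")).strip().upper()
    if crypt != "NONE":
        out.append(("ERROR", f"{name}: Crypt is {crypt}, expected NONE"))
    if not is_true(params, "PeerAuth"):
        out.append(("WARN", f"{name}: PeerAuth is off, clients are not authenticated"))
    if not is_true(params, "PeerCertValidation"):
        out.append(("WARN", f"{name}: PeerCertValidation is off, "
                            "certificate hostname is not checked"))
    return out

def audit_pair(name, server, swse):
    """Audit a Siebel Server plus the PeerAuth recommendation for its SWSE."""
    out = audit_server(name, server)
    if uses_tls(server) and swse.get("CertFileName") and not (
            is_true(server, "PeerAuth") and is_true(swse, "PeerAuth")):
        out.append(("WARN", "PeerAuth should be TRUE on both Siebel Server and SWSE"))
    return out

# Constructed sample values; the file names are placeholders.
WEAK = {"CommType": "TLS", "Crypt": "RSA", "CertFileName": "server.pem",
        "KeyFileName": "server.key", "PeerAuth": "FALSE"}
HARDENED = {"CommType": "TLS", "Crypt": "NONE", "CertFileName": "server.pem",
            "CACertFileName": "ca.pem", "KeyFileName": "server.key",
            "PeerAuth": "TRUE", "PeerCertValidation": "TRUE"}
SWSE = {"CertFileName": "swse.pem", "PeerAuth": "TRUE"}
```

`audit_pair("srv1", WEAK, SWSE)` reports the missing CA certificate file, the leftover Crypt value and the disabled peer checks, while the same call with `HARDENED` returns no findings.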