Siebel CRM Siebel Security Guide
Siebel Innovation Pack 2015
E24814-01

Configuring TLS Encryption for SWSE

This topic describes how to configure the SWSE to use TLS encryption and, optionally, authentication for SISNAPI communications with Siebel Servers using the Siebel Configuration Wizard. Configuring TLS communications between Siebel Servers and the Web server also requires that you configure a Siebel Enterprise or Siebel Server to use TLS. For information on this task, see "Configuring TLS Encryption for a Siebel Enterprise or Siebel Server".

This task is a step in "Process of Configuring Secure Communications".


Note:

The information in this topic describes how to implement TLS for communications between the SWSE and the Siebel Servers. For information on implementing TLS for communications between a Siebel Web Client and the SWSE, see "Configuring a Siebel Web Client to Use HTTPS".

Configuring the SWSE to use TLS encryption involves the following tasks:

  1. Run the Siebel Enterprise Configuration Wizard to configure a new Siebel Web Server Extension Logical Profile and select the appropriate option to deploy TLS.

    This task is described in "Deploying TLS for Siebel Web Server Extension".

  2. Modify the ConnectString parameter in the eapps.cfg file and specify TLS encryption as appropriate.

    This task is described in "Configuring TLS Encryption for SWSE".

Deploying TLS for Siebel Web Server Extension

To deploy TLS for SWSE, you first configure a SWSE logical profile using the Siebel Enterprise Configuration Wizard. During this stage, you specify the values for deployment of TLS on the SWSE. You then apply the SWSE logical profile to the installed instance of the SWSE using the SWSE Configuration Wizard. The following procedure describes both of these steps.

To deploy TLS encryption for the Siebel Web Server Extension 

  1. Before you begin, obtain and install the certificate files you need if you are configuring TLS authentication.

  2. Launch the Siebel Enterprise Configuration Wizard.

    For information on this task, see Siebel Installation Guide for the operating system you are using.

  3. Choose the Create New Configuration option, then the Configure a New Siebel Web Server Extension Logical Profile option.

    For information on configuring the SWSE logical profile, see Siebel Installation Guide for the operating system you are using.

  4. Configure values for the SWSE logical profile until the Select the Connection Protocol and Encryption screen appears.

  5. Specify whether you are using TCP/IP or TLS for communication between Siebel Servers and the SWSE.

    If you select TLS, then the Deploy TLS in the Enterprise screen is displayed.

  6. Select the appropriate check box to enable TLS communications between the SWSE and the Siebel Server.

    TLS settings for SWSE must be compatible with those for Siebel Servers that connect to the Web server.

  7. Specify the names of the certificate file and of the certificate authority file.

    The equivalent parameters in the eapps.cfg file are CertFileName and CACertFileName.

  8. Specify the name of the private key file, and the password for the private key file, then confirm the password.

    The password you specify is stored in encrypted form.

    The equivalent parameters in the eapps.cfg file that the SWSE logical profile applies to the installed SWSE are KeyFileName and KeyFilePassword.

  9. Specify whether you require peer authentication.

    Peer authentication means that the SWSE authenticates the Siebel Server whenever a connection is initiated. Peer authentication is false by default.


    Note:

    If peer authentication is set to TRUE on the SWSE, then the Siebel Server is authenticated, provided that the SWSE has the certifying authority's certificate to authenticate the Siebel Server's certificate. If you deploy TLS, then it is recommended that you set PeerAuth to TRUE to obtain maximum security.

    The equivalent parameter in the eapps.cfg file that the SWSE logical profile applies to the installed SWSE is PeerAuth.

  10. Specify whether you require peer certificate validation.

    Peer certificate validation performs a reverse-DNS lookup to independently verify that the hostname of the Siebel Server computer matches the hostname presented in the certificate. Peer certificate validation is false by default.

    The equivalent parameter in the eapps.cfg file that the SWSE logical profile applies to the installed SWSE is PeerCertValidation.

  11. Review the settings. If the settings are correct, then execute the configuration and proceed to Step 12.

  12. Using the Siebel Web Server Extension Configuration Wizard, apply the SWSE logical profile to each SWSE in your Siebel environment for which you want to secure communications using TLS.

    For information on applying the SWSE logical profile, see the Siebel Installation Guide for the operating system you are using.

  13. For each Application Object Manager that will connect to the SWSE using TLS, modify the ConnectString parameter as described in "Configuring TLS Encryption for SWSE".

Configuring TLS Encryption for SWSE

When you configure the SWSE to use TLS using the Configuration Wizards, parameters are added to the eapps.cfg file in a new section called [connmgmt]. For descriptions of the TLS-related parameters listed in the [connmgmt] section, see "About Parameters in the eapps.cfg File". The [connmgmt] section looks similar to the following:

[connmgmt]
CACertFileName = c:\security\cacertfile.pem
CertFileName = c:\security\certfile.pem
KeyFileName = c:\sba8x\admin\keyfile.txt
KeyFilePassword = ^s*)Jh!#7
PeerAuth = TRUE
PeerCertValidation = FALSE

For each Application Object Manager that will connect to the SWSE using TLS, modify the ConnectString parameter to specify TLS as the communications type (TCP/IP is used by default), and None as the encryption type.

For example, for Siebel Sales using U.S. English, modify the parameter in the [/sales_enu] section of eapps.cfg to resemble the following as appropriate:

  • For TLS:

    siebel.tls.None.None://siebsrvrname:scbrokerport/siebel/SSEObjMgr_enu
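
The following Python check is an added example, not part of the Siebel documentation or of any Oracle tooling. It parses an eapps.cfg file and reports which of the TLS settings described in this topic are missing or left at their defaults. The sample file is constructed, and the [/service_enu] section, its TCPIP value and the password placeholder are assumptions.

```python
import configparser

# Constructed sample modelled on the [connmgmt] and [/sales_enu] sections above.
# [/service_enu], its TCPIP transport value and the password placeholder are assumptions.
SAMPLE_EAPPS_CFG = r"""
[connmgmt]
CACertFileName = c:\security\cacertfile.pem
CertFileName = c:\security\certfile.pem
KeyFileName = c:\sba8x\admin\keyfile.txt
KeyFilePassword = ENCRYPTED-PLACEHOLDER
PeerAuth = TRUE
PeerCertValidation = FALSE

[/sales_enu]
ConnectString = siebel.tls.None.None://siebsrvrname:scbrokerport/siebel/SSEObjMgr_enu

[/service_enu]
ConnectString = siebel.TCPIP.None.None://siebsrvrname:scbrokerport/siebel/SServiceObjMgr_enu
"""

def audit_eapps(text):
    """Return findings for the TLS-related eapps.cfg settings this topic describes."""
    cfg = configparser.ConfigParser(interpolation=None, strict=False, delimiters=("=",))
    cfg.optionxform = str  # keep parameter names exactly as written
    cfg.read_string(text)
    if not cfg.has_section("connmgmt"):
        return ["[connmgmt] section missing: no TLS settings applied to this SWSE"]
    conn, findings = cfg["connmgmt"], []
    for name in ("CACertFileName", "CertFileName", "KeyFileName"):
        if not conn.get(name, "").strip():
            findings.append(f"[connmgmt] {name} is not set")
    # Both parameters are false by default, so an absent value counts as FALSE.
    for name in ("PeerAuth", "PeerCertValidation"):
        if conn.get(name, "FALSE").strip().upper() != "TRUE":
            findings.append(f"[connmgmt] {name} is not TRUE")
    for section in cfg.sections():
        connect = cfg[section].get("ConnectString")
        if connect is None:
            continue
        # Prefix is siebel.<communications type>.<encryption type>.<...>://
        fields = connect.split("://", 1)[0].split(".")
        if len(fields) < 3 or fields[1].lower() != "tls":
            findings.append(f"[{section}] ConnectString does not use TLS")
        elif fields[2].lower() != "none":
            findings.append(f"[{section}] encryption type is not None")
    return findings

if __name__ == "__main__":
    print("\n".join(audit_eapps(SAMPLE_EAPPS_CFG)))
```

Run against the sample, the check reports the PeerCertValidation default and the Application Object Manager section that still connects without TLS.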