Siebel CRM Siebel Security Hardening Guide
Siebel Innovation Pack 2015
E24815-01

Securing Siebel Remote

Oracle's Siebel Remote enables a Siebel Mobile Web Client (MWC) that typically operates remotely in disconnected mode to connect to a Siebel Server so that the local client database can be synchronized with the enterprise Siebel database. Making the Siebel Remote architecture as secure as possible involves implementing security strategies for the following areas:

Securing the Synchronization Framework

This topic outlines issues to consider and provides recommendations for securing the synchronization framework for Siebel Remote.

In addition to implementing the suggestions in this topic, make sure that you assign the least privileges required to the Siebel service owner account on the Siebel Server that runs the Synchronization Manager component. For additional information, see "Assigning Rights to the Siebel Service Owner Account".

Authenticating the Mobile Web Client

By default, the Synchronization Manager does not authenticate incoming Remote client requests to make sure that the client is valid. It is recommended that you configure your Siebel application to require that client requests are authenticated by setting the value of the Authentication Method parameter of the Synchronization Manager to one of the supported authentication methods:

  • Database

  • LDAP

  • Active Directory

  • Siebel

  • AppServer

The synchronization session takes place through a fixed port that is dedicated to the Synchronization Manager; the default TCP/IP port number is 40400. The port number is set on the Synchronization Manager Server component and must then be opened in any firewall between the client and the server. Because the default port is widely known, it is recommended that you change it.

Encrypting Communications

The synchronization session can be managed using unencrypted communications, but it is recommended that you implement RSA or MSCrypto encryption. To use encryption, both the Siebel Server and the Remote client must enforce encryption in their connection parameters. To enable encryption, set the Encryption Type parameter of the Synchronization Manager Server component to RSA or MSCrypto and change the DockConnString parameter in the [Local] section of the client .cfg file to the same value. For additional information, see Siebel Remote and Replication Manager Administration Guide.
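The following audit script, added here as an example and not part of Oracle's product or documentation, checks a client .cfg [Local] section against the two recommendations above: an RSA or MSCrypto encryption type in DockConnString and a synchronization port other than the default 40400. The colon-separated layout of DockConnString and the sample values are assumptions; the script only looks for a numeric port field and an encryption token, so the exact field order does not matter.

```python
"""Audit a Siebel Remote client .cfg [Local] section for an encrypted
DockConnString (RSA or MSCrypto) and a non-default sync port (40400).
Added example, not Oracle's code; the colon-separated layout is assumed."""
import configparser
import io

DEFAULT_SYNC_PORT = 40400
ENCRYPTION_TYPES = {"RSA", "MSCRYPTO"}

# Constructed sample client .cfg fragments: the first is unhardened, the
# second follows the recommendations (non-default port, RSA encryption).
WEAK_CFG = """
[Local]
DockConnString = siebsrvr1:40400::NONE
"""
HARDENED_CFG = """
[Local]
DockConnString = siebsrvr1:49152::RSA
"""


def parse_dock_conn_string(cfg_text):
    """Return the DockConnString fields from the [Local] section.

    Assumption: fields are colon-separated (server, port, ..., encryption)."""
    parser = configparser.ConfigParser(interpolation=None, delimiters=("=",))
    parser.read_file(io.StringIO(cfg_text))
    value = parser.get("Local", "DockConnString", fallback="")
    return [field.strip() for field in value.split(":")]


def audit_local_section(cfg_text):
    """Return a list of findings; an empty list means both checks passed."""
    fields = parse_dock_conn_string(cfg_text)
    if fields == [""]:
        return ["DockConnString missing from [Local] section"]
    findings = []
    ports = [int(field) for field in fields if field.isdigit()]
    if ports and ports[0] == DEFAULT_SYNC_PORT:
        findings.append("synchronization port is the default 40400")
    if not any(field.upper() in ENCRYPTION_TYPES for field in fields):
        findings.append("DockConnString does not request RSA or MSCrypto encryption")
    return findings


if __name__ == "__main__":
    for name, cfg in (("weak", WEAK_CFG), ("hardened", HARDENED_CFG)):
        print(name, audit_local_section(cfg) or ["ok"])
```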

Encrypting DX Transaction Files

Siebel Remote allows Mobile Web Clients to connect to a Siebel Server and exchange updated data and files during the synchronization process. The updated data is sent to or retrieved from the server in the form of .dx transaction files.

To protect your data, encrypt the .dx files using any suitable third-party utility, such as Pretty Good Privacy (PGP), when the files are removed from the \docking folder for any reason. To secure the .dx files within the \docking folder during run time, operating system-level encryption techniques can be used, for example, Microsoft Windows Encrypting File System, so that encryption and decryption are performed dynamically.

Caution:

Implementing operating system-level encryption on the \docking folders can adversely affect data replication.

Using a VPN When Synchronizing Through the Internet

It is recommended that every synchronization session occur within the corporate firewall. If your deployment of Siebel Business Applications must support synchronization through the Internet from outside the firewall, then it is recommended that you use a Virtual Private Network (VPN).

If there is a firewall on the network between the synchronization client and the Siebel Server, or between the VPN server and the Siebel Server, then the port for synchronizing with the Siebel Server must be opened on the firewall, and this port must be a port other than port 80. If a VPN connection is not used, then it is possible that your Internet Service Provider (ISP) or another host on the route might block communications on this particular port. For additional information, see Siebel Remote and Replication Manager Administration Guide.

Encrypting Data in the Local Database and File System

The Siebel Mobile Web Client uses a local database to store data for user access and uses a local Siebel File System to store files. This topic outlines recommendations for securing both.

Local Database

Two local database template files are provided with Siebel Business Applications for use with Siebel Remote. These templates provide the starting point to generate your own database template:

  • sse_utf8.dbf. A template that is not encrypted.

  • sse_encr.dbf. A template that is encrypted with standard Sybase encryption.

By default, the template that defines the local database schema is not encrypted. It is recommended that you use the encrypted local database template to encrypt the entire local database, thereby providing a layer of security against unauthorized access to the local database.

To use an encrypted database template for mobile clients, the Generate New Database and Database Extract tasks must be configured and run using the sse_encr.dbf template. For information, see Siebel Remote and Replication Manager Administration Guide.

Local Siebel File System

If the local Siebel File System is used to store highly sensitive data, then it is recommended that you encrypt the local Siebel File System, either using third-party products or encryption features provided by your operating system.

Defining Password Management Procedures

When using the Siebel Mobile Web Client, secure access to the Siebel Server and to data on the local database by implementing password management procedures as follows:

  • Implement the following password functionality for local database authentication provided by Siebel Business Applications:

    • Lock applications after a given number of failed-access attempts.

    • Disable passwords after a given period.

    • Check password formats based on specified rules.

    • Reset user passwords. The administrator performs this task.

  • To guard against unauthorized administrative access to the local database, change the local database DBA password from the default value, which is the first eight characters of the Siebel Enterprise name.

    Specify a strong password for the local DBA by modifying the value of the New DBA Password parameter when generating a new database template.

  • Enable password hashing. For information on this task, see "About Configuring Password Hashing for Users".
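The password controls listed above, modelled as an added example rather than Siebel's own implementation: lockout after a number of failed attempts, disabling the password after a set period, format checks, and rejection of the default local DBA password (the first eight characters of the Siebel Enterprise name). The lockout threshold, validity period and minimum length are assumed values.

```python
"""Local-database password controls from this topic, as an added example
(not Siebel's implementation). Thresholds below are assumptions."""
import re
from datetime import datetime, timedelta

MAX_FAILED_ATTEMPTS = 5                 # assumed lockout threshold
PASSWORD_LIFETIME = timedelta(days=90)  # assumed validity period
MIN_LENGTH = 12                         # assumed minimum length


def default_dba_password(enterprise_name):
    """Default local DBA password: first eight characters of the Enterprise name."""
    return enterprise_name[:8]


def check_format(password, enterprise_name):
    """Return the list of rule violations; an empty list means acceptable."""
    problems = []
    if len(password) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    if not (re.search(r"[A-Z]", password) and re.search(r"[a-z]", password)):
        problems.append("needs both upper- and lower-case letters")
    if not re.search(r"\d", password):
        problems.append("needs a digit")
    if password == default_dba_password(enterprise_name):
        problems.append("equals the default DBA password")
    return problems


class LocalAccount:
    def __init__(self, password_set_at):
        self.failed_attempts = 0
        self.locked = False
        self.password_set_at = password_set_at

    def record_login(self, success, now):
        """Return 'ok', 'failed', 'locked' or 'expired' for an attempt at `now`."""
        if self.locked:
            return "locked"
        if now - self.password_set_at > PASSWORD_LIFETIME:
            return "expired"                # password disabled after the period
        if success:
            self.failed_attempts = 0
            return "ok"
        self.failed_attempts += 1
        if self.failed_attempts >= MAX_FAILED_ATTEMPTS:
            self.locked = True              # lock after N failed attempts
            return "locked"
        return "failed"
```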