Siebel CRM Siebel Security Guide Siebel Innovation Pack 2016, Rev. A E24814-01 |
|
Previous |
Next |
View PDF |
The eapps.cfg file contains parameters that control interactions between the Siebel Web Engine and the Siebel Web Server Extension (SWSE) for all Siebel Business Applications deploying the Siebel Web Client. The eapps.cfg file is located in the SWEAPP_ROOT
\bin
directory after you apply a SWSE logical profile, where SWEAPP_ROOT
is the directory in which you installed the SWSE.
The eapps.cfg file includes sections such as [swe], [defaults], and [connmgmt] and sections for individual Siebel Business Applications, such as [/prmportal_enu] and [/callcenter_enu]. Each parameter value in the [defaults] section is used by all individual applications, unless you override the parameter's value with an entry in an application's own section.
You can edit the parameters in the eapps.cfg file manually using a text editor or you can configure and apply a SWSE logical profile using the Siebel Configuration Wizard. When you edit configuration files, do not use a text editor that adds additional, nontext characters to the file. For information on using the Siebel Configuration Wizard to configure SWSE parameters, see Siebel Installation Guide for the operating system you are using.
In a given eapps.cfg file, some parameters might not appear by default. Changes to the eapps.cfg file are not active until you restart the Siebel Server and the Web server.
For more detailed information on the eapps.cfg file parameters, see:
The following is a portion of a sample eapps.cfg file. This sample includes some parameters that might not coexist. They are provided so you can see a range of authentication-related parameters. In the eapps.cfg sample, the AnonUserName and AnonPassword values in the [/prmportal_enu] section are used by Siebel Partner Portal instead of the values provided in the [defaults] section.
[swe] Language = enu Log = all LogDirectory = D:\sba8x\SWEApp\log ClientRootDir = D:\sba8x\SWEApp IntegratedDomainAuth = FALSE [defaults] EncryptedPassword = TRUE AnonUserName = GUESTCST AnonPassword = fhYt8T*9N4e8&Qay StatsPage = _492394stats.swe SingleSignOn = TRUE TrustToken = mR*739DAPw*94%O2 WebPublicRootDir = D:\sba8x\SWEApp\public\enu SiebEntSecToken = fJq&29&58hJaY(A8!Z UserSpec = REMOTE_USER UserSpecSource = Server DoCompression = TRUE SessionTimeout = 900 GuestSessionTimeout = 300 [/prmportal_enu] AnonUserName = guestcp AnonPassword = aGr^92!8RWnf7Iy1 ProtectedVirtualDirectory = /p_prmportal_enu ConnectString = siebel.TCPIP.None.None://172.20.167.200:2320/SBA_8x/eChannelObjMgr_enu SiebEntSecToken = ^s*)Jh!#7^s*)Jh!#7 [connmgmt] CACertFileName = d:\siebel\admin\cacertfile.pem CertFileName = d:\siebel\admin\certfile.pem KeyFileName = d:\siebel\admin\kefile.txt KeyFilePassword = ^s*)Jh!#7 PeerAuth = FALSE PeerCertValidation = FALSE
Typically, password encryption is in effect by default for the eapps.cfg file, as determined by the setting EncryptedPassword = TRUE. In this case, values for SiebEntSecToken, AnonPassword, and TrustToken must be encrypted. For more information, see "Encrypted Passwords in the eapps.cfg File".
Note: It is recommended that you set the value for StatsPage to a value other than the default value (_stats.swe). |
Table A-1 lists the parameters in the eapps.cfg file that relate to authentication. The authentication parameters can be defined in the [defaults] section of the file or in the sections for individual applications.
Table A-1 Authentication-Related Parameters in the Eapps.cfg File
Parameter | Description |
---|---|
AnonUserName |
This parameter specifies the user name required for anonymous browsing and initial access to the login pages. The user name selected as the anonymous user must be assigned access to views intended for anonymous browsing, but to no other views. |
AnonPassword |
The password corresponding to the value entered for AnonUserName. |
ClientCertificate |
When this parameter is set to TRUE in a Web SSO implementation, the user is authenticated through a digital certificate. For information, see "About Digital Certificate Authentication". |
EncryptedPassword |
When this parameter is set to TRUE, the password for the anonymous user and the Web update password are interpreted as encrypted passwords. This parameter is added to the eapps.cfg file (with a value of |
EncryptSessionId |
When this parameter is set to TRUE (the default), the session ID is encrypted. When it is FALSE, the session ID is not encrypted. For a Siebel Web Client, the session ID is used in the session cookie (in cookie-based mode) or in the application URL (in cookieless mode). For more information about cookies, see "About Using Cookies with Siebel Business Applications". |
The time, in seconds, that a connection open for anonymous browsing can remain idle before it times out. The default is 300 seconds (5 minutes). Guest sessions are used for anonymous browsing. They permit users to navigate portions of the site without logging in. In contrast to anonymous sessions, guest sessions are associated with an individual Siebel Web Client. These sessions are opened when an unregistered user starts navigating the site, and they remain open until the Web client logs out or times out due to inactivity. When deciding the value to specify for guest user timeout, the primary consideration is whether or not anonymous browsing is being used. If it is, then set guest user timeouts to be greater than the average time users need to deliberate their next action. In other words, this is the time allowed between user actions. Both guest and anonymous sessions use the AnonUserName and AnonPassword parameters to log in. |
|
The time, in seconds, from the user's last browser request until the user's connection times out. The default is 900 seconds (15 minutes). Standard sessions are those where users log in using their registered user name and password. Otherwise, standard sessions share many of the same characteristics as guest sessions. For guidelines on setting a value for the SessionTimeout parameter, see "About the SessionTimeout Parameter". |
|
SingleSignOn |
The SWSE operates in Web SSO mode when this parameter is |
SubUserSpec |
In a Web SSO environment that implements digital certificate authentication, a value of CN specifies that the Siebel user ID is to be extracted from the certificate's CN (Common Name) attribute. For more information, see "Configuring the User Specification Source". |
TrustToken |
In a Web SSO environment, this token string is a shared secret between the SWSE and the security adapter. It is a measure to protect against spoofing attacks. This setting must be the same on both the SWSE and the security adapter. For more information, see Chapter 6, "Single Sign-On Authentication." |
UserSpec |
In a Web SSO implementation, this variable name specifies where the SWSE looks for a user's user name within the source given by UserSpecSource. The value, REMOTE_USER, by default is populated by the authentication filter. If digital certificate authentication is implemented on Windows or AIX, then use the value CERT_SUBJECT, a variable that contains the certificate name. For example, UserSpec/SubUserSpec is CERT_SUBJECT/CN. For other UNIX operating systems, use REMOTE_USER for UserSpec. The SubUserSpec setting is disregarded. For more information, see "Configuring the User Specification Source". |
UserSpecSource |
In a Web SSO implementation, this parameter specifies the source from which the SWSE derives the user credentials: Server, if from the usual Web server user name field; Header, if the variable is within the HTTP request header. For more information, see "Configuring the User Specification Source". |
ProtectedVirtualDirectory Defined in the section for each individual Siebel application in eapps.cfg. Do not define in the [defaults] section. |
This parameter specifies a Web server virtual directory that represents the protected location of the Siebel application. This parameter must have a value in a Web SSO implementation, and is optional in other implementations. For more information, see "About the Protected Virtual Directory Parameter". |
IntegratedDomainAuth Defined in the [swe] section of eapps.cfg. |
To support Windows Integrated Authentication for Web SSO, set this parameter to |
SessionTimeout is the time, in seconds, from the user's last browser request until the user's connection times out. Table A-2 offers guidelines for setting this parameter.
Table A-2 Guidelines for Setting Session Timeouts
Session Type | Condition | Recommended Setting |
---|---|---|
Anonymous session |
|
Greater than 30 minutes. |
Guest |
|
Greater than 30 minutes. Less than 5 minutes. Less than 5 minutes. |
Regular |
|
Greater than 30 minutes. 1-15 minutes. Less than 5 minutes. Greater than 30 minutes. Greater than 30 minutes. |
All the session timeouts mentioned in Table A-2, "Guidelines for Setting Session Timeouts" refer to session inactivity. That is, if session timeout is set to 3600 seconds, then it requires one hour of session inactivity for that session to time out. Session inactivity means no request is made to the Siebel Server on that session. Any act that sends a ping request to the Siebel Server, such as sending notifications, resets the session timeout period. If the update interval is less than the SessionTimeout set in the eapps.cfg file, then the session never times out.
If you use the Siebel Portal Framework to implement portal views, then note that the Siebel application times out if user activity in the portal view exceeds the time that is specified by SessionTimeout. Note also that, by default, portal views send a ping status request to their server every 120 seconds (2 minutes) to keep their session alive. For more information about the Siebel Portal Framework, see Siebel Portal Framework Guide.
The ProtectedVirtualDirectory parameter specifies a Web server virtual directory that represents the protected location of the Siebel application. This parameter is required in a Web SSO implementation.
The protected directory allows you to configure your Web server or third-party authentication software to require user authentication to access specific Siebel application views. Requests for any views that require explicit login are redirected to this virtual directory. For more information, see "(Optional) Creating Protected Virtual Directories".
For example, if you used the suggested name for the protected virtual directory for Siebel eService, enter:
[/eservice_enu] ProtectedVirtualDirectory = /p_eservice
If your Web SSO implementation is not configured for anonymous browsing, then set this value to the same directory as your application. For example:
[/eservice_enu] ProtectedVirtualDirectory = /eservice
Otherwise, a Web Authentication Failed message might appear in the application's log file.
Note: You use examples like those above to secure an entire application. However, if some parts of the application do not require authentication, you must be able to authenticate users when they access a secured part of the application. In this case, set the parameter to an alias where the Web SSO credentials are passed. The Siebel application redirects the authentication request. |
TLS-related parameters can be included in the [connmgmt] section of the eapps.cfg file if you are using TLS to encrypt SISNAPI communications between the Web server and the Siebel Server. Table A-3 describes these parameters. For more information on configuring TLS encryption, see "Configuring TLS Encryption for SWSE".
Table A-3 TLS Parameters in the Eapps.cfg File
For additional information on the eapps.cfg file, see "About Parameters in the eapps.cfg File" and "Authentication-Related Parameters in Eapps.cfg".