Siebel CRM Siebel Security Guide
Siebel Innovation Pack 2016, Rev. A
E24814-01

Process of Installing and Configuring Oracle LDAP Client Software Without Using Siebel Enterprise Server Installer

Follow the instructions in this process for migration installations of Siebel Enterprise Server, and for Oracle Database deployments where you plan to install an external Oracle LDAP Client and configure the client for LDAP connectivity, or where an existing Oracle LDAP Client is preinstalled on your machine (for example, installed using the native database client installer). You must configure the Oracle LDAP Client for authentication and install the critical patches applicable to your operating system. The Oracle LDAP Client must be version 11.2.0.3 or later.

This topic outlines the steps involved in installing and configuring the Oracle LDAP Client and Oracle Wallet Manager. To install the Oracle LDAP Client software, and to configure it for your environment, perform the following tasks:

  1. Review "Requirements for Oracle LDAP Client Installation"

  2. Review "Considerations if Using LDAP Authentication with TLS"

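  3. Perform one of the following tasks, as appropriate:

    • "Installing the Oracle LDAP Client Software on Windows"

    • "Installing the Oracle LDAP Client Software on UNIX"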

  4. (UNIX operating systems only) "Configuring the siebenv.csh and siebenv.sh Scripts for the Oracle LDAP Client"

  5. (Optional) "Creating a Wallet for Certificate Files When Using LDAP Authentication with TLS"

Considerations if Using LDAP Authentication with TLS

This topic provides information on using LDAP authentication with TLS. The Oracle LDAP Client requires that Oracle Wallet Manager is installed if TLS must be supported. The LDAP libraries and utilities provided with the Oracle LDAP Client use the TLS libraries provided with Oracle Wallet Manager.

This task is a step in "Process of Installing and Configuring Oracle LDAP Client Software Without Using Siebel Enterprise Server Installer".

  • If Oracle Wallet Manager is installed, then the LDAP libraries dynamically load the TLS libraries and use them to enable TLS, when TLS is configured.

  • If Oracle Wallet Manager is not installed and the TLS libraries are not available, then the LDAP library is fully functional, with the exception of TLS support.

By using TLS with server authentication, an LDAP application can use simple LDAP authentication (user ID and password) over an encrypted communication connection between the LDAP client application and the LDAP server. In addition, TLS provides data confidentiality (encryption) on connections protected by TLS. Authentication of servers to clients is accomplished with X.509 certificates.

It is assumed that TLS capability is, or will be, required for Siebel LDAP authentication. Therefore, the LDAP client installation process includes Oracle Wallet Manager installation as an integral part. If you are absolutely sure that TLS will never be turned on for Siebel LDAP authentication, then you do not have to install Oracle Wallet Manager.

Installing the Oracle LDAP Client Software on Windows

This topic describes how to obtain the Oracle LDAP Client installation files on Microsoft Windows and how to install the Oracle LDAP Client and Oracle Wallet Manager.

This task is a step in "Process of Installing and Configuring Oracle LDAP Client Software Without Using Siebel Enterprise Server Installer".

To install the Oracle LDAP Client and Oracle Wallet Manager on Windows 

  1. Log on to Microsoft Windows.

  2. Navigate to the Siebel image location for the current release, then navigate to the directory Siebel_Image\Windows\Server\Siebel_Enterprise_Server\Disk1\stage\ORACLE_LDAP_Client\enu.

  3. Copy the files in the \enu directory to a directory on the Siebel Server and Siebel Gateway Name Server where you want to install the Oracle LDAP Client.

  4. Install the Oracle LDAP Client, selecting the Runtime option when you are prompted to select the type of installation you want to perform.

    For detailed information on installing Oracle LDAP Client, see Oracle® Database Client Installation Guide 11g Release 2 (11.2) for Microsoft Windows. When the installation has completed, the following software is available on the Siebel Server and Siebel Gateway Name Server:

    • Oracle LDAP SDK

    • Oracle LDAP client library

    • Oracle Wallet Manager


      Note:

      The Oracle LDAP client software components are embedded in the Oracle LDAP Client and are not listed as separately installed programs on the Siebel Server.

  5. Install patch p19285025_112030_WINNT.zip from the following location:

    Siebel_Image\Windows\Server\Siebel_Enterprise_Server\Disk1\stage\ORACLE_LDAP_Client\enu
    
  6. Set the value of the ORACLE_HOME environment variable to the location of the directory into which you installed the Oracle LDAP Client files, for example:

    set ORACLE_HOME=C:\oracle\SUN64\11gR2\11.2.0.3
    

    Note:

    If you are using Siebel Business Applications with an Oracle Database, and if you have a previous Oracle LDAP Client installation, change the value of ORACLE_HOME to specify the location of the Oracle LDAP Client you have just installed. You can set the ORACLE_HOME environment variable by navigating to the following location on your machine: Computer, Properties, Advanced System Settings, Environment Variables, and then System Variables.

  7. Set the value of the Security Adapter Dll Name parameter to sscforacleldap.dll.

    For information on the Security Adapter Dll Name parameter, see "Parameters for LDAP or ADSI Authentication".

  8. Stop and restart the Siebel Server and Siebel Gateway Name Server.

Installing the Oracle LDAP Client Software on UNIX

This topic describes how to obtain the Oracle LDAP Client installation files on a UNIX operating system platform and how to install the Oracle LDAP Client and Oracle Wallet Manager.

This task is a step in "Process of Installing and Configuring Oracle LDAP Client Software Without Using Siebel Enterprise Server Installer".

To install the Oracle LDAP Client and Oracle Wallet Manager on UNIX 

  1. Log in as a nonroot user.

  2. Navigate to the Siebel image location for the current release, then navigate to the directory Siebel_Image/UNIX_operating_system/Server/Siebel_Enterprise_Server/Disk1/stage/ORACLE_LDAP_Client/enu, where UNIX_operating_system is one of the following as required: Solaris, AIX, HPUX, Linux.

    The /enu directory contains the Oracle LDAP Client files and the patches you must apply to the Oracle LDAP Client if you are using the Oracle Solaris, AIX, or HP-UX operating system.

  3. Copy the files in the /enu directory to a directory on the Siebel Server and Siebel Gateway Name Server where you want to install the Oracle LDAP Client. Make sure you also copy the appropriate patch for your operating system as follows:

    • Oracle Solaris. p16852128_112030_SOLARIS.zip

    • AIX. p12375092_112030_AIX.zip

    • HP-UX. p17758083_112030_HPUX-IA32.zip

    Patches are available under the following directory location:

    Siebel_Image\<ARCH>\Server\Siebel_Enterprise_Server\Disk1\stage\ORACLE_LDAP_Client\enu\patches
    

    There are two patches for Oracle Solaris, AIX, and HP-UX, and there is one patch for Linux and Microsoft Windows. Copy and apply the patches using the OPatch utility. Every patch comes with a readme file that contains instructions on how to install the patch.

  4. Install the Oracle LDAP Client, selecting the Runtime option when you are prompted to select the type of installation you want to perform.

    For detailed information on installing Oracle LDAP Client, see Oracle® Database Client Installation Guide 11g Release 2 (11.2) for Linux. When the installation is completed, the following software is available on the Siebel Server and Siebel Gateway Name Server:

    • Oracle LDAP SDK

    • Oracle LDAP client library

    • Oracle Wallet Manager


      Note:

      The Oracle LDAP client software components are embedded in the Oracle LDAP Client and are not listed as separately installed programs on the Siebel Server and Siebel Gateway Name Server.

  5. Set the value of the ORACLE_HOME environment variable to the location of the directory into which you installed the Oracle LDAP Client files, for example:

    • For C shell (.csh):

      setenv ORACLE_HOME /../example.com/vol/dbclient/oracle/SUN64/11gR2/11.2.0.3
      
    • For Bourne shell or Korn shell (.sh):

      ORACLE_HOME=/../example.com/vol/dbclient/oracle/SUN64/11gR2/11.2.0.3
      export ORACLE_HOME
      

      Note:

      If you are using Siebel Business Applications with an Oracle Database, and if you have a previous Oracle LDAP Client installation, change the value of ORACLE_HOME to specify the location of the Oracle LDAP Client you have just installed. You can set the ORACLE_HOME environment variable by navigating to the following location on your machine: Computer, Properties, Advanced System Settings, Environment Variables, and then System Variables.

  6. Add the directory path of the Oracle LDAP Client libraries to the library path environment variable in either the siebenv.csh (C shell) or siebenv.sh (Bourne or Korn shell) script file. For information on this task, see "Configuring the siebenv.csh and siebenv.sh Scripts for the Oracle LDAP Client".

  7. Unzip the operating system-specific patch for the Oracle LDAP Client that you downloaded in Step 3, then apply the patch using the Oracle OPatch utility.

  8. Change the value of the Security Adapter Dll Name parameter to libsscforacleldap.so or libsscforacleldap.sl, depending on the UNIX operating system you are using.

    For information on the Security Adapter Dll Name parameter, see "Parameters for LDAP or ADSI Authentication".

  9. Stop and restart the Siebel Server and Siebel Gateway Name Server.

Configuring the siebenv.csh and siebenv.sh Scripts for the Oracle LDAP Client

After you have installed the Oracle LDAP Client on your UNIX operating system, you must add the directory path of the Oracle LDAP Client libraries to the library path environment variable in either the siebenv.csh (C shell) or siebenv.sh (Bourne or Korn shell) shell scripts. When you source these scripts, they set the environment variables for your Siebel implementation.

The siebenv.csh and siebenv.sh scripts are created in the $SIEBEL_ROOT directory during the Siebel Server installation and configuration process. Edit the siebenv.csh or siebenv.sh script, as described in the following topics, where $ORACLE_HOME/lib is the installation path of your Oracle LDAP Client libraries.

This task is a step in "Process of Installing and Configuring Oracle LDAP Client Software Without Using Siebel Enterprise Server Installer".

Linux and Oracle Solaris Operating Systems

On Linux and Oracle Solaris operating systems, the name of the library path environment variable is LD_LIBRARY_PATH. Depending on whether you source the siebenv.csh or the siebenv.sh script, set the LD_LIBRARY_PATH variable as follows:

  • siebenv.csh

    # Append the existing value only when LD_LIBRARY_PATH is already set.
    if ($?LD_LIBRARY_PATH) then
      setenv LD_LIBRARY_PATH ${SIEBEL_ROOT}/lib:${SIEBEL_ROOT}/lib/odbc/merant:${ORACLE_HOME}/lib:${MWHOME}/lib:${SQLANY}/lib:/usr/lib:${LD_LIBRARY_PATH}
    else
      setenv LD_LIBRARY_PATH ${SIEBEL_ROOT}/lib:${SIEBEL_ROOT}/lib/odbc/merant:${ORACLE_HOME}/lib:${MWHOME}/lib:${SQLANY}/lib:/usr/lib
    endif
    
  • siebenv.sh

    # Append the existing value only when LD_LIBRARY_PATH is not empty.
    if [ -z "${LD_LIBRARY_PATH}" ]
    then
      LD_LIBRARY_PATH=${SIEBEL_ROOT}/lib:${SIEBEL_ROOT}/lib/odbc/merant:${ORACLE_HOME}/lib:${MWHOME}/lib:${SQLANY}/lib:/usr/lib
    else
      LD_LIBRARY_PATH=${SIEBEL_ROOT}/lib:${SIEBEL_ROOT}/lib/odbc/merant:${ORACLE_HOME}/lib:${MWHOME}/lib:${SQLANY}/lib:/usr/lib:${LD_LIBRARY_PATH}
    fi
    export LD_LIBRARY_PATH
    

AIX Operating System

On the AIX operating system, the name of the library path environment variable is LIBPATH. Depending on whether you source the siebenv.csh or the siebenv.sh script, set the LIBPATH variable as follows:

  • siebenv.csh

    # Append the existing value only when LIBPATH is already set.
    if ($?LIBPATH) then
      setenv LIBPATH ${SIEBEL_ROOT}/lib:${SIEBEL_ROOT}/lib/odbc/merant:${ORACLE_HOME}/lib:${MWHOME}/lib:${SQLANY}/lib:/usr/lib:${LIBPATH}
    else
      setenv LIBPATH ${SIEBEL_ROOT}/lib:${SIEBEL_ROOT}/lib/odbc/merant:${ORACLE_HOME}/lib:${MWHOME}/lib:${SQLANY}/lib:/usr/lib
    endif
    
  • siebenv.sh

    # Append the existing value only when LIBPATH is not empty.
    if [ -z "${LIBPATH}" ]
    then
      LIBPATH=${SIEBEL_ROOT}/lib:${SIEBEL_ROOT}/lib/odbc/merant:${ORACLE_HOME}/lib:${MWHOME}/lib:${SQLANY}/lib:/usr/lib
    else
      LIBPATH=${SIEBEL_ROOT}/lib:${SIEBEL_ROOT}/lib/odbc/merant:${ORACLE_HOME}/lib:${MWHOME}/lib:${SQLANY}/lib:/usr/lib:${LIBPATH}
    fi
    export LIBPATH
    

HP-UX Operating System

On the HP-UX operating system, the name of the library path environment variable is SHLIB_PATH. Depending on whether you source the siebenv.csh or the siebenv.sh script, set the SHLIB_PATH variable as follows:

  • siebenv.csh

    # Append the existing value only when SHLIB_PATH is already set.
    if ($?SHLIB_PATH) then
      setenv SHLIB_PATH ${SIEBEL_ROOT}/lib:${SIEBEL_ROOT}/lib/odbc/merant:${ORACLE_HOME}/lib:${MWHOME}/lib:${SQLANY}/lib:/usr/lib:${SHLIB_PATH}
    else
      setenv SHLIB_PATH ${SIEBEL_ROOT}/lib:${SIEBEL_ROOT}/lib/odbc/merant:${ORACLE_HOME}/lib:${MWHOME}/lib:${SQLANY}/lib:/usr/lib
    endif
    
  • siebenv.sh

    # Append the existing value only when SHLIB_PATH is not empty.
    if [ -z "${SHLIB_PATH}" ]
    then
      SHLIB_PATH=${SIEBEL_ROOT}/lib:${SIEBEL_ROOT}/lib/odbc/merant:${ORACLE_HOME}/lib:${MWHOME}/lib:${SQLANY}/lib:/usr/lib
    else
      SHLIB_PATH=${SIEBEL_ROOT}/lib:${SIEBEL_ROOT}/lib/odbc/merant:${ORACLE_HOME}/lib:${MWHOME}/lib:${SQLANY}/lib:/usr/lib:${SHLIB_PATH}
    fi
    export SHLIB_PATH
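
A check for the value these edits produce, as an added example that is not part of the Siebel guide: it flags empty or relative entries and world-writable directories in LD_LIBRARY_PATH, LIBPATH or SHLIB_PATH, and confirms that the Oracle LDAP Client library directory is listed. The function name audit_libpath and the sample paths are assumptions made for this example.

```shell
#!/bin/sh
# Added example, not part of the Siebel guide.
# audit_libpath VALUE ORACLE_LIB
#   VALUE       colon-separated search path (LD_LIBRARY_PATH, LIBPATH or SHLIB_PATH)
#   ORACLE_LIB  directory that must be listed, normally "$ORACLE_HOME/lib"
# Prints one finding per line; returns 1 if there is any finding, else 0.
# Typical use after sourcing siebenv.sh:
#   audit_libpath "$LD_LIBRARY_PATH" "$ORACLE_HOME/lib"
audit_libpath() {
    alp_value=$1
    alp_oracle=$2
    alp_bad=0
    alp_seen=0

    # A leading, trailing or doubled ':' is an empty entry, which the
    # dynamic loader can resolve relative to the current directory.
    case ":$alp_value:" in
        *::*) echo "empty entry in path"; alp_bad=1 ;;
    esac

    # Split on ':' without glob expansion, then restore the shell state.
    alp_ifs=$IFS; IFS=:; set -f
    set -- $alp_value
    IFS=$alp_ifs; set +f

    for alp_dir in "$@"; do
        [ -n "$alp_dir" ] || continue
        if [ "$alp_dir" = "$alp_oracle" ]; then alp_seen=1; fi
        case $alp_dir in
            /*) ;;
            *) echo "relative entry: $alp_dir"; alp_bad=1; continue ;;
        esac
        # Any local user can plant a library in a world-writable directory.
        if [ -d "$alp_dir" ] &&
           [ -n "$(find "$alp_dir" -prune -perm -0002 -print 2>/dev/null)" ]; then
            echo "world-writable directory: $alp_dir"; alp_bad=1
        fi
    done

    if [ "$alp_seen" -eq 0 ]; then
        echo "missing Oracle LDAP Client library directory: $alp_oracle"; alp_bad=1
    fi
    return "$alp_bad"
}

# Constructed sample value with a trailing ':' (what an unconditional
# append of an unset LD_LIBRARY_PATH would produce).
audit_libpath "/siebel/siebsrvr/lib:/opt/oracle/ldapclient/lib:/usr/lib:" \
    "/opt/oracle/ldapclient/lib" || true
```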
    

Creating a Wallet for Certificate Files When Using LDAP Authentication with TLS

If you are using LDAP authentication with TLS, then you must use Oracle Wallet Manager to create a wallet to store the certificates required for TLS communications. This topic describes how to create the wallet, and how to enable TLS for the Siebel LDAP security adapter. For detailed information on using Oracle Wallet Manager, see Oracle® Database Advanced Security Administrator's Guide.

By enabling TLS for the Siebel LDAP security adapter, an encrypted connection is established between the Siebel application and the LDAP server. For information on enabling TLS for an LDAP server, refer to your third-party LDAP server administration documentation. This topic assumes that the LDAP server is already TLS-enabled, that is, it accepts TLS connections.

This task is a step in "Process of Installing and Configuring Oracle LDAP Client Software Without Using Siebel Enterprise Server Installer".

Creating an Oracle Wallet

To enable TLS for the Siebel LDAP security adapter, an Oracle wallet must be created on the Siebel Server computer which runs the Application Object Managers or other components that must support LDAP authentication through the LDAP security adapter. The Oracle wallet must contain CA server certificates that have been issued by Certificate Authorities to LDAP servers.

Use the following procedure to create an Oracle wallet. Before creating an Oracle Wallet, note that you must be logged in to Siebel as the same user that the Siebel Server service runs under and the wallet must be located in the default location for that user.

To create an Oracle wallet 

  1. Determine which Certificate Authorities issued the server certificate for your LDAP server and obtain this CA certificate.

  2. Copy the CA certificate to the computer where you have installed Oracle Wallet Manager.

  3. On the Siebel Server computer where you will run the Application Object Manager components that support LDAP authentication, create an Oracle wallet using Oracle Wallet Manager.

    To create the wallet, follow the detailed instructions in Oracle® Database Advanced Security Administrator's Guide. Specify the following values:

    1. In the New Wallet dialog box, enter a password for the wallet in the Wallet Password field, then reenter the password in the Confirm Password field.

    2. From the Wallet Type list, select Standard, then click OK.

      A new empty wallet is created.

    3. When prompted to specify whether or not you want to add a certificate request, select No.

      You return to the Oracle Wallet Manager main window.

    4. Save the wallet by selecting Wallet, then Save In System Default to save the wallet file to the default directory location:

      • For UNIX the default directory location is $ORACLE_HOME/bin/owm/wallets/username.

      • For Windows the default directory location is ORACLE_HOME\bin\owm\wallets\username.

      You must specify this directory when configuring TLS for clients and servers. You can save the wallet to a different directory if required.

  4. Import the certificate referred to in Step 2 into the wallet you have created.

    You can import as many CA certificates as required. For information on importing certificates, see Oracle® Database Advanced Security Administrator's Guide.


Note:

For LDAP servers that have their server certificate issued from a new CA, just add the CA certificate to the existing wallet, instead of creating a new wallet for every LDAP server.

Enabling TLS for the Siebel LDAP Security Adapter

Use the procedure below to configure TLS for the Siebel LDAP security adapter. For more information about LDAP security adapter configuration, see "Configuring LDAP or ADSI Security Adapters Using the Siebel Configuration Wizard".

To enable TLS for the Siebel LDAP security adapter 

  1. Copy the wallet you created in "Creating an Oracle Wallet" to the Siebel Server computer where you will run the Application Object Manager components that support LDAP authentication.

  2. (Windows Only) If you are using Windows, do one of the following:

    • Copy the contents of the wallet directory ORACLE_HOME\bin\owm\wallets\username into a location that the Siebel Server service owner can access, for example c:\wallet.

    • Alternatively, change the Siebel Server service owner account log on values so that they are the same as the account used to create the wallet described in "Creating an Oracle Wallet". To change the Siebel Server service account owner log on values:

      • From the Windows Start menu, choose Settings, Control Panel, Administrative Tools, and then the Services item.

      • Right-click on the Siebel Server System Service, then select Properties.

      • In the Properties dialog box for this service, click the Log On tab.

      • Select the This Account option, then enter the name and password of the account used to create the wallet.

  3. Modify the LDAP security adapter configuration parameters using values similar to those shown in the following table.

    Parameter Value
    port port_number

    The TLS port is configurable for the LDAP server. Verify the actual port number the LDAP server is using for TLS and specify that value. The default value is 636.

    ssldatabase wallet_directory_path

    Specify the absolute path to the wallet directory using a format similar to the following: file:sslwallet.

    where:

    • file is the wallet resource locator type

    • sslwallet is the directory containing the wallet, for example, $ORACLE_HOME/siebsrvr/bin/owm/wallets/username

    Note the following:

    • The wallet must be located in the siebsrvr/bin folder, or else the wallet will not be found.

    • (Windows only) If you copied the contents of the wallet directory into another location, for example c:\wallet (see Step 2), then specify the wallet directory path as follows: file: c:\wallet.

    WalletPassword wallet_password

    Specify the password you assigned to the wallet when creating the wallet.


    For information on configuring parameters for the LDAP security adapter, see "Parameters for LDAP or ADSI Authentication".

  4. Restart the Siebel Server (if you are configuring LDAP on a Siebel Server).
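
A pre-restart check of the ssldatabase value on UNIX, as an added example that is not part of the Siebel guide: it validates the file: locator, the absolute path and the siebsrvr/bin location described above, and reports a wallet that group or other users can modify. The function name check_ssldatabase and the sample path are assumptions, as is the wallet file name ewallet.p12 (the name Oracle Wallet Manager gives a saved wallet).

```shell
#!/bin/sh
# Added example, not part of the Siebel guide.
# check_ssldatabase VALUE
#   VALUE  the ssldatabase parameter, expected as file:<absolute wallet directory>
# Assumption: the wallet saved by Oracle Wallet Manager is the file ewallet.p12.
# Run as the user the Siebel Server service runs under.
# Prints one finding per line; returns 1 if there is any finding, else 0.
check_ssldatabase() {
    csd_value=$1
    csd_bad=0

    case $csd_value in
        file:*) csd_dir=${csd_value#file:} ;;
        *) echo "value does not use the file: locator type"; return 1 ;;
    esac
    case $csd_dir in
        /*) ;;
        *) echo "wallet path is not absolute: $csd_dir"; return 1 ;;
    esac
    # The guide notes that the wallet is only found under siebsrvr/bin.
    case $csd_dir in
        */siebsrvr/bin/*) ;;
        *) echo "wallet directory is not under siebsrvr/bin"; csd_bad=1 ;;
    esac
    if [ ! -d "$csd_dir" ]; then
        echo "wallet directory does not exist: $csd_dir"; return 1
    fi
    if [ ! -f "$csd_dir/ewallet.p12" ] || [ ! -r "$csd_dir/ewallet.p12" ]; then
        echo "no readable ewallet.p12 in $csd_dir"; csd_bad=1
    fi
    # The wallet is the trust store for the LDAP server certificate, so
    # only the Siebel Server service account should be able to modify it.
    for csd_item in "$csd_dir" "$csd_dir/ewallet.p12"; do
        [ -e "$csd_item" ] || continue
        if [ -n "$(find "$csd_item" -prune \( -perm -0020 -o -perm -0002 \) -print)" ]; then
            echo "writable by group or others: $csd_item"; csd_bad=1
        fi
    done
    return "$csd_bad"
}

# Constructed value; the directory is not expected to exist on this host.
check_ssldatabase "file:/opt/siebel/siebsrvr/bin/owm/wallets/siebel" || true
```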