Siebel CRM Siebel Security Guide
Siebel Innovation Pack 2016, Rev. A
E24814-01

About Using Cookies with Siebel Business Applications

Siebel Business Applications running in the Web browser use cookies for a variety of purposes. This topic describes the types of cookies used and provides instructions for enabling cookies for Siebel Business Applications.

Cookies used by Siebel Business Applications can be encrypted using standard encryption algorithms. The auto-login credential cookie is always encrypted; encryption of the session ID carried in the session cookie is optional and is controlled by the EncryptSessionId parameter (see "Session ID Encryption"). Siebel Business Applications use the following kinds of cookies:


Note:

It is recommended that you always run Siebel applications in HTTPS mode so that cookies are marked as secure. This ensures that secure and insecure content are not mixed. Applications run in HTTP mode do not mark cookies as secure.

Using cookies helps to maintain user session information. Browsers with cookies disabled cannot maintain a Siebel user session. Siebel does not support or recommend cookieless mode.

Session Cookie

The session cookie consists of the session ID generated for a user's session. This cookie is used to manage the state of the user's session. The session cookie applies to the Siebel Web Client only.

Cookie modes are determined on the Siebel Web Server Extension (SWSE) by the setting of the SessionTracking parameter in the eapps.cfg file. For information about setting parameters in the eapps.cfg file, see Appendix A, "Configuration Parameters Related to Authentication."

The SessionTracking parameter settings are:

  • Automatic

    With the default SessionTracking setting of Automatic, the SWSE runs in cookie-based mode when the user's browser accepts cookies, and session information is maintained through cookies.

  • Cookie

    To force the SWSE to always use cookie-based mode, set the following parameters in the eapps.cfg file to the values shown:

    SessionTracking = Cookie
    URLSession = FALSE
    CookieSession = TRUE
    

    If you want to implement cookie-based mode, be aware of the following:

    • If you set SessionTracking to Cookie, Web browsers with cookie handling disabled cannot maintain a Siebel user session.

    • If you use the Internet Explorer Web browser, make sure that the Web server host name does not include special characters. Internet Explorer does not set session cookies if the Web server host name contains a character such as the underscore (_); a host name may contain only letters, digits and hyphens (-).


    Note:

    Siebel Open UI requires cookie-based mode. If you implement Siebel Open UI, set the SessionTracking parameter in the eapps.cfg file to Cookie.

  • URL

    Do not set SessionTracking to URL. Always set URLSession to False. Siebel Open UI clients do not support cookieless mode.

Some Siebel application requirements relating to the settings of the SessionTracking parameter are as follows:

  • The Quick Print feature requires that you set SessionTracking to Automatic (the default). For information about using this printing feature, see Siebel Fundamentals. For information about browser requirements for this feature, see Siebel System Administration Guide.

  • Inbound EAI HTTP Transport requires cookie-based mode. You can omit the SessionTracking parameter, or set it to either Automatic (the default) or Cookie, in each eapps.cfg file section whose name starts with eai. For more information about inbound EAI HTTP Transport, see Transports and Interfaces: Siebel Enterprise Application Integration and other relevant Siebel EAI documentation.

  • The Remember My User ID functionality requires that you set SessionTracking to either Automatic (the default) or Cookie. Make sure that cookies are enabled in the browser. See also the description of the auto-login credential cookie in "Auto-Login Credential Cookie".

If you have implemented Web Single Sign-On as your method of user authentication, then, for security reasons, it is recommended that you implement cookie mode by setting the SessionTracking parameter to Cookie.
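The following script is added here as a worked example; it is not part of Oracle's documentation or of the Siebel product. It parses an eapps.cfg file and reports settings that contradict the SessionTracking rules listed in this topic (no URL mode, URLSession always FALSE, CookieSession = TRUE with SessionTracking = Cookie, cookie-based mode for every eai section, Cookie for Open UI and Web SSO) together with the EnableSecureCookie and EncryptSessionId settings described later in this topic. Two things it assumes are not stated in this topic: application sections are named in the form /application_language (for example /callcenter_enu), and a value set in the [swe] section is the default for sections that do not set it. The two sample file contents are constructed, one weak and one hardened.

```python
"""Audit the session-tracking and cookie settings in a Siebel eapps.cfg file.

Added example, not Oracle's code. The rules checked are the ones stated in
this topic: SessionTracking must be Automatic or Cookie and never URL;
URLSession must be FALSE; SessionTracking = Cookie goes with
CookieSession = TRUE; sections whose names start with "eai" need
cookie-based mode; Open UI requires Cookie; EnableSecureCookie in [swe]
should be True. Assumptions not stated on the page: application sections
are named like "/callcenter_enu", and a value in [swe] is the default for
any section that does not set it.
"""
import configparser

# Constructed sample: a weakly configured eapps.cfg.
WEAK_EAPPS_CFG = """\
[swe]
Language = enu
SessionTracking = Automatic
URLSession = FALSE
CookieSession = TRUE
EnableSecureCookie = False
EncryptSessionId = FALSE

[/callcenter_enu]
ConnectString = siebel.TCPIP.None.None://siebsrvr:2321/SBA/SCCObjMgr_enu
SessionTracking = URL
URLSession = TRUE

[/eai_enu]
ConnectString = siebel.TCPIP.None.None://siebsrvr:2321/SBA/EAIObjMgr_enu
SessionTracking = Cookie
"""

# Constructed sample: the same file with the settings this topic recommends.
HARDENED_EAPPS_CFG = """\
[swe]
Language = enu
SessionTracking = Cookie
URLSession = FALSE
CookieSession = TRUE
EnableSecureCookie = True
EncryptSessionId = TRUE

[/callcenter_enu]
ConnectString = siebel.TCPIP.None.None://siebsrvr:2321/SBA/SCCObjMgr_enu

[/eai_enu]
ConnectString = siebel.TCPIP.None.None://siebsrvr:2321/SBA/EAIObjMgr_enu
"""


def load_eapps_cfg(text):
    """Parse eapps.cfg text; configparser lower-cases option names."""
    cp = configparser.ConfigParser(interpolation=None, strict=False)
    cp.read_string(text)
    return cp


def _truthy(value):
    return str(value).strip().lower() in ("true", "1", "yes")


def _setting(section, swe, key, default):
    """Value from the section, else from [swe] (assumed default), else the documented default."""
    return str(section.get(key, swe.get(key, default))).strip()


def audit_eapps_cfg(text, open_ui=True, web_sso=False):
    """Return a list of (section, severity, message) findings."""
    cp = load_eapps_cfg(text)
    swe = cp["swe"] if cp.has_section("swe") else {}
    findings = []

    if not _truthy(swe.get("enablesecurecookie", "True")):   # documented default is True
        findings.append(("swe", "HIGH", "EnableSecureCookie is not True: the Secure attribute is not set on session cookies"))
    if not _truthy(swe.get("encryptsessionid", "FALSE")):     # optional, but recommended
        findings.append(("swe", "INFO", "EncryptSessionId is not TRUE: the session ID is sent in clear, structured form"))

    for name in cp.sections():
        sec = cp[name]
        tracking = _setting(sec, swe, "sessiontracking", "Automatic").lower()
        is_eai = name.lstrip("/").lower().startswith("eai")   # assumed section naming

        if tracking == "url":
            findings.append((name, "HIGH", "SessionTracking = URL selects cookieless mode, which Siebel does not support"))
        elif tracking not in ("automatic", "cookie"):
            findings.append((name, "HIGH", f"unrecognised SessionTracking value {tracking!r}"))
        if _truthy(_setting(sec, swe, "urlsession", "FALSE")):
            findings.append((name, "HIGH", "URLSession must always be FALSE"))
        if tracking == "cookie" and not _truthy(_setting(sec, swe, "cookiesession", "TRUE")):
            findings.append((name, "MEDIUM", "SessionTracking = Cookie requires CookieSession = TRUE"))
        if tracking == "automatic" and not is_eai:
            # Quick Print needs Automatic, so this is only flagged for Open UI / Web SSO deployments.
            if open_ui:
                findings.append((name, "MEDIUM", "Siebel Open UI requires SessionTracking = Cookie"))
            elif web_sso:
                findings.append((name, "LOW", "with Web Single Sign-On, SessionTracking = Cookie is recommended"))
    return findings


if __name__ == "__main__":
    for label, cfg in (("weak", WEAK_EAPPS_CFG), ("hardened", HARDENED_EAPPS_CFG)):
        print(f"== {label} ==")
        for section, severity, message in audit_eapps_cfg(cfg) or [("-", "OK", "no findings")]:
            print(f"{severity:6} [{section}] {message}")
```

Run it against the weak sample and it reports the URL mode and URLSession = TRUE in /callcenter_enu, the disabled Secure attribute, and the Automatic default that Open UI does not accept; the hardened sample produces no findings. The open_ui flag exists because Quick Print requires Automatic while Open UI requires Cookie, which is a deployment decision the script cannot make for you.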

Cookie-Based Mode

This topic describes how session IDs are generated and processed in cookie-based mode. Cookie-based mode applies when SessionTracking is set to Cookie, or when SessionTracking is set to Automatic and the user's browser accepts cookies.

When a Siebel Web Client user successfully logs into Siebel Business Applications, a unique session ID is generated for that user. The steps involved in a user session are as follows:

  1. The components of the session ID are generated in the Siebel Server and sent to the Session Manager running in the SWSE.

  2. The session ID is passed to the client either in the URL or in a cookie as determined by the value of the SessionTracking parameter.

    In cookie-based mode, the following occurs:

    • The session ID is passed to the user's browser in the form of a nonpersistent cookie which is stored in memory. It stays in the browser for the duration of the session, and is deleted when the user logs out or is timed out.

    • For every application request that the user makes during the session, the cookie is passed to the Web server in an HTTP header as part of the request.

    • The SWSE parses the incoming cookie to obtain the session ID and, if the ID is valid, processes the request. If the HTTP header does not include a cookie containing a valid session ID, then the Web server does not honor that request.

Using Secure Cookies

To increase the security of session cookies, Siebel Business Applications assign the Secure attribute to all session cookies by default. Setting the Secure attribute for cookies specifies that the cookies are to be transmitted to Web servers only over HTTPS connections, that is, to Web servers that have enabled TLS.

The EnableSecureCookie parameter is used to configure whether or not the Secure attribute is set for Siebel session cookies. If the parameter is set to True, then the Secure attribute is set for all session cookies. If the parameter is set to False, then the Secure attribute is not assigned to session cookies.

The following procedure describes how to configure secure cookies.

To enable secure cookies 

  1. Navigate to the eapps.cfg file in the SWEAPP_ROOT\bin directory.

  2. In the [swe] section of the eapps.cfg file, set the value of the EnableSecureCookie parameter to True, which is the default value.

  3. Verify that the Siebel Web server is configured to support HTTPS.

    If you set the EnableSecureCookie parameter to True, but the Siebel Web server does not support HTTPS communications, then the Secure attribute is not assigned to Siebel session cookies and the cookies can be sent over HTTP connections between the Siebel Web server and the Siebel client.
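Because EnableSecureCookie = True has no effect when the Web server is not serving HTTPS, the configuration alone does not prove that session cookies are protected; the Set-Cookie header the browser actually receives does. The following script is added here as an example and is not Oracle's code or part of the Siebel product. It parses the Set-Cookie headers from a captured login response and reports whether the session cookie carries the Secure attribute. Both responses are constructed, and the cookie name sn is taken from the session ID example later in this topic; a real deployment may use a different cookie name, so that name is an assumption.

```python
"""Verify from the HTTP response, not the configuration, that the Siebel
session cookie carries the Secure attribute.

Added example, not Oracle's code. EnableSecureCookie = True has no effect
when the Web server is not serving HTTPS, so a reviewer should confirm the
attribute on a captured Set-Cookie header. Both responses below are
constructed; the cookie name "sn" is taken from the session ID example in
this topic and is an assumption about a real deployment.
"""

# Constructed: the login response from an HTTPS front end.
RESPONSE_HTTPS = (
    "HTTP/1.1 200 OK\r\n"
    "Content-Type: text/html; charset=UTF-8\r\n"
    "Set-Cookie: sn=!1.132.6024.3ca46b0a; path=/callcenter_enu; Secure\r\n"
    "\r\n"
    "<html>...</html>"
)

# Constructed: the same login served over plain HTTP; EnableSecureCookie is
# True in eapps.cfg but the Secure attribute is absent from the cookie.
RESPONSE_HTTP = (
    "HTTP/1.1 200 OK\r\n"
    "Content-Type: text/html; charset=UTF-8\r\n"
    "Set-Cookie: sn=!1.132.6024.3ca46b0a; path=/callcenter_enu\r\n"
    "\r\n"
    "<html>...</html>"
)


def parse_set_cookies(response_text):
    """Map cookie name -> {"value": str, "attrs": {attribute (lower-cased): str or True}}
    for every Set-Cookie header in a raw HTTP response."""
    head = response_text.split("\r\n\r\n", 1)[0]
    cookies = {}
    for line in head.split("\r\n")[1:]:          # skip the status line
        header, sep, rest = line.partition(":")
        if not sep or header.strip().lower() != "set-cookie":
            continue
        parts = [p.strip() for p in rest.split(";")]
        name, _, value = parts[0].partition("=")
        attrs = {}
        for attr in parts[1:]:
            key, has_value, attr_value = attr.partition("=")
            attrs[key.strip().lower()] = attr_value.strip() if has_value else True
        cookies[name.strip()] = {"value": value, "attrs": attrs}
    return cookies


def session_cookie_is_secure(response_text, cookie_name="sn"):
    """True only if the session cookie is present and flagged Secure."""
    cookie = parse_set_cookies(response_text).get(cookie_name)
    return cookie is not None and cookie["attrs"].get("secure") is True


def audit_response(response_text, cookie_name="sn"):
    """Return a one-line verdict for a captured login response."""
    cookies = parse_set_cookies(response_text)
    if cookie_name not in cookies:
        return f"no {cookie_name} cookie in response"
    if session_cookie_is_secure(response_text, cookie_name):
        return f"{cookie_name} cookie is marked Secure; the browser sends it only over HTTPS"
    return (f"{cookie_name} cookie lacks the Secure attribute: either EnableSecureCookie "
            "is False or the Web server is not serving HTTPS")


if __name__ == "__main__":
    print("HTTPS front end:", audit_response(RESPONSE_HTTPS))
    print("HTTP front end: ", audit_response(RESPONSE_HTTP))
```

To use it on a real deployment, paste the raw response captured from the login request (for example from the browser's network tools or a proxy) in place of the constructed text. A cookie without Secure on a server that is meant to be HTTPS-only points at step 3 above: the Web server is answering over HTTP somewhere in the path.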

Session ID Encryption

The session ID is composed of the applicable server ID, process ID, and task ID, combined with a timestamp. All values are in hexadecimal form, as shown:

server_ID.process_ID.task_ID.timestamp

For example, the session ID might resemble the following:

sn=!1.132.6024.3ca46b0a

You can optionally choose to encrypt the session ID in the cookie (cookie-based mode). To encrypt the session ID, set the EncryptSessionId parameter to TRUE in the eapps.cfg file.

Encrypting the session ID hides its structure (server ID, process ID, task ID and timestamp) from the client, so that an unauthorized user who observes a session ID cannot read those values or use them to construct other plausible session IDs. Encryption does not by itself protect a session ID that is captured in transit; transmitting cookies only over HTTPS with the Secure attribute set (see "Using Secure Cookies") addresses that.

It is strongly recommended that you use an AES encryption key length of up to 256 bits. To increase the encryption key length, you must use Siebel Strong Encryption. For more information about Siebel Strong Encryption, see "About Siebel Strong Encryption".


Note:

If the user changes the password during an application session, then the password information in the session ID might no longer allow the user to access Siebel Reports during this session. This is the case when using both database authentication and password hashing. After changing the password, the user must log out and log in again in order to be able to run reports.
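The following script is added here as an example of what the clear-text session ID layout described above exposes; it is not Oracle's code or part of the Siebel product. It splits a session ID value into its server ID, process ID, task ID and timestamp fields, and tells whether a captured cookie value still has that layout, which is a quick way to confirm from the client side whether EncryptSessionId is in effect. Two assumptions are not stated in this topic: the leading ! in the example value is a fixed prefix, and the timestamp field counts seconds since the Unix epoch. The sample value is the one shown in this topic.

```python
"""Decode a clear-text Siebel session ID of the form
server_ID.process_ID.task_ID.timestamp (all fields hexadecimal) and tell
whether a captured cookie value still has that layout.

Added example, not Oracle's code. Assumptions not stated in this topic: the
leading "!" in the example value is a fixed prefix, and the timestamp field
is seconds since the Unix epoch. The sample value is the one shown in the
text.
"""
from datetime import datetime, timezone

SAMPLE_SESSION_ID = "!1.132.6024.3ca46b0a"   # the value shown in this topic


def parse_session_id(cookie_value):
    """Split "!1.132.6024.3ca46b0a" into its integer fields.

    Raises ValueError when the value does not have four dot-separated
    hexadecimal fields, which is what an encrypted session ID looks like.
    """
    fields = cookie_value.strip().lstrip("!").split(".")
    if len(fields) != 4:
        raise ValueError(f"expected 4 dot-separated fields, got {len(fields)}")
    server_id, process_id, task_id, ts = (int(f, 16) for f in fields)
    return {
        "server_id": server_id,
        "process_id": process_id,
        "task_id": task_id,
        "timestamp": ts,
        # assumption: the timestamp counts seconds since the Unix epoch
        "issued_at": datetime.fromtimestamp(ts, tz=timezone.utc),
    }


def is_clear_text_session_id(cookie_value):
    """True when the cookie value parses as the clear-text layout, i.e.
    EncryptSessionId is not in effect for the deployment that issued it.
    Anyone who can read these fields learns which Siebel Server, process
    and task own the session and when it was created."""
    try:
        parse_session_id(cookie_value)
    except ValueError:
        return False
    return True


def describe_session_id(cookie_value):
    """One-line summary suitable for a review note."""
    if not is_clear_text_session_id(cookie_value):
        return "session ID is not in clear-text layout (encrypted, or not a Siebel session ID)"
    p = parse_session_id(cookie_value)
    return (f"server {p['server_id']}, process {p['process_id']}, task {p['task_id']}, "
            f"issued {p['issued_at']:%Y-%m-%d %H:%M:%S} UTC")


if __name__ == "__main__":
    print(describe_session_id(SAMPLE_SESSION_ID))
    print(describe_session_id("2rCdIgbd1Jl7sXyz9JmKQA=="))   # constructed opaque value
```

For the value shown in this topic the script reports server 1, process 306 and task 24612, created on 2002-03-29 under the epoch-seconds assumption. An opaque value that does not split into four hexadecimal fields is reported as not clear text, which is the expected result after EncryptSessionId is set to TRUE.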

Auto-Login Credential Cookie

The auto-login credential cookie underlies the Remember My User ID feature on the login page. This cookie consists of the user name for a given user, and the URL string used to access the application. The auto-login credential cookie is persistent and is stored on the user's browser in encrypted form (it is always encrypted). The AES algorithm encrypts this cookie. The result of this encryption is then encoded using base64 Content-Transfer-Encoding. This cookie applies to the Siebel Web Client only.

The auto-login credential cookie is not mandatory. It is an optional way to allow users not to have to enter their user name every time they log in. If the user subsequently accesses the application URL through another browser window, then the user information is provided to the application so the user does not have to provide it again.

The format of the auto-login credential cookie is as follows:

start.swe=encrypted_user_information

Note:

Functionality provided by the auto-login credential cookie is not available in cookieless mode.

Related Topic

"About Using Cookies with Siebel Business Applications"

Enabling Cookies for Siebel Business Applications

This topic describes how to enable the Microsoft Internet Explorer Web browser to handle cookies used by Siebel Business Applications. These instructions can vary depending on your supported browser version.


Note:

If you are using a browser other than Internet Explorer to run Siebel Business Applications, see your browser documentation for information on enabling cookies.

To enable cookies using Internet Explorer  

  1. Choose Tools, and then Internet Options.

  2. Click the Privacy tab.

  3. In Privacy settings, click Advanced.

  4. Verify that Override automatic cookie handling is checked. Also consider:

    • If First-party Cookies is set to Accept, then all Siebel cookies are enabled.

    • If First-party Cookies are blocked, then you can still enable the session cookie by checking Always allow session cookies.

  5. Click OK, then click OK again.

Related Topic

"About Using Cookies with Siebel Business Applications"