Siebel CRM Siebel Security Guide
Siebel Innovation Pack 2016, Rev. A
E24814-01
Contents
List of Figures
List of Tables
Title and Copyright Information
Preface
Audience
Documentation Accessibility
Related Documents
Conventions
1 What's New in This Release
What's New in Siebel Security Guide, Siebel Innovation Pack 2016, Rev. A
What's New in Siebel Security Guide, Siebel Innovation Pack 2016
What's New in Siebel Security Guide, Siebel Innovation Pack 2015
2 About Security for Siebel Business Applications
About This Guide
General Security Concepts
Industry Standards for Security
About Supported Security Products
Siebel Security Architecture
User Authentication for Secure System Access
Security Adapter for Database Authentication
Security Adapters for LDAP and ADSI Authentication
Web Single Sign-On
Security Adapter SDK
End-to-End Encryption for Data Confidentiality
About Controlling Access to Data
View-Level Access Control
Record-Level Access Control
Support for Auditing in a Siebel Environment
Secure Physical Deployment to Prevent Intrusion
Security for Mobile Solutions
Mobile Device User Authentication
Security Settings for the Web Browser
About URL-Based Authentication
Web Sites with Security Information
Using Transport Layer Security with Siebel CRM
Supported TLS Versions and RSA SHA
About Siebel Open UI
Roadmap for Configuring Security
3 Changing and Managing Passwords
About Managing and Changing Passwords
Guidelines for Changing Passwords
Characters Supported in Siebel Passwords
Supported Characters
Unsupported Characters
About Default Accounts
Database Accounts
Siebel User Accounts
Changing System Administrator Passwords on Microsoft Windows
Changing the Password for the Siebel Service Owner Account
Changing the Password for the Siebel Administrator Account
Changing AnonPassword When SADMIN is set to Anonymous User
Changing the Siebel Administrator Password on UNIX
Changing the Table Owner Password
Troubleshooting Password Changes By Checking for Failed Server Tasks
About the Gateway Name Server Authentication Password
Using Siebel Utilities to Access the Gateway Name Server
Encrypted Passwords in the eapps.cfg File
Encrypting Passwords Using the encryptstring Utility
About Encryption of Gateway Name Server Password Parameters
Upgrading to Siebel CRM
Determining Encrypted Parameters and Values in the Siebns.dat File
4 Communications and Data Encryption
Types of Encryption
Communications Encryption
Data Encryption
Process of Configuring Secure Communications
About Certificates and Key Files Used for TLS Authentication
About Supported Values for Certificate Encryption Keys
Increasing the Certificate Key Sizes Supported For SISNAPI Communications
Installing Certificate Files
About Installing Certificate Files on Windows
About Installing Certificate Files on UNIX
Installing Certificate Files on UNIX for Client Authentication
Configuring Certificates for the Java Web Container Server
Setting HTTP Proxy for UNIX Using the mwcontrol Utility
Configuring TLS Mutual Authentication
About Configuring Encryption for a Siebel Enterprise and SWSE
About Key Exchange for Microsoft Crypto or RSA Encryption
Configuring TLS Encryption for a Siebel Enterprise or Siebel Server
Deploying TLS for a Siebel Enterprise or Siebel Server
Setting Additional Parameters for Siebel Server TLS
Configuring TLS Encryption for SWSE
Deploying TLS for Siebel Web Server Extension
Configuring TLS Encryption for SWSE
Enabling TLS Acceleration for Web Server and Web Client Communications
About Configuring Encryption for Web Clients
About Session Cookies and Web Clients
Configuring Encryption for Mobile Web Client Synchronization
About Data Encryption
How Data Encryption Works
Requirements for Data Encryption
Encrypted Database Columns
Upgrade Issues for Data Encryption
Configuring Encryption and Search on Encrypted Data
Managing the Key File Using the Key Database Manager
Adding New Encryption Keys
Changing the Key File Password
About Upgrading Data to a Higher Encryption Level
Process of Upgrading Data to a Higher Encryption Level
Requirements for Upgrading to a Higher Encryption Level
Modifying the Input File
About Using the Where Clause and Flags in the Input File
Running the Encryption Upgrade Utility
Implementing Siebel Strong Encryption
About Siebel Strong Encryption
Requirements for Implementing Siebel Strong Encryption
Implementing Siebel Strong Encryption
Increasing the Encryption Level
Reencrypting Password Parameters in the Siebns.dat File
Security Considerations for Unicode Support
Using Non-ASCII Characters in a Unicode Environment
Logging In to a Siebel Application
Encrypted Data
About Encoding UI Values
5 Security Adapter Authentication
About User Authentication
Issues for Developer and Mobile Web Clients
Comparison of Authentication Strategies
About Siebel Security Adapters
Authentication Directories
Security Adapter Authentication
Event Logging for Siebel Security Adapters
About Database Authentication
Database Authentication Process
Features Not Available for Database Authentication
Implementing Database Authentication
About Implementing the Database Security Adapter
About Password Expiration
Implementing Database Authentication with Microsoft SQL Server
About LDAP or ADSI Security Adapter Authentication
LDAP and ADSI Security Adapter Authentication Process
Directory Servers Supported by Siebel Business Applications
Comparison of LDAP and ADSI Security Adapters
About Administering the Directory through Siebel Business Applications
Using the LDAP Security Adapter with Active Directory: Setting the Base DN
Communicating with More Than One Authentication Server
ADSI Security Adapter
LDAP Security Adapter
Requirements for the LDAP Directory or Active Directory
LDAP Security Adapter Requirements
ADSI Security Adapter Requirements
About Setting Up the LDAP Directory or Active Directory
About Creating the Application User in the Directory
Verifying the Active Directory Client Installation
About Installing Oracle LDAP Client Software
Requirements for Oracle LDAP Client Installation
Installing Oracle LDAP Client Software Using Siebel Enterprise Server Installer
Process of Installing and Configuring Oracle LDAP Client Software Without Using Siebel Enterprise Server Installer
Considerations if Using LDAP Authentication with TLS
Installing the Oracle LDAP Client Software on Windows
Installing the Oracle LDAP Client Software on UNIX
Configuring the siebenv.csh and siebenv.sh Scripts for the Oracle LDAP Client
Linux and Oracle Solaris Operating Systems
AIX Operating System
HP-UX Operating System
Creating a Wallet for Certificate Files When Using LDAP Authentication with TLS
Creating an Oracle Wallet
Enabling TLS for the Siebel LDAP Security Adapter
Configuring LDAP or ADSI Security Adapters Using the Siebel Configuration Wizard
Process of Implementing LDAP or ADSI Security Adapter Authentication
Requirements for Implementing an LDAP or ADSI Authentication Environment
About Creating a Database Login for Externally Authenticated Users
Setting Up the LDAP Directory or Active Directory
Creating Users in the LDAP Directory or Active Directory
Adding User Records in the Siebel Database
Setting Security Adapter Parameters in the SWSE Configuration File (eapps.cfg)
Configuring Security Adapter Gateway Name Server Parameters
Parameters for Enterprise, Siebel Servers, or Components
Parameters for Application Object Manager Components
Parameters for Security Adapter (Profile/Named Subsystem)
Configuring LDAP or ADSI Authentication for Developer Web Clients
Configuring Security Adapter Parameters for Developer Web Clients
Setting a System Preference for Developer Web Clients
Restarting Servers
Testing the LDAP or ADSI Authentication System
About Migrating from Database to LDAP or ADSI Authentication
Considerations in Migrating to LDAP or ADSI Authentication
Migrating from Database to LDAP or ADSI Authentication
Security Adapter Deployment Options
Configuring the Application User
About Application User Permissions
Defining the Application User
Application User and Password Expiration Policies
Configuring Checksum Validation
Configuring Secure Communications for Security Adapters
Configuring TLS for the LDAP Security Adapter
Configuring TLS for the ADSI Security Adapter
Configuring the Shared Database Account
Shared Database Accounts and Administrative Users
Storing Shared Database Account Credentials as Directory Attributes
Storing Shared Database Account Credentials as Profile Parameters
Configuring Adapter-Defined User Name
Configuring the Anonymous User
Anonymous Browsing and the Anonymous User
Configuring Roles Defined in the Directory
About Password Hashing
Login Scenario for Password Hashing
Process of Configuring User and Credentials Password Hashing
Guidelines for Password Hashing
Configuring User Password Hashing
Configuring Password Hashing of Database Credentials
Running the Password Hashing Utility
Hashing Passwords Using the RSA SHA-1 Algorithm
About Authentication for Gateway Name Server Access
Authentication Mechanisms
About the gateway.cfg File
Implementing LDAP or ADSI Authentication for the Gateway Name Server
Security Adapters and the Siebel Developer Web Client
Sample LDAP Section in Configuration File
Remote Configuration Option for Developer Web Client
About Authentication for Mobile Web Client Synchronization
About the Synchronization Process for Remote Users
Authentication Options for Synchronization Manager
6 Single Sign-On Authentication
Supported Single Sign-On Solutions for Siebel Deployment
About Web Single Sign-On
Web Single Sign-On Limitations
Web Single Sign-On and Silent Login
About Implementing Web Single Sign-On
Web Single Sign-On Implementation Considerations
Web Single Sign-On Options
Web Single Sign-On Authentication Process
Requirements for Standards-Based Web Single Sign-On
Set Up Tasks for Standards-Based Web Single Sign-On
Requirements for Microsoft Windows Integrated Authentication
Configuring Internet Explorer for Windows Integrated Authentication
Process of Implementing Windows Integrated Authentication
Requirements for the Example Windows Integrated Authentication Environment
Setting Up Active Directory to Store Siebel User Credentials for Windows Integrated Authentication
Configuring the Microsoft IIS Web Server for Windows Integrated Authentication
Configuring the IIS Web Server to Authenticate against Active Directory
Configuring Authentication for Siebel Virtual Directories
(Optional) Creating Protected Virtual Directories
Creating Users in the Directory (Windows Integrated Authentication)
Adding User Records in the Siebel Database
Setting Web Single Sign-On Authentication Parameters in the SWSE Configuration File
Setting Web Single Sign-On Authentication Parameters for the Gateway Name Server
Editing Web Single Sign-On Parameters in the Application Configuration File
Restarting Servers
Testing Web Single Sign-On Authentication
About Digital Certificate Authentication
Configuring the User Specification Source
Configuring the Session Timeout
Configuring the Session Timeout
Testing the Web Single Sign-On Session Timeout Configuration
Configuring Siebel CRM and Oracle BI Publisher for Web Single Sign-On
Configuring Siebel CRM for Integration with Oracle BI Publisher with Web Single Sign-On
Configuring Oracle BI Publisher for Integration with Siebel CRM with Web Single Sign-On
Enabling Reports Scheduling with Web Single Sign-On
Enabling Transport Layer Security for Oracle BI Publisher Running on Oracle WebLogic Server
Configuring Siebel CRM and Oracle Business Intelligence Enterprise Edition for Web Single Sign-On
Web Single Sign-On Authentication Process When Using Siebel REST and Web Services in Portal Application
About Implementing Federated Single Sign-On
Federated Single Sign-On Authentication Process for Interactive User Interfaces
About Configuring Interactive User Interfaces for Federated Single Sign-On
Identity Provider-Initiated Single Sign-On Authentication Process
Oracle API Gateway Role in Single Sign-On
7 Security Features of Siebel Web Server Extension
Configuring a Siebel Web Client to Use HTTPS
Login Security Features
Implementing Secure Login
Logging Out of a Siebel Application
Login User Names and Passwords
Remember My User ID
Account Policies and Password Expiration
About Password Expiration
Password Expiration on Active Directory
About Using Cookies with Siebel Business Applications
Session Cookie
Cookie-Based Mode
Using Secure Cookies
Session ID Encryption
Auto-Login Credential Cookie
Enabling Cookies for Siebel Business Applications
8 User Administration
About User Registration
Requirements for User Registration
Seed Data for User Registration
About Anonymous Browsing
Process of Implementing Anonymous Browsing
Anonymous Browsing and the Anonymous User Record
Setting Configuration Parameters for Anonymous Browsing
Configuring Views for Anonymous Browsing or Explicit Login
About Self-Registration
User Experience for Self-Registration
Process of Implementing Self-Registration
Self-Registration and the Anonymous User Record
Setting the PropagateChange Parameter for Self-Registration
About Activating Workflow Processes for Self-Registration
About the Self-Registration Workflow Processes
About the Self-Registration Workflow Process Views
(Optional) Modifying Self-Registration Views and Workflows
Replacing the License Agreement Text
About Revising a Workflow Process
Custom Business Services
Redefining Required Fields
Adding or Deleting Fields in an Existing View
About Changing the Physical Appearance of a View or Applet
About Creating a New View for Self-Registration
(Optional) Managing Duplicate Users
Modifying Updated Fields for a Duplicate User
Modifying Fields Used to Determine a Duplicate User
Deactivating the Duplicate User Check
Identifying Disruptive Workflows
About Managing Forgotten Passwords
Retrieving a Forgotten Password (Users)
Defining Password Length for Retrieved Passwords
Related Topic
Architecture for Forgotten Passwords
About Modifying the Workflow Process for Forgotten Passwords
Modifying Workflow Process to Query Null Fields
Modifying Workflow Process to Request Different Identification Data
Modifying the User Interface for User Registration
Modifying Input Arguments for the Workflow Process
Internal Administration of Users
About Adding a User to the Siebel Database
Adding a New Employee
Completing Employee Setup
Deactivating an Employee
About Adding a New Partner User
Adding a New Contact User
Promoting a Contact to a Contact User
Modifying the New Responsibility for a User Record
Delegated Administration of Users
User Authentication Requirements for Delegated Administration
Access Considerations for Delegated Administration
Registering Contact Users (Delegated Administration)
Registering Partner Users (Delegated Administration)
Maintaining a User Profile
Editing Personal Information
Changing a Password
Changing the Active or Primary Position
Changing the Active Position in a Siebel Employee Application
Changing the Primary Position in a Siebel Partner Application
9 Configuring Access Control
About Access Control
Access Control for Parties
Access Control for Data
Data Categorization for Master Data
Access Control Mechanisms
About Personal Access Control
About Position Access Control
About Single-Position Access Control
About Team (Multiple-Position) Access Control
About Manager Access Control
Business Component Uses Position Access Control
Business Component Uses Personal Access Control
About Organization Access Control
About Single-Organization and Multiple-Organization Access Control
About Suborganization Access Control
About All Access Control
About Access-Group Access Control
Planning for Access Control
Access Control and Business Environment Structure
Benefits of Multiple Organizations
Deciding Whether to Set Up Multiple Organizations
About Planning for Divisions
About Planning for Organizations
About Planning for Positions
Positions and Employees
Position Administration
About Planning for Responsibilities
Setting Up Divisions, Organizations, Positions, and Responsibilities
Setting Up Divisions
Setting Up Organizations
Setting Up Positions
Setting Up Responsibilities and Adding Views and Users
About View and Data Access Control
Listing the Views in an Application
Responsibilities and Access Control
About Associating a Responsibility with Organizations
Local Access for Views and Responsibilities
Read Only View for Responsibilities
Assigning a Responsibility to a Person
Using Responsibilities to Allow Limited Access to Server Administration Views
Viewing Business Component View Modes
Configuring Access to Business Components from Scripting Interfaces
Configuring the Scripting Operations Permitted on Business Components (Siebel Server Parameter)
Configuring the Scripting Operations Permitted on Business Components (Business Component User Property)
Viewing an Applet's Access Control Properties
Listing View Access Control Properties
Example of Flexible View Construction
About Implementing Access-Group Access Control
Scenario That Applies Access-Group Access Control
Implementing the Reseller Resources Access Control Structure
Viewing Categorized Data (Users)
Implementing Access-Group Access Control
About Administering Catalogs of Data
Administration Tasks for Positions, Organizations, Households, and User Lists
About Administering Positions
About Administering Organizations
About Administering Households
Administering User Lists
Administering Access Groups
Creating an Access Group
Modifying an Access Group
Modifying an Access Group Hierarchy
Associating Access Groups with Data
Associating an Access Group with a Catalog
Associating an Access Group with a Category
Managing Tab Layouts Through Responsibilities
Specifying Tab Layouts for Responsibilities
Assigning a Primary Responsibility
Exporting and Importing Tab Layouts
Exporting Tab Layouts
Importing Tab Layouts
Managing Tasks Through Responsibilities
Associating Responsibilities with a Task
Creating Task Links for a Responsibility
Administering Access Control for Business Services
Associating a Business Service with a Responsibility
Associating a Responsibility with a Business Service
Example of Associating a Responsibility with Business Service Methods
Clearing Cached Business Services
Disabling Access Control for Business Services
Administering Access Control for Business Processes
Clearing Cached Responsibilities
About Configuring Visibility of Pop-Up and Pick Applets
About Setting Visibility of the Pick List Object Definition
About Using the Visibility Auto All Property
About Using the Special Frame Class and User Properties
About Configuring Drilldown Visibility
Drilldown Visibility Within the Same Business Object
Drilldown Visibility Between Different Business Objects
Visibility Rules for the Drilldown Object Type
Visibility Rules for the Link Object Type
Example of Visibility in a Drilldown Between Different Business Objects
Party Data Model
How Parties Relate to Each Other
Person (Contact) Data Model
User Data Model
Employee Data Model
Position Data Model
Account Data Model
Division Data Model
Organization Data Model
Partner Organization Data Model
Household Data Model
User List Data Model
Access Group Data Model
10 Troubleshooting Security Issues
Troubleshooting User Authentication Issues
Troubleshooting User Registration Issues
Troubleshooting Access Control Issues
A Configuration Parameters Related to Authentication
About Parameters in the eapps.cfg File
Sample Eapps.cfg File
Authentication-Related Parameters in Eapps.cfg
About the SessionTimeout Parameter
About the Protected Virtual Directory Parameter
TLS-Related Parameters in Eapps.cfg
Siebel Gateway Name Server Parameters
Parameters for Database Authentication
Parameters for LDAP or ADSI Authentication
Parameters for Custom Security Adapter Authentication
Parameters for Application Object Manager
Parameters in the Gateway.cfg File
Parameters in the [InfraNameServer] Section
Parameters in the [InfraSecMgr] Section
Parameters in the [DBSecAdpt] Section
Parameters in the [DataSources] Section
Parameters in the [LDAPSecAdpt] or [ADSISecAdpt] Section
Siebel Application Configuration File Parameters
Parameters in the [InfraUIFramework] Section
Parameters in [InfraSecMgr] Section
Parameters in [DBSecAdpt] Section
Parameters in Data Source Section
Parameters in [LDAPSecAdpt] or [ADSISecAdpt] Section
B Seed Data
Seed Employee
Seed Users
Seed Responsibilities
Listing the Views Associated with a Responsibility
Seed Position and Organization
C Addendum for Siebel Financial Services
Siebel Financial Services Applications
User Authentication for Siebel Financial Services
LDAP and ADSI Security Adapter Authentication
About Implementing LDAP and ADSI Security Adapter Authentication
About Setting Up Security Adapter Authentication
About Implementing Web SSO Authentication
About Setting Up Web SSO
Parameters in the eapps.cfg and eapps_sia.cfg Files
Siebel Application Configuration File Parameters
User Registration and Administration for Siebel Financial Services
Seed Data
Unregistered Users and Anonymous Browsing
Self-Registration
Internal Administration of Users
External Administration of Users
Access Considerations
Maintaining a User Profile
Basic Access Control for Siebel Financial Services
Access Control Mechanisms
Access-Group Access Control
Administration of Access-Group Access Control
Associating an Access Group with a Catalog
Associating an Access Group with a Category
Configuration File Names for Siebel Financial Services Applications
Seed Data for Siebel Financial Services
Seed Users
Seed Responsibilities
Index