Siebel CRM: Siebel Security Hardening Guide, Siebel Innovation Pack 2016, E24815-01
This topic outlines recommendations for securing Siebel Business Applications data when performing configuration tasks. In addition to applying critical patch updates, encoding relevant data, and implementing secure coding practices, perform the recommendations in the following topics:
When creating, implementing, and publishing Web services, implement the WS-Security UserName Token mechanism to pass user credentials (Username and Password) to Web services. Passing the user name and password in the Web service URL is not supported in Siebel CRM version 8.1 or 8.2.
Using the WS-Security UserName Token mechanism means that user names and passwords do not have to be passed to Web services in the URL and a session cookie does not have to be passed with the HTTP request. For additional information on the WS-Security UserName Token, see Integration Platform Technologies: Siebel Enterprise Application Integration.
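As an added illustration, not code from the Siebel guide, the following Python sketch shows what a WS-Security UsernameToken header looks like inside the SOAP envelope, and a defensive check that flags credential-like query parameters in a Web service URL (the discouraged pattern). The namespace URIs are the standard OASIS WS-Security 1.0 identifiers; the parameter names in the URL check are assumed examples, not a Siebel-defined list.

```python
import xml.etree.ElementTree as ET
from urllib.parse import urlparse, parse_qs

# Standard SOAP 1.1 and OASIS WS-Security 1.0 namespaces (not Siebel-specific).
SOAP_NS = "http://schemas.xmlsoap.org/soap/envelope/"
WSSE_NS = "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd"
PASSWORD_TEXT = ("http://docs.oasis-open.org/wss/2004/01/"
                 "oasis-200401-wss-username-token-profile-1.0#PasswordText")
ET.register_namespace("soapenv", SOAP_NS)
ET.register_namespace("wsse", WSSE_NS)


def build_envelope(username, password, body_xml):
    """Return a SOAP envelope whose Header carries a WS-Security UsernameToken.

    body_xml is the serialized operation payload; it goes into the Body unchanged.
    Credentials travel in the header, so nothing needs to be put in the URL."""
    env = ET.Element(f"{{{SOAP_NS}}}Envelope")
    header = ET.SubElement(env, f"{{{SOAP_NS}}}Header")
    security = ET.SubElement(header, f"{{{WSSE_NS}}}Security")
    token = ET.SubElement(security, f"{{{WSSE_NS}}}UsernameToken")
    ET.SubElement(token, f"{{{WSSE_NS}}}Username").text = username
    pwd = ET.SubElement(token, f"{{{WSSE_NS}}}Password", Type=PASSWORD_TEXT)
    pwd.text = password
    body = ET.SubElement(env, f"{{{SOAP_NS}}}Body")
    body.append(ET.fromstring(body_xml))
    return ET.tostring(env, encoding="unicode")


def token_from_envelope(xml_text):
    """Extract (username, password) from the UsernameToken header, or None if absent."""
    root = ET.fromstring(xml_text)
    token = root.find(f".//{{{WSSE_NS}}}UsernameToken")
    if token is None:
        return None
    return (token.findtext(f"{{{WSSE_NS}}}Username"),
            token.findtext(f"{{{WSSE_NS}}}Password"))


def credentials_in_url(url):
    """Review check: return query parameter names that look like credentials.

    The set of names is an assumed example; extend it to match local conventions."""
    suspect = {"username", "user", "password", "pwd"}
    params = parse_qs(urlparse(url).query)
    return sorted(p.lower() for p in params if p.lower() in suspect)
```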
When you create an inbound Web service based on a Siebel business service or a Siebel workflow process, make sure that the Web service is secure. Siebel CRM does not verify the security of inbound Web services you create.
This topic describes measures you can take to protect Siebel application data from HTML injection attacks.
Siebel Business Applications allow you to display HTML content in fields in the user interface. For Control objects that display field values, you can set the HTML Display Mode property to control how the field value is rendered in the user interface. You can specify the following values for the HTML Display Mode property:
EncodeData. If the field value contains HTML reserved characters, then they are encoded before they are displayed so that the HTML displays as text in the user interface and is not executed as an HTML command. It is recommended that you set the HTML Display Mode property to EncodeData for each Control object to ensure executable statements are not included in Siebel data records.
DontEncodeData. Use this value only when the value of the field is HTML text and you want the HTML to be executed. Selecting this value is not recommended because the HTML text can be the object of malicious interference.
FormatData. This value is used when description or comment fields are in a read-only layout. Selecting this value causes the field data to be formatted as HTML. For further information, see Siebel Object Types Reference.
Oracle recommends that you review all Control objects whose HTML Display Mode property is set to either DontEncodeData or FormatData, and consider changing the value of the property to EncodeData. The following SQL command returns the name and display mode of each Control object whose HTML Display Mode property is set to either FormatData or DontEncodeData:
SELECT NAME, HTML_DISPLAY_MODE FROM SIEBEL.S_CONTROL WHERE HTML_DISPLAY_MODE IN ('FormatData', 'DontEncodeData')
Review the list of Control objects returned in the query. You cannot change the value of the HTML Display Mode property to EncodeData for all Control objects in one operation from within the Siebel application. The property must be set for each control individually.
If you choose another method of changing the HTML Display Mode property to EncodeData for all the Control objects returned in the query, then consider the consequences carefully before proceeding. It is recommended that you contact your Oracle sales representative for Oracle Advanced Customer Services to request assistance with this task.
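The following Python example is added here and is not part of the Siebel guide. It audits a constructed sample of query rows for controls that need review, and models how the three HTML Display Mode values treat a field value containing markup; the APPLET column in the sample rows and the rendering of FormatData are assumptions for illustration, not Siebel's actual renderer.

```python
import html

# Constructed sample rows, shaped like an S_CONTROL query result. The APPLET column
# is assumed for illustration so the auditor can locate each control in Siebel Tools.
SAMPLE_ROWS = [
    {"NAME": "Comment", "APPLET": "Account Form Applet", "HTML_DISPLAY_MODE": "EncodeData"},
    {"NAME": "Description", "APPLET": "SR Detail Applet", "HTML_DISPLAY_MODE": "FormatData"},
    {"NAME": "Note", "APPLET": "Contact Notes Applet", "HTML_DISPLAY_MODE": "DontEncodeData"},
]

REVIEW_MODES = {"FormatData", "DontEncodeData"}


def controls_to_review(rows):
    """Return (applet, control, mode) for every control not set to EncodeData."""
    return [(r["APPLET"], r["NAME"], r["HTML_DISPLAY_MODE"])
            for r in rows if r["HTML_DISPLAY_MODE"] in REVIEW_MODES]


def render_field(value, mode):
    """Approximate model of each mode's effect on a field value (assumption, not Siebel code).

    EncodeData: HTML reserved characters become entities, so markup shows as text.
    DontEncodeData: the value is emitted as-is and the browser interprets any markup.
    FormatData: modelled as HTML formatting of the raw value (line breaks to <br>)."""
    if mode == "EncodeData":
        return html.escape(value, quote=True)
    if mode == "DontEncodeData":
        return value
    if mode == "FormatData":
        return value.replace("\n", "<br>")
    raise ValueError(f"unknown HTML Display Mode: {mode}")


def markup_survives(value, mode):
    """True if a '<' from the stored value reaches the browser unencoded under this mode."""
    return "<" in render_field(value, mode)
```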
To strengthen your Siebel application and data against attacks, you can specify the name of each of the host servers that are authorized for use with the Siebel application. The following procedure describes how to specify the names of these trusted servers.
To specify the names of trusted servers
Start Siebel Tools.
In the Object Explorer, select the Application object type.
The Applications list appears.
Query for the name of your Siebel application in the Object List Editor.
For example, for the Siebel Call Center application, query for Siebel Universal Agent.
Lock the application object.
In the Object Explorer, expand the Application object type, then select the Application User Prop object type.
The Application User Props list appears.
In the Object List Editor, add an application user property for each server used by the Siebel application. For example:
Name: AllowedServerNamesUrl0, Value: server_name1
Name: AllowedServerNamesUrl1, Value: server_name2
Compile the project associated with the application into an SRF file.
External business components are used to access data that resides in a non-Siebel table or view using a Siebel business component. When configuring external business components, you must specify the data source for the external table that contains the data you want to access.
To prevent users from having to log in when accessing the external data source, specify the data source user name and password using the DSUsername and DSPassword parameters when configuring the data source named subsystem for each data source accessed by an external business component. The DSUsername and DSPassword parameters are activated only when using the database security adapter. For information on configuring external business components, see Integration Platform Technologies: Siebel Enterprise Application Integration.
The HTTP protocol supports a number of methods that are used to specify the operation to be performed on a resource on the Web. Siebel Business Applications support the HTTP GET and POST methods only. All other HTTP methods are blocked to maximize the security of your Siebel application. For information on using the HTTP GET and POST methods with Siebel Business Applications, see Transports and Interfaces: Siebel Enterprise Application Integration.
In Siebel Innovation Pack 2014 and later, you can allow a specific blocked method to be invoked over HTTP GET by using the GETEnabledMethods user property. For information about using the GETEnabledMethods user property, see Configuring Siebel Open UI.
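Because Siebel rejects every HTTP method other than GET and POST, requests using other methods in the Web server access log are worth watching as a sign of probing. The following Python detection routine is an added example, not part of the Siebel guide; the log lines are constructed samples in Common Log Format and the request path is a placeholder.

```python
import re

# Constructed sample access-log lines (Common Log Format); the path is a placeholder.
SAMPLE_LOG = """\
10.0.0.5 - - [10/Mar/2017:09:15:02 +0000] "GET /siebel_app/start.swe HTTP/1.1" 200 5120
10.0.0.5 - - [10/Mar/2017:09:15:03 +0000] "POST /siebel_app/start.swe HTTP/1.1" 200 812
10.0.0.9 - - [10/Mar/2017:09:16:10 +0000] "OPTIONS /siebel_app/start.swe HTTP/1.1" 405 0
10.0.0.9 - - [10/Mar/2017:09:16:11 +0000] "TRACE /siebel_app/start.swe HTTP/1.1" 405 0
10.0.0.9 - - [10/Mar/2017:09:16:12 +0000] "PUT /siebel_app/start.swe HTTP/1.1" 405 0
10.0.0.7 - - [10/Mar/2017:09:17:00 +0000] "GET /siebel_app/start.swe HTTP/1.1" 200 4410
"""

ALLOWED_METHODS = {"GET", "POST"}  # the only methods Siebel Business Applications accept
LINE_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+) [^"]*" (\d{3}) \S+$')


def parse_line(line):
    """Parse one Common Log Format line into a dict, or None if it does not match."""
    m = LINE_RE.match(line)
    if not m:
        return None
    client, ts, method, path, status = m.groups()
    return {"client": client, "time": ts, "method": method,
            "path": path, "status": int(status)}


def blocked_method_events(log_text):
    """Return the parsed requests that used a method other than GET or POST."""
    events = (parse_line(l) for l in log_text.splitlines() if l.strip())
    return [e for e in events if e and e["method"] not in ALLOWED_METHODS]


def clients_probing_methods(log_text, threshold=2):
    """Clients that sent at least `threshold` distinct non-GET/POST methods.

    Several different blocked methods from one client looks like method
    enumeration rather than a single misconfigured integration."""
    per_client = {}
    for e in blocked_method_events(log_text):
        per_client.setdefault(e["client"], set()).add(e["method"])
    return sorted(c for c, methods in per_client.items() if len(methods) >= threshold)
```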