Siebel CRM Siebel Security Hardening Guide
Siebel Innovation Pack 2016
E24815-01

Enabling Encryption of Network Traffic

If a Siebel Business Applications deployment over the Internet does not implement encryption between users' browsers and the Web server, or between the Web server and application server, then the deployment is susceptible to network sniffing and the compromise of sensitive data. Implementing encryption for all network traffic and for all sensitive data prevents network sniffing attacks.

In Siebel Business Applications, stored data can be selectively encrypted at the field level, and access to this data can be secured. In addition, data can be converted into an encrypted form for transmission over a network. Encrypting communications safeguards such data from unauthorized access.

As illustrated in Figure 3-5, encryption protects confidentiality along the entire data communications path, from the Web client browser to the Web server, to the Siebel Server, and back again. It is recommended that TLS encryption be enabled where possible. Figure 3-5 shows the types of encryption available for communications within the Siebel environment. Communications encryption is available in the following areas:

Figure 3-5 Encryption of Communications in the Siebel Business Applications Environment


For additional information on encryption options available, see the following topics:

Enabling Encryption Between the Web Client Browser and Web Server

Siebel Business Applications run using the Siebel Web Client in a standard Web browser. When a user accesses a Siebel application, a Web session is set up between the browser and the Siebel Server, with the Web server in between. To protect against session hijacking when sensitive data is transmitted, it is recommended that you use the TLS protocol for communications between the browser and Web server, if support for this protocol is provided by your Web server.

The use of TLS for Web server and Siebel Web Client communications is transparent to Siebel Business Applications. For information on configuring TLS for Web server communications with the browser, see the vendor documentation.

You can specify the Web pages (known as views) within a Siebel application that are to use TLS. For additional information, see "Setting Security Features of the Siebel Web Server Extension".

Enabling Encryption Between the Web Server and Siebel Server

Siebel Business Applications components communicate over the network using a Siebel TCP/IP-based protocol called SISNAPI (Siebel Internet Session API). You have the option to secure SISNAPI using TLS or embedded encryption from RSA or Microsoft Crypto APIs. These technologies allow data to be transmitted securely between the Web server and the Siebel Server. For additional information, see Siebel Security Guide.

Enabling Encryption Between the Siebel Server and Siebel Database

For secure transmission between the Siebel database and the Siebel Server, data can be encrypted using the proprietary security protocols specific to the database in use. For additional information, see your RDBMS vendor documentation.

Enabling Encryption for Security Adapters

You can implement TLS encryption for connections between a Siebel LDAP or ADSI security adapter and a certified LDAP directory or Active Directory. By enabling encryption for the Siebel security adapter, a secure connection is established between the Siebel application and the directory server.

The procedure for implementing encryption for a security adapter varies according to the type of security adapter you implement. The following parameters must be set:

  • To configure encryption for the LDAP security adapter, set the SslDatabase parameter value for the LDAP Security Adapter profile or named subsystem to the absolute path of the Oracle wallet directory.

  • To configure encryption (TLS) for the ADSI security adapter, set the parameter UseSsl to a value of True for the ADSI Security Adapter profile or named subsystem.

For detailed information on implementing communications encryption for a security adapter, see the topics about installing LDAP client software and process of installing and configuring LDAP client software in Siebel Security Guide.
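A configuration check for the two settings above, as an added example rather than Oracle tooling or code from this guide: it reads a constructed parameter export and reports profiles where SslDatabase is missing or not an absolute path, or where UseSsl is not True. The INI layout, the profile names and the AdapterType key are assumptions made for the example; only SslDatabase and UseSsl come from this topic.

```python
import configparser
import ntpath
import posixpath

# Constructed export of security adapter profile parameters. The INI layout,
# profile names and AdapterType key are assumptions made for this example.
SAMPLE_EXPORT = r"""
[LdapProfileA]
AdapterType = LDAP
SslDatabase = /u01/siebel/wallet
[LdapProfileB]
AdapterType = LDAP
SslDatabase = wallet
[LdapProfileC]
AdapterType = LDAP
[AdsiProfileA]
AdapterType = ADSI
UseSsl = True
[AdsiProfileB]
AdapterType = ADSI
UseSsl = False
"""

def is_absolute(path):
    """Accept POSIX and Windows (drive-letter or UNC) absolute paths."""
    return posixpath.isabs(path) or ntpath.isabs(path)

def audit_adapters(export_text):
    """Return {profile: finding} for profiles that do not enable encryption."""
    cfg = configparser.ConfigParser(delimiters=("=",), interpolation=None)
    cfg.optionxform = str  # keep parameter names exactly as written
    cfg.read_string(export_text)
    findings = {}
    for name in cfg.sections():
        params = cfg[name]
        kind = params.get("AdapterType", "").strip().upper()
        if kind == "LDAP":
            wallet = params.get("SslDatabase", "").strip()
            if not wallet:
                findings[name] = "SslDatabase not set"
            elif not is_absolute(wallet):
                findings[name] = "SslDatabase is not an absolute path"
        elif kind == "ADSI":
            # Case-insensitive match on "True" is a choice made by this check.
            if params.get("UseSsl", "").strip().lower() != "true":
                findings[name] = "UseSsl is not True"
        else:
            findings[name] = "unknown adapter type"
    return findings
```

The check validates only the form of the settings; it does not confirm that the wallet directory exists or that the directory server actually negotiates TLS.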

About Using TLS with Siebel Enterprise Application Integration (EAI)

It is recommended that Siebel Business Applications external interfaces (EAI), which use Web services to send and receive messages over HTTP, encrypt communications using the TLS protocol.

The Siebel EAI HTTP Transport business service lets you send XML messages over HTTP to a target URL (Web site) and uses the Siebel Web Engine (SWE) to provide inbound messaging from an application that uses HTTP.

For outbound messages, Siebel CRM supports client authentication for TLS-based communications (mutual authentication) using the EAI HTTP Transport business service. For information on configuring mutual authentication, see Transports and Interfaces: Siebel Enterprise Application Integration and Siebel Security Guide.

To enable TLS for inbound messaging using the EAI HTTP Transport business service, follow the steps in Siebel Security Guide that describe how to configure a Siebel Web Client to use TLS.