| Siebel CRM Siebel Security Guide Siebel Innovation Pack 2017, Rev. A E24814-01 |
|
 Previous |
 Next |
View PDF |
| Siebel CRM Siebel Security Guide Siebel Innovation Pack 2017, Rev. A E24814-01 |
|
Previous |
Next |
View PDF |
You can encrypt sensitive data in the Siebel database using AES encryption. It is recommended that you implement AES encryption for increased data security.
See the following topics for information about data encryption:
You configure encryption using Siebel Tools. For details, see "Configuring Encryption and Search on Encrypted Data".
When encryption is enabled for a column in a database table, unencrypted data from all the fields in this column is sent through the AES Encryptor. The encryptor encrypts the data using an encryption key stored in the key file.
After the data is encrypted, it is sent back to the database. When a user accesses this data, the encrypted data is sent through the encryptor again to be decrypted. The data is decrypted using the same encryption key from the key file that was used for encryption. The decrypted data is then sent to the business component field to be displayed in the application. For information on configuring encryption for a database column, see "Configuring Encryption and Search on Encrypted Data".
The key file stores a number of encryption keys that encrypt and decrypt data. The key file is named keyfile.bin and is located in the SIEBSRVR_ROOT/admin directory of each Siebel Server. Additional encryption keys can be added to the key file. For security, the keyfile.bin file is itself encrypted with the key file password. For information on using the Key Database Manager utility to add encryption keys and to change the key file password, see "Managing the Key File Using the Key Database Manager".
|
Note: The loss of the key file's password is irrecoverable. |
This topic outlines the restrictions and requirements to bear in mind when encrypting data.
|
Caution: Do not attempt to change the encryption key length after a Siebel environment has been set up and is running. To do so requires the regeneration of all keys (including the key file), as well as the re-encryption of all the applicable data. Rather, set the key length once during installation. You can, however, use the supported mechanisms to explicitly upgrade the encryption key lengths. |
The following requirements exist for data encryption:
Because encryption and decryption have performance implications, encrypt only column data that is truly sensitive, such as credit card numbers and social security numbers.
Siebel Assignment Manager does not decrypt data before making assignments. Assignment rules must take this limitation into consideration.
When creating a link object to define a one-to-many relationship between a master business component and a detail business component, the source and destination fields specified in the link object definition must not be encrypted fields. If encrypted fields are specified, then the Siebel application cannot create the association between the two business components. For detailed information on configuring links, see Configuring Siebel Business Applications.
Data that is moved into or out of the Siebel database using Siebel EIM is not encrypted or decrypted by EIM.
For additional information on encrypting EIM data after it is imported into an encrypted column, see "Running the Encryption Upgrade Utility".
Encrypted data is retrieved, decrypted, and displayed from the fields in the encrypted column when records are selected. Users can perform exact-match queries on the unencrypted values for these fields if you create a hash column to store the hash values. For information, see "Configuring Encryption and Search on Encrypted Data".
You can only apply AES encryption to data in database columns that are at least 32 bytes long. You cannot encrypt database columns of type VarChar that are less than 30 bytes long.
Encrypted data requires more storage space in the database than unencrypted data. You must specify appropriate data length for the affected columns. Use the following formulae when you allocate storage space for encrypted data:
For ASCII characters, the column size must be: (number of characters * [multiplied by] 2) + [plus] 10.
For non-English characters, the column size must be: (number of characters * [multiplied by] 4) + [plus] 10.
If you create a Hash Column (to enable search on encrypted data), then specify VarChar as the physical type of the column. The column size must be at least 30 characters; this is a requirement for use of the SHA-1 algorithm.
Field-level AES encryption is not supported for Developer Web Clients.
Encryption is not supported for List of Values (LOV) columns or multilingual LOV (MLOV) columns.
Encryption is not supported for join columns or foreign key columns.
Encryption for a Mobile Web Client.
Rather than encrypt data using AES encryption, the local database is encrypted. For information about encrypting the local database, see Siebel Remote and Replication Manager Administration Guide. For information about configuring encryption when the Mobile Web Client's local database is synchronized, see "Configuring Encryption for Mobile Web Client Synchronization".
Siebel Business Applications provide a number of database columns that are encrypted by default. Table 4-2 lists the database table columns encrypted by default in the Siebel database. For information on how to encrypt a database column, see "Configuring Encryption and Search on Encrypted Data".
Table 4-2 Encrypted Database Table Columns
| Table | Table Column |
|---|---|
|
S_AGREE_TERMS |
CC_NUMBER |
|
S_CM_CNCTR_PARM |
ENCRYPTED_VALUE |
|
S_CONTACT_FNX |
YL_PASSWD |
|
S_DOC_ORDER |
CC_NUMBER |
|
CCV_NUMBER |
|
|
S_INV_PROF |
CC_NUMBER |
|
CCV_NUMBER |
|
|
S_ORDER |
CC_NUMBER |
|
S_PTY_PAY_PRFL |
PAY_ACCNT_NUM |
|
VERIFICATION_NUM |
|
|
S_SMQ_ADDR |
SECURITY_TOKEN |
|
S_SRC_PAYMENT |
CC_NUM |
|
S_SSO_SYS_USER |
SSO_PASSWORD |
|
S_USER |
CHALLENGE_ANSWER |
|
CHALLENGE_QUESTION |
|
|
T_DETAIL |
ENCRPTD_COL |
The CC_NUMBER and CC_NUM columns listed in Table 4-2 are used to store credit card number data. The Payment Card Industry (PCI) Data Security Standard (DSS) is a set of standards designed to enhance the security of credit card data in organizations that process such data. It is contrary to the PCI standards to store credit card numbers in a database. The CC_NUMBER and CC_NUM columns are provided for backwards-compatibility purposes only and might be removed in a future release.
This topic describes data encryption issues to consider when upgrading from a previous release of Siebel Business Applications to a Siebel 8.x release.
Application developers enable data encryption by encrypting columns in database tables. All fields in the encrypted columns are encrypted.
When you upgrade from an earlier release to the current release, the upgrade process automatically migrates business component field user properties to database table column properties so that all fields in the encrypted column are encrypted.
|
Note: If data encryption is to work in a current release, then the encrypted column and the key index column must reside in the same database table. For information on encrypting database columns in Siebel 8.x releases, see "Configuring Encryption and Search on Encrypted Data" and "Encrypting Columns in a Business Component". |
