Siebel CRM Siebel Security Guide
Siebel Innovation Pack 2017, Rev. A
E24814-01

Installing and Configuring Oracle LDAP Client Software

Install the Oracle LDAP Client, which is part of the Oracle Database Client, only for non-Oracle Database deployments and if there is no external or existing Oracle LDAP Client installed on your machine.

To install the Oracle LDAP Client software (which includes Oracle Wallet Manager) and to configure it for your environment, perform the following tasks:


Note:

If you install the Oracle LDAP Client with a Siebel Enterprise Server that connects to an Oracle Database, then this installation resets the existing Oracle Home defined for the Oracle LDAP Client to the new Oracle LDAP Client. Consequently, Siebel Business Applications will be unable to connect to the database.

  1. Review "Requirements for Implementing an LDAP Authentication Environment for Oracle LDAP Client Installation"

  2. Review "Considerations if Using LDAP Authentication with TLS"

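  3. Perform one of the following tasks, as appropriate:

    • "Installing the Oracle LDAP Client Software on Windows"

    • "Installing the Oracle LDAP Client Software on UNIX"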

  4. (UNIX operating systems only) "Configuring the siebenv.csh and siebenv.sh Scripts for the Oracle LDAP Client"

  5. (Optional) "Creating a Wallet for Certificate Files When Using LDAP Authentication with TLS"

Considerations if Using LDAP Authentication with TLS

This topic provides information on using LDAP authentication with TLS. The Oracle LDAP Client requires that Oracle Wallet Manager is installed if TLS must be supported. The LDAP libraries and utilities provided with the Oracle LDAP Client use the TLS libraries provided with Oracle Wallet Manager.

This task is a step in "Installing and Configuring Oracle LDAP Client Software".

  • If Oracle Wallet Manager is installed, then the LDAP libraries dynamically load the TLS libraries and use them to enable TLS, when TLS is configured.

  • If Oracle Wallet Manager is not installed and the TLS libraries are not available, then the LDAP library is fully functional, with the exception of TLS support.

By using TLS with server authentication, an LDAP application can use simple LDAP authentication (user ID and password) over an encrypted communication connection between the LDAP client application and the LDAP server. In addition, TLS provides data confidentiality (encryption) on connections protected by TLS. Authentication of servers to clients is accomplished with X.509 certificates.

It is assumed that TLS capability is, or will be, required for Siebel LDAP authentication. Therefore, the LDAP client installation process includes Oracle Wallet Manager installation as an integral part. If you are absolutely sure that TLS will never be turned on for Siebel LDAP authentication, then you do not have to install Oracle Wallet Manager.

Installing the Oracle LDAP Client Software on Windows

This topic describes how to obtain the Oracle LDAP Client installation files on Microsoft Windows and how to install the Oracle LDAP Client and Oracle Wallet Manager.


Note:

As of Siebel Innovation Pack 2017, the Oracle LDAP Client is no longer provided as part of Siebel product media; it is now installed as part of the Oracle Database Client, which you must download separately from Oracle Software Delivery Cloud.

This task is a step in "Installing and Configuring Oracle LDAP Client Software".

To install the Oracle LDAP Client and Oracle Wallet Manager on Windows 

  1. Log on to Microsoft Windows.

  2. Obtain Oracle LDAP Client installation files as follows:

    1. Go to the Certifications tab on My Oracle Support (https://support.oracle.com).

    2. Search for Oracle Database Client and download it from Oracle Software Delivery Cloud. Oracle Database Client contains both Oracle Database and Oracle LDAP Client.

  3. Copy the files in the \enu directory to a directory on the Siebel Server and Siebel Gateway where you want to install the Oracle LDAP Client.

  4. Install the Oracle LDAP Client, selecting the Runtime option when you are prompted to select the type of installation you want to perform.

    For detailed information on installing Oracle LDAP Client, see Oracle® Database Client Installation Guide 12c Release 1 (12.1) for Microsoft Windows and the Certification tab on My Oracle Support. When the installation has completed, the following software is available on the Siebel Server and Siebel Gateway:

    • Oracle LDAP SDK

    • Oracle LDAP client library

    • Oracle Wallet Manager


      Note:

      The Oracle LDAP client software components are embedded in the Oracle LDAP Client and are not listed as separately installed programs on the Siebel Server.

  5. Set the value of the ORACLE_HOME environment variable to the location of the directory into which you installed the Oracle LDAP Client files, for example:

    set ORACLE_HOME=C:\oracle\SUN32\12C\12.1.x
    

    Note:

    If you are using Siebel Business Applications with an Oracle Database, and if you have a previous Oracle LDAP Client installation, change the value of ORACLE_HOME to specify the location of the Oracle LDAP Client you have just installed. You can set the ORACLE_HOME environment variable by navigating to the following location on your machine: Computer, Properties, Advanced System Settings, Environment Variables, and then System Variables.

  6. Set the value of the Security Adapter Dll Name parameter to sscforacleldap.dll.

    For information on the Security Adapter Dll Name parameter, see "Parameters for Configuring Security Adapter Authentication".

  7. Stop and restart the Siebel Server and Siebel Gateway.

Installing the Oracle LDAP Client Software on UNIX

This topic describes how to obtain the Oracle LDAP Client installation files on a UNIX operating system platform.


Note:

As of Siebel Innovation Pack 2017, the Oracle LDAP Client is no longer provided as part of Siebel product media; it is now installed as part of the Oracle Database Client, which you must download separately from Oracle Software Delivery Cloud.

This task is a step in "Installing and Configuring Oracle LDAP Client Software".

To install the Oracle LDAP Client and Oracle Wallet Manager on UNIX 

  1. Log in as a nonroot user.

  2. Obtain Oracle LDAP Client installation files as follows:

    1. Go to the Certifications tab on My Oracle Support (https://support.oracle.com).

    2. Search for Oracle Database Client and download it from Oracle Software Delivery Cloud. Oracle Database Client contains both Oracle Database and Oracle LDAP Client.

  3. Install the Oracle Database Client.

Configuring the siebenv.csh and siebenv.sh Scripts for the Oracle LDAP Client

After you have installed the Oracle LDAP Client on your UNIX operating system, you must add the directory path of the Oracle LDAP Client libraries to the library path environment variable in either the siebenv.csh (C shell) or siebenv.sh (Bourne or Korn shell) shell scripts. When you source these scripts, they set the environment variables for your Siebel implementation.

The siebenv.csh and siebenv.sh scripts are created in the $SIEBEL_ROOT directory during the Siebel Server installation and configuration process. Edit the siebenv.csh or siebenv.sh script, as described in the following topics, where $ORACLE_HOME/lib is the installation path of your Oracle LDAP Client libraries.

This task is a step in "Installing and Configuring Oracle LDAP Client Software".

Linux and Oracle Solaris Operating Systems

On Linux and Oracle Solaris operating systems, the name of the library path environment variable is LD_LIBRARY_PATH. Depending on whether you source the siebenv.csh or the siebenv.sh script, set the LD_LIBRARY_PATH variable as follows:

  • siebenv.csh

    # Prepend the Siebel and Oracle LDAP Client library directories,
    # keeping any existing value at the end of the path.
    if ($?LD_LIBRARY_PATH) then
    setenv LD_LIBRARY_PATH ${SIEBEL_ROOT}/lib:${SIEBEL_ROOT}/lib/odbc/merant:${ORACLE_HOME}/lib:${MWHOME}/lib:${SQLANY}/lib:/usr/lib:${LD_LIBRARY_PATH}
    else
    setenv LD_LIBRARY_PATH ${SIEBEL_ROOT}/lib:${SIEBEL_ROOT}/lib/odbc/merant:${ORACLE_HOME}/lib:${MWHOME}/lib:${SQLANY}/lib:/usr/lib
    endif
    
  • siebenv.sh

    # The test is true when LD_LIBRARY_PATH is empty or unset.
    if [ "a${LD_LIBRARY_PATH}" = "${LD_LIBRARY_PATH}a" ]
    then
    LD_LIBRARY_PATH=${SIEBEL_ROOT}/lib:${SIEBEL_ROOT}/lib/odbc/merant:${ORACLE_HOME}/lib:${MWHOME}/lib:${SQLANY}/lib:/usr/lib
    else
    LD_LIBRARY_PATH=${SIEBEL_ROOT}/lib:${SIEBEL_ROOT}/lib/odbc/merant:${ORACLE_HOME}/lib:${MWHOME}/lib:${SQLANY}/lib:/usr/lib:${LD_LIBRARY_PATH}
    fi
    export LD_LIBRARY_PATH
    

AIX Operating System

On the AIX operating system, the name of the library path environment variable is LIBPATH. Depending on whether you source the siebenv.csh or the siebenv.sh script, set the LIBPATH variable as follows:

  • siebenv.csh

    # Prepend the Siebel and Oracle LDAP Client library directories,
    # keeping any existing value at the end of the path.
    if ($?LIBPATH) then
    setenv LIBPATH ${SIEBEL_ROOT}/lib:${SIEBEL_ROOT}/lib/odbc/merant:${ORACLE_HOME}/lib:${MWHOME}/lib:${SQLANY}/lib:/usr/lib:${LIBPATH}
    else
    setenv LIBPATH ${SIEBEL_ROOT}/lib:${SIEBEL_ROOT}/lib/odbc/merant:${ORACLE_HOME}/lib:${MWHOME}/lib:${SQLANY}/lib:/usr/lib
    endif
    
  • siebenv.sh

    # The test is true when LIBPATH is empty or unset.
    if [ "a${LIBPATH}" = "${LIBPATH}a" ]
    then
    LIBPATH=${SIEBEL_ROOT}/lib:${SIEBEL_ROOT}/lib/odbc/merant:${ORACLE_HOME}/lib:${MWHOME}/lib:${SQLANY}/lib:/usr/lib
    else
    LIBPATH=${SIEBEL_ROOT}/lib:${SIEBEL_ROOT}/lib/odbc/merant:${ORACLE_HOME}/lib:${MWHOME}/lib:${SQLANY}/lib:/usr/lib:${LIBPATH}
    fi
    export LIBPATH
    

HP-UX Operating System

On the HP-UX operating system, the name of the library path environment variable is SHLIB_PATH. Depending on whether you source the siebenv.csh or the siebenv.sh script, set the SHLIB_PATH variable as follows:

  • siebenv.csh

    # Prepend the Siebel and Oracle LDAP Client library directories,
    # keeping any existing value at the end of the path.
    if ($?SHLIB_PATH) then
    setenv SHLIB_PATH ${SIEBEL_ROOT}/lib:${SIEBEL_ROOT}/lib/odbc/merant:${ORACLE_HOME}/lib:${MWHOME}/lib:${SQLANY}/lib:/usr/lib:${SHLIB_PATH}
    else
    setenv SHLIB_PATH ${SIEBEL_ROOT}/lib:${SIEBEL_ROOT}/lib/odbc/merant:${ORACLE_HOME}/lib:${MWHOME}/lib:${SQLANY}/lib:/usr/lib
    endif
    
  • siebenv.sh

    # The test is true when SHLIB_PATH is empty or unset.
    if [ "a${SHLIB_PATH}" = "${SHLIB_PATH}a" ]
    then
    SHLIB_PATH=${SIEBEL_ROOT}/lib:${SIEBEL_ROOT}/lib/odbc/merant:${ORACLE_HOME}/lib:${MWHOME}/lib:${SQLANY}/lib:/usr/lib
    else
    SHLIB_PATH=${SIEBEL_ROOT}/lib:${SIEBEL_ROOT}/lib/odbc/merant:${ORACLE_HOME}/lib:${MWHOME}/lib:${SQLANY}/lib:/usr/lib:${SHLIB_PATH}
    fi
    export SHLIB_PATH
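
The if/else in the siebenv scripts above appends the existing variable only when one exists, which avoids leaving a trailing colon in the library path. As an added example (not part of the Siebel documentation or scripts), the following POSIX shell function audits a library path value for empty entries, which the Linux dynamic linker resolves as the current working directory, and for relative, missing, or group/other-writable directories. The function name audit_libpath and the sample value are assumptions made for illustration.

```shell
#!/bin/sh
# Added example (not from the Siebel documentation): audit a colon-separated
# library search path such as the LD_LIBRARY_PATH value built by siebenv.sh.
# Prints one finding per line and returns 1 if anything was found.
audit_libpath() {
    lp_value=$1
    lp_rc=0
    [ -n "$lp_value" ] || return 0      # nothing set, nothing to audit

    # A leading, trailing or doubled colon creates an empty entry, which the
    # Linux dynamic linker resolves as the current working directory.
    case ":$lp_value:" in
        *::*) echo "EMPTY_ENTRY"; lp_rc=1 ;;
    esac

    # Split on ':' with globbing off, then restore the shell state.
    lp_ifs=$IFS; set -f; IFS=:
    set -- $lp_value
    IFS=$lp_ifs; set +f

    for lp_dir in "$@"; do
        [ -n "$lp_dir" ] || continue    # already reported as EMPTY_ENTRY
        case $lp_dir in
            /*) ;;
            *)  echo "RELATIVE $lp_dir"; lp_rc=1; continue ;;
        esac
        if [ ! -d "$lp_dir" ]; then
            echo "MISSING $lp_dir"; lp_rc=1; continue
        fi
        # Mode string from ls -ldL: column 6 is group write, column 9 is
        # other write. -L follows symbolic links to the real directory.
        case $(ls -ldL "$lp_dir" | cut -c1-10) in
            ?????w*|????????w*) echo "WRITABLE $lp_dir"; lp_rc=1 ;;
        esac
    done
    return $lp_rc
}

# Constructed sample value: the trailing colon is what the if/else in
# siebenv.sh avoids when the variable starts out empty.
audit_libpath "/usr/lib:" || echo "library path needs review"
```

After sourcing siebenv.sh, pass the resulting variable to the function, for example audit_libpath "$LD_LIBRARY_PATH", under the account that runs the Siebel Server.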
    

Creating a Wallet for Certificate Files When Using LDAP Authentication with TLS

If you are using LDAP authentication with TLS, then you must use Oracle Wallet Manager to create a wallet to store the certificates required for TLS communications. This topic describes how to create the wallet, and how to enable TLS for the Siebel LDAP security adapter. For detailed information on using Oracle Wallet Manager, see Oracle® Database Advanced Security Administrator's Guide.

By enabling TLS for the Siebel LDAP security adapter, an encrypted connection is established between the Siebel application and the LDAP server. For information on enabling TLS for an LDAP server, refer to your third-party LDAP server administration documentation. This topic assumes that the LDAP server is already TLS-enabled, that is, it accepts TLS connections.

This task is a step in "Installing and Configuring Oracle LDAP Client Software".

Creating an Oracle Wallet

To enable TLS for the Siebel LDAP security adapter, an Oracle wallet must be created on the Siebel Server computer which runs the Application Object Managers or other components that must support LDAP authentication through the LDAP security adapter. The Oracle wallet must contain CA server certificates that have been issued by Certificate Authorities to LDAP servers.

Use the following procedure to create an Oracle wallet. Before creating an Oracle Wallet, note that you must be logged in to Siebel as the same user that the Siebel Server service runs under and the wallet must be located in the default location for that user.

To create an Oracle wallet 

  1. Determine which Certificate Authorities issued the server certificate for your LDAP server and obtain this CA certificate.

  2. Copy the CA certificate to the computer where you have installed Oracle Wallet Manager.

  3. On the Siebel Server computer where you will run the Application Object Manager components that support LDAP authentication, create an Oracle wallet using Oracle Wallet Manager.

    To create the wallet, follow the detailed instructions in Oracle® Database Advanced Security Administrator's Guide. Specify the following values:

    1. In the New Wallet dialog box, enter a password for the wallet in the Wallet Password field, then reenter the password in the Confirm Password field.

    2. From the Wallet Type list, select Standard, then click OK.

      A new empty wallet is created.

    3. When prompted to specify whether or not you want to add a certificate request, select No.

      You return to the Oracle Wallet Manager main window.

    4. Save the wallet by selecting Wallet, then Save In System Default to save the wallet file to the default directory location:

      • For UNIX the default directory location is $ORACLE_HOME/bin/owm/wallets/username.

      • For Windows the default directory location is ORACLE_HOME\bin\owm\wallets\username.

      You must specify this directory when configuring TLS for clients and servers. You can save the wallet to a different directory if required.

  4. Import the certificate referred to in Step 2 into the wallet you have created.

    You can import as many CA certificates as required. For information on importing certificates, see Oracle® Database Advanced Security Administrator's Guide.


Note:

For LDAP servers that have their server certificate issued from a new CA, just add the CA certificate to the existing wallet, instead of creating a new wallet for every LDAP server.

Enabling TLS for the Siebel LDAP Security Adapter

Use the following procedure to configure TLS for the Siebel LDAP security adapter. For more information about LDAP security adapter configuration, see "Configuring Security Adapters Using the Siebel Management Console".

To enable TLS for the Siebel LDAP security adapter 

  1. Copy the wallet you created in "Creating an Oracle Wallet" to the Siebel Server computer where you will run the Application Object Manager components that support LDAP authentication.

  2. (Windows Only) If you are using Windows, do one of the following:

    • Copy the contents of the wallet directory ORACLE_HOME\bin\owm\wallets\username into a location that the Siebel Server service owner can access, for example c:\wallet.

    • Alternatively, change the Siebel Server service owner account log on values so that they are the same as the account used to create the wallet described in "Creating an Oracle Wallet". To change the Siebel Server service account owner log on values:

      • From the Windows Start menu, choose Settings, Control Panel, Administrative Tools, and then the Services item.

      • Right-click on the Siebel Server System Service, then select Properties.

      • In the Properties dialog box for this service, click the Log On tab.

      • Select the This Account option, then enter the name and password of the account used to create the wallet.

  3. Modify the LDAP security adapter configuration parameters using values similar to those shown in the following table.

    Parameter: Port
    Value: port_number

    The TLS port is configurable for the LDAP server. Verify the actual port number the LDAP server is using for TLS and specify that value. The default value is 636.

    Parameter: SSL
    Value: Select this check box to enable Secure Sockets Layer for socket connections to the host.

    Parameter: Enable SSL
    Value: Select this check box to use TLS for communications between the LDAP security adapter and the directory.

    Note the following:

    • The wallet file (ewallet.p12) must be stored in the keystore/truststore central location configured for Siebel Gateway, Siebel Application Interface, and other nodes.

    • Oracle LDAP client libraries are required to decipher the ewallet file, which is used to make secure connections (LDAPS) to the LDAP server.

    • The required Oracle LDAP client library files are:

      oraclepki.jar, osdt_core.jar, and osdt_cert.jar

      These library files must be located in the WEB-INF/lib directory for the Siebel Web application.

    Parameter: Wallet Password
    Value: wallet_password

    Specify the password you assigned to the wallet when creating the wallet.


    For information on configuring parameters for the LDAP security adapter, see "Configuring Security Adapters Using the Siebel Management Console" and "Parameters for Configuring Security Adapter Authentication".

  4. Restart the Siebel Server (if you are configuring LDAP on a Siebel Server).