| Siebel CRM Siebel Security Guide Siebel Innovation Pack 2017, Rev. A E24814-01 |
|
 Previous |
 Next |
View PDF |
| Siebel CRM Siebel Security Guide Siebel Innovation Pack 2017, Rev. A E24814-01 |
|
Previous |
Next |
View PDF |
The Siebel Developer Web Client relocates business logic from the Siebel Server to the client. The authentication architecture for the Developer Web Client differs from the authentication architecture for the standard Web Client, because it locates the following components on the client instead of the Siebel Server:
Application Object Manager (through the siebel.exe program)
Application configuration file
Authentication manager and security adapter
Oracle LDAP Client (where applicable)
|
Note: Siebel Business Applications support for the Siebel Developer Web Client is restricted to administration, development, and troubleshooting usage scenarios only. Siebel Business Applications does not support the deployment of this client to end users. |
When you implement security adapter authentication for Siebel Developer Web Clients, observe the following principles:
It is recommended to use the remote configuration option, which can help you make sure that all clients use the same configuration settings. This option is described later in this topic.
Authentication-related configuration parameters stored in application configuration files on client computers, or stored in remote configuration files, must generally contain the same values as the corresponding parameters in the Siebel Gateway (for Siebel Web Client users). Distribute the appropriate configuration files to all Siebel Developer Web Client users. For information about setting parameters in Siebel application configuration files on the Siebel Developer Web Client, see "Siebel Application Configuration Parameters".
It is recommended that you use checksum validation to make sure that the appropriate security adapter provides user credentials to the authentication manager for all users who request access. For information about checksum validation, see "Configuring Checksum Validation".
In a security adapter authentication implementation, you must set the security adapter configuration parameter Propagate Change to TRUE, and set the Siebel system preference SecThickClientExtAuthent to TRUE, if you want to implement:
Security adapter authentication of Siebel Developer Web Client users.
Propagation of user administration changes from the Siebel Developer Web Client to an external directory such as LDAP. (For example, if a user changes his or her password in the Developer Web Client, then the password change is also propagated to the directory.)
For more information, see "Siebel Application Configuration Parameters" and "Configuring LDAP Authentication for Developer Web Clients".
In some environments, you might want to rely on the data server itself to determine whether to allow Siebel Developer Web Client users to access the Siebel database and run the application. In the application configuration file on the local client, you can optionally define the parameter IntegratedSecurity for the server data source (typically, in the [ServerDataSrc] section of the configuration file).
This parameter can be set to TRUE or FALSE. The default value is FALSE. When TRUE, the Siebel client is prevented from prompting the user for a user name and password when the user logs in. Facilities provided in your existing data server infrastructure determine if the user is allowed to log into the database.
You can set the IntegratedSecurity parameter to TRUE with the database security adapter. See also "About Database Authentication".
|
Note: Integrated Security is only supported for Siebel Developer Web clients that access Oracle and Microsoft SQL Server databases. This functionality is not available for Siebel Web Clients or Siebel Mobile Web clients. |
For additional information on integrated authentication, refer to your third-party documentation. For Oracle, refer to the OPS$ and REMOTE_OS_AUTHENT features. For Microsoft SQL Server, refer to Integrated Security. For more information about the Siebel Developer Web Client, see the Siebel Installation Guide for the operating system you are using and the Siebel System Administration Guide.
The following sample is an example of LDAP configuration information generated by the Siebel Management Console when you configure an LDAP security adapter for Developer Web Clients. For more information, see "Configuring Security Adapters Using the Siebel Management Console". For information about setting Siebel configuration parameters, see "Siebel Application Configuration Parameters".
[LDAPSecAdpt] SecAdptDllName = sscforacleldap ServerName = ldapserver.example.com Port = 636 BaseDN = ou=people, o=example.com SharedCredentialsDN = uid=HKIM, ou=people, o=example.com UsernameAttributeType = uid PasswordAttributeType = userPassword CredentialsAttributeType = mail RolesAttributeType = roles SslDatabase =file:c:\sslSLwallet ApplicationUser = uid=APPUSER, ou=people, o=example.com ApplicationPassword = APPUSERPW HashDBPwd = TRUE PropagateChange = TRUE CRC = SingleSignOn = TRUE TrustToken = mydog UseAdapterUsername = TRUE SiebelUsernameAttributeType = PHONE HashUserPwd = TRUE HashAlgorithm = RSASHA1
This option applies to the Siebel Developer Web Client only. The remote configuration option can be implemented in the following authentication strategies:
Security adapter authentication: LDAP, custom (not database authentication)
Web SSO authentication
With this approach, you create a separate text file that defines any parameter values that configure a security adapter. You configure all security adapter parameters, such as those in a section like [LDAPSecAdpt], in the remote file, not in the application configuration file.
Storing configuration parameters in a centralized location can help you reduce administration overhead. All Developer Web Clients can read the authentication-related parameters stored in the same file at a centralized remote location.
The following examples show how a remote configuration file can be used to provide parameters for a security adapter that is implemented by Siebel eService in a Web SSO environment. The following example is from the configuration file uagent.cfg for Siebel Call Center:
[InfraSecMgr] SecAdptMode = LDAP SecAdptName = LDAPSecAdpt UseRemoteConfig = \\it_3\vol_1\private\ldap_remote.cfg
In this case, the configuration file ldap_remote.cfg would contain an [LDAPSecAdpt] section. It could be defined similarly to the example earlier in this topic, and would contain no other content. The application configuration file would contain the [InfraSecMgr] section as defined in the preceding example. It would not contain an [LDAPSecAdpt] section and, even if it did, it would be ignored.
To implement remote security configuration for Siebel Developer Web Clients, follow these guidelines:
The [InfraSecMgr] section in the Siebel configuration file must include the UseRemoteConfig parameter, which provides the path to a remote configuration file. The path is specified in universal naming convention format, for example, \\server\vol\path\ldap_remote.cfg.
The remote security configuration file contains only a section for configuring the security adapter, such as the [LDAPSecAdpt] section.
Each Developer Web Client user must have read privileges on the remote configuration file and the disk directory where it resides.
