Siebel CRM Siebel Security Guide
Siebel Innovation Pack 2017, Rev. A
E24814-01
Contents
List of Figures
List of Tables
Title and Copyright Information
Preface
Audience
Documentation Accessibility
Related Documents
Conventions
1 What's New in This Release
What's New in Siebel Security Guide, Siebel Innovation Pack 2017, Rev. A
What's New in Siebel Security Guide, Siebel Innovation Pack 2017
What's New in Siebel Security Guide, Siebel Innovation Pack 2016, Rev. A
What's New in Siebel Security Guide, Siebel Innovation Pack 2016
2 About Security for Siebel Business Applications
About This Guide
General Security Concepts
Industry Standards for Security
About Supported Security Products
Siebel Security Architecture
User Authentication for Secure System Access
Security Adapter for Database Authentication
Security Adapters for LDAP Authentication
Web Single Sign-On
Security Adapter SDK
End-to-End Encryption for Data Confidentiality
About Controlling Access to Data
View-Level Access Control
Record-Level Access Control
Support for Auditing in a Siebel Environment
Secure Physical Deployment to Prevent Intrusion
Security for Mobile Solutions
Mobile Device User Authentication
Security Settings for the Web Browser
Web Sites with Security Information
Using Transport Layer Security with Siebel CRM
Supported TLS Versions and RSA SHA
About Siebel Open UI
Roadmap for Configuring Security
3 Changing and Managing Passwords
About Managing and Changing Passwords
Guidelines for Changing Passwords
Characters Supported in Siebel Passwords
Supported Characters
Unsupported Characters
About Default Accounts
Database Accounts
Siebel User Accounts
Changing System Administrator Passwords on Microsoft Windows
Changing the Password for the Siebel Service Owner Account
Changing the Password for the Siebel Administrator Account
Changing the Anonymous User Password When a User Account Is Set to Anonymous User
Changing the Siebel Administrator Password on UNIX
Changing the Table Owner Password
Troubleshooting Password Changes By Checking for Failed Server Tasks
About Siebel Gateway Authentication Password
Using Siebel Utilities to Access Siebel Gateway
Encrypted Passwords in Siebel Application Interface Profile Configuration
Changing Encrypted Passwords Using the Siebel Management Console
About Encryption of Siebel Gateway Password Parameters
Upgrading to Siebel CRM
Determining Encrypted Parameters and Values in Siebel Gateway Registry
4 Communications and Data Encryption
Types of Encryption
Communications Encryption
Certificate Requirements for Communications
Disabling Certificate Based Mutual Authentication
Disabling HTTPS
About Keystore and Truststore Files
Modifying Keystore and Truststore Files
Data Encryption
About Certificates and Key Files Used for TLS Authentication
About Supported Values for Certificate Encryption Keys
Process of Configuring Secure Communications
Installing Certificate Files
About Installing Certificate Files on Windows
About Installing Certificate Files on UNIX
Installing Certificate Files on UNIX for Client Authentication
Setting HTTP Proxy for UNIX Using the mwcontrol Utility
Configuring TLS Mutual Authentication for SHA-2 Certificates Using EAI HTTP Transport
About Configuring Encryption for Siebel Enterprise and Siebel Application Interface
About Key Exchange for RSA Encryption
Configuring TLS Encryption for Siebel Enterprise or Siebel Server
Deploying TLS for a Siebel Enterprise or Siebel Server
Setting Additional Parameters for Siebel Server TLS
Configuring TLS Encryption for Siebel Application Interface
About Configuring Encryption for Web Clients
About Session Cookies and Web Clients
Configuring Encryption for Mobile Web Client Synchronization
About Data Encryption
How Data Encryption Works
Requirements for Data Encryption
Encrypted Database Columns
Upgrade Issues for Data Encryption
Configuring Encryption and Search on Encrypted Data
Encrypting Columns in a Business Component
Managing the Key File Using the Key Database Manager
Adding New Encryption Keys
Changing the Key File Password
Process of Upgrading Data to a Higher Encryption Level
Requirements for Upgrading to a Higher Encryption Level
Modifying the Input File
About Using the Where Clause and Flags in the Input File
Running the Encryption Upgrade Utility
About Siebel Encryption
Reencrypting Password Parameters in Siebel Gateway Registry
Security Considerations for Unicode Support
Using Non-ASCII Characters in a Unicode Environment
Logging In to a Siebel Application
Encrypted Data
About Encoding UI Values
5 Security Adapter Authentication
About User Authentication
Issues for Developer and Mobile Web Clients
Comparison of Authentication Strategies
About Siebel Security Adapters
Authentication Directories
Security Adapter Authentication
Event Logging for Siebel Security Adapters
About Database Authentication
Database Authentication Process
Features Not Available for Database Authentication
Implementing Database Authentication
About Implementing the Database Security Adapter
About Password Expiration
Implementing Database Authentication with Microsoft SQL Server
About Authentication for LDAP Security Adapter
LDAP Security Adapter Authentication Process
Directory Servers Supported by Siebel Business Applications
Administering the Directory through Siebel Business Applications
Communicating with More Than One Authentication Server
Requirements for the LDAP Directory
About Setting Up the LDAP Directory
About Creating the Application User in the Directory
Process of Implementing LDAP Security Adapter Authentication
Requirements for Implementing an LDAP Authentication Environment for Oracle LDAP Client Installation
About Creating a Database Login for Externally Authenticated Users
Setting Up the LDAP Directory
Creating Users in the LDAP Directory
Adding User Records in the Siebel Database
LDAP Security Adapter Authentication Parameters in the Siebel Application Interface Profile
Configuring Security Adapter Parameters for Siebel Gateway
Parameters for Enterprise, Siebel Servers, or Components
Parameters for Application Object Manager Components
Parameters for Security Adapter (Profile/Named Subsystem)
Configuring LDAP Authentication for Developer Web Clients
Configuring Security Adapter Parameters for Developer Web Clients
Setting a System Preference for Developer Web Clients
Restarting Servers
Testing the LDAP Authentication System
About Authentication for Siebel Gateway Access
Authentication Mechanisms
Security Profile Configuration
Implementing LDAP Authentication for Siebel Gateway
About Authentication for Mobile Web Client Synchronization
About the Synchronization Process for Remote Users
Authentication Options for Synchronization Manager
Installing and Configuring Oracle LDAP Client Software
Considerations if Using LDAP Authentication with TLS
Installing the Oracle LDAP Client Software on Windows
Installing the Oracle LDAP Client Software on UNIX
Configuring the siebenv.csh and siebenv.sh Scripts for the Oracle LDAP Client
Linux and Oracle Solaris Operating Systems
AIX Operating System
HP-UX Operating System
Creating a Wallet for Certificate Files When Using LDAP Authentication with TLS
Creating an Oracle Wallet
Enabling TLS for the Siebel LDAP Security Adapter
Configuring Security Adapters Using the Siebel Management Console
Migrating from Database to LDAP Authentication
Considerations in Migrating to LDAP Authentication
Migrating from Database to LDAP Authentication
Security Adapter Deployment Options
Configuring the Application User
About Application User Permissions
Defining the Application User
Application User and Password Expiration Policies
Configuring Checksum Validation
Configuring Secure Communications for Security Adapters
Configuring TLS for the LDAP Security Adapter
Configuring the Shared Database Account
Shared Database Accounts and Administrative Users
Storing Shared Database Account Credentials as Directory Attributes
Storing Shared Database Account Credentials as Profile Parameters
Configuring Adapter-Defined User Name
Configuring the Anonymous User
Anonymous Browsing and the Anonymous User
Configuring Roles Defined in the Directory
Security Adapters and the Siebel Developer Web Client
Sample LDAP Configuration
Remote Configuration Option for Developer Web Client
About Password Hashing
Login Scenario for Password Hashing
Process of Configuring User and Credentials Password Hashing
Guidelines for Password Hashing
Configuring User Password Hashing
Configuring Password Hashing of Database Credentials
Running the Password Hashing Utility
Hashing Passwords Using the RSA SHA-1 Algorithm
6 Single Sign-On Authentication
Supported Single Sign-On Solutions for Siebel Deployment
About Web Single Sign-On
Web Single Sign-On Limitations
Web Single Sign-On and Silent Login
About Implementing Web Single Sign-On
Web Single Sign-On Implementation Considerations
Web Single Sign-On Options
Web Single Sign-On Authentication Process
Requirements for Standards-Based Web Single Sign-On
Set up Tasks for Standards-Based Web Single Sign-On
Configuring the Session Timeout
Configuring the Session Timeout
Testing the Web Single Sign-On Session Timeout Configuration
Configuring Siebel CRM and Oracle Business Intelligence Enterprise Edition for Web Single Sign-On
Web Single Sign-On Authentication Process When Using Siebel REST and Web Services in Portal Application
About Implementing Federated Single Sign-On
Federated Single Sign-On Authentication Process for Interactive User Interfaces
About Configuring Interactive User Interfaces for Federated Single Sign-On
Identity Provider-Initiated Single Sign-On Authentication Process
About Oracle API Gateway Role in Single Sign-On Authentication Process
7 Security Features of Siebel Application Interface
About the Siebel Web Client and Using HTTPS
Implementing Secure Login
Logging Out of a Siebel Application
Login User Names and Passwords
Account Policies and Password Expiration
About Password Expiration
About Using Cookies with Siebel Business Applications
Session Cookie
Using Secure Cookies
Session ID Encryption
Auto-Login Credential Cookie
Enabling Cookies for Siebel Business Applications
8 User Administration
About User Registration
Requirements for User Registration
Seed Data for User Registration
About Anonymous Browsing
Process of Implementing Anonymous Browsing
Anonymous Browsing and the Anonymous User Record
Setting Configuration Parameters for Anonymous Browsing
Configuring Views for Anonymous Browsing or Explicit Login
About Self-Registration
User Experience for Self-Registration
Process of Implementing Self-Registration
Self-Registration and the Anonymous User Record
Setting the Propagate Change Parameter for Self-Registration
About Activating Workflow Processes for Self-Registration
About the Self-Registration Workflow Processes
About the Self-Registration Workflow Process Views
(Optional) Modifying Self-Registration Views and Workflows
Replacing the License Agreement Text
About Revising a Workflow Process
Custom Business Services
Redefining Required Fields
Adding or Deleting Fields in an Existing View
About Changing the Physical Appearance of a View or Applet
About Creating a New View for Self-Registration
(Optional) Managing Duplicate Users
Modifying Updated Fields for a Duplicate User
Modifying Fields Used to Determine a Duplicate User
Deactivating the Duplicate User Check
Identifying Disruptive Workflows
About Managing Forgotten Passwords
Retrieving a Forgotten Password (Users)
Defining Password Length for Retrieved Passwords
Architecture for Forgotten Passwords
About Modifying the Workflow Process for Forgotten Passwords
Modifying Workflow Process to Query Null Fields
Modifying Workflow Process to Request Different Identification Data
Modifying the User Interface for User Registration
Modifying Input Arguments for the Workflow Process
Internal Administration of Users
About Adding a User to the Siebel Database
Adding a New Employee
Completing Employee Setup
Deactivating an Employee
About Adding a New Partner User
Adding a New Contact User
Promoting a Contact to a Contact User
Modifying the New Responsibility for a User Record
Delegated Administration of Users
User Authentication Requirements for Delegated Administration
Access Considerations for Delegated Administration
Registering Contact Users (Delegated Administration)
Registering Partner Users (Delegated Administration)
Maintaining a User Profile
Editing Personal Information
Changing a Password
Changing the Active or Primary Position
Changing the Active Position in a Siebel Employee Application
Changing the Primary Position in a Siebel Partner Application
9 Configuring Access Control
About Access Control
Access Control for Parties
Access Control for Data
Data Categorization for Master Data
Access Control Mechanisms
About Personal Access Control
About Position Access Control
About Single-Position Access Control
About Team (Multiple-Position) Access Control
About Manager Access Control
Business Component Uses Position Access Control
Business Component Uses Personal Access Control
About Organization Access Control
About Single-Organization and Multiple-Organization Access Control
About Suborganization Access Control
About All Access Control
About Access-Group Access Control
Planning for Access Control
Access Control and Business Environment Structure
Benefits of Multiple Organizations
Deciding Whether to Set Up Multiple Organizations
About Planning for Divisions
About Planning for Organizations
About Planning for Positions
Positions and Employees
Position Administration
About Planning for Responsibilities
Setting Up Divisions, Organizations, Positions, and Responsibilities
Setting Up Divisions
Setting Up Organizations
Setting Up Positions
Setting Up Responsibilities and Adding Views and Users
About View and Data Access Control
Listing the Views in an Application
Responsibilities and Access Control
About Associating a Responsibility with Organizations
Local Access for Views and Responsibilities
Read Only View for Responsibilities
Assigning a Responsibility to a Person
Using Responsibilities to Allow Limited Access to Server Administration Views
Viewing Business Component View Modes
Configuring Access to Business Components from Scripting Interfaces
Configuring the Scripting Operations Permitted on Business Components (Siebel Server Parameter)
Configuring the Scripting Operations Permitted on Business Components (Business Component User Property)
Viewing an Applet's Access Control Properties
Listing View Access Control Properties
Example of Flexible View Construction
About Implementing Access-Group Access Control
Scenario That Applies Access-Group Access Control
Implementing the Reseller Resources Access Control Structure
Viewing Categorized Data (Users)
Implementing Access-Group Access Control
About Administering Catalogs of Data
Administration Tasks for Positions, Organizations, Households, and User Lists
About Administering Positions
About Administering Organizations
About Administering Households
Administering User Lists
Administering Access Groups
Creating an Access Group
Modifying an Access Group
Modifying an Access Group Hierarchy
Associating Access Groups with Data
Associating an Access Group with a Catalog
Associating an Access Group with a Category
Managing Tab Layouts Through Responsibilities
Specifying Tab Layouts for Responsibilities
Assigning a Primary Responsibility
Exporting and Importing Tab Layouts
Exporting Tab Layouts
Importing Tab Layouts
Managing Tasks Through Responsibilities
Associating Responsibilities with a Task
Creating Task Links for a Responsibility
Administering Access Control for Business Services
Associating a Business Service with a Responsibility
Associating a Responsibility with a Business Service
Example of Associating a Responsibility with Business Service Methods
Clearing Cached Business Services
Disabling Access Control for Business Services
Administering Access Control for Business Processes
Clearing Cached Responsibilities
About Configuring Visibility of Pop-Up and Pick Applets
About Setting Visibility of the Pick List Object Definition
About Using the Visibility Auto All Property
About Using the Special Frame Class and User Properties
About Configuring Drilldown Visibility
Drilldown Visibility Within the Same Business Object
Drilldown Visibility Between Different Business Objects
Visibility Rules for the Drilldown Object Type
Visibility Rules for the Link Object Type
Example of Visibility in a Drilldown Between Different Business Objects
Party Data Model
How Parties Relate to Each Other
Person (Contact) Data Model
User Data Model
Employee Data Model
Position Data Model
Account Data Model
Division Data Model
Organization Data Model
Partner Organization Data Model
Household Data Model
User List Data Model
Access Group Data Model
10 Troubleshooting Security Issues
Troubleshooting User Authentication Issues
Troubleshooting User Registration Issues
Troubleshooting Access Control Issues
Troubleshooting Secure Parameter Settings
A Configuration Parameters Related to Authentication
Server Parameters for Siebel Gateway
Security Profile Configuration for Siebel Gateway
Parameters for Configuring Security Adapter Authentication
Authentication and Security-Related Parameters in the Enterprise Profile
Security-Related Parameters in the Server Profile
Siebel Application Interface Profile Parameters
Authentication Parameters in Siebel Application Interface Profile
About the Active Session Timeout Value Parameter
Application Object Manager Parameters in Siebel Application Interface Profile
SWE Parameters in Siebel Application Interface Profile
REST Inbound Authentication Parameters in Siebel Application Interface Profile
Siebel Application Configuration Parameters
Parameters for Database Security Adapter (DBSecAdpt)
Parameters for LDAP Security Adapter (LDAPSecAdpt)
Parameters for Custom Security Adapter (CustSecAdpt)
B Seed Data
Seed Employee
Seed Users
Special Users and Privileges
Seed Users Provided as Seed Data
Seed User Modifications for Siebel Financial Services Applications
About Seed Position and Organization Division Records
Seed Responsibilities
Seed Responsibilities for Siebel Financial Services Applications
Listing Views Associated with Responsibilities
C Siebel Security Hardening
About This Appendix
Overview of Security Threats, Recommendations, and Standards
Security Threats and Vulnerabilities
General Security Recommendations
Patch Management
Critical Patch Updates for Siebel Business Applications
Security Standards and Programs
About the Oracle Software Security Assurance Program
About Using Transport Layer Security with Siebel CRM
Securing the Network and Infrastructure
About Securing the Network Infrastructure
Network Zones and Firewalls
Guidelines for Assigning Ports on Firewalls
Guidelines for Deploying Siebel Business Applications Across a Firewall
Routers
Network Address Translation
Load Balancers
Proxy Servers
Forward Proxy Servers
Reverse Proxy Servers
Virtual Private Networks
About Using Internet Protocol Security
Preventing Denial of Service Attacks
Recommended Network Topologies
Network Configuration for Medium-Scale Deployments of Siebel Business Applications
Network Configuration for Large-Scale Siebel Deployments
Network Authentication and Monitoring
Enabling Encryption of Network Traffic
Enabling Encryption Between the Web Client Browser and Web Server
Enabling Encryption Between the Web Server and Siebel Server
Enabling Encryption Between the Siebel Server and Siebel Database
Enabling Encryption for Security Adapters
About Using TLS with Siebel Enterprise Application Integration (EAI)
Securing the Siebel Web Server
Implementing a Proxy Server
Monitoring Disk Space
Removing Unnecessary Subdirectories (Windows)
Encrypting Communications to the Web Server
Seeded Tomcat Web Server User
Securing the Siebel Server
Encrypting Communications to the Siebel Server
Restricting Siebel Server Access
Securing the Siebel Client
Deploying Siebel Open UI
Enabling ActiveX Controls for Siebel Open UI Clients
Encrypting Communications for Web Clients
Providing Physical Security for the Client Device
Defining a Policy for Unattended Personal Computer Sessions
Keeping Browser Software Updated
Updating Security Patches
Securing Mobile Clients
Securing Siebel Remote
Securing the Synchronization Framework
Authenticating the Mobile Web Client
Encrypting Communications
Encrypting DX Transaction Files
Using a VPN When Synchronizing Through the Internet
Encrypting Data in the Local Database and File System
Local Database
Local Siebel File System
Defining Password Management Procedures
Securing Mobile Devices Running Siebel Business Applications
Securing the Siebel Document Server
Securing Email Communications
Securing the Email Server
Encrypting Communications Between the Siebel Server and the Email Server
Deleting Processed Email Messages
Securing the Siebel Reports Environment
Guidelines for Providing Additional Security for Oracle BI Publisher
Securing the Operating Systems
Protecting Files and Resources
Securing the Siebel File System
Assigning Rights to the Siebel File System
Assigning Rights to the Siebel File System on Windows
Assigning Rights to the Siebel File System on UNIX
Excluding Unsafe File Types from the Siebel File System
About Potentially Unsafe File Types
Enabling File Extension Checking
About File Extension Checking on the Siebel Mobile Web Client
Assigning Rights to the Siebel Service Owner Account
Assigning Rights to the Siebel Service Owner Account on Windows
Assigning Rights to the Siebel Service Owner Account on UNIX
Applying Patches and Updates
Securing the Siebel Database
Restricting Access to the Siebel Database
Reviewing Authorization Policies
Protecting Sensitive Data in the Siebel Database
Maintaining Database Backups
Securing Siebel Business Applications
About Securing Applications
Guidelines for Deploying Siebel Business Applications
About Disabling Siebel Components
About User Authentication
Implementing Password Management Policies
General Password Policies
Defining Rules for Password Syntax
About Configuring Password Hashing for Users
Reviewing Special User Privileges
About Implementing Authorization and Access Control
View-Level Access Control
Record-Level Access Control
Implementing Personal Visibility for the User Profile View
About Securing Application Data During Configuration
About Using Web Services
About Defending Data from HTML Injection
Displaying HTML Content
Specifying Trusted Server Names
About Using External Business Components
About Using HTTP Methods
About Message Broadcasting
About Securing Third-Party Applications
Implementing Auditing
Operating System Auditing
Database Auditing
Siebel Business Applications Event Logging
About Siebel Audit Trail
Performing Security Testing
About Performing Security Assessments
About the Common Vulnerability Scoring System
Using Masked Data for Testing
Methods of Masking Data
Supported Security Standards
Payment Card Industry Data Security Standard
Common Criteria for Information Technology Security Evaluation
Federal Information Processing Standard (FIPS) 140
Default Port Allocations
Port Allocations for Siebel CRM Release 8.x
Index