Changing and Managing Passwords
This chapter provides guidelines on how to manage and change passwords. It includes the following topics:
About Managing and Changing Passwords
It is recommended that a password management policy is implemented in all Siebel Business Applications implementations to ensure that only authorized users can access the applications. The password management policy that is most appropriate varies according to site-specific variables, such as the size of the implementation and users’ business needs. However, all password management policies ought to provide guidelines relating to how frequently end users must change their passwords, whether or not password expiry periods are enforced, and the circumstances in which passwords must be changed.
Password management policies must also be applied to accounts that are used to manage and maintain the Siebel implementation, such as the Siebel administrator account. The topics in this chapter provide information on changing and managing the passwords for these accounts. For information on how end users can change their passwords, see Changing a Password. For additional information on implementing password management policies, see Defining Password Management Procedures.
Guidelines for Changing Passwords
Before changing passwords in your environment, review the following general points:
For end users, the availability of the Password and Verify Password fields in the Siebel application (User Preferences screen, User Profile view) depends on several factors:
For an environment using Lightweight Directory Access Protocol (LDAP) authentication, the underlying security mechanism must allow this functionality. See also Requirements for the LDAP Directory.
In addition, the Propagate Change parameter must be TRUE for the LDAP security adapter. The default value is TRUE. For Siebel Developer Web Clients, the system preference, SecThickClientExtAuthent, must also be TRUE. For more information, see Security Adapter Authentication.
For an environment using database authentication, the Database Security Adapter Propagate Changes parameter must be TRUE for the database security adapter. The default value is FALSE. For more information, see Security Adapter Authentication.
If you are using a third-party load balancer for Siebel Server load balancing, then make sure load-balancer administration passwords are set. Also make sure that the administrative user interfaces for your load-balancer products are securely protected.
If you set and change passwords at the Siebel Enterprise level, then the changes are inherited at the component level. However, if you set a password parameter at the component level, then from that point forward, the password can be changed only at the component level. Changing it at the Enterprise level does not cause the new password to be inherited at the component level, unless the override is deleted at the component level. For more information, see Siebel System Administration Guide.
For information about changing the local DBA password on Mobile Web Clients, see Siebel Remote and Replication Manager Administration Guide. For information about configuring and using hashed user passwords and database credentials passwords through your security adapter, see About Password Hashing.
Characters Supported in Siebel Passwords
It is recommended that you implement a password policy in your organization that defines the requirements for creating and changing Siebel passwords. For example:
The password value must not be the same as the user name.
Password values must be a minimum length, usually 8 characters.
Password values must include a variety of supported characters.
Supported Characters
Siebel CRM supports the use of the following characters in passwords:
The alphabetic characters a to z (uppercase and lowercase).
The numerals 0 to 9.
The following special characters: Number sign (#).
Unsupported Characters
You cannot use the special characters shown in the following table when creating or changing passwords used in your Siebel implementation.
Table Special Characters Not Supported in Siebel Passwords
Character | Description | Hexadecimal
---|---|---
! | exclamation point | 21
" | double quote | 22
$ | dollar sign | 24
% | Percent sign | 25
& | ampersand | 26
' | Single quote | 27
( | Opening parenthesis | 28
) | Closing parenthesis | 29
* | Asterisk (star) | 2A
+ | Plus | 2B
, | Comma | 2C
- | Minus (hyphen) | 2D
. | Period | 2E
/ | Forward slash | 2F
: | Colon | 3A
; | Semi-colon | 3B
< | Less-than sign | 3C
= | Equal sign | 3D
> | Greater-than sign | 3E
? | Question mark | 3F
@ | At-sign | 40
[ | Opening bracket | 5B
\ | Back slash | 5C
] | Closing bracket | 5D
^ | Caret | 5E
_ | Underscore | 5F
` | Grave accent | 60
{ | Opening brace | 7B
\| | Vertical bar | 7C
} | Closing brace | 7D
~ | tilde | 7E
´ | Acute accent | B4
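
Password generators usually emit punctuation that appears in the table above, so a generated SADMIN or table owner password can fail. The following added example (not part of the Siebel documentation or product) checks a candidate against the policy points listed in this topic and generates a random password from the supported characters only. The function names, the case-insensitive user-name comparison, the reading of "a variety of supported characters" as three of four character classes, and the treatment of any character outside the supported list as unsupported are assumptions.

```python
import math
import secrets
import string

# Supported characters as listed in this topic: a-z, A-Z, 0-9 and the number sign.
SUPPORTED = string.ascii_letters + string.digits + "#"
MIN_LENGTH = 8  # the minimum length given as the usual value in this topic


def check_password(user_name, password, min_length=MIN_LENGTH, min_classes=3):
    """Return a list of policy violations; an empty list means the value passes."""
    problems = []
    # Assumption: compare case-insensitively, which is stricter than an exact match.
    if password.lower() == user_name.lower():
        problems.append("password is the same as the user name")
    if len(password) < min_length:
        problems.append(f"shorter than {min_length} characters")
    # Assumption: anything outside SUPPORTED is rejected, not only the table entries.
    bad = sorted({ch for ch in password if ch not in SUPPORTED})
    if bad:
        listed = ", ".join(f"{ch!r} (hex {ord(ch):02X})" for ch in bad)
        problems.append(f"unsupported characters: {listed}")
    # Assumption: "a variety" means at least min_classes of these four classes.
    classes = sum([
        any(c in string.ascii_lowercase for c in password),
        any(c in string.ascii_uppercase for c in password),
        any(c in string.digits for c in password),
        "#" in password,
    ])
    if classes < min_classes:
        problems.append(f"uses {classes} of 4 character classes, need {min_classes}")
    return problems


def entropy_bits(length):
    """Entropy of a uniformly random password of this length over SUPPORTED."""
    return length * math.log2(len(SUPPORTED))


def generate_password(user_name, length=22):
    """Draw random passwords from SUPPORTED until one passes check_password."""
    if length < MIN_LENGTH:
        raise ValueError(f"length must be at least {MIN_LENGTH}")
    while True:
        candidate = "".join(secrets.choice(SUPPORTED) for _ in range(length))
        if not check_password(user_name, candidate):
            return candidate


if __name__ == "__main__":
    print(check_password("SADMIN", "Winter2024!"))  # constructed sample value
    print(f"{entropy_bits(22):.1f} bits at length 22")
```

With only 63 usable characters, each random character carries just under 6 bits, so 22 characters are needed to exceed 128 bits.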
About Default Accounts
The Siebel installation process and the seed data provided with Siebel Business Applications create several default accounts. These accounts are used to manage and maintain your Siebel implementation. You assign passwords to these accounts when they are created. However, to safeguard the security of your implementation, change the passwords for these accounts regularly or delete any accounts you do not require.
Database Accounts
The following database accounts are created during the Siebel installation process. If you are using an Oracle or Microsoft SQL Server database, then you create these accounts when you run the grantusr.sql script. If you are using a DB2 database, then the database administrator manually creates these accounts. You must ensure these accounts have been created in the RDBMS and you must assign passwords to these accounts before you can configure the Siebel database:
Siebel administrator database account (default user ID is SADMIN)
A database account for users who are authenticated externally (default user ID is LDAPUSER)
A database table owner (DBO) account
For information on creating and assigning passwords to the SADMIN, database table owner, and LDAPUSER accounts, see Siebel Installation Guide for the operating system you are using. For information on changing and managing the passwords for the SADMIN and database table owner accounts, see the following topics:
Changing System Administrator Passwords on Microsoft Windows
Troubleshooting Password Changes By Checking for Failed Server Tasks
For additional information on the LDAPUSER account, see About Creating a Database Login for Externally Authenticated Users.
applicationcontainer/webapps/siebel/web-inf. You must also be licensed to use DB2390 and arrange a license for same. All other client drivers are licensed and packaged in the Siebel product.
Siebel User Accounts
The following Siebel application user account records are provided as seed data during the Siebel installation process. These user accounts are not installed with default passwords and their use is optional:
A seed system administrator user record (SADMIN)
A seed employee user record for customer users (PROXYE)
Seed guest accounts: GUESTCST (customer applications), GUESTCP (Siebel Partner Portal), GUESTERM (Siebel Financial Services ERM)
You can use a seed guest account as the Siebel user account for the anonymous user. To use a seed guest account, you must set the following parameters, either when configuring the Siebel Application Interface profile (recommended), or by editing the Siebel Application Interface profile manually:
Anonymous User Name. Set this parameter to the user ID of the anonymous user, for example, GUESTCST.
Anonymous User Password. Set this parameter to the password associated with the anonymous user.
The anonymous user password is written to the Siebel Application Interface profile in encrypted form by default if you add or change this value using the Siebel Management Console.
For more information on defining the anonymous user when you configure the Siebel Application Interface profile, see Configuring the Anonymous User, Authentication Parameters in Siebel Application Interface Profile and Siebel Installation Guide for the operating system you are using.
Changing System Administrator Passwords on Microsoft Windows
Before you run the Database Configuration Wizard to configure the Siebel database on the RDBMS, you must create a Siebel administrator account, either manually (on IBM DB2) or using the grantusr.sql script. The default user ID for the Siebel administrator account is SADMIN (case-sensitive). You must also create a password for the account. The password you assign to the administrator account cannot be the same as the user name of the account.
To increase the security of your Siebel implementation, it is recommended that you change the Siebel administrator password at regular intervals. You might also have to change the password for the Siebel service owner account, which is the Windows user who starts the Siebel Server system service. This topic outlines procedures for performing both tasks. For more information about setting up these accounts for initial use, see the Siebel Installation Guide for the operating system you are using.
Changing the Password for the Siebel Service Owner Account
Use the following procedure to modify the password for the Siebel service owner; this is the Microsoft Windows user account that starts the Siebel Server system service.
To change the password for the Siebel service owner account
Change the Windows domain login password for the Siebel service owner account.
For more information on changing domain passwords, refer to your Windows documentation.
Change the password for the Siebel Server system service.
From the Windows Start menu, choose Settings, Control Panel, Administrative Tools, and then the Services item.
Right-click on the Siebel Server System Service, and select Properties.
In the Properties dialog box for this service, click the Log On tab.
Enter the password in the Password and Confirm Password fields, and click OK.
Note: The password specified here must correspond to the Windows domain login password you modified earlier in this procedure.
Stop and restart the Siebel Server system service. For details, see Siebel System Administration Guide.
Changing the Password for the Siebel Administrator Account
Use the following procedure to modify the password for the Siebel administrator database account. You must also change the corresponding password parameter for the Siebel Enterprise, and then delete the Siebel Server system service and re-create it using the new password.
To change the Siebel administrator password
Change the value of the Siebel administrator’s Enterprise password parameter using either the Server Manager command or the Siebel user interface.
The following steps describe how to change the password using the Siebel user interface:
Log into a Siebel employee application, such as Siebel Call Center.
Navigate to the Administration - Server Configuration screen, then the Enterprises view.
Click the Parameters tab.
In the Enterprise Parameters list, select the Password parameter.
In the Value field, enter the new password, then commit the record.
Log out of the Siebel application (all users must log out).
Change the Siebel administrator’s password in the database.
For more information, refer to your RDBMS documentation on changing passwords.
On each Siebel Server in your Siebel Enterprise, delete the existing Siebel Server system service, then re-create it with the new administrator password as follows:
Delete the Siebel Server system service using the following command:
siebctl -d -S siebsrvr -i "EnterpriseName_SiebelServerName"
where:
EnterpriseName is the name of your Siebel Enterprise
SiebelServerName is the name of the Siebel Server
For example:
siebctl -d -S siebsrvr -i "sia8x_app01"
Re-create the Siebel Server system service using the following command:
siebctl -h SIEBSRVR_ROOT -S siebsrvr -i "EnterpriseName_SiebelServerName" -a -g "-g GatewayServerHostname:port -e EnterpriseName -s SiebelServerName -u sadmin" -e NewPassword -u Account -p Password
where:
SIEBSRVR_ROOT is the full path to the Siebel Server installation directory
EnterpriseName is the name of your Siebel Enterprise
SiebelServerName is the name of the Siebel Server
GatewayServerHostname is the name of the Siebel Gateway host
port is the port number of the Siebel Gateway
sadmin is the administrator user ID
NewPassword is the new Siebel administrator password in plaintext. The siebctl utility encrypts the password.
Account is the Siebel service owner account name
Password is the Siebel service owner account password
For example:
D:\sia8x\siebsrvr\BIN>siebctl -h "d:\sia8x\siebsrvr" -S siebsrvr -i "sia8x_app01" -a -g "-g localhost:2320 -e sia8x -s app01 -u sadmin" -e sadmin -u .\SADMIN -p xxxxxxxx
Start the Siebel Server system service.
For information on how to start the Siebel Server system service, see Siebel System Administration Guide.
Changing the Anonymous User Password When a User Account is set to Anonymous User
If you set a Siebel user account (such as GUESTCST) with minimum responsibilities (for example, access to the login view) to Anonymous User Name, then you must do the following to change the Anonymous User Password:
Change the password associated with the anonymous user (Anonymous User Password) in the Siebel Application Interface profile. For more information, see Changing Encrypted Passwords Using the Siebel Management Console.
Restart the Web server for the changes in Siebel Application Interface profile to take effect.
For more information about the anonymous user, see Configuring the Anonymous User.
Changing the Siebel Administrator Password on UNIX
Before you run the Database Configuration Wizard to configure the Siebel database on the RDBMS, you must create a Siebel administrator account, either manually (on IBM DB2) or using the grantusr.sql script. The default user ID for the Siebel administrator account is SADMIN (case-sensitive). You must also create a password for the account. For information about setting up this account for initial use, see the Siebel Installation Guide for the operating system you are using.
To increase the security of your Siebel implementation, it is recommended that you change the Siebel administrator password at regular intervals as described in the following procedure.
To change the Siebel administrator password on UNIX
End all client sessions and shut down the Siebel Server. Use the following command to shut down the server:
SIEBSRVR_ROOT/bin/stop_server all
Note: In order to stop all Siebel Servers in the Siebel Enterprise, you must run this command on all Siebel Server computers.
Change the Siebel administrator’s database account password using either the Server Manager command or the Siebel user interface.
The following steps describe how to change the password using the Server Manager command:
Log in at the Enterprise level:
srvrmgr -g SiebelGatewayName -e EnterpriseServerName -u UserName -p Password
At the Server Manager prompt, enter the following command:
change enterprise param Password=NewPassword
Change the password in the database.
For more information, refer to your RDBMS documentation on changing passwords.
Change the password in the service (svc) file on each Siebel Server in your Siebel Enterprise.
Caution: Do not edit the svc file manually; doing so can corrupt the file. Instead, make a backup copy of the existing svc file, then re-create the svc file with the new password using the siebctl utility.
The following procedure describes how to re-create the svc file with a new administrator database account password:
Navigate to the $siebsrvr/sys directory and rename the existing svc file. The svc file name is in a format similar to the following:
svc.siebsrvr.siebel:siebsrvrname
where siebsrvrname is the name of the Siebel Server.
In the $siebsrvr/bin directory, run the following command to re-create the svc file with the new Siebel administrator password:
siebctl -r "$Siebsrvr" -S siebsrvr -i EnterpriseName:SiebsrvrName -a -g "-g GatewayServerHostName:gtwyport -e EnterpriseName -s SiebsrvrName -u sadmin" -e NewPassword -L ENU
where:
"$Siebsrvr" is the installation directory of the Siebel Server
EnterpriseName is the name of your Siebel Enterprise
SiebsrvrName is the name of the Siebel Server
GatewayServerHostname is the name of the Siebel Gateway host
gtwyport is the port number of the Siebel Gateway
sadmin is the administrator user ID
NewPassword is the new Siebel administrator password (in plaintext). The siebctl utility encrypts the password.
For example:
siebctl -r "/data/siebel/sia8x/siebsrvr" -S siebsrvr -i TRN_ENTP:TRSIEBSRV2 -a -g "-g HBGNOVOAS04:2320 -e TRN_ENTP -s TRSIEBSRV2 -u sadmin" -e passwordnewxyz -L ENU
The siebctl utility re-creates the svc file with the new encrypted password value.
Stop and restart the Siebel Gateway using the following commands:
$SIEBEL_ROOT/SiebelGatewayName/bin/stop_ns
$SIEBEL_ROOT/SiebelGatewayName/bin/start_ns
Restart all Siebel Servers using the following command:
$SIEBEL_ROOT/ServerName/bin/start_server all
Perform this step for each applicable Siebel Server.
Connect to the Server Manager and verify the password change:
srvrmgr -g SiebelGatewayName -e EnterpriseServerName -s SiebelServerName -u SADMIN -p NewPassword
You can now log in as SADMIN with the new password.
Changing the Table Owner Password
This topic describes the steps to perform if you want to change the table owner password. Before you run the Database Configuration Wizard to configure the Siebel database on the RDBMS, you must create a database table owner (DBO) account with the appropriate permissions to modify the Siebel database tables. The table owner is used to reference table names in SQL statements that are generated by the Siebel application (for example, SELECT * FROM SIEBEL.S_APP_VER).
You create the database table owner account manually (on IBM DB2) or using the grantusr.sql script (Oracle or Microsoft SQL Server). For information on creating the table owner account, see the Siebel Installation Guide for the operating system you are using. Select a user ID for the table owner that meets your organization’s naming conventions. Also specify a password for the database table owner account.
A corresponding parameter named Table Owner (see Parameters for Configuring Security Adapter Authentication) is configured for the Siebel Enterprise. Siebel application modules such as Application Object Managers use this parameter value to provide the table owner name when generating SQL for database operations. You specify the table owner name during Siebel Enterprise Server configuration, which provides a value for this parameter.
A related parameter is Table Owner Password (example alias: TableOwnPass). For most database operations performed for Siebel Business Applications, the table owner password does not have to be provided. For this reason, this parameter is not configured during Siebel Enterprise Server configuration. However, if the Table Owner Password parameter is not defined, then the table owner password might sometimes have to be provided manually.
Note the following requirements for changing the table owner password:
If you have not defined the Table Owner Password parameter, then the table owner password only has to be changed in the Siebel database. (The changed password might also have to be provided manually for certain operations.)
If you have defined the Table Owner Password parameter, then you must also update the value for this parameter when you change the password in the Siebel database.
To change the password for the table owner account
Change the table owner password for the Enterprise as follows:
Log into a Siebel employee application, such as Siebel Call Center.
Navigate to the Administration - Server Configuration screen, then the Enterprises view.
Click the Parameters tab.
In the Enterprise Parameters list, locate the Table Owner Password parameter (alias TableOwnPass).
In the Value field, type in the new value, then commit the record.
Change the password in the database.
For more information on changing passwords, refer to your RDBMS documentation.
Restart the Siebel Server.
Troubleshooting Password Changes By Checking for Failed Server Tasks
If you change the Siebel administrator (SADMIN) password or the Table Owner password, then you can verify that the password change has not caused errors by checking that all server tasks are still running. If a server task has failed, then update the password for the task. The following procedure describes how to troubleshoot password changes.
To troubleshoot password changes
After the Siebel Server restarts:
Log into a Siebel employee application, such as Siebel Call Center.
Navigate to the Administration - Server Management screen, then the Servers view.
In the Siebel Servers list, select the applicable Siebel Server.
Click the Tasks tab and check to see if any server tasks have an error.
For example, if you are running Call Center Object Manager, then check if there is a task for this component that has an error.
For each Server Task that displays an error, update passwords for both the Siebel administrator account and the Table Owner for that task.
Navigate to the Administration - Server Configuration screen, then the Enterprises view.
Click the Component Definitions tab.
Select the component that initiated the failed task.
For example, if Call Center Object Manager had a failed task, then display the record for the Call Center Object Manager component definition.
Click the Parameters view tab to display parameters for this component definition.
Respecify password values for the applicable parameters for this component definition.
For example, if the Password or Table Owner Password parameters are not set correctly for the Call Center Object Manager component definition, that might be the reason for the failed tasks. If so, then respecifying the correct values will solve the problem.
Restart the Siebel Server computer, and check again if any tasks failed.
About Siebel Gateway Authentication Password
To make sure that only authorized users can make changes to the enterprise configuration parameters on Siebel Gateway, users connecting to the gateway must supply a valid authentication user name and password. Authentication user name and password values are verified by the security adapter specified for Siebel Gateway. The security adapter can be one of the following: database, LDAP, or custom.
The user account you use for Siebel Gateway authentication must have the same privileges as the Siebel administrator account created during the Siebel installation process; these privileges are required to connect to the gateway.
You can choose to use the Siebel administrator account for Siebel Gateway authentication, or you can create a new database user account, ensuring you assign it the same level of rights and privileges as the Siebel administrator account. If you are using an LDAP or a custom security adapter, then you must also add the gateway authentication user name and password to the directory server.
You can change the Siebel Gateway authentication password at any point by changing the password for the gateway authentication account in the database and in the LDAP directory (if you are using LDAP authentication). For more information, refer to your RDBMS documentation or your directory server documentation. For more information on gateway authentication, see About Authentication for Siebel Gateway Access and Siebel Installation Guide for the operating system you are using.
Using Siebel Utilities to Access Siebel Gateway
When using any of the Siebel utilities that connect to Siebel Gateway, for example the srvrmgr utility, you must specify the gateway authentication user name and password.
You can pass the gateway authentication user name and password in the command line as command flags, for example:
srvrmgr /g gateway1 /e enterprise1 /s server1 /u username /p password (Windows)
srvrmgr -g gateway1 -e enterprise1 -s server1 -u username -p password (UNIX)
where:
username is a valid user name that has been assigned Siebel administrator privileges
password is the password associated with username
You must enter a value for the /u username or -u username flag. If you do not specify a value for the /p password or -p password flag, then you are prompted for this value when you submit the command.
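
A password typed after /p or -p, or after the top-level -e and -p flags of the siebctl commands shown earlier in this chapter, ends up in shell history and is visible in process listings, whereas the prompt described above keeps it out of both. The following added example (not part of the Siebel documentation or product) scans history or audit-log lines for those command forms and returns a redacted copy so that exposed credentials can be found and rotated. The function names and the sample lines are constructed for illustration.

```python
import re
import shlex

# Matches the tool name as a bare word, after a path separator, or after a
# Windows prompt such as "D:\...\BIN>".
TOOL_RE = re.compile(r"(?:^|[\\/>])(srvrmgr|siebctl)(?:\.exe)?$", re.IGNORECASE)

# Flags that take a password value in the command forms shown in this chapter.
# For siebctl only top-level flags count: the quoted -g argument is one token,
# so the "-e EnterpriseName" inside it is never examined.
PASSWORD_FLAGS = {
    "srvrmgr": {"-p": "gateway authentication password",
                "/p": "gateway authentication password"},
    "siebctl": {"-e": "new Siebel administrator password",
                "-p": "service owner account password"},
}
FLAG_RE = re.compile(r"^[-/][A-Za-z]$")  # a one-letter flag, not a value
MASK = "********"


def tokenize(line):
    """Split on whitespace, keeping quoted strings whole and backslashes literal."""
    try:
        return shlex.split(line, posix=False)
    except ValueError:  # unbalanced quote in a damaged history line
        return line.split()


def scan_line(line):
    """Return (redacted_line, findings) for one history or audit-log line."""
    tokens = tokenize(line)
    tool, findings, i = None, [], 0
    while i < len(tokens):
        tok = tokens[i]
        if tool is None:
            match = TOOL_RE.search(tok)
            if match:
                tool = match.group(1).lower()
        else:
            label = PASSWORD_FLAGS[tool].get(tok)
            has_value = i + 1 < len(tokens) and not FLAG_RE.match(tokens[i + 1])
            if label and has_value:
                findings.append(f"{tool} {tok}: {label}")
                tokens[i + 1] = MASK
                i += 1  # skip the masked value
        i += 1
    return " ".join(tokens), findings


def scan_history(lines):
    """Return [(line_number, redacted_line, findings)] for lines exposing a password."""
    hits = []
    for number, line in enumerate(lines, start=1):
        redacted, findings = scan_line(line.rstrip("\n"))
        if findings:
            hits.append((number, redacted, findings))
    return hits


# Constructed sample lines modelled on the command forms in this chapter.
SAMPLE_HISTORY = [
    "srvrmgr -g gateway1 -e enterprise1 -s server1 -u SADMIN",
    "srvrmgr -g gateway1 -e enterprise1 -s server1 -u SADMIN -p Example#Pass1",
    "srvrmgr /g gateway1 /e enterprise1 /s server1 /u SADMIN /p Example#Pass1",
    'siebctl -d -S siebsrvr -i "enterprise1_server1"',
    'siebctl -r "/siebel/siebsrvr" -S siebsrvr -i enterprise1:server1 -a '
    '-g "-g gateway1:2320 -e enterprise1 -s server1 -u sadmin" -e Example#Pass2 -L ENU',
]

if __name__ == "__main__":
    for number, redacted, findings in scan_history(SAMPLE_HISTORY):
        print(number, findings, redacted)
```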
Encrypted Passwords in Siebel Application Interface Profile Configuration
The AES algorithm encrypts passwords stored in the Siebel Application Interface profile with a 256-bit encryption key. Passwords are written in encrypted form when you configure the Siebel Application Interface profile. Values for the following parameters are subject to encryption in the Siebel Application Interface profile:
Anonymous User Password
Trust Token
When an anonymous user password is used (during application login or anonymous browsing sessions), the encrypted password is decrypted and compared to the value stored for the database account (specified using the Anonymous User Name parameter).
The account and password are created using the standard Siebel database scripts, and must already exist in the Siebel database when you configure the Siebel Application Interface profile. If you change the password for this account after setting up your system, then you must update the password stored in the Siebel Application Interface profile. For information about changing encrypted passwords, see Changing Encrypted Passwords Using the Siebel Management Console.
Changing Encrypted Passwords Using the Siebel Management Console
Using the Siebel Management Console to change an anonymous user password automatically saves the password in encrypted form.
Although the anonymous user has limited privileges, it is generally recommended to use more secure passwords for production deployments of your Siebel Business Applications. For anonymous user accounts, changing passwords involves changing passwords for database accounts and changing passwords in the Siebel Application Interface profile.
The following procedure describes how to change an encrypted password using the Siebel Management Console.
To change encrypted passwords using the Siebel Management Console
Log in to the Siebel Management Console.
Click Profiles in the navigation menu, and then click Application Interface.
Existing application interface profiles are listed, if any.
Select the application interface profile that you want to modify, and then click Edit.
Go to the Basic Information section, click Authentication and change the Anonymous User Password.
To change the anonymous password specific to other applications (such as Siebel Call Center, EAI, or REST API), do the following:
Go to the Applications section, and select the check box next to the application you want to modify.
Click Authentication, and change the Anonymous User Password as required.
About Encryption of Siebel Gateway Password Parameters
The Siebel Gateway registry stores the information required by the gateway. This includes operational and connectivity information as well as configuration information for the Siebel Enterprise and Siebel Servers. If a gateway configuration parameter requires a password value, then the Siebel encryptor writes the password to the Siebel Gateway registry in encrypted format.
In the current release, passwords in the Siebel Gateway registry are encrypted using the AES algorithm. The encryptor generates the encrypted password using an encryption key that is unique to each parameter. The encryption key itself is generated based on repository information.
If you choose, you can increase the encryption key length for encrypting passwords. If you do increase the encryption key length for encrypted passwords in the Siebel Gateway registry, then the passwords have to be encrypted again using the new key. For more information, see Running the Encryption Upgrade Utility.
For a list of some of the password parameters that are encrypted in the Siebel Gateway registry, and for information on how to reencrypt them, see Reencrypting Password Parameters in Siebel Gateway Registry.
Upgrading to Siebel CRM
You must reset any passwords on the Siebel Gateway that were previously encrypted using RC4 encryption. In the current release, such passwords are encrypted using AES instead of RC4. For more information about reencrypting these passwords, see Running the Encryption Upgrade Utility. Furthermore, the Siebel Server system service and server components do not work after a migration installation until you have updated them to use AES password encryption. Make these changes in coordination, as described in Siebel Installation Guide for the operating system you are using.
Determining Encrypted Parameters and Values in Siebel Gateway Registry
Passwords in the Siebel Gateway registry are encrypted using 128-bit AES encryption. If you have many components in your system and you want to obtain a list of the encrypted passwords including the encryption value for each password, then complete the following procedure. This procedure assumes that Siebel Application Object Managers have been created for the components in your system.
To determine the encrypted parameters and values in Siebel Gateway registry
Obtain the list of components and component types in your system.
For each component type, list the parameters for the component using the following srvrmgr commands:
list params . . .
list advanced params . . .
list hidden params . . .
In the list of parameters returned, the encrypted parameters and their associated values are preceded with an asterisk (*) symbol.
Reencrypt the parameter values using srvrmgr if required.
For more information, see Reencrypting Password Parameters in Siebel Gateway Registry.