Security Adapter Authentication

About User Authentication

Authentication is the process of verifying the identity of a user. Siebel Business Applications support multiple approaches for authenticating users. You choose either security adapter authentication or Web SSO authentication for your application users:

  • Security adapter authentication. Siebel Business Applications provide a security adapter framework to support several different user authentication scenarios:

    • Database authentication. Siebel Business Applications support authentication against the underlying database. In this architecture, the security adapter authenticates users against the Siebel database. Siebel Business Applications provide a database security adapter (it is configured as the default security adapter). For more information, see About Database Authentication and Implementing Database Authentication.

      Note: Database authentication is supported for development environments only; it is not supported for production environments.
    • Lightweight Directory Access Protocol (LDAP) authentication. Siebel Business Applications support authentication against LDAP-compliant directories or Microsoft Active Directories. In this architecture, the security adapter authenticates users against the directory. Siebel Business Applications provide the LDAP Security Adapter to authenticate against directory servers. For more information, see About Authentication for LDAP Security Adapter and Process of Implementing LDAP Security Adapter Authentication.

    • Custom. You can use a custom adapter you provide, and configure the Siebel Business Applications to use this adapter. For more information, see Security Adapter SDK.

  • Web Single Sign-On (Web SSO). This approach uses an external authentication service to authenticate users before they access the Siebel application. In this architecture, a security adapter does not authenticate the user. The security adapter simply looks up and retrieves a user’s Siebel user ID and database account from the directory based on the identity key that is accepted from the external authentication service. For more information, see Single Sign-On Authentication.

You can choose the approach for user authentication individually for each application in your environment, based on the specific application requirements. However, there are administrative benefits to using a consistent approach across all of your Siebel Business Applications, because a consistent approach lowers the overall complexity of the deployment.

Configuration parameter values determine how your authentication architecture components interact. For information about the purpose of configuration parameters, see Configuration Parameters Related to Authentication. For information about the seed data related to authentication, user registration, and user access that is installed with Siebel Business Applications, see Seed Data.

    Issues for Developer and Mobile Web Clients

    The following special issues apply for authentication for deployments using Siebel Developer Web Client or Mobile Web Client:

    • For a particular Siebel application, when users connect from the Siebel Developer Web Client to the server database, the authentication mechanism must be the same as that used for Siebel Web Client users. This mechanism could be database authentication or a supported external authentication strategy, such as LDAP.

    • When connecting to the local database from the Mobile Web Client, mobile users must use database authentication. For information about authentication options for local database synchronization, see Siebel Remote and Replication Manager Administration Guide.

      Comparison of Authentication Strategies

      The following table highlights the capabilities of each authentication method to help guide your decision. Several options are available for each basic strategy. Comparisons do not apply for Siebel Mobile Web Client, for which only database authentication is available.

      Table: Functionality Supported in Different Authentication Methods

      Requires additional infrastructure components.
        Database Security Adapter: No
        LDAP Security Adapter: Yes
        Web SSO: Yes

      Centralizes storage of user credentials and roles.
        Database Security Adapter: No
        LDAP Security Adapter: Yes
        Web SSO: Yes

      Limits number of database accounts on the application database.
        Database Security Adapter: No
        LDAP Security Adapter: Yes
        Web SSO: Yes

      Supports dynamic user registration (users are created in real time through self-registration or administrative views).
        Database Security Adapter: No
        LDAP Security Adapter: Yes
        Web SSO: Not supported by Siebel Business Applications, but might be supported by third-party components. For Web SSO, user registration is the responsibility of the third-party authentication architecture and is not handled by the Siebel architecture.

      Supports account policies (password expiration, password syntax, account lockout).
        Database Security Adapter: Only password expiration, and only on supported IBM DB2 RDBMS operating systems.
        LDAP Security Adapter: Yes
        Web SSO: Not supported by Siebel Business Applications, but might be supported by third-party components. For Web SSO, account policy enforcement is handled by the third-party infrastructure.

      Supports Web Single Sign-On (the capability to log in once and access all the applications within a Web site or portal).
        Database Security Adapter: No
        LDAP Security Adapter: No
        Web SSO: Yes

      The Siebel LDAP security adapter supports the Internet Engineering Task Force (IETF) password policy draft (09) for handling password policy violations and error reporting. As a result, the LDAP security adapter returns meaningful error messages and takes appropriate actions when password policy violations occur, provided the adapter is used with directory servers that are compliant with the draft. For additional information on the IETF password policy draft, go to the IETF Web site at

      http://tools.ietf.org/html/draft-behera-ldap-password-policy-09

        About Siebel Security Adapters

        When you install your Siebel Business Applications, these security adapters are provided for user authentication:

        The security adapter is a plug-in to the authentication manager. The security adapter uses the credentials entered by a user (or supplied by an authentication service) to authenticate the user, as necessary, and allow the user access to the Siebel application.

        You can implement a security adapter other than one of those provided by Siebel Business Applications provided the adapter you implement supports the Siebel Security Adapter Software Development Kit. For more information, see Security Adapter SDK.

        You can implement LDAP authentication for Application Object Manager components and for EAI components. Do not use the LDAP security adapter to authenticate access for batch components, such as the Communications Outbound Manager; configure batch components to use the database security adapter instead, because they access the Siebel database directly. Siebel Server infrastructure and system management components such as Server Manager, Server Request Broker, and Server Request Processor also access the Siebel database directly and, for the same reason, cannot use the LDAP security adapter.

          Authentication Directories

          An LDAP directory is a store in which information that is required to allow users to connect to the Siebel database, such as database accounts or Siebel user IDs, is maintained external to the Siebel database, and is retrieved by the security adapter. For specific information about third-party directory servers supported by the security adapters provided with Siebel Business Applications, see Directory Servers Supported by Siebel CRM and the Certifications tab on My Oracle Support.

            Security Adapter Authentication

            In general, the process of security adapter authentication includes the following principal stages:

            • The user provides identification credentials.

            • The user’s Siebel user ID and database account are retrieved from a directory, from the Siebel database, or from another external source (for Web Single Sign-On).

            • The user’s identity is verified.

            • The user is granted access to the Siebel application and the Siebel database.

            Depending on how you configure your authentication architecture, the security adapter might function in one of the following modes, with respect to authentication:

            • With authentication (LDAP security adapter authentication mode). The security adapter uses credentials entered by the user to verify the user’s existence and access rights in the directory. If the user exists, then the adapter retrieves the user’s Siebel user ID, a database account, and, optionally, a set of roles which are passed to the Application Object Manager to grant the user access to the Siebel application and the database. This adapter functionality is typical in a security adapter authentication implementation.

            • Without authentication (Web SSO mode). The security adapter passes an identity key supplied by a separate authentication service to the directory. Using the identity key to identify the user in the directory, the adapter retrieves the user’s Siebel user ID, a database account, and, optionally, a set of roles that are passed to the Application Object Manager to grant the user access to the Siebel application and the database. This adapter functionality is typical in a Web SSO implementation.

            Note: The security adapter does not provide authentication for Web SSO. Web SSO is the ability to authenticate a user one time for access to multiple applications, including Siebel Business Applications. However, when implementing Web SSO, you must also deploy a security adapter.

            For information on the most commonly reported error messages when implementing standard Siebel security adapters, see 477528.1 (Article ID) on My Oracle Support.

              Event Logging for Siebel Security Adapters

              Siebel Business Applications provide the following event types to set log levels for security adapters:

              • Security Adapter Log

                This event type traces security adapter events.

              • Security Manager Log

                This event type traces security manager events.

              Modify the values for these two event types to set the log levels that the Application Object Manager writes to the log file. For more information about how to set the log levels for event types, see Siebel System Monitoring and Diagnostics Guide. For more information about configuring the log events for Siebel Mobile applications and saving the log information, see Siebel Mobile Guide: Disconnected.

                About Database Authentication

                If you use database authentication, then you must create a unique database account for each user. When an administrator adds a new user to the database, the User ID field must match the user name of a database account. The user enters the database user name and password when logging in to a Siebel application.

                  Database Authentication Process

                  The stages in a database authentication process are:

                  1. The user enters a database account’s user name and password to a Siebel application login form.

                  2. The Siebel Application Interface passes the user credentials to the Application Object Manager, which in turn passes them to the authentication manager.

                  3. The authentication manager hashes the password, if Hash User Password is TRUE for the data source specified for the database security adapter, and passes the user credentials to the database security adapter.

                  4. If the user credentials match a database account, then the user is logged into the database and is identified with a user record whose user ID is the same as the database account’s user name.

                    In other words, the database security adapter validates each user’s credentials by trying to connect to the Siebel database.

                    Features Not Available for Database Authentication

                    Some of the features that other authentication strategies provide are not available with database authentication, including:

                    • A single user-authentication method that is valid for Siebel Business Applications and other applications

                    • User self-registration (typically used with customer applications)

                    • External delegated administration of users (typically used with partner applications)

                    • Creation of users on the database server by adding users from the Administration - User screen in the Siebel application.

                      Implementing Database Authentication

                      This topic describes how to implement database authentication. Database authentication is typically implemented for a Siebel employee application, such as Siebel Call Center or Siebel Sales.

                      When you create a profile in Siebel Management Console, the database security adapter is selected by default, which means that database authentication is used; you can instead select an LDAP or a custom security adapter as required.

                      Note: It is strongly recommended that you use TLS for the database connection when you use database authentication, because each user's database credentials are sent to the database server at every login.

                        About Implementing the Database Security Adapter

                        You implement the database security adapter using the Enterprise Security Authentication Profile (Security Adapter Mode) parameter and the Security Adapter Name (named subsystem) parameter. You can set these parameters for the Siebel Gateway, the Siebel Enterprise Server, for a particular Siebel Server, for an individual Application Object Manager component, or for the Synchronization Manager component (for Siebel Remote).

                        Note: If you later want to configure an individual Siebel Server or component to use LDAP, then you must configure the Enterprise Security Authentication Profile (Security Adapter Mode) and the Security Adapter Name (named subsystem) parameters as shown in Step 1 of the following procedure.

                        You can configure the Security Adapter Mode and Security Adapter Name parameters using the Siebel Management Console.

                        Caution: If you want to configure a server component or a Siebel Server to use different database authentication settings than those already configured at a higher level (that is, configured for the Siebel Enterprise or Siebel Server), then you must create a new database security adapter. If you do not, then settings you make reconfigure the existing security adapter wherever it is used.

                        The following procedure describes how to implement database authentication.

                        To implement database authentication

                        1. Specify that you want to use the database security adapter by setting values for the following parameters:

                          1. Set the Security Adapter Mode parameter to DB.

                          2. Set the Security Adapter Name parameter to DBSecAdpt, or to a security adapter (enterprise profile or named subsystem) with a different name.

                          For more information about parameters for the database security adapter, see Configuration Parameters Related to Authentication.

                        2. If you want to implement user password hashing, then set the Hash User Password parameter to True.

                          For detailed information on this task, see Configuring User Password Hashing.

                          With user password hashing, the database account's password is the hashed form of the user's password, while the user logs in with the unhashed password. When user password hashing is enabled, the authentication manager applies the hashing algorithm to the password the user enters, and the resulting hash is what is presented to the database as the account password, so the plaintext password is never stored in the database account. Note that the stored hash is therefore itself a valid database password and must be protected like one. It is recommended that you implement password hashing for user passwords.

                          Note: For database authentication, password hashing parameters are specified for a data source referenced from the database security adapter, rather than specified directly for the security adapter.
                        3. Provide each user with access to Siebel Business Applications and the Siebel database as follows:

                          1. Create a database account for the user using your database management functionality.

                          2. Create a Siebel user record in the Siebel database; the user ID must match the user name for the database account.

                            You add users to the Siebel database through an employee application such as Siebel Call Center. For detailed information about adding users, see About Adding a User to the Siebel Database.

                        4. If you are implementing database authentication with an MS SQL Server database, then perform the task described in Implementing Database Authentication with Microsoft SQL Server.

                          About Password Expiration

                          If you use database authentication, then implement password expiration policies on the database server if your RDBMS supports them; for example, configure database passwords to expire after a defined period unless they are changed.

                          On some RDBMSs this functionality is provided by default; on others this functionality, if provided, must be configured. For information on the password expiration policies supported by your RDBMS, see the appropriate RDBMS vendor documentation.

                          Note: Support for password expiration policies and database user account password change through Siebel Business Applications is available only on supported IBM DB2 RDBMS operating systems.

                            Implementing Database Authentication with Microsoft SQL Server

                            This topic describes additional tasks you must perform when implementing database authentication if you are using Siebel Business Applications with an MS SQL Server database. For information on implementing database authentication, see Implementing Database Authentication.

                            When you install the Siebel Server, an ODBC data source name (DSN) is created, which the Siebel Server uses to connect to the Siebel database. If you implement database authentication, and you are using Siebel Business Applications with a Microsoft SQL Server database, then make sure that you select the correct ODBC DSN configuration settings; if you do not, Siebel Web Clients can log in to the Siebel application without providing a password.

                            When you configure the ODBC DSN settings for an MS SQL Server database, you can choose from the following authentication options:

                            • Windows authentication using the network login ID

                              This option allows users to access applications on the server by entering a network login ID only. If you select this option, then Siebel Web Clients attempting to access the Siebel application are not required to enter a password.

                            • SQL Server authentication using a login ID and password entered by the user

                              This option requires users attempting to access applications on the server to enter a valid user ID and password. Select this option to make sure that Siebel Web Clients must enter both a Siebel user ID and a password to access the Siebel application.

                            The following procedure describes how to set the MS SQL Server ODBC data source settings on your Siebel Server.

                            To set ODBC data source values for Microsoft SQL Server

                            1. On the Siebel Server computer, from the Start menu, choose Settings, Control Panel, Administrative Tools, and then the Data Sources (ODBC) item.

                            2. On the ODBC Data Source Administrator dialog box, select the System DSN tab.

                            3. Select the Siebel data source name, and click Configure. The default Siebel data source name (DSN) is EnterpriseName_DSN, where EnterpriseName is the name you assigned the Siebel Enterprise when you configured it.

                              The Microsoft SQL Server DSN Configuration screen appears.

                            4. You are presented with the following authentication options:

                              • Windows authentication using the network login ID.

                                Do not select this option.

                              • SQL Server authentication using a login ID and password entered by the user.

                                Select this option to make sure that Siebel Web Clients must enter both a Siebel user ID and a password to access the Siebel application.

                            5. Amend any other configuration options as required, then click Next.

                            6. Click Finish.
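After completing the procedure above, it is worth confirming the setting from the registry rather than by trusting the dialog, especially across several Siebel Servers. The following script is an added example, not Siebel's own tooling. It assumes (my assumptions, not stated on the page) that System DSNs are stored under HKLM\SOFTWARE\ODBC\ODBC.INI\<DSN name> (under WOW6432Node for 32-bit DSNs) and that the SQL Server ODBC drivers record the Windows-authentication choice as the value Trusted_Connection=Yes; the DSN name SIEBEL_DSN is a constructed stand-in for EnterpriseName_DSN.

```python
"""Added example (not Siebel code): audit a Microsoft SQL Server System DSN so that
Windows authentication (which lets Siebel Web Clients in without a password) is
not in use.  Registry location and the Trusted_Connection value are assumptions
about standard ODBC driver behaviour, not facts taken from the Siebel guide."""
import sys
from typing import Dict, Tuple

# Values the SQL Server ODBC drivers use to mean "Windows authentication".
TRUSTED_VALUES = {"yes", "true", "1"}


def dsn_uses_windows_auth(values: Dict[str, str]) -> bool:
    """True when the DSN is set to Windows authentication (the option to avoid)."""
    flag = str(values.get("Trusted_Connection", "No")).strip().lower()
    return flag in TRUSTED_VALUES


def audit_dsn(name: str, values: Dict[str, str]) -> Tuple[bool, str]:
    """Return (ok, message) for one DSN; ok is False for the insecure setting."""
    if dsn_uses_windows_auth(values):
        return False, (f"{name}: Trusted_Connection={values.get('Trusted_Connection')!r}; "
                       "Siebel Web Clients could log in without a password")
    return True, f"{name}: SQL Server authentication (login ID and password required)"


def read_system_dsn(name: str, wow6432: bool = False) -> Dict[str, str]:
    """Windows only: read every value of a System DSN from the registry.
    Assumed location: HKLM\\SOFTWARE\\[WOW6432Node\\]ODBC\\ODBC.INI\\<name>."""
    import winreg  # standard library on Windows; absent elsewhere
    base = r"SOFTWARE\WOW6432Node\ODBC\ODBC.INI" if wow6432 else r"SOFTWARE\ODBC\ODBC.INI"
    values: Dict[str, str] = {}
    with winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE, base + "\\" + name) as key:
        index = 0
        while True:
            try:
                vname, vdata, _vtype = winreg.EnumValue(key, index)
            except OSError:       # EnumValue raises when the index runs past the end
                break
            values[vname] = vdata
            index += 1
    return values


if __name__ == "__main__":
    # Usage: python audit_dsn.py EnterpriseName_DSN
    dsn_name = sys.argv[1] if len(sys.argv) > 1 else "SIEBEL_DSN"  # constructed default
    ok, message = audit_dsn(dsn_name, read_system_dsn(dsn_name))
    print(message)
    sys.exit(0 if ok else 1)
```

Run it on the Siebel Server with the real DSN name; a non-zero exit means the DSN still uses Windows authentication. If the Siebel Server is a 32-bit process on 64-bit Windows, pass wow6432=True to read the 32-bit DSN instead.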

                              About Authentication for LDAP Security Adapter

                              Siebel Business Applications include security adapters that are based on LDAP standards, allowing customers to use LDAP directory products for user authentication. LDAP security adapter authentication can offer the following benefits:

                              • User authentication external to the database

                              • Automatic updating of the directory with new or modified user information entered through the Siebel Business Applications user interface by an internal administrator, a delegated administrator, or a self-registering user

                              Security adapter authentication provides a user with access to the Siebel application for which the security adapter is configured. Different Siebel Business Applications can be configured to use different security adapters.

                              Before implementing security adapter authentication for LDAP security adapters, note the following:

                              • You must install the Oracle Database Client, which contains the Oracle LDAP Client, on the Siebel Server or Siebel Gateway computer if you choose the LDAP security adapter.

                              • How you configure communications encryption between the Siebel security adapter and the directory server differs depending on the security adapter you use. TLS encryption is supported with the LDAP security adapter. For more information, see Configuring Secure Communications for Security Adapters.

                              For more information about LDAP security adapter authentication, see the following topics:

                                LDAP Security Adapter Authentication Process

                                In an implementation using LDAP authentication, the security adapter authenticates a user’s credentials against the directory and retrieves database login credentials from the directory. The security adapter functions as the authentication service in this architecture. The steps in the LDAP security adapter authentication process are:

                                1. The user enters credentials to a Siebel Business Applications login form.

                                  These user credentials (a user name and password) can vary depending on the way you configure the security adapter. For example, the user name could be the Siebel user ID or an identifier such as an email address or telephone number. The user credentials are passed to the Siebel Application Interface and then to the Application Object Manager, which in turn passes them to the authentication manager.

                                2. The authentication manager determines how to process the user credentials and calls the security adapter to validate the credentials against the directory.

                                  Note: The LDAP security adapter used with Siebel Business Applications allows special characters in passwords. Be aware, however, that only a limited number of special characters are supported for use in Siebel passwords. Passwords are also subject to the requirements and limitations imposed by the external directory service. For additional information, see Characters Supported in Siebel Passwords.
                                3. The security adapter returns the Siebel user ID and a database credential assigned to this user to the authentication manager. (If roles are used, they are also returned to the authentication manager.)

                                4. The Application Object Manager (or other module that requested authentication services) uses the returned credentials to connect the user to the database and to identify the user.
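The two adapter modes described under Security Adapter Authentication (with authentication, and without authentication for Web SSO) and the LDAP process just listed differ in exactly one step: whether the adapter verifies the user's password before handing back the Siebel user ID, database account and roles. The following toy adapter is an added example, not Siebel code, and runs against a constructed in-memory directory instead of a real LDAP server. It assumes (my assumptions) that the directory stores userPassword as an RFC 2307 style {SSHA} value and uses the invented attribute names siebelUserId, siebelDbAccount and siebelRoles in place of whatever attributes a real profile maps.

```python
"""Added example (not Siebel code): a toy security adapter showing the LDAP
authentication mode and the Web SSO lookup mode against a constructed directory.
Attribute names and the {SSHA} password format are assumptions, not from the page."""
import base64
import hashlib
import hmac
import os
from typing import Dict, Optional


def make_ssha(password: str, salt: Optional[bytes] = None) -> str:
    """{SSHA} = base64(sha1(password + salt) + salt); 8 random salt bytes by default."""
    salt = os.urandom(8) if salt is None else salt
    digest = hashlib.sha1(password.encode("utf-8") + salt).digest()
    return "{SSHA}" + base64.b64encode(digest + salt).decode("ascii")


def verify_ssha(password: str, stored: str) -> bool:
    """Constant-time check of a password against a {SSHA} userPassword value."""
    if not stored.startswith("{SSHA}"):
        return False
    raw = base64.b64decode(stored[len("{SSHA}"):])
    digest, salt = raw[:20], raw[20:]          # SHA-1 digest is 20 bytes, salt follows
    candidate = hashlib.sha1(password.encode("utf-8") + salt).digest()
    return hmac.compare_digest(candidate, digest)


# Constructed directory, keyed by the login name (the "Username" attribute).
DIRECTORY: Dict[str, Dict[str, object]] = {
    "jdoe": {
        "siebelUserId": "JDOE",
        "siebelDbAccount": {"username": "SBL_APP", "password": "constructed-db-pw"},
        "userPassword": make_ssha("Correct-Horse-7", salt=b"\x01" * 8),
        "siebelRoles": ["Sales Representative"],
    },
}


class AuthenticationFailed(Exception):
    pass


def _credentials(entry: Dict[str, object]) -> Dict[str, object]:
    """What the adapter hands back to the Application Object Manager."""
    return {
        "siebel_user_id": entry["siebelUserId"],
        "db_account": entry["siebelDbAccount"],
        "roles": list(entry.get("siebelRoles", [])),
    }


def adapter_with_authentication(username: str, password: str) -> Dict[str, object]:
    """LDAP mode: verify the user's own password in the directory, then retrieve
    the Siebel user ID, database account and roles."""
    entry = DIRECTORY.get(username)
    # Run the hash check even for unknown users and return one generic error, so
    # neither timing nor the message reveals which user names exist.
    stored = str(entry["userPassword"]) if entry else make_ssha("", b"\x00" * 8)
    if not verify_ssha(password, stored) or entry is None:
        raise AuthenticationFailed("invalid user name or password")
    return _credentials(entry)


def adapter_web_sso(identity_key: str) -> Dict[str, object]:
    """Web SSO mode: no password check at all. The identity key is trusted as-is,
    so it must be something the browser cannot forge: supplied by the external
    authentication service, never read from a client-controlled value."""
    entry = DIRECTORY.get(identity_key)
    if entry is None:
        raise AuthenticationFailed("identity key not found in directory")
    return _credentials(entry)


def login_fails(fn, *args) -> bool:
    """Helper so callers can check the failure path without try/except."""
    try:
        fn(*args)
    except AuthenticationFailed:
        return True
    return False
```

The security point is visible in adapter_web_sso: it performs no verification, which is why the page insists that the identity key be accepted only from the external authentication service. Anything that lets a client inject that key directly turns Web SSO mode into unauthenticated access with a valid database account.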

                                  Directory Servers Supported by Siebel CRM

                                  This topic outlines the directory servers supported by the Siebel LDAP security adapters. Siebel CRM supports the following directory servers:

                                  • LDAP directory servers. Siebel CRM supports any directory server that meets both of the following requirements:

                                    • The LDAP directory server is compliant with the LDAP 3.0 standard

                                    • Password management is handled in either one of the following ways:

                                      • The directory server implements the IETF password policy draft (09) standard.

                                      • Password management functions, such as password expiry and other password-messaging features, are handled externally to the directory server.

                                    Administering the Directory through Siebel Business Applications

                                    If you choose to administer the LDAP directory through Siebel Business Applications, then be aware that in large implementations timeout issues can occur. To prevent timeout issues:

                                    • Use the LDAP security adapter.

                                    • Do not set the Base DN to the root level of your directory server.

                                    For help with overall design recommendations and performance improvement, contact your Oracle sales representative for Oracle Advanced Customer Services to request assistance.

                                      Communicating with More Than One Authentication Server

                                      The LDAP security adapter provided with Siebel Business Applications currently does not support communication with more than one directory server. However, the following options are available:

                                      • Failover functionality can be implemented to a limited degree for the LDAP security adapter. To implement failover functionality, specify the names of the primary and secondary servers for the Server Name parameter of the LDAP security adapter profile. For example:

                                        ServerName=ldap1 ldap2
                                        

                                        If communication cannot be established between the Siebel Application Object Manager and the primary LDAP server, then failover to the secondary LDAP server occurs. If the Application Object Manager can communicate with the primary server, but LDAP functionality on the server is not available, then failover to the secondary server does not occur.

                                      • Oracle provides products that enable LDAP security adapters to communicate with multiple LDAP-compliant directories. For information on Oracle Virtual Directory, go to

                                        http://www.oracle.com/technetwork/testcontent/index-093158.html
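Because failover happens only when a connection cannot be established, a primary that accepts TCP connections but no longer serves LDAP silently blocks every login. The probe below is an added example, not Siebel code: it parses the ServerName value, sends a hand-encoded anonymous LDAPv3 bind to each host on plain port 389 (TLS ports are not handled), and distinguishes "down", "TCP only" and "LDAP answering". The fake servers are test doubles constructed here so the script runs offline; the report of which host the adapter "would use" applies the documented rule (first host that accepts a connection).

```python
"""Added example (not Siebel code): check each host in an LDAP security adapter
ServerName value for real LDAP availability, not just TCP reachability."""
import socket
import threading
from typing import Callable, List, Optional, Tuple

# Anonymous LDAPv3 bind request, message id 1, BER-encoded by hand:
# SEQUENCE { INTEGER 1, [APPLICATION 0] { INTEGER 3, OCTET STRING "", [0] "" } }
ANON_BIND_REQUEST = bytes.fromhex("300c020101600702010304008000")
# Minimal bindResponse(success) for the same message id (used only by the test double):
# SEQUENCE { INTEGER 1, [APPLICATION 1] { ENUMERATED 0, OCTET STRING "", OCTET STRING "" } }
BIND_RESPONSE_SUCCESS = bytes.fromhex("300c02010161070a010004000400")


def parse_server_name(value: str) -> List[str]:
    """'ServerName=ldap1 ldap2' (or just 'ldap1 ldap2') -> ['ldap1', 'ldap2']."""
    if "=" in value:
        key, _, value = value.partition("=")
        if key.strip() != "ServerName":
            raise ValueError(f"unexpected parameter {key.strip()!r}")
    hosts = value.split()
    if not hosts:
        raise ValueError("ServerName is empty")
    return hosts


def is_bind_response(data: bytes) -> bool:
    """LDAPMessage { messageID INTEGER, protocolOp } where bindResponse is tag 0x61.
    Short-form BER lengths are assumed; a bind response is only a few bytes.
    Any bindResponse counts, even 'inappropriate authentication': it proves LDAP is served."""
    if len(data) < 6 or data[0] != 0x30 or data[2] != 0x02:
        return False
    id_len = data[3]
    return len(data) > 4 + id_len and data[4 + id_len] == 0x61


def probe(host: str, port: int = 389, timeout: float = 2.0) -> str:
    """'down' (no TCP connection), 'tcp_only' (connected, no bindResponse), or 'ldap_ok'."""
    try:
        sock = socket.create_connection((host, port), timeout=timeout)
    except OSError:
        return "down"
    with sock:
        try:
            sock.sendall(ANON_BIND_REQUEST)
            data = sock.recv(64)
        except OSError:            # reset or timeout after connecting
            return "tcp_only"
    if not data:                   # peer accepted and closed without answering
        return "tcp_only"
    return "ldap_ok" if is_bind_response(data) else "tcp_only"


def check_failover_chain(server_name_value: str, port: int = 389, timeout: float = 2.0,
                         probe_fn: Callable[[str, int, float], str] = probe
                         ) -> Tuple[List[Tuple[str, str]], Optional[str]]:
    """Probe every host, and report which one the adapter would end up using under
    the documented rule: the first host that accepts a connection, whether or not
    LDAP works there (an LDAP failure on a reachable host does not fail over)."""
    states = [(host, probe_fn(host, port, timeout)) for host in parse_server_name(server_name_value)]
    chosen = next((host for host, state in states if state != "down"), None)
    return states, chosen


# Test doubles (constructed here so the example runs offline).
def start_fake_server(reply: Optional[bytes]) -> int:
    """Accept one connection on 127.0.0.1, send `reply` if given, close. Returns the port."""
    srv = socket.socket()
    srv.bind(("127.0.0.1", 0))
    srv.listen(1)
    port = srv.getsockname()[1]

    def run() -> None:
        conn, _ = srv.accept()
        with conn:
            conn.recv(64)
            if reply:
                conn.sendall(reply)
        srv.close()

    threading.Thread(target=run, daemon=True).start()
    return port


def free_port() -> int:
    """A loopback port with nothing listening (bind to 0, read it back, release it)."""
    with socket.socket() as s:
        s.bind(("127.0.0.1", 0))
        return s.getsockname()[1]


if __name__ == "__main__":
    import sys
    report, would_use = check_failover_chain(sys.argv[1] if len(sys.argv) > 1 else "ServerName=ldap1 ldap2")
    for host, state in report:
        print(f"{host}: {state}")
    print("adapter would use:", would_use)
```

Run it with the real ServerName value from the adapter profile; a chosen host reported as tcp_only is the case the page warns about, because the adapter will stay on that server while logins fail.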

                                        Requirements for the LDAP Directory

                                        If you implement LDAP security adapter authentication with Siebel Business Applications, then you must provide a directory product that meets the requirements outlined in this topic. The directory product you provide can be one of the directory servers supported by the security adapters provided with Siebel Business Applications, or another directory server of your choice. The following options are available:

                                        • If you provide one of the directory servers supported by Siebel Business Applications (that is, a supported LDAP directory), then you can use a security adapter provided by Siebel Business Applications, or you can create your own security adapter that complies with Siebel Business Applications.

                                        • If you provide a directory other than those supported by the security adapters provided with Siebel Business Applications, then you are responsible for implementing a security adapter that supports this directory.

                                        For specific information about directory server products supported by Siebel Business Applications, see the Certifications tab on My Oracle Support.

                                          About Setting Up the LDAP Directory

                                          To provide user access to a Siebel application implementing an LDAP security adapter, the Siebel application must be able to retrieve credentials to access the database and the user’s Siebel user ID. Therefore you must set up a directory from which a database account and a Siebel user ID can be retrieved for each user.

                                          Your LDAP directory must store, at a minimum, the following data for each user. Each piece of data is contained in an attribute of the directory:

                                          • Siebel user ID. This attribute value must match the value in the user ID field for the user’s Person record in the Siebel database. It is used to identify the user’s database record for access-control purposes.

                                          • Database account. This attribute value must be of the form username=U password=P, where U and P are credentials for a database account. You can have any amount of space between the two key-value pairs, but you cannot have any space within each pair. The keywords, username and password, must be lowercase.

                                            If you choose, you can configure a designated directory entry to contain credentials of a database account that is shared by many users; this is the shared database account. If you implement a shared database account, then you can specify the value for the shared database account user name and password in profile parameters for the LDAP Security Adapter profile instead of in an attribute value for the directory entry. For more information, see Configuring the Shared Database Account.

                                            Note: Even if you use a shared database account with external directory authentication, you must create a separate database account for any user who requires administrator access to Siebel Business Applications functionality, for example, any user who has to perform Siebel Server management and configuration tasks. The database account user ID and password you create for the user must match the user ID and password specified for the user in the external directory.

                                          • Username. This attribute value is the key passed to the directory that identifies the user. In a simple implementation, the user name might be the Siebel user ID, and so it might not have to be a separate attribute.

                                          • Password. Stores a user’s login password for the LDAP server. Whether or not the password is stored in the directory depends on whether or not you are using Web SSO:

                                            • If the user authenticates through the LDAP directory using the LDAP security adapter, then the login password must be stored in the userPassword attribute of the LDAP directory.

                                            • If the user is authenticated by an authentication service, such as in a Web SSO implementation, then a password attribute is not required.

                                            The Password Attribute Type parameter is used to specify the attribute type under which the user’s login password is stored in the directory. For additional information on the Password Attribute Type parameter, see Server Parameters for Siebel Gateway.

                                          It is recommended that you implement password hashing for both user passwords and database credentials stored in the directory. You can also define access control lists (ACLs) to restrict access to directory objects containing password information. For information on setting up directory ACLs, see your directory vendor documentation. For information on password hashing, see About Password Hashing.

                                          You can use additional user attributes to store data, for example, first and last name, as required by your authentication solution.

                                          If you create a new attribute object for your directory to store Siebel attributes (for example, Siebel User ID), then you can use the Private Enterprise Number that Siebel Business Applications has registered with the Internet Assigned Numbers Authority (http://www.iana.org) to provide a unique X.500 Object ID. This number is 1.3.6.1.4.1.3856.*.

                                          An additional type of data, roles, is supported, but is not required. Roles are an alternate means of associating Siebel responsibilities with users. Responsibilities are typically associated with users in the Siebel database, but they can instead be stored in the directory. Leave role values empty to administer responsibilities from within Siebel Business Applications. For more information, see Configuring Roles Defined in the Directory.

                                            About Creating the Application User in the Directory

                                            Depending on your authentication and registration strategies, and the options that you implement for your deployment, you must define a user, called the application user, in the directory.

                                            The application user is the only user who can read or write user information in the directory. Therefore, it is critical that the application user has appropriate search and write privileges to the directory. For information on creating the application user, see Configuring the Application User.

                                              Process of Implementing LDAP Security Adapter Authentication

                                              This topic describes the tasks involved in implementing LDAP security adapter authentication. Implement your authentication architecture in a development environment before deploying it in a production environment.

                                              The process outlined in this topic provides instructions for implementing and testing security adapter authentication for a single Siebel application using an LDAP security adapter with one of the supported directory servers. The security adapter authenticates a user’s credentials against the directory and retrieves login credentials from the directory. A user is authenticated by the user’s Siebel user ID and a password.

                                              You can repeat the appropriate tasks listed in this topic to provide security adapter authentication for additional Siebel Business Applications. You can also implement components and options that are not included in this process. For additional information about security adapter authentication options, see Security Adapter Deployment Options. For information about special considerations in implementing user authentication, see Troubleshooting User Authentication Issues.

                                              Note: If you use a security adapter that is not provided by Siebel Business Applications, then it must support the Siebel Security Adapter Software Developers Kit, which is described in Security Adapter SDK. You must adapt the applicable parts of the following task instructions to your security adapter.

                                              You must perform the following tasks to set up and test a typical LDAP security adapter authentication architecture:

                                              1. Verify that all requirements are met. For information on the requirements, see Requirements for Implementing an LDAP Authentication Environment for Oracle LDAP Client Installation.

                                              2. Review About Creating a Database Login for Externally Authenticated Users.

                                              3. Set up the attributes for users in the directory. See Setting Up the LDAP Directory.

                                              4. Create users in the directory: a regular user, the anonymous user, and the application user. See Creating Users in the LDAP Directory.

                                              5. Add user records in the Siebel database corresponding to the users in the directory. See Adding User Records in the Siebel Database.

                                              6. Edit parameters related to security adapter authentication in the Siebel Application Interface profile. See LDAP Security Adapter Authentication Parameters in the Siebel Application Interface Profile.

                                              7. Select the security adapter you want to use (LDAP or Custom) and then configure parameters for the selected security adapter. Use one of the following methods:

                                                • Use Siebel Management Console

                                                  Start the Siebel Management Console, select the security adapter you want to use (LDAP or Custom), and then specify the appropriate values for the following parameters:

                                                  • Enterprise Security Authentication Profile (Security Adapter Mode)

                                                  • Security Adapter Name (named subsystem)

                                                  For more information, see Configuring Security Adapters Using the Siebel Management Console.

                                                • Edit the parameters directly for Siebel Gateway

                                                  You can select the security adapter you want to use, and then configure the parameters for the security adapter by editing the parameters directly using Siebel Server Manager. For more information, see Configuring Security Adapter Parameters for Siebel Gateway.

                                                • Edit the application configuration file (Developer Web Clients only)

                                                  For Developer Web Clients only, you configure parameters for the security adapter in the application configuration file. For more information, see Configuring Security Adapter Parameters for Developer Web Clients.

                                              8. (Developer Web Clients only) Set the required system preference. See Setting a System Preference for Developer Web Clients.

                                              9. Restart the servers. See Restarting Servers.

                                              10. Test the authentication system. See Testing the LDAP Authentication System.

                                                Requirements for Implementing an LDAP Authentication Environment for Oracle LDAP Client Installation

                                                This topic describes the requirements for implementing an LDAP authentication environment. The Siebel default authentication method is database authentication, but if you want to implement LDAP authentication instead, then verify that the requirements outlined in this topic are in place.

                                                This task is a step in Process of Implementing LDAP Security Adapter Authentication and Installing and Configuring Oracle LDAP Client Software.

                                                You must complete the following tasks before you can configure an LDAP security adapter for your environment and install Oracle LDAP Client software:

                                                • Install the Web server.

                                                • Install the LDAP directory.

                                                • Install the Siebel Enterprise Server components (Siebel Gateway, Siebel Server, and Database Configuration Utilities).

                                                  For information on this task, see Siebel Installation Guide for the operating system you are using.

                                                • Review Requirements for the LDAP Directory.

                                                  To implement LDAP authentication, you must be experienced with administering the directory. That is, you must be able to perform tasks such as creating and modifying user storage subdirectories, creating attributes, creating users, and providing privileges to users.

                                                • (LDAP only) If you are using LDAP authentication, whether for deployments with Oracle Database or for deployments with a non-Oracle database, then you must install the Oracle Database Client, which contains the Oracle LDAP Client software.

                                                  Consider the following requirements for the Oracle LDAP Client installation in a Siebel environment:

                                                  • The Oracle LDAP Client must be installed on each Siebel Server or Siebel Gateway computer for which LDAP authentication is to be supported using the LDAP security adapter. For deployments with Oracle Database, the Oracle LDAP Client software can be installed either before or after you install the Siebel Server.

                                                  • Oracle Wallet Manager, which is required if you are supporting TLS, is an application you use to generate wallets. Wallets are containers that store authentication and signing credentials, such as trusted certificates, which are required for Siebel Business Applications to communicate with LDAP directory servers.

                                                  • For deployments with Oracle Database, Siebel Developer Web Client deployments only support database authentication.

                                                  For more information about the requirements for installing the Oracle LDAP Client, see Siebel Installation Guide for the operating system you are using.

                                                  Note: If you are using LDAP security adapter authentication, then you must download and install the latest Oracle Database Client (which contains the Oracle LDAP Client) from Oracle Software Delivery Cloud, even if you are using Siebel Business Applications with an Oracle Database and have previously installed the Oracle LDAP Client. Be aware that only one Oracle LDAP Client can be used in a Siebel CRM implementation, so if you download and install the latest Oracle Database Client (containing the Oracle LDAP Client) from Oracle Software Delivery Cloud to enable LDAP authentication, then you must also use this client to connect to your Oracle Database.

                                                • Have available a URL or hyperlink with which users can access the login form for the Siebel application you are configuring.

                                                  About Creating a Database Login for Externally Authenticated Users

                                                  A database login must exist for all users who log in to Siebel Business Applications through an external authentication system. If you are implementing LDAP security adapter authentication, then verify that this login name is present; if it does not exist, then create it. This database login must not be assigned to any individual user.

                                                  This task is a step in Process of Implementing LDAP Security Adapter Authentication.

                                                  A database login is created for externally authenticated users during the Siebel installation process. If you are using an Oracle or Microsoft SQL Server database, then the account is created when you run the grantusr.sql script. If you are using a DB2 database, then the database administrator manually creates this account. For additional information, see Siebel Installation Guide for the operating system you are using.

                                                  The default user ID of the database login account for externally authenticated users is LDAPUSER. A password is assigned to this database account when the account is created. A Siebel application user account corresponding to the LDAPUSER database account is not provided in the seed data and is not required.

                                                    Setting Up the LDAP Directory

                                                    When you implement LDAP authentication, users are authenticated through a directory. This topic describes how to set up the directory to do the following:

                                                    • Authenticate users through the directory.

                                                    • Allow self-registration.

                                                    • Use the Siebel user ID as the user name.

                                                    This task is a step in Process of Implementing LDAP Security Adapter Authentication.

                                                    The following procedure describes how to set up the LDAP directory. For more information about setting up the directory, review About Setting Up the LDAP Directory.

                                                    To set up the LDAP directory

                                                    1. Determine the Base Distinguished Name, that is, the location in the directory in which to store users. For details, see the Base Distinguished Name (DN) parameter description in Server Parameters for Siebel Gateway.

                                                      You cannot distribute the users of a single Siebel application in more than one base DN. However, you can store multiple Siebel Business Applications’ users in one base DN or in substructures such as organization units (OU), which are used for LDAP.

                                                    2. Define the attributes to use for the following user data. Create new attributes if you do not want to use existing attributes. Suggested attributes to use are as follows:

                                                      • Siebel user ID. Suggested attribute: uid for LDAP.

                                                      • Database account. Suggested attribute: dbaccount.

                                                      • Password. Suggested attribute (for LDAP only): userPassword.

                                                      Optionally, use other attributes to represent first name, last name, or other user data.

                                                      Creating Users in the LDAP Directory

                                                      This topic describes the users you must create in the LDAP directory to implement LDAP security adapter authentication.

                                                      This task is a step in Process of Implementing LDAP Security Adapter Authentication.

                                                      When you use LDAP authentication, you must create the following users in the directory:

                                                      • Application user. Make sure the application user has write privileges to the directory because the security adapter uses application user credentials when using the self-registration component. The application user must also have search privileges for all user records. For additional information, see Configuring the Application User.

                                                      • Anonymous user. You must define an anonymous user even if your application does not allow access by unregistered users. For more information, see Configuring the Anonymous User.

                                                      • Records for each user of the Siebel application. Initially, create a test user to verify the authentication system.

                                                      • (Optional) A shared credentials user account. You can also store credentials for the shared database account as profile parameters for the LDAP security adapter profiles. For more information, see Configuring the Shared Database Account.

                                                      Create users in the directory using values similar to those shown in the following table. Store information for users in the directory attributes indicated in Setting Up the LDAP Directory. Optionally, complete other attribute entries for each user.

                                                      Table Records in the LDAP Directory

                                                      Anonymous user

                                                        Siebel User ID: Enter the user ID of the anonymous user record for the Siebel application you are implementing.

                                                        • You can use a seed data anonymous user record for a Siebel customer or partner application. For example, if you implement Siebel eService, enter GUESTCST.

                                                        • You can create a new user record or adapt a seed anonymous user record for a Siebel employee application.

                                                        Password: GUESTPW or a password of your choice.

                                                        Database Account: A database account is not required for the anonymous user if a shared database credentials account is implemented; the database credentials for the anonymous user are read from the shared database account user record or the relevant profile parameter of the LDAP security adapter.

                                                      Application user

                                                        Siebel User ID: APPUSER or a name of your choice.

                                                        Password: APPUSERPW or a password of your choice.

                                                        Database Account: A database account is not used for the application user.

                                                      A test user

                                                        Siebel User ID: TESTUSER or a name of your choice.

                                                        Password: TESTPW or a password of your choice.

                                                        Database Account: A database account is not required for any user record, except the anonymous user or the shared credentials user account.

                                                      Shared database credentials account user

                                                        Siebel User ID: SharedDBUser or a name of your choice. The user name and password you specify for the shared database account must be a valid Siebel user name and password.

                                                        Password: SharedDBPW or a password of your choice.

                                                        Database Account: username=SHAREDDBUSER password=P. For information about formatting requirements for the database account attribute entry, see About Setting Up the LDAP Directory.

                                                      The example directory entries in the table in this topic implement a shared credential. The database account for all users is stored in one object in the directory. In this example, the shared database account is stored in the SharedDBUser record. The database account must match the database account you reserve for externally authenticated users which is described in About Creating a Database Login for Externally Authenticated Users. The P symbol represents the password for that database account. For additional information, see Configuring the Shared Database Account.
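To check a directory export against the attribute rules given in About Setting Up the LDAP Directory and the user records in the table above, here is an added Python example (not Siebel's or Oracle's own code). It assumes the suggested attribute names uid, userPassword and dbaccount, a constructed base DN ou=siebel,dc=example,dc=com, the page's placeholder passwords, and function names of my own choosing.

```python
"""Readiness checks for the directory entries behind a Siebel LDAP security adapter.

Added example; not Siebel's or Oracle's own code. It encodes the rules this page
states for the directory data: the database account attribute has the form
"username=U password=P" (lowercase keywords, any amount of space between the
pairs, none inside a pair); every entry carries the Siebel user ID; the login
password is required unless Web SSO authenticates the user; with a shared
database account only that entry needs the attribute; the application user
carries no database account. Sample entries and function names are constructed.
"""
import re
from typing import Dict, List, Optional, Set, Tuple

# Lowercase keywords, no whitespace inside a pair, one or more whitespace
# characters between the pairs (ASSUMED reading of "any amount of space":
# at least one, since the two pairs could not otherwise be told apart).
_DB_ACCOUNT_RE = re.compile(r"^username=(\S+)\s+password=(\S+)$")


def parse_db_account(value: str) -> Tuple[str, str]:
    """Return (username, password) from a dbaccount value, or raise ValueError."""
    match = _DB_ACCOUNT_RE.match(value)
    if match is None:
        raise ValueError(f"malformed database account attribute: {value!r}")
    return match.group(1), match.group(2)


def format_db_account(username: str, password: str) -> str:
    """Build a dbaccount value, refusing credentials the format cannot carry."""
    for label, part in (("username", username), ("password", password)):
        if not part or re.search(r"\s", part):
            raise ValueError(f"{label} must be non-empty and contain no whitespace")
    return f"username={username} password={password}"


def check_directory_entries(entries: List[Dict[str, str]], *,
                            application_user_uid: str,
                            shared_account_uid: Optional[str] = None,
                            expected_db_login: Optional[str] = None,
                            web_sso: bool = False) -> List[str]:
    """Return the problems found in a set of directory entries (empty list: ready).

    Each entry maps attribute name to value, as a directory export would give
    it. expected_db_login is the database login reserved for externally
    authenticated users (LDAPUSER by default, per this page).
    """
    problems: List[str] = []
    seen: Set[str] = set()
    for entry in entries:
        uid = entry.get("uid")
        if not uid:
            problems.append(f"{entry.get('dn', '<no dn>')}: Siebel user ID (uid) missing")
            continue
        if uid in seen:
            problems.append(f"{uid}: duplicate Siebel user ID")
        seen.add(uid)
        if not web_sso and not entry.get("userPassword"):
            problems.append(f"{uid}: userPassword required when the adapter authenticates")
        db_account = entry.get("dbaccount")
        if uid == application_user_uid:
            if db_account:
                problems.append(f"{uid}: application user must not carry a database account")
            continue
        # Without a shared account every remaining entry needs its own credentials.
        needs_account = (uid == shared_account_uid) if shared_account_uid else True
        if needs_account and not db_account:
            problems.append(f"{uid}: database account attribute missing")
        if db_account:
            try:
                db_user, _ = parse_db_account(db_account)
            except ValueError as exc:
                problems.append(f"{uid}: {exc}")
                continue
            # The shared account must be the login reserved for external users
            # (ASSUMED: compared exactly; adjust if your database folds case).
            if uid == shared_account_uid and expected_db_login and db_user != expected_db_login:
                problems.append(f"{uid}: database login {db_user!r} is not {expected_db_login!r}")
    for required in (application_user_uid, shared_account_uid):
        if required and required not in seen:
            problems.append(f"{required}: required entry not found")
    return problems


# Constructed sample following the table "Records in the LDAP Directory"; the
# password values are the page's placeholders and the base DN is made up.
_BASE = "ou=siebel,dc=example,dc=com"
SAMPLE_ENTRIES = [
    {"dn": f"uid=GUESTCST,{_BASE}", "uid": "GUESTCST", "userPassword": "GUESTPW"},
    {"dn": f"uid=APPUSER,{_BASE}", "uid": "APPUSER", "userPassword": "APPUSERPW"},
    {"dn": f"uid=TESTUSER,{_BASE}", "uid": "TESTUSER", "userPassword": "TESTPW"},
    {"dn": f"uid=SharedDBUser,{_BASE}", "uid": "SharedDBUser",
     "userPassword": "SharedDBPW", "dbaccount": format_db_account("LDAPUSER", "P")},
]

if __name__ == "__main__":
    found = check_directory_entries(SAMPLE_ENTRIES, application_user_uid="APPUSER",
                                    shared_account_uid="SharedDBUser",
                                    expected_db_login="LDAPUSER")
    print("ready" if not found else "\n".join(found))
```

Run it against an export of your own user subtree (one dict per entry) to catch a miscased keyword or a missing uid before the first login attempt fails.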

                                                        Adding User Records in the Siebel Database

                                                        This topic describes how to create a record in the Siebel database that corresponds to the test user record you created in Creating Users in the LDAP Directory.

                                                        This task is a step in Process of Implementing LDAP Security Adapter Authentication.

                                                        You must confirm that the seed data record exists for the anonymous user for your Siebel customer or partner application, as described in Seed Data. This record must also match the anonymous user you created in Creating Users in the LDAP Directory.

                                                        You can adapt a seed data anonymous user or create a new anonymous user for a Siebel employee application. To adapt a seed anonymous user for a Siebel employee application, add any views to the anonymous user’s responsibility that would be required for the employee application, such as a home page view in which a login form is embedded.

                                                        For purposes of confirming connectivity to the database, use the following procedure to add the test user for any Siebel application. However, if you are configuring a Siebel employee or partner application, and you want the user to be an employee or partner user, complete with position, division, and organization, then see the instructions for adding such users in Internal Administration of Users.

                                                        The following procedure describes how to add user records to the Siebel database.

                                                        To add user records to the database

                                                        1. Log in as an administrator to a Siebel employee application, such as Siebel Call Center.

                                                        2. Navigate to the Administration - User screen, then the Users view.

                                                        3. In the Users list, create a new record.

                                                        4. Complete the following fields for the test user using values similar to those shown in the following table, then save the record. You can complete other fields, but they are not required.

                                                          Last Name: Required. Enter any name.

                                                          First Name: Required. Enter any name.

                                                          User ID (example: TESTUSER): Required. This entry must match the uid (LDAP) attribute value for the test user in the directory. If you used another attribute, then it must match that value.

                                                          Responsibility: Required. Enter the seed data responsibility provided for registered users of the Siebel application that you implement. For example, enter Web Registered User for eService. If an appropriate seed responsibility does not exist, such as for a Siebel employee application, then assign an appropriate responsibility that you create.

                                                          New Responsibility: Optional. Enter the seed data responsibility provided for registered users of the Siebel application that you implement. For example, enter Web Registered User for eService. This responsibility is automatically assigned to new users created by this test user.

                                                        5. Verify that the seed data user record exists for anonymous users of the Siebel application you implement. If the record is not present, then create it using the field values in Seed Users. You can complete other fields, but they are not required.

                                                          LDAP Security Adapter Authentication Parameters in the Siebel Application Interface Profile

                                                          This topic describes the parameters you must configure in the Siebel Application Interface profile when you implement LDAP security adapter authentication.

                                                          Configure the Siebel Application Interface profile parameters using values similar to those shown in the following table. Specify values for Anonymous User Name and Anonymous User Password in the Basic Information - Authentication section of the application interface profile if you are configuring LDAP authentication for all your Siebel Business Applications. If you are implementing LDAP authentication for a single application, then specify these parameters in the Applications section of the application interface profile. For more information, see Siebel Application Interface Profile Parameters.

                                                          This task is a step in Process of Implementing LDAP Security Adapter Authentication.

                                                          Table Parameter Configuration in Siebel Application Interface Profile for LDAP Security Adapter

                                                          Section in Siebel Management Console (applies to both parameters): the Basic Information - Authentication section under Application Interface Profiles, or the Applications section under Application Interface Profiles, that is, the section that is specific to your application, such as one of the following:

                                                          [/eservice/enu]

                                                          [/callcenter/enu]

                                                          where /enu is the language code for U.S. English.

                                                          Parameter: Anonymous User Name

                                                          Guideline: Enter the user ID of the seed data user record provided for the application that you implement, or of the user record you create for the anonymous user. This entry also matches the uid (LDAP) entry for the anonymous user record in the directory. For example, enter GUESTCST for Siebel eService.

                                                          Parameter: Anonymous User Password

                                                          Guideline: Enter the password you created in the directory for the anonymous user. For information on this parameter, see Encrypted Passwords in Siebel Application Interface Profile Configuration.

                                                            Configuring Security Adapter Parameters for Siebel Gateway

                                                            This topic describes the security-related configuration parameters you use for configuring an LDAP security adapter that are defined in the Siebel Gateway.

                                                            You can modify some Siebel Gateway configuration parameters (such as enterprise profile and object manager parameters) using either Siebel Server Manager or the Siebel Management Console, but others can be modified only using the Siebel Management Console. For example, you cannot modify security profile parameters using Siebel Server Manager; you must use the Siebel Management Console to set them. For information on using Siebel Server Manager to edit parameters on the gateway, see Siebel System Administration Guide. For information on editing parameters using the Siebel Management Console, see Configuring Security Adapters Using the Siebel Management Console.

                                                            This task is a step in Process of Implementing LDAP Security Adapter Authentication.

                                                            You can set security adapter parameters for Siebel Gateway for the following:

                                                            Set security adapter parameters as described in each of these topics. For more information about these parameters, see Server Parameters for Siebel Gateway.

                                                              Parameters for Enterprise, Siebel Servers, or Components

                                                              This topic lists security adapter parameters you can set at the Siebel Gateway level, at the Enterprise level, at the Siebel Server level, or at the component level. Applicable components for which you can set these parameters include all Application Object Manager components and the Synchronization Manager component (for Siebel Remote).

                                                              To implement LDAP authentication for a single Siebel application, set the parameters for the applicable Application Object Manager component, such as for Siebel Call Center or Siebel eService, using values similar to those in the following table.

                                                              Table Siebel Gateway Parameters for Enterprise, Server, or Component

                                                              Subsystem (for both parameters): Security Manager

                                                              Parameter: SecAdptMode

                                                              Guideline: The security adapter mode in which to operate. For LDAP, specify LDAP. For more information about setting this parameter, see the Enterprise Security Authentication Profile (Security Adapter Mode) parameter in the table in Parameters for Configuring Security Adapter Authentication.

                                                              Parameter: SecAdptName

                                                              Guideline: The name of the security adapter. For LDAP, specify LDAPSecAdpt or another name of your choice. The name represents the alias for the enterprise profile (named subsystem) for the specified security adapter. For more information about setting this parameter, see the Security Adapter Name (named subsystem) parameter in the table in Parameters for Configuring Security Adapter Authentication.

                                                                Parameters for Application Object Manager Components

                                                                This topic lists parameters you set for the Application Object Manager component when implementing LDAP authentication for a single Siebel application.

                                                                To implement LDAP authentication for a single Siebel application, set the parameters for the applicable Application Object Manager component, such as for Siebel Call Center or Siebel eService, using values similar to those shown in the following table.

                                                                Table: Siebel Server Parameters for Application Object Manager

                                                                Subsystem: InfraUIFramework
                                                                Parameter: AllowAnonUsers
                                                                Guideline: Enter TRUE for LDAP. Set this parameter to FALSE if your Siebel application does not use functionality that requires anonymous browsing, such as anonymous catalog browsing or user self-registration.

                                                                Subsystem: Object Manager
                                                                Parameter: OM - Proxy Employee (ProxyName)
                                                                Guideline: Enter PROXYE.

                                                                Subsystem: Object Manager
                                                                Parameter: OM - Username BC Field (UsernameBCField)
                                                                Guideline: You can leave this parameter empty.

                                                                Note: These parameters (AllowAnonUsers, ProxyName, and UsernameBCField) are server parameters, and they are not available in the Siebel Management Console.

                                                                  Parameters for Security Adapter (Profile/Named Subsystem)

                                                                  This topic lists parameters you set for the enterprise profile (named subsystem) for the specific security adapter you are configuring.

                                                                  To implement LDAP authentication for a single Siebel application, configure parameters for the LDAP Security Adapter (defined as enterprise profile or named subsystem). Typically, the alias for this adapter is LDAPSecAdpt.

                                                                  Set the security adapter parameters using values similar to those shown in the following table.

                                                                  Table: Siebel Gateway Parameters for Enterprise Profile/Named Subsystem

                                                                  Parameter: Security Adapter Dll Name (SecAdptDllName)
                                                                  Guideline: For LDAP, enter sscforacleldap. Do not include the file extension (for example, do not specify sscforacleldap.dll for LDAP). The specified value is converted internally to the actual filename for your operating system.

                                                                  Parameter: Server Name
                                                                  Guideline: Enter the name of the computer on which the LDAP directory server runs.

                                                                  Parameter: Port
                                                                  Guideline: For LDAP, an example entry is 389. Typically, use port 389 for standard transmission or port 636 for secure transmission.

                                                                  Parameter: Base Distinguished Name (DN)
                                                                  Guideline: The Base Distinguished Name is the root of the tree under which users are stored. Users can be stored directly under this entry or in subdirectories beneath it. You cannot distribute the users of a single Siebel application across more than one base DN. However, you can distribute them across multiple subdirectories, such as organization units (OU), which are used for LDAP.

                                                                  LDAP example entry:

                                                                  ou=people, o=domainname

                                                                  In the example, "o" denotes "organization" and is the domain name system (DNS) name for this server, such as computer.example.com. "ou" denotes "organization unit" and is the name of a subdirectory in which users are stored.

                                                                  Parameter: User Name Attribute Type
                                                                  Guideline: LDAP example entry is uid. If you use a different attribute in the directory for the Siebel user ID, then enter that attribute name.

                                                                  Parameter: Password Attribute Type
                                                                  Guideline: The LDAP entry must be userPassword.

                                                                  Parameter: Credentials Attribute
                                                                  Guideline: If you are using an LDAP security adapter, an example entry is mail. If you use a different attribute in the directory for the database account, then enter that attribute name.

                                                                  Parameter: Application User Distinguished Name (DN)
                                                                  Guideline: LDAP example entry:

                                                                  uid=APPUSER, ou=people, o=domainname

                                                                  Adjust your entry if your implementation uses a different attribute for the user name, a different user name for the application user, or a different base DN.

                                                                  Parameter: Application Password
                                                                  Guideline: For LDAP, enter APPUSERPW or the password assigned to the application user.

                                                                  Parameter: Shared Database Account Distinguished Name (fully qualified domain name)
                                                                  Guideline: LDAP example entry:

                                                                  uid=<shared database account user ID>, ou=people, o=domainname

                                                                  For example:

                                                                  uid=SharedDBUser, ou=people, o=example.com

                                                                    Configuring LDAP Authentication for Developer Web Clients

                                                                    This topic describes the tasks you must perform if you want to implement LDAP security adapter authentication for Developer Web Clients. This task is a step in Process of Implementing LDAP Security Adapter Authentication.

                                                                    To configure LDAP authentication for Developer Web Clients, perform the following tasks:

                                                                    • Configuring Security Adapter Parameters for Developer Web Clients

                                                                    • Setting a System Preference for Developer Web Clients

                                                                      Configuring Security Adapter Parameters for Developer Web Clients

                                                                      For Developer Web Clients, security adapter parameters are configured in the configuration file of the application for which you are implementing LDAP security adapter authentication rather than in the gateway.

                                                                      Parameters in sections of the application configuration file that directly pertain to security adapters apply, in this context, only to the Siebel Developer Web Client. These parameters are counterparts to the parameters (for Siebel Gateway) listed in the tables in the following topics:

                                                                      • Parameters for Enterprise, Siebel Servers, or Components

                                                                      • Parameters for Application Object Manager Components

                                                                      • Parameters for Security Adapter (Profile/Named Subsystem)

                                                                      To configure a security adapter for the Developer Web Client, provide parameter values, as indicated by the guidelines in the following table, in the configuration for the Siebel application for which you are implementing LDAP security adapter authentication.

                                                                      You can use a text editor to make changes to an application’s configuration, or you can do so using the Siebel Management Console. For more information about editing an application’s configuration and about the purposes for the parameters, see Siebel Application Configuration Parameters. For a list of Siebel application configuration files, see Siebel System Administration Guide.

                                                                      Table: Siebel Application Configuration File Parameters

                                                                      Section: [InfraUIFramework]
                                                                      Parameter: AllowAnonUsers
                                                                      Guideline: Enter TRUE for LDAP. Set this parameter to FALSE if your Siebel application does not use functionality that requires anonymous browsing, such as anonymous catalog browsing or user self-registration. Note that AllowAnonUsers is a server parameter, and it is not available in the Siebel Management Console.

                                                                      Section: [InfraSecMgr]
                                                                      Parameter: SecAdptMode
                                                                      Guideline: Specify LDAP for LDAP. For more information about setting this parameter, see the Enterprise Security Authentication Profile (Security Adapter Mode) parameter in the table in Parameters for Configuring Security Adapter Authentication.

                                                                      Section: [InfraSecMgr]
                                                                      Parameter: SecAdptName
                                                                      Guideline: Specify LDAPSecAdpt or another name of your choice for LDAP. For more information about setting this parameter, see the Security Adapter Name (named subsystem) parameter in the table in Parameters for Configuring Security Adapter Authentication.

                                                                      Section: [LDAPSecAdpt]
                                                                      Guideline: For parameters, see Configuring Security Adapter Parameters for Siebel Gateway or Configuration Parameters Related to Authentication.
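                                                                      The following Python linter is an added example (not Siebel code) that reads the [InfraUIFramework], [InfraSecMgr] and security adapter sections of an application configuration file and flags settings that depart from the guidelines in the tables above, showing a weak fragment beside its corrected form. Only SecAdptDllName, SecAdptMode, SecAdptName and AllowAnonUsers are named on this page; the remaining [LDAPSecAdpt] key names are assumed to be the configuration-file spellings of the table entries, and the host name, DNs and passwords are constructed sample values.

```python
"""Lint the security adapter sections of a Siebel application .cfg file
against the guidelines in this chapter. Added example, not Siebel code."""
import configparser

# Constructed Developer Web Client .cfg fragment with several weak settings.
# SecAdptDllName, SecAdptMode, SecAdptName and AllowAnonUsers are named in the
# chapter; the other [LDAPSecAdpt] key names are assumed to be the .cfg
# spellings of the table entries. Host, DNs and passwords are sample values.
WEAK_CFG = """[InfraUIFramework]
AllowAnonUsers = TRUE

[InfraSecMgr]
SecAdptMode = LDAP
SecAdptName = LDAPSecAdpt

[LDAPSecAdpt]
SecAdptDllName = sscforacleldap.dll
ServerName = ldap.example.com
Port = 389
BaseDN = ou=people, o=example.com
UsernameAttributeType = uid
PasswordAttributeType = password
CredentialsAttributeType = mail
ApplicationUser = uid=APPUSER, ou=people, o=example.com
ApplicationPassword = APPUSERPW
SharedCredentialsDN = uid=SharedDBUser, ou=staff, o=example.com
"""

# The same fragment with each weak setting corrected per the guidelines.
HARDENED_CFG = (WEAK_CFG
                .replace("AllowAnonUsers = TRUE", "AllowAnonUsers = FALSE")
                .replace("sscforacleldap.dll", "sscforacleldap")
                .replace("Port = 389", "Port = 636")
                .replace("= password", "= userPassword")
                .replace("ou=staff", "ou=people"))


def normalize_dn(dn):
    """Canonical DN: lower-case attribute types, no blanks around separators."""
    rdns = []
    for rdn in dn.split(","):
        attr, _, value = rdn.partition("=")
        rdns.append(attr.strip().lower() + "=" + value.strip())
    return ",".join(rdns)


def is_under_base_dn(dn, base_dn):
    """True when dn is the base DN itself or an entry somewhere below it."""
    d, b = normalize_dn(dn), normalize_dn(base_dn)
    return d == b or d.endswith("," + b)


def lint_security_config(cfg_text, anonymous_browsing_needed=True):
    """Return (section, parameter, message) findings for a .cfg text."""
    cp = configparser.ConfigParser(interpolation=None)
    cp.optionxform = str  # keep Siebel parameter names case-sensitive
    cp.read_string(cfg_text)
    findings = []

    # AllowAnonUsers: TRUE only when a feature actually needs anonymous browsing
    anon = cp.get("InfraUIFramework", "AllowAnonUsers", fallback="").upper()
    if anon == "TRUE" and not anonymous_browsing_needed:
        findings.append(("InfraUIFramework", "AllowAnonUsers",
                         "set to FALSE: no feature needs anonymous browsing"))
    elif anon != "TRUE" and anonymous_browsing_needed:
        findings.append(("InfraUIFramework", "AllowAnonUsers",
                         "must be TRUE for anonymous browsing/self-registration"))

    # SecAdptName must point at a section that defines the named subsystem
    if cp.get("InfraSecMgr", "SecAdptMode", fallback="") != "LDAP":
        findings.append(("InfraSecMgr", "SecAdptMode", "specify LDAP for LDAP"))
    name = cp.get("InfraSecMgr", "SecAdptName", fallback="")
    if not cp.has_section(name):
        findings.append(("InfraSecMgr", "SecAdptName",
                         "no [%s] section defines the named subsystem" % name))
        return findings  # nothing further to check without the adapter section

    adapter = cp[name]
    if adapter.get("SecAdptDllName", "").lower().endswith((".dll", ".so")):
        findings.append((name, "SecAdptDllName",
                         "omit the file extension; it is added per OS"))
    if adapter.get("Port", "") == "389":
        findings.append((name, "Port",
                         "389 is standard transmission; use 636 for secure"))
    if adapter.get("PasswordAttributeType", "") != "userPassword":
        findings.append((name, "PasswordAttributeType", "must be userPassword"))
    # Both service DNs must sit under the single base DN users are stored in
    base = adapter.get("BaseDN", "")
    for key in ("ApplicationUser", "SharedCredentialsDN"):
        dn = adapter.get(key, "")
        if dn and not is_under_base_dn(dn, base):
            findings.append((name, key, "DN lies outside BaseDN %r" % base))
    return findings


if __name__ == "__main__":
    for finding in lint_security_config(WEAK_CFG, anonymous_browsing_needed=False):
        print("[%s] %s: %s" % finding)
    print("hardened:", lint_security_config(HARDENED_CFG, False))
```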

                                                                        Setting a System Preference for Developer Web Clients

                                                                        If you are configuring LDAP authentication for the Siebel Developer Web Client, then you must set the SecThickClientExtAuthent system preference to True, as described in this topic.

                                                                        Setting the SecThickClientExtAuthent system preference to True allows security adapter authentication for users who log in through the Siebel Developer Web Client. System preferences are enterprise-wide settings; however, the SecThickClientExtAuthent system preference has no effect on security adapter authentication for users who log in through the Siebel Web Client.

                                                                        Use the following procedure to specify a value for the SecThickClientExtAuthent system preference.

                                                                        To set the SecThickClientExtAuthent parameter
                                                                        1. Log in as an administrator to a Siebel employee application.

                                                                        2. Navigate to the Administration - Application screen, then the System Preferences view.

                                                                        3. In the System Preferences list, select the SecThickClientExtAuthent system preference.

                                                                        4. In the System Preference Value column, enter TRUE.

                                                                        5. Restart the Siebel Server.

                                                                          Restarting Servers

                                                                          This topic describes the Windows services on the Web server computer that you must restart to activate the changes you make during the process of configuring LDAP security adapter authentication.

                                                                          This task is a step in Process of Implementing LDAP Security Adapter Authentication.

                                                                          Stop and restart the following services:

                                                                          • Siebel Server system service. Stop and restart the Siebel Server. For details, see Siebel System Administration Guide.

                                                                          • Siebel Gateway system service. Stop and restart the Siebel Gateway. For details, see Siebel System Administration Guide.

                                                                            Testing the LDAP Authentication System

                                                                            After performing all the tasks required to implement LDAP security adapter authentication, you can verify your implementation using the procedure in this topic.

                                                                            This task is a step in Process of Implementing LDAP Security Adapter Authentication.

                                                                            The tests outlined in this topic allow you to confirm that the security adapter provided with Siebel Business Applications, your LDAP directory, and the Siebel application you are implementing work together to:

                                                                            • Provide a Web page on which the user can log in.

                                                                            • Allow an authenticated user to log in.

                                                                            • Allow a user to browse anonymously, if applicable to your Siebel application.

                                                                            • Allow a user to self-register, if applicable to your Siebel application.

                                                                            To test your LDAP authentication implementation, perform the following procedure.

                                                                            To test your LDAP authentication system

                                                                            1. In a Web browser, enter the URL to your Siebel application, for example:

                                                                              http://<siebel_AI_host>:<port_num>/siebel/app/eservice/enu

                                                                              If the authentication system has been configured correctly, then a Web page with a login form appears, confirming that the anonymous user can successfully access the login page.

                                                                            2. Various links provide access to views intended for anonymous browsing. Some other links will require you to log in first.

                                                                              Note: Employee applications, such as Siebel Call Center, typically do not allow anonymous browsing, while customer applications such as Siebel eService do.

                                                                            3. Navigate back to the Web page that contains the login text boxes, and then log in with the user ID and password for the test user you created. Enter TESTUSER or the user ID you created, and TESTPW or the password you created.

                                                                              More screen tabs or other application features might appear, indicating that the test user has authenticated successfully. The user record in the database provides views through the expanded responsibility of this registered user.

                                                                            4. Click the Log Out link.

                                                                            5. Repeat the first step of this procedure to access the login page. If a New User button is present, then click it.

                                                                              If a New User button is not present, then your Siebel application, without additional configuration, does not allow users to self-register.

                                                                            6. In the Personal Information form, complete the required fields, as shown in the following table, and then submit the form. You can complete other fields, but they are not required.

                                                                              Field: Last Name
                                                                              Description: Required. Enter any name.

                                                                              Field: First Name
                                                                              Description: Required. Enter any name.

                                                                              Field: User ID
                                                                              Description: Required. Enter a simple contiguous user ID, which must be unique for each user. Typically, the user provides this user ID to log in. Depending on how you configure authentication, the user might or might not log in with this identifier.

                                                                              Field: Password
                                                                              Description: Optional (required for some authentication implementations). Enter a simple contiguous login password. The password must conform to the syntax requirements of your authentication system, but it is not checked for conformity in this form. For LDAP security adapter authentication, the password is propagated to the user directory. For database authentication, the password is propagated to the database.

                                                                              Field: Verify Password
                                                                              Description: Required when Password is required.

                                                                              Field: Challenge Question
                                                                              Description: Required. Enter a phrase for which there is an "answer." If you later click Forgot Your Password?, then this phrase is displayed, and you must enter the correct answer to receive a new password.

                                                                              Field: Answer to Challenge Question
                                                                              Description: Required. Enter a word or phrase that is considered the correct answer to the challenge question.

                                                                            7. Navigate to the page containing the login text fields.

                                                                            8. Log in using the user ID and password you created earlier in this procedure.

                                                                              If the authentication system has been configured correctly, then you can log in successfully and can navigate in the screens provided for registered users.

                                                                              About Authentication for Siebel Gateway Access

                                                                              The Siebel Gateway registry serves as the dynamic registry for Siebel servers and components. The gateway provides startup information to the application servers and, if compromised, could propagate changes throughout the server environment. To prevent unauthorized changes to the enterprise configuration parameters on the gateway, user access to the gateway is authenticated. Authentication is not implemented for starting the gateway, only for connecting to it.

                                                                              Siebel Gateway authorization is required whether you use the Siebel Management Console, Siebel Server Manager, or other utilities to access the gateway. In each case, you must specify a valid gateway authentication user name and password. For information on the gateway authentication credentials, see About Siebel Gateway Authentication Password.

                                                                                Authentication Mechanisms

                                                                                You can choose to use database authentication, LDAP authentication, or custom authentication for the Siebel Gateway and Enterprise.

                                                                                When you configure Siebel Gateway (the first time you run Siebel Management Console) or subsequently create a profile, the database security adapter is selected by default, which means database authentication is used. You can change this and select an LDAP or a custom security adapter as required.

                                                                                The enterprise profile that you define when configuring the Siebel Enterprise Server using the Siebel Management Console contains the Enterprise Security Authentication Profile (Security Adapter Mode) parameter, the Security Adapter Name (named subsystem) parameter and the Primary Language parameter. You use these parameters to choose the type of authentication to use for the Enterprise.

                                                                                For information on implementing LDAP authentication for Siebel Gateway, see Implementing LDAP Authentication for Siebel Gateway.

                                                                                  Security Profile Configuration

                                                                                  The security profile, which is centrally stored in the registry, contains the configuration parameters that determine how access to Siebel Gateway is authenticated. When a user attempts to log in to the gateway, the server passes the user’s credentials to the authentication provider specified in the security profile, which checks that the user has the administrator privileges required to access the gateway. If the user has these privileges, the gateway starts to process service requests.

                                                                                  Note: Authentication is not required for starting the gateway, only for connecting to it.

                                                                                  You configure the security profile using the Siebel Management Console. For more information on the authentication configuration parameters that you must set for the gateway, see Configuring Security Adapters Using the Siebel Management Console and Parameters for Configuring Security Adapter Authentication.

                                                                                    Implementing LDAP Authentication for Siebel Gateway

                                                                                    This topic describes how to implement LDAP authentication for Siebel Gateway. This involves configuring the Siebel Enterprise Server for LDAP authentication using the Siebel Management Console, then adding parameters to the gateway security profile and the LDAP directory. These tasks are described in the following procedure.

                                                                                    To implement LDAP authentication for Siebel Gateway

                                                                                    1. Using the Siebel Management Console, configure your Siebel Enterprise to use the LDAP security adapter provided with Siebel Business Applications.

                                                                                      For information on this task, see Configuring Security Adapters Using the Siebel Management Console.

                                                                                    2. Add the following parameters to the gateway security profile to specify the security adapter you want to implement.

                                                                                      Section Under Security Profiles: Basic Information
                                                                                      Parameter: [InfraSecMgr] Enterprise Security Authentication Profile (Security Adapter Mode)
                                                                                      Value: The security adapter mode to operate in. For LDAP, specify LDAP.

                                                                                      Section Under Security Profiles: Basic Information
                                                                                      Parameter: [InfraSecMgr] Security Adapter Name (named subsystem)
                                                                                      Value: The name of the security adapter. For LDAP, specify LDAPSecAdpt or another name of your choice.

                                                                                      Section Under Security Profiles: Data Sources
                                                                                      Parameter: [LDAPSecAdpt] Roles Attribute
                                                                                      Value: The name of the directory attribute that is used to store role information, for example, roles.

                                                                                    3. Add the following information to the LDAP directory:

                                                                                      • The user name and password for gateway authentication.

                                                                                      • For the gateway user, in the directory attribute that is used to store role information (for example, the roles attribute), specify the user role that is required to access the gateway. Specify Siebel Administrator as the default role.

About Authentication for Mobile Web Client Synchronization

This topic describes some of the processing that occurs to authenticate a remote user during synchronization. For detailed information about the synchronization process, see Siebel Remote and Replication Manager Administration Guide.

The following facts apply to Siebel Remote and remote users:

• Remote users do not connect to the Web server.

  When remote users synchronize, they connect directly from the Siebel Mobile Web Client to the Siebel Remote server, that is, the Siebel Server designated to support synchronization with remote users.

• Only one user ID and password can be used to access a local database. Local databases cannot belong to more than one user.

• A single user can have multiple Mobile Web Clients, such as two clients on two separate computers.

About the Synchronization Process for Remote Users

The Siebel remote user connects to a local database on their client computer, makes transaction modifications, and then synchronizes these changes to the Siebel Remote server. This involves the following steps:

1. Start Siebel on the client computer, then enter a user ID and password.

2. In the Connect To parameter, choose Local.

   The user ID and password are validated by the local database residing on the client computer.

3. The Siebel application appears in the Web browser and the user navigates through the application and modifies data, as appropriate (insert, update, or delete operations).

4. Later, the user decides to synchronize the local database changes and download updates from the Siebel Remote server. This involves the following steps:

   1. Connect to the Siebel Remote server using a dial-up modem or a LAN, WAN, or VPN connection.

   2. Start Siebel on the client computer, then enter a user ID and password.

   3. In the Connect To parameter, choose Local.

      The user ID and password are validated by the local database residing on the client computer.

   4. When the Siebel application appears in the Web browser, the user chooses File, and then Synchronize Database.

      The user is now accessing the Siebel Remote server for synchronization, and is subject to authentication.

   5. Once the remote user is authenticated, synchronization begins.

Authentication Options for Synchronization Manager

The Synchronization Manager server component for Siebel Remote validates each incoming Mobile Web Client request. Synchronization Manager validates the mobile user’s user ID against the list of valid Mobile Web Clients in the server database and validates that the effective end date is valid or NULL.

Synchronization Manager also verifies that the Mobile Web Client has connected to the correct Siebel Remote server. If the Mobile Web Client connects to the wrong Siebel Remote server, then Synchronization Manager reconnects the Mobile Web Client to another Siebel Remote server and updates the client’s local configuration information.

Synchronization Manager authenticates the Mobile Web Client’s password by using the method specified by the Authentication Method configuration parameter (alias Authentication). Set this parameter for Synchronization Manager using Siebel Server Manager. For details, see Siebel Remote and Replication Manager Administration Guide.

Authentication Method can be set to one of the following values:

• None. Does not authenticate the Mobile Web Client’s password. This is the default setting.

• Database. Uses the Mobile Web Client’s user name and password to connect to the server database. Uses the database security adapter to do this (typically, DBSecAdpt).

• SecurityAdapter. Uses the security adapter specified by the parameters Security Adapter Mode and Security Adapter Name to authenticate the user. Depending on the security adapter in effect, the user can be authenticated against the database or against an LDAP directory. Password hashing is subject to the configuration of this security adapter.

  The Security Adapter Mode and Security Adapter Name parameters can be set at the Enterprise or Siebel Server level, or set for the Synchronization Manager component. Database authentication is the default security adapter. You can use the same security adapter across the Siebel Enterprise, or use a different security adapter for Synchronization Manager than you do for the rest of the Enterprise. For more information, see About Siebel Security Adapters and subsequent topics, earlier in this chapter.

• Siebel. Validates the Mobile Web Client’s password against the password stored in the Mobile Web Client’s screen. (This option uses the mangle encryption algorithm, which is generally no longer recommended.)

• AppServer. Verifies that the password is the same as the user’s operating system password on the Siebel Server computer. (This option is generally no longer recommended.)

Installing and Configuring Oracle LDAP Client Software

Install the Oracle LDAP Client, which is part of the Oracle Database Client, only for non-Oracle Database deployments and only if there is no external or existing Oracle LDAP Client installed on your machine.

To install the Oracle LDAP Client software (which includes Oracle Wallet Manager) and to configure it for your environment, perform the following tasks:

Note: If you install the Oracle LDAP Client with a Siebel Enterprise Server that connects to an Oracle Database, then this installation resets the existing Oracle Home defined for the Oracle LDAP Client to the new Oracle LDAP Client. Consequently, Siebel Business Applications will be unable to connect to the database.

1. Review Requirements for Implementing an LDAP Authentication Environment for Oracle LDAP Client Installation

2. Review Considerations if Using LDAP Authentication with TLS

3. Perform one of the following tasks, as appropriate:

   • Installing the Oracle LDAP Client Software on Windows

   • Installing the Oracle LDAP Client Software on UNIX

4. (UNIX operating systems only) Configuring the siebenv.csh and siebenv.sh Scripts for the Oracle LDAP Client

5. (Optional) Creating a Wallet for Certificate Files When Using LDAP Authentication with TLS

Considerations if Using LDAP Authentication with TLS

This topic provides information on using LDAP authentication with TLS. The Oracle LDAP Client requires that Oracle Wallet Manager is installed if TLS must be supported. The LDAP libraries and utilities provided with the Oracle LDAP Client use the TLS libraries provided with Oracle Wallet Manager.

This task is a step in Installing and Configuring Oracle LDAP Client Software.

• If Oracle Wallet Manager is installed, then the LDAP libraries dynamically load the TLS libraries and use them to enable TLS, when TLS is configured.

• If Oracle Wallet Manager is not installed and the TLS libraries are not available, then the LDAP library is fully functional, with the exception of TLS support.

By using TLS with server authentication, an LDAP application can use simple LDAP authentication (user ID and password) over an encrypted communication connection between the LDAP client application and the LDAP server. In addition, TLS provides data confidentiality (encryption) on connections protected by TLS. Authentication of servers to clients is accomplished with X.509 certificates.

It is assumed that TLS capability is, or will be, required for Siebel LDAP authentication. Therefore, the LDAP client installation process includes Oracle Wallet Manager installation as an integral part. If you are absolutely sure that TLS will never be turned on for Siebel LDAP authentication, then you do not have to install Oracle Wallet Manager.

Installing the Oracle LDAP Client Software on Windows

This topic describes how to obtain the Oracle LDAP Client installation files on Microsoft Windows and how to install the Oracle LDAP Client and Oracle Wallet Manager.

Note: As of Siebel Innovation Pack 2017, the Oracle LDAP Client is no longer provided as part of Siebel product media: it is now installed as part of the Oracle Database Client, which you must download separately from Oracle Software Delivery Cloud.

This task is a step in Installing and Configuring Oracle LDAP Client Software.

To install the Oracle LDAP Client and Oracle Wallet Manager on Windows

1. Log on to Microsoft Windows.

2. Obtain the Oracle LDAP Client installation files as follows:

   1. Go to the Certifications tab on My Oracle Support (https://support.oracle.com).

   2. Search for Oracle Database Client and download it from Oracle Software Delivery Cloud. Oracle Database Client contains both Oracle Database and Oracle LDAP Client.

3. Copy the files in the \enu directory to a directory on the Siebel Server and Siebel Gateway where you want to install the Oracle LDAP Client.

4. Install the Oracle LDAP Client, selecting the Runtime option when you are prompted to select the type of installation you want to perform.

   For detailed information on installing Oracle LDAP Client, see Oracle® Database Client Installation Guide 12c Release 1 (12.1) for Microsoft Windows and the Certification tab on My Oracle Support. When the installation has completed, the following software is available on the Siebel Server and Siebel Gateway:

   • Oracle LDAP SDK

   • Oracle LDAP client library

   • Oracle Wallet Manager

   Note: The Oracle LDAP client software components are embedded in the Oracle LDAP Client and are not listed as separately installed programs on the Siebel Server.

5. Set the value of the ORACLE_HOME environment variable to the location of the directory into which you installed the Oracle LDAP Client files, for example:

    set ORACLE_HOME=C:\oracle\SUN32\12C\12.1.x

   Note: If you are using Siebel Business Applications with an Oracle Database, and if you have a previous Oracle LDAP Client installation, change the value of ORACLE_HOME to specify the location of the Oracle LDAP Client you have just installed. You can set the ORACLE_HOME environment variable by navigating to the following location on your machine: Computer, Properties, Advanced System Settings, Environment Variables, and then System Variables.

6. Set the value of the Security Adapter Dll Name parameter to sscforacleldap.dll.

   For information on the Security Adapter Dll Name parameter, see Parameters for Configuring Security Adapter Authentication.

7. Stop and restart the Siebel Server and Siebel Gateway.

Installing the Oracle LDAP Client Software on UNIX

This topic describes how to obtain the Oracle LDAP Client installation files on a UNIX operating system platform.

Note: As of Siebel Innovation Pack 2017, the Oracle LDAP Client is no longer provided as part of Siebel product media: it is now installed as part of the Oracle Database Client, which you must download separately from Oracle Software Delivery Cloud.

This task is a step in Installing and Configuring Oracle LDAP Client Software.

To install the Oracle LDAP Client and Oracle Wallet Manager on UNIX

1. Log in as a non-root user.

2. Obtain the Oracle LDAP Client installation files as follows:

   1. Go to the Certifications tab on My Oracle Support (https://support.oracle.com).

   2. Search for Oracle Database Client and download it from Oracle Software Delivery Cloud. Oracle Database Client contains both Oracle Database and Oracle LDAP Client.

3. Install the Oracle Database Client.

Configuring the siebenv.csh and siebenv.sh Scripts for the Oracle LDAP Client

After you have installed the Oracle LDAP Client on your UNIX operating system, you must add the directory path of the Oracle LDAP Client libraries to the library path environment variable in either the siebenv.csh (C shell) or siebenv.sh (Bourne or Korn shell) shell script. When you source these scripts, they set the environment variables for your Siebel implementation.

The siebenv.csh and siebenv.sh scripts are created in the $SIEBEL_ROOT directory during the Siebel Server installation and configuration process. Edit the siebenv.csh or siebenv.sh script, as described in the following topics, where $ORACLE_HOME/lib is the installation path of your Oracle LDAP Client libraries.

This task is a step in Installing and Configuring Oracle LDAP Client Software.

Linux and Oracle Solaris Operating Systems

On Linux and Oracle Solaris operating systems, the name of the library path environment variable is LD_LIBRARY_PATH. Depending on whether you source the siebenv.csh or the siebenv.sh script, set the LD_LIBRARY_PATH variable as follows:

• siebenv.csh

    if ($?LD_LIBRARY_PATH) then
      setenv LD_LIBRARY_PATH ${SIEBEL_ROOT}/lib:${SIEBEL_ROOT}/lib/odbc/merant:${ORACLE_HOME}/lib:${MWHOME}/lib:${SQLANY}/lib:/usr/lib:${LD_LIBRARY_PATH}
    else
      setenv LD_LIBRARY_PATH ${SIEBEL_ROOT}/lib:${SIEBEL_ROOT}/lib/odbc/merant:${ORACLE_HOME}/lib:${MWHOME}/lib:${SQLANY}/lib:/usr/lib
    endif

• siebenv.sh

    if [ -z "${LD_LIBRARY_PATH}" ]
    then
      LD_LIBRARY_PATH=${SIEBEL_ROOT}/lib:${SIEBEL_ROOT}/lib/odbc/merant:${ORACLE_HOME}/lib:${MWHOME}/lib:${SQLANY}/lib:/usr/lib
    else
      LD_LIBRARY_PATH=${SIEBEL_ROOT}/lib:${SIEBEL_ROOT}/lib/odbc/merant:${ORACLE_HOME}/lib:${MWHOME}/lib:${SQLANY}/lib:/usr/lib:${LD_LIBRARY_PATH}
    fi
    export LD_LIBRARY_PATH

AIX Operating System

On the AIX operating system, the name of the library path environment variable is LIBPATH. Depending on whether you source the siebenv.csh or the siebenv.sh script, set the LIBPATH variable as follows:

• siebenv.csh

    if ($?LIBPATH) then
      setenv LIBPATH ${SIEBEL_ROOT}/lib:${SIEBEL_ROOT}/lib/odbc/merant:${ORACLE_HOME}/lib:${MWHOME}/lib:${SQLANY}/lib:/usr/lib:${LIBPATH}
    else
      setenv LIBPATH ${SIEBEL_ROOT}/lib:${SIEBEL_ROOT}/lib/odbc/merant:${ORACLE_HOME}/lib:${MWHOME}/lib:${SQLANY}/lib:/usr/lib
    endif

• siebenv.sh

    if [ -z "${LIBPATH}" ]
    then
      LIBPATH=${SIEBEL_ROOT}/lib:${SIEBEL_ROOT}/lib/odbc/merant:${ORACLE_HOME}/lib:${MWHOME}/lib:${SQLANY}/lib:/usr/lib
    else
      LIBPATH=${SIEBEL_ROOT}/lib:${SIEBEL_ROOT}/lib/odbc/merant:${ORACLE_HOME}/lib:${MWHOME}/lib:${SQLANY}/lib:/usr/lib:${LIBPATH}
    fi
    export LIBPATH

HP-UX Operating System

On the HP-UX operating system, the name of the library path environment variable is SHLIB_PATH. Depending on whether you source the siebenv.csh or the siebenv.sh script, set the SHLIB_PATH variable as follows:

• siebenv.csh

    if ($?SHLIB_PATH) then
      setenv SHLIB_PATH ${SIEBEL_ROOT}/lib:${SIEBEL_ROOT}/lib/odbc/merant:${ORACLE_HOME}/lib:${MWHOME}/lib:${SQLANY}/lib:/usr/lib:${SHLIB_PATH}
    else
      setenv SHLIB_PATH ${SIEBEL_ROOT}/lib:${SIEBEL_ROOT}/lib/odbc/merant:${ORACLE_HOME}/lib:${MWHOME}/lib:${SQLANY}/lib:/usr/lib
    endif

• siebenv.sh

    if [ -z "${SHLIB_PATH}" ]
    then
      SHLIB_PATH=${SIEBEL_ROOT}/lib:${SIEBEL_ROOT}/lib/odbc/merant:${ORACLE_HOME}/lib:${MWHOME}/lib:${SQLANY}/lib:/usr/lib
    else
      SHLIB_PATH=${SIEBEL_ROOT}/lib:${SIEBEL_ROOT}/lib/odbc/merant:${ORACLE_HOME}/lib:${MWHOME}/lib:${SQLANY}/lib:/usr/lib:${SHLIB_PATH}
    fi
    export SHLIB_PATH
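The three platform fragments above differ only in the name of the variable, and each of them prepends the same directories every time the script is sourced, so a shell that sources siebenv.sh twice ends up with the Siebel directories listed twice. The following POSIX sh functions are an added example written for this page, not code from the Siebel guide or from the siebenv scripts Siebel ships: they build the same search path from the same environment variables (SIEBEL_ROOT, ORACLE_HOME, MWHOME, SQLANY), skip a directory whose base variable is unset instead of emitting a bare /lib entry, keep whatever was already on the path once each, and choose the variable name from uname -s. The function names and the sample paths used in the demonstration are mine.

```shell
#!/bin/sh
# Added example, not code from the Siebel guide or from the siebenv scripts.
# Builds the Siebel Server library search path from the environment variables
# the guide's fragments use and exports it under the platform's variable.

# Map the output of `uname -s` to the library path variable for that platform.
# LD_LIBRARY_PATH covers Linux and Oracle Solaris (which reports SunOS).
libpath_var_for_os() {
    case "$1" in
        AIX)   echo LIBPATH ;;
        HP-UX) echo SHLIB_PATH ;;
        *)     echo LD_LIBRARY_PATH ;;
    esac
}

# Print list $1 with directory $2 appended, unless $2 is empty or already listed.
append_unique() {
    _list=$1
    _dir=$2
    [ -n "$_dir" ] || { echo "$_list"; return 0; }
    case ":$_list:" in
        *":$_dir:"*) echo "$_list" ;;
        "::")        echo "$_dir" ;;
        *)           echo "$_list:$_dir" ;;
    esac
}

# Print the new path value; $1 is the variable's current value (may be empty).
# Directories come in the guide's order. A directory whose base variable is
# unset is skipped rather than turned into "/lib".
build_siebel_libpath() {
    _acc=""
    for _d in "${SIEBEL_ROOT:+$SIEBEL_ROOT/lib}" \
              "${SIEBEL_ROOT:+$SIEBEL_ROOT/lib/odbc/merant}" \
              "${ORACLE_HOME:+$ORACLE_HOME/lib}" \
              "${MWHOME:+$MWHOME/lib}" \
              "${SQLANY:+$SQLANY/lib}" \
              /usr/lib; do
        _acc=$(append_unique "$_acc" "$_d")
    done
    # Keep whatever was already on the path, after the Siebel entries, once each.
    _rest=$1
    while [ -n "$_rest" ]; do
        case "$_rest" in
            *:*) _entry=${_rest%%:*}; _rest=${_rest#*:} ;;
            *)   _entry=$_rest;       _rest="" ;;
        esac
        _acc=$(append_unique "$_acc" "$_entry")
    done
    echo "$_acc"
}

# Recompute and export the platform's library path variable. Calling this
# twice (for example by sourcing a script twice) yields the same value.
apply_siebel_libpath() {
    _var=$(libpath_var_for_os "$(uname -s)")
    eval "_cur=\${$_var}"
    eval "$_var=\$(build_siebel_libpath \"\$_cur\")"
    export "$_var"
}

# Demonstration with constructed sample paths: sh siebel_libpath.sh --demo
if [ "${1-}" = "--demo" ]; then
    SIEBEL_ROOT=/opt/siebel/siebsrvr ORACLE_HOME=/opt/oracle/client
    MWHOME=/opt/siebel/mw SQLANY=/opt/siebel/sqlany
    apply_siebel_libpath
    _var=$(libpath_var_for_os "$(uname -s)")
    eval "echo \"$_var=\$$_var\""
fi
```

To use it from siebenv.sh, source the file and call apply_siebel_libpath in place of the if/else fragment; the csh variant of the guide has no equivalent here because these functions are Bourne-shell syntax.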
                                                                                                            

Creating a Wallet for Certificate Files When Using LDAP Authentication with TLS

If you are using LDAP authentication with TLS, then you must use Oracle Wallet Manager to create a wallet to store the certificates required for TLS communications. This topic describes how to create the wallet, and how to enable TLS for the Siebel LDAP security adapter. For detailed information on using Oracle Wallet Manager, see Oracle® Database Advanced Security Administrator’s Guide.

By enabling TLS for the Siebel LDAP security adapter, an encrypted connection is established between the Siebel application and the LDAP server. For information on enabling TLS for an LDAP server, refer to your third-party LDAP server administration documentation. This topic assumes that the LDAP server is already TLS-enabled, that is, it accepts TLS connections.

This task is a step in Installing and Configuring Oracle LDAP Client Software.

Creating an Oracle Wallet

To enable TLS for the Siebel LDAP security adapter, an Oracle wallet must be created on the Siebel Server computer that runs the Application Object Managers or other components that must support LDAP authentication through the LDAP security adapter. The Oracle wallet must contain the CA certificates of the Certificate Authorities that issued the server certificates of your LDAP servers.

Use the following procedure to create an Oracle wallet. Before creating an Oracle wallet, note that you must be logged in to Siebel as the same user that the Siebel Server service runs under, and the wallet must be located in the default location for that user.

To create an Oracle wallet

1. Determine which Certificate Authority issued the server certificate for your LDAP server and obtain this CA certificate.

2. Copy the CA certificate to the computer where you have installed Oracle Wallet Manager.

3. On the Siebel Server computer where you will run the Application Object Manager components that support LDAP authentication, create an Oracle wallet using Oracle Wallet Manager.

   To create the wallet, follow the detailed instructions in Oracle® Database Advanced Security Administrator’s Guide. Specify the following values:

   1. In the New Wallet dialog box, enter a password for the wallet in the Wallet Password field, then reenter the password in the Confirm Password field.

   2. From the Wallet Type list, select Standard, then click OK.

      A new empty wallet is created.

   3. When prompted to specify whether or not you want to add a certificate request, select No.

      You return to the Oracle Wallet Manager main window.

   4. Save the wallet by selecting Wallet, then Save In System Default to save the wallet file to the default directory location:

      • For UNIX the default directory location is $ORACLE_HOME/bin/owm/wallets/username.

                                                                                                                  • For Windows the default directory location is ORACLE_HOME\bin\owm\wallets\username.

                                                                                                                  You must specify this directory when configuring TLS for clients and servers. You can save the wallet to a different directory if required.

                                                                                                              4. Import the CA certificate that you copied to the computer earlier in this procedure into the wallet you have created.

                                                                                                                You can import as many CA certificates as required. For information on importing certificates, see Oracle® Database Advanced Security Administrator’s Guide.

                                                                                                              Note: For LDAP servers that have their server certificate issued from a new CA, just add the CA certificate to the existing wallet, instead of creating a new wallet for every LDAP server.

                                                                                                                Enabling TLS for the Siebel LDAP Security Adapter

                                                                                                                Use the following procedure to configure TLS for the Siebel LDAP security adapter. For more information about LDAP security adapter configuration, see Configuring Security Adapters Using the Siebel Management Console.

                                                                                                                To enable TLS for the Siebel LDAP security adapter
                                                                                                                1. Copy the wallet you created in Creating an Oracle Wallet to the Siebel Server computer where you will run the Application Object Manager components that support LDAP authentication.

2. (Windows only) Do one of the following:

  • Copy the contents of the wallet directory ORACLE_HOME\bin\owm\wallets\username into a location that the Siebel Server service owner can access, for example c:\wallet. Restrict write access to that directory to the service account and administrators: anyone who can add a CA certificate to the wallet can present a certificate from that CA and impersonate the LDAP server to the adapter.

  • Alternatively, change the log on values of the Siebel Server service owner account so that they are the same as the account used to create the wallet described in Creating an Oracle Wallet. To change the log on values of the Siebel Server service account:

                                                                                                                    • From the Windows Start menu, choose Settings, Control Panel, Administrative Tools, and then the Services item.

                                                                                                                    • Right-click on the Siebel Server System Service, then select Properties.

                                                                                                                    • In the Properties dialog box for this service, click the Log On tab.

                                                                                                                    • Select the This Account option, then enter the name and password of the account used to create the wallet.

3. Modify the LDAP security adapter configuration parameters using values similar to those shown in the following table.

  Parameter: Port
  Value: port_number
  Description: The TLS port is configurable for the LDAP server. Verify the actual port number the LDAP server is using for TLS and specify that value. The default value is 636.

  Parameter: SSL
  Value: Select this check box to enable Secure Sockets Layer (that is, TLS) for socket connections to the host.

  Parameter: Enable SSL
  Value: Select this check box to use TLS for communications between the LDAP security adapter and the directory.
  Description: Note the following:

    • The wallet file (ewallet.p12) must be stored in the keystore/truststore central location configured for Siebel Gateway, Siebel Application Interface, and other nodes.

    • Oracle LDAP client libraries are required to decipher the ewallet file, which is used to make secure connections (LDAPS) to the LDAP server.

    • The required Oracle LDAP client library files are oraclepki.jar, osdt_core.jar, and osdt_cert.jar. These library files must be located in the WEB-INF/lib directory for the Siebel Web application.

  Parameter: Wallet Password
  Value: wallet_password
  Description: Specify the password you assigned to the wallet when creating the wallet.

  For information on configuring parameters for the LDAP security adapter, see Configuring Security Adapters Using the Siebel Management Console and Parameters for Configuring Security Adapter Authentication.

                                                                                                                4. Restart the Siebel Server (if you are configuring LDAP on a Siebel Server).
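Before you import a CA certificate into the wallet and point the adapter at port 636, it is worth confirming that the LDAP server's certificate chain actually validates against that CA and that the port speaks TLS at all. The script below is an added example and is not part of the Siebel documentation or product: it uses Python's standard ssl module to open a TLS connection trusting only the CA file you intend to import (as a wallet holding just that CA would), checks the hostname, and maps the usual handshake failures to the wallet and port problems described in the procedure above. The host name, port and CA file path are placeholders; the failure classification is the example's own reading of the ssl module's error messages, not a Siebel diagnostic.

```python
"""Pre-flight check of an LDAPS endpoint before configuring the Siebel LDAP
security adapter. Added example, not Siebel or Oracle code."""
import socket
import ssl

DEFAULT_LDAPS_PORT = 636  # the TLS port the configuration table defaults to


def classify_failure(exc):
    """Map an exception raised during the TLS handshake to the likely cause."""
    text = str(exc).lower()
    if isinstance(exc, ssl.SSLCertVerificationError):
        if "hostname mismatch" in text:
            return "hostname mismatch: connect using the name in the server certificate"
        return "chain not trusted: the issuing CA is not in the CA file (import it into the wallet)"
    if isinstance(exc, ssl.SSLError):
        if "wrong version number" in text:
            return "port does not speak TLS: check the LDAP server's TLS port (636 by default)"
        return "TLS error: " + text
    if isinstance(exc, ConnectionRefusedError):
        return "connection refused: nothing is listening on that port"
    if isinstance(exc, (socket.timeout, TimeoutError)):
        return "timeout: host unreachable or port filtered"
    if isinstance(exc, socket.gaierror):
        return "name resolution failed for the LDAP host"
    return "unexpected error: " + repr(exc)


def ldaps_check(host, port=DEFAULT_LDAPS_PORT, cafile=None, timeout=5.0):
    """Connect to host:port over TLS trusting only `cafile` (with cafile=None the
    system trust store is used instead), require a verified chain and a matching
    hostname, and report the outcome instead of raising."""
    ctx = ssl.create_default_context(cafile=cafile)
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2  # refuse legacy protocol versions
    ctx.check_hostname = True
    ctx.verify_mode = ssl.CERT_REQUIRED
    try:
        with socket.create_connection((host, port), timeout=timeout) as raw:
            with ctx.wrap_socket(raw, server_hostname=host) as tls:
                cert = tls.getpeercert()
                # 'issuer' is a tuple of RDNs, each a tuple of (attribute, value) pairs
                issuer = {k: v for rdn in cert.get("issuer", ()) for k, v in rdn}
                return {"ok": True, "reason": "chain verified and hostname matches",
                        "issuer": issuer, "protocol": tls.version()}
    except Exception as exc:
        return {"ok": False, "reason": classify_failure(exc),
                "issuer": None, "protocol": None}


if __name__ == "__main__":
    import sys
    # Placeholders: the LDAP host and the CA PEM file you plan to import into the wallet.
    host = sys.argv[1] if len(sys.argv) > 1 else "ldap.example.com"
    cafile = sys.argv[2] if len(sys.argv) > 2 else None
    result = ldaps_check(host, cafile=cafile)
    print("OK" if result["ok"] else "FAIL", result["reason"])
    if result["ok"]:
        print("issuer:", result["issuer"], "protocol:", result["protocol"])
```

Run it as `python ldaps_check.py ldap.example.com ca.pem`. A "chain not trusted" result means the CA you are about to import is not the one that issued the server certificate (step 1 of Creating an Oracle Wallet); "port does not speak TLS" usually means the adapter's Port parameter still points at the plain LDAP port.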

                                                                                                                  Configuring Security Adapters Using the Siebel Management Console

                                                                                                                  This topic describes how to configure a Database, LDAP, or Custom security adapter using the Siebel Management Console after you have installed Siebel Business Applications. For information on installing and configuring Siebel Business Applications, see Siebel Installation Guide for the operating system you are using.

                                                                                                                  Note: Database authentication is supported for development environments only, it is not supported for production environments.

                                                                                                                  You use the Siebel Management Console to do the following:

                                                                                                                  • Configure the parameters (stored on the gateway) that set security adapter values. When you configure these parameters, the gateway must be running.

                                                                                                                  • Configure security adapter settings for gateway access authentication.

                                                                                                                  • Configure authentication parameters for Siebel application configuration, when configuring a Siebel Developer Web Client.

                                                                                                                  The Siebel Management Console sets authentication-related configuration parameters for Siebel Business Applications and Siebel Gateway authentication, but does not make changes to the LDAP directory. Make sure the configuration information you enter is compatible with your directory server.

                                                                                                                  When you specify LDAP as the security adapter type using the Siebel Management Console, the setting you specify provides the value for the Enterprise Security Authentication Profile (Security Adapter Mode) parameter. The Security Adapter Mode and Security Adapter Name (named subsystem) parameters can be set for Siebel Gateway, Siebel Enterprise Server, for a particular Siebel Server, for an individual Application Object Manager component, or for the Synchronization Manager component (for Siebel Remote).

                                                                                                                  When you specify LDAP as the security adapter mode, additional configuration parameters are defined for the particular LDAP security adapter. For example, the Security Adapter DLL Name (SecAdptDllName) parameter is automatically set when you specify LDAP as the security adapter mode.

                                                                                                                  Caution: If you want to configure a server component or a Siebel Server to use different LDAP authentication settings to those already configured at a higher level (that is, configured for the Siebel Enterprise or Siebel Server), then you must create a new LDAP security adapter. Otherwise, the settings you make reconfigure the existing security adapter wherever it is used.

The following procedure describes how to use the Siebel Management Console to configure the security adapters (security profile) provided with Siebel Business Applications.

                                                                                                                  Note: For information about using Siebel Server Manager to edit parameters on Siebel Gateway, see Siebel System Administration Guide. For information about editing parameters on Siebel Gateway using the Siebel Management Console, see the following procedure.

                                                                                                                  To configure your security adapter using Siebel Management Console

                                                                                                                  1. Log in to the Siebel Management Console.

                                                                                                                  2. Click Profiles in the navigation menu, and then click Security.

                                                                                                                    Existing security profiles are listed, if any.

                                                                                                                  3. Click Add (the plus (+) icon) to add a new security profile, or click the Clone button to clone an existing profile.

                                                                                                                  4. Specify a name for the profile.

                                                                                                                    The security profile that is created on first login is named Gateway.

                                                                                                                  5. Click Add (the plus (+) icon) next to Data Sources to add a new data source.

                                                                                                                  6. Click Datasource, and configure your security adapter.

                                                                                                                  7. When you have specified all applicable settings, click Submit and save your changes to the profile.

                                                                                                                  Migrating from Database to LDAP Authentication

                                                                                                                  After you install Siebel Business Applications, the security adapter options provided for user authentication are a database security adapter, an LDAP security adapter, and a custom security adapter. If you want to implement LDAP security adapter authentication for a Siebel application that was previously configured to use database authentication, then review the information in this topic.

                                                                                                                    Considerations in Migrating to LDAP Authentication

There are a number of issues that you have to consider in deciding the most appropriate authentication method for your Siebel implementation. For example, some features, such as user self-registration, are unavailable with database authentication, while some components, such as batch and system management components, must use database authentication. For information on the benefits and limitations of each security adapter authentication option, review the topics that describe database authentication and LDAP security adapter authentication.

                                                                                                                      Migrating from Database to LDAP Authentication

                                                                                                                      The steps to migrate a Siebel application from database authentication to LDAP authentication are outlined in Process of Implementing LDAP Security Adapter Authentication. In addition, you must perform the following steps:

                                                                                                                      1. Migrate your users from the Siebel database to the external directory server; create an entry in the external directory for each user to be authenticated.

2. (Optional) Archive, from the Siebel database, any user database accounts that are no longer required once users authenticate through LDAP. Do not archive the following database accounts:

                                                                                                                        • The default Siebel administrator account, SYSADMIN.

                                                                                                                        • The default database account, for example, LDAPUSER, that is used by Siebel LDAP security adapter to connect to the Siebel database.

                                                                                                                        Security Adapter Deployment Options

                                                                                                                        This topic describes security adapter options that can be implemented in a security adapter authentication environment or in a Web SSO environment. Unless noted otherwise, these options are supported by the Siebel LDAP security adapter and by adapters that comply with the Siebel Security Adapter Software Developer's Kit (SDK) version 3.0. For more information, see 476962.1 (Article ID) on My Oracle Support.

Depending on your security adapter or Web SSO implementation, you might have to configure the items described in the topics that follow.

                                                                                                                          Configuring the Application User

                                                                                                                          This topic describes how to configure the directory application user. The application user is not an actual user who logs into an application; it is a special user defined to handle access to the directory. The application user is defined as the only user with search, read and write privileges to the LDAP directory. This minimizes the level of access of all other users to the directory and the administration required to provide such access.

                                                                                                                          The application user must be defined in the following authentication strategies that implement a Siebel security adapter:

                                                                                                                          • Security adapter authentication: LDAP, some custom security adapter implementations

                                                                                                                            You do not have to define an application user if you implement a database security adapter.

                                                                                                                          • Web SSO authentication

                                                                                                                            Whether or not an application user must be defined depends on how you have implemented the Web SSO solution.

                                                                                                                            About Application User Permissions

                                                                                                                            The application user is the only user who can read or write user information in the directory. Therefore, it is critical that the application user has appropriate privileges to the directory. The application user must be defined in the directory with the following qualities:

• The application user's credentials are used for the initial bind from the Application Object Manager to the LDAP server when a user requests the login page. Without an application user, that bind is anonymous.

                                                                                                                            • Assign the application user sufficient permissions to read any user’s information in the directory and do any necessary administration.

                                                                                                                              In a Siebel security adapter implementation, the application user must have search and write privileges for all user records in the directory. In a Web SSO implementation, the application user must have, at least, search privileges.

                                                                                                                            • Permissions for the application user must be defined at the organization level (for example, OU for LDAP).

                                                                                                                              Defining the Application User

                                                                                                                              The following procedure describes how to define the application user.

                                                                                                                              To define the application user
                                                                                                                              1. Define a user in the directory, using the same attributes as for other users.

                                                                                                                                Assign values in appropriate attributes that contain the following information:

                                                                                                                                • Username. Assign a name of your choice. If you implement an adapter-defined user name, then use that attribute (for further information, see Configuring Adapter-Defined User Name). Otherwise, use the attribute in which you store the Siebel user ID, although the application user does not have a Siebel user ID.

• Password. Assign a password of your choice and enter it in the directory in unencrypted form.

  The application user's password is kept unencrypted in the directory, while an encrypted version of the password is used in other phases of the authentication process: an encryption algorithm is applied to the application user password before it is sent to the database, and the application user login must also be set up with the encrypted version of the password.

                                                                                                                              2. Assign appropriate permissions to the application user in the directory as described in About Application User Permissions.

                                                                                                                              3. For your Siebel security adapter, define the following parameter values for the security adapter’s enterprise profile (such as LDAPSecAdpt) on the Siebel Gateway.

                                                                                                                                • Application User Distinguished Name (DN). Enter the application user’s full distinguished name (DN) in the directory.

                                                                                                                                  For example, ApplicationUser can be set as in the following example:

                                                                                                                                  ApplicationUser = uid=APPUSER, ou=people, o=example.com
                                                                                                                                • Application Password. Enter the application user password (unencrypted).

                                                                                                                                For more information on setting these parameters, see Parameters for Configuring Security Adapter Authentication. For Developer Web Client, define these parameters in the corresponding section in the application configuration file, such as uagent.cfg for Siebel Call Center. For Siebel Gateway authentication, define these parameters in the security profile.

                                                                                                                                Application User and Password Expiration Policies

                                                                                                                                Typically, user administration in an LDAP server is performed through the application user. In addition, user policies that are set for the entire directory apply to the application user as well as to all other users.

If you implement a password expiration policy in the directory, then exempt the application user from the policy so that the application user's password does not expire and break authentication for every user. To do this, after the password policy has been set for the whole directory (typically while bound as the application user), set a password policy explicitly for the application user. Because the password does not expire on its own, give it the strength appropriate to a directory-wide service account and rotate it through your own process, updating the Application Password parameter at the same time. For more information about account policies and password expiration, see Account Policies and Password Expiration.

                                                                                                                                  Configuring Checksum Validation

                                                                                                                                  The checksum validation option verifies that the security adapter loaded by the authentication manager is the correct version. It is recommended that you use checksum validation to make sure that the appropriate security adapter provides user credentials to the authentication manager for all users who request access.

                                                                                                                                  Checksum validation for security adapters can be implemented in the following authentication strategies:

                                                                                                                                  • Security adapter authentication: LDAP, custom (not database authentication)

                                                                                                                                  • Web SSO authentication

                                                                                                                                  You can implement checksum validation with the Siebel checksum utility that is included when you install your Siebel application.

                                                                                                                                  Checksum validation supports the following principles:

• A CRC (cyclic redundancy check) checksum value for the security adapter library file (such as the DLL file on Windows) is stored as a configuration parameter value for the security adapter.

                                                                                                                                  • When a security adapter provides a user identity and database account to the Application Object Manager, a checksum value is calculated for that security adapter.

• The user is granted access only if the two checksum values are equal.

                                                                                                                                  The following procedure outlines the steps in implementing checksum validation.

                                                                                                                                  To configure checksum validation

                                                                                                                                  1. Enter and run the following command at a command prompt, using the required security adapter library file name (such as the DLL file on Windows) as the argument:

                                                                                                                                    checksum -f filename 
                                                                                                                                    

                                                                                                                                    The utility returns the checksum value.

                                                                                                                                    For example, if you are using an LDAP security adapter, then the following command:

                                                                                                                                    checksum -f sscforacleldap.dll
                                                                                                                                    

                                                                                                                                    returns something similar to:

                                                                                                                                    CRC checksum for file 'sscforacleldap.dll' is f49b2be3
                                                                                                                                    
Note: If you are using a custom security adapter, run the utility against that adapter's library file instead.
2. For the security adapter you are using, set the CRC Checksum parameter to the checksum value calculated in Step 1.

                                                                                                                                    For information on setting configuration parameters, see Parameters for Configuring Security Adapter Authentication. For Developer Web Client, define these parameters in the corresponding section in the application configuration file, such as uagent.cfg for Siebel Call Center. For Siebel Gateway authentication, define these parameters in the security profile.

                                                                                                                                    In previous Siebel CRM releases, the CRC checksum value was set using the Security Adapter CRC system preference, rather than a configuration parameter.

                                                                                                                                    Note: The checksum value in this procedure is an example only. You must run the checksum utility as described to generate the value that is valid for your implementation. In addition, you must recalculate the CRC checksum value and update the CRC parameter value each time you upgrade your Siebel Business Applications, including each time you apply a Siebel Patchset.
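The check that the principles above describe, as an added example that is not Siebel's checksum utility or the Application Object Manager's own code: it computes a CRC of a constructed library image, compares it with the configured parameter, and then shows why that comparison is only an integrity check by appending four bytes to a tampered copy so that its CRC matches the genuine one. zlib.crc32 (CRC-32/ISO-HDLC) is assumed here; the page does not state which CRC the Siebel utility uses, so the hex values will not correspond to its output. The forgery routine is the standard CRC inversion over the last four table steps, not anything Siebel-specific.

```python
import zlib

# Constructed stand-in for a security adapter library (e.g. sscforacleldap.dll).
# zlib.crc32 is assumed for illustration; Siebel's checksum utility may use a
# different polynomial, so these values will not match its output.
GENUINE_ADAPTER = (
    b"\x7fELF" + b"constructed adapter image: "
    b"bind to directory; verify password; return uid + dbaccount"
)
# Constructed tampered copy: the password verification step has been removed.
TAMPERED_ADAPTER = GENUINE_ADAPTER.replace(b"verify password", b"skip password  ")


def crc32_hex(data: bytes) -> str:
    """Same shape as the utility's output: eight lowercase hex digits."""
    return f"{zlib.crc32(data) & 0xFFFFFFFF:08x}"


def validate_adapter(library: bytes, configured_crc: str) -> bool:
    """The gate applied when the adapter returns an identity: the result is
    trusted only if the library's CRC equals the CRC Checksum parameter."""
    return crc32_hex(library) == configured_crc.strip().lower()


# --- Why a CRC is an integrity check, not a tamper-proofing control ---------
_POLY = 0xEDB88320  # reflected CRC-32 polynomial used by zlib
_TABLE = []
for _i in range(256):
    _c = _i
    for _ in range(8):
        _c = (_c >> 1) ^ _POLY if _c & 1 else _c >> 1
    _TABLE.append(_c)
# Every table entry has a distinct top byte, so one forward step can be undone.
_BY_TOP_BYTE = {t >> 24: i for i, t in enumerate(_TABLE)}
assert len(_BY_TOP_BYTE) == 256


def forge_crc32(data: bytes, target: int) -> bytes:
    """Append 4 bytes to `data` so that zlib.crc32(result) == target.
    Walk the last four table steps backwards from the wanted register to
    pick the table indices, then forwards from the actual register to turn
    those indices into bytes."""
    reg = zlib.crc32(data) ^ 0xFFFFFFFF   # CRC register after `data`
    want = target ^ 0xFFFFFFFF            # register we need at the end
    idx = [0] * 4
    cur = want
    for k in range(3, -1, -1):
        idx[k] = _BY_TOP_BYTE[cur >> 24]
        cur = ((cur ^ _TABLE[idx[k]]) << 8) & 0xFFFFFFFF  # low byte unknown, not needed
    patch = bytearray()
    for k in range(4):
        patch.append((idx[k] ^ reg) & 0xFF)
        reg = _TABLE[idx[k]] ^ (reg >> 8)
    return data + bytes(patch)


def demo() -> dict:
    """Genuine library passes, tampered copy fails, forged copy passes again."""
    configured = crc32_hex(GENUINE_ADAPTER)
    forged = forge_crc32(TAMPERED_ADAPTER, zlib.crc32(GENUINE_ADAPTER))
    return {
        "genuine_passes": validate_adapter(GENUINE_ADAPTER, configured),
        "tampered_passes": validate_adapter(TAMPERED_ADAPTER, configured),
        "forged_passes": validate_adapter(forged, configured),
    }


if __name__ == "__main__":
    print(demo())
```

The forged copy still contains every byte of the tampered library; only four trailing bytes were added, which is why the CRC Checksum parameter must be combined with file-system permissions on the library and on the parameter store rather than relied on alone.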

                                                                                                                                    Configuring Secure Communications for Security Adapters

                                                                                                                                    This topic describes how to use TLS to transmit data between a security adapter provided with Siebel Business Applications and an LDAP directory. Secure communications for the Siebel security adapter can be implemented in the following authentication strategies:

                                                                                                                                    • Security adapter authentication: LDAP, custom (not database authentication)

                                                                                                                                    • Web SSO authentication

                                                                                                                                      Configuring TLS for the LDAP Security Adapter

                                                                                                                                      The following procedure describes how to configure TLS for the LDAP security adapter.

                                                                                                                                      To configure TLS for the LDAP security adapter
                                                                                                                                      1. Set the SslDatabase parameter value for the security adapter (LDAPSecAdpt) to the absolute directory path of the Oracle wallet.

                                                                                                                                        The Oracle wallet, generated using Oracle Wallet Manager, contains a certificate for the certificate authority that is used by the directory server. For information about generating the database file for an LDAP authentication environment, see Creating a Wallet for Certificate Files When Using LDAP Authentication with TLS.

                                                                                                                                      2. Set the Wallet Password parameter for the LDAP security adapter (LDAPSecAdpt) to the password assigned to the Oracle wallet.

                                                                                                                                        Configuring the Shared Database Account

                                                                                                                                        You can configure your authentication system so that a designated directory entry contains a database account that is shared by many users; this is the shared database account. The shared database account option can be implemented in the following authentication strategies:

                                                                                                                                        • Security adapter authentication: LDAP, custom (not database authentication)

                                                                                                                                        • Web SSO authentication

By default, the shared database account option is not implemented, and each user's database account is stored in an attribute of that user's record in the directory. In practice, all externally authenticated users share one or a few database accounts, so the same credentials are duplicated across many user records, and a change to those credentials has to be made in every one of them. Implementing a shared database account reduces that directory administration and reduces the number of places in which a database password is stored.

                                                                                                                                        The shared database account option can be specified for the LDAP security adapter as follows:

                                                                                                                                        • The shared database account credentials can be specified in an attribute of the shared database account record in the directory. Database credentials are retrieved from the shared database account if they are available to be extracted. If database credentials are not available from the shared database account, then they are instead retrieved from the user. For information, see Storing Shared Database Account Credentials as Directory Attributes.

                                                                                                                                        • The shared database account credentials can be specified as profile parameters (Shared DB User Name and Shared DB Password) for the LDAP Security Adapter profiles. If you want to implement a shared database account, then it is recommended that you specify database credentials as profile parameters. For information, see Storing Shared Database Account Credentials as Profile Parameters.

When database credentials are stored in a directory attribute, both the user name and the password are stored as plain text, even if you implement database credentials password hashing (in that case the hashed password is maintained in the database, while the unhashed password is stored in the directory and is readable by any principal that the directory's access controls allow to read the attribute). Specifying the database credentials as profile parameters avoids storing them as plain text in the directory.

                                                                                                                                          Shared Database Accounts and Administrative Users

Even if you implement a shared database account with external directory authentication, the shared database account cannot be used for any user who requires administrator access to Siebel Business Applications functionality, for example, any user who has to perform Siebel Server management and configuration tasks. For these users, do one of the following:

                                                                                                                                          • Create a separate database account.

                                                                                                                                            The database account user ID and password you create for the user must match the user ID and password specified for the user in the external directory.

                                                                                                                                          • Do the following:

                                                                                                                                            • Implement LDAP authentication for the gateway.

                                                                                                                                            • Create a user account record in the directory for the user requiring administrator access.

                                                                                                                                            • In the attribute of the record that is used to store role information, specify the user role that is required to access the gateway: Siebel Administrator is the default role.

                                                                                                                                          The following topics describe in more detail how the LDAP server uses the shared database account option.

                                                                                                                                            Storing Shared Database Account Credentials as Directory Attributes

                                                                                                                                            This topic describes how to implement a shared database account and store the database credentials as attributes of the directory entry you create for the shared database account. This option is available to you when you use the LDAP security adapter.

                                                                                                                                            To store shared database credentials in an attribute of the directory entry
                                                                                                                                            1. Create a database account to be shared by all users who log into a given Siebel application; the account must have administrator privileges.

                                                                                                                                            2. Create a designated entry in the directory, and enter the user name and password parameters for the shared database account in one of that entry’s attributes, such as the dbaccount attribute. You might have to create this attribute.

Note: The user name and password you specify for the shared database account must be a valid Siebel user name and password and must have administrator privileges.

Because every user who logs in through the shared account connects to the database with the same credentials, the database itself cannot distinguish those users. Per-user access control within the application rests on the Siebel user ID and responsibilities that the security adapter returns, not on the database account, so restrict who can read or change the shared entry accordingly.

                                                                                                                                              For information about formatting a directory attribute that contains the database account, see Requirements for the LDAP Directory.

                                                                                                                                            3. For each security adapter that implements this shared database account, specify values for the parameters shown in the following table.

Parameter: Credentials Attribute
Value: The directory attribute in which the database account is stored, for example, dbaccount.

Parameter: Shared Database Account Distinguished Name
Value: The fully qualified distinguished name of the designated entry, including the quotes, such as:

"uid=SHAREDENTRY, ou=people, o=example.com"

                                                                                                                                              For information on setting configuration parameters, see Configuring Security Adapters Using the Siebel Management Console and Parameters for Configuring Security Adapter Authentication. For Developer Web Client, define these parameters in the corresponding section in the application configuration file, such as uagent.cfg for Siebel Call Center. For Siebel Gateway authentication, define these parameters in the security profile.

                                                                                                                                              Storing Shared Database Account Credentials as Profile Parameters

                                                                                                                                              This topic describes how to configure a shared database account for an LDAP directory and how to store the database credentials for the account as parameters of the LDAP Security Adapter profile.

                                                                                                                                              It is recommended that you store shared database account credentials as profile parameters unless you have to store more than one set of database credentials, as only one set of database credentials can be stored as profile parameters.

                                                                                                                                              To store shared database credentials as profile parameters
                                                                                                                                              1. Navigate to the Administration - Server Configuration screen, Enterprises, and then the Profile Configuration view.

                                                                                                                                              2. Select the LDAPSecAdpt profile.

                                                                                                                                              3. Specify values for the following parameters for the LDAPSecAdpt profile.

Parameter: Shared DB User Name
Value: The user name with which to connect to the Siebel database.

Parameter: Shared DB Password
Value: The password with which to connect to the Siebel database.

                                                                                                                                                Note: You must specify a valid Siebel user name and password for the Shared DB User Name and Shared DB Password parameters. For more information about setting these parameters, see Parameters for Configuring Security Adapter Authentication.

                                                                                                                                                Configuring Adapter-Defined User Name

                                                                                                                                                You can configure your authentication system so that the user name presented by the user and passed to the directory to retrieve a user’s database account is not the Siebel user ID. For example, you might want users to enter an adapter-defined user name, such as their Social Security number, phone number, email address, or account number. The security adapter returns the Siebel user ID of the authenticated user and a database account from the directory to the authentication manager.

                                                                                                                                                The adapter-defined user name option can be implemented in the following authentication strategies:

                                                                                                                                                • Security adapter authentication: LDAP, custom (not database authentication)

                                                                                                                                                • Web SSO authentication

The adapter-defined user name must be stored in one attribute in your directory, while the Siebel user ID is stored in another attribute. For example, users can enter their telephone number, stored in the telephonenumber attribute, while their Siebel user ID is stored in the uid attribute. Whatever attribute you choose must identify exactly one directory entry: a value that two entries can share (a telephone number for a shared line, for example) cannot be resolved to a single Siebel user.

                                                                                                                                                The User Name Attribute Type configuration parameter defines the directory attribute that stores the user name that is passed to the directory to identify the user, whether it is the Siebel user ID or an adapter-defined user name. The OM - Username BC Field (alias UsernameBCField) parameter for the Application Object Manager defines the field of the User business component that underlies the attribute specified by User Name Attribute Type.

                                                                                                                                                Even if other requirements to administer user attributes in the directory through the Siebel client are met, you must also set the User Name Attribute Type parameter for the security adapter, and set the OM - Username BC Field parameter. If you do not define these parameters appropriately, then changes through the Siebel client to the underlying field are not propagated to the directory.

                                                                                                                                                For example, for users to log in with their work phone number, you must specify User Name Attribute Type to be the directory attribute in which the phone number is stored, for example, telephonenumber, and you must define OM - Username BC Field to be Phone #, the field in the User business component for the work phone number.

                                                                                                                                                The following procedure outlines how to configure an adapter-defined user name.

                                                                                                                                                To configure an adapter-defined user name

                                                                                                                                                1. For each security adapter (such as LDAPSecAdpt) that implements an adapter-defined user name, define the following parameter values:

                                                                                                                                                  Parameter

                                                                                                                                                  Value

                                                                                                                                                  Security Adapter Mapped User Name

                                                                                                                                                  Select this check box.

                                                                                                                                                  Siebel Username Attribute

                                                                                                                                                  The attribute in which you store the Siebel user ID, such as uid (LDAP).

                                                                                                                                                  User Name Attribute Type

                                                                                                                                                  The attribute in which you store the adapter-defined user name, such as telephonenumber.

                                                                                                                                                  For information on setting Siebel Gateway configuration parameters, see Server Parameters for Siebel Gateway. For Developer Web Client, define these parameters in the corresponding section in the application configuration file, such as uagent.cfg for Siebel Call Center. For Siebel Gateway authentication, define these parameters in the security profile.

                                                                                                                                                2. Determine the field on the User business component that is used to populate the attribute in the directory that contains the adapter-defined user name.

                                                                                                                                                  The Application Object Manager parameter to be populated is OM - Username BC Field.

                                                                                                                                                  For information about working with Siebel business components, see Configuring Siebel Business Applications. For information about working with configuration parameters, see Siebel System Administration Guide.

                                                                                                                                                3. Using Siebel Server Manager, specify the User business component field name as the value for the OM - Username BC Field parameter. You can provide this value at the Enterprise, Siebel Server, or component level. If this parameter is not present in the parameters list, then add it.

Note: The OM - Username BC Field parameter is case sensitive. The value you specify must match the field name exactly as it is defined on the User business component in Siebel Tools.

                                                                                                                                                  If you do not specify a field in the OM - Username BC Field parameter, then the Siebel security adapter assumes that the Login Name field of the User business component (the Siebel user ID) underlies the attribute defined by the User Name Attribute Type parameter.
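The two directory lookups described above, as an added example that is not Siebel code: a small LDIF reader over a constructed directory, the shared database account credential lookup with its fall-back to the user's own entry (from Configuring the Shared Database Account), the adapter-defined user name resolution from a telephonenumber attribute to the uid attribute (from this topic), and an audit that lists every entry still holding plain-text database credentials, which is what you clean up after moving the shared credentials to profile parameters. The entry names, the telephone numbers and the `username=... password=...` layout of the dbaccount value are assumptions for illustration (the page refers to Requirements for the LDAP Directory for the real attribute format). The resolver refuses an ambiguous login name rather than picking the first match.

```python
from typing import Dict, List, Optional, Tuple

# Constructed directory content in LDIF syntax (no continuation or base64
# lines). The "username=... password=..." layout of dbaccount is an assumption.
SAMPLE_LDIF = """
dn: uid=SHAREDENTRY,ou=people,o=example.com
uid: SHAREDENTRY
dbaccount: username=SIEBELAPP password=Sh4redDbPw

dn: uid=jsmith,ou=people,o=example.com
uid: jsmith
telephonenumber: +1 650 555 0101
dbaccount: username=SIEBELAPP password=OldDuplicatedPw

dn: uid=mjones,ou=people,o=example.com
uid: mjones
telephonenumber: +1 650 555 0102

dn: uid=ali,ou=people,o=example.com
uid: ali
telephonenumber: +1 650 555 0102
"""

SHARED_DN = "uid=SHAREDENTRY,ou=people,o=example.com"
Entry = Dict[str, List[str]]


def parse_ldif(text: str) -> Dict[str, Entry]:
    """Minimal LDIF reader: entries separated by blank lines, one
    'attribute: value' per line. Attribute names are lower-cased because
    LDAP attribute names are case-insensitive."""
    entries: Dict[str, Entry] = {}
    current: Optional[Entry] = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            current = None                      # blank line ends the entry
            continue
        name, _, value = line.partition(":")
        name, value = name.strip().lower(), value.strip()
        if name == "dn":
            current = entries.setdefault(value, {})
        elif current is not None:
            current.setdefault(name, []).append(value)
    return entries


def parse_db_account(value: str) -> Optional[Tuple[str, str]]:
    """Split the assumed 'username=U password=P' attribute value."""
    fields = dict(tok.split("=", 1) for tok in value.split() if "=" in tok)
    if "username" in fields and "password" in fields:
        return fields["username"], fields["password"]
    return None


def resolve_db_credentials(entries, user_dn, shared_dn, cred_attr="dbaccount"):
    """Lookup order from the shared database account topic: credentials from
    the shared entry if it has any, otherwise from the user's own entry.
    None means no database account could be found for this login."""
    for dn in (shared_dn, user_dn):
        for value in entries.get(dn, {}).get(cred_attr.lower(), []):
            creds = parse_db_account(value)
            if creds:
                return creds
    return None


def resolve_siebel_user_id(entries, presented, username_attr, siebel_uid_attr="uid"):
    """Adapter-defined user name: match what the user typed against the
    User Name Attribute Type attribute and return (dn, Siebel user ID) from
    the Siebel Username Attribute. Ambiguous or missing matches are rejected
    because the login attribute must identify exactly one entry."""
    matches = [(dn, e) for dn, e in entries.items()
               if presented in e.get(username_attr.lower(), [])]
    if len(matches) != 1:
        return None
    dn, entry = matches[0]
    ids = entry.get(siebel_uid_attr.lower(), [])
    return (dn, ids[0]) if len(ids) == 1 else None


def entries_with_plaintext_db_credentials(entries, cred_attr="dbaccount"):
    """Audit: every DN still carrying a database user name and password in
    the directory, i.e. the entries to clean up after moving the shared
    credentials to the LDAPSecAdpt profile parameters."""
    return sorted(dn for dn, e in entries.items()
                  if any(parse_db_account(v) for v in e.get(cred_attr.lower(), [])))


if __name__ == "__main__":
    directory = parse_ldif(SAMPLE_LDIF)
    hit = resolve_siebel_user_id(directory, "+1 650 555 0101", "telephonenumber")
    print("login by phone ->", hit)
    print("ambiguous phone ->", resolve_siebel_user_id(directory, "+1 650 555 0102", "telephonenumber"))
    print("db creds ->", resolve_db_credentials(directory, hit[0], SHARED_DN))
    print("still in directory ->", entries_with_plaintext_db_credentials(directory))
```

Run against an export of the real directory, the audit function is the check to make before and after switching to Shared DB User Name and Shared DB Password: any DN it still lists holds a database password in plain text.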

                                                                                                                                                  Configuring the Anonymous User

                                                                                                                                                  The anonymous user is a Siebel user with very limited access. The anonymous user (defined in the Siebel database) allows a user to access a login page or a page containing a login form. For LDAP authentication, the anonymous user must have a corresponding record in the user directory.

                                                                                                                                                  The anonymous user is required even if your applications do not allow access by unregistered users. When an Application Object Manager thread first starts up, it uses the anonymous user account to connect to the database and retrieve information (such as a license key) before presenting the login page.

                                                                                                                                                    Anonymous Browsing and the Anonymous User

                                                                                                                                                    If you implement security adapter or database authentication, then you can allow or disallow unregistered users to browse a subset of an application’s views. Unregistered users access Siebel application views and the database through the anonymous user record.

                                                                                                                                                    If you allow anonymous browsing, then users can browse views that are not flagged for explicit login. If you disallow anonymous browsing, then unregistered users have no access to any of the application’s views but do still have access to an application’s login page. For additional information on enabling anonymous browsing, see Process of Implementing Anonymous Browsing.

The following procedure describes how to configure the anonymous user. The anonymous user for employee applications must be associated with an appropriate position and responsibility. Give that responsibility only the views that unregistered users are meant to see, because every view it grants is reachable before anyone logs in.

                                                                                                                                                    To configure the anonymous user
                                                                                                                                                    1. If you are using database security adapter authentication, then create a database account for the anonymous user.

                                                                                                                                                    2. If you are using LDAP security adapter authentication, then define a user in the directory using the same attributes as used for other users. Assign values in appropriate attributes that contain the following information:

                                                                                                                                                      • Siebel user ID. Enter the user ID of the anonymous user record for the Siebel application you are implementing in the attribute in which you store the Siebel user ID, for example, GUESTCST.

                                                                                                                                                      • Password. Assign a password of your choice. Enter the password in unencrypted form.

                                                                                                                                                    3. Specify values for the following parameters, either when configuring the Siebel Application Interface profile (recommended), or by editing the application interface profile manually:

                                                                                                                                                      • Anonymous User Name. Enter the user name required for anonymous browsing and initial access to the login pages of the application you are implementing, in this example, GUESTCST.

                                                                                                                                                      • Anonymous User Password. Enter the password associated with the anonymous user.

                                                                                                                                                      You can define an anonymous user for a single application or as the default for all the Siebel Business Applications you deploy. Even if the anonymous user is specified as the default, any single application can override the default.

                                                                                                                                                    4. If you use one anonymous user for most or all of your applications, then define the anonymous user in the Authentication section of the application interface profile. To override the default value for an individual application, list the Anonymous User Name and Anonymous User Password parameters in the Application section of the application interface profile, for example, the [/eservice] section.

Configuring Roles Defined in the Directory

Responsibilities assigned to each user in Siebel Business Applications provide users with access to particular views in the application. Responsibilities are created in the Siebel application and are stored in the Siebel database. One or more responsibilities are typically associated with each user in the Administration - Application screen.

Creating roles in the LDAP directory is another means of associating Siebel responsibilities with users. Roles are useful for managing large collections of responsibilities. A user has access to all the views associated with all the responsibilities that are directly or indirectly associated with the user.

You can choose to store users’ Siebel responsibilities as roles in a directory attribute instead of in the Siebel database in the following authentication strategies:

• Security adapter authentication: LDAP, custom (not database authentication)

• Web SSO authentication

  Note: You can store Siebel user responsibilities as roles in a directory attribute, but you cannot store Siebel user positions as roles in a directory attribute.

It is recommended that you assign responsibilities in the database or in the directory, but not in both places. If you define a directory attribute for roles but do not use it to associate responsibilities with users, then leave the attribute empty. If you use roles to administer user responsibilities, then create responsibilities in the Siebel application, but do not assign responsibilities to users through the Siebel Application Interface.

To configure roles defined in the directory

1. In the directory, define a directory attribute for roles.

  To make sure that you can assign more than one responsibility to any user, define the roles directory attribute as a multivalue attribute. The security adapters supported by Siebel Business Applications cannot read more than one responsibility from a single-value attribute.

2. For each user, in the directory attribute for roles, enter the names of the Siebel responsibilities that you want the user to have. Enter one responsibility name, such as Web Registered User, in each element of the multivalue field. Role names are case-sensitive.

3. Configure the security adapters provided with Siebel Business Applications to retrieve roles for a user from the directory by setting the Roles Attribute parameter. For example, for the LDAP security adapter, define the following parameter:

  RolesAttributeType = attribute_in_which_roles_are_stored

  For information on setting configuration parameters for Siebel Gateway, see Configuring Security Adapters Using the Siebel Management Console and Parameters for Configuring Security Adapter Authentication. For Developer Web Client, define these parameters in the corresponding section in the application configuration file, such as uagent.cfg for Siebel Call Center. For Siebel Gateway authentication, define these parameters in the security profile.
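The multivalue and case-sensitivity rules in the steps above, as an added example that is not Siebel code or any security adapter's code: it reads a roles attribute one value at a time and shows that a joined single value or a case mismatch grants no responsibility. The attribute name siebelRoles, the LDIF entries and the responsibility list are constructed for illustration.

```python
"""Added example (not Siebel code): how a multivalued roles attribute in the
directory maps onto Siebel responsibilities, and why a single joined value or
a case mismatch silently grants nothing."""
from typing import Dict, List, Tuple

# Constructed LDIF. 'siebelRoles' is an assumed attribute name standing in for
# whatever RolesAttributeType points at. Entry 1 stores one responsibility per
# attribute value (multivalued); entry 2 joins both into one value; entry 3
# has the right words in the wrong case.
SAMPLE_LDIF = """\
dn: uid=hkim,ou=people,o=example.com
uid: hkim
siebelRoles: Web Registered User
siebelRoles: Web Corporate User

dn: uid=jdoe,ou=people,o=example.com
uid: jdoe
siebelRoles: Web Registered User, Web Corporate User

dn: uid=asmith,ou=people,o=example.com
uid: asmith
siebelRoles: web registered user
"""

# Responsibilities defined in the Siebel application (constructed list).
SIEBEL_RESPONSIBILITIES = {"Web Registered User", "Web Corporate User"}


def parse_ldif(text: str) -> Dict[str, Dict[str, List[str]]]:
    """Minimal LDIF reader: dn -> {attribute -> [values]}.
    Repeated 'attr: value' lines accumulate, which is how a multivalued
    attribute is represented. Base64 (::) values and continuation lines are
    not handled; the constructed sample does not use them."""
    entries: Dict[str, Dict[str, List[str]]] = {}
    current: Dict[str, List[str]] = {}
    for line in text.splitlines():
        if not line.strip():
            if "dn" in current:
                entries[current["dn"][0]] = current
            current = {}
            continue
        attr, _, value = line.partition(":")
        current.setdefault(attr.strip(), []).append(value.strip())
    if "dn" in current:
        entries[current["dn"][0]] = current
    return entries


def resolve_responsibilities(entry: Dict[str, List[str]],
                             roles_attr: str) -> Tuple[List[str], List[str]]:
    """Return (granted, rejected). One attribute value is one role name and the
    comparison is exact, because role names are case-sensitive; a value that
    does not match a responsibility name exactly grants nothing."""
    granted: List[str] = []
    rejected: List[str] = []
    for role in entry.get(roles_attr, []):
        (granted if role in SIEBEL_RESPONSIBILITIES else rejected).append(role)
    return granted, rejected


def audit_directory(text: str, roles_attr: str
                    ) -> Dict[str, Tuple[List[str], List[str]]]:
    """Run the check over every entry, which is what you would do before moving
    responsibility administration from the database to directory roles."""
    return {dn: resolve_responsibilities(entry, roles_attr)
            for dn, entry in parse_ldif(text).items()}


if __name__ == "__main__":
    for dn, (granted, rejected) in audit_directory(SAMPLE_LDIF, "siebelRoles").items():
        print(dn, "granted:", granted, "rejected:", rejected)
```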

Security Adapters and the Siebel Developer Web Client

The Siebel Developer Web Client relocates business logic from the Siebel Server to the client. The authentication architecture for the Developer Web Client differs from the authentication architecture for the standard Web Client, because it locates the following components on the client instead of the Siebel Server:

• Application Object Manager (through the siebel.exe program)

• Application configuration file

• Authentication manager and security adapter

• Oracle LDAP Client (where applicable)

  Note: Siebel Business Applications support for the Siebel Developer Web Client is restricted to administration, development, and troubleshooting usage scenarios only. Siebel Business Applications do not support the deployment of this client to end users.

When you implement security adapter authentication for Siebel Developer Web Clients, observe the following principles:

• It is recommended to use the remote configuration option, which can help you make sure that all clients use the same configuration settings. This option is described later in this topic.

• Authentication-related configuration parameters stored in application configuration files on client computers, or stored in remote configuration files, must generally contain the same values as the corresponding parameters in the Siebel Gateway (for Siebel Web Client users). Distribute the appropriate configuration files to all Siebel Developer Web Client users. For information about setting parameters in Siebel application configuration files on the Siebel Developer Web Client, see Siebel Application Configuration Parameters.

• It is recommended that you use checksum validation to make sure that the appropriate security adapter provides user credentials to the authentication manager for all users who request access. For information about checksum validation, see Configuring Checksum Validation.

• In a security adapter authentication implementation, you must set the security adapter configuration parameter Propagate Change to TRUE, and set the Siebel system preference SecThickClientExtAuthent to TRUE, if you want to implement:

• In some environments, you might want to rely on the data server itself to determine whether to allow Siebel Developer Web Client users to access the Siebel database and run the application. In the application configuration file on the local client, you can optionally define the IntegratedSecurity parameter for the server data source (typically, in the [ServerDataSrc] section of the configuration file).

  This parameter can be set to TRUE or FALSE. The default value is FALSE. When TRUE, the Siebel client is prevented from prompting the user for a user name and password when the user logs in. Facilities provided in your existing data server infrastructure determine whether the user is allowed to log into the database.

  You can set the IntegratedSecurity parameter to TRUE with the database security adapter. See also About Database Authentication.

  Note: Integrated Security is only supported for Siebel Developer Web Clients that access Oracle and Microsoft SQL Server databases. This functionality is not available for Siebel Web Clients or Siebel Mobile Web Clients.

For additional information on integrated authentication, refer to your third-party documentation. For Oracle, refer to the OPS$ and REMOTE_OS_AUTHENT features. For Microsoft SQL Server, refer to Integrated Security. For more information about the Siebel Developer Web Client, see the Siebel Installation Guide for the operating system you are using and the Siebel System Administration Guide.

Sample LDAP Configuration

The following sample is an example of LDAP configuration information generated by the Siebel Management Console when you configure an LDAP security adapter for Developer Web Clients. For more information, see Configuring Security Adapters Using the Siebel Management Console. For information about setting Siebel configuration parameters, see Siebel Application Configuration Parameters.

  [LDAPSecAdpt]
  SecAdptDllName = sscforacleldap
  ServerName = ldapserver.example.com
  Port = 636
  BaseDN = ou=people, o=example.com
  SharedCredentialsDN = uid=HKIM, ou=people, o=example.com
  UsernameAttributeType = uid
  PasswordAttributeType = userPassword
  CredentialsAttributeType = mail
  RolesAttributeType = roles
  SslDatabase = file:c:\sslSLwallet
  ApplicationUser = uid=APPUSER, ou=people, o=example.com
  ApplicationPassword = APPUSERPW
  HashDBPwd = TRUE
  PropagateChange = TRUE
  CRC =
  SingleSignOn = TRUE
  TrustToken = mydog
  UseAdapterUsername = TRUE
  SiebelUsernameAttributeType = PHONE
  HashUserPwd = TRUE
  HashAlgorithm = RSASHA1

Remote Configuration Option for Developer Web Client

This option applies only to the Siebel Developer Web Client. The remote configuration option can be implemented in the following authentication strategies:

• Security adapter authentication: LDAP, custom (not database authentication)

• Web SSO authentication

With this approach, you create a separate text file that defines any parameter values that configure a security adapter. You configure all security adapter parameters, such as those in a section like [LDAPSecAdpt], in the remote file, not in the application configuration file.

Storing configuration parameters in a centralized location can help you reduce administration overhead. All Developer Web Clients can read the authentication-related parameters stored in the same file at a centralized remote location.

The following example shows how a remote configuration file can be used to provide parameters for a security adapter that is implemented by Siebel eService in a Web SSO environment. The example is from the configuration file uagent.cfg for Siebel Call Center:

  [InfraSecMgr]
  SecAdptMode = LDAP
  SecAdptName = LDAPSecAdpt
  UseRemoteConfig = \\it_3\vol_1\private\ldap_remote.cfg

In this case, the configuration file ldap_remote.cfg would contain an [LDAPSecAdpt] section. It could be defined similarly to the example earlier in this topic, and would contain no other content. The application configuration file would contain the [InfraSecMgr] section as defined in the preceding example. It would not contain an [LDAPSecAdpt] section and, even if it did, that section would be ignored.

To implement remote security configuration for Siebel Developer Web Clients, follow these guidelines:

• The [InfraSecMgr] section in the Siebel configuration file must include the UseRemoteConfig parameter, which provides the path to a remote configuration file. The path is specified in universal naming convention format, for example, \\server\vol\path\ldap_remote.cfg.

• The remote security configuration file contains only a section for configuring the security adapter, such as the [LDAPSecAdpt] section.

• Each Developer Web Client user must have read privileges on the remote configuration file and the disk directory where it resides.
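The resolution rules just listed (UseRemoteConfig in [InfraSecMgr], a remote file that holds only the adapter section, any local [LDAPSecAdpt] ignored), as an added Python example that is not Siebel's own code; the file contents, the UNC path and the in-memory map standing in for the file share are constructed for illustration.

```python
"""Added example, not Siebel code: resolve the security adapter section for a
Developer Web Client from [InfraSecMgr], honouring UseRemoteConfig."""
import configparser
from typing import Dict

# Constructed uagent.cfg. It deliberately also carries a stale [LDAPSecAdpt]
# section: because UseRemoteConfig is set, that local section must be ignored.
UAGENT_CFG = r"""
[InfraSecMgr]
SecAdptMode = LDAP
SecAdptName = LDAPSecAdpt
UseRemoteConfig = \\it_3\vol_1\private\ldap_remote.cfg

[LDAPSecAdpt]
ServerName = old-ldap.example.com
Port = 389
"""

# Constructed stand-in for the file share: UNC path -> file contents.
REMOTE_FILES: Dict[str, str] = {
    r"\\it_3\vol_1\private\ldap_remote.cfg": """\
[LDAPSecAdpt]
SecAdptDllName = sscforacleldap
ServerName = ldapserver.example.com
Port = 636
BaseDN = ou=people, o=example.com
RolesAttributeType = roles
""",
}


def parse_cfg(text: str) -> configparser.ConfigParser:
    """Siebel .cfg files are INI-style. Interpolation is off so that values
    containing '%' are taken literally, and key case is preserved."""
    cp = configparser.ConfigParser(interpolation=None)
    cp.optionxform = str
    cp.read_string(text)
    return cp


def remote_file_is_well_formed(text: str, section: str) -> bool:
    """The remote file must contain the adapter section and nothing else."""
    return parse_cfg(text).sections() == [section]


def load_adapter_config(app_cfg_text: str,
                        remote_files: Dict[str, str]) -> Dict[str, str]:
    """Return the parameters the authentication manager would use.

    - SecAdptName names the section that configures the adapter.
    - With UseRemoteConfig set, that section is read from the remote file and
      any same-named section in the application file is ignored.
    - Without it, the section comes from the application file itself.
    """
    app = parse_cfg(app_cfg_text)
    infra = app["InfraSecMgr"]
    section = infra["SecAdptName"]
    remote_path = infra.get("UseRemoteConfig")
    if remote_path is None:
        return dict(app[section])
    if not remote_path.startswith("\\\\"):
        raise ValueError("UseRemoteConfig must be a UNC path: " + remote_path)
    if remote_path not in remote_files:
        # In practice: wrong path, or the user lacks read access to the share.
        raise FileNotFoundError(remote_path)
    remote_text = remote_files[remote_path]
    if not remote_file_is_well_formed(remote_text, section):
        raise ValueError(f"{remote_path} must contain only [{section}]")
    return dict(parse_cfg(remote_text)[section])


if __name__ == "__main__":
    for key, value in load_adapter_config(UAGENT_CFG, REMOTE_FILES).items():
        print(f"{key} = {value}")
```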

About Password Hashing

This topic describes the password hashing options available with Siebel Business Applications. User passwords and database credentials passwords can be hashed for greater security. Hashing passwords is recommended.

Unlike encryption, which involves two-way algorithms (encryption and decryption), hashing uses a one-way algorithm. A clear-text version of a password is hashed using a Siebel utility, then stored in the database or in an external directory such as LDAP. During login, a clear-text version of a password is provided (such as by a user), which is then hashed and compared to the stored hashed password.

The password hashing options available with Siebel Business Applications are as follows:

• User password hashing. When you are using security adapter authentication (including database, LDAP, or custom security adapters), user passwords can be hashed.

  A hashed password is maintained for each user, while the user logs in with an unhashed (clear-text) version of the password. This password is hashed during login.

  Password hashing is a critical tool for preventing unauthorized users from bypassing Siebel Business Applications and logging directly into the Siebel database using an RDBMS tool such as SQL*Plus. It also prevents passwords intercepted over the network from being used to access the applications, because an intercepted hashed password will itself be hashed when login is attempted, leading to a failed login.

• Adding salt values to user passwords. In the current release, if you are using an LDAP or a custom security adapter, you can choose to prefix a user’s password with a salt value (a random string) before the password is hashed. The result of the hash function and the salt value are then stored in the security adapter directory. During authentication, the user password supplied is prefixed with the stored salt value and hashing is applied. If this computed value matches the hash value in the directory, then the user is authenticated.

  Note: Adding salt values to user passwords is not supported if you are using Web Single Sign-On or database authentication. The Salt User Password parameter is ignored if the Configure Web Single Sign-On parameter is set to TRUE.

  Adding salt values to user passwords provides protection against dictionary attacks on the hashed passwords. By making the hashed input longer and more random, salt values lessen the likelihood that the hashed passwords can be deciphered. For additional information on the Salt User Password parameter, see Parameters for Configuring Security Adapter Authentication.

• Database credentials password hashing. When you are using security adapter authentication other than database authentication (LDAP or custom security adapters), or if you are using Web SSO authentication, database credentials passwords can be hashed.

  A hashed password for a database account is maintained in the database, while an unhashed (clear-text) version of the password is stored in the external directory. This password is hashed and compared during database login.

  Credentials password hashing prevents users from being able to log into the Siebel database directly using a password obtained through unauthorized access to the external directory, because the unhashed password in the directory will not match the hashed version stored in the database.

• Password hashing utility. Siebel Business Applications provide a password hashing utility called hashpwd.exe, which uses the RSA SHA-1 hashing algorithm by default. For existing customers, the Siebel proprietary hashing algorithm (the mangle algorithm) is also available as an option for the hashpwd.exe utility.

For information about managing encrypted passwords in Siebel Application Interface configuration, see Encrypted Passwords in Siebel Application Interface Profile Configuration. The password encryption mechanism described there is unrelated to the password hashing mechanism described in this topic.

Login Scenario for Password Hashing

This topic describes the login process for a Siebel application user when password hashing has been implemented. A user is logged into the Siebel application by the following process:

1. The user logs in with user credentials that include the unhashed password.

2. The Application Object Manager receives the user credentials, and passes them to the authentication manager.

3. If user password salting is enabled, then the authentication manager retrieves the salt value associated with the user password from the LDAP or custom security adapter directory and prefixes it to the user-provided password.

4. The authentication manager hashes the password, according to the configuration of the security adapter.

  • In a database authentication environment:

    • The authentication manager passes the user credentials (user ID and hashed password) to the database security adapter.

    • The database security adapter verifies that the hashed password matches the hashed password stored in the database for the user. It validates the credential by trying to connect to the database server. The security adapter confirms to the Application Object Manager, through the authentication manager, that the credentials are valid.

  • In an LDAP authentication environment:

    • The authentication manager passes the user credentials, including the hashed password, to the LDAP security adapter.

    • The LDAP security adapter verifies that the hashed password matches the hashed password stored in the directory for the user, and then returns the database account and the Siebel user ID to the Application Object Manager through the authentication manager.

5. The Application Object Manager initiates a Siebel application session for the user.

Related Topics

Process of Configuring User and Credentials Password Hashing

Running the Password Hashing Utility
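The salted hashing described under About Password Hashing and login steps 3 and 4 above, as an added Python example that is not Siebel's code or the hashpwd.exe utility: it enrolls a user, verifies a login with the stored salt, and checks the two claims the text makes (a captured hash cannot be replayed as a password; unsalted hashes of equal passwords coincide). The salt length, the salt:hexhash layout of the stored value and the sample users are assumptions; SHA-1 is used only because the page names it as the default algorithm.

```python
"""Added example, not Siebel code: salted one-way password verification as
described on this page. The stored layout 'salt:hexhash', the 8-byte salt and
the sample users are assumptions; SHA-1 mirrors the page's default algorithm."""
import hashlib
import secrets
from typing import Dict

# Constructed in-memory stand-in for the directory attribute that holds each
# user's stored credential (salt plus hash), as read by a security adapter.
DIRECTORY: Dict[str, str] = {}


def hash_password(password: str, salt: str = "") -> str:
    """Prefix the salt to the clear-text password, then apply the one-way hash."""
    return hashlib.sha1((salt + password).encode("utf-8")).hexdigest()


def enroll(user: str, password: str, use_salt: bool = True) -> str:
    """One-time step, the role hashpwd.exe plays: hash the clear-text password
    and store the salt alongside the result in the directory."""
    salt = secrets.token_hex(8) if use_salt else ""
    DIRECTORY[user] = f"{salt}:{hash_password(password, salt)}"
    return DIRECTORY[user]


def authenticate(user: str, supplied: str) -> bool:
    """Login steps 3 and 4: retrieve the stored salt, prefix it to what the
    user typed, hash, and compare with the stored hash in constant time."""
    stored = DIRECTORY.get(user)
    if stored is None:
        return False
    salt, _, stored_hash = stored.partition(":")
    return secrets.compare_digest(hash_password(supplied, salt), stored_hash)


def replay_of_stored_hash_succeeds(user: str) -> bool:
    """Check the page's claim that a captured hash cannot be used as a
    password: submitting the stored hash gets it hashed again, so it fails."""
    _, _, stored_hash = DIRECTORY[user].partition(":")
    return authenticate(user, stored_hash)


def stored_values_identical(user_a: str, user_b: str) -> bool:
    """Why salt matters: two users with the same password share one unsalted
    hash (one precomputed guess fits both), but get distinct salted values."""
    return DIRECTORY[user_a] == DIRECTORY[user_b]


if __name__ == "__main__":
    enroll("hkim", "Welcome1")
    print("correct password:", authenticate("hkim", "Welcome1"))    # True
    print("wrong case:", authenticate("hkim", "welcome1"))          # False
    print("replayed hash:", replay_of_stored_hash_succeeds("hkim"))  # False
```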

                                                                                                                                                                  Process of Configuring User and Credentials Password Hashing

                                                                                                                                                                  This topic describes how to implement password hashing for user passwords or for database credentials, how to implement the use of salt values for user passwords, and how to specify the default hashing algorithm.

                                                                                                                                                                  Configuration parameters for all security adapters provided with Siebel Business Applications, and for custom security adapters you implement, specify the password hashing settings in effect. For LDAP authentication, parameters are specified for the security adapter. For database authentication, the relevant parameters are specified for a data source referenced from the database security adapter, rather than specified directly for the security adapter.

                                                                                                                                                                  To configure password hashing, perform the following tasks:

                                                                                                                                                                  1. Review Guidelines for Password Hashing

                                                                                                                                                                  2. Perform either or both of the following tasks, as appropriate:

                                                                                                                                                                    • Configuring User Password Hashing

                                                                                                                                                                    • Configuring Password Hashing of Database Credentials

                                                                                                                                                                    Guidelines for Password Hashing

                                                                                                                                                                    This topic describes the factors to consider if you choose to implement password hashing with Siebel Business Applications.

                                                                                                                                                                    This task is a step in Process of Configuring User and Credentials Password Hashing.

                                                                                                                                                                    Guidelines for using password hashing with Siebel Business Applications include the following:

                                                                                                                                                                    • The password hashing utility, hashpwd.exe, does not automatically store hashed passwords or salt values in the Siebel database or LDAP directory. The administrator is responsible for defining and storing the hashed passwords and salt values. A hashed password is stored in one of the following locations:

                                                                                                                                                                      • In a database authentication environment, the hashed password is set as the valid password for the database account.

                                                                                                                                                                      • In an LDAP authentication environment, the hashed password is stored in the attribute specified for the user’s password. The password salt value is stored in the attribute specified for the salt value.

                                                                                                                                                                    • The unhashed version of the password is given to a user to use when logging in.

                                                                                                                                                                    • Stored passwords must first be hashed (after salt values are added, if applicable) with the same hashing algorithm (typically, RSA SHA-1) that is applied to the passwords in the authentication process.

                                                                                                                                                                    • Database credentials passwords stored outside of the Siebel database must be stored in unhashed form, because such passwords are hashed during the authentication process. For additional information, see About Password Hashing.

                                                                                                                                                                    • With database authentication, the Siebel Server components that log in to the database must use the hashed password value stored in the Siebel database. Otherwise, the component login will fail.

                                                                                                                                                                      For example, when you run the Generate Triggers (GenTrig) component, the value provided for the PrivUserPass parameter (used along with the PrivUser parameter) must be the hashed password value.

                                                                                                                                                                      To determine if a Siebel Server component uses a hashed password, select the component from the Enterprise Component Definition View and query for the component parameter OM - Data Source. If the value that OM - Data Source references has DSHashAlgorithm set to a hashing algorithm and DSHashUserPwd set to TRUE, then it means that the component can accept an unhashed password and hash it using the specified parameters.

                                                                                                                                                                    • Password hashing and use of salt values must be specified consistently for all Siebel Enterprise components that will work together. For example, all Siebel Servers subject to Application Object Manager load balancing must use the same security adapter settings, including those for password hashing, or component login will fail.

                                                                                                                                                                    • For the Siebel Mobile Web Client, password hashing for the local database password has the following requirements:

                                                                                                                                                                      • The parameter Encrypt client Db password (alias EncryptLocalDbPwd) must have been set to TRUE for the server component Database Extract (alias DbXtract) at the time the user’s local database was extracted. See Siebel Remote and Replication Manager Administration Guide for details.

                                                                                                                                                                      • The database security adapter must be in effect for the Mobile Web Client, and the DSHashUserPwd and DSHashAlgorithm parameters must be set appropriately for the data source specified for the security adapter. For more information, see About Database Authentication and Siebel Application Configuration Parameters.

                                                                                                                                                                      Configuring User Password Hashing

                                                                                                                                                                      The procedure in this topic describes how to configure user password hashing with Siebel Business Applications.

                                                                                                                                                                      This task is a step in Process of Configuring User and Credentials Password Hashing.

                                                                                                                                                                      To implement user password hashing

                                                                                                                                                                      1. For each user, create and record a user name and a password.

                                                                                                                                                                      2. To hash one or more passwords, run the hashpwd.exe utility at a command prompt. For command syntax options, see Running the Password Hashing Utility.

                                                                                                                                                                      3. For each user, do one of the following:

                                                                                                                                                                        • In a database authentication environment, set the credentials for a database account to the user name and the hashed password. For information about setting credentials for database accounts, see your RDBMS documentation.

                                                                                                                                                                        • In an LDAP authentication environment, set the values in the directory attributes for user name, password, and salt to the user name, hashed password, and salt value returned by the hashpwd.exe utility.

                                                                                                                                                                      4. Using Siebel Server Manager, configure the security adapter for user password hashing as follows:

                                                                                                                                                                        • For the database security adapter (typically, DBSecAdpt):

                                                                                                                                                                          • Set the DataSourceName parameter to the name of the applicable data source (for example, ServerDataSrc).

                                                                                                                                                                          • For the applicable data source, set the DSHashUserPwd parameter to TRUE.

                                                                                                                                                                          • For the applicable data source, set the DSHashAlgorithm parameter to RSASHA1 (this is the default value) or SIEBELHASH (the Siebel proprietary algorithm).

                                                                                                                                                                        • For the LDAP security adapter (typically, LDAPSecAdpt):

                                                                                                                                                                          • Set the Hash User Password parameter to TRUE.

                                                                                                                                                                          • Set the Hash Algorithm parameter to RSASHA1 (this is the default value) or SIEBELHASH (the Siebel proprietary algorithm).

                                                                                                                                                                          • (Optional) Set the Salt User Password parameter to TRUE to specify that salt values can be added to user passwords.

                                                                                                                                                                          • (Optional) Set the Salt Attribute Type parameter to specify the attribute that is to store the salt value.

                                                                                                                                                                          Note: The Siebel Gateway security profile does not support SiebelHash (the Siebel proprietary algorithm) and so must not be used anywhere in the Siebel Enterprise.

                                                                                                                                                                      5. Provide each user with the user name and the clear-text password for logging in.

                                                                                                                                                                      Related Topics

                                                                                                                                                                      About Password Hashing

                                                                                                                                                                      Configuring Password Hashing of Database Credentials

                                                                                                                                                                        Configuring Password Hashing of Database Credentials

                                                                                                                                                                        The procedure in this topic describes how to configure database credentials password hashing with Siebel Business Applications.

                                                                                                                                                                        This task is a step in Process of Configuring User and Credentials Password Hashing.

                                                                                                                                                                        To implement database credentials password hashing

                                                                                                                                                                        1. For each applicable database account, create and record a login name and a password.

                                                                                                                                                                        2. To hash one or more passwords, run the hashpwd.exe utility at a command prompt. For command syntax options, see Running the Password Hashing Utility.

                                                                                                                                                                        3. For each database account, assign the hashed passwords to their corresponding database accounts.

                                                                                                                                                                          For information about setting credentials for database accounts, see your RDBMS documentation.

                                                                                                                                                                        4. In the LDAP directory, specify the unhashed version of the password for the attribute that contains the database account.

                                                                                                                                                                          The database credentials password must be stored in unhashed form in the directory because the password is hashed during the authentication process. Users cannot log into the Siebel database using a password obtained through unauthorized access to the directory because the unhashed password in the directory will not match the hashed version stored in the database.

                                                                                                                                                                          As an additional security measure, however, you can define an access control list (ACL) to restrict access to the directory attribute containing the unhashed version of the password. Alternatively, if you are implementing a shared database account, the shared database login name and hashed password can be specified as profile parameters for the LDAP Security Adapter profile.

                                                                                                                                                                          For information about required attributes in the directory, see Requirements for the LDAP Directory. For information on setting up directory ACLs, see your directory vendor documentation.

                                                                                                                                                                        5. Using Siebel Server Manager, configure the security adapter for credentials password hashing. For the LDAP security adapter:

                                                                                                                                                                          • Set the Hash DB Password parameter to TRUE.

                                                                                                                                                                          • The hash algorithm is based on the setting you previously made for the Hash Algorithm parameter when you configured user password hashing.

                                                                                                                                                                        Related Topics

                                                                                                                                                                        About Password Hashing

                                                                                                                                                                        Configuring User Password Hashing

                                                                                                                                                                          Running the Password Hashing Utility

                                                                                                                                                                          This topic describes how to hash user passwords and generate salt values using the hashpwd.exe utility. The hashpwd.exe utility is located in SIEBSRVR_ROOT\bin (Siebel Server installation directory) or SIEBEL_CLIENT_ROOT\bin (Siebel Mobile or Developer Web Client installation directory).

                                                                                                                                                                          When you have hashed user passwords using hashpwd.exe, store the hashed passwords and salt values in the directory or database, as appropriate. For information on storing hashed passwords, see Guidelines for Password Hashing. For information about the password hashing options mentioned in the procedures in this topic, see About Password Hashing.

                                                                                                                                                                          You hash passwords using the SHA-1 hashing algorithm; the following procedure describes how.

                                                                                                                                                                          Note: The SHA-1 hashing algorithm is the only algorithm supported for password hashing in Siebel Enterprise. SHA-2 must not be used for any participating node, since the enterprise supports only SHA-1.

                                                                                                                                                                            Hashing Passwords Using the RSA SHA-1 Algorithm

                                                                                                                                                                            The following procedure describes how to run the hashpwd.exe utility using the default password hashing algorithm, RSA SHA-1.

                                                                                                                                                                            To hash passwords using the RSA SHA-1 algorithm

                                                                                                                                                                            • To hash a password using the RSA SHA-1 algorithm, run the hashpwd.exe utility using one of the following syntaxes:

                                                                                                                                                                              • To hash individual passwords, use the following syntax:

                                                                                                                                                                                hashpwd password1 password2 ...
                                                                                                                                                                                hashpwd -a rsasha1 password1 password2 ...

                                                                                                                                                                              • To hash individual passwords and generate salt values for each password, use the following syntax:

                                                                                                                                                                                hashpwd -a rsasha1 -s salt_length password1 password2 ...

                                                                                                                                                                                where salt_length specifies the length, in bytes, of the salt value. Enter a value between 1 and 16. For example, for the clear-text password PassWord02, the salt and hash values generated by the hashpwd.exe utility using the default rsasha1 option are as follows:

                                                                                                                                                                                Salt : HyviRlb2yP
                                                                                                                                                                                Password: UctMxQ+DoRlQZgiHIl7ghDy1bJM=

                                                                                                                                                                              • To hash multiple passwords using a batch file, enter the passwords into a batch file (for example, the file might be named passwords.txt), and then specify the filename using the following syntax:

                                                                                                                                                                                hashpwd @password_file_name
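The following Python model is an added example, not code from the Siebel product or from this guide. It illustrates two things described above: the shape of the hashpwd.exe rsasha1 output (a base64-encoded SHA-1 digest, optionally salted, as shown in the Salt/Password sample), and the flow from Configuring Password Hashing of Database Credentials, in which the user password is stored hashed in the directory while the database credential is stored unhashed in the directory and hashed by the LDAP security adapter before the database connection. The concatenation order (salt prepended), the UTF-8 encoding, and the salt alphabet are assumptions, because the page shows only hashpwd's output and not its construction; for that reason the code does not claim to reproduce the exact PassWord02 digest printed above, and the SIEBELHASH algorithm is not modelled. All user names, account names and passwords in the block are constructed sample values.

```python
"""Model of hashpwd-style salted SHA-1 hashing and of the LDAP adapter's
credential handling. Added example; not Siebel code. Assumptions:
  - rsasha1 output = base64(SHA-1(salt + password)), salt prepended as text
    (order and encoding are not documented on the page).
  - Salt characters are drawn from [A-Za-z0-9]; hashpwd -s accepts 1..16 bytes.
"""
import base64
import hashlib
import secrets
import string
from dataclasses import dataclass

SALT_ALPHABET = string.ascii_letters + string.digits
MAX_SALT_LEN = 16  # hashpwd -s salt_length must be between 1 and 16


def make_salt(length: int) -> str:
    """Random salt of the requested length from a CSPRNG (assumed alphabet)."""
    if not 1 <= length <= MAX_SALT_LEN:
        raise ValueError("salt length must be between 1 and 16")
    return "".join(secrets.choice(SALT_ALPHABET) for _ in range(length))


def hash_password(password: str, salt: str = "") -> str:
    """base64(SHA-1(salt + password)): the shape of hashpwd's rsasha1 output.

    Concatenation order and text encoding are assumptions (see module doc).
    """
    digest = hashlib.sha1((salt + password).encode("utf-8")).digest()
    return base64.b64encode(digest).decode("ascii")


@dataclass
class DirectoryEntry:
    """One LDAP user record holding the attributes the procedures describe."""
    username: str
    password_attr: str      # hashed user password (Hash User Password = TRUE)
    salt_attr: str          # salt value (Salt Attribute Type)
    db_account: str         # database login name
    db_password_attr: str   # database credential, stored UNHASHED (step 4)


@dataclass
class Database:
    """Accounts as the RDBMS sees them: the stored password IS the hashed value."""
    accounts: dict

    def connect(self, login: str, password: str) -> bool:
        """Succeeds only when the supplied password equals the stored value."""
        return self.accounts.get(login) == password


def ldap_adapter_login(entry: DirectoryEntry, db: Database, cleartext: str) -> bool:
    """Model of the LDAP security adapter with Hash User Password and
    Hash DB Password both TRUE: hash the typed password and compare it with
    the directory attribute, then hash the directory's database credential
    before connecting to the database."""
    if hash_password(cleartext, entry.salt_attr) != entry.password_attr:
        return False
    return db.connect(entry.db_account, hash_password(entry.db_password_attr))


def provision(username: str, user_password: str,
              db_account: str, db_password: str, salt_len: int = 10):
    """What the administrator does by hand after running hashpwd: store the
    hashed user password and its salt in the directory, store the unhashed
    database credential in the directory, and set the hashed credential as
    the account's password in the RDBMS."""
    salt = make_salt(salt_len)
    entry = DirectoryEntry(
        username=username,
        password_attr=hash_password(user_password, salt),
        salt_attr=salt,
        db_account=db_account,
        db_password_attr=db_password,
    )
    db = Database(accounts={db_account: hash_password(db_password)})
    return entry, db


if __name__ == "__main__":
    # Constructed sample values, not taken from the page.
    entry, db = provision("jdoe", "PassWord02", "SIEBEL_APP", "DbSecret01")
    print("user login ok:", ldap_adapter_login(entry, db, "PassWord02"))
    print("wrong password:", ldap_adapter_login(entry, db, "PassWord03"))
    # The unhashed value held in the directory does not open the database
    # on its own, which is the point the credentials procedure makes.
    print("raw directory credential vs database:",
          db.connect(entry.db_account, entry.db_password_attr))
```

The same structure explains the guideline that Siebel Server components logging in with database authentication must present the hashed value: in the model, `Database.connect` only accepts what `hash_password` produced, never the clear-text credential.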