7 Security Features of Siebel Application Interface
This chapter describes several options that relate to security issues and the Siebel Application Interface. They are covered in the topics that follow.
About the Siebel Web Client and Using HTTPS
The Siebel installer configures the Siebel Web Client for HTTPS. Creating the certificate and the certificate store beforehand is a prerequisite: the installer selects them and uses them during HTTPS configuration. For more information, see the following:
- Siebel Installation Guide for the operating system you are using 
Implementing Secure Login
Secure login is enabled when Siebel Web Client is configured and accessible over HTTPS. The Siebel installer enforces HTTPS for Web server access. For more information, see the topic about installing Siebel Business applications in Siebel Installation Guide for the operating system you are using.
With secure login, the user credentials entered in the login form are transmitted from the browser to the Web server using TLS, that is, over HTTPS.
For information about administering Siebel Server components, see Siebel System Administration Guide.
Logging Out of a Siebel Application
Siebel application users can end a Siebel session by using the Siebel application log out features or by closing the browser window.
If you select the Siebel application Log Out menu option, you are logged out of the Siebel application and the user session is ended immediately. Alternatively, you can close the browser window to end the Siebel session.
If you are using Siebel Business Applications, clicking Close (the X icon) closes the window but does not terminate the Siebel user session until the session timeout is reached. The value of the session timeout is determined by the Active Session Timeout Value parameter set in the Siebel Application Interface profile for the application interface. For more information about this parameter, see Siebel Application Interface Profile Parameters.
Login User Names and Passwords
The following features are typically available on the Siebel login dialog box to assist users:
- The Remember My User ID check box - This feature is provided by your browser (and not by Siebel). 
- The Forgot Your Password? link - For information on retrieving forgotten passwords, see Retrieving a Forgotten Password (Users). 
Account Policies and Password Expiration
For enhanced security, you might want to implement the following account policies. Account policies are functions of your authentication service. If you want to implement account policies, then you are responsible for setting them up through administration features provided by the authentication service vendor.
- Password syntax rules, such as minimum password length. When creating or changing passwords, minimum length requirements and other syntax rules defined in the external directory are enforced by the Siebel application. 
- An account lockout after a specified number of failed attempts to log in. Account lockout protects against password guessing attacks. Siebel Business Applications support lockout conditions for accounts that have been disabled by the external directory. 
- Password expiration after a specified period of time. The external directory can be configured to expire passwords and warn users that passwords are about to expire. Password expiration warnings issued by the external directory are recognized by Siebel Business Applications and users are notified to change their passwords. 
About Password Expiration
Password expiration can be implemented in the following authentication strategies:
- Security adapter authentication: LDAP or applicable custom security adapter 
- Database authentication where supported by the RDBMS 
If you are using an LDAP security adapter, then password expiration is handled by the external LDAP directory, and is subject to the configuration of this behavior for the third-party directory product.
For example, when a password is about to expire, the directory might provide warning messages to the Siebel application to display when the user logs in. Such a warning would indicate the user’s password is about to expire and must be changed. If the user ignores such warnings and allows the password to expire, then the user might be required to change the password before logging into the application. Or, the user might be locked out of the application once the password has expired.
Password expiration configuration steps for each directory vendor will vary. For more information, see the documentation provided with your directory product.
About Using Cookies with Siebel CRM
Siebel Business Applications running in the Web browser use cookies for a variety of purposes. This topic describes the types of cookies used and provides instructions for enabling cookies for Siebel CRM.
All cookies used by Siebel CRM are encrypted using standard encryption algorithms. Siebel CRM uses the following kinds of cookies:
- Session cookie. Manages user sessions for Siebel Web Client users. For details, see Session Cookie. 
- Auto-login credential cookie. Stores user credentials for Siebel Web Client users. For details, see Auto-Login Credential Cookie. 
Using cookies helps to maintain user session information. Browsers with cookies disabled cannot maintain a Siebel user session. Siebel does not support or recommend cookieless mode.
Session Cookie
The session cookie consists of the session ID generated for a user’s session. This cookie is used to manage the state of the user’s session. The session cookie applies to the Siebel Web Client only.
Web browsers with cookie handling disabled cannot maintain a Siebel user session.
When a Siebel Web Client user successfully logs into Siebel Business Applications, a unique session ID is generated for that user. The steps involved in a user session are as follows:
- The components of the session ID are generated in the Siebel Server and sent to the Session Manager running in the Siebel Application Interface. 
- The session ID is passed to the client in a cookie: it is sent to the user’s browser in the form of a nonpersistent cookie that is stored in memory. It stays in the browser for the duration of the session, and is deleted when the user logs out or is timed out. 
- For every application request that the user makes during the session, the cookie is passed to the Web server in an HTTP header as part of the request. 
- The Siebel Application Interface parses the incoming cookie to obtain the session ID and, if the ID is valid, processes the request. If the HTTP header does not include a cookie containing a valid session ID, then the Web server does not honor that request. 
The session cookie is used to maintain a stateful session, and the SRN, which is generated after an explicit user login, is used to maintain a secure session for the logged-in user. The SRN protects all write operations in a user session.
Using Secure Cookies
To increase the security of session cookies, Siebel Business Applications assign the Secure attribute to all session cookies by default. Setting the Secure attribute for cookies specifies that the cookies are to be transmitted to Web servers only over HTTPS connections, that is, to Web servers that have enabled TLS.
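The session cookie flow described under Session Cookie, together with the Secure attribute, as an added example that is not part of this documentation or of Siebel's own code: a minimal Go session store that issues a random session ID in a non-persistent, Secure cookie and honours a request only when its Cookie header carries a known, unexpired ID. The cookie name `_sn`, the SessionStore type and its timeout field are this example's assumptions; the timeout stands in for the Active Session Timeout Value parameter.

```go
package main

import (
	"crypto/rand"
	"encoding/hex"
	"net/http"
	"time"
)

// SessionStore follows the flow above: the server issues an opaque session ID in a
// non-persistent cookie and honours a request only when its Cookie header carries a
// known, unexpired ID. Type and cookie names are this example's own, not Siebel's.
type SessionStore struct {
	sessions map[string]time.Time // session ID -> time of last activity
	timeout  time.Duration        // plays the role of Active Session Timeout Value
	Now      func() time.Time     // injectable clock so timeouts can be tested
}
func NewSessionStore(timeout time.Duration) *SessionStore {
	return &SessionStore{sessions: map[string]time.Time{}, timeout: timeout, Now: time.Now}
}

// Login generates a random session ID and returns the cookie to send back. Secure stops
// the browser sending it over plain HTTP; with no Expires/Max-Age it lives only in memory.
func (s *SessionStore) Login() *http.Cookie {
	buf := make([]byte, 16)
	if _, err := rand.Read(buf); err != nil {
		panic(err)
	}
	id := hex.EncodeToString(buf)
	s.sessions[id] = s.Now()
	return &http.Cookie{Name: "_sn", Value: id, Path: "/", Secure: true, HttpOnly: true}
}

// Validate parses the Cookie header of a request and reports whether to honour it.
// A missing, unknown or timed-out ID is refused; a timed-out one is also removed.
func (s *SessionStore) Validate(r *http.Request) bool {
	c, err := r.Cookie("_sn")
	if err != nil {
		return false // no session cookie in the request: do not honour it
	}
	last, ok := s.sessions[c.Value]
	if !ok || s.Now().Sub(last) > s.timeout {
		delete(s.sessions, c.Value) // unknown, logged out, or Active Session Timeout reached
		return false
	}
	s.sessions[c.Value] = s.Now() // activity extends the session
	return true
}
// Logout ends the session at once, as the Log Out menu option does.
func (s *SessionStore) Logout(c *http.Cookie) { delete(s.sessions, c.Value) }
```

Closing the browser window corresponds to nothing happening here: the entry stays in the store until Validate sees it past the timeout, which is exactly why the Log Out option is the safer way to end a session.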
Session ID Encryption
The Siebel session ID is encrypted with AES-256.
Auto-Login Credential Cookie
This cookie consists of the user name for a given user, and the URL string used to access the application. The auto-login credential cookie is persistent and is stored on the user’s browser in encrypted form (it is always encrypted). The AES algorithm encrypts this cookie. The result of this encryption is then encoded using base64 Content-Transfer-Encoding. This cookie applies to the Siebel Web Client only.
The auto-login credential cookie is not mandatory. It is an optional way to allow users not to have to enter their user name every time they log in. If the user subsequently accesses the application URL through another browser window, then the user information is provided to the application so the user does not have to provide it again.
The format of the auto-login credential cookie is as follows:
start.swe=encrypted_user_information 
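The auto-login credential cookie format above, as an added example that is not Siebel's own code: the user name and application URL are AES-encrypted, the result is base64-encoded and carried as start.swe=<value>, and the server reverses the process on the next request. AES-GCM (an authenticated mode), the 32-byte server-side key and the "\x00" field separator are this example's assumptions; the page states only that AES and base64 are used.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"encoding/base64"
	"errors"
	"strings"
)

// Sealer builds and reads a cookie shaped like the auto-login credential cookie above: user
// name plus application URL, AES-encrypted, base64-encoded, carried as start.swe=<value>.
// AES-GCM (authenticated) and the "\x00" field separator are this example's assumptions.
type Sealer struct{ aead cipher.AEAD }

func NewSealer(key []byte) (*Sealer, error) { // server-side key; 32 bytes selects AES-256
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	aead, _ := cipher.NewGCM(block) // only fails for non-128-bit blocks, which AES never has
	return &Sealer{aead: aead}, nil
}

// Seal returns the cookie string "start.swe=<base64(nonce || ciphertext || tag)>".
func (s *Sealer) Seal(user, url string) (string, error) {
	nonce := make([]byte, s.aead.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return "", err
	}
	ct := s.aead.Seal(nonce, nonce, []byte(user+"\x00"+url), nil) // output is nonce || ct || tag
	return "start.swe=" + base64.StdEncoding.EncodeToString(ct), nil
}

// Open reverses Seal; a tampered, truncated or foreign-keyed value is rejected outright.
func (s *Sealer) Open(cookie string) (user, url string, err error) {
	v, ok := strings.CutPrefix(cookie, "start.swe=")
	raw, err := base64.StdEncoding.DecodeString(v)
	n := s.aead.NonceSize()
	if !ok || err != nil || len(raw) < n {
		return "", "", errors.New("not a well-formed auto-login credential cookie")
	}
	pt, err := s.aead.Open(nil, raw[:n], raw[n:], nil)
	if err != nil {
		return "", "", errors.New("cookie failed authentication")
	}
	user, url, _ = strings.Cut(string(pt), "\x00")
	return user, url, nil
}
```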
Enabling Cookies for Siebel CRM
This topic describes how to enable the Microsoft Internet Explorer Web browser to handle cookies used by Siebel CRM. These instructions can vary depending on your supported browser version.
To enable cookies using Internet Explorer
- Choose Tools, and then Internet Options. 
- Click the Privacy tab. 
- In Privacy settings, click Advanced. 
- Verify that Override automatic cookie handling is checked. Also consider the following: 
  - If First-party Cookies is set to Accept, then all Siebel cookies are enabled. 
  - If First-party Cookies are blocked, then you can still enable the session cookie by checking Always allow session cookies. 
- Click OK, then click OK again.