Contents

• Title and Copyright Information
• Preface
• 1 What's New in This Release
  • What’s New in Siebel Security Guide, Siebel CRM 18.12 Update
  • What’s New in Siebel Security Guide, Siebel CRM 18.10 Update
  • What’s New in Siebel Security Guide, Siebel CRM 18.9 Update
  • What’s New in Siebel Security Guide, Siebel 2018
  • What's New in Siebel Security Guide, Siebel Innovation Pack 2017, Rev. A
  • What’s New in Siebel Security Guide, Siebel Innovation Pack 2017
• 2 About Security for Siebel CRM
  • About Security for Siebel CRM
  • About This Guide
  • General Security Concepts
  • Industry Standards for Security
  • About Supported Security Products
  • Siebel Security Architecture
    • User Authentication for Secure System Access
      • Security Adapter for Database Authentication
      • Security Adapters for LDAP Authentication
      • Web Single Sign-On
      • Security Adapter SDK
    • End-to-End Encryption for Data Confidentiality
    • About Controlling Access to Data
      • View-Level Access Control
      • Record-Level Access Control
    • Support for Auditing in a Siebel Environment
    • Secure Physical Deployment to Prevent Intrusion
    • Security for Mobile Solutions
      • Mobile Device User Authentication
    • Security Settings for the Web Browser
  • Web Sites with Security Information
  • Using Transport Layer Security with Siebel CRM
  • Supported TLS Versions and RSA SHA
  • About Siebel Open UI
  • Roadmap for Configuring Security
• 3 Changing and Managing Passwords
  • Changing and Managing Passwords
  • About Managing and Changing Passwords
    • Guidelines for Changing Passwords
    • Characters Supported in Siebel Passwords
      • Supported Characters
      • Unsupported Characters
  • About Default Accounts
    • Database Accounts
    • Siebel User Accounts
  • Changing System Administrator Passwords on Microsoft Windows
    • Changing the Password for the Siebel Service Owner Account
    • Changing the Password for the Siebel Administrator Account
    • Changing the Anonymous User Password When a User Account is set to Anonymous User
  • Changing the Siebel Administrator Password on UNIX
  • Changing the Table Owner Password
  • Troubleshooting Password Changes By Checking for Failed Server Tasks
  • About Siebel Gateway Authentication Password
    • Using Siebel Utilities to Access Siebel Gateway
  • Encrypted Passwords in Siebel Application Interface Profile Configuration
  • Changing Encrypted Passwords Using the Siebel Management Console
  • About Encryption of Siebel Gateway Password Parameters
    • Upgrading to Siebel CRM
    • Determining Encrypted Parameters and Values in Siebel Gateway Registry
• 4 Communications and Data Encryption
  • Communications and Data Encryption
  • Types of Encryption
    • Communications Encryption
      • Certificate Requirements for Communications
      • About Importing Certificates into Keystore and Truststore
      • About Generating Keystore and Truststore Files
      • Modifying Keystore and Truststore Files
      • Disabling Certificate Based Mutual Authentication
    • Data Encryption
  • About Certificates and Key Files Used for TLS Authentication
    • About Supported Values for Certificate Encryption Keys
  • Process of Configuring Secure Communications
  • Installing Certificate Files
    • About Installing Certificate Files on Windows
    • About Installing Certificate Files on UNIX
    • Installing Certificate Files on UNIX for Client Authentication
    • Setting HTTP Proxy for UNIX Using the mwcontrol Utility
  • Configuring TLS Mutual Authentication for SHA-2 Certificates Using EAI HTTP Transport
  • About Configuring Encryption for Siebel Enterprise and Siebel Application Interface
  • About Key Exchange for TLS Encryption
  • Configuring TLS Encryption for a Siebel Enterprise or Siebel Server
    • Deploying TLS for a Siebel Enterprise or Siebel Server
    • Setting Additional Parameters for Siebel Server TLS
  • Configuring TLS Encryption for Siebel Application Interface
  • Enabling SSL Acceleration for Web Server and Web Client Communications
  • About Configuring Encryption for Web Clients
    • About Session Cookies and Web Clients
  • Configuring Encryption for Mobile Web Client Synchronization
  • About Data Encryption
    • How Data Encryption Works
    • Requirements for Data Encryption
    • Encrypted Database Columns
    • Upgrade Issues for Data Encryption
  • Configuring Encryption and Search on Encrypted Data
  • Encrypting Columns in a Business Component
  • Managing the Key File Using the Key Database Manager
    • Adding New Encryption Keys
    • Changing the Key File Password
  • Process of Upgrading Data to a Higher Encryption Level
    • Requirements for Upgrading to a Higher Encryption Level
    • Modifying the Input File
    • About Using the Where Clause and Flags in the Input File
    • Running the Encryption Upgrade Utility
  • About Siebel Encryption
  • Reencrypting Password Parameters in Siebel Gateway Registry
  • Security Considerations for Unicode Support
    • Using Non-ASCII Characters in a Unicode Environment
    • Logging In to a Siebel Application
    • Encrypted Data
  • About Encoding UI Values
• 5 Security Adapter Authentication
  • Security Adapter Authentication
  • About User Authentication
    • Issues for Developer and Mobile Web Clients
    • Comparison of Authentication Strategies
  • About Siebel Security Adapters
    • Authentication Directories
    • Security Adapter Authentication
    • Event Logging for Siebel Security Adapters
  • About Database Authentication
    • Database Authentication Process
    • Features Not Available for Database Authentication
  • Implementing Database Authentication
    • About Implementing the Database Security Adapter
    • About Password Expiration
    • Implementing Database Authentication with Microsoft SQL Server
  • About Authentication for LDAP Security Adapter
    • LDAP Security Adapter Authentication Process
    • Directory Servers Supported by Siebel Business Applications
    • Administering the Directory through Siebel Business Applications
    • Communicating with More Than One Authentication Server
    • Requirements for the LDAP Directory
      • About Setting Up the LDAP Directory
      • About Creating the Application User in the Directory
  • Process of Implementing LDAP Security Adapter Authentication
    • Requirements for Implementing an LDAP Authentication Environment for Oracle LDAP Client Installation
    • About Creating a Database Login for Externally Authenticated Users
    • Setting Up the LDAP Directory
    • Creating Users in the LDAP Directory
    • Adding User Records in the Siebel Database
    • LDAP Security Adapter Authentication Parameters in the Siebel Application Interface Profile
    • Configuring Security Adapter Parameters for Siebel Gateway
      • Parameters for Enterprise, Siebel Servers, or Components
      • Parameters for Application Object Manager Components
      • Parameters for Security Adapter (Profile/Named Subsystem)
    • Configuring LDAP Authentication for Developer Web Clients
      • Configuring Security Adapter Parameters for Developer Web Clients
      • Setting a System Preference for Developer Web Clients
    • Restarting Servers
    • Testing the LDAP Authentication System
  • About Authentication for Siebel Gateway Access
    • Authentication Mechanisms
    • Security Profile Configuration
    • Implementing LDAP Authentication for Siebel Gateway
  • About Authentication for Mobile Web Client Synchronization
    • About the Synchronization Process for Remote Users
    • Authentication Options for Synchronization Manager
  • Installing and Configuring Oracle LDAP Client Software
    • Considerations if Using LDAP Authentication with TLS
    • Installing the Oracle LDAP Client Software on Windows
    • Installing the Oracle LDAP Client Software on UNIX
    • Configuring the siebenv.csh and siebenv.sh Scripts for the Oracle LDAP Client
      • Linux and Oracle Solaris Operating Systems
      • AIX Operating System
      • HP-UX Operating System
    • Creating a Wallet for Certificate Files When Using LDAP Authentication with TLS
      • Creating an Oracle Wallet
      • Enabling TLS for the Siebel LDAP Security Adapter
  • Configuring Security Adapters Using the Siebel Management Console
  • Migrating from Database to LDAP Authentication
    • Considerations in Migrating to LDAP Authentication
    • Migrating from Database to LDAP Authentication
  • Security Adapter Deployment Options
    • Configuring the Application User
      • About Application User Permissions
      • Defining the Application User
      • Application User and Password Expiration Policies
    • Configuring Checksum Validation
    • Configuring Secure Communications for Security Adapters
      • Configuring TLS for the LDAP Security Adapter
    • Configuring the Shared Database Account
      • Shared Database Accounts and Administrative Users
      • Storing Shared Database Account Credentials as Directory Attributes
      • Storing Shared Database Account Credentials as Profile Parameters
    • Configuring Adapter-Defined User Name
    • Configuring the Anonymous User
      • Anonymous Browsing and the Anonymous User
    • Configuring Roles Defined in the Directory
  • Security Adapters and the Siebel Developer Web Client
    • Sample LDAP Configuration
    • Remote Configuration Option for Developer Web Client
  • About Password Hashing
    • Login Scenario for Password Hashing
  • Process of Configuring User and Credentials Password Hashing
    • Guidelines for Password Hashing
    • Configuring User Password Hashing
    • Configuring Password Hashing of Database Credentials
  • Running the Password Hashing Utility
    • Hashing Passwords Using the RSA SHA-1 Algorithm
• 6 Single Sign-On Authentication
  • Single Sign-On Authentication
  • Supported Single Sign-On Solutions for Siebel Deployment
  • About Web Single Sign-On
    • Web Single Sign-On Limitations
    • Web Single Sign-On and Silent Login
  • About Implementing Web Single Sign-On
    • Web Single Sign-On Implementation Considerations
    • Web Single Sign-On Options
  • Web Single Sign-On Authentication Process
  • Requirements for Standards-Based Web Single Sign-On
  • Set up Tasks for Standards-Based Web Single Sign-On
  • Configuring the Session Timeout
    • Configuring the Session Timeout
    • Testing the Web Single Sign-On Session Timeout Configuration
  • Configuring Siebel CRM and Oracle Business Intelligence Enterprise Edition for Web Single Sign-On
  • Web Single Sign-On Authentication Process When Using Siebel REST and Web Services in Portal Application
  • About Implementing Federated Single Sign-On
  • Federated Single Sign-On Authentication Process for Interactive User Interfaces
    • About Configuring Interactive User Interfaces for Federated Single Sign-On
  • Identity Provider-Initiated Single Sign-On Authentication Process
  • About Oracle API Gateway Role in Single Sign-On Authentication Process
• 7 Security Features of Siebel Application Interface
  • Security Features of Siebel Application Interface
  • About the Siebel Web Client and Using HTTPS
  • Implementing Secure Login
  • Logging Out of a Siebel Application
  • Login User Names and Passwords
  • Account Policies and Password Expiration
    • About Password Expiration
  • About Using Cookies with Siebel Business Applications
    • Session Cookie
      • Using Secure Cookies
      • Session ID Encryption
    • Auto-Login Credential Cookie
    • Enabling Cookies for Siebel Business Applications
• 8 User Administration
  • User Administration
  • About User Registration
    • Requirements for User Registration
    • Seed Data for User Registration
  • About Anonymous Browsing
  • Process of Implementing Anonymous Browsing
    • Anonymous Browsing and the Anonymous User Record
    • Setting Configuration Parameters for Anonymous Browsing
    • Configuring Views for Anonymous Browsing or Explicit Login
  • About Self-Registration
  • User Experience for Self-Registration
  • Process of Implementing Self-Registration
    • Self-Registration and the Anonymous User Record
    • Setting the Propagate Change Parameter for Self-Registration
    • About Activating Workflow Processes for Self-Registration
      • About the Self-Registration Workflow Processes
      • About the Self-Registration Workflow Process Views
    • (Optional) Modifying Self-Registration Views and Workflows
      • Replacing the License Agreement Text
      • About Revising a Workflow Process
      • Custom Business Services
      • Redefining Required Fields
      • Adding or Deleting Fields in an Existing View
      • About Changing the Physical Appearance of a View or Applet
      • About Creating a New View for Self-Registration
    • (Optional) Managing Duplicate Users
      • Modifying Updated Fields for a Duplicate User
      • Modifying Fields Used to Determine a Duplicate User
      • Deactivating the Duplicate User Check
  • Identifying Disruptive Workflows
  • About Managing Forgotten Passwords
    • Retrieving a Forgotten Password (Users)
    • Defining Password Length for Retrieved Passwords
    • Architecture for Forgotten Passwords
    • About Modifying the Workflow Process for Forgotten Passwords
    • Modifying Workflow Process to Query Null Fields
    • Modifying Workflow Process to Request Different Identification Data
    • Modifying the User Interface for User Registration
    • Modifying Input Arguments for the Workflow Process
  • Internal Administration of Users
  • About Adding a User to the Siebel Database
    • Adding a New Employee
      • Completing Employee Setup
      • Deactivating an Employee
    • About Adding a New Partner User
    • Adding a New Contact User
    • Promoting a Contact to a Contact User
    • Modifying the New Responsibility for a User Record
  • Delegated Administration of Users
    • User Authentication Requirements for Delegated Administration
    • Access Considerations for Delegated Administration
    • Registering Contact Users (Delegated Administration)
    • Registering Partner Users (Delegated Administration)
  • Maintaining a User Profile
    • Editing Personal Information
    • Changing a Password
    • Changing the Active or Primary Position
      • Changing the Active Position in a Siebel Employee Application
      • Changing the Primary Position in a Siebel Partner Application
• 9 Configuring Access Control
  • Configuring Access Control
  • About Access Control
    • Access Control for Parties
    • Access Control for Data
    • Data Categorization for Master Data
  • Access Control Mechanisms
    • About Personal Access Control
    • About Position Access Control
    • About Single-Position Access Control
    • About Team (Multiple-Position) Access Control
    • About Manager Access Control
      • Business Component Uses Position Access Control
      • Business Component Uses Personal Access Control
    • About Organization Access Control
    • About Single-Organization and Multiple-Organization Access Control
    • About Suborganization Access Control
    • About All Access Control
    • About Access-Group Access Control
  • Planning for Access Control
    • Access Control and Business Environment Structure
      • Benefits of Multiple Organizations
      • Deciding Whether to Set Up Multiple Organizations
    • About Planning for Divisions
    • About Planning for Organizations
    • About Planning for Positions
      • Positions and Employees
      • Position Administration
    • About Planning for Responsibilities
  • Setting Up Divisions, Organizations, Positions, and Responsibilities
    • Setting Up Divisions
    • Setting Up Organizations
    • Setting Up Positions
    • Setting Up Responsibilities and Adding Views and Users
  • About View and Data Access Control
  • Listing the Views in an Application
  • Responsibilities and Access Control
    • About Associating a Responsibility with Organizations
    • Local Access for Views and Responsibilities
    • Read Only View for Responsibilities
    • Assigning a Responsibility to a Person
    • Using Responsibilities to Allow Limited Access to Server Administration Views
  • Viewing Business Component View Modes
  • Configuring Access to Business Components from Scripting Interfaces
    • Configuring the Scripting Operations Permitted on Business Components (Siebel Server Parameter)
    • Configuring the Scripting Operations Permitted on Business Components (Business Component User Property)
  • Viewing an Applet’s Access Control Properties
  • Listing View Access Control Properties
  • Example of Flexible View Construction
  • About Implementing Access-Group Access Control
    • Scenario That Applies Access-Group Access Control
    • Implementing the Reseller Resources Access Control Structure
    • Viewing Categorized Data (Users)
  • Implementing Access-Group Access Control
    • About Administering Catalogs of Data
    • Administration Tasks for Positions, Organizations, Households, and User Lists
      • About Administering Positions
      • About Administering Organizations
      • About Administering Households
      • Administering User Lists
    • Administering Access Groups
      • Creating an Access Group
      • Modifying an Access Group
      • Modifying an Access Group Hierarchy
    • Associating Access Groups with Data
      • Associating an Access Group with a Catalog
      • Associating an Access Group with a Category
  • Managing Tab Layouts Through Responsibilities
    • Specifying Tab Layouts for Responsibilities
    • Assigning a Primary Responsibility
    • Exporting and Importing Tab Layouts
      • Exporting Tab Layouts
      • Importing Tab Layouts
  • Managing Tasks Through Responsibilities
    • Associating Responsibilities with a Task
    • Creating Task Links for a Responsibility
  • Administering Access Control for Business Services
    • Associating a Business Service with a Responsibility
    • Associating a Responsibility with a Business Service
    • Example of Associating a Responsibility with Business Service Methods
    • Clearing Cached Business Services
    • Disabling Access Control for Business Services
  • Administering Access Control for Business Processes
  • Clearing Cached Responsibilities
  • About Configuring Visibility of Pop-Up and Pick Applets
    • About Setting Visibility of the Pick List Object Definition
    • About Using the Visibility Auto All Property
    • About Using the Special Frame Class and User Properties
  • About Configuring Drilldown Visibility
    • Drilldown Visibility Within the Same Business Object
    • Drilldown Visibility Between Different Business Objects
      • Visibility Rules for the Drilldown Object Type
      • Visibility Rules for the Link Object Type
      • Example of Visibility in a Drilldown Between Different Business Objects
  • Party Data Model
    • How Parties Relate to Each Other
    • Person (Contact) Data Model
    • User Data Model
    • Employee Data Model
    • Position Data Model
    • Account Data Model
    • Division Data Model
    • Organization Data Model
    • Partner Organization Data Model
    • Household Data Model
    • User List Data Model
    • Access Group Data Model
• 10 Troubleshooting Security Issues
  • Troubleshooting Security Issues
  • Troubleshooting User Authentication Issues
  • Troubleshooting User Registration Issues
  • Troubleshooting Access Control Issues
  • Troubleshooting Secure Parameter Settings
• 11 Configuration Parameters Related to Authentication
  • Configuration Parameters Related to Authentication
  • Server Parameters for Siebel Gateway
  • Security Profile Configuration for Siebel Gateway
  • Parameters for Configuring Security Adapter Authentication
  • Authentication and Security-Related Parameters in the Enterprise Profile
  • Security-Related Parameters in the Server Profile
  • Siebel Application Interface Profile Parameters
    • Authentication Parameters in Siebel Application Interface Profile
    • About the Active Session Timeout Value Parameter
    • Application Object Manager Parameters in Siebel Application Interface Profile
    • SWE Parameters in Siebel Application Interface Profile
    • REST Inbound Authentication Parameters in Siebel Application Interface Profile
  • Siebel Application Configuration Parameters
    • Parameters for Database Security Adapter (DBSecAdpt)
    • Parameters for LDAP Security Adapter (LDAPSecAdpt)
    • Parameters for Custom Security Adapter (CustSecAdpt)
• 12 Seed Data
  • Seed Data
  • Seed Employee
  • Seed Users
    • Special Users and Privileges
    • Seed Users Provided as Seed Data
    • Seed User Modifications for Siebel Financial Services Applications
    • About Seed Position and Organization Division Records
  • Seed Responsibilities
    • Seed Responsibilities for Siebel Financial Services Applications
    • Listing Views Associated with Responsibilities
• 13 Siebel Security Hardening
  • Siebel Security Hardening
  • About This Chapter
  • Overview of Security Threats, Recommendations, and Standards
    • Security Threats and Vulnerabilities
    • General Security Recommendations
      • Patch Management
      • Critical Patch Updates for Siebel Business Applications
      • CSV Export Functionality
    • Security Standards and Programs
    • About the Oracle Software Security Assurance Program
    • About Using Transport Layer Security with Siebel CRM
  • Securing the Network and Infrastructure
    • About Securing the Network Infrastructure
      • Network Zones and Firewalls
      • Guidelines for Assigning Ports on Firewalls
      • Guidelines for Deploying Siebel Business Applications Across a Firewall
      • Routers
      • Network Address Translation
      • Load Balancers
      • Proxy Servers
      • Forward Proxy Servers
      • Reverse Proxy Servers
      • Enabling Support for the Translation of Port Numbers
      • Virtual Private Networks
      • About Using Internet Protocol Security
      • Preventing Denial of Service Attacks
    • Recommended Network Topologies
      • Network Configuration for Medium-Scale Deployments of Siebel Business Applications
      • Network Configuration for Large-Scale Siebel Deployments
    • Network Authentication and Monitoring
    • Enabling Encryption of Network Traffic
      • Enabling Encryption Between the Web Client Browser and Web Server
      • Enabling Encryption Between the Web Server and Siebel Server
      • Enabling Encryption Between the Siebel Server and Siebel Database
      • Enabling Encryption for Security Adapters
      • About Using TLS with Siebel Enterprise Application Integration (EAI)
    • Securing the Siebel Web Server
      • Implementing a Proxy Server
      • Monitoring Disk Space
      • Removing Unnecessary Subdirectories (Windows)
      • Encrypting Communications to the Web Server
      • Seeded Tomcat Web Server User
    • Securing the Siebel Server
      • Encrypting Communications to the Siebel Server
      • Restricting Siebel Server Access
        • Encrypting the jndi.properties File
    • Securing the Siebel Client
      • Deploying Siebel Open UI
      • Encrypting Communications for Web Clients
      • Providing Physical Security for the Client Device
      • Defining a Policy for Unattended Personal Computer Sessions
      • Keeping Browser Software Updated
      • Updating Security Patches
    • Securing Mobile Clients
    • Securing Siebel Remote
      • Securing the Synchronization Framework
      • Authenticating the Mobile Web Client
      • Encrypting Communications
      • Encrypting DX Transaction Files
      • Using a VPN When Synchronizing Through the Internet
      • Encrypting Data in the Local Database and File System
      • Local Database
      • Local Siebel File System
      • Defining Password Management Procedures
    • Securing Mobile Devices Running Siebel Business Applications
    • Securing the Siebel Document Server
    • Securing Email Communications
      • Securing the Email Server
      • Encrypting Communications Between the Siebel Server and the Email Server
      • Deleting Processed Email Messages
    • Securing the Siebel Reports Environment
      • Guidelines for Providing Additional Security for Oracle BI Publisher
  • Securing the Operating Systems
    • Protecting Files and Resources
    • Securing the Siebel File System
      • Assigning Rights to the Siebel File System
      • Assigning Rights to the Siebel File System on Windows
      • Assigning Rights to the Siebel File System on UNIX
      • Excluding Unsafe File Types from the Siebel File System
      • About Potentially Unsafe File Types
      • Enabling File Extension Checking
      • About File Extension Checking on the Siebel Mobile Web Client
    • Assigning Rights to the Siebel Service Owner Account
      • Assigning Rights to the Siebel Service Owner Account on Windows
      • Assigning Rights to the Siebel Service Owner Account on UNIX
    • Applying Patches and Updates
  • Securing the Siebel Database
    • Restricting Access to the Siebel Database
    • Reviewing Authorization Policies
    • Protecting Sensitive Data in the Siebel Database
    • Maintaining Database Backups
  • Securing Siebel Business Applications
    • About Securing Applications
    • Guidelines for Deploying Siebel Business Applications
    • About Disabling Siebel Components
    • About User Authentication
    • Implementing Password Management Policies
      • General Password Policies
      • Defining Rules for Password Syntax
      • About Configuring Password Hashing for Users
    • Reviewing Special User Privileges
    • About Implementing Authorization and Access Control
      • View-Level Access Control
      • Record-Level Access Control
    • Implementing Personal Visibility for the User Profile View
    • About Securing Application Data During Configuration
      • About Using Web Services
      • About Defending Data from HTML Injection
      • Displaying HTML Content
      • Specifying Trusted Server Names
      • About Using External Business Components
      • About Using HTTP Methods
    • About Message Broadcasting
    • About Securing Third-Party Applications
  • Implementing Auditing
    • Operating System Auditing
    • Database Auditing
    • Siebel Business Applications Event Logging
    • About Siebel Audit Trail
  • Performing Security Testing
    • About Performing Security Assessments
    • About the Common Vulnerability Scoring System
    • Using Masked Data for Testing
      • Methods of Masking Data
  • Supported Security Standards
    • Payment Card Industry Data Security Standard
    • Common Criteria for Information Technology Security Evaluation
    • Federal Information Processing Standard (FIPS) 140
  • Default Port Allocations