3 Changing and Managing Passwords

About Managing and Changing Passwords

It is recommended that a password management policy is implemented in all Siebel Business Applications implementations to ensure that only authorized users can access the applications. The password management policy that is most appropriate varies according to site-specific variables, such as the size of the implementation and users’ business needs. However, all password management policies ought to provide guidelines relating to how frequently end users must change their passwords, whether or not password expiry periods are enforced, and the circumstances in which passwords must be changed.

Password management policies must also be applied to accounts that are used to manage and maintain the Siebel implementation, such as the Siebel administrator account. The topics in this chapter provide information on changing and managing the passwords for these accounts. For information on how end users can change their passwords, see Changing a Password. For additional information on implementing password management policies, see Defining Password Management Procedures.

Note: Use the Siebel Management Console installed with Siebel Business Applications to perform the initial configuration of Siebel Gateway, Siebel Server, and Web server. This initial configuration process includes specifying names and passwords for accounts described in this chapter, and choosing whether or not to encrypt passwords. Using the Siebel Management Console simplifies the task of setting password-related values for accounts and reduces configuration errors.

Guidelines for Changing Passwords

Before changing passwords in your environment, review the following general points:

  • For end users, the availability of the Password and Verify Password fields in the Siebel application (User Preferences screen, User Profile view) depends on several factors:

    • For an environment using Lightweight Directory Access Protocol (LDAP) authentication, the underlying security mechanism must allow this functionality. See also Requirements for the LDAP Directory.

      In addition, the Propagate Change parameter must be TRUE for the LDAP security adapter. The default value is TRUE. For Siebel Developer Web Clients, the system preference, SecThickClientExtAuthent, must also be TRUE. For more information, see Security Adapter Authentication.

    • For an environment using database authentication, the Database Security Adapter Propagate Changes parameter must be TRUE for the database security adapter. The default value is FALSE. For more information, see Security Adapter Authentication.

  • If you are using a third-party load balancer for Siebel Server load balancing, then make sure load-balancer administration passwords are set. Also make sure that the administrative user interfaces for your load-balancer products are securely protected.

  • If you set and change passwords at the Siebel Enterprise level, then the changes are inherited at the component level. However, if you set a password parameter at the component level, then from that point forward, the password can be changed only at the component level. Changing it at the Enterprise level does not cause the new password to be inherited at the component level, unless the override is deleted at the component level. For more information, see Siebel System Administration Guide.

For information about changing the local DBA password on Mobile Web Clients, see Siebel Remote and Replication Manager Administration Guide. For information about configuring and using hashed user passwords and database credentials passwords through your security adapter, see About Password Hashing.

Characters Supported in Siebel Passwords

It is recommended that you implement a password policy in your organization that defines the requirements for creating and changing Siebel passwords. For example:

  • The password value must not be the same as the user name.

  • Password values must be a minimum length, usually 8 characters (maximum length is 18 characters).

  • Password values must include a variety of supported characters.

Supported Characters

Siebel CRM supports the use of the following characters in passwords:

  • The alphabetic characters a to z (uppercase and lowercase).

  • The numerals 0 to 9.

  • The following special character: number sign (#).

Unsupported Characters

You cannot use the special characters shown in the following table when creating or changing passwords used in your Siebel implementation.

Note: The LDAP security adapter used with Siebel Business Applications allows special characters in passwords, including characters not supported in Siebel passwords.

Character   Description         Hexadecimal
!           Exclamation point   21
"           Double quote        22
$           Dollar sign         24
%           Percent sign        25
&           Ampersand           26
'           Single quote        27
(           Open parenthesis    28
)           Close parenthesis   29
*           Asterisk (star)     2A
+           Plus                2B
,           Comma               2C
-           Minus (hyphen)      2D
.           Period              2E
/           Forward slash       2F
:           Colon               3A
;           Semi-colon          3B
<           Less-than sign      3C
=           Equal sign          3D
>           Greater-than sign   3E
?           Question mark       3F
@           At-sign             40
[           Open bracket        5B
\           Back slash          5C
]           Close bracket       5D
^           Caret               5E
_           Underscore          5F
`           Grave accent        60
{           Open brace          7B
|           Vertical bar        7C
}           Close brace         7D
~           Tilde               7E
´           Acute accent        B4
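
The rules above (user-name match, length limits, supported character set) can be run as a pre-check before a password is set, which is useful when the LDAP directory accepts characters that Siebel does not. This is an added example, not Oracle's code: the function names and the SIEBEL_PW_MIN variable are assumptions, and the case-insensitive user-name comparison is stricter than the page requires.

```shell
#!/bin/sh
# Added example: pre-check a candidate password against the Siebel rules on this page.
LC_ALL=C; export LC_ALL            # byte-wise matching, so a-z means ASCII only

SIEBEL_PW_MIN=${SIEBEL_PW_MIN:-8}  # site policy value (assumption: "usually 8")
SIEBEL_PW_MAX=18                   # documented maximum length

# unsupported_chars STRING
# Lists each character outside a-z, A-Z, 0-9 and '#', one per line.
# Printable ASCII is shown with the hex code used in the table above.
unsupported_chars() {
    rest=$1
    while [ -n "$rest" ]; do
        c=${rest%"${rest#?}"}      # first character of what is left
        rest=${rest#?}
        case $c in
            [a-zA-Z0-9#]) ;;
            *)
                n=$(printf '%d' "'$c" 2>/dev/null) || n=0
                n=${n:-0}
                if [ "$n" -ge 32 ] && [ "$n" -le 126 ]; then
                    printf '%s (hex %02X)\n' "$c" "$n"
                else
                    printf 'non-printable or non-ASCII byte\n'
                fi ;;
        esac
    done
}

# check_siebel_password USER PASSWORD
# Returns 0 if the password passes, 1 otherwise; reasons go to stdout.
# The password itself is never printed.
check_siebel_password() {
    user=$1; pw=$2; rc=0
    # Case-insensitive comparison is a stricter choice made for this example.
    if [ "$(printf '%s' "$pw" | tr 'A-Z' 'a-z')" = \
         "$(printf '%s' "$user" | tr 'A-Z' 'a-z')" ]; then
        echo "password is the same as the user name"; rc=1
    fi
    if [ "${#pw}" -lt "$SIEBEL_PW_MIN" ]; then
        echo "shorter than $SIEBEL_PW_MIN characters"; rc=1
    elif [ "${#pw}" -gt "$SIEBEL_PW_MAX" ]; then
        echo "longer than $SIEBEL_PW_MAX characters"; rc=1
    fi
    bad=$(unsupported_chars "$pw" | sort -u)
    if [ -n "$bad" ]; then
        echo "unsupported characters:"; echo "$bad"; rc=1
    fi
    return "$rc"
}

# Usage (reads the candidate without echoing it):
#   saved=$(stty -g); stty -echo; IFS= read -r pw; stty "$saved"
#   check_siebel_password SADMIN "$pw" && echo "ok"
```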

About Default Accounts

The Siebel installation process and the seed data provided with Siebel Business Applications create several default accounts. These accounts are used to manage and maintain your Siebel implementation. You assign passwords to these accounts when they are created. However, to safeguard the security of your implementation, change the passwords for these accounts regularly or delete any accounts you do not require.

Database Accounts

The following database accounts are created during the Siebel installation process. If you are using an Oracle or Microsoft SQL Server database, then you create these accounts when you run the grantusr.sql script. If you are using a DB2 database, then the database administrator manually creates these accounts. You must ensure these accounts have been created in the RDBMS and you must assign passwords to these accounts before you can configure the Siebel database:

  • Siebel administrator database account (default user ID is SADMIN)

  • A database account for users who are authenticated externally (default user ID is LDAPUSER)

  • A database table owner (DBO) account

For information on creating and assigning passwords to the SADMIN, database table owner, and LDAPUSER accounts, see Siebel Installation Guide for the operating system you are using. For information on changing and managing the passwords for the SADMIN and database table owner accounts, see the following topics:

For additional information on the LDAPUSER account, see About Creating a Database Login for Externally Authenticated Users.

Note: A prerequisite to configuring and using DB2390 is that you must manually copy the db2jcc_license_cisuz.jar file (which is a DB2390-specific license jar file) from your DB2 client location to the following location: applicationcontainer/webapps/siebel/web-inf. You must also be licensed to use DB2390 and arrange a license for it. All other client drivers are licensed and packaged in the Siebel product.

Siebel User Accounts

The following Siebel application user account records are provided as seed data during the Siebel installation process. These user accounts are not installed with default passwords and their use is optional:

  • A seed Siebel/system administrator user record (SADMIN)

  • A seed employee user record for customer users (PROXYE)

  • Seed guest accounts: GUESTCST (customer applications), GUESTCP (Siebel Partner Portal), GUESTERM (Siebel Financial Services ERM)

You can use a seed guest account as the Siebel user account for the anonymous user. To use a seed guest account, you must set the following parameters, either when configuring the Siebel Application Interface profile (recommended), or by editing the Siebel Application Interface profile manually:

  • Anonymous User Name. Set this parameter to the user ID of the anonymous user, for example, GUESTCST.

  • Anonymous User Password. Set this parameter to the password associated with the anonymous user.

    The anonymous user password is written to the Siebel Application Interface profile in encrypted form by default if you add or change this value using the Siebel Management Console.

For more information on defining the anonymous user when you configure the Siebel Application Interface profile, see Configuring the Anonymous User, Authentication Parameters in Siebel Application Interface Profile and Siebel Installation Guide for the operating system you are using.

Changing Siebel Administrator Account Password

Before you run the Database Configuration Wizard to configure the Siebel database on the RDBMS, you must create a Siebel administrator account, either manually (on IBM DB2) or using the grantusr.sql script. The default user ID for the Siebel administrator account is SADMIN (case-sensitive). You must also create a password for the account. The password you assign to the Siebel administrator account cannot be the same as the user name of the account. The password for the Siebel administration account must not exceed 18 characters - for more information, see Characters Supported in Siebel Passwords.

Note: It is strongly recommended not to change the name of the Siebel administrator account, SADMIN. This account must be created so that you can log in to Siebel applications as Siebel administrator. For more information about setting up the Siebel administrator account (SADMIN) for initial use, see Siebel Installation Guide for the operating system you are using.

Changing Siebel Administrator Account Password on UNIX

To increase the security of your Siebel implementation, it is recommended that you change the Siebel administrator account (SADMIN) password at regular intervals. For more information about setting up this account for initial use, see Siebel Installation Guide for the operating system you are using.

Use the following procedure to modify the password for the Siebel administrator database account on UNIX. You must change the corresponding password parameter for Siebel Enterprise, then rename the Siebel Server system service and re-create it using the new password. This procedure applies to Siebel CRM 18.11 Update and later releases.

To change the Siebel administrator account (SADMIN) password on UNIX

  1. End all client sessions and shut down Siebel Servers using the following command:

    SIEBSRVR_ROOT/bin/stop_server all

    You must run this command on all Siebel Server computers to stop all servers in the Siebel Enterprise.

  2. Use Server Manager to change the SADMIN password as follows:

    1. Log in at the Enterprise level:

      srvrmgr -g SiebelGatewayHostName:TLS_Port# -e EnterpriseServerName -u UserName -p Password

    2. At the Server Manager prompt, enter the following command:

      change enterprise param Password=NewPassword

    If using this SADMIN user and password on another profile, such as the Application Interface or Migration profiles, then it will be revised for those profiles as well.

  3. Change the password for SADMIN in the database. For more information, refer to your RDBMS documentation on changing passwords.

  4. On each Siebel Server in your Siebel Enterprise, rename the existing Siebel Server system service (svc file) and then recreate the Siebel service with the new administrator database account password (SADMIN) as follows:

    Caution: Do not edit the svc file manually as doing so can corrupt the file. Instead, make a backup copy of the existing svc file, then re-create the svc file with the new password using the siebctl utility. Do not store the backup copy of the svc file in the same directory as the original file as this may interfere with normal server startup.

    1. To rename the existing Siebel service file, navigate to the $siebsrvr/sys directory and rename the file. To avoid issues when starting up the environment, store the renamed svc file in a location other than $siebsrvr/sys. The Siebel service file name is in a format similar to the following, where siebsrvrname is the name of the Siebel Server:

      svc.siebsrvr.siebel:siebsrvrname

    2. To recreate the Siebel service file with the new SADMIN password, run the following command in the $siebsrvr/bin directory:

      siebctl -r "SIEBSRVR_ROOT" -S siebsrvr -i EnterpriseName:SiebelServerName -a -g "-g GatewayServerHostName:TLS_Port# -e EnterpriseName -s SiebelServerName -u sadmin" -e NewPassword -L ENU

      where:

      • "SIEBSRVR_ROOT" is the installation directory of the Siebel Server

      • EnterpriseName is the name of your Siebel Enterprise

      • SiebelServerName is the name of the Siebel Server

      • GatewayServerHostname is the name of the Siebel Gateway host

      • TLS_Port# is the port number of the Siebel Gateway

      • sadmin is the administrator user ID

      • NewPassword is the new Siebel administrator password (in plaintext). The siebctl utility encrypts the password.

      For example:

      siebctl -r "/data/siebel/ses/siebsrvr" -S siebsrvr -i ENTP_TRN:SIEBSRV2 -a -g "-g GTWNOVA04:2020 -e ENTP_TRN -s SIEBSRV2 -u sadmin" -e sadmin1 -L ENU 

      The siebctl utility re-creates the Siebel service file (svc file) with the new encrypted password value. Make sure the Siebel service file is created without any errors.

  5. Restart Siebel Gateway and Siebel Server system service (the application container for the Cloud Gateway should be running as well).

    • To stop and restart Siebel Gateway:

      $SIEBEL_ROOT/SiebelGatewayName/bin/stop_ns
      $SIEBEL_ROOT/SiebelGatewayName/bin/start_ns

    • To start the Siebel Server system service:
      1. On the Siebel Server, log in as the Siebel Service owner user.

      2. Run the siebenv.sh or siebenv.csh script to set Siebel environment variables.

      3. Run the ps command and check whether the application container for the Siebel Server is running. Start it if necessary.

      4. Enter the following command, where siebel_server_name is the name of the Siebel Server:

         start_server siebel_server_name

      For further information on administering the Siebel Server system service on UNIX, see Siebel System Administration Guide.

  6. Connect to the Server Manager (srvrmgr) with the new password to verify the password change:

    srvrmgr -g SiebelGatewayHostName:TLS_Port# -e EnterpriseServerName -s SiebelServerName -u SADMIN -p NewPassword

  7. If Step 6 is successful, start Siebel Server. To restart all Siebel Servers:

    $SIEBEL_ROOT/ServerName/bin/start_server all

  8. To validate application access, log in to Siebel as SADMIN (with the new Siebel administrator account password) and verify the password change.

    Note: Depending on how your Siebel administrator account (SADMIN) is configured, you may be locked out of your SADMIN account if you exceed a specified number of failed login attempts.
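
Step 4 of the UNIX procedure as a script: an added example, not part of the Oracle procedure, that moves the svc file out of the sys directory and re-creates it with siebctl using only the flags shown above. The function names and the SIEBCTL variable are assumptions, and the chmod on the backup copy is an extra hardening choice.

```shell
#!/bin/sh
# Added example for step 4 of the UNIX procedure; not Oracle's script.
SIEBCTL=${SIEBCTL:-siebctl}   # hypothetical override so the call can be stubbed

# backup_svc_file SYS_DIR SERVER_NAME BACKUP_DIR
# Moves svc.siebsrvr.<enterprise>:<server> out of SYS_DIR and prints the new path.
# Refuses a BACKUP_DIR at or below SYS_DIR, per the caution in step 4.
backup_svc_file() {
    sys_dir=$1; server=$2; backup_dir=$3
    sys_real=$(cd "$sys_dir" 2>/dev/null && pwd -P) ||
        { echo "no such sys directory: $sys_dir" >&2; return 2; }
    bak_real=$(cd "$backup_dir" 2>/dev/null && pwd -P) ||
        { echo "no such backup directory: $backup_dir" >&2; return 2; }
    case $bak_real/ in
        "$sys_real"/*)
            echo "backup directory must be outside $sys_real" >&2; return 3 ;;
    esac
    found=0
    for f in "$sys_real"/svc.siebsrvr.*:"$server"; do
        [ -f "$f" ] || continue
        dest=$bak_real/$(basename "$f").$(date +%Y%m%d%H%M%S)
        # The svc file holds the encrypted password; keep the copy owner-only.
        mv "$f" "$dest" && chmod 600 "$dest" || return 4
        echo "$dest"
        found=1
    done
    [ "$found" -eq 1 ] || { echo "no svc file for $server in $sys_real" >&2; return 1; }
}

# recreate_svc_file SIEBSRVR_ROOT ENTERPRISE SERVER GATEWAY_HOST:PORT
# Reads the new password from stdin without echo, then calls siebctl with the
# flags shown in step 4. siebctl takes the password as an argument (-e), so it
# is visible in the process list while the command runs.
recreate_svc_file() {
    root=$1; ent=$2; server=$3; gw=$4; newpw=
    printf 'New SADMIN password: ' >&2
    if [ -t 0 ]; then
        saved=$(stty -g); stty -echo
        IFS= read -r newpw || :
        stty "$saved"; printf '\n' >&2
    else
        IFS= read -r newpw || :
    fi
    [ -n "$newpw" ] || { echo "empty password" >&2; return 1; }
    [ "${#newpw}" -le 18 ] || { echo "password exceeds 18 characters" >&2; return 1; }
    "$SIEBCTL" -r "$root" -S siebsrvr -i "$ent:$server" -a \
        -g "-g $gw -e $ent -s $server -u sadmin" -e "$newpw" -L ENU && rc=0 || rc=$?
    unset newpw
    return "$rc"
}

# Usage, with the sample values from step 4 (the backup path is a constructed example):
#   backup_svc_file "$SIEBSRVR_ROOT/sys" SIEBSRV2 /var/backups/siebel
#   recreate_svc_file "$SIEBSRVR_ROOT" ENTP_TRN SIEBSRV2 GTWNOVA04:2020
```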

Changing Siebel Administrator Account Password on Windows

To increase the security of your Siebel implementation, it is recommended that you change the Siebel administrator account (SADMIN) password at regular intervals. You might also have to change the password for the Siebel service owner account, which is the Windows user who starts the Siebel Server system service - see Changing the Password for the Siebel Service Owner Account. For more information about setting up these accounts for initial use, see Siebel Installation Guide for the operating system you are using.

Use the following procedure to modify the password for the Siebel administrator database account on Microsoft Windows. You must change the corresponding password parameter for Siebel Enterprise, then delete the Siebel Server system service and re-create it using the new password. This procedure applies to Siebel CRM 18.11 Update and later releases.

To change the Siebel administrator account (SADMIN) password on Windows

  1. End all client sessions and shut down Siebel Servers, for example, as follows:

    1. Go to Control Panel and double-click Computer Management.

    2. Expand Services and Applications in the Computer Management panel that appears, and then click Services.

    3. Right-click the Siebel Server system service that you want in the details panel, and then click Stop.

      Windows stops the Siebel Server system service. This operation might take a few seconds. Repeat these steps as required to stop all servers in the Siebel Enterprise.

  2. Use Server Manager to change the SADMIN password as follows:

    1. Log in at the Enterprise level:

      srvrmgr -g SiebelGatewayHostName:TLS_Port# -e EnterpriseServerName -u UserName -p Password

    2. At the Server Manager prompt, enter the following command:

      change enterprise param Password=NewPassword

    If using this SADMIN user and password on another profile, such as the Application Interface or Migration profiles, then it will be revised for those profiles as well.

  3. Change the password for SADMIN in the database. For more information, refer to your RDBMS documentation on changing passwords.

  4. On each Siebel Server in your Siebel Enterprise, delete the existing Siebel Server system service (svc file) and then re-create the Siebel service with the new administrator database account password (SADMIN) as follows:

    1. To delete the existing Siebel service file, go to $ses\siebsrvr\bin at the command prompt and enter the following command:

      siebctl -d -S siebsrvr -i "<SiebelServiceFileName>"

      For example:

      siebctl -d -S siebsrvr -i "ses_app01"

    2. To recreate the Siebel service file with the new SADMIN password, go to siebsrvr\bin and enter the following command:

      siebctl -h SIEBSRVR_ROOT -S siebsrvr -i "EnterpriseName_SiebelServerName" -a -g "-g GatewayServerHostname:TLS_Port# -e EnterpriseName -s SiebelServerName -u sadmin" -e NewPassword -u NTAccount -p NTPassword

      where:

      • SIEBSRVR_ROOT is the full path to the Siebel Server installation directory

      • EnterpriseName is the name of your Siebel Enterprise

      • SiebelServerName is the name of the Siebel Server

      • GatewayServerHostname is the name of the Siebel Gateway host

      • TLS_Port# is the port number of the Siebel Gateway

      • sadmin is the administrator user ID

      • NewPassword is the new Siebel administrator password in plaintext. The siebctl utility encrypts the password.

      • NTAccount is the Siebel service owner account name. For example: companydomain\SADMIN.

        It is recommended that the Siebel service owner account be part of a Windows domain (and not a local domain) so that services are operated under the same account on all the Windows servers. For more information on creating the Siebel service owner account, see Siebel Installation Guide for the operating system you are using.

      • NTPassword is the Siebel service owner account password

      For example:

      D:\ses\siebsrvr\BIN> siebctl -h "d:\siebel\ses\siebsrvr" -S siebsrvr -i "ENTP_TRN:SIEBSRV2" -a -g "-g GTWNOVA04:2020 -e ENTP_TRN -s SIEBSRV -u sadmin" -e sadmin1 -u companydomain\SADMIN -p xxxxxxxx

      The siebctl utility re-creates the Siebel service file (svc file) with the new encrypted password value. Make sure the Siebel service file is created without any errors.

  5. Restart Siebel Gateway registry by starting the Siebel Gateway system service as follows (the application container for the Cloud Gateway should be running as well):

    1. Go to Control Panel and double-click Computer Management.

    2. Expand Services and Applications in the Computer Management panel that appears, and then click Services.

    3. Right-click the Siebel Gateway Name Server that you want in the details panel, and then click Start.

      Windows starts the Siebel Gateway Name Server system service. This operation might take a few seconds.

  6. Connect to the Server Manager (srvrmgr) with the new password to verify the password change:

    srvrmgr -g SiebelGatewayHostName:TLS_Port# -e EnterpriseServerName -s SiebelServerName -u SADMIN -p NewPassword

  7. If Step 6 is successful, start the Siebel Server system service:

    1. Go to Control Panel and double-click Computer Management.

    2. Expand Services and Applications in the Computer Management panel that appears, and then click Services.

    3. Right-click the Siebel Server system service that you want in the details panel (the enterprise name and Siebel Server name are indicated within brackets), and then click Start.

      Windows starts the Siebel Server system service. This operation might take a few seconds.

    For further information on administering the Siebel Server system service on Windows, see Siebel System Administration Guide.

  8. To validate application access, log in to Siebel as SADMIN (with the new Siebel administrator account password) and verify the password change.

    Note: Depending on how your Siebel administrator account (SADMIN) is configured, you may be locked out of your SADMIN account if you exceed a specified number of failed login attempts.

Changing the Password for the Siebel Service Owner Account

Use the following procedure to modify the password for the Siebel service owner account; this is the Microsoft Windows user account that starts the Siebel Server system service.

Note: If a password expiration policy for Windows user accounts exists, then make sure that the Siebel service owner account password is updated before it is due to expire to maintain the availability of the Siebel Servers.

To change the password for the Siebel service owner account

  1. Change the Windows domain login password for the Siebel service owner account.

    For more information on changing domain passwords, refer to your Windows documentation.

  2. Change the password for the Siebel Server system service.

    1. From the Windows Start menu, choose Settings, Control Panel, Administrative Tools, and then the Services item.

    2. Right-click on the Siebel Server System Service, and select Properties.

    3. In the Properties dialog box for this service, click the Log On tab.

    4. Enter the password in the Password and Confirm Password fields, and click OK.

      Note: The password specified here must correspond to the Windows domain login password you modified earlier in this procedure.

  3. Stop and restart the Siebel Server system service. For details, see Siebel System Administration Guide.

Changing the Anonymous User Password When a User Account is set to Anonymous User

The information in this topic applies to Microsoft Windows and UNIX.

If you set a Siebel user account, such as GUESTCST, with minimum responsibilities (for example, access to the login view) to Anonymous User Name, then you must also change the password (Anonymous User Password) associated with the anonymous user in the Siebel Application Interface profile. For more information, see Changing Encrypted Passwords Using the Siebel Management Console.

Caution: Never use the system administrator account (SADMIN) as the anonymous user account (Anonymous User Name) in a production environment. It is only acceptable to do so for development or test environments.

For more information about the anonymous user, see Configuring the Anonymous User.

Changing the Table Owner Password

This topic describes the steps to perform if you want to change the table owner password. Before you run the Database Configuration Wizard to configure the Siebel database on the RDBMS, you must create a database table owner (DBO) account with the appropriate permissions to modify the Siebel database tables. The table owner is used to reference table names in SQL statements that are generated by the Siebel application (for example, SELECT * FROM SIEBEL.S_APP_VER).

You create the database table owner account manually (on IBM DB2) or using the grantusr.sql script (Oracle or Microsoft SQL Server). For information on creating the table owner account, see the Siebel Installation Guide for the operating system you are using. Select a user ID for the table owner that meets your organization’s naming conventions. Also specify a password for the database table owner account.

A corresponding parameter named Table Owner (see Parameters for Configuring Security Adapter Authentication) is configured for the Siebel Enterprise. Siebel application modules such as Application Object Managers use this parameter value to provide the table owner name when generating SQL for database operations. You specify the table owner name during Siebel Enterprise Server configuration, which provides a value for this parameter.

A related parameter is Table Owner Password (example alias: TableOwnPass). For most database operations performed for Siebel Business Applications, the table owner password does not have to be provided. For this reason, this parameter is not configured during Siebel Enterprise Server configuration. However, if the Table Owner Password parameter is not defined, then the table owner password might sometimes have to be provided manually.

Note the following requirements for changing the table owner password:

  • If you have not defined the Table Owner Password parameter, then the table owner password only has to be changed in the Siebel database. (The changed password might also have to be provided manually for certain operations.)

  • If you have defined the Table Owner Password parameter, then you must also update the value for this parameter when you change the password in the Siebel database.

To change the password for the table owner account

  1. Change the table owner password for the Enterprise as follows:

    1. Log into a Siebel employee application, such as Siebel Call Center.

    2. Navigate to the Administration - Server Configuration screen, then the Enterprises view.

    3. Click the Parameters tab.

    4. In the Enterprise Parameters list, locate the Table Owner Password parameter (alias TableOwnPass).

    5. In the Value field, type in the new value, then commit the record.

  2. Change the password in the database.

    For more information on changing passwords, refer to your RDBMS documentation.

  3. Restart the Siebel Server.

Troubleshooting Password Changes By Checking for Failed Server Tasks

If you change the Siebel administrator (SADMIN) password or the Table Owner password, then you can verify that the password change has not caused errors by checking that all server tasks are still running. If a server task has failed, then update the password for the task. The following procedure describes how to troubleshoot password changes.

To troubleshoot password changes

  1. After the Siebel Server restarts:

    1. Log into a Siebel employee application, such as Siebel Call Center.

    2. Navigate to the Administration - Server Management screen, then the Servers view.

    3. In the Siebel Servers list, select the applicable Siebel Server.

    4. Click the Tasks tab and check to see if any server tasks have an error.

      For example, if you are running Call Center Object Manager, then check if there is a task for this component that has an error.

  2. For each Server Task that displays an error, update passwords for both the Siebel administrator account and the Table Owner for that task.

    1. Navigate to the Administration - Server Configuration screen, then the Enterprises view.

    2. Click the Component Definitions tab.

    3. Select the component that initiated the failed task.

      For example, if Call Center Object Manager had a failed task, then display the record for the Call Center Object Manager component definition.

    4. Click the Parameters view tab to display parameters for this component definition.

    5. Respecify password values for the applicable parameters for this component definition.

      For example, if the Password or Table Owner Password parameters are not set correctly for the Call Center Object Manager component definition, that might be the reason for the failed tasks. If so, then respecifying the correct values will solve the problem.

  3. Restart the Siebel Server computer, and check again if any tasks failed.

About Siebel Gateway Authentication Password

To make sure that only authorized users can make changes to the enterprise configuration parameters on Siebel Gateway, users connecting to the gateway must supply a valid authentication user name and password. Authentication user name and password values are verified by the security adapter specified for Siebel Gateway. The security adapter can be one of the following: database, LDAP, or custom.

The user account you use for Siebel Gateway authentication must have the same privileges as the Siebel administrator account created during the Siebel installation process; these privileges are required to connect to the gateway.

You can choose to use the Siebel administrator account for Siebel Gateway authentication, or you can create a new database user account, ensuring you assign it the same level of rights and privileges as the Siebel administrator account. If you are using an LDAP or a custom security adapter, then you must also add the gateway authentication user name and password to the directory server.

You can change the Siebel Gateway authentication password at any point by changing the password for the gateway authentication account in the database and in the LDAP directory (if you are using LDAP authentication). For more information, refer to your RDBMS documentation or your directory server documentation. For more information on gateway authentication, see About Authentication for Siebel Gateway Access and Siebel Installation Guide for the operating system you are using.

Using Siebel Utilities to Access Siebel Gateway

When using any of the Siebel utilities that connect to Siebel Gateway, for example the srvrmgr utility, you must specify the gateway authentication user name and password.

You can pass the gateway authentication user name and password in the command line as command flags, for example:

srvrmgr /g gateway1 /e enterprise1 /s server1 /u username /p password (Windows)
srvrmgr -g gateway1 -e enterprise1 -s server1 -u username -p password (UNIX)

where:

  • username is a valid user name that has been assigned Siebel administrator privileges

  • password is the password associated with username

You must enter a value for the /u username or -u username flag. If you do not specify a value for the /p password or -p password flag, then you are prompted for this value when you submit the command.

Encrypted Passwords in Siebel Application Interface Profile Configuration

The AES algorithm encrypts passwords stored in the Siebel Application Interface profile with a 256-bit encryption key. Passwords are written in encrypted form when you configure the Siebel Application Interface profile. Values for the following parameters are subject to encryption in the Siebel Application Interface profile:

  • Anonymous User Password

  • Trust Token

When an anonymous user password is used (during application login or anonymous browsing sessions), the encrypted password is decrypted and compared to the value stored for the database account (specified using the Anonymous User Name parameter).

The account and password are created using the standard Siebel database scripts, and must already exist in the Siebel database when you configure the Siebel Application Interface profile. If you change the password for this account after setting up your system, then you must update the password stored in the Siebel Application Interface profile. For information about changing encrypted passwords, see Changing Encrypted Passwords Using the Siebel Management Console.

Changing Encrypted Passwords Using the Siebel Management Console

Using the Siebel Management Console to change an anonymous user password automatically saves the password in encrypted form.

Although the anonymous user has limited privileges, it is generally recommended to use more secure passwords for production deployments of your Siebel Business Applications. For anonymous user accounts, changing passwords involves changing passwords for database accounts and changing passwords in the Siebel Application Interface profile.

Note: If you want to use different database accounts for the anonymous user for different applications, then you must manually update the Siebel Application Interface profile.

The following procedure describes how to change an encrypted password using the Siebel Management Console.

To change encrypted passwords using the Siebel Management Console

  1. Log in to the Siebel Management Console.

  2. Click Profiles in the navigation menu, and then click Application Interface.

    Existing application interface profiles are listed, if any.

  3. Select the application interface profile that you want to modify, and then click Edit.

  4. Go to the Basic Information section, click Authentication and change the Anonymous User Password.

  5. To change the anonymous password specific to other applications (such as Siebel Call Center, EAI, or REST API), do the following:

    1. Go to the Applications section, and select the check box next to the application you want to modify.

    2. Click Authentication, and change the Anonymous User Password as required.

About Encryption of Siebel Gateway Password Parameters

The Siebel Gateway registry stores the information required by the gateway. This includes operational and connectivity information as well as configuration information for the Siebel Enterprise and Siebel Servers. If a gateway configuration parameter requires a password value, then the Siebel encryptor writes the password to the Siebel Gateway registry in encrypted format.

Note: End user passwords are not specified as parameter values for the gateway and are not stored in the Siebel Gateway registry.

In the current release, passwords in the Siebel Gateway registry are encrypted using the AES algorithm. The encryptor generates the encrypted password using an encryption key that is unique to each parameter. The encryption key itself is generated based on repository information.

If you choose, you can increase the encryption key length for encrypting passwords. If you do increase the encryption key length for encrypted passwords in the Siebel Gateway registry, then the passwords have to be encrypted again using the new key. For more information, see Running the Encryption Upgrade Utility.

For a list of some of the password parameters that are encrypted in the Siebel Gateway registry, and for information on how to reencrypt them, see Reencrypting Password Parameters in Siebel Gateway Registry.

Upgrading to Siebel CRM

You must reset any passwords on the Siebel Gateway that were previously encrypted using RC4 encryption. In the current release, such passwords are encrypted using AES instead of RC4. For more information about reencrypting these passwords, see Running the Encryption Upgrade Utility. Furthermore, the Siebel Server system service and server components do not work after a migration installation until you have updated them to use AES password encryption. Make these changes in coordination, as described in Siebel Installation Guide for the operating system you are using.

Note: When you upgrade to the current release, the Siebel Server system service password, which is required to connect the Siebel Server to the Siebel Gateway, is automatically reencrypted using AES encryption. The Siebel Gateway password parameter, which is set at the Siebel Enterprise level, is also automatically reencrypted. You do not have to reencrypt these passwords manually.

Determining Encrypted Parameters and Values in Siebel Gateway Registry

Passwords in the Siebel Gateway registry are encrypted using 128-bit AES encryption. If you have many components in your system and you want to obtain a list of the encrypted passwords including the encryption value for each password, then complete the following procedure. This procedure assumes that Siebel Application Object Managers have been created for the components in your system.

To determine the encrypted parameters and values in Siebel Gateway registry

  1. Obtain the list of components and component types in your system.

  2. For each component type, list the parameters for the component using the following srvrmgr commands:

    list params . . .
    list advanced params . . .
    list hidden params . . .

    In the list of parameters returned, the encrypted parameters and their associated values are preceded with an asterisk (*) symbol.

  3. Reencrypt the parameter values using srvrmgr if required.

    For more information, see Reencrypting Password Parameters in Siebel Gateway Registry.

About the Object Manager’s First Connection and LDAP User

When LDAP or LDAP with SSO is used and the Siebel Server is started, the Object Manager’s first connection, which loads the Runtime Repository (RR) tables, uses the SADMIN Username/Password credentials (which are typically inherited from the Siebel Enterprise level setting). Customers that do not have an SADMIN user created in the LDAP server consequently face performance issues because the RR tables cannot be loaded. In such cases, it is recommended that you do the following:

  • Set new Username/Password parameters at the object manager component level, for another user.

  • In the LDAP server, create the Username with Password defined (it does not have to be a Siebel application user).