7 Security Features of Siebel Application Interface

About the Siebel Web Client and Using HTTPS

The Siebel installer configures Siebel Web Client for HTTPS. You must create the certificate and the certificate store before you run the installer, so that it can select and use them during HTTPS configuration. For more information, see the following:

Implementing Secure Login

Secure login is enabled when Siebel Web Client is configured and accessible over HTTPS. The Siebel installer enforces HTTPS for Web server access. For more information, see the topic about installing Siebel Business applications in Siebel Installation Guide for the operating system you are using.

With secure login, the user credentials entered in the login form are transmitted from the browser to the Web server over TLS, that is, over HTTPS, rather than in cleartext.

Note: You cannot log into a Siebel application by presenting user credentials as parameters in a URL.

For information about administering Siebel Server components, see Siebel System Administration Guide.

Logging Out of a Siebel Application

Siebel application users can end a Siebel session by using the Siebel application Log Out feature or by closing the browser window. The two are not equivalent.

If you select the Siebel application Log Out menu option, you are logged out of the Siebel application and the user session is ended immediately on the server.

If you instead click Close (the X icon), the browser window closes but the Siebel user session is not terminated until the session timeout is reached. Until then the session remains active on the server, so advise users to use Log Out rather than the X icon. The value of the session timeout is determined by the Active Session Timeout Value parameter set in the Siebel Application Interface profile for the application interface. For more information about this parameter, see Siebel Application Interface Profile Parameters.

Login User Names and Passwords

The following features are typically available on the Siebel login dialog box to assist users:

  • The Remember My User ID check box

    This feature is provided by your browser (and not by Siebel).

  • The Forgot Your Password? link

    For information on retrieving forgotten passwords, see Retrieving a Forgotten Password (Users).

Account Policies and Password Expiration

For enhanced security, you might want to implement the following account policies. Account policies are functions of your authentication service. If you want to implement account policies, then you are responsible for setting them up through administration features provided by the authentication service vendor.

  • Password syntax rules, such as minimum password length.

    When creating or changing passwords, minimum length requirements and other syntax rules defined in the external directory are enforced by the Siebel application.

  • An account lockout after a specified number of failed attempts to log in.

    Account lockout protects against password guessing attacks. Siebel Business Applications honor lockouts imposed by the external directory: an account that the directory has disabled or locked cannot log in to the Siebel application.

  • Password expiration after a specified period of time.

    The external directory can be configured to expire passwords and warn users that passwords are about to expire. Password expiration warnings issued by the external directory are recognized by Siebel Business Applications and users are notified to change their passwords.

About Password Expiration

Password expiration can be implemented in the following authentication strategies:

  • Security adapter authentication: LDAP or applicable custom security adapter

  • Database authentication where supported by the RDBMS

If you are using an LDAP security adapter, then password expiration is handled by the external LDAP directory, and is subject to the configuration of this behavior for the third-party directory product.

For example, when a password is about to expire, the directory might provide warning messages to the Siebel application to display when the user logs in. Such a warning would indicate the user’s password is about to expire and must be changed. If the user ignores such warnings and allows the password to expire, then the user might be required to change the password before logging into the application. Or, the user might be locked out of the application once the password has expired.

Password expiration configuration steps for each directory vendor will vary. For more information, see the documentation provided with your directory product.

Note: Confirm all third-party directory product behavior and configuration with your third-party documentation.

About Using Cookies with Siebel Business Applications

Siebel Business Applications running in the Web browser use cookies for a variety of purposes. This topic describes the types of cookies used and provides instructions for enabling cookies for Siebel CRM.

All cookies used by Siebel CRM are encrypted using standard encryption algorithms. Siebel CRM uses the following kinds of cookies:

  • Session cookie. Manages user sessions for Siebel Web Client users. For details, see Session Cookie.

  • Auto-login credential cookie. Stores user credentials for Siebel Web Client users. For details, see Auto-Login Credential Cookie.

Note: It is recommended that you always run Siebel applications in HTTPS mode so that cookies are marked Secure and the browser never sends them over plain HTTP. This prevents the application from mixing secure and insecure content. Applications run in HTTP mode do not mark cookies as Secure.

Cookies are what maintains user session information. Browsers with cookies disabled cannot maintain a Siebel user session. Siebel does not support or recommend cookieless mode.

Related Topic

Enabling Cookies for Siebel CRM

Using Secure Cookies

To increase the security of session cookies, Siebel Business Applications assign the Secure attribute to all session cookies by default. Setting the Secure attribute for cookies specifies that the cookies are to be transmitted to Web servers only over HTTPS connections, that is, to Web servers that have enabled TLS.
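As an added example, not Siebel's code, the following Node.js script parses Set-Cookie headers and reports the two conditions the page warns about: a cookie that lacks the Secure attribute, and a cookie received over plain HTTP. It also applies an HttpOnly check, which the page does not mention, and exempts cookies that page script legitimately needs to read. The header values, the cookie names other than the page's own session-number and [sameuisession] cookies, and the function names are constructed for illustration.

```javascript
// Added example (not Siebel code): audit Set-Cookie headers for the Secure
// attribute the page says Siebel assigns to session cookies by default, and
// flag cookies that arrived over plain HTTP. Sample headers are constructed.

// Parse one Set-Cookie header value into { name, value, attrs }.
// Attribute names are lower-cased; attributes without a value map to true.
function parseSetCookie(header) {
  const parts = header.split(';').map((p) => p.trim()).filter(Boolean);
  const eq0 = parts[0].indexOf('=');
  const name = eq0 === -1 ? parts[0] : parts[0].slice(0, eq0).trim();
  const value = eq0 === -1 ? '' : parts[0].slice(eq0 + 1);
  const attrs = {};
  for (const attr of parts.slice(1)) {
    const eq = attr.indexOf('=');
    const key = (eq === -1 ? attr : attr.slice(0, eq)).trim().toLowerCase();
    attrs[key] = eq === -1 ? true : attr.slice(eq + 1).trim();
  }
  return { name, value, attrs };
}

// Audit cookies received over `scheme` ('https' or 'http').
// `scriptSet` names cookies that page script must read, so the HttpOnly
// check (extra hardening, not something the page states) is skipped for them.
function auditCookies(setCookieHeaders, scheme, scriptSet = []) {
  return setCookieHeaders.map((h) => {
    const c = parseSetCookie(h);
    const findings = [];
    if (!('secure' in c.attrs)) {
      findings.push('missing Secure: browser will also send it over plain HTTP');
    }
    if (scheme !== 'https') {
      findings.push('received over ' + scheme + ': cookie travelled in cleartext');
    }
    if (!('httponly' in c.attrs) && !scriptSet.includes(c.name)) {
      findings.push('missing HttpOnly: readable by page script');
    }
    return { name: c.name, findings };
  });
}

// Constructed headers: a session cookie with both attributes, the
// script-set tab cookie, and a preference cookie with no attributes at all.
const SAMPLE_HEADERS = [
  'SiebelSessionNumber=SN-1; Path=/; Secure; HttpOnly',
  'sameuisession=TAB-1; Path=/; Secure',
  'theme=dark; Path=/',
];

// Run the audit over the sample as if it had been received over `scheme`.
function auditSample(scheme) {
  return auditCookies(SAMPLE_HEADERS, scheme, ['sameuisession']);
}

console.log(JSON.stringify(auditSample('https'), null, 1));
console.log(JSON.stringify(auditSample('http'), null, 1));
```

Run it with `node` and compare the two reports: over HTTPS only the attribute-less preference cookie is flagged, while over HTTP every cookie is reported as having travelled in cleartext, which is the situation the note above tells you to avoid.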

Session ID Encryption

The Siebel session ID is encrypted with AES-256.

Note: If a user changes their password during an application session, then the password information in the session ID might no longer allow the user to access Siebel Reports during this session. This is the case when using both database authentication and password hashing. After changing the password, the user must log out and log in again in order to be able to run reports.

Enabling Cookies for Siebel Business Applications

This topic describes how to enable the Microsoft Internet Explorer Web browser to handle cookies used by Siebel CRM. These instructions can vary depending on your supported browser version.

Note: If you are using a browser other than Internet Explorer to run Siebel CRM, see your browser documentation for information on enabling cookies.

To enable cookies using Internet Explorer

  1. Choose Tools, and then Internet Options.

  2. Click the Privacy tab.

  3. In Privacy settings, click Advanced.

  4. Verify that Override automatic cookie handling is checked. Also consider:

    • If First-party Cookies is set to Accept, then all Siebel cookies are enabled.

    • If First-party Cookies are blocked, then you can still enable the session cookie by checking Always allow session cookies.

  5. Click OK, then click OK again.

About Siebel Session Warning Message

If multiple tab browsing is not configured for your application and you try to start a second Siebel session while another session is currently active, then a Siebel session warning message similar to the following appears. For more information about configuring multiple tab browsing, see Configuring Siebel Open UI.

You have initiated a Siebel Session while another Siebel session is currently active.  
Please choose the option that applies to you:
- You already have a Siebel session with unsaved data running in another window. To save 
  data from a second session go to the already open session and either save and exit 
  or continue to use that data.
- You do not have unsaved data in your other session and wish to close it and launch a new
  session. Click here.
- You have closed your previous Siebel browser instance using the Close button instead of 
  the Logoff feature and wish to open a new Siebel session. Click here. 

After a successful UI login to Siebel application, two cookies are sent as follows:

  • Siebel Session Number. This cookie is the security token passed along with each request. It is encoded and carries the information needed to route the request to the correct session task. Siebel Session Number remains until you explicitly log out of the application or close your browser.

  • [sameuisession]. This cookie is unique to the browser tab from which a user request is sent. It is set in JavaScript and, when the application unloads (for example, when you close the browser or the tab), is reset to expire after 3 seconds. In releases prior to Siebel CRM 17.x, [sameuisession] expired after a year.

This effectively means the following:

  • If you close the (first) tab, [sameuisession] expires after 3 seconds. If you then try to use the same Siebel Session Number from another (second) tab, the Siebel session warning message above appears.

  • If you open the application URL from another tab, the Siebel Session Number cookie is sent correctly, but because no [sameuisession] is set for that tab, the Siebel session warning message above appears.
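The following is an added example, not Siebel's code, that models the two-cookie check described above so the cases can be run in Node. Each tab keeps a token in tab-scoped memory (standing in for per-tab browser state); a cookie jar shared by all tabs holds the session number and the [sameuisession] cookie. The cookie lifetimes follow the page (no expiry on the session number until logout or browser close, a 3-second lifetime applied to [sameuisession] on unload); the cookie names, function names, the matching rule and the "adopt" step for the warning's third option are assumptions for illustration.

```javascript
// Added example (not Siebel code): a runnable model of the session-number /
// tab-cookie check. Names, matching rule and the adopt step are assumptions.

const TAB_COOKIE_TTL_MS = 3000; // lifetime given to the tab cookie on unload

// One browser: a cookie jar shared by all of its tabs.
function makeBrowser() {
  return { jar: new Map(), nextTab: 1 };
}
function setCookie(b, name, value, now, ttlMs) {
  const expiresAt = ttlMs === undefined ? Infinity : now + ttlMs;
  b.jar.set(name, { value, expiresAt });
}
function getCookie(b, name, now) {
  const c = b.jar.get(name);
  if (!c || c.expiresAt <= now) { b.jar.delete(name); return null; }
  return c.value;
}

// Open a tab: its token lives only in that tab's own memory.
function openTab(b) {
  return { token: 'TAB-' + b.nextTab++ };
}

// Successful login from `tab`: the server sets the session number cookie
// (no expiry) and page script sets the tab cookie bound to this tab.
function login(b, tab, now) {
  setCookie(b, 'SiebelSessionNumber', 'SN-1', now);
  setCookie(b, 'sameuisession', tab.token, now);
}

// Closing the tab with the X icon: page script gives the tab cookie a
// 3-second lifetime; the session number cookie is left untouched.
function closeTab(b, tab, now) {
  if (getCookie(b, 'sameuisession', now) === tab.token) {
    setCookie(b, 'sameuisession', tab.token, now, TAB_COOKIE_TTL_MS);
  }
}

// Log Out menu option: the session is ended immediately.
function logout(b) {
  b.jar.delete('SiebelSessionNumber');
  b.jar.delete('sameuisession');
}

// "Click here" on the warning's third option: rebind the session to `tab`.
function adoptSession(b, tab, now) {
  setCookie(b, 'sameuisession', tab.token, now);
}

// What the application does with a request from `tab`.
function handleRequest(b, tab, now) {
  if (getCookie(b, 'SiebelSessionNumber', now) === null) return 'login';
  if (getCookie(b, 'sameuisession', now) === tab.token) return 'continue';
  return 'session-warning'; // tab cookie expired or belongs to another tab
}

// Walk through the cases listed on the page; times are milliseconds.
function scenario() {
  const b = makeBrowser();
  const first = openTab(b);
  const r = [];
  login(b, first, 0);
  r.push(handleRequest(b, first, 100));    // same tab: continue
  const second = openTab(b);
  r.push(handleRequest(b, second, 200));   // other tab, no cookie for it: warning
  closeTab(b, first, 1000);                // X icon at t=1s; cookie expires at t=4s
  r.push(handleRequest(b, second, 2000));  // still inside the 3 s window: warning
  r.push(handleRequest(b, second, 5000));  // tab cookie gone, session still alive: warning
  adoptSession(b, second, 5000);           // user picks the third option
  r.push(handleRequest(b, second, 5100));  // continue in the second tab
  logout(b);
  r.push(handleRequest(b, second, 5300));  // no session number: login page
  return r;
}

console.log(scenario().join(' -> '));
```

The point the model makes concrete is that closing with the X icon removes only the tab binding: the session number cookie, and the server-side session behind it, survive until the Active Session Timeout or an explicit Log Out.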

About Service Discovery Initiated by Trusted and Untrusted Sources in Siebel Application Interface

External untrusted connect string URLs should not be used for production loads, for testing loads, or to check whether Siebel Cloud Gateway is running. Using external URLs causes a significant increase in load on the database. Performance differs significantly between a service discovery request triggered by Siebel Application Interface and an external call coming through the UI, REST UI, or SOAP interface.

The paths taken by trusted and untrusted requests are:

  • Trusted Source. This is where service discovery is initiated by Siebel Application Interface.

    In this scenario, there is no user ID and password authentication at the gateway.

  • Untrusted Source. This is where service discovery is initiated by the end-user client or browser.

    In this scenario, there is user ID and password authentication at the gateway. This is required to access the application interface and the Siebel application.