Enabling TLS 1.3 Support in Environments Prior to 23.11

Siebel CRM 23.11 provides the capacity to enable TLS 1.3 communication from client to server and from server tier to server tier. Refer to the "Supported TLS Versions and RSA SHA" section in the "Security Guide" on the Siebel CRM Bookshelf for more details.

In SCM-deployed pre-23.11 environments, specific action is needed to enable TLS 1.3 communication. At this stage, the recommended action is to rename the 'conf' folder in applicationcontainer_internal and applicationcontainer_external to, say, conf_old. Make sure to bring down the Siebel CRM environment before renaming the 'conf' folder, and restart it at the end.

Stop the Siebel CRM Environment

docker exec -it cloudmanager bash    (exec into the container)
source /home/opc/siebel/<ENV_ID>/k8sprofile

kubectl -n <namespace> get statefulset    (before bringing down the environment, note down the number of replicas of each statefulset)
kubectl -n <namespace> scale --replicas=0 statefulset/siebelcgw
kubectl -n <namespace> scale --replicas=0 statefulset/smc
kubectl -n <namespace> scale --replicas=0 statefulset/edge    (where edge is the Siebel server; bring down all other Siebel servers, if present, the same way)
kubectl -n <namespace> scale --replicas=0 statefulset/quantum    (where quantum is the AI server; bring down all other AI servers, if present, the same way)
exit

Enable TLS 1.3 Support in Pre-23.11 Environments

Rename the 'conf' folder to, say, 'conf_old' in each of the following persistent paths:

  • Exec into the SCM container:
    docker exec -it cloudmanager bash
  • /home/opc/siebel/<ENV_ID>/<namespace>-siebfs*/<NAMESPACE>/CGW/siebelcgw-*/applicationcontainer_internal/conf, where:
    • <namespace>-siebfs* denotes the Siebel file systems siebfs0, siebfs1, siebfs2 and so on.
    • siebelcgw-* denotes the CGW replicas siebelcgw-0, siebelcgw-1, siebelcgw-2 and so on.
  • /home/opc/siebel/<ENV_ID>/<namespace>-siebfs*/<NAMESPACE>/SAI/smc-0/applicationcontainer_external/conf
  • /home/opc/siebel/<ENV_ID>/<namespace>-siebfs*/<NAMESPACE>/edge/edge-0/applicationcontainer_internal/conf, where:
    • edge, tibus and trust are the Siebel servers.
  • /home/opc/siebel/<ENV_ID>/<namespace>-siebfs*/<NAMESPACE>/quantum/quantum-0/applicationcontainer_external/conf, where:
    • quantum, alchemist and creative are the AI servers.

Bring up the Siebel CRM Environment

docker exec -it cloudmanager bash    (exec into the container)
source /home/opc/siebel/<ENV_ID>/k8sprofile

kubectl -n <namespace> scale --replicas=3 statefulset/siebelcgw    (restore the replica count noted earlier; 3 in this example)
kubectl -n <namespace> scale --replicas=1 statefulset/smc
kubectl -n <namespace> scale --replicas=1 statefulset/edge    (where edge is the Siebel server; bring up all other Siebel servers, if present, the same way)
kubectl -n <namespace> scale --replicas=1 statefulset/quantum    (where quantum is the AI server; bring up all other AI servers, if present, the same way)
kubectl -n <namespace> get pods    (verify that the pods are in Running status)
exit

Once the environment is up and running, any customizations previously made to server.xml (in the old 'conf' folder) have to be reapplied.
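The stop, rename and bring-up steps above are easy to get wrong by hand: the replica counts noted before the shutdown have to be restored exactly, and a second run must not clobber a 'conf_old' left by a first one. The following Python helpers are an added example, not part of the Siebel documentation or of any Oracle tooling. They assume the standard NAME/READY/AGE column layout of `kubectl get statefulset`; the statefulset output and the directory tree they operate on are constructed here so the example runs offline, and the tree only mirrors the persistent paths listed above.

```python
"""Helpers for the stop / rename-conf / bring-up procedure (added example, not Siebel code)."""
from __future__ import annotations

import re
import tempfile
from pathlib import Path

# Constructed sample of `kubectl -n <namespace> get statefulset` output; not captured
# from a real environment. READY is shown as ready/desired.
SAMPLE_STATEFULSET_OUTPUT = """\
NAME        READY   AGE
siebelcgw   3/3     45d
smc         1/1     45d
edge        2/2     45d
quantum     1/1     45d
"""

# Constructed relative paths mirroring the persistent conf locations in the text.
DEMO_CONF_PATHS = (
    "ns-siebfs0/NS/CGW/siebelcgw-0/applicationcontainer_internal/conf",
    "ns-siebfs0/NS/CGW/siebelcgw-1/applicationcontainer_internal/conf",
    "ns-siebfs0/NS/SAI/smc-0/applicationcontainer_external/conf",
    "ns-siebfs0/NS/edge/edge-0/applicationcontainer_internal/conf",
    "ns-siebfs0/NS/quantum/quantum-0/applicationcontainer_external/conf",
)


def record_replicas(get_statefulset_output: str) -> dict[str, int]:
    """Parse the READY column and return {statefulset name: desired replicas}."""
    replicas: dict[str, int] = {}
    for line in get_statefulset_output.splitlines()[1:]:  # skip the header row
        parts = line.split()
        if len(parts) < 2:
            continue
        name, ready = parts[0], parts[1]
        match = re.fullmatch(r"(\d+)/(\d+)", ready)
        if not match:
            raise ValueError(f"unexpected READY column for {name}: {ready!r}")
        replicas[name] = int(match.group(2))
    return replicas


def scale_commands(namespace: str, replicas: dict[str, int], down: bool) -> list[str]:
    """Build the kubectl scale commands: 0 for shutdown, the recorded count for bring-up."""
    return [
        f"kubectl -n {namespace} scale --replicas={0 if down else count} statefulset/{name}"
        for name, count in replicas.items()
    ]


def rename_conf_folders(siebfs_root: Path) -> list[Path]:
    """Rename every applicationcontainer_*/conf below siebfs_root to conf_old.

    Refuses to run if a conf_old already sits beside a conf folder, so an earlier
    backup is never silently overwritten.
    """
    renamed: list[Path] = []
    for conf in sorted(siebfs_root.glob("**/applicationcontainer_*/conf")):
        if not conf.is_dir():
            continue
        target = conf.with_name("conf_old")
        if target.exists():
            raise FileExistsError(f"{target} already exists; resolve it before renaming {conf}")
        conf.rename(target)
        renamed.append(target)
    return renamed


def demo_rename() -> list[str]:
    """Build the constructed tree in a temp dir, rename its conf folders, return the results."""
    root = Path(tempfile.mkdtemp(prefix="siebfs-demo-"))
    for rel in DEMO_CONF_PATHS:
        (root / rel).mkdir(parents=True)
        (root / rel / "server.xml").write_text("<Server/>\n")  # placeholder content
    return [p.relative_to(root).as_posix() for p in rename_conf_folders(root)]


if __name__ == "__main__":
    counts = record_replicas(SAMPLE_STATEFULSET_OUTPUT)
    print("\n".join(scale_commands("<namespace>", counts, down=True)))
    print("\n".join(demo_rename()))
    print("\n".join(scale_commands("<namespace>", counts, down=False)))
```

Run the scale-down list, rename, then the scale-up list; the bring-up commands carry the counts that were actually recorded rather than a fixed 3/1/1/1, which matters when an environment runs more than one Siebel or AI server replica.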

TLS 1.3 Support Verification

The OCI Load Balancer supports TLS versions up to 1.2, so when SMC or the application is accessed from a client, the request is still served over TLS 1.2. For more information, refer to SSL Tunneling.

Siebel AI requests coming through the ingress, however, are served over both TLS 1.2 and TLS 1.3 by default from 23.11. This can be verified in the AI server's Tomcat server.xml configuration.

docker exec -it cloudmanager bash    (exec into the container)
cd /home/opc/siebel/<ENV_ID>/<namespace>-siebfs0/<NAMESPACE>/quantum/quantum-0/applicationcontainer_external/conf/
cat server.xml

<Connector port="4430" protocol="org.apache.coyote.http11.Http11NioProtocol"
           compressableMimeType="text/css,text/javascript,application/x-javascript,application/javascript" useSendfile="off" compression="on" compressionMinSize="128" connectionTimeout="20000" noCompressionUserAgents="gozilla, traviata"
           maxThreads="150" SSLEnabled="true" scheme="https" secure="true"
           SSLVerifyClient="require" SSLEngine="on" SSLVerifyDepth="2"
           keystoreFile="/siebel/mde/applicationcontainer_external/siebelcerts/keystore.jks" keystorePass="siebel" keystoreType="JKS"
           truststoreFile="/siebel/mde/applicationcontainer_external/siebelcerts/truststore.jks" truststorePass="siebel" truststoreType="JKS"
           sslEnabledProtocols="TLSv1.2+TLSv1.3"
           clientAuth="false" relaxedQueryChars="&#x20;&#x22;&#x3C;&#x3E;&#x5B;&#x5C;&#x5D;&#x5E;&#x60;&#x7B;&#x7C;&#x7D;"
           relaxedPathChars="&#x20;&#x22;&#x3C;&#x3E;&#x5B;&#x5C;&#x5D;&#x5E;&#x60;&#x7B;&#x7C;&#x7D;"
           ciphers="TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256, TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384, TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256, TLS_AES_128_GCM_SHA256, TLS_AES_256_GCM_SHA384, TLS_CHACHA20_POLY1305_SHA256, TLS_AES_128_CCM_SHA256, TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384, TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256, TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256, TLS_ECDHE_ECDSA_WITH_AES_256_CCM, TLS_ECDHE_ECDSA_WITH_AES_128_CCM"

Note: Notice the following line in the example above:
          sslEnabledProtocols="TLSv1.2+TLSv1.3"
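Reading server.xml by eye works for one connector, but a file can carry several SSL-enabled connectors, and TLSv1.3 in sslEnabledProtocols is only effective when at least one TLS 1.3 cipher suite is also present in the ciphers list (the TLS_AES_* and TLS_CHACHA20_* names). The check below is an added example, not code from the Siebel documentation: it parses a server.xml with the standard library and reports, per SSL connector, whether TLS 1.3 is enabled, which TLS 1.3 suites are offered, and whether any legacy protocol is still listed. The embedded server.xml is constructed (attribute values shortened from the connector shown above, plus a second TLS 1.2-only connector to show a failing case) and is not a copy of any environment's file.

```python
"""Verify TLS 1.3 readiness of SSL connectors in a Tomcat server.xml (added example)."""
from __future__ import annotations

import xml.etree.ElementTree as ET

# Constructed server.xml modelled on the AI-server connector above; values shortened.
SAMPLE_SERVER_XML = """\
<Server port="8005" shutdown="SHUTDOWN">
  <Service name="Catalina">
    <Connector port="4430" protocol="org.apache.coyote.http11.Http11NioProtocol"
               SSLEnabled="true" scheme="https" secure="true"
               sslEnabledProtocols="TLSv1.2+TLSv1.3"
               ciphers="TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256, TLS_AES_128_GCM_SHA256, TLS_AES_256_GCM_SHA384, TLS_CHACHA20_POLY1305_SHA256"/>
    <Connector port="4431" protocol="org.apache.coyote.http11.Http11NioProtocol"
               SSLEnabled="true" scheme="https" secure="true"
               sslEnabledProtocols="TLSv1.1+TLSv1.2"
               ciphers="TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256"/>
    <Connector port="8080" protocol="HTTP/1.1"/>
  </Service>
</Server>
"""

# TLS 1.3 cipher suites as named in RFC 8446 (the IANA names Tomcat's JSSE config uses).
TLS13_SUITES = {
    "TLS_AES_128_GCM_SHA256",
    "TLS_AES_256_GCM_SHA384",
    "TLS_CHACHA20_POLY1305_SHA256",
    "TLS_AES_128_CCM_SHA256",
    "TLS_AES_128_CCM_8_SHA256",
}
LEGACY_PROTOCOLS = {"SSLv2", "SSLv3", "TLSv1", "TLSv1.1"}


def _split_list(value: str) -> list[str]:
    """Split a Tomcat list attribute; both '+' and ',' separators are in use."""
    return [item.strip() for item in value.replace("+", ",").split(",") if item.strip()]


def check_connectors(server_xml: str) -> list[dict]:
    """Return one report per SSL-enabled <Connector>, in document order."""
    reports = []
    for conn in ET.fromstring(server_xml).iter("Connector"):
        if conn.get("SSLEnabled", "false").lower() != "true":
            continue  # plain HTTP connector, nothing to check
        protocols = _split_list(conn.get("sslEnabledProtocols", ""))
        ciphers = _split_list(conn.get("ciphers", ""))
        reports.append({
            "port": conn.get("port"),
            "tls13_enabled": "TLSv1.3" in protocols,
            "tls13_suites": sorted(set(ciphers) & TLS13_SUITES),
            "legacy_protocols": sorted(set(protocols) & LEGACY_PROTOCOLS),
        })
    return reports


def tls13_ready(report: dict) -> bool:
    """TLS 1.3 can only be negotiated if the protocol and at least one 1.3 suite are both on."""
    return report["tls13_enabled"] and bool(report["tls13_suites"])


if __name__ == "__main__":
    for r in check_connectors(SAMPLE_SERVER_XML):
        status = "OK" if tls13_ready(r) else "NOT READY"
        print(f"port {r['port']}: TLS 1.3 {status}; suites={r['tls13_suites']}; "
              f"legacy={r['legacy_protocols']}")
```

Point `check_connectors` at the contents of the AI server's server.xml (the cat output above) to confirm the connector on port 4430 reports TLS 1.3 as ready; a connector whose ciphers list holds only TLS_ECDHE_* suites will report NOT READY even if TLSv1.3 appears in sslEnabledProtocols.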