Procedure to Configure Reverse Proxy

The following procedure shows how to configure a reverse proxy, which is required for all implementations with and without SSO, to avoid exposing the internal IP addresses of sensitive servers. As of Siebel CRM 20.5 Update, this is a mandatory post-installation task.

To configure reverse proxy

  1. Add proxy settings in the HTTP/HTTPS <Connector> element of the application interface’s server.xml file.

    Add the proxy settings to the HTTP connector if the SSL acceleration feature is enabled, otherwise add the proxy settings to the HTTPS connector as follows:

    • When SSL acceleration is enabled:

      <Connector port="9001" ... 
         proxyName="<reverseproxyhost>" 
         proxyPort="<port used in loadbalancer/reverse proxy>"
      />
    • When application interface is in HTTPS, edit the server.xml file to include separate connectors for internal and external users (who are on the same application interface) as follows:
      <!-- Port 9999 is for external users via reverse proxy: -->
      
      <Connector port="9999" 
        proxyName="<reverseproxyhostname.com>" 
        proxyPort="<port used in loadbalancer/reverse proxy(eg. 443)>" 
        protocol="org.apache.coyote.http11.Http11NioProtocol" 
        maxThreads="600" 
        SSLEnabled="true" 
        scheme="https" 
        secure="true" 
        SSLVerifyClient="require" 
        SSLEngine="on" 
        SSLVerifyDepth="2" 
        keystoreFile="..\Siebel\ai\applicationcontainer_external\siebelcerts\siebelkeystore.jks" 
        keystorePass="******1" 
        keystoreType="JKS" 
        truststoreFile="..\Siebel\ai\applicationcontainer_external\siebelcerts\siebeltruststore.jks" 
        truststorePass="*******1" 
        truststoreType="JKS" 
        ciphers="..."
        clientAuth="false" 
        sslProtocol="TLSv1.2" 
        relaxedQueryChars="..." 
        relaxedPathChars=";"
      />
      
      <!-- Port 8443 is for internal users: -->
      
      <Connector port="8443" 
        protocol="org.apache.coyote.http11.Http11NioProtocol" 
        maxThreads="600" 
        SSLEnabled="true" 
        scheme="https" 
        secure="true" 
        SSLVerifyClient="require" 
        SSLEngine="on" 
        SSLVerifyDepth="2" 
        keystoreFile="..\Siebel\ai\applicationcontainer_external\siebelcerts\siebelkeystore.jks" 
        keystorePass="******1" 
        keystoreType="JKS" 
        truststoreFile="..\Siebel\ai\applicationcontainer_external\siebelcerts\siebeltruststore.jks" 
        truststorePass="*******1" 
        truststoreType="JKS" 
        ciphers="..."
        clientAuth="false" 
        sslProtocol="TLSv1.2" 
        relaxedQueryChars="..." 
        relaxedPathChars=";"
      />
      
  2. Restart the application interface for the changes to take effect.
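The check below is an added example, not part of the Siebel documentation or Oracle's tooling: it parses a Tomcat-style server.xml and reports connectors where the reverse-proxy settings from step 1 are incomplete. The embedded server.xml, hostnames and ports are constructed for illustration.

```python
import xml.etree.ElementTree as ET

# Constructed sample modelled on the two HTTPS connectors in step 1 plus an
# HTTP connector that is missing proxyPort (hostnames and ports are made up).
SAMPLE_SERVER_XML = """<?xml version="1.0" encoding="UTF-8"?>
<Server port="8005" shutdown="SHUTDOWN">
  <Service name="Catalina">
    <Connector port="9999" proxyName="proxy.example.com" proxyPort="443"
               protocol="org.apache.coyote.http11.Http11NioProtocol"
               SSLEnabled="true" scheme="https" secure="true"
               sslProtocol="TLSv1.2"/>
    <Connector port="8443"
               protocol="org.apache.coyote.http11.Http11NioProtocol"
               SSLEnabled="true" scheme="https" secure="true"
               sslProtocol="TLSv1.2"/>
    <Connector port="9001" protocol="HTTP/1.1"
               proxyName="proxy.example.com"/>
  </Service>
</Server>
"""

def lint_connectors(server_xml: str) -> dict:
    """Return {port: [findings]} for each <Connector> in a server.xml document.

    A connector carrying proxyName is treated as reverse-proxy facing; it must
    also carry proxyPort so that redirects and absolute URLs are built with the
    proxy's host and port rather than the internal address.
    """
    root = ET.fromstring(server_xml)
    findings = {}
    for conn in root.iter("Connector"):
        issues = []
        proxy_name, proxy_port = conn.get("proxyName"), conn.get("proxyPort")
        if bool(proxy_name) != bool(proxy_port):
            issues.append("proxyName and proxyPort must be set together")
        if conn.get("SSLEnabled", "false").lower() == "true":
            # HTTPS connectors need scheme/secure so generated URLs use https.
            if conn.get("scheme") != "https" or conn.get("secure") != "true":
                issues.append("SSLEnabled connector needs scheme=https secure=true")
            if conn.get("sslProtocol") not in ("TLSv1.2", "TLSv1.3"):
                issues.append("sslProtocol should be TLSv1.2 or later")
        findings[conn.get("port", "?")] = issues
    return findings

def external_ports(server_xml: str) -> list:
    """Ports of connectors that sit behind the reverse proxy (proxyName set)."""
    root = ET.fromstring(server_xml)
    return [c.get("port") for c in root.iter("Connector") if c.get("proxyName")]
```

Run it against the real server.xml after step 1 and before the restart in step 2; an empty findings list for the external connector means proxyName and proxyPort are both present.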

Configuring CORS Support When Interacting with Other Applications

CORS requirements are enforced by most modern browsers. CORS typically requires that the following conditions are met:

  • Same host (or alternatives provided below)
  • Same port
  • Same protocol (end to end)

Supporting CORS can largely be handled at the reverse proxy level for Siebel. Assuming the reverse proxy in front of Siebel is the Apache HTTP Server (httpd), the proxied application can hide part of the host/domain so that the domains of the interacting applications look the same. Relaxing the CORS requirement is configured in the httpd.conf file of the reverse proxy. The same reverse proxy setting can also adjust for port differences. The setting below is a generic way to resolve this; there are more specific ways of solving it as required.

Header set Access-Control-Allow-Origin

You can find more information in the documentation of the specific reverse proxy implemented (Siebel CRM requires a reverse proxy in front of Siebel).

HTTPS traffic is expected to match for Siebel and any other application it works with, as mixed content is not supported. By default this is set to secure HTTP (HTTPS).

This configuration allows the Siebel UI to be embedded in any other origin and is the recommended approach to address CORS requirements. This setting is very useful for action links in Siebel.

For releases before Siebel CRM 20.10, follow the procedure described in Planning Cross-Domain Integrations.

From Siebel CRM release 20.10 onwards, the details available in Planning Cross-Domain Integrations are overridden by the out-of-the-box (OOB) Tomcat configuration. You need to apply the related configuration in applicationcontainer_external\conf\web.xml. The attributes, their default values, and their descriptions are as follows.

Attribute: antiClickJackingEnabled
Default value: true
Description: Whether the anti-clickjacking header (X-Frame-Options) is set on the response. Any anti-clickjacking header already present is replaced.

Attribute: antiClickJackingOption
Default value: SAMEORIGIN
Description: Set it to one of the following values:

  • SAMEORIGIN. Display the page only in a frame that resides in the same location as the page. This is the default value.
  • ALLOW-FROM. Specify the URL for antiClickJackingUri when ALLOW-FROM is set.
  • DENY. Do not display the page in a frame or in an iframe.

Attribute: antiClickJackingUri
Default value: none (this attribute does not exist out of the box)
Description: Required if ALLOW-FROM is used for antiClickJackingOption. Display the page only in a frame that resides in the specified location. If an external application accesses a Siebel URI, specify the URI that this external application uses. For example, if the external application uses https://my_url.com, use the following value: https://my_url.com/ If a browser (such as Chrome or Safari) does not support ALLOW-FROM, the browser ignores it.

Hardening Procedures Through Reverse Proxy

Reverse proxies can handle Referrer-Policy and Permissions-Policy related header values, and any other header can be configured in the reverse proxy. Content Security Policy (CSP) and Cross-Origin Resource Sharing (CORS) related obstacles are also generally handled as part of the reverse proxy configuration.
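The following is an added example, not code from the Siebel documentation: it audits a set of response headers against the anti-clickjacking values in the web.xml table above and the Referrer-Policy, Permissions-Policy and CORS headers this section expects the reverse proxy to emit. The sample headers are constructed, and https://my_url.com is the documentation's placeholder origin.

```python
from urllib.parse import urlparse

# Constructed sample of the response headers a hardened reverse proxy might
# return for the Siebel UI; https://my_url.com is the page's placeholder origin.
SAMPLE_HEADERS = {
    "Content-Type": "text/html",
    "X-Frame-Options": "ALLOW-FROM https://my_url.com/",
    "Access-Control-Allow-Origin": "https://my_url.com",
    "Referrer-Policy": "strict-origin-when-cross-origin",
    "Permissions-Policy": "geolocation=(), camera=()",
}

FRAME_OPTIONS = ("SAMEORIGIN", "DENY", "ALLOW-FROM")

def check_frame_options(value: str) -> list:
    """Validate X-Frame-Options against the antiClickJackingOption values."""
    problems = []
    parts = value.strip().split(None, 1)
    option = parts[0].upper() if parts else ""
    if option not in FRAME_OPTIONS:
        problems.append(f"unknown X-Frame-Options value {value!r}")
    elif option == "ALLOW-FROM":
        # ALLOW-FROM needs the antiClickJackingUri value; browsers that do not
        # support ALLOW-FROM ignore it, so SAMEORIGIN or DENY is more portable.
        uri = urlparse(parts[1] if len(parts) > 1 else "")
        if uri.scheme != "https" or not uri.netloc:
            problems.append("ALLOW-FROM requires an absolute https URI")
    return problems

def audit_headers(headers: dict, allowed_origins: set) -> dict:
    """Return {header: [problems]} for the headers discussed above."""
    h = {k.lower(): v for k, v in headers.items()}
    report = {}
    xfo = h.get("x-frame-options")
    report["X-Frame-Options"] = check_frame_options(xfo) if xfo else ["missing"]
    acao = h.get("access-control-allow-origin")
    # "*" is the page's generic setting; a specific origin must be an expected one.
    if acao is None:
        report["Access-Control-Allow-Origin"] = ["missing"]
    elif acao != "*" and acao not in allowed_origins:
        report["Access-Control-Allow-Origin"] = [f"unexpected origin {acao!r}"]
    else:
        report["Access-Control-Allow-Origin"] = []
    for name in ("Referrer-Policy", "Permissions-Policy"):
        report[name] = [] if h.get(name.lower()) else ["missing"]
    return report

def is_hardened(headers: dict, allowed_origins: set) -> bool:
    """True when no header in the audit report has a problem."""
    return not any(audit_headers(headers, allowed_origins).values())
```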