Deploying TLS for a Siebel Enterprise or Siebel Server
The following procedure describes running the Siebel Management Console to deploy TLS for a Siebel Server or a Siebel Enterprise. Performing this procedure adds parameters to the Siebel Gateway; these parameters can alternatively be set using Siebel Server Manager.
To deploy TLS encryption for the Siebel Server or Enterprise:
Before you begin, obtain and install the certificate files that are required if you are configuring TLS authentication.
Depending on whether you are enabling TLS encryption for the Siebel Enterprise or for the Siebel Server, do one of the following:
If you are running the Siebel Management Console to configure the Siebel Enterprise, then do the following:
Start the Siebel Management Console and configure values for the Enterprise.
For information on this task, see Siebel Installation Guide.
When the Additional Tasks for Configuring the Enterprise screen appears, select the Enterprise Network Security Encryption Type option.
On the Security Encryption Level or Type screen, select the following option: SISNAPI to use TLS 1.2.
To run the Siebel Management Console directly on a Siebel Server computer, do the following:
Start the Siebel Server Management Console directly and configure values for the Siebel Server.
For information on this task, see Siebel Installation Guide.
When the Additional Tasks for Configuring the Siebel Server screen is displayed, select the Server-Specific Security Encryption Settings option.
On the Security Encryption Level or Type screen, select the following option: SISNAPI to use TLS 1.2.
Note: If you change to a different Siebel Management Console, then you might need to redeploy the profile. The easiest way to do this is to create a new profile and apply it to the required server using Siebel Management Console (or Siebel Server Manager, although this is harder).
Specify the name and location of the certificate file and the certificate authority file.
The parameters to configure in the Siebel Gateway are:
Certificate File Name (CertFileName)
Certificate Authority (CA) Certificate File Name
For more information about these parameters, see Parameters for Configuring Security Adapter Authentication.
Specify the name of the private key file, and the password for the private key file, then confirm the password. The password you specify is stored in encrypted form.
The parameters to configure in the Siebel Gateway are:
Private Key File Name
Private Key File Password
For more information about these parameters, see Parameters for Configuring Security Adapter Authentication.
Specify whether or not you want to enable peer authentication.
Peer authentication means that this Siebel Server authenticates the client (that is, Siebel Application Interface or another Siebel Server) that initiates a connection. Peer authentication is disabled (or false) by default.
The peer authentication parameter is ignored if TLS is not deployed between the Siebel Server and the client (either the Siebel Application Interface or another Siebel Server). If peer authentication is enabled (set to True) on the Siebel Server, then a certificate from the client is authenticated provided that the Siebel Server has the certifying authority’s certificate to authenticate the client’s certificate. The client must also have a certificate. If TLS is deployed and the Siebel Application Interface has a certificate, then it is recommended that you enable peer authentication on both the Siebel Server and the Siebel Application Interface to obtain maximum security.
The parameter to configure in the Siebel Gateway is Enable Peer Authentication.
Specify whether or not you require peer certificate validation.
Peer certificate validation performs reverse-DNS lookup to independently verify that the hostname of the Siebel Server computer matches the hostname presented in the certificate. Peer certificate validation is false by default.
The parameter to configure in the Siebel Gateway is Validate Peer Certificate.
Depending on whether you are running Siebel Management Console for Siebel Enterprise or Siebel Server, return to either the Siebel Enterprise or the Siebel Server configuration process.
Continue to configure values for the Siebel Enterprise or Siebel Server, then review the settings, finish configuration, and restart the server (which is required only if you are reconfiguring TLS encryption for Siebel Enterprise or Siebel Server).
Perform the tasks in Setting Additional Parameters for Siebel Server TLS.
Repeat this procedure for each Siebel Server in your environment, as necessary.
Make sure you also configure each Siebel Application Interface in your environment. For information, see Configuring TLS Encryption for Siebel Application Interface.
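Before entering the certificate, CA certificate, private key and key password in the steps above, the files can be checked against each other. The following script is an added example, not part of the original procedure or any Oracle tooling. It assumes PEM-format files and the OpenSSL command-line tool, and the function names, file names, password and hostname are constructed for illustration.

```shell
#!/bin/sh
# Added example: pre-flight check of the files named in the TLS parameters.
# Assumes PEM files and the OpenSSL command-line tool (neither is stated on the page).
# Usage: check_tls_files CERT CA_CERT KEY KEY_PASSWORD EXPECTED_HOSTNAME
# Returns 0 when every check passes, 1 otherwise.
check_tls_files() {
    cert=$1 ca=$2 key=$3 host=$5 rc=0
    # openssl reads the password from the environment, not the command line.
    KEYPASS=$4; export KEYPASS

    # 1. Certificate File Name must chain to the CA Certificate File Name.
    openssl verify -CAfile "$ca" "$cert" >/dev/null 2>&1 ||
        { echo "FAIL: certificate does not verify against the CA file"; rc=1; }

    # 2. Private Key File Name must decrypt with the password and must
    #    carry the same public key as the certificate.
    cert_pub=$(openssl x509 -in "$cert" -noout -pubkey 2>/dev/null) || cert_pub=
    key_pub=$(openssl pkey -in "$key" -passin env:KEYPASS -pubout 2>/dev/null) || key_pub=
    [ -n "$key_pub" ] && [ "$cert_pub" = "$key_pub" ] ||
        { echo "FAIL: key unreadable or does not match the certificate"; rc=1; }

    # 3. The certificate must name the host; this compares names only and
    #    performs no DNS lookup.
    openssl x509 -in "$cert" -noout -checkhost "$host" 2>/dev/null |
        grep -q 'does match certificate' ||
        { echo "FAIL: certificate does not cover host $host"; rc=1; }

    unset KEYPASS
    return $rc
}

# Constructed sample input: a throwaway CA and server certificate in directory $1.
make_constructed_pki() {
    d=$1
    openssl req -x509 -newkey rsa:2048 -nodes -days 2 \
        -subj "/CN=Constructed Test CA" \
        -keyout "$d/ca.key" -out "$d/ca.pem" 2>/dev/null &&
    openssl req -newkey rsa:2048 -passout pass:constructed-pass \
        -subj "/CN=siebel01.example.com" \
        -keyout "$d/srv.key" -out "$d/srv.csr" 2>/dev/null &&
    openssl x509 -req -in "$d/srv.csr" -CA "$d/ca.pem" -CAkey "$d/ca.key" \
        -CAcreateserial -days 2 -out "$d/srv.pem" 2>/dev/null
}
```

A failed check here points to a mismatch that would otherwise surface only after the server restart, when TLS connections start failing.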