Supported TLS Versions and RSA SHA

This topic lists the level of support for TLS. Siebel implements TLS security for the services and communication paths listed in Using Transport Layer Security with Siebel CRM.

TLS Support

It is strongly recommended that you move the following Siebel services to a more secure TLS configuration:

  • Siebel Application Interface to Client HTTPS traffic encrypted via TLS 1.2 or TLS 1.3.

  • Siebel Server to Cloud Gateway internal traffic encrypted via TLS 1.2 or TLS 1.3.

  • Siebel EAI/Web Services over HTTPS encrypted over TLS 1.2 or TLS 1.3.

  • Siebel IMAP/POP encrypted over TLS 1.2 or TLS 1.3.

  • Application Interface to Siebel Server Traffic encrypted over TLS 1.2 or TLS 1.3.

  • Siebel Enterprise SISNAPI Traffic encrypted over TLS 1.2 or TLS 1.3.

  • Siebel LDAPS client encrypted over TLS 1.2.

  • Siebel Management Server/Agent Traffic encrypted over TLS 1.2 or TLS 1.3.

  • Siebel (SSSE) to Exchange encrypted over TLS 1.2 or TLS 1.3.

  • Siebel EAI JDB via TLS 1.2 or TLS 1.3.

  • Siebel WebLogic Integrations (such as BIP) over TLS 1.2 or TLS 1.3.

Application Interface HTTPS Traffic Using TLS 1.2 or TLS 1.3

Application Interface fully supports TLS 1.2 and TLS 1.3 encryption for client-side connections, including reverse proxy configuration. TLS configuration, including application interface and Web client encryption, for this part of the product is detailed in Communications and Data Encryption.

Application Interface always uses TLS to communicate with Siebel Gateway.

LDAPS (Encrypted) Over TLS 1.2

The LDAP service is usually hosted behind a secure firewall. Customers using Oracle LDAP client can encrypt traffic using TLS 1.2. This may require the latest patches of the Oracle Database Client certified for the product. Make sure that the latest security patches are installed for proper functionality.

Inbound EAI/Web Services Over HTTPS Encrypted Over TLS 1.2 or TLS 1.3

Siebel supports EAI inbound on all platforms, using its native TLS 1.2 support together with the TLS support of the Web server.

Outbound EAI/Web Services Over HTTPS Encrypted Over TLS 1.2 or TLS 1.3

TLS 1.2 and TLS 1.3 are supported on all platforms. It is recommended that you host this service behind a secure firewall. Communications and Data Encryption describes how to configure TLS and components for secure communications.

The flow of message security protocols is:

Windows/Non-Windows (all platforms): Siebel Object Manager (HTTP) → Config Agent Tomcat (HTTPS) → External Application.

For more detail, see SHA2 Support for Outbound Web Service.

Siebel Message Queueing Support and JMS Over TLS 1.2 or TLS 1.3

You can encrypt this service using TLS 1.2. It is recommended that you host this service behind a secure firewall. Communications and Data Encryption describes how to configure TLS and components for secure communications. For encryption information, see Configuring TLS Encryption for Siebel Enterprise or Siebel Server.

Siebel EAI JDB via TLS 1.2 or TLS 1.3

Application Interface server communications always use TLS 1.2 or TLS 1.3 (if configured). Siebel EAI services via JDB standalone connect also use TLS 1.2 or TLS 1.3.

Siebel Management Server/Agent Traffic Encrypted Over TLS 1.2 or TLS 1.3

Communications and Data Encryption describes how to configure TLS and components for secure communications.

Email Response/IMAP/POP/SMTP Over TLS 1.2 or TLS 1.3

You can encrypt this service to varying degrees depending on technology. IMAP/POP3/SMTP can support TLS 1.2 or TLS 1.3. For information about TLS configuration for this part of the product and about email response and encryption, see Siebel Email Administration Guide. OpenSSL is an option for TLS 1.2 or TLS 1.3 connections with POP3. You can enable this by using the EnableOpenSSL parameter on the Mail component. OpenSSL v1.0 does support the "DHE-RSA-AES256-SHA" cipher. Use of IMAP with TLS 1.2 or TLS 1.3 requires the use of JavaMail 1.6.3 or higher.

Siebel WebLogic Integration (such as BIP)

You must enable TLS 1.2 or TLS 1.3 for WebLogic as follows:

  • Log in to the WebLogic console.

  • Click <Domain>, Environment, Servers, <Server>.

  • Under Configuration and General, make sure the SSL Listen Port Enabled check box is selected.

  • Go to the SSL tab, click Advanced, and make sure that the Use JSSE SSL check box is selected.

  • Restart WebLogic for the changes to take effect.

Java Secure Socket Extension (JSSE) enablement sets WebLogic to use the TLS features of Java instead of its own SSL implementation. (WebLogic’s internal SSL implementation is not compatible with the current TLS implementations in modern browsers.) WebLogic 12.2.1.0.0 uses JSSE by default and does not have check boxes anymore to switch back to its own version of SSL. To force TLS 1.2 or TLS 1.3, set weblogic.security.SSL.protocolVersion=TLSv1.2 in the WebLogic startup parameter in setDomainEnv.sh. This will reject any client that does not support TLS 1.2 or TLS 1.3.

Note: BI Publisher does not control TLS. BIP runs on WebLogic and depends on WebLogic’s TLS/SSL environment.
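After forcing TLS 1.2 or TLS 1.3 on WebLogic, or on any of the other Siebel-facing endpoints listed above, it is worth confirming from the outside that older protocol versions are actually refused. The following probe is an added example, not part of Siebel or its documentation; the host names and ports in it are placeholders to be replaced with your own endpoints. It pins a client handshake to one protocol version at a time and reports which versions the server accepts.

```python
"""Probe which TLS protocol versions an endpoint accepts (added example)."""
import socket
import ssl

# Versions to try, oldest first. Each handshake is pinned to exactly one.
VERSIONS = [
    ("TLSv1", ssl.TLSVersion.TLSv1),
    ("TLSv1.1", ssl.TLSVersion.TLSv1_1),
    ("TLSv1.2", ssl.TLSVersion.TLSv1_2),
    ("TLSv1.3", ssl.TLSVersion.TLSv1_3),
]


def handshake_ok(host, port, version, timeout=5.0):
    """Return True if the server completes a handshake pinned to `version`."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False   # we test protocol support here, not identity
    ctx.verify_mode = ssl.CERT_NONE
    try:
        ctx.minimum_version = version
        ctx.maximum_version = version
        with socket.create_connection((host, port), timeout=timeout) as raw:
            with ctx.wrap_socket(raw, server_hostname=host) as tls:
                return tls.version() is not None
    except (ssl.SSLError, OSError, ValueError):
        # Handshake refused, connection failed, or version not offered by
        # the local OpenSSL build: in all cases the version is not usable.
        return False


def probe(host, port):
    """Map each version name to whether the endpoint accepted it."""
    return {name: handshake_ok(host, port, ver) for name, ver in VERSIONS}


def findings(results):
    """Flag accepted versions below TLS 1.2 and the absence of TLS 1.2/1.3."""
    issues = []
    for name in ("TLSv1", "TLSv1.1"):
        if results.get(name):
            issues.append(f"{name} accepted; disable it")
    if not (results.get("TLSv1.2") or results.get("TLSv1.3")):
        issues.append("neither TLS 1.2 nor TLS 1.3 accepted")
    return issues


if __name__ == "__main__":
    # Placeholder endpoints standing in for the services listed on this page.
    for host, port in [("siebel-ai.example.com", 443),
                       ("ldap.example.com", 636),
                       ("mail.example.com", 993)]:
        res = probe(host, port)
        print(host, port, res, findings(res) or "OK")
```

A clean result lists only TLS 1.2 and/or TLS 1.3 as accepted; any accepted TLS 1.0 or 1.1 handshake means the endpoint is not yet at the configuration this topic recommends.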

SHA-2 and SHA-3 Support

Siebel implements SHA functions in a variety of use cases. The secure hashing algorithm supported is based on the certificate type implemented and the support level provided by Siebel. The level of support for SHA-2 and SHA-3 (including SHA-192, SHA-224, SHA-256, SHA-384, and SHA-512) is as follows:

  • SHA-2 and SHA-3 (limited by third party used)

    • Web server to Web Client

    • MQ and JMS

  • SHA-2

    • EAI SOAP Web services

    • EAI HTTP Transport business service

    • Email response IMAP/POP (OpenSSL can be used)

    • Oracle LDAP Client (may require the latest database clients)