Providing Client Certificate Information for TLS Mutual Authentication

Siebel CRM supports client authentication for TLS-based communications (also known as mutual authentication) using the EAI HTTP Transport business service, and for workflows and outbound Web service calls that call the EAI HTTP Transport business service.

Caution: It is strongly recommended to use Transport Layer Security (TLS) for best security, where possible. Using Secure Sockets Layer (SSL) is not supported for secure environments. See Siebel Security Guide.

Ensuring Tomcat Uses the Correct Client Certificate

  1. In the configagent.properties file, make sure the key store file is different from the trust store JKS file. Do not specify the same file for both. If you specify the same file for both the trust store and the key store, Tomcat may pick the wrong client certificate.
  2. The configagent.properties file is located in:
    1. Windows: SIEBEL_ROOT\applicationcontainer_internal\webapps
    2. Linux: /app/siebel/sieb/applicationcontainer/webapps
  3. The key store file should contain a single certificate (and its root/intermediate Client Authentication Service (CAS)) that identifies the Siebel application to other systems. This certificate is the client certificate.
  4. Tomcat picks up the client certificate automatically, but if multiple certificates are installed (which is likely when the trust store and the key store are the same file), Tomcat may pick the wrong one.
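
One way to check the conditions in the steps above before restarting Tomcat, as an added example that is not part of the Siebel documentation or Oracle's tooling. The function names, aliases and sample listing are constructed for illustration; the check assumes the key store listing comes from the JDK `keytool -list` command.

```shell
#!/bin/sh
# Added example, not Oracle's tooling. Checks the two conditions from the
# steps above: the stores are different files, and the key store offers
# exactly one client identity (one PrivateKeyEntry).

# Constructed sample of `keytool -list` output for a key store that holds
# two private keys; aliases and dates are made up.
sample_listing() {
    cat <<'EOF'
Keystore type: PKCS12
Keystore provider: SUN

Your keystore contains 3 entries

siebel-client, Jan 5, 2024, PrivateKeyEntry,
Certificate fingerprint (SHA-256): (constructed)
legacy-client, Mar 9, 2021, PrivateKeyEntry,
Certificate fingerprint (SHA-256): (constructed)
corp-root, Jan 5, 2024, trustedCertEntry,
Certificate fingerprint (SHA-256): (constructed)
EOF
}

# Reads a keytool listing on stdin, prints the number of private-key entries.
count_private_keys() {
    awk '/, PrivateKeyEntry,/ { n++ } END { print n + 0 }'
}

# check_stores KEYSTORE TRUSTSTORE  (keytool listing of KEYSTORE on stdin)
# Returns 0 only if the stores differ and one private key is present.
check_stores() {
    if cmp -s "$1" "$2"; then
        echo "FAIL: key store and trust store are the same file or identical copies"
        return 1
    fi
    n=$(count_private_keys)
    if [ "$n" -ne 1 ]; then
        echo "FAIL: key store holds $n private-key entries, expected 1"
        return 1
    fi
    echo "OK: separate stores, one client certificate"
}

# Real use (paths are placeholders; keytool prompts for the store password):
#   keytool -list -keystore "$KEYSTORE" | check_stores "$KEYSTORE" "$TRUSTSTORE"
```

A failure on the second check means more than one private key is available for Tomcat to present, which is the situation step 4 warns about.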

For more information about configuring TLS mutual authentication using the EAI HTTP Transport, see Siebel Security Guide or "How To Setup 3rd Party SHA1 And SHA2 Certificates For Outbound API Calls On Different Siebel Versions?" (KA1262).