Post-Installation Configuration for Siebel Server

CA SSO Agent for Siebel Guide › Post-Installation Configuration of Servers › Post-Installation Configuration for Siebel Server

Post-Installation Configuration for Siebel Server

Sample SmSiebelSSO.conf File

Following is a sample SmSiebelSSO.conf file.

# Feel free to edit this file at will

# Where should the log data go?
LogFile=c:/logs/Test.log

# Log level is an integer between 0 and 3
# Level       Meaning
#   0          None
#   1          Errors
#   2          Information
#   3          Debug
LogLevel=3
# These settings dictate how you communicate with the Policy server

AgentName=siebel1
HostConfigFile=/home/oracle/CA/erpconn/siebel/Config/SmHost.conf
Resource=/SiebelConnector/

# And finally how do you talk to the Database?
DatabaseUser=sadmin
DatabasePassword=sadmin

Executing the Security Adapter Test

After running the configuration wizard, test Security Adapter by verifying the installation and the settings in the configuration file (SmSiebelSSO.conf).

Follow these steps:

Run the ProviderTest75 program. The output from the execution is shown in the following code:

C:\>providertest
Enter username: dsherman
Enter password: password
Testing provider with username 'dsherman' and password 'password'
Loading library... OK
Finding entry point... OK
enter Config File: test.conf
Calling SecurityLogin()...OK
Return code is OK
Test 1: GetUsername()
        Username: dsherman
Test 2: GetAccountStatus()
        Account state: ACTIVE
Test 3: GetCredentials()
        pCred->m_pType:
        pCred->m_pUsername:  DBUser
        pCred->m_pPassword:  10 characters long
Test 4: GetUserInfo:
        m_accountStatus: ACTIVE
        m_bPasswordSet: 0
        m_pCredentialsArray
                #:       Type |   Username  |   Password
                ----------------------------------------
                0:            |     DBUser  |   10 chars
        m_pNewUsername: (null)
        m_p_Password: (null)
Test 5: GetRoles()
        GetRoles returned SecurityErrOK
        Role 00: A
        Role 01: B
        Role 02: C
        Role 03: D
        Total: 4 roles

If ProviderTest75 finds a problem, it displays messages such as Provider test failed or pUser is NULL, or something similar. Check the log file specified in the configuration file. If no log file is generated, check if the path to the configuration file is correct and that the user running ProviderTest75 has permission to open that file.
When the test is successful, enable the Security Adapter:

More information:

Enable Security Adapter

Perform the following steps to enable Security:

Create Named Subsystem for Custom Security Adapter

Perform the following procedure to create a named subsystem for Custom Security Adapter.

To create a named subsystem

Log in to the server manager using the following command:
```
srvrmgr parameters
```
The parameters include the following:
- /e ent_name
- /g gtwy
- /s srvr
- /u username
- /p password
Create a named subsystem, SiteMinderSecAdpt, for the custom Security Adapter (sample output is shown in the following table), by using the following commands:
```
srvrmgr:srvr>create named subsystem SiteMinderSecAdpt for subsystem InfraSecAdpt_CUSTOM
srvrmgr:srvr>list param for named subsystem SiteMinderSecAdpt
```

PA ALIAS	PA VALUE
CustomSecAdpt_CRC	********
CustomSecAdpt_SecAdptDLLName
ConfigFileName
CustomSecAdpt_HashAlgorithm	RSASHA1
CustomSecAdpt_HashDBPwd	False
CustomSecAdpt_HashUserPwd	False
CustomSecAdpt_PropagateChange	False
ConfigSectionName
CustomSecAdpt_SingleSignOn	False
CustomSecAdpt_TrustToken	********
CustomSecAdpt_UseAdapterUsername	False
11 rows returned.

Modify the named subsystem created in Step 2 so that it uses the SiteMinder security provider library and configuration files, using the following commands:
```
srvrmgr:srvr> change param CustomSecAdpt_SecAdptDllName=SmSecurityProvider75 for named subsystem SiteMinderSecAdpt
srvrmgr:srvr> change param ConfigFileName=d:\siebel\bin\enu\SmSiebelSSO.ini for named subsystem SiteMinderSecAdpt
```
Note: The absolute path of the SmSiebelSSO.ini file must be specified in this command to modify the ConfigFileName.
```
srvrmgr:srvr> change param ConfigSectionName=SiteMinder for named subsystem SiteMinderSecAdpt
```
Note: The section name, SiteMinder, in this command to modify the ConfigSectionName, must match the section name defined in the SmSiebelSSO.ini file.
```
srvrmgr:srvr> list param for named subsystem SiteMinderSecAdpt
```
A sample output is shown in the following table:

PA ALIAS	PA VALUE
CustomSecAdpt_CRC	********
CustomSecAdpt_SecAdptDLLName	SmSecurityProvider75
ConfigFileName	d:\siebel\bin\enu\SmSiebelSSO.ini
CustomSecAdpt_HashAlgorithm	RSASHA1
CustomSecAdpt_HashDBPwd	False
CustomSecAdpt_HashUserPwd	False
CustomSecAdpt_PropagateChange	False
ConfigSectionName	SiteMinder
CustomSecAdpt_SingleSignOn	False
CustomSecAdpt_TrustToken	********
CustomSecAdpt_UseAdapterUsername	False
11 rows returned.

Configure the Components to Use Custom Adapter

Perform the following steps to configure the server components.

To configure the server components

Execute the following commands for the desired server component, such as esales_enu Object Manager:

srvrmgr:srvr > change param secadptname=SiteMinderSecAdpt for comp eSalesObjMgr_enu
srvrmgr:srvr > change param secadptmode=CUSTOM for comp eSalesObjMgr_enu

Restart the Siebel Server.

Configure External Applications to Use SWELogin.swt

By default, customer-facing applications (such as eSales) use a different login view than the SWELogin.swt required by the CA SSO Agent. (Internal Seibel applications, such as CallCenter, use SWELogin.swt by default.) Perform the following procedure to configure other applications to use SWELogin.swt.

Follow these steps:

Open the eapps.cfg file present in Siebel_SWSE_install/bin folder.
Search the application_language file (such as esales_enu) for the string corresponding to the application for which the SWELogin.swt needs to be enabled and remove or comment the “startcommand” entry defined under it.
Restart the Web Server.
Open the application.cfg file (such as esales.cfg) from Siebel_Server_Root/bin/enu folder. Search for and comment the "LoginView = Login View" entry.
Restart the Siebel application server.

Test Security Adapter within Siebel

Perform the following procedure to test Security Adapter within Siebel.

Follow these steps:

Select a user whose password within Siebel is different from the CA SSO password.
After the server is restarted, open a web browser and access the selected application. For example, select the application esales by specifying:
```
http://machine.domain.com/esales/
```
Be sure to include the full domain name so that the browser accepts cookies of CA SSO. If a CA SSO session has not yet been established, the CA SSO login screen appears. Enter a valid username and password and complete the login process.
Verify the status of the operation, and perform the following:
- If authentication is successful, the Siebel login screen appears. Provide the same credentials used to log into CA SSO and submit the form. Access to Siebel is granted. Close the web browser and open it again to destroy the existing CA SSO and Siebel sessions.
- If authentication is unsuccessful, the Siebel login page does not appear and a Server Busy message is displayed. This could indicate that Security Adapter has not been installed, configured or activated correctly. Repeat the steps described in the following section:
  Execute the Security Adapter Test.

Test Single Sign-On

When you verify that Security Adapter and Authentication Scheme are functioning correctly, SSO should also succeed.

Follow these steps:

Access the relevant URL, depending on your server:

http://machine.domain.com/SiebelConnector/testsso.asp
http://machine.domain.com/SiebelConnector/testsso.jsp
http://machine.domain.com/SiebelConnector/testsso.pl

Enter the correct URL for the Siebel application (for example, esales), which you configured in Enable Security Adapter.
Click Test Single Sign On. No additional login pages need to be presented and the application startup page automatically appears.
If single sign-on is successful, go to Direct Users Through the SSO Process.
If single sign-on is unsuccessful, examine the Security Adapter log file and the relevant Policy Server log (either Authentication or Authorization) for additional information. The most common causes for failure are the following:
- CA SSO responses.
- Failing to select the Siebel SSO Auth Scheme for the realm used by Security Adapter. Re-check the Policy Server configuration.

Direct Users Through the SSO Process

Once single signon is functioning correctly, you can have all users automatically directed through the single signon process rather than presenting the Siebel login page.

To direct users through the SSO process

Locate the Siebel Login web template file:

Siebel Agent Installation folder/Config/siebsrvr/Webtempl/SWELogin.swt

Copy it to the web templates (Webtempl) directory of the Siebel Server.
Modify the file to work with your web server (it is currently set up to work with .asp files). If you use .jsp or .pl files, open the SWELogin.swt file and change the instances of asp to jsp or pl respectively.