

Security Adapter Settings

The initialization and configuration files for Security Adapter are located in the Siebel Agent Installation folder:

<Siebel Agent installation folder>\Siebel\Config\SecurityAdapter\SmSiebelSSO.ini
<Siebel Agent installation folder>\Siebel\Config\SecurityAdapter\SmSiebelSSO.conf

You install these files on the Siebel Application Server’s Object Manager, and modify the settings in the configuration file.

If you make any changes to the configuration file(s) after Security Adapter is enabled in Siebel, restart Object Manager.

Settings

LogFile

Specify the full path to the file that Security Adapter will use as a log file. On Windows systems, this path should include the drive, directory and file name. For example:

c:\logs\connector.log

On UNIX systems, the path should be absolute, for example:

/var/log/siebelconnector.log

LogLevel

Valid levels of logging are listed in the following table.

Level  Log Indicator     Meaning
0      (not applicable)  None; log file off.
1      ERR               Errors only; errors in initialization and communication are logged.
2      INF               Informational; indicates the general cause of the problem.
3      DBG               Debug; information not typically useful in production environments.
4      XXX               Extra; helps locate problems in the Login Library code itself, and thus is typically not intended for non-CA personnel.

Note: At higher log levels (2 through 4) the file can increase in size very quickly. At a production site, using log level 1 is recommended.

PolicyServer

Security Adapter must communicate with the same Policy Server or servers as the Web Agent. You may specify a single Policy Server, multiple Policy Servers, or even one or more Policy Servers running on non-default ports.

Specifying a Single Policy Server

Minimally, you can set the IP address of a single Policy Server, for example:

127.0.0.1

In this case, Security Adapter assumes that the Policy Server is operating on the default ports.

Specifying Multiple Policy Servers

For multiple Policy Servers, you can specify all IP addresses or host names. You must enter them on a single line, separating them with a space. An example of two Policy Servers is:

192.168.1.4 192.168.1.5

In this case, Security Adapter assumes that the Policy Servers are operating on the default ports.

Specifying Ports

If you do not specify ports, Security Adapter assumes that every Policy Server listed is operating on the default ports, which are the following:

  1. 44441—Accounting port
  2. 44442—Authentication port
  3. 44443—Authorization port

If a Policy Server is not operating on the default ports, you must specify the ports. Use commas (not spaces) to separate the information items in the Policy Server string:

IPAddress,AccountingPort,AuthenticationPort,AuthorizationPort

For example:

192.168.1.4,44441,44442,44443

If multiple Policy Servers are using ports other than the default, you must separate each Policy Server string (which includes Policy Server and ports) by a space, for example:

192.168.1.4,44441,44442,44443 192.168.1.5,44441,44442,44443

Although this product does not connect to the CA SSO Accounting server, 44441 is entered first for consistency with the Web Agent configuration file syntax and to allow for future expansion. You must always specify the first port as the Accounting port, even though it is not used internally.

AgentName and HostConfigFile

Security Adapter uses AgentName and HostConfigFile settings to initiate connection to the Policy Server. AgentName must match the name entered in the CA SSO Administrative UI. The Host Configuration Object specified in the HostConfigFile must match the name specified in the CA SSO Administrative UI.

Action and Resource

The Action and Resource settings define the strings that the Security Adapter sends to the Policy Server when validating the user’s ticket and their authorization to access Siebel. These strings are typically GET and /SiebelConnector/ and should only be changed by customers who fully understand CA SSO policies and have a specific reason not to use GET and /SiebelConnector/.

DatabaseUser and DatabasePassword

Once the Security Adapter is installed, Object Manager uses the username and password specified by the settings DatabaseUser and DatabasePassword whenever credentials are needed for communication to another system. The most common system for which Object Manager needs these credentials is the underlying database. Customers should refer to the section Select/Configure Database Credentials for additional information on the security implications of using the same credentials for all users when communicating with the database.

The setting DatabasePassword can be encrypted.

Credential Types

Using the same credentials to communicate with any other system is generally not a problem in test environments because administrative accounts tend to share a common set of credentials. In production environments, however, this can be a problem because security requirements typically dictate that common passwords may not be used for multiple systems.

To solve this problem, Security Adapter can be configured to return an alternative set of credentials for each credential type requested by the Object Manager.

For example, if a user selects an administrative task and attempts to manage another Enterprise Server, the current Object Manager tries to initiate communication with another Object Manager and fails, displaying a Login failed message.

In addition, the Server Manager’s log file shows the following information:

(admauth.cpp 9(148) err=901042 sys=2) ADM-01042: Login failed for specified username, password, and data source

To configure Security Adapter properly, examine the Security Adapter’s log file (with the log level set to 3) for the entry beginning with:

Requested credential type is ServerDataSrc.

To change the credentials returned, add two lines to the configuration file, one each for the username and password. Use the following format:

Credentials.Type.Username=<Username>
Credentials.Type.Password=<Password>

For example, the configuration file entries for the GatewayDataSrc credential type would be:

Credentials.GatewayDataSrc.Username=sadmin
Credentials.GatewayDataSrc.Password=sadminpassword

The correct values vary, depending on your environment.

You may encrypt the credentials password by using the NPSEncrypt tool.
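The following Python check, added here as an example and not part of the CA SSO Agent for Siebel, reads a constructed SmSiebelSSO.conf fragment and applies the rules this page gives for LogLevel, the PolicyServer string (single host, space-separated hosts, comma-separated ports) and the Credentials.<Type> username/password pairs. The key=value line layout, the handling of `#` comments and every sample value are assumptions.

```python
DEFAULT_PORTS = (44441, 44442, 44443)  # accounting, authentication, authorization
# Constructed SmSiebelSSO.conf fragment; all values are sample values, not from a real site.
SAMPLE_CONF = """\
LogFile=/var/log/siebelconnector.log
LogLevel=3
PolicyServer=192.168.1.4,44441,44442,44443 192.168.1.5
Credentials.GatewayDataSrc.Username=sadmin
Credentials.GatewayDataSrc.Password=sadminpassword
Credentials.ServerDataSrc.Username=sadmin
"""
def parse_conf(text):
    """Read key=value lines (assumed layout); blank lines and '#' comments are skipped."""
    conf = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        key, _, value = line.partition("=")
        conf[key.strip()] = value.strip()
    return conf
def parse_policy_servers(value):
    """Split the space-separated PolicyServer setting into (host, acct, authn, authz) tuples."""
    servers = []
    for item in value.split():
        parts = item.split(",")
        if len(parts) == 1:                       # bare host: default ports apply
            servers.append((parts[0],) + DEFAULT_PORTS)
        elif len(parts) == 4:                     # host,acct,authn,authz
            servers.append((parts[0],) + tuple(int(p) for p in parts[1:]))
        else:
            raise ValueError(f"bad Policy Server entry {item!r}: use host or host,acct,authn,authz")
    return servers
def lint(conf):
    """Return the findings a reviewer would raise before enabling the adapter."""
    findings = []
    level = int(conf.get("LogLevel", "0"))
    if not 0 <= level <= 4:
        findings.append(f"LogLevel {level} is outside the valid range 0-4")
    elif level > 1:                               # page recommends level 1 in production
        findings.append(f"LogLevel {level} grows the log quickly; use level 1 in production")
    try:
        parse_policy_servers(conf.get("PolicyServer", ""))
    except ValueError as e:
        findings.append(str(e))
    types = {k.split(".")[1] for k in conf if k.startswith("Credentials.")}
    for t in sorted(types):                       # each type needs both Username and Password
        for field in ("Username", "Password"):
            if f"Credentials.{t}.{field}" not in conf:
                findings.append(f"Credentials.{t}.{field} is missing")
    return findings
```

Running lint(parse_conf(SAMPLE_CONF)) on the fragment above reports the debug log level and the ServerDataSrc type that has a username but no password.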

AnonUsername and AnonPassword

Once installed, Siebel Security Adapter is called by the Object Manager every time a username and password are presented. This allows CA SSO to integrate fully with Siebel and to support both username/password-based sign-on and ticket-based single sign-on.

Having Object Manager call Security Adapter for every username and password presented has one unintended consequence: the Siebel Web Server Extension (WSE) itself connects to the Object Manager to download the login page (typically the SWELogin.swt file).

To make this connection, WSE sends a special username and password configured in the eapps.cfg file. By default, this username is SADMIN. When this username and password are sent to Security Adapter, Security Adapter passes them on to CA SSO for verification. As long as the user exists in the CA SSO user store with the password defined in eapps.cfg, WSE is able to download the login page. If the anonymous user does not exist in CA SSO, WSE returns an error saying that the server is either busy or experiencing difficulties. In these cases, adding a special user to the user store is not a good solution.

This product allows sites to define one special user that it does not verify against CA SSO. To ensure security, use this feature only for the WSE.

The configuration settings AnonUsername and AnonPassword can be set to the username and password specified in the eapps.cfg file. These are case sensitive; sadmin is not the same as SADMIN. This is intended to match the behavior of most user directories supported by CA SSO.

To encrypt AnonPassword, use NPSEncrypt.