

Pre-Installation Steps

This section contains the following topics:

System Requirements

SessionLinker

Selecting and Configuring Database Credentials

System Requirements

Following are the minimum requirements for using this product:

For updated information about platform and web server support, see the appropriate Platform Support Matrix available in the CA Support website.

SessionLinker

SessionLinker must be installed to secure the integration. This product provides single sign-on to Siebel without SessionLinker, but the integration is not secure unless SessionLinker is installed.

SessionLinker prevents session synchronization issues by monitoring the CA SSO Session ID header and the Siebel session cookie sent by the user. When the two sessions diverge, SessionLinker takes action to prevent the application from operating until a new session is established within Siebel. By default, the action is to destroy the existing session, which forces Siebel to create a new session for the correct user. Alternatively, SessionLinker can leave the existing session in place and redirect the user to a configured redirect URL.

Note: The configuration parameter for SessionLinker is COOKIE=_sn.
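
The linking check described above can be modeled in a few lines. This is an added example, not CA's SessionLinker code: the header name SM_SERVERSESSIONID, the LinkModel class, and the sample request values are assumptions made for illustration, and only the cookie name _sn comes from this page.

```python
from http.cookies import SimpleCookie

APP_COOKIE = "_sn"                 # Siebel session cookie, from COOKIE=_sn on this page
SSO_HEADER = "SM_SERVERSESSIONID"  # assumption: header that carries the CA SSO session ID


class LinkModel:
    """Illustrative model of the linking check; not the product's implementation."""

    def __init__(self, redirect_url=None):
        self.links = {}            # Siebel cookie value -> SSO session ID first seen with it
        self.redirect_url = redirect_url

    def check(self, headers):
        """Return (action, detail) for the headers of one request."""
        sso_id = headers.get(SSO_HEADER)
        morsel = SimpleCookie(headers.get("Cookie", "")).get(APP_COOKIE)
        if morsel is None:
            return ("allow", "no Siebel session yet")
        if not sso_id:
            # Choice made in this model: a Siebel cookie with no SSO session counts as diverged.
            return self._diverged(morsel.value)
        bound = self.links.setdefault(morsel.value, sso_id)
        if bound == sso_id:
            return ("allow", "sessions linked")
        return self._diverged(morsel.value)

    def _diverged(self, cookie_value):
        if self.redirect_url:
            # Alternative action: keep the existing session, send the user elsewhere.
            return ("redirect", self.redirect_url)
        # Default action: drop the link and expire the cookie so Siebel starts a new session.
        self.links.pop(cookie_value, None)
        return ("destroy", "expire " + APP_COOKIE)


if __name__ == "__main__":
    # Constructed sample requests: two SSO sessions presenting the same Siebel cookie.
    first = {SSO_HEADER: "sso-A", "Cookie": "_sn=siebel-1"}
    second = {SSO_HEADER: "sso-B", "Cookie": "lang=en; _sn=siebel-1"}
    model = LinkModel()
    for request in (first, first, second):
        print(model.check(request))
```

In redirect mode the model keeps the original link, so the first SSO session continues to be allowed while the mismatched one is redirected on every request.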

Selecting and Configuring Database Credentials

Once an external authentication system such as CA SSO is implemented, Siebel is no longer capable of employing the individual user’s credentials to connect to the database for the following reasons:

The Siebel Object Manager continues to communicate with the database for all data; however, because users no longer present credentials that the Object Manager can use to connect on their behalf, a special administrative account is necessary. This account’s credentials need not be published, and are not used by any person or application other than the Siebel Object Manager.

The use of a generic database user does not in any way impair the ability to audit user activity because Siebel’s internal access control, data protection, and audit capabilities continue to operate as with individual user database accounts. A database account should be created and the password set to a complex, non-guessable value.

A benefit of Siebel using a generic database account is that after this product is installed, individual database accounts are no longer necessary. This relieves the system of the administrative burden of account creation, password maintenance or synchronization, and removal upon termination of employment.