Configuring an Application Object Manager to Use LDAP

In document D53912GC11_ag (Page 51-63)

Goals: To configure the Siebel Sales Application Object Manager (AOM) to use LDAP authentication

Time: 25–35 minutes

Instructions:

In this practice, you will configure the Siebel Sales AOM to use LDAP authentication instead of database authentication. This requires configuring the LDAP server, installing the IBM Tivoli LDAP client on the Siebel Server, and configuring the appropriate parameters within the Siebel application.

Make sure that you configure the Siebel Sales AOM; this ensures that if you make a mistake, you can still log in using Siebel Call Center to adjust the parameters.

Note: While it is possible to enable LDAP authentication for an entire server or even the entire enterprise, this can significantly impact performance, as many batch and system components directly access the database. Recommended practice is to use LDAP only for AOMs to manage users logging in to the system.

Note: It is not necessary to complete this practice in order to do the rest of the practices in this course; however, be sure to perform the final step to set Siebel Sales back to database authentication if you do not complete the practice.

1. Configure the LDAP server to support Siebel users. For this class, you will be using Oracle Internet Directory service as an LDAP server. In addition to an LDAP username and password, the required parameters are a Siebel user ID, database username, and database password:

a. Start the OracleOIDProcessManager service. This service supports the Oracle Internet Directory.

i. If necessary, select Start > Programs > Administrative Tools > Services.

ii. Scroll down and locate the OracleOIDProcessManager service.

Oracle Internal & Oracle Academy Use Only

e. Enter your <machine name> as the server. Leave the port number at its default of 389.

f. Click OK.

g. Verify that the server is listed as available. Note that your machine name will be different.

h. Click OK.

i. Log in as:

User orcladmin

Password oracle1

j. Click Login.

k. Disable the default password policy. By default, OID requires strong passwords. The Siebel passwords you have been using do not meet this requirement, so you must disable the policy to be able to create the Siebel users and their passwords in the LDAP directory.

i. In the left pane, expand Password Policy Management.

ii. Select cn=default.

iii. In the right pane, change Enable OID Password Policy to Disable.

iv. Click Apply.

v. Repeat these steps to disable the “Password Policy for Realm dc=us,dc=oracle,dc=com”.

l. Add SADMIN as an LDAP user. This requires creating SADMIN as a user, and putting the Siebel database connection information into one of the attributes (fields) for that user. You will use the description field to store the database connection information. In a production deployment, your LDAP administrator would create a new attribute to store this string.

Lesson 7: Configuring Other Authentication Mechanisms

i. Select Operation > Create Entry from the application-level menu.

ii. Click Browse next to the Distinguished Name field.

iii. Expand All Entries, then dc=com, then dc=oracle, and finally dc=us.

iv. Select cn=Users. This is the default directory for creating new users in this deployment of OID.

v. Click OK.

vi. Enter cn=SADMIN, before the other entries in the distinguished name field. The complete distinguished name of your entry should be

cn=SADMIN,cn=Users,dc=us,dc=oracle,dc=com (With no spaces)

the attributes. Note that before you select a class, you cannot add any further attributes; once you select a class, a set of attributes appropriate to that class is made available.

viii. Scroll down to select Person and click Select. The Person class contains sufficient attributes for your work here.

ix. Under Mandatory Properties, enter SADMIN in the cn area. This is the attribute the Siebel application will use to search for the entry. It represents the top-level attribute of the Distinguished Name.

x. Enter cn=Users,dc=us,dc=oracle,dc=com in the sn area. This represents the remainder of the Distinguished Name attribute. You will enter this string in the Siebel application as the Base Directory in which to search for LDAP entries.

xi. Click the Optional Properties tab. These are the additional attributes provided by the Person class.

xii. Under description, enter username=GUESTERM password=GUESTERM

The format of the string is critical; this is the string that the Siebel application will use to connect to the database. Many LDAP issues can be traced to entering this string incorrectly; for example, by including a comma or forgetting the space.

Note: You use GUESTERM here because whatever username and password you use here will be propagated to any users created by SADMIN. For example, if SADMIN logs in to the Siebel application and creates NEWUSER, then NEWUSER is created in the LDAP directory with a connection string of username=GUESTERM password=GUESTERM. Thus, you want to choose a database user with limited application privileges for security reasons.

xiii. Scroll to the bottom of the properties list and enter SADMIN as the userPassword.

xiv. Click OK. SADMIN should be entered with no errors.

m. Repeat these steps to add GUESTERM as a registered user. Recall that the anonymous connection uses GUESTERM to display the initial login screen, so GUESTERM must also be entered in the LDAP directory:

i. Select Operation > Create Entry from the application-level menu.

ii. Click Browse next to the Distinguished Name field.

iii. Expand All Entries, then dc=com, then dc=oracle, and finally dc=us.

iv. Select cn=Users.

v. Click OK.

vi. Enter cn=GUESTERM, before the other entries in the distinguished name field. The complete distinguished name of your entry should be

cn=GUESTERM,cn=Users,dc=us,dc=oracle,dc=com (With no spaces)

vii. Click Add to add an object class.

viii. Scroll down to select Person and click Select.

ix. Under Mandatory Properties, enter GUESTERM in the cn area.

x. Enter cn=Users,dc=us,dc=oracle,dc=com in the sn area.

xi. Click the Optional Properties tab. These are the additional attributes provided by the Person class.

xii. Under description, enter username=GUESTERM password=GUESTERM.

xiii. Scroll to the bottom of the properties list and enter GUESTERM as the userPassword.

xiv. Click OK. GUESTERM should be entered with no errors.
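As an added example (not part of the Oracle practice), the two entries you just created in step 1 expressed as LDIF, together with a check of the credentials string whose format the text calls critical. It assumes the Siebel adapter expects exactly the layout shown on the page (username=... then password=..., separated by one space, no commas) and that values are plain ASCII; the attribute names and Base DN are taken from the steps above.

```python
import re

# Base DN used throughout the practice (cn=Users container).
BASE_DN = "cn=Users,dc=us,dc=oracle,dc=com"

# One key=value token: value may not contain whitespace, commas or '='.
_TOKEN = re.compile(r"^(username|password)=([^\s,=]+)$")


def validate_credentials(cred):
    """Return a list of problems with the description string; [] means OK.

    Assumption (from the page): the string must be exactly
    'username=<dbuser> password=<dbpassword>' with a single space and no comma.
    """
    problems = []
    if "," in cred:
        problems.append("contains a comma")
    tokens = cred.split(" ")
    if len(tokens) != 2:
        problems.append("expected 2 space-separated tokens, got %d" % len(tokens))
    keys = []
    for tok in tokens:
        m = _TOKEN.match(tok)
        if m is None:
            problems.append("bad token: %r" % tok)
        else:
            keys.append(m.group(1))
    if keys != ["username", "password"]:
        problems.append("tokens must be username=... followed by password=...")
    return problems


def siebel_user_ldif(cn, user_password, db_user, db_password):
    """Build the LDIF for a Person entry laid out as in step 1 (l) and (m).

    Note: the practice grants Everyone Read on this subtree in step 2, so the
    database password stored in description is visible to any bound user; a
    production directory would use a dedicated, ACL-restricted attribute.
    """
    cred = "username=%s password=%s" % (db_user, db_password)
    problems = validate_credentials(cred)
    if problems:
        raise ValueError("; ".join(problems))
    return "\n".join([
        "dn: cn=%s,%s" % (cn, BASE_DN),
        "objectClass: person",
        "cn: %s" % cn,                 # attribute Siebel searches on
        "sn: %s" % BASE_DN,            # remainder of the DN, as the practice enters it
        "description: %s" % cred,      # Credentials Attribute Type = description
        "userPassword: %s" % user_password,
        "",
    ])
```

Running `validate_credentials` over a string typed with a comma or a missing space returns a non-empty list of problems, which is the quickest check before a failed Siebel login sends you to the server logs.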

2. Change the access permissions to allow users to modify LDAP entries. This allows users who are logged in to the Siebel application to modify the LDAP directory. For example, you may want to allow users to change their own password, or to create new employees, as you will do later in this practice. In a real deployment, the LDAP administrator would consider these privileges carefully, and grant certain permissions (such as user creation) to a limited number of users.

i. In the left pane, expand Entry Management, dc=com, dc=oracle, dc=us, and select cn=Users.

ii. Click the Subtree Access tab in the right pane.

iii. Click Create via Wizard under Structural Access Items.

Important Note: There are two “Create via Wizard” buttons on the screen. You will use the top one in this step, and the bottom one in a subsequent step.

iv. Click Next. You will not be filtering the object classes.

v. Click Next. With no filter, you do not need any criteria.

vi. Verify that Everyone is selected and click Next. All users will be able to perform the actions you select. In a production-level deployment, your LDAP administrator would restrict this access.

vii. Accept the default access (Browse, Add, and Delete) and click Finish. This allows all users to view the Users directory, and Add or Delete users.

b. Allow all users to modify existing LDAP entries in the Users directory:

i. Click Create via Wizard under Content Access Items (the bottom panel).

ii. Click Next. Once again, no filtering is required.

iii. Verify that Everyone is selected and click Next.

iv. Click Next.

v. Select Grant for all options (Read, Search, Write, SelfWrite, and Compare) and click Finish.

c. Select File > Exit to exit Oracle Directory Manager.

3. Test your LDAP settings:

a. Select Start > Programs > Oracle - OraDb10g_home1 > Integrated Management Tools > Oracle Directory Manager.

b. Enter:

User cn=SADMIN,cn=Users,dc=us,dc=oracle,dc=com

Password SADMIN

Note that the user name is the Distinguished Name for SADMIN.

c. Click Login.

d. In the left pane, expand Entry Management, dc=com, dc=oracle, dc=us, and cn=Users.

e. Confirm that you can see SADMIN and GUESTERM as users. This confirms that SADMIN has access to the LDAP directory.

f. Select File > Exit to exit Oracle Directory Manager.

g. Repeat these steps to test the GUESTERM entry:

i. Select Start > Programs > Oracle - OraDb10g_home1 > Integrated Management Tools > Oracle Directory Manager.

ii. Enter:

User cn=GUESTERM,cn=Users,dc=us,dc=oracle,dc=com

Password GUESTERM

Click Login.

c. Double-click setup.exe. Since you are not using SSL you need just the basic Tivoli client. If you were using SSL you would need to install the GSKit as well.

d. Accept English as the setup language and click OK.

e. Click Next in the Welcome screen.

f. Select “I accept the terms in the license agreement” and click Next.

g. Accept the default installation directory and click Next.

h. Uncheck GSKit so that only Client SDK 6.0 is selected and click Next.

i. Click Next to perform the installation.

j. Click Finish to exit the wizard.

k. If necessary, click Next then Finish to exit the After Installation dialog box.

5. Configure the LDAP Security Adapter profile:

a. Start the Siebel Call Center Web Client:

i. Select Start > Programs > Internet Explorer.

ii. Enter Address: http://localhost/callcenter_enu.

iii. Enter:

User ID SADMIN

Password SADMIN

b. Click the arrow.

c. Navigate to Administration - Server Configuration > Enterprises > Profile Configuration.

d. In the middle applet, query the Profile column for LDAP* to locate the LDAP Security Adapter profile.

e. In the bottom applet, carefully change the parameters. Enter each value as a single continuous string, with no line breaks or extra spaces:

Course Note: All of the text strings used in this course are contained in text files, allowing you to copy and paste the strings instead of having to type them manually. The strings used in the Siebel application for this practice are contained in

D:\labs\8.1_Install\Solutions\LDAP\SiebelServerStrings.txt.

Parameter: Application User
Value: cn=SADMIN,cn=Users,dc=us,dc=oracle,dc=com
Purpose: How the Siebel application logs in to the LDAP server.

Parameter: Application Password
Value: SADMIN
Purpose: The password the Siebel application uses to log in to the LDAP server.

Parameter: Base Dn
Value: cn=Users,dc=us,dc=oracle,dc=com
Purpose: Specifies the LDAP directory the Siebel application will search for users.

Parameter: Credentials Attribute Type
Value: description
Purpose: Which LDAP entity attribute contains the database connection string (the username=GUESTERM password=GUESTERM string you entered earlier).

Parameter: Server Name
Value: <machine name>
Purpose: Location of the LDAP server.

Parameter: Siebel Username Attribute Type
Value: cn
Purpose: Which LDAP entity attribute stores the Siebel User ID.

Parameter: Username Attribute Type
Value: cn
Purpose: Which LDAP entity attribute stores the LDAP user ID. In most cases, the Siebel Username Attribute Type and Username Attribute Type are the same.

Note: For a detailed list of the LDAP Security Adapter profile parameters and their purpose, see the Siebel Security Guide on Oracle Technology Network.

6. Configure the Siebel Sales Object Manager to use LDAP authentication:

a. In Siebel Call Center, navigate to Administration - Server Configuration > Enterprises > Component Definitions. Setting the parameters at the Enterprise level ensures that any Siebel Server that runs the Siebel Sales Object Manager will use LDAP.

b. In the middle applet, query the Component column for Sales*.

c. Select the Sales Object Manager (ENU) component definition.

d. In the Component Parameters applet, query the Parameter column for Security. Two records should be returned.

f. Change the value of Security Adapter Name to LDAPSecAdpt.

7. Enable the Siebel Sales Object Manager component group:

a. In Siebel Call Center, navigate to Administration - Server Configuration > Enterprises > Component Groups. Be very careful not to accidentally navigate to the Parameters view. This would set the LDAP security adapter enterprise-wide, which might have unexpected consequences. If you do this, use the Siebel Developer Web client to reset the parameter.

b. In the Component Groups applet, query the Name column for Siebel Sales.

c. In the Component Group Assignments applet in the lower right of the screen, click the Enable button. The “Enabled on Server?” check mark should appear.

d. Log out of Siebel Call Center.

8. Return to the Services window and restart the Siebel Server service. This will take several minutes. Use the Task Manager to monitor its progress. Restarting the Siebel Server service applies all of your configuration changes.

9. Log in to Siebel Sales and register a new user:

a. In Internet Explorer, enter an address of http://localhost/sales_enu. Note that this is different from previous practices; you are logging in to a different Siebel application. After a few moments, the Siebel Sales login screen should appear. If it does not, check the server logs in D:\OUses\siebsrvr\log to see whether you can determine the problem. In particular, the SSEObjMgr_enu log files will provide information about the Sales object manager. If you cannot determine the problem, contact your instructor.

b. Enter:

User ID SADMIN

Password SADMIN

c. Click the arrow.

d. Navigate to Administration - User > Employees.

e. Create a new user with the following parameters. Note that you will need to scroll down in the form applet to enter the user password.

Last Name User

First Name Install

User ID INSUSER

Responsibility Siebel Administrator

Position Siebel Administrator

Password INSUSER

Confirm Password INSUSER

f. Step off the record to save it. The Siebel Server automatically communicates this update to the LDAP server.

g. Log out of Siebel Sales.

h. In the login screen, enter:

User ID INSUSER

Password INSUSER

i. Click the arrow to log in to Siebel Sales. The login should succeed.

j. Log out of Siebel Sales, and minimize the login screen.

Return to Oracle Directory Manager and confirm that INSUSER now appears as an entry in the

11. To preserve resources, shut down Oracle Directory Manager. Also disable LDAP for the Siebel Sales component group, as a later practice uses that component group with database authentication. Also disable the Siebel Sales component group itself.

a. Return to the Siebel Sales login screen. You need to log in as SADMIN to perform some of the system administration tasks, such as enabling or disabling component groups.

b. In the login screen, enter:

User ID SADMIN

Password SADMIN

c. Click the arrow button to log in.

d. Navigate to Administration - Server Configuration > Enterprises > Component Definitions.

e. In the middle applet, query the Component column for Sales*.

f. Select the Sales Object Manager (ENU) component definition.

g. In the Component Parameters applet, query the Parameter column for Security. Two records should be returned.

h. Change the value of Security Adapter Mode to DB.

i. Change the value of Security Adapter Name to DBSecAdpt.

j. Navigate to Administration - Server Configuration > Enterprises > Component Groups.

k. In the Component Groups applet, query the Name column for Siebel Sales.

l. In the Component Group Assignments applet in the lower right of the screen, click the Disable button. The “Enabled on Server?” check mark should disappear.

m. Log out of Siebel Sales and close Internet Explorer.

n. Return to the Services window and stop the OracleOIDProcessManager Windows service. This may take 1-2 minutes.

o. Restart the Siebel Server [OUEnt_OUSrvr] Windows service. This applies your changes.

p. Minimize the Services window.
