Quest Authentication Services 4.0.3 Siebel Security Adapter Administrator's Guide

Copyright 2012 Quest Software, Inc. ALL RIGHTS RESERVED.

This guide contains proprietary information protected by copyright. The software described in this guide is furnished under a software license or nondisclosure agreement. This software may be used or copied only in accordance with the terms of the applicable agreement. No part of this guide may be reproduced or transmitted in any form or by any means, electronic or mechanical, including photocopying and recording for any purpose other than the purchaser's personal use without the written permission of Quest Software, Inc.

The information in this document is provided in connection with Quest products. No license, express or implied, by estoppel or otherwise, to any intellectual property right is granted by this document or in connection with the sale of Quest products. EXCEPT AS SET FORTH IN QUEST'S TERMS AND CONDITIONS AS SPECIFIED IN THE LICENSE AGREEMENT FOR THIS PRODUCT, QUEST ASSUMES NO LIABILITY WHATSOEVER AND DISCLAIMS ANY EXPRESS, IMPLIED OR STATUTORY WARRANTY RELATING TO ITS PRODUCTS INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTY OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE, OR NON-INFRINGEMENT. IN NO EVENT SHALL QUEST BE LIABLE FOR ANY DIRECT, INDIRECT, CONSEQUENTIAL, PUNITIVE, SPECIAL OR INCIDENTAL DAMAGES (INCLUDING, WITHOUT LIMITATION, DAMAGES FOR LOSS OF PROFITS, BUSINESS INTERRUPTION OR LOSS OF INFORMATION) ARISING OUT OF THE USE OR INABILITY TO USE THIS DOCUMENT, EVEN IF QUEST HAS BEEN ADVISED OF THE POSSIBILITY OF SUCH DAMAGES. Quest makes no representations or warranties with respect to the accuracy or completeness of the contents of this document and reserves the right to make changes to specifications and product descriptions at any time without notice. Quest does not make any commitment to update the information contained in this document.

If you have any questions regarding your potential use of this material, contact:

Quest Software World Headquarters
LEGAL Dept
5 Polaris Way
Aliso Viejo, CA 92656
www.quest.com
email: [email protected]

Refer to our Web site for regional and international office information.

Patents

Protected by U.S. Patents #7,617,501; 7,895,332; 7,904,949; 8,086,710; 8,087,075, and 8,245,242. Additional patents pending.

Trademarks

Quest, Quest Software, the Quest Software logo, AccessManager, ActiveRoles, Aelita, Akonix, Benchmark Factory, BigBrother, BridgeAccess, BridgeAutoEscalate, BridgeSearch, BridgeTrak, BusinessInsight, ChangeAuditor, CI Discovery, Defender, DeployDirector, Desktop Authority, Directory Analyzer, Directory Troubleshooter, DS Analyzer, DS Expert, Foglight, GPOADmin, Help Desk Authority, Imceda, IntelliProfile, InTrust, Invirtus, iToken, JClass, JProbe, LeccoTech, LiteSpeed, LiveReorg, LogADmin, MessageStats, Monosphere, NBSpool, NetBase, NetControl, Npulse, NetPro, PassGo, PerformaSure, Point, Click, Done!, Quest vToolkit, Quest vWorkSpace, ReportADmin, RestoreADmin, ScriptLogic, SelfServiceADmin, SharePlex, Sitraka, SmartAlarm, Spotlight, SQL Navigator, SQL Watch, SQLab, Stat, StealthCollect, StorageHorizon, Tag and Follow, Toad, T.O.A.D., Toad World, vAutomator, vConverter, vEcoShell, VESI, vFoglight, vPackager, vRanger, vSpotlight, vStream, vToad, Vintela, Virtual DBA, VizionCore, Vizioncore vAutomation Suite, Vizioncore vEssentials, Vizioncore vWorkflow, WebDefender, Webthority, Xaffire, and XRT are trademarks and registered trademarks of Quest Software, Inc. in the United States of America and other countries. Other trademarks and registered trademarks are property of their respective owners.

Page 3: AuthenticationServices_4.0_SiebelSecurityAdapter.pdf

Third-Party Contributions

This product may contain one or more of the following third party components. For copies of the text of any license listed, please go to http://www.quest.com/legal/third-party-licenses.aspx .

Component                Notes
Apache Commons 1.2       Apache License, Version 2.0, January 2004
Boost                    Boost Software License, Version 1.0, August 2003
Expat 2.0.0              © 1998, 1999, 2000 Thai Open Source Software Center Ltd
Heimdal Krb/GSSapi 1.2   © 2004 - 2007 Kungliga Tekniska Högskolan (Royal Institute of Technology, Stockholm, Sweden). All rights reserved.
OpenSSL 0.9.8d           This product includes software developed by the OpenSSL Project for use in the OpenSSL Toolkit (http://www.openssl.org/). © 1998-2008 The OpenSSL Project. All rights reserved.

Contents

Chapter 1: About This Guide ... 7
  About Quest Software ... 8
  Quest One Identity Solution ... 8
  Conventions ... 8
  Contacting Quest Support ... 9

Chapter 2: Introducing the QAS Siebel Security Adapter Solution ... 11

Chapter 3: Integrating Your Siebel Installation with Active Directory ... 13
  Before You Begin the Configuration Process ... 14
    Installing the VASCLNT Package ... 14
    Verifying QAS License Information ... 14
    Joining the Domain ... 15
    Source Your siebenv.sh Script ... 17
    Gather Siebel Server Information ... 17
    Verify Your Siebel Server Installation ... 17
    Installing the QAS Siebel Security Adapter Package ... 17
    Install the mod_auth_vas Package (for SSO only) ... 18
    Beginning the Active Directory Integration Process ... 18
  Configuring the QAS Security Adapter for Siebel ... 18
    Q1. At what level do you want to configure QAS/Active Directory authentication? ... 19
    Q2. What component would you like to configure QAS/Active Directory authentication for? ... 19
    Q3. What is the name of your Siebel server? ... 19
    Q4. What is the gateway name server hostname? ... 19
    Q5. What is the enterprise name? ... 20
    Q6. What is the language? ... 20
    Q7. What is the name of the Active Directory user who has rights to create users and groups in the Directory? ... 20
    Q8. What is the password for <username>? ... 20
    Q9. What is the database username that will be used for shared database credentials? ... 20
    Q10. What is the password for the user that will be used for shared database credentials? ... 21
    Q11. What is the DN of the container where any new user objects will be created? ... 21
    Q12. What is the name of the attribute used to store the Siebel username? ... 21
    Q13. What is the Siebel administrative username? ... 21
    Q14. What is the Siebel administrative user password? ... 21
    Q15. No corresponding user exists in AD, would you like to create it now? ... 21
    Q16. What is the name of your web anonymous user? ... 22
    Q17. What is the web anonymous user password? ... 22
    Q18. No corresponding user exists in AD, would you like to create it now? ... 22
    Q19. Would you like users warned when their password is about to expire? ... 22
    Q20. How many days before password expiration would you like to warn a user? ... 23
    Q21. Should role information come from Active Directory groups designated as Siebel "roles groups"? ... 23
    Q22. What is the name of the file to be used for Siebel "roles groups"? ... 23
    Q23. What is the name (CN) of an existing group or a role name you would like to create? ... 23
    Q24. You have not created/added the role "Web Anonymous User" would you like to do so now? ... 23
    Q25. You have not created/added the role "Siebel Administrator" would you like to do so now? ... 23
    Q26. Would you like to specify a post-authentication script? ... 24
    Single Sign-On (SSO) Configuration ... 24
    Q27. Do you want to propagate changes? ... 24
    Q28. Would you like to apply this configuration now? ... 24
    After Running the Siebel Security Adapter Configuration Script ... 24
  Configuring Single Sign-on Using mod_auth_vas ... 25
    Creating the Appropriate Service Account for mod_auth_vas ... 26
    Configuring Your Web Server Extensions for Single Sign-On ... 26
    Configuring Your Web Server to Use mod_auth_vas for Authorization ... 27
    Modifying the QAS Security Adapter Authentication Subsystem for Single Sign-On ... 28
    Internet Explorer Configuration ... 29
    Limitations Associated with Single Sign-On Configuration ... 29

Chapter 4: Manual Provisioning of Siebel Accounts ... 31

Chapter 5: Login Time Provisioning of Siebel Accounts ... 33
  Create a Launch Script ... 34
  Create a User Creation Script ... 34
  Creating the Oracle Stored Procedure ... 35

Chapter 6: Troubleshooting ... 37
  Special Considerations ... 38
  Capturing Debug Information ... 38

Authentication Services 4.0.3 Siebel Security Adapter Administrator's Guide | TOC | 5

Chapter 1: About This Guide

The Quest Authentication Services Siebel Security Adapter Administrator's Guide contains information about installing and configuring the Quest Authentication Services (QAS) Siebel Security Adapter for Siebel and integrating your Siebel Unix installation with Active Directory.

Topics:

• About Quest Software
• Quest One Identity Solution
• Conventions
• Contacting Quest Support

Oracle provides integrated Windows authentication for all Siebel installations running on Windows platforms. But what if your Siebel installation is installed on a Unix/Linux system? Siebel, and later Oracle, provide a generic "Security Adapter Interface" API to Siebel which allows third-party vendors to create custom security adapters. Siebel can then utilize the interface provided by a custom security adapter to provide authentication and password change services to Siebel users. Until now there has never been a solution specifically designed to use this API to integrate Siebel Unix installations with Active Directory. If your Siebel installation is on Unix/Linux, you had only two options. You could either attempt to integrate with Active Directory using a generic LDAP Security Adapter (limitations addressed in the next section), or you could write your own custom security adapter.

The QAS Solution provides a custom security adapter written to the Siebel Security Adapter Interface 3.00. QAS allows Unix/Linux systems to be joined to an Active Directory domain and provides Active Directory authentication and identity information to all system level services. The QAS Siebel security adapter implements integrated Windows authentication for all Unix/Linux operating systems supported by Siebel by building on the framework provided by the QAS client.

QAS also provides the ability to configure single sign-on for any Unix/Linux Siebel installation that is using an Apache-based web server (such as OHS or IHS).

About Quest Software

Note: Quest Authentication Services (QAS), formerly Vintela Authentication Services (VAS), was re-branded for the 4.0 release.

Quest Software, Inc. simplifies and reduces the cost of managing IT for more than 100,000 customers worldwide. Our innovative solutions make solving the toughest IT management problems easier, enabling customers to save time and money across physical, virtual and cloud environments. Contact Quest for more information:

Contacting Quest Software

Phone:     949.754.8000 (United States and Canada)
Email:     [email protected]
Mail:      Quest Software, Inc.
           World Headquarters
           5 Polaris Way
           Aliso Viejo, CA 92656 USA
Web site:  www.quest.com

Quest One Identity Solution

This product is a component of the Quest One Identity Solution, a set of enabling technologies, products, and integration that empowers organizations to simplify identity and access management by:

• Reducing the number of identities
• Automating identity administration
• Ensuring the security of identities
• Leveraging existing investments, including Microsoft Active Directory

Quest One improves efficiency, enhances security and helps organizations achieve and maintain compliance by addressing identity and access management challenges as they relate to:

• Single sign-on
• Directory consolidation
• Provisioning
• Password management
• Strong authentication
• Privileged account management
• Audit and compliance

Conventions

In order to help you get the most out of this guide, we have used specific formatting conventions. These conventions apply to procedures, icons, keystrokes and cross-references.

Convention      Element
Select          This word refers to actions such as choosing or highlighting various interface elements, such as files and radio buttons.
Bold text       Used to indicate elements that appear in the graphical user interface that you are to select, such as the OK button.
Italic text     Interface elements that appear in Quest products, such as menus and commands.
courier text    Used to indicate host names, file names, program names, command names, and file paths.
Blue Text       Indicates an interactive link to a related topic.
(icon)          Used to highlight additional information pertinent to the process or topic being described.
+               A plus sign between two keystrokes means that you must press them at the same time.
|               A pipe sign between elements means that you must select the elements in that particular sequence.

Contacting Quest Support

Quest Support is available to customers who have a trial version of a Quest product or who have purchased a Questproduct and have a valid maintenance contract. Quest Support provides unlimited 24x7 access to SupportLink, ourself-service portal.

Contact PointsInformation Sources

SupportLink: support.quest.comQuest Support

Quest SupportLink gives you access to these tools and resources:

• Product Information

Most recent product solutions, downloads, documentation, notifications andproduct lifecycle table.

• Product Downloads

Download the latest Quest product releases and patches.

• Product Documentation

Download Quest product documentation, such as installation, administrator, userguides and release notes.

• Search KnowledgeBase

Search our extensive repository for answers to Quest-product related issues orquestions.

• Case Management

Create new support cases and manage existing cases.

Authentication Services 4.0.3 Siebel Security Adapter Administrator's Guide | About This Guide | 9

Page 10: AuthenticationServices_4.0_SiebelSecurityAdapter.pdf

Contact PointsInformation Sources

Email: [email protected]

Phone: 1.800.306.9329

The Community site is a place to find answers and advice, join a discussion forum,or get the latest documentation and release information: All Things Unix Community.

Public Forum

View the Global Support Guide for a detailed explanation of support programs, onlineservices, contact information, policies and procedures. The guide is available atsupport.quest.com.

Global Support Guide

10 | Authentication Services 4.0.3 Siebel Security Adapter Administrator's Guide | About This Guide

Chapter 2: Introducing the QAS Siebel Security Adapter Solution

The QAS Active Directory support for Siebel goes far beyond the support provided by the generic Siebel LDAP solution.

The generic LDAP security adapter plug-in only validates user passwords against a conformant directory by doing an LDAP bind operation. This operation is insecure unless additional measures are taken (such as the implementation of TLS/SSL and certificate infrastructure). QAS provides many benefits over such a configuration because it is designed specifically to work with Active Directory. QAS takes advantage of the security protocol (Kerberos) built into Active Directory, and does not require the setup of additional security (certificate) infrastructure to ensure that authentication requests are not subject to eavesdropping.

A generic LDAP solution (such as the one provided with Siebel) cannot provide proper password change support for Active Directory users. LDAP directories that service Unix/Linux systems store password data as an attribute on a user object. You can modify this data during a password change request; however, Active Directory does NOT store password data on any user attribute. This in turn makes it impossible for standard LDAP solutions to provide password change support for Active Directory. Password changes can only be accomplished by means of a Kerberos password change request. The QAS Kerberos integration provides seamless password change integration with Active Directory.

This includes allowing change of password, enforcement of password policy (minimum password length, complexity requirements, history, and so forth), and password expiration notification; none of which can be supported through a standard LDAP solution.

QAS also provides the ability to manage Siebel roles through the use of Active Directory groups. You simply specify which groups are "roles" groups, and QAS returns the names of these groups as the current roles of any member users. This greatly simplifies management of Siebel Roles without requiring a schema extension.

Additionally, QAS provides an Apache module (mod_auth_vas), which provides the ability to configure single sign-on for any Siebel installation that uses any Apache-based web server (such as Oracle's OHS or IBM's IHS).

These are only a few of the many benefits QAS provides to Siebel Unix installations. A summary of all the features of the QAS solution is listed below.

• Support for authentication of Active Directory accounts
• Support for password change at login time or afterwards
• Support for all Active Directory password complexity requirements (password history, length, and so forth)
• Support for password expiration warning at login
• Support for Active Directory account lockout, account disable, and enforcement of login hours and account expiry
• Support for Active Directory account creation and administrative password set from the Siebel UI
• Single sign-on
• The ability to use one shared database account for all Siebel accounts
• The ability to mark certain Active Directory groups as Siebel "Roles Groups", thereby allowing the management of Siebel Roles through Active Directory and the ADUC MMC snap-in
• Leverages the site topology of Active Directory to distribute load and provide redundancy
• Provides local "Disconnected Authentication" in the event that the Siebel Server cannot contact any Active Directory domain controllers
• Support for a "post-authentication" hook which you can use to auto-provision Siebel accounts for Active Directory accounts which have not previously been provisioned in the Siebel user database
• Simple setup script automates the process of installing and configuring the QAS security adapter
• HPUX, AIX, Solaris, and Linux support
• Support for Siebel versions 7.5, 7.7, 7.8, and 8.0+

The QAS solution clearly offers superior support to a standard LDAP solution when it comes to integrating Siebel Unix installations with Active Directory. The QAS Solution is the only solution designed specifically to integrate your Unix/Linux Siebel installation with Active Directory.

Chapter 3: Integrating Your Siebel Installation with Active Directory

There are two main integration points in the process of configuring your Siebel Unix/Linux installation to use the QAS components to integrate with Active Directory:

1. Basic Active Directory integration using the QAS Security Adapter for Siebel (see Configuring the QAS Security Adapter for Siebel on page 18)
2. Single sign-on using mod_auth_vas (see Configuring Single Sign-on Using mod_auth_vas on page 25)

Topics:

• Before You Begin the Configuration Process
• Configuring the QAS Security Adapter for Siebel
• Configuring Single Sign-on Using mod_auth_vas

Before You Begin the Configuration Process

QAS provides several scripts to assist you in the process of integrating your Siebel installation with Active Directory; however, before you can launch any configuration scripts, you must complete the following steps:

1. Install the vasclnt package
2. Verify that you have a valid license for the QAS agent components
3. Join the domain
4. Source your siebenv.sh
5. Verify your Siebel Server installation
6. Gather Siebel Server information. (See Gather Siebel Server Information on page 17)
7. Install the QAS Siebel Security Adapter package
8. Install the mod_auth_vas package

Each of the following sections provides detailed instructions for each of these steps.

Installing the VASCLNT Package

To install the vasclnt package

1. Mount your QAS DVD or ISO media by running the mount command.

Mount details vary from platform to platform. Refer to your vendor documentation for specifics.

For example, this is a Linux mount command:

mount /dev/cdrom /mnt/media

2. Navigate to the path where you mounted your QAS media and execute the install.sh script.

This script is located at the root of the installation media, and guides you through the process of installing the QAS agent package.

Verifying QAS License Information

To verify that you have a valid QAS license

1. Run the following vastool command:

vastool license -q

Output similar to the following displays:

Number of Unix Enabled users in use: 150
---QAS---
Number of Licensed Unix Enabled Users: 1000
Valid licenses: 1
---QAS Siebel---
Valid licenses: 1

2. If you are missing either the "QAS" or "QAS Siebel" section, you do not have the necessary license to run the QAS Siebel Security Adapter.

Joining the Domain

For full Quest Authentication Services functionality on Unix, you must join the Unix system on which you installed the QAS agent to the Active Directory domain. You can join an Active Directory domain either by running vastool join from the command line or the interactive join script, vasjoin.sh.

Before you join the Unix host to the Active Directory domain, you may want to determine if you are already joined.

To determine if you are joined to an Active Directory domain

Run the following command.

# /opt/quest/bin/vastool info domain

If you are joined to a valid domain this command returns the domain name. If you are not joined to a domain, you will see the following error:

ERROR: No domain could be found.
ERROR: VAS_ERR_CONFIG: at ctx.c:414 in _ctx_init_default_realm
default_realm not configured in vas.conf. Computer may not be joined to domain

Joining the Domain Using VASTOOL

You can join your Unix host to Active Directory with the vastool join command directly from the command line.

Before you join the QAS agent to the Active Directory domain, collect the following information:

• The DNS name of the Active Directory domain of which you want the QAS agent to be a member.
• The user name and password of a user that has sufficient administrative privileges to create computer objects in Active Directory.

To join Active Directory using vastool join

1. Run the following command as the root user at a shell prompt:

# /opt/quest/bin/vastool -u <user> join <domain-name>

2. Enter the user's password when prompted. The vastool join results are shown on the shell's standard output.

Note: vastool join supports many options that allow you to customize the way the computer is joined to the domain. You can specify the name of the computer object. You can join to a specific organizational unit or use a pre-created computer object.

For a list of all vastool join options, refer to the vastool man page.

Joining the Domain Using VASJOIN Script

Rather than using the vastool join command from the command line, you can join your Unix host to Active Directory using the interactive join script, vasjoin.sh. The script walks you through the domain join process, calling the vastool join command.

The vasjoin.sh script is in the /opt/quest/libexec/vas/scripts/ directory. You can use most of the standard vastool join command options when running it. However, you can run the join script with no options; it only requires that you supply the domain name and the name of a user with sufficient Active Directory privileges to perform the join.

Table 1: Common vasjoin Script Options

Option    Function
-h        Help; displays options including how to pass vastool join options
-q        Unattended or quiet mode; less verbose output: no explanations, asks no questions
-i        Interactive mode: prompts for common options
<none>    Simple mode; installs vasclnt and vasgp with options to add license and join domain.

To join Active Directory using the vasjoin script

Run the script as the root user at a shell prompt, as follows:

/opt/quest/libexec/vas/scripts/vasjoin.sh

The script ensures that your local host's time is synchronized with that of the controller in the domain you want to join (in order to satisfy Kerberos), then performs the join for you by running vastool join as follows:

vastool -u <username> join <domain-name>

Follow the prompts to complete the join process.

Note: Run the script in interactive mode as follows:

/opt/quest/libexec/vas/scripts/vasjoin.sh -i

In interactive mode, it prompts you for specific information and allows you to either save the resulting vastool join command in a script or execute the command immediately.

The script presents defaults as part of the prompting and if you accept them all, the result is identical to running the script in simple mode.

The information gathered by the full, interactive mode of vasjoin.sh includes the following.

• Specific domain controllers to use
• domain to join
• user, usually administrator, to use in joining
• keytab file
• confirm fixing of Kerberos clock skew, if any
• overwrite your host's existing Active Directory ComputerName object
• change the name of the AD ComputerName object
• AD container in which to put the ComputerName object
• site name
• UPM mode (yes or no)
• user search path on which to look for Active Directory users
• alternate group search path
• workstation mode (yes or no)
• alternate domains in which to search if you want cross-domain logins
• self-enrollment of existing /etc/passwd users (yes or no)
• shows path to lastjoin (/etc/opt/quest/vas/lastjoin)

The lastjoin file contains something similar to:

/opt/quest/bin/vastool -u administrator join -f acme.com

Source Your siebenv.sh Script

The siebenv.sh script contains several important environment variables at the root of your Siebel installation (/opt/siebel/siebsrvr/siebenv.sh). To successfully configure the Siebel Security adapter, export the environment variables before you install the Security Adapter package.

To source your siebenv.sh script

Run

. /opt/siebel/siebsrvr/siebenv.sh

Gather Siebel Server InformationBefore you run the QAS Siebel Security Adapter configuration script, it is important to have some information athand.

The script asks you to supply answers to numerous questions. As explained in Configuring the QAS Security Adapterfor Siebel on page 18, question 3 asks you for the Siebel Server name and question 5 asks you for the Siebel Enterprisename.

To gather Siebel Server information

Run the following command:

ls -al /opt/Siebel/siebsrvr/sys/svc.siebsrvr*

Verify Your Siebel Server Installation

The configuration of the QAS Siebel Security Adapter from Unix/Linux requires that you run several commands from the srvrmgr and srvrcfg utilities. These commands require authentication to complete successfully; therefore, you must have an operational Siebel Server running during setup.

To verify your Siebel server installation

1. Start your Siebel server, if it is not running.

During the configuration phase, you are prompted to provide credentials (name and password) for a Siebel administrative user. If this user cannot authenticate, configuration of the QAS Security Adapter will not succeed. After the installation and configuration of the QAS Security Adapter, users can be authenticated by the QAS Security Adapter, but for configuration of the QAS Security Adapter to succeed, a working authentication subsystem is required. This means that the QAS Security Adapter configuration cannot be completed until Siebel is essentially bootstrapped with a functional pre-existing authentication subsystem (Security Adapter). In new Siebel installations this security adapter is a database security adapter. However, you can configure a pre-existing Siebel installation to use a database adapter, an LDAP adapter, or a different custom security adapter.

2. Verify your Siebel administrative credentials before proceeding.

Installing the QAS Siebel Security Adapter Package

You install the QAS Security Adapter package by running the install.sh script. You can find this script at the root of your installation media.

To install the QAS Siebel Security Adapter package

Run install.sh.

Refer to Installing the VASCLNT Package on page 14 for details about mounting your QAS installation media.

Install the mod_auth_vas Package (for SSO only)

This step is optional. If you are planning to configure single sign-on with the QAS security adapter, you need to install the mod_auth_vas Apache module package. You must install this package on the server where you have the Siebel web server extensions installed.

If your web server extensions are installed on a machine separate from the Siebel server you are initially installing the QAS security adapter upon, you can complete the process of configuring single sign-on after you have installed and configured the QAS Security Adapter.

It is important to note that QAS does not provide single sign-on support for all web servers supported by Siebel. The module which facilitates the single sign-on process (mod_auth_vas) is an Apache module, and therefore you must be using an Apache-based web server for QAS to provide SSO support. Supported Apache-based web servers include Oracle’s OHS and IBM’s IHS; note that Sun’s web server is excluded from this list.

To install the mod_auth_vas package

Run the install.sh script found at the root of your installation media.

Refer to Installing the VASCLNT Package on page 14 for details about mounting your QAS installation media.

Beginning the Active Directory Integration Process

The QAS security adapter package installs a script which guides you through the process of configuring:

• Active Directory integration using the QAS Security Adapter
• Single sign-on configuration for the QAS adapter using mod_auth_vas

If you did not launch the configuration immediately following installation, start the QAS Security Adapter configuration by running the configure_siebel_adapter.sh script.

The script presents you with the following choices:

What components would you like to configure?
1 - Active Directory Integration using the "QAS Security Adapter for Siebel".
2 - SSO configuration for Siebel Web Server extensions using mod_auth_vas.
3 - All of the above

You can configure Active Directory integration without completing the SSO configuration and retain all benefits of the QAS Security Adapter with the exception of single sign-on support. However, SSO configuration requires that you first successfully configure the "QAS Security Adapter for Siebel".

If your Siebel server and web server extensions are installed on the same host, you can configure both at the same time by choosing option #3 (All of the above).

Configuring the QAS Security Adapter for Siebel

The QAS Siebel Security Adapter configuration script asks you to supply answers to numerous questions. This section walks you through each of these questions, providing clarification and examples to help you answer each question accurately.

If you have correctly prepared your system, the first question you are asked is, "At what level do you want to configure QAS/Active Directory authentication?" If you have not correctly prepared your system, the script may terminate before you are asked this question. If you are not properly joined, for example, the script terminates and notifies you of this. As much as possible, the configuration script attempts to validate your installation and the input you are providing. It is not possible to validate all input, however. Be extremely careful to answer all questions accurately, especially those noted as "not validated by the configuration script".

Note: Before you start, gather the Siebel Server information (See Gather Siebel Server Information on page 17.)

Q1. At what level do you want to configure QAS/Active Directory authentication?

This question determines the scope of Active Directory authentication.

If you select enterprise, the change is global. One important thing to realize about choosing the enterprise level is that once you have successfully configured QAS as the enterprise authentication solution, your previous Siebel Administrator credentials will no longer function. Later in the configuration phase you will be asked if you want to create a user corresponding to your Siebel Administrator in Active Directory. If you have chosen enterprise level, you must do this.

It is equally important to know if you are going to deploy Single Sign-On (SSO) with mod_auth_vas. You cannot configure SSO for the entire enterprise. If you plan to configure SSO, it is best to configure Active Directory authentication on a per-component basis to minimize later configuration changes.

If you choose to configure SSO at the same time you configure the QAS Security Adapter for Siebel, you will not be asked this question.

Q2. What component would you like to configure QAS/Active Directory authentication for?

You are only asked this question if you choose component-level configuration.

When choosing component-level configuration, you are essentially configuring QAS authentication for only one Siebel application. The component name is the name of the Siebel object manager for that application. For example, if you want to configure QAS authentication for the English version of the Siebel Sales application, specify the component as “SSEObjMgr_enu”.

[sales_enu]
siebel.TCPIP.None.None://$(LoadBalancingServer)/SBA_80/SSEObjMgr_enu

Note: The last portion of the connect string contains the component name.

Q3. What is the name of your Siebel server?

You are only asked this question if you selected component- or server-level authentication.

It is important to realize that this is NOT necessarily the hostname of the Siebel server. You can find the names of your Siebel servers by looking in the "sys" directory at the root of your Siebel installation.

ls -al /opt/Siebel/siebsrvr/sys/svc.siebsrvr*

-rw-r--r-- 1 sadmin users 200 Mar 4 08:40 svc.siebsrvr.SBA_80:linux
-rw-r--r-- 1 sadmin users 192 Mar 4 08:40 svc.siebsrvr.SBA_80:linux.bak

The name of the server is found after the colon in any file names starting with "svc.siebsrvr" (you can ignore files with a .bak file type). There may be multiple servers listed. In the example given above, the name of the server is "linux".

Q4. What is the gateway name server hostname?

This is the hostname of the gateway server.

Do not include the port, simply enter a resolvable network name for the gateway server.

Q5. What is the enterprise name?

This is the name of your Siebel Enterprise.

You can determine the name of the enterprise by looking in the sys directory at the root of your Siebel server installation.

ls -al /opt/Siebel/siebsrvr/sys/svc.siebsrvr*

-rw-r--r-- 1 sadmin users 200 Mar 4 08:40 svc.siebsrvr.SBA_80:linux
-rw-r--r-- 1 sadmin users 192 Mar 4 08:40 svc.siebsrvr.SBA_80:linux.bak

The enterprise name is found directly before the colon. In the example above the enterprise name is SBA_80.
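Added helper functions (example code, not part of the product or this guide) that extract the identifiers asked for in Q2, Q3 and Q5 from the artifacts shown above: the component name from a Siebel connect string, and the enterprise and server names from svc.siebsrvr file names, skipping .bak copies. The directory path is the one used in the guide's ls command.

```shell
#!/bin/sh
# Component name is the last path segment of a connect string such as
# siebel.TCPIP.None.None://$(LoadBalancingServer)/SBA_80/SSEObjMgr_enu
component_from_connect_string() {
    printf '%s\n' "${1##*/}"
}

# Accept only file names of the form svc.siebsrvr.<enterprise>:<server>,
# rejecting backups ending in .bak. Returns 1 for anything else.
is_svc_file() {
    base=${1##*/}
    case $base in
        *.bak) return 1 ;;
        svc.siebsrvr.*:*) return 0 ;;
        *) return 1 ;;
    esac
}

# Enterprise name: text between "svc.siebsrvr." and the colon (SBA_80).
enterprise_from_svc_file() {
    is_svc_file "$1" || return 1
    base=${1##*/}
    e=${base#svc.siebsrvr.}
    printf '%s\n' "${e%%:*}"
}

# Server name: text after the colon (linux). This is the Siebel server
# name, not necessarily the hostname.
server_from_svc_file() {
    is_svc_file "$1" || return 1
    base=${1##*/}
    printf '%s\n' "${base##*:}"
}

# List every enterprise/server pair found in a sys directory, one per line,
# tab separated. Defaults to the path used in the guide.
list_siebel_servers() {
    dir=${1:-/opt/Siebel/siebsrvr/sys}
    for f in "$dir"/svc.siebsrvr.*; do
        [ -e "$f" ] || continue
        ent=$(enterprise_from_svc_file "$f") || continue
        srv=$(server_from_svc_file "$f") || continue
        printf '%s\t%s\n' "$ent" "$srv"
    done
}

# When run directly with a directory argument, print what it finds.
if [ $# -gt 0 ]; then
    list_siebel_servers "$1"
fi
```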

Q6. What is the language?

If your Siebel Environment script was correctly sourced, a default value is listed.

For example, the value for English is "enu".

In most cases, just accept the default value.

Q7. What is the name of the Active Directory user who has rights to create users and groups in the Directory?

In response to this question, provide an Active Directory user who has rights to create objects in the user creation container (which you are prompted for in Q11).

The following notice is also given:

These credentials will be necessary to create the web anonymous and Siebel administrator users (if necessary), and any roles groups (You will be prompted before any object is created).

You must provide these credentials. The configuration script creates two necessary users by default, the web anonymous user and the Siebel administrator user. Before creating them, it prompts you for the names of each of these users.

The configuration script also creates two "roles" groups, the "Siebel Administrator" and "Web Anonymous User". It adds the new users to the appropriate roles group.

The user credentials you specify in this question and the subsequent question are the credentials used to create these users and roles groups. The Active Directory "Administrator" user is always safe to use, but you can use an account with fewer privileges as long as it has rights to create users and groups in the container you specify in Q11.

Q8. What is the password for <username>?

The password for the account you provided in Q7.

This is validated, so if you enter an incorrect password you are prompted again.

Q9. What is the database username that will be used for shared database credentials?

Siebel requires that all users have database credentials. These credentials need not be unique.

The QAS Security Adapter supports the use of one shared database account for all users. The database user information you provide here is stored in the QAS Security Adapter configuration file (/etc/opt/quest/vas/sscvas3.conf).

This field is not validated by the configuration script, so ensure that the account you enter exists in your backend database.

Q10. What is the password for the user that will be used for shared database credentials?

This is the database password for the user entered in Q9.

This value is stored (along with the shared database username) in the QAS Security Adapter configuration file (/etc/opt/quest/vas/sscvas3.conf).

Q11. What is the DN of the container where any new user objects will be created?

This is the full LDAP DN of a container (CN) or organizational unit (OU) where new user objects will be created by the QAS Security Adapter.

The QAS Security Adapter propagates new user additions into Active Directory into this container or organizational unit. This is not a restrictive search base. Users outside of this container will still be able to authenticate. This relates only to where new users are created.

The syntax for the response should be similar to the following:

cn=users,dc=example,dc=com

Q12. What is the name of the attribute used to store the Siebel username?

Which directory attribute contains the Siebel user ID?

The default is sAMAccountName. If your Siebel user IDs are not the same as your Active Directory sAMAccountName, you must specify which user attribute contains the Siebel User IDs here. It is important that you index the attribute you specify. If you specify a custom attribute such as "siebelUsername" it is likely that it is NOT indexed. This WILL CAUSE very severe performance issues with your domain controller under any significant load.

If you specify a custom attribute, Siebel users will be required to log in by specifying one of the following:

1. Siebel User ID
2. Active Directory username in the form of "Domain\sAMAccountName"
3. Active Directory username in the form of "NetBiosDomain\sAMAccountName"
4. Active Directory user principal name in the form of "Username@Domain"

If you accept the default attribute (sAMAccountName), users can log in by specifying their sAMAccountName without a domain prefix (as this is also their Siebel User ID).

Q13. What is the Siebel administrative username?

This is the name of the user who has rights to perform the configuration of a new security adapter.

Q14. What is the Siebel administrative user password?

The password for the user provided in Q13.

Q15. No corresponding user exists in AD, would you like to create it now?

You are only asked this question if the user you specified in Q13 cannot be found in Active Directory. You must create the Siebel administrative user in Active Directory if you are configuring the QAS Security Adapter enterprise wide. But even if you are not configuring the QAS Security Adapter enterprise wide, Quest recommends this as a best practice.

Q16. What is the name of your web anonymous user?

The web anonymous user is a low privilege Siebel user used by the Web Server Extension to display the Siebel login page. The configured security adapter must be able to authenticate this user to display the application login page.

You can configure each application to use a different web anonymous user in the eapps.cfg file, so if you do not know the name of your web anonymous user, look in the eapps.cfg file.

For example, the Siebel sales application may have an eapps.cfg entry that looks like this:

[sales_enu]
AnonUserName = guestcst
AnonPassword = mPm5a8+WAIYBivMAAA==
ConnectString = siebel.TCPIP.None.None://$(LoadBalancingServer)/SBA_80/SSEObjMgr_enu
WebPublicRootDir = $(SWSERoot)/public/enu
SiebEntSecToken = oyBTDdYQOqgBQ/gAAA==

The "AnonUserName" is the name of the web anonymous user. If your application does not have an "AnonUserName" entry, then it uses the global default anonymous user. This configuration is also in the eapps.cfg file under the "defaults" section.

[defaults]
EncryptedPassword = True
AnonUserName = guestcst
AnonPassword = ZWAVd5kEB90B2jEAAA==
StatsPage = _stats.swe
HTTPPort = 7777
HTTPSPort = 443
EnableFQDN = False
FQDN = linux.example.com
TrustToken =
DoCompression = true
GuestSessionTimeout = 300

The default of "guestcst" provided by the configuration script is NOT detected from the eapps.cfg file. It simply mirrors the name of the web anonymous user provided in the Siebel seed data. If you changed your web anonymous user during installation or afterwards, do not accept the default answer to this question.

Q17. What is the web anonymous user password?

This is the password for the user provided in Q16.

You must provide either the same password that exists in the eapps.cfg file for this user, or change the password in the eapps.cfg file.

The QAS Security Adapter authenticates the web anonymous user provided in Q16. The web server extension provides the pre-existing password for this user as configured in eapps.cfg; therefore, the password you provide here must match the password configured in eapps.cfg.

Q18. No corresponding user exists in AD, would you like to create it now?

You are only asked this question if the user specified in Q16 cannot be found in Active Directory. The web anonymous user MUST exist in Active Directory, so answer "yes" to this question now, unless you intend to create the user later.

Q19. Would you like users warned when their password is about to expire?

If you respond "yes" to this question, Siebel users are given a warning next time they log in that their password will expire soon.

The password expiration warning does not support telling the user how long until their password expires, only that password expiration is imminent.

Q20. How many days before password expiration would you like to warn a user?

You will only be asked this question if you responded affirmatively to Q19.

This is the number of days prior to password expiry when a user will begin seeing warning messages that their password will soon expire.

Q21. Should role information come from Active Directory groups designated as Siebel "roles groups"?

Roles groups provide a group membership-based solution to the management of Siebel Roles.

For each Siebel role, a group is created in Active Directory. The name of the role returned to Siebel is the "CN" of the group. All users who are a member of a given group have that role returned from the QAS Security Adapter.

This method of managing Siebel roles in Active Directory is a unique feature of the QAS Security Adapter. Quest recommends that you use this method. It provides excellent compatibility with the management tools available to Active Directory administrators (such as ADUC) and it does not require extending the user schema.

If you choose not to use "roles groups", you will be asked to specify a user attribute that contains Siebel roles. The attribute you specify must be a multi-valued attribute.

Q22. What is the name of the file to be used for Siebel "roles groups"?

If a group is a Siebel roles group, you must specify it in this file.

Groups not contained in this file are not Siebel roles groups. Each group is identified in this file by its SID. Quest does not recommend that you manually add groups to this file. QAS provides a script to assist you in adding roles groups after the initial configuration. The script is /opt/quest/libexec/vas/scripts/siebel/add_roles_groups.sh.

While the location of the file is purely arbitrary, unless you have a specific need to place the file in another location, Quest recommends that you accept the default location.

Q23. What is the name (CN) of an existing group or a role name you would like to create?

You are given the opportunity to create any roles you would like at this time.

It is not necessary to configure any specific roles during initial configuration other than the "Siebel Administrator" role and the "Web Anonymous User" role. You will be prompted later to create these required roles if you do not create them here. Furthermore, you can add any other roles later by running the following script.

/opt/quest/libexec/vas/scripts/siebel/add_roles_groups.sh

If you have roles you would like to create, specify them now. Enter exit when you have finished.

Q24. You have not created/added the role "Web Anonymous User", would you like to do so now?

If you did not add a role group for the "Web Anonymous User" role, reply yes now.

Replying "yes" to this question creates the "Web Anonymous User" group in Active Directory, if it does not already exist. The group is then added to the configured "roles groups" file, and your web anonymous user is added as a member of the group.

Q25. You have not created/added the role "Siebel Administrator", would you like to do so now?

If you did not add a role group for the "Siebel Administrator" role, reply yes now.

Replying "yes" to this question creates a "Siebel Administrator" group in Active Directory, if such a group does not already exist. The group is then added to the configured "roles groups" file, and your Siebel administrative user is added as a member of the group.

Q26. Would you like to specify a post-authentication script?

The QAS Security Adapter has the ability to run a script outcall after successful authentication of an Active Directory account.

The post-authentication script receives three pieces of information from the QAS Security Adapter.

1. The DN of the user for whom the script was called
2. The krb5 principal name of the user for whom the script was called
3. The password of the user for whom the script was called

The first two items are passed as command-line arguments to the script, while the third item (user password) is written to stdin of the script. If you need the user’s password you will, therefore, need to use a script command (like the shell "read" command) to read the password from stdin into a script variable. The first two items are referenced the way your interpreter exposes command-line arguments (typically $1 and $2). If these items are not necessary, your script need not reference them.

Proper use of this outcall can enable automatic provisioning of all Active Directory users at authentication time.
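An added example of a post-authentication outcall script written to the contract described above; it is not part of the product or this guide. It assumes $1 is the user's DN, $2 is the krb5 principal and the password arrives on stdin; the record format, the validation rules and the PROVISION_LOG path are choices made here, and the actual Siebel provisioning step is left as a marked placeholder because the guide does not specify it.

```shell
#!/bin/sh
# Example post-authentication outcall for the QAS Security Adapter (added
# example, not product code). Invocation by the adapter, as described in the
# guide: <script> "<user DN>" "<krb5 principal>"  with the password on stdin.

# Short username from a principal such as jdoe@EXAMPLE.COM -> jdoe
principal_to_user() {
    printf '%s\n' "${1%%@*}"
}

# Realm from the same principal -> EXAMPLE.COM
principal_to_realm() {
    printf '%s\n' "${1#*@}"
}

# Sanity-check the arguments before doing anything with them: the DN must
# start with cn= or uid= (any case) and the principal must hold exactly one
# '@' with text on both sides. Returns 0 when both look valid, 1 otherwise.
validate_args() {
    case $1 in
        [Cc][Nn]=*|[Uu][Ii][Dd]=*) ;;
        *) return 1 ;;
    esac
    case $2 in
        *@*@*|@*|*@|"") return 1 ;;
        *@*) ;;
        *) return 1 ;;
    esac
    return 0
}

# Provisioning record: user, realm and DN separated by tabs. The password is
# deliberately never part of the record, so nothing secret reaches the log.
provision_record() {
    printf '%s\t%s\t%s\n' \
        "$(principal_to_user "$2")" "$(principal_to_realm "$2")" "$1"
}

main() {
    if ! validate_args "$1" "$2"; then
        echo "usage: $0 <user-dn> <krb5-principal>   (password on stdin)" >&2
        return 2
    fi
    # Consume the password the adapter writes to stdin. It lives only in this
    # variable, is never echoed, and is cleared before the script returns.
    IFS= read -r password
    if [ -z "$password" ]; then
        echo "no password received on stdin" >&2
        return 3
    fi
    # Hypothetical log location; override with the PROVISION_LOG variable.
    provision_record "$1" "$2" >> "${PROVISION_LOG:-/var/log/siebel-provision.log}"
    # A real deployment would perform its Siebel user-provisioning step here,
    # passing "$password" only if that step genuinely needs it.
    unset password
    return 0
}

# Run only when invoked with arguments (i.e. by the adapter), so the
# functions above can also be sourced and exercised on their own.
if [ $# -gt 0 ]; then
    main "$@"
fi
```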

Single Sign-On (SSO) Configuration

If you chose to configure both the security adapter and single sign-on using mod_auth_vas, you are now asked a number of questions about the location and configuration of the web server and web server extensions.

Refer to Manual Provisioning of Siebel Accounts on page 31 for help answering these questions.

Q27. Do you want to propagate changes?

This setting determines whether Siebel calls the QAS Security Adapter on interfaces that could change information in Active Directory.

If you want password change and user creation by the QAS Security Adapter to work, you must answer yes to this question.

Q28. Would you like to apply this configuration now?

Until now, no actual changes to the Siebel authentication subsystem have been performed. An execution script is created that you can execute now or later (/tmp/configure_VasSecAdpt). If you would like to review the changes before continuing, answer no and apply the execution script later. The execution script is retained partly to simplify reconfiguration if a simple mistake is made during the configuration script interview. It may be easier (once the error is determined) to modify the execution script and re-execute than it would be to go through the entire configuration interview.

After Running the Siebel Security Adapter Configuration Script

1. Restart the Siebel server for changes to take effect.
2. Log in with Active Directory users.
3. Inspect the server configuration profile.

You are now able to see the QAS custom security adapter configuration:

Configuring Single Sign-on Using mod_auth_vas

Option #2 provided by running the configuration script found at /opt/quest/libexec/vas/scripts/siebel/configure_siebel_adapter.sh is to configure single sign-on with mod_auth_vas.

If you choose this option, it walks you through the process of making the following changes:

1. Creating the appropriate service account in Active Directory for mod_auth_vas
2. Configuring your web server extensions for single sign-on (eapps.cfg)
3. Configuring your web server to use mod_auth_vas for authorization (httpd.conf)
4. Modifying the QAS Security Adapter authentication subsystem for single sign-on

Before this process begins, the script asks you to verify the following:

1. You have the mod_auth_vas package installed
2. You have previously completed successful configuration of the QAS Security Adapter
3. You are using an Apache-based web server
4. You are proceeding with configuration on the machine where the Siebel web server extensions are installed

If you answer no to any of these questions, you must terminate the configuration and fix the problem before continuing.

Note: While the configuration script does check for the existence of the mod_auth_vas package, it does not determine if you have installed the correct mod_auth_vas package. The main issue to consider when determining whether you have the correct version installed is your particular version of Apache HTTPD. Apache’s web server module API changes substantially between releases and modules compiled for one version of the Apache web server are not guaranteed to function correctly with another.

Creating the Appropriate Service Account for mod_auth_vas

A correct Active Directory username and password is required to successfully create the service account; however, an incorrect username or password generates a rather conspicuous failure.

A more subtle and difficult to detect error that could occur in this process occurs if you provide an incorrect group name for the httpd process. If the script cannot detect the location of your httpd.conf file (very possible), it complains and provides a default user (such as nobody) that might not actually be correct. This results in applying incorrect permissions to your service keytab, which translates into the inability for any users to access your Siebel application from the web front end once you complete the configuration. Make certain that you locate the httpd.conf file for your web server installation and check its group ownership.

This is sample output from this portion of the configuration process:

This script checks your local configuration for properly using mod_auth_vas.
It will prompt you to create a web service object in Active Directory
if one is needed, and it will correct permissions on certain files.
Commands executed will be recorded in /tmp/mod_auth_vas-setup.log.xxxx

checking privileges .................... root
looking for Apache extension tool ...... not found
looking for Apache configuration file .. not found
looking for HTTP/ keytab ............... /etc/opt/quest/vas/HTTP.keytab

The Apache server process must be able to access the keytab.
I didn't find a httpd.conf file so I don't know what creds it uses.
Tell me what Unix group it will run as, and I'll check the
keytab file permissions so that it is readable by Apache.
Group for Apache httpd process [nobody]: dba
checking keytab is readable by dba ..... yes
checking keytab can authenticate ....... yes
If you have clients using Internet Explorer, a known issue (KB899417)
can see them suddenly being unable to authenticate after only 30 minutes.
A workaround is to create SPN aliases with all the possible 'short-names'
that the host could use to access this server (i.e. http://short-name/).
SPN aliases can also be useful for servers with multiple DNS identities.
Credentials required to run tests on the service account

Please login with a sufficiently privileged domain account.
Username [Administrator]:

Password for [email protected]:
The HTTP/ service is currently known by these SPNs (service principal names):
HTTP/LINUX
HTTP/linux.example.com

Enter a new SPN alias, or 'none' to finish [none]:
Testing whether service password expires no (good)
checking mod_auth_vas is loaded ........ unknown (need -a flag)

Configuring Your Web Server Extensions for Single Sign-On

The configuration script asks you to enter three pieces of information that relate to the configuration of the Siebel web server extensions.

To configure your web server extensions for single sign-on

1. Enter a unique "Trust Token" for this module.

The value of the trust token is not important; it is only important that the trust token specified here matches the trust token configured for the QAS Security Adapter later. If you are configuring the QAS Security Adapter and mod_auth_vas at the same time (both Siebel server and Web server are installed on the same machine), then the security adapter will be automatically configured to use this trust token value. If you are configuring mod_auth_vas separately you need to manually configure the QAS Security Adapter with this trust token in a later step.

2. Enter the application for which you want to configure SSO.

All Siebel applications have configuration sections in the eapps.cfg file. Each application begins with a heading that includes the name of the application. For example, the configuration for sales_enu might look like this:

[/sales_enu]
ConnectString = siebel.TCPIP.None.None://VirtualServer/SBA_80/SSEObjMgr_enu
WebPublicRootDir = /opt/siebel/sweapp/public/enu
SiebEntSecToken = oyBTDdYQOqgBQ/gAAA=

Specify the name of the application you want to configure for single sign-on. If you configured the QAS Security Adapter to authenticate only one component, then the application you specify should match the object manager component specified in Question 2 of the security adapter configuration.

3. Enter the path to your web server's eapps.cfg file:

It is necessary to respond accurately for the script to automatically modify the eapps.cfg file. Typically, the eapps.cfg file is located at /SIEBEL_ROOT/sweapp/bin.

However, you can manually modify the eapps.cfg file as well.

The four lines shown below (SingleSignOn through ProtectedVirtualDirectory; bold italics in the original) are the only changes you must make for any configured application:

[/sales_enu]
SingleSignOn = TRUE
UserSpec = REMOTE_USER
UserSpecSource = Server
ProtectedVirtualDirectory = /sales_enu
ConnectString = siebel.TCPIP.None.None://VirtualServer/SBA_80/SSEObjMgr_enu
WebPublicRootDir = /opt/siebel/sweapp/public/enu
SiebEntSecToken = oyBTDdYQOqgBQ/gAAA=

Configuring Your Web Server to Use mod_auth_vas for Authorization

This portion of the configuration involves modifying your web server’s httpd.conf file so as to load mod_auth_vas for authorization. The configuration script does not modify the httpd.conf file. This must be done manually; the script simply provides a sample configuration file that shows examples of what your mod_auth_vas configuration should look like.

Below is an example configuration that shows what and where to include mod_auth_vas configuration in your httpd.conf file.

1. The newly added lines (bold in the original) are the LoadModule auth_vas_module line and the <IfModule mod_auth_vas.c> block; all other lines are provided as context to show you where to place the configuration.

============================================================
Begin
============================================================
#mod_swe
LoadModule swe_module modules/libmod_swe.so

LoadModule auth_vas_module /usr/lib/httpd/modules/mod_auth_vas.so

<IfModule mod_auth_vas.c>

AuthVasDefaultRealm EXAMPLE.COM

<Directory /opt/siebel/sweapp/public/enu>
    AuthType QAS
    Require valid-user
    AuthVasRemoteUserMap ldap-attr sAMAccountName
</Directory>

LimitRequestFieldSize 16382

</IfModule>

<IfModule mod_swe.cpp>
    AddHandler swe_service .swe .swef
    SWEConfigFile eapps.cfg
    SiebelHome /opt/siebel/sweapp
    Alias /ecustomer_enu /opt/siebel/sweapp/public/enu
    Alias /erm_enu /opt/siebel/sweapp/public/enu
    Alias /sales_enu /opt/siebel/sweapp/public/enu
    .............................
    .... <many more aliases> ....
    .............................

    <Directory /opt/siebel/sweapp/public/enu>
        DirectoryIndex default.htm
        Options Indexes MultiViews
        AllowOverride none
        Order allow,deny
        Allow from all
    </Directory>
</IfModule>
============================================================
End
============================================================

Key items to recognize when adding this configuration are:

• Load the auth_vas_module AFTER the swe_module. If this does not happen there is a chance that the web server will fail to load the module, and fail to start.

• The AuthVasDefaultRealm must match your Active Directory domain name.

• The AuthVasRemoteUserMap ldap-attr value must match the attribute you are using to store your Siebel username (see Q12. What is the name of the attribute used to store the Siebel username? on page 21, asked during the QAS Security Adapter configuration process). This mapping decides which value mod_auth_vas places in REMOTE_USER, and therefore which Siebel account a Kerberos-authenticated user becomes; an attribute that is empty or not unique maps users to the wrong account or to none.

• The directory specified (in this case /opt/siebel/sweapp/public/enu) must match the directory for the alias of your Siebel application.

Note: The alias specified under mod_swe for our app "sales_enu" is also /opt/siebel/sweapp/public/enu.

• LimitRequestFieldSize is raised above the httpd default of 8190 bytes because the Authorization header of a Kerberos (SPNEGO) request carries the user's service ticket, which for users with many group memberships can exceed the default and would otherwise be rejected before mod_auth_vas sees it.

2. After making these changes, restart your web server.
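The two configuration files above have to agree with each other: the section in eapps.cfg must carry the single sign-on settings, the Alias for that application under mod_swe must point at the directory mod_auth_vas protects, and the module order, realm and REMOTE_USER attribute must be the ones listed under the key items. The following Python script is an added example, not code from the Quest guide or from the configuration script it ships; it parses both files and reports which of those points fail. EAPPS_CFG and GOOD_HTTPD are constructed samples modelled on the listings above, BAD_HTTPD is the same fragment with the LoadModule lines in the wrong order, and the application name, realm and attribute are parameters you pass in.

```python
"""Consistency check for the Siebel SWE + mod_auth_vas single sign-on settings.
Added example, not code from the Quest guide. EAPPS_CFG and GOOD_HTTPD are
constructed samples modelled on the guide's listings; in practice read the real
/SIEBEL_ROOT/sweapp/bin/eapps.cfg and httpd.conf into the same functions."""
import re
from configparser import ConfigParser

EAPPS_CFG = """\
[/sales_enu]
SingleSignOn = TRUE
UserSpec = REMOTE_USER
UserSpecSource = Server
ProtectedVirtualDirectory = /sales_enu
WebPublicRootDir = /opt/siebel/sweapp/public/enu
SiebEntSecToken = oyBTDdYQOqgBQ/gAAA=
"""

GOOD_HTTPD = """\
#mod_swe
LoadModule swe_module modules/libmod_swe.so
LoadModule auth_vas_module /usr/lib/httpd/modules/mod_auth_vas.so
<IfModule mod_auth_vas.c>
    AuthVasDefaultRealm EXAMPLE.COM
    <Directory /opt/siebel/sweapp/public/enu>
        AuthType QAS
        Require valid-user
        AuthVasRemoteUserMap ldap-attr sAMAccountName
    </Directory>
    LimitRequestFieldSize 16382
</IfModule>
<IfModule mod_swe.cpp>
    Alias /sales_enu /opt/siebel/sweapp/public/enu
</IfModule>
"""
# Same fragment with the LoadModule lines swapped: the order the guide warns against.
BAD_HTTPD = GOOD_HTTPD.replace(
    "LoadModule swe_module modules/libmod_swe.so\n"
    "LoadModule auth_vas_module /usr/lib/httpd/modules/mod_auth_vas.so\n",
    "LoadModule auth_vas_module /usr/lib/httpd/modules/mod_auth_vas.so\n"
    "LoadModule swe_module modules/libmod_swe.so\n")

_LOAD = re.compile(r"^LoadModule\s+(\S+)")
_DIR = re.compile(r"^<Directory\s+(\S+?)>")
_DIRECTIVE = re.compile(r"^(\w+)\s+(.*\S)")

def parse_eapps(text):
    """Return {section: {key: value}} from eapps.cfg text, preserving key case."""
    cp = ConfigParser(interpolation=None, delimiters=("=",))
    cp.optionxform = str
    cp.read_string(text)
    return {s: dict(cp.items(s)) for s in cp.sections()}

def check_eapps_sso(sections, app):
    """List what is wrong with the single sign-on settings of one application."""
    sec = sections.get(app)
    if sec is None:
        return ["no [%s] section in eapps.cfg" % app]
    want = {"SingleSignOn": "TRUE", "UserSpec": "REMOTE_USER",
            "UserSpecSource": "Server", "ProtectedVirtualDirectory": app}
    bad = ["%s: %s=%r, expected %r" % (app, k, sec.get(k), v)
           for k, v in want.items() if (sec.get(k) or "").lower() != v.lower()]
    if not sec.get("SiebEntSecToken"):
        bad.append("%s: SiebEntSecToken (encrypted trust token) missing" % app)
    return bad

def parse_httpd(text):
    """Collect module load order, realm, Aliases and per-<Directory> directives."""
    conf, cur = {"loads": [], "realm": None, "aliases": {}, "dirs": {}}, None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        load, opens, directive = _LOAD.match(line), _DIR.match(line), _DIRECTIVE.match(line)
        if load:
            conf["loads"].append(load.group(1))
        elif opens:
            cur = conf["dirs"].setdefault(opens.group(1), {})  # blocks merge, as in httpd
        elif line.startswith("</Directory"):
            cur = None
        elif directive:
            name, rest = directive.groups()
            if name == "AuthVasDefaultRealm":
                conf["realm"] = rest
            elif name == "Alias":
                url, path = rest.split(None, 1)
                conf["aliases"][url] = path
            elif cur is not None:
                cur[name] = rest
    return conf

def check_httpd(conf, app, realm, attr):
    """Apply the guide's key items to a parsed httpd.conf and return the failures."""
    bad, loads = [], conf["loads"]
    if "auth_vas_module" not in loads:
        bad.append("auth_vas_module is not loaded")
    elif "swe_module" in loads and loads.index("auth_vas_module") < loads.index("swe_module"):
        bad.append("auth_vas_module must be loaded after swe_module")
    if (conf["realm"] or "").upper() != realm.upper():
        bad.append("AuthVasDefaultRealm=%r, expected %r" % (conf["realm"], realm))
    path = conf["aliases"].get(app)
    block = conf["dirs"].get(path)
    if block is None:
        return bad + ["no Alias for %s with a matching <Directory> block" % app]
    for key, val in (("AuthType", "QAS"), ("Require", "valid-user"),
                     ("AuthVasRemoteUserMap", "ldap-attr " + attr)):
        if block.get(key) != val:
            bad.append("<Directory %s>: %s=%r, expected %r" % (path, key, block.get(key), val))
    return bad
```

Run the checks against the real files by reading them into strings and calling check_eapps_sso(parse_eapps(text), "/sales_enu") and check_httpd(parse_httpd(text), "/sales_enu", "EXAMPLE.COM", "sAMAccountName"); an empty list means every key item holds, and each string in a non-empty list names the setting that is off and the value it should have.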

Modifying the QAS Security Adapter Authentication Subsystem for Single Sign-On

If you are configuring the QAS Security Adapter and mod_auth_vas at the same time (when you have both the Siebel server and the web server installed on the same machine), skip this step, as the QAS Security Adapter configuration process takes care of it.

To configure the QAS Security Adapter for single sign-on

1. Set single sign-on to "True".
2. Set the trust token value to match the one set in the eapps.cfg file, that is, the cleartext token whose encrypted form appears there as SiebEntSecToken.


You can do these tasks through the web interface, or you can run the following commands on your Siebel server to set these values:

srvrcfg -u <adminuser> -g <gatewayserver> -e <siebel_enterprise> -s <siebel_servername> -l <language> -m namedsubsys -c VasSecAdpt -w "CustomSecAdpt_SingleSignOn=(True)"

srvrcfg -u <adminuser> -g <gatewayserver> -e <siebel_enterprise> -s <siebel_servername> -l <language> -m namedsubsys -c VasSecAdpt -w "CustomSecAdpt_TrustToken=(your_unique_trusttokenvalue)"

The second command places the trust token on the command line, where it is visible in the shell history and, while the command runs, in the process list. Clear it from the history afterwards, or set the value through the web interface instead, if that matters in your environment.

Internet Explorer Configuration

If Internet Explorer continues to prompt for a username and password when accessing your Siebel application even after configuring SSO, it is likely that Internet Explorer is not properly configured.

To remedy this situation, refer to the fully illustrated step-by-step guide to configuring Internet Explorer on the Quest Resource Central site: Internet Explorer, a Quest Resource Central "How-To" Doc.

Limitations Associated with Single Sign-On Configuration

Once you have configured single sign-on with mod_auth_vas, you will not be able to access Siebel from the configured web server UNLESS you are a domain user with a Siebel account.

In other words, you will not be able to access the Siebel login page and specify the user with which you would like to log into Siebel.

If you are not logged into your workstation as the domain user that has a configured Siebel account, accessing the Siebel application URL from your web browser will result in an "Invalid username or password" error.

If you regularly need to access the Siebel login page and specify an account other than the currently logged-in user, you must configure a separate web server installation that is not configured for single sign-on.

Additionally, if you logged in by means of SSO, neither password change nor user creation propagation will work.


Chapter 4

Manual Provisioning of Siebel Accounts

For an Active Directory user to log into Siebel he must have both a Siebel account and an Active Directory account. In many cases a user will already have an Active Directory account. For users with pre-existing Active Directory accounts to access Siebel, you must manually create a Siebel account.

When manually creating a Siebel account, ensure that your user's Siebel login ID is stored on their Active Directory account. In other words, the attribute that you specified in Q12. What is the name of the attribute used to store the Siebel username? on page 21 (asked during the QAS Security Adapter configuration process) must contain the user's Siebel login ID. If you accepted the default attribute of sAMAccountName, then you will not need to make any modifications to your user's Active Directory account. Simply ensure that the login ID you provide when you create the Siebel account matches the user's AD account sAMAccountName.

If you are using a custom, or otherwise empty, attribute to store the user's Siebel login ID, you may specify whatever login ID you need for the newly created Siebel account. You must then set that Siebel login ID on the user's Active Directory account.

The key to the manual provisioning process (whether using a pre-populated attribute or not) is to ensure that the newly created Siebel account's login ID matches the value of the attribute configured to store the Siebel login ID.

If you have user creation propagation configured, you will not need to worry about checking the Active Directory account after the Siebel account is created. The QAS Security Adapter will ensure a new Active Directory account is created with the Siebel login ID set on the appropriate attribute.


Chapter 5

Login Time Provisioning of Siebel Accounts

Topics:

• Create a Launch Script
• Create a User Creation Script
• Creating the Oracle Stored Procedure

A common deployment scenario is one in which Active Directory accounts already exist for most (if not all) employees. Many of these users may not have Siebel user identities. In order for a user to access Siebel, they must have a "Siebel account" as well as an Active Directory account. These Siebel accounts are stored in various tables in the backend Siebel database.

The main purpose of the post-authentication script is to provide a hook for an administrator to create a Siebel account in the backend Siebel database when a user successfully authenticates with their Active Directory account. Ideally you would be able to call a Siebel tool (such as srvrmgr) to create the necessary user information in the backend Siebel database, which would allow a simple user creation script requiring no knowledge of the schema used to store user information. However, Siebel does not provide such a tool. Thus, you must create a stored procedure in your database to create Siebel accounts, and call that stored procedure from your post-authentication script to populate the necessary tables.

The stored-procedure method of login time provisioning requires an in-depth knowledge of the Siebel database schema. It is also important to note that the database schema can change from one version of Siebel to the next, so any such stored procedure is likely to be highly version-dependent. The tasks below demonstrate how to launch a stored procedure from the QAS Security Adapter post-authentication script that you can use to create Siebel accounts.


Create a Launch Script

To be able to add a user to a table in the Oracle database, you must run your post-authentication script as the local oracle account; however, the QAS Security Adapter does not run as root, it runs as the local Siebel administrative user. To get the post-authentication script to execute with the right privileges, you must create two separate scripts. The first script must be owned by the local Siebel administrator user under which the QAS Security Adapter runs. This script serves as a springboard for launching the second, root-owned, script by means of sudo.

To create a launch script

1. Create the following script.

linux:/ # ls -al launch_employee_creation.sh
-rwxr-xr-x 1 sadmin dba 76 Mar 11 09:56 launch_employee_creation.sh
linux:/ # cat launch_employee_creation.sh
#!/bin/bash
sudo /scriptlocation/post_auth_create_siebel_employee.sh "$1" "$2"

Since this script runs non-interactively, you must allow the local Siebel administrator (sadmin in this example) to run the script that does the actual user creation (post_auth_create_siebel_employee.sh, as shown above) without specifying a password.

2. Add a sudo rule for sadmin in the /etc/sudoers file as follows (where scriptlocation is the actual location of your script):

sadmin ALL=(ALL) NOPASSWD: /scriptlocation/post_auth_create_siebel_employee.sh

The rule lets sadmin run that one script as root with any arguments, so the script and the directory holding it must be owned by root and not writable by sadmin, and the script must treat "$1" and "$2" as untrusted input. If the script only needs to act as the oracle user, the rule can be narrowed from (ALL) to (oracle) and the launcher changed to sudo -u oracle, which keeps root out of the path entirely; the rule above is the one the guide uses.

This launch script (launch_employee_creation.sh) is the script that you specify as the QAS Security Adapter post-authentication script (asked during the QAS Security Adapter configuration process in: Q24. You have not created/added the role "Web Anonymous User" would you like to do so now? on page 23). If you did not specify this script during the initial configuration process, you can modify the QAS Security Adapter configuration file (/etc/opt/quest/vas/sscvas3.conf). The post-authentication script is specified by the "postauthscript" option under the siebelvas heading as shown below:

[siebelvas]
postauthscript = /scriptlocation/launch_employee_creation.sh

Create a User Creation Script

The launch script calls the user creation script, which in turn calls an Oracle stored procedure as the Oracle user. The user creation script needs to provide any information that your stored procedure requires to create an entry in the S_USER table. At a minimum, it needs a first name, a last name and a login name for the user. You can use vastool search commands to discover the necessary information about your user account.

To create a User Creation Script

Create the following script.

#!/bin/bash
# $1 is the DN of the authenticated user, passed in by the QAS Security Adapter.
FIRSTNAME=$(/opt/quest/bin/vastool -u host/ search -q -s base -b "$1" "(objectClass=*)" givenName)
LASTNAME=$(/opt/quest/bin/vastool -u host/ search -q -s base -b "$1" "(objectClass=*)" sn)
# If your Siebel UID should not be equal to sAMAccountName, change
# the attribute used in this search.
SAMACCOUNTNAME=$(/opt/quest/bin/vastool -u host/ search -q -s base -b "$1" "(objectClass=*)" sAMAccountName)
if [ -z "${FIRSTNAME}" ]; then
    FIRSTNAME=BLANKFIRSTNAME
fi
if [ -z "${LASTNAME}" ]; then
    LASTNAME=BLANKLASTNAME
fi
# The attribute values are pasted into the SQL statement as-is; see the note below.
su -c ". /usr/local/bin/oracle_env.sh; echo call my_create_siebel_employee\(\'$FIRSTNAME\', \'$LASTNAME\', \'$SAMACCOUNTNAME\'\)\; | sqlplus / as sysdba" oracle

This script does the following:

1. Discovers the necessary user information (FirstName, LastName, sAMAccountName) by running vastool search commands against the DN provided to the script by the QAS Security Adapter.

2. Runs su to the Oracle account and calls a PREVIOUSLY CREATED stored procedure (in this case called "my_create_siebel_employee") to put the information discovered in Step 1 into the Siebel S_USER table.

Note: The script searches for sAMAccountName to populate the Siebel Login ID. If you are using a different attribute (refer to Q12. What is the name of the attribute used to store the Siebel username? on page 21 of the configuration process), make sure you change the vastool command that searches for sAMAccountName to use your custom attribute.

Note: givenName, sn and the login attribute are written into the SQL call with no quoting beyond the shell's. A value containing an apostrophe (O'Brien) breaks the statement, and because sqlplus here connects as SYSDBA, anyone who can set those attributes in Active Directory can influence what the database executes. Validate or escape the values before building the call, and prefer a dedicated database account that holds only EXECUTE on the procedure.
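The user creation script above builds its SQL by string-pasting directory values through two layers of shell. The following Python script is an added example, not code from the Quest guide: it performs the same three vastool lookups and the same stored-procedure call as the bash version, but escapes the name values as SQL literals, rejects control characters, validates the login ID against a pattern before it is used, and passes the DN and the statement to vastool and sqlplus as arguments and stdin rather than through a shell command string. my_create_siebel_employee and /usr/local/bin/oracle_env.sh are the guide's own placeholders; LOGIN_RE is an assumption about what a Siebel login ID may look like and should be adjusted to your naming rules. The sqlplus connection is the guide's (/ as sysdba), kept for fidelity; a dedicated account with EXECUTE on the procedure is the better choice.

```python
"""Build the stored-procedure call for the post-authentication script safely.

Added example, not code from the Quest guide. It keeps the guide's design
(vastool search for givenName, sn and the login attribute, then a call to the
stored procedure through sqlplus as the oracle user) but treats the directory
values as untrusted before they reach SQL. my_create_siebel_employee and
/usr/local/bin/oracle_env.sh are the guide's placeholders; LOGIN_RE is an
assumption about the shape of a Siebel login ID, adjust it to your site.
"""
import re
import subprocess
import sys

VASTOOL = "/opt/quest/bin/vastool"
PROCEDURE = "my_create_siebel_employee"
LOGIN_RE = re.compile(r"^[A-Za-z0-9._-]{1,50}$")  # assumption, see module docstring


def lookup_attr(dn, attr):
    """Read one attribute of the authenticated user with vastool search, as the
    guide's script does, but in argv form so the DN never passes through a shell."""
    proc = subprocess.run(
        [VASTOOL, "-u", "host/", "search", "-q", "-s", "base", "-b", dn,
         "(objectClass=*)", attr],
        check=True, capture_output=True, text=True)
    return proc.stdout.strip()


def sql_literal(value, default):
    """Return an Oracle string literal for value (or for default if value is empty).

    Single quotes are doubled, which is how SQL escapes them, so O'Brien becomes
    'O''Brien'; control characters (newline, NUL, ...) are rejected outright.
    """
    value = value or default
    if any(ord(c) < 0x20 or ord(c) == 0x7F for c in value):
        raise ValueError("control character in directory value")
    return "'" + value.replace("'", "''") + "'"


def build_call(first, last, login):
    """Compose the CALL statement the guide's script echoes into sqlplus."""
    if not LOGIN_RE.match(login):
        raise ValueError("login ID %r is not an acceptable Siebel login ID" % login)
    return "CALL %s(%s, %s, %s);" % (
        PROCEDURE,
        sql_literal(first, "BLANKFIRSTNAME"),   # same fallbacks as the bash script
        sql_literal(last, "BLANKLASTNAME"),
        sql_literal(login, ""))


def run_as_oracle(statement):
    """Hand the statement to sqlplus on stdin instead of building an echo pipeline.
    The connect string is the guide's; a dedicated account holding only EXECUTE
    on the procedure is preferable for a script that runs on every login."""
    subprocess.run(
        ["su", "-c", ". /usr/local/bin/oracle_env.sh; sqlplus -S / as sysdba", "oracle"],
        input=statement + "\nEXIT;\n", text=True, check=True)


if __name__ == "__main__":
    dn = sys.argv[1]  # the adapter passes the authenticated user's DN as $1
    run_as_oracle(build_call(lookup_attr(dn, "givenName"),
                             lookup_attr(dn, "sn"),
                             lookup_attr(dn, "sAMAccountName")))
```

Install it in place of post_auth_create_siebel_employee.sh behind the same sudo rule; if your Siebel login ID lives in a different attribute, change the third lookup_attr argument, exactly as the guide says to change the vastool command in the bash version.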

Creating the Oracle Stored Procedure

The Oracle stored procedure takes the information provided by the QAS Security Adapter and inserts it into the various Siebel tables associated with user information. The schemata of the Siebel tables associated with user information are highly dependent upon the version of Siebel used.

Note: The creation of an Oracle stored procedure is outside the scope of this document.


Chapter 6

Troubleshooting

These topics provide information to assist you in troubleshooting problems associated with the QAS Security Adapter.

Topics:

• Special Considerations
• Capturing Debug Information


Special Considerations

The process that loads the Siebel Security Adapter does not run as root. This could be considered slightly abnormal for an authentication process: all other QAS authentication modules run inside a process space that has super user privileges. For example, PAM modules are almost always loaded into a privileged process space.

This lack of root privileges causes the following known problems:

1. The host.keytab cannot be accessed.
2. The disconnected authentication cache cannot be accessed.
3. Default auth facility log files may not be accessible.

The Siebel adapter configuration script takes care of the first two issues by changing ownership of the host.keytab and the disconnected authentication caches from root to the local Siebel user (the user whose process space the QAS Security Adapter is loaded into). Issues could arise if either of these items were manually removed and recreated after the security adapter configuration script runs; however, this should not occur in the course of normal operation. Bear in mind what the ownership change means: the Siebel user now holds the host's Kerberos keys and its cached credentials, so a compromise of that account is a compromise of the host's identity in the domain. Keep the keytab's mode restrictive (readable by that user only) and do not reuse the account for anything else.

You can address the third issue by altering the syslog configuration in the event that QAS Security Adapter log information becomes necessary.

Capturing Debug Information

The QAS Security Adapter logs data to syslog at the auth facility. In order to see any debug information from the QAS Security Adapter, you must have syslog properly configured to log the auth facility to a custom file. Syslog configuration is generally contained in the /etc/syslog.conf file.

To make sure the auth facility is being logged, enter a line similar to the following in your /etc/syslog.conf file:

auth.debug      /var/log/auth.log
authpriv.debug  /var/log/auth.log

Note: Use the second line (authpriv.debug) on Linux systems; use the first line on all other systems.

Verify that the log destination exists and then restart the syslog daemon. Remember that the QAS Security Adapter does not run as root, so make sure the log destination file is writable by the local Siebel user. Do not make it world-readable: at debug level the log records user names and authentication details.

By default, the QAS Security Adapter only logs exceptional issues. You can acquire verbose debug information by adding the "logdebug" parameter to the QAS Security Adapter configuration file, located at /etc/opt/quest/vas/sscvas3.conf. Under the [siebelvas] section heading, add the line:

logdebug = true

