Copyright 2012 Quest Software, Inc. ALL RIGHTS RESERVED. This guide contains proprietary information protected by copyright. The software described in this guide is furnished under a software license or nondisclosure agreement. This software may be used or copied only in accordance with the terms of the applicable agreement. No part of this guide may be reproduced or transmitted in any form or by any means, electronic or mechanical, including photocopying and recording for any purpose other than the purchaser's personal use without the written permission of Quest Software, Inc. The information in this document is provided in connection with Quest products. No license, express or implied, by estoppel or otherwise, to any intellectual property right is granted by this document or in connection with the sale of Quest products. EXCEPT AS SET FORTH IN QUEST'S TERMS AND CONDITIONS AS SPECIFIED IN THE LICENSE AGREEMENT FOR THIS PRODUCT, QUEST ASSUMES NO LIABILITY WHATSOEVER AND DISCLAIMS ANY EXPRESS, IMPLIED OR STATUTORY WARRANTY RELATING TO ITS PRODUCTS INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTY OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE, OR NON-INFRINGEMENT. IN NO EVENT SHALL QUEST BE LIABLE FOR ANY DIRECT, INDIRECT, CONSEQUENTIAL, PUNITIVE, SPECIAL OR INCIDENTAL DAMAGES (INCLUDING, WITHOUT LIMITATION, DAMAGES FOR LOSS OF PROFITS, BUSINESS INTERRUPTION OR LOSS OF INFORMATION) ARISING OUT OF THE USE OR INABILITY TO USE THIS DOCUMENT, EVEN IF QUEST HAS BEEN ADVISED OF THE POSSIBILITY OF SUCH DAMAGES. Quest makes no representations or warranties with respect to the accuracy or completeness of the contents of this document and reserves the right to make changes to specifications and product descriptions at any time without notice. Quest does not make any commitment to update the information contained in this document.
If you have any questions regarding your potential use of this material, contact: Quest Software World Headquarters LEGAL Dept 5 Polaris Way Aliso Viejo, CA 92656 www.quest.com email: legal@quest.com Refer to our Web site for regional and international office information.
Patents
Protected by U.S. Patents #7,617,501; 7,895,332; 7,904,949; 8,086,710; 8,087,075, and 8,245,242. Additional patents pending.
Trademarks
Quest, Quest Software, the Quest Software logo, AccessManager, ActiveRoles, Aelita, Akonix, Benchmark Factory, Big Brother, BridgeAccess, BridgeAutoEscalate, BridgeSearch, BridgeTrak, BusinessInsight, ChangeAuditor, CI Discovery, Defender, DeployDirector, Desktop Authority, Directory Analyzer, Directory Troubleshooter, DS Analyzer, DS Expert, Foglight, GPOADmin, Help Desk Authority, Imceda, IntelliProfile, InTrust, Invirtus, iToken, JClass, JProbe, LeccoTech, LiteSpeed, LiveReorg, LogADmin, MessageStats, Monosphere, NBSpool, NetBase, NetControl, Npulse, NetPro, PassGo, PerformaSure, Point, Click, Done!, Quest vToolkit, Quest vWorkSpace, ReportADmin, RestoreADmin, ScriptLogic, SelfServiceADmin, SharePlex, Sitraka, SmartAlarm, Spotlight, SQL Navigator, SQL Watch, SQLab, Stat, StealthCollect, Storage Horizon, Tag and Follow, Toad, T.O.A.D., Toad World, vAutomator, vConverter, vEcoShell, VESI, vFoglight, vPackager, vRanger, vSpotlight, vStream, vToad, Vintela, Virtual DBA, VizionCore, Vizioncore vAutomation Suite, Vizioncore vEssentials, Vizioncore vWorkflow, WebDefender, Webthority, Xaffire, and XRT are trademarks and registered trademarks of Quest Software, Inc. in the United States of America and other countries. Other trademarks and registered trademarks are property of their respective owners.
Third-Party Contributions
This product may contain one or more of the following third party components. For copies of the text of any license listed, please go to http://www.quest.com/legal/third-party-licenses.aspx .

Component: Apache Commons 1.2
Notes: Apache License Version 2.0, January 2004

Component: Boost
Notes: Boost Software License Version 1.0, August 2003

Component: Expat 2.0.0
Notes: 1998, 1999, 2000 Thai Open Source Software Center Ltd

Component: Heimdal Krb/GSSapi 1.2
Notes: 2004 - 2007 Kungliga Tekniska Högskolan (Royal Institute of Technology, Stockholm, Sweden). All rights reserved.

Component: OpenSSL 0.9.8d
Notes: This product includes software developed by the OpenSSL Project for use in the OpenSSL Toolkit (http://www.openssl.org/) 1998-2008 The OpenSSL Project. All rights reserved.
Contents

Chapter 1: About This Guide .... 7
  About Quest Software .... 8
  Quest One Identity Solution .... 8
  Conventions .... 8
  Contacting Quest Support .... 9

Chapter 2: Introducing the QAS Siebel Security Adapter Solution .... 11

Chapter 3: Integrating Your Siebel Installation with Active Directory .... 13
  Before You Begin the Configuration Process .... 14
    Installing the VASCLNT Package .... 14
    Verifying QAS License Information .... 14
    Joining the Domain .... 15
    Source Your siebenv.sh Script .... 17
    Gather Siebel Server Information .... 17
    Verify Your Siebel Server Installation .... 17
    Installing the QAS Siebel Security Adapter Package .... 17
    Install the mod_auth_vas Package (for SSO only) .... 18
    Beginning the Active Directory Integration Process .... 18
  Configuring the QAS Security Adapter for Siebel .... 18
    Q1. At what level do you want to configure QAS/Active Directory authentication? .... 19
    Q2. What component would you like to configure QAS/Active Directory authentication for? .... 19
    Q3. What is the name of your Siebel server? .... 19
    Q4. What is the gateway name server hostname? .... 19
    Q5. What is the enterprise name? .... 20
    Q6. What is the language? .... 20
    Q7. What is the name of the Active Directory user who has rights to create users and groups in the Directory? .... 20
    Q8. What is the password for <username>? .... 20
    Q9. What is the database username that will be used for shared database credentials? .... 20
    Q10. What is the password for the user that will be used for shared database credentials? .... 21
    Q11. What is the DN of the container where any new user objects will be created? .... 21
    Q12. What is the name of the attribute used to store the Siebel username? .... 21
    Q13. What is the Siebel administrative username? .... 21
    Q14. What is the Siebel administrative user password? .... 21
    Q15. No corresponding user exists in AD, would you like to create it now? .... 21
    Q16. What is the name of your web anonymous user? .... 22
    Q17. What is the web anonymous user password? .... 22
    Q18. No corresponding user exists in AD, would you like to create it now? .... 22
    Q19. Would you like users warned when their password is about to expire? .... 22
    Q20. How many days before password expiration would you like to warn a user? .... 23
    Q21. Should role information come from Active Directory groups designated as Siebel "roles groups"? .... 23
    Q22. What is the name of the file to be used for Siebel "roles groups"? .... 23
    Q23. What is the name (CN) of an existing group or a role name you would like to create? .... 23
    Q24. You have not created/added the role "Web Anonymous User" would you like to do so now? .... 23
    Q25. You have not created/added the role "Siebel Administrator" would you like to do so now? .... 23
    Q26. Would you like to specify a post-authentication script? .... 24
    Single Sign-On (SSO) Configuration .... 24
    Q27. Do you want to propagate changes? .... 24
    Q28. Would you like to apply this configuration now? .... 24
    After Running the Siebel Security Adapter Configuration Script .... 24
  Configuring Single Sign-on Using mod_auth_vas .... 25
    Creating the Appropriate Service Account for mod_auth_vas .... 26
    Configuring Your Web Server Extensions for Single Sign-On .... 26
    Configuring Your Web Server to Use mod_auth_vas for Authorization .... 27
    Modifying the QAS Security Adapter Authentication Subsystem for Single Sign-On .... 28
    Internet Explorer Configuration .... 29
    Limitations Associated with Single Sign-On Configuration .... 29

Chapter 4: Manual Provisioning of Siebel Accounts .... 31

Chapter 5: Login Time Provisioning of Siebel Accounts .... 33
  Create a Launch Script .... 34
  Create a User Creation Script .... 34
  Creating the Oracle Stored Procedure .... 35

Chapter 6: Troubleshooting .... 37
  Special Considerations .... 38
  Capturing Debug Information .... 38
Chapter 1: About This Guide

Topics:
- About Quest Software
- Quest One Identity Solution
- Conventions
- Contacting Quest Support
The Quest Authentication Services Siebel Security Adapter Administrator's Guide contains information about installing and configuring the Quest Authentication Services (QAS) Siebel Security Adapter for Siebel and integrating your Siebel Unix installation with Active Directory.

Oracle provides integrated Windows authentication for all Siebel installations running on Windows platforms. But what if your Siebel installation is on a Unix/Linux system? Siebel, and later Oracle, provide a generic "Security Adapter Interface" API that allows third-party vendors to create custom security adapters. Siebel then uses the interface provided by a custom security adapter to provide authentication and password change services to Siebel users. Until now there has never been a solution specifically designed to use this API to integrate Siebel Unix installations with Active Directory. If your Siebel installation is on Unix/Linux, you had only two options: attempt to integrate with Active Directory using the generic LDAP security adapter (its limitations are addressed in the next chapter), or write your own custom security adapter.

The QAS solution provides a custom security adapter written to the Siebel Security Adapter Interface 3.00. QAS allows Unix/Linux systems to be joined to an Active Directory domain and provides Active Directory authentication and identity information to all system-level services. The QAS Siebel security adapter implements integrated Windows authentication for all Unix/Linux operating systems supported by Siebel by building on the framework provided by the QAS client. QAS also provides the ability to configure single sign-on for any Unix/Linux Siebel installation that uses an Apache-based web server (such as OHS or IHS).
8 | Authentication Services 4.0.3 Siebel Security Adapter Administrator's Guide | About This Guide
Quest One Identity Solution

Quest One improves efficiency, enhances security and helps organizations achieve and maintain compliance by addressing identity and access management challenges as they relate to:
- Single sign-on
- Directory consolidation
- Provisioning
- Password management
- Strong authentication
- Privileged account management
- Audit and compliance
Conventions

In order to help you get the most out of this guide, we have used specific formatting conventions. These conventions apply to procedures, icons, keystrokes and cross-references.

Element: Select
Convention: This word refers to actions such as choosing or highlighting various interface elements, such as files and radio buttons.

Element: Bold text
Convention: Used to indicate elements that appear in the graphical user interface that you are to select, such as the OK button.

Other text styles used in this guide indicate:
- Interface elements that appear in Quest products, such as menus and commands.
- Host names, file names, program names, command names, and file paths.
- An interactive link to a related topic.
- Additional information pertinent to the process or topic being described.

Element: +
Convention: A plus sign between two keystrokes means that you must press them at the same time.

Element: |
Convention: A pipe sign between elements means that you must select the elements in that particular sequence.
Information Sources
Public Forum
The Community site is a place to find answers and advice, join a discussion forum, or get the latest documentation and release information: All Things Unix Community. View the Global Support Guide for a detailed explanation of support programs, online services, contact information, policies and procedures. The guide is available at support.quest.com.
Chapter 2: Introducing the QAS Siebel Security Adapter Solution
The QAS Active Directory support for Siebel goes well beyond what the generic Siebel LDAP security adapter provides. The generic LDAP adapter only validates a user's password against a conformant directory by performing an LDAP bind with that password. Unless the connection is protected by TLS/SSL (which in turn requires a certificate infrastructure), a simple bind sends the password in the clear. QAS is designed specifically for Active Directory: it authenticates with Kerberos, the security protocol built into Active Directory, so authentication requests are protected against eavesdropping without any additional certificate infrastructure.

A generic LDAP adapter also cannot provide proper password change support for Active Directory users. LDAP directories that serve Unix/Linux systems typically store the password (or its hash) in a user attribute that a password change request simply modifies. Active Directory does not expose the password in any readable attribute; a password can be set over LDAP only by writing the special unicodePwd attribute over an encrypted connection, with Active Directory-specific handling that a generic adapter does not implement. The other route is a Kerberos password change request, and that is what QAS uses. The QAS Kerberos integration provides seamless password change integration with Active Directory, including changing the password, enforcing the domain password policy (minimum password length, complexity requirements, history, and so forth), and notifying the user of impending password expiration; none of these are available through a standard LDAP adapter.

QAS also lets you manage Siebel roles through Active Directory groups. You simply designate which groups are "roles" groups, and QAS returns the names of those groups as the current roles of any member user. This greatly simplifies management of Siebel roles and requires no schema extension.

Additionally, QAS provides an Apache module (mod_auth_vas) that lets you configure single sign-on for any Siebel installation that uses an Apache-based web server (such as Oracle's OHS or IBM's IHS).

These are only a few of the many benefits QAS provides to Siebel Unix installations. The features of the QAS solution are:
- Support for authentication of Active Directory accounts
- Support for password change at login time or afterwards
- Support for all Active Directory password complexity requirements (password history, length, and so forth)
- Support for password expiration warning at login
- Support for Active Directory account lockout, account disable, and enforcement of login hours and account expiry
- Support for Active Directory account creation and administrative password set from the Siebel UI
- Single sign-on
- The ability to use one shared database account for all Siebel accounts
- The ability to mark certain Active Directory groups as Siebel "Roles Groups", thereby allowing the management of Siebel Roles through Active Directory and the ADUC MMC snap-in
- Leverages the site topology of Active Directory to distribute load and provide redundancy
- Provides local "Disconnected Authentication" in the event that the Siebel Server cannot contact any Active Directory domain controllers
- Support for a "post-authentication" hook which you can use to auto-provision Siebel accounts for Active Directory accounts which have not previously been provisioned in the Siebel user database
- Simple setup script that automates the process of installing and configuring the QAS security adapter
- HP-UX, AIX, Solaris, and Linux support
- Support for Siebel versions 7.5, 7.7, 7.8, and 8.0+

The QAS solution clearly offers superior support to a standard LDAP solution when it comes to integrating Siebel Unix installations with Active Directory. The QAS solution is the only solution designed specifically to integrate your Unix/Linux Siebel installation with Active Directory.
Chapter 3: Integrating Your Siebel Installation with Active Directory

Topics:
- Before You Begin the Configuration Process
- Configuring the QAS Security Adapter for Siebel
- Configuring Single Sign-on Using mod_auth_vas

There are two main integration points in the process of configuring your Siebel Unix/Linux installation to use the QAS components to integrate with Active Directory:
1. Basic Active Directory integration using the QAS Security Adapter for Siebel (see Configuring the QAS Security Adapter for Siebel on page 18)
2. Single sign-on using mod_auth_vas (see Configuring Single Sign-on Using mod_auth_vas on page 25)
Each of the following sections provides detailed instructions for each of these steps.
Joining the Domain Using VASTOOL

You can join your Unix host to Active Directory with the vastool join command directly from the command line. Before you join the QAS agent to the Active Directory domain, collect the following information:
- The DNS name of the Active Directory domain of which you want the QAS agent to be a member.
- The user name and password of a user that has sufficient administrative privileges to create computer objects in Active Directory.

To join Active Directory using vastool join

1. Run the following command as the root user at a shell prompt:
   # /opt/quest/bin/vastool -u <user> join <domain-name>
2. Enter the user's password when prompted. The vastool join results are shown on the shell's standard output.

Note: vastool join supports many options that allow you to customize the way the computer is joined to the domain. You can specify the name of the computer object. You can join to a specific organizational unit or use a pre-created computer object. For a list of all vastool join options, refer to the vastool man page.

Joining the Domain Using VASJOIN Script

Rather than using the vastool join command from the command line, you can join your Unix host to Active Directory using the interactive join script, vasjoin.sh. The script walks you through the domain join process, calling the vastool join command. The vasjoin.sh script is in the /opt/quest/libexec/vas/scripts/ directory. You can use most of the standard vastool join command options when running it. However, you can run the join script with no options; it only requires that you supply the domain name and the name of a user with sufficient Active Directory privileges to perform the join.
Table 1: Common vasjoin Script Options

Option   Function
-h       Help; displays options, including how to pass vastool join options
-q       Unattended or quiet mode; less verbose output: no explanations, asks no questions
-i       Interactive mode; prompts for common options
(none)   Simple mode; installs vasclnt and vasgp, with options to add a license and join the domain

To join Active Directory using the vasjoin script

Run the script as the root user at a shell prompt, as follows:

   /opt/quest/libexec/vas/scripts/vasjoin.sh

The script ensures that your local host's time is synchronized with that of a domain controller in the domain you want to join (Kerberos rejects requests whose timestamps fall outside the permitted clock skew), then performs the join for you by running vastool join as follows:

   vastool -u <username> join <domain-name>

Follow the prompts to complete the join process.

Note: To run the script in interactive mode:

   /opt/quest/libexec/vas/scripts/vasjoin.sh -i

In interactive mode, it prompts you for specific information and allows you to either save the resulting vastool join command in a script or execute the command immediately. The script presents defaults as part of the prompting, and if you accept them all, the result is identical to running the script in simple mode. The information gathered by the full, interactive mode of vasjoin.sh includes the following:
- Specific domain controllers to use
- Domain to join
- User, usually administrator, to use in joining
- Keytab file
- Confirmation to fix Kerberos clock skew, if any
- Whether to overwrite your host's existing Active Directory ComputerName object
- A different name for the AD ComputerName object
- AD container in which to put the ComputerName object
- Site name
- UPM mode (yes or no)
- User search path on which to look for Active Directory users
- Alternate group search path
- Workstation mode (yes or no)
- Alternate domains in which to search, if you want cross-domain logins
- Self-enrollment of existing /etc/passwd users (yes or no)

The script then shows the path to the lastjoin file (/etc/opt/quest/vas/lastjoin). The lastjoin file records the join command that was run and contains something similar to:

   /opt/quest/bin/vastool -u administrator join -f acme.com
Refer to Installing the VASCLNT Package on page 14 for details about mounting your QAS installation media.
If you did not launch the configuration immediately following installation, start the QAS Security Adapter configuration by running the configure_siebel_adapter.sh script. The script presents you with the following choices:

   What components would you like to configure?
   1 - Active Directory Integration using the "QAS Security Adapter for Siebel".
   2 - SSO configuration for Siebel Web Server extensions using mod_auth_vas.
   3 - All of the above

You can configure Active Directory integration without completing the SSO configuration and retain all benefits of the QAS Security Adapter with the exception of single sign-on support. However, SSO configuration requires that you first successfully configure the "QAS Security Adapter for Siebel". If your Siebel server and web server extensions are installed on the same host, you can configure both at the same time by choosing option #3 (All of the above).
of this. As much as possible, the configuration script attempts to validate your installation and the input you are providing. It is not possible to validate all input, however. Be extremely careful to answer all questions accurately especially those noted as "not validated by the configuration script". Note: Before you start, gather the Siebel Server information (See Gather Siebel Server Information on page 17.)
Q2. What component would you like to configure QAS/Active Directory authentication for?
You are only asked this question if you choose component-level configuration. When choosing component-level configuration, you are essentially configuring QAS authentication for only one Siebel application. The component name is the name of the Siebel object manager for that application. For example, if you want to configure QAS authentication for the English version of the Siebel Sales application, specify the component as SSEObjMgr_enu. The connect string for that application looks like:

   [sales_enu]
   siebel.TCPIP.None.None://$(LoadBalancingServer)/SBA_80/SSEObjMgr_enu

Note: The last portion of the connect string contains the component name.
Q7. What is the name of the Active Directory user who has rights to create users and groups in the Directory?
In response to this question, provide an Active Directory user who has rights to create objects in the user creation container (which you are prompted for in Q11). The following notice is also given:

   These credentials will be necessary to create the web anonymous and Siebel administrator users (if necessary), and any roles groups (You will be prompted before any object is created).

You must provide these credentials. The configuration script creates two necessary users by default, the web anonymous user and the Siebel administrator user; before creating them, it prompts you for the names of each. The configuration script also creates two "roles" groups, "Siebel Administrator" and "Web Anonymous User", and adds the new users to the appropriate roles group. The credentials you specify in this question and the next are the ones used to create these users and roles groups. The built-in Active Directory "Administrator" account always has the necessary rights, but a dedicated account with fewer privileges is the better choice, as long as it has rights to create users and groups in the container you specify in Q11.
Q9. What is the database username that will be used for shared database credentials?
Siebel requires that all users have database credentials. These credentials need not be unique. The QAS Security Adapter supports the use of one shared database account for all users. The database user information you provide here is stored in the QAS Security Adapter configuration file (/etc/opt/quest/vas/sscvas3.conf). This field is not validated by the configuration script, so ensure that the account you enter exists in your backend database. Because this file holds the shared database credentials, make sure it is readable only by the account the Siebel server runs as.
Q10. What is the password for the user that will be used for shared database credentials?
This is the database password for the user entered in Q9. This value is stored (along with the shared database username) in the QAS Security Adapter configuration file (/etc/opt/quest/vas/sscvas3.conf).
Q11. What is the DN of the container where any new user objects will be created?
This is the full LDAP DN of a container (CN) or organizational unit (OU) where new user objects will be created by the QAS Security Adapter. The QAS Security Adapter propagates new user additions into Active Directory in this container or organizational unit. This is not a restrictive search base: users outside of this container can still authenticate. It only determines where new users are created. The response should look similar to the following:

   cn=users,dc=example,dc=com
Q12. What is the name of the attribute used to store the Siebel username?
Which directory attribute contains the Siebel user ID? The default is sAMAccountName. If your Siebel user IDs are not the same as your Active Directory sAMAccountName values, you must specify here which user attribute contains the Siebel user IDs.

It is important that the attribute you specify is indexed. A custom attribute such as "siebelUsername" is most likely NOT indexed, and searching on an unindexed attribute forces the domain controller to scan the directory for every login; this WILL CAUSE very severe performance problems on your domain controllers under any significant load. Check the attribute's indexing (the searchFlags value on its attributeSchema object, or the "Index this attribute" setting in the Active Directory Schema snap-in) before you go live.

If you specify a custom attribute, Siebel users must log in by specifying one of the following:
1. Siebel User ID
2. Active Directory username in the form "Domain\sAMAccountName"
3. Active Directory username in the form "NetBiosDomain\sAMAccountName"
4. Active Directory user principal name in the form "Username@Domain"

If you accept the default attribute (sAMAccountName), users can log in by specifying their sAMAccountName without a domain prefix (as this is also their Siebel User ID).
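The four login forms above decide which directory attribute a lookup must search on. The following added example (illustrative Python, not code from the QAS Siebel Security Adapter) shows one way to classify a typed login into those forms and to build a correctly escaped LDAP search filter for it. The filter layout, the UserLookup type and the sample custom attribute name siebelUsername are assumptions made for the example; the escaping follows RFC 4515, so a login containing filter metacharacters cannot change the query (LDAP injection), which matters because the login name is untrusted input typed into the Siebel login page.

```python
"""Classify a Siebel login name and build an LDAP filter for it.

Added example, not code from the QAS Siebel Security Adapter. Assumptions:
the adapter locates the AD user with a search filter of the form shown here,
and 'siebelUsername' is only a sample custom attribute name.
"""
from dataclasses import dataclass
from typing import Optional

DEFAULT_ATTR = "sAMAccountName"

# RFC 4515 escaping for values embedded in a search filter. A login name is
# untrusted input; splicing it in unescaped is an LDAP injection vector.
_FILTER_ESCAPES = {"\\": r"\5c", "*": r"\2a", "(": r"\28", ")": r"\29", "\0": r"\00"}


def escape_filter_value(value: str) -> str:
    """Escape the characters that have meaning inside an LDAP filter."""
    return "".join(_FILTER_ESCAPES.get(ch, ch) for ch in value)


@dataclass(frozen=True)
class UserLookup:
    attribute: str           # AD attribute compared against the typed value
    value: str               # the raw value (unescaped)
    domain: Optional[str]    # domain named in the login, if any (DNS or NetBIOS)

    @property
    def ldap_filter(self) -> str:
        # objectClass=user narrows the search; the value is always escaped.
        return "(&(objectClass=user)(%s=%s))" % (
            self.attribute, escape_filter_value(self.value))


def resolve_login(login: str, siebel_attr: str = DEFAULT_ATTR) -> UserLookup:
    """Map one of the four login forms to the attribute that must be searched.

    1. Siebel User ID                -> siebel_attr (sAMAccountName by default)
    2. Domain\\sAMAccountName        -> sAMAccountName, in the named domain
    3. NetBiosDomain\\sAMAccountName -> same as 2, with a NetBIOS domain name
    4. Username@Domain (UPN)         -> userPrincipalName

    If your Siebel user IDs can themselves contain '\\' or '@', the order of
    these checks has to change; the example assumes they cannot.
    """
    login = login.strip()
    if not login:
        raise ValueError("empty login name")
    if "\\" in login:                              # forms 2 and 3
        domain, _, account = login.partition("\\")
        if not domain or not account or "\\" in account:
            raise ValueError("malformed DOMAIN\\user login: %r" % login)
        return UserLookup("sAMAccountName", account, domain)
    if "@" in login:                               # form 4
        user, _, domain = login.rpartition("@")
        if not user or not domain:
            raise ValueError("malformed UPN login: %r" % login)
        return UserLookup("userPrincipalName", login, domain)
    return UserLookup(siebel_attr, login, None)    # form 1
```

For a login of `EXAMPLE\jdoe` the result searches `sAMAccountName=jdoe` in domain EXAMPLE; a hostile login such as `j*)(|(cn=*` is rendered as `j\2a\29\28|\28cn=\2a` inside the filter and matches nothing. The caveat from the text still applies: whichever attribute ends up in the filter for form 1 must be indexed on the domain controllers.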
Q15. No corresponding user exists in AD, would you like to create it now?
You are only asked this question if the user you specified in Q13 cannot be found in Active Directory. You must create the Siebel administrative user in Active Directory if you are configuring the QAS Security Adapter enterprise wide. But even if you are not configuring the QAS Security Adapter enterprise wide, Quest recommends this as a best practice.
22 | Authentication Services 4.0.3 Siebel Security Adapter Administrator's Guide | Integrating Your Siebel Installation with Active Directory
Q18. No corresponding user exists in AD, would you like to create it now?
You are only asked this question if the user specified in Q16 cannot be found in Active Directory. The web anonymous user MUST exist in Active Directory, so answer "yes" to this question now, unless you intend to create the user later.
Q19. Would you like users warned when their password is about to expire?
If you respond "yes" to this question, Siebel users are warned at their next login that their password will expire soon. The password expiration warning cannot tell the user how long until their password expires, only that expiration is imminent.
Q20. How many days before password expiration would you like to warn a user?
You are only asked this question if you responded "yes" to Q19. This is the number of days before password expiry at which a user begins seeing warnings that their password will soon expire.
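The adapter only reports that expiry is imminent, but the underlying arithmetic is worth seeing when choosing the Q20 threshold. The following Python is an added illustration, not part of the Quest guide and not how the adapter computes its warning: it derives the expiry time from the user's pwdLastSet, the domain's maxPwdAge and the DONT_EXPIRE_PASSWORD bit of userAccountControl, then applies a warn-days threshold. The dates and intervals are constructed sample values.

```python
# Added example (not from the Quest guide): compute days until an Active
# Directory password expires and apply a Q20-style warn-days threshold.
from datetime import datetime, timedelta

FILETIME_EPOCH = datetime(1601, 1, 1)
HUNDRED_NS_PER_SECOND = 10_000_000
DONT_EXPIRE_PASSWORD = 0x10000         # userAccountControl bit
NEVER = -0x8000000000000000            # maxPwdAge value meaning "never expires"

def to_filetime(dt: datetime) -> int:
    """Convert a naive UTC datetime to a Windows FILETIME (100ns ticks since 1601)."""
    return int((dt - FILETIME_EPOCH).total_seconds()) * HUNDRED_NS_PER_SECOND

def from_filetime(ft: int) -> datetime:
    """Inverse of to_filetime."""
    return FILETIME_EPOCH + timedelta(microseconds=ft // 10)

def password_expiry(pwd_last_set: int, max_pwd_age: int, user_account_control: int):
    """Return the expiry datetime, or None when the password never expires.

    pwd_last_set: the user's pwdLastSet (FILETIME); 0 means "must change at next logon"
    max_pwd_age:  the domain's maxPwdAge, a negative 100ns interval
    """
    if user_account_control & DONT_EXPIRE_PASSWORD:
        return None
    if max_pwd_age == 0 or max_pwd_age == NEVER:
        return None
    if pwd_last_set == 0:
        return FILETIME_EPOCH            # already expired: forced change pending
    return from_filetime(pwd_last_set - max_pwd_age)   # max_pwd_age is negative

def days_until_expiry(expiry, now: datetime):
    """Whole days left (negative once expired); None when there is no expiry."""
    if expiry is None:
        return None
    return (expiry - now).days

def should_warn(pwd_last_set: int, max_pwd_age: int, user_account_control: int,
                warn_days: int, now: datetime) -> bool:
    """True when the password expires within warn_days, or has already expired."""
    days = days_until_expiry(password_expiry(pwd_last_set, max_pwd_age, user_account_control), now)
    return days is not None and days <= warn_days

# Constructed sample: password set 1 Jan 2012, 42-day maximum age, checked on 8 Feb 2012.
SAMPLE_PWD_LAST_SET = to_filetime(datetime(2012, 1, 1))
SAMPLE_MAX_PWD_AGE = -42 * 24 * 3600 * HUNDRED_NS_PER_SECOND
SAMPLE_NOW = datetime(2012, 2, 8)

if __name__ == "__main__":
    expiry = password_expiry(SAMPLE_PWD_LAST_SET, SAMPLE_MAX_PWD_AGE, 0)
    print(expiry, days_until_expiry(expiry, SAMPLE_NOW),
          should_warn(SAMPLE_PWD_LAST_SET, SAMPLE_MAX_PWD_AGE, 0, 5, SAMPLE_NOW))
```

Two caveats for real deployments: where a fine-grained password policy applies, the user's msDS-ResultantPSO overrides the domain maxPwdAge, and on Windows Server 2008 and later domain controllers the constructed attribute msDS-UserPasswordExpiryTimeComputed returns the expiry FILETIME directly, so the policy arithmetic above can be replaced by a single read.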
Q21. Should role information come from Active Directory groups designated as Siebel "roles groups"?
Roles groups provide a group membership-based solution to the management of Siebel Roles. For each Siebel role, a group is created in Active Directory. The name of the role returned to Siebel is the "CN" of the group. All users who are a member of a given group have that role returned from the QAS Security Adapter. This method of managing Siebel roles in Active Directory is a unique feature of the QAS Security Adapter. Quest recommends that you use this method. It provides excellent compatibility with the management tools available to Active Directory administrators (such as ADUC) and it does not require extending the user schema. If you choose not to use "roles groups", you will be asked to specify a user attribute that contains Siebel roles. The attribute you specify must be a multi-valued attribute.
Q22. What is the name of the file to be used for Siebel "roles groups"?
If a group is a Siebel roles group, you must specify it in this file. Groups not contained in this file are not Siebel roles groups. Each group is identified in this file by its SID. Quest does not recommend that you manually add groups to this file. QAS provides a script to assist you in adding roles groups after the initial configuration. The script is /opt/quest/libexec/vas/scripts/siebel/add_roles_groups.sh. While the location of the file is purely arbitrary, unless you have a specific need to place the file in another location, Quest recommends that you accept the default location.
Q23. What is the name (CN) of an existing group or a role name you would like to create?
You are given the opportunity to create any roles you would like at this time. No specific roles need to be configured during initial configuration other than the "Siebel Administrator" role and the "Web Anonymous User" role, and you will be prompted later to create those required roles if you do not create them here. You can also add other roles later by running the script /opt/quest/libexec/vas/scripts/siebel/add_roles_groups.sh. If you have roles you would like to create, specify them now. Enter exit when you have finished.
Q24. You have not created/added the role "Web Anonymous User" would you like to do so now?
If you did not add a role group for the "Web Anonymous User" role, reply yes now. Replying "yes" to this question creates the "Web Anonymous User" group in Active Directory, if it does not already exist. The group is then added to the configured "roles groups" file, and your web anonymous user is added as a member of the group.
Q25. You have not created/added the role "Siebel Administrator" would you like to do so now?
If you did not add a role group for the "Siebel Administrator" role, reply yes now. Replying "yes" to this question creates a "Siebel Administrator" group in Active Directory, if such a group does not already exist. The group is then added to the configured "roles groups" file, and your Siebel administrative user is added as a member of the group.
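Q21 to Q25 describe the roles-groups model: a designated group's CN is the role name, the roles-groups file identifies groups by SID, and a user receives the role for every designated group they belong to. The following Python is an added illustration of that resolution, not part of the Quest guide and not the add_roles_groups.sh script. It assumes, as a labelled assumption, that the roles-groups file holds one SID string per line; the domain SID, groups and user membership are constructed sample data. Decoding objectSid is included because the directory returns the SID in binary form.

```python
# Added example (not from the Quest guide or add_roles_groups.sh): decode AD
# objectSid values and resolve a user's Siebel roles from a roles-groups file.
import struct
from typing import Iterable, List, Set, Tuple

def decode_sid(blob: bytes) -> str:
    """Convert a binary objectSid into its S-1-... string form."""
    if len(blob) < 8:
        raise ValueError("SID too short")
    revision, sub_count = blob[0], blob[1]
    authority = int.from_bytes(blob[2:8], "big")        # 48-bit identifier authority
    if len(blob) != 8 + 4 * sub_count:
        raise ValueError("SID length does not match sub-authority count")
    subs = struct.unpack("<%dI" % sub_count, blob[8:])   # little-endian sub-authorities
    return "S-%d-%d" % (revision, authority) + "".join("-%d" % s for s in subs)

def encode_sid(text: str) -> bytes:
    """Inverse of decode_sid; used here only to build constructed sample data."""
    parts = text.split("-")
    if parts[0] != "S" or len(parts) < 3:
        raise ValueError("not a SID string")
    revision, authority = int(parts[1]), int(parts[2])
    subs = [int(p) for p in parts[3:]]
    return (bytes([revision, len(subs)]) + authority.to_bytes(6, "big")
            + struct.pack("<%dI" % len(subs), *subs))

def load_roles_groups(lines: Iterable[str]) -> Set[str]:
    """Parse the roles-groups file. Assumed format: one SID per line,
    blank lines and '#' comments ignored."""
    sids = set()
    for line in lines:
        line = line.strip()
        if line and not line.startswith("#"):
            sids.add(line)
    return sids

def siebel_roles(member_of: Iterable[Tuple[str, bytes]], roles_groups: Set[str]) -> List[str]:
    """Return the CNs of the user's groups that are designated roles groups.

    member_of: (group CN, group objectSid) pairs for every group the user is in.
    As the guide describes, the role name handed to Siebel is the group's CN.
    Matching on SID rather than CN means a renamed group keeps its role and a
    deleted-and-recreated group with the same name does not inherit it.
    """
    return sorted(cn for cn, sid in member_of if decode_sid(sid) in roles_groups)

# Constructed sample data: a domain SID prefix, four groups, one user.
DOMAIN = "S-1-5-21-1000-2000-3000"
GROUPS = {
    "Siebel Administrator": encode_sid(DOMAIN + "-1105"),
    "Web Anonymous User": encode_sid(DOMAIN + "-1106"),
    "Sales Managers": encode_sid(DOMAIN + "-1107"),
    "Domain Users": encode_sid(DOMAIN + "-513"),
}
ROLES_FILE = """# Siebel roles groups (constructed sample)
S-1-5-21-1000-2000-3000-1105
S-1-5-21-1000-2000-3000-1106
S-1-5-21-1000-2000-3000-1107
"""
USER_MEMBER_OF = [(cn, GROUPS[cn]) for cn in ("Domain Users", "Sales Managers", "Siebel Administrator")]

if __name__ == "__main__":
    roles = load_roles_groups(ROLES_FILE.splitlines())
    print(siebel_roles(USER_MEMBER_OF, roles))   # Domain Users is not a roles group
```

In a live lookup the user's tokenGroups constructed attribute returns exactly these binary SIDs, nested membership included, which avoids walking memberOf and resolving each group DN separately.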
Before this process begins, the script asks you to verify the following:
1. You have the mod_auth_vas package installed.
2. You have previously completed a successful configuration of the QAS Security Adapter.
3. You are using an Apache-based web server.
4. You are proceeding with the configuration on the machine where the Siebel web server extensions are installed.
If your answer to any of these questions is no, terminate the configuration and fix the problem before continuing.
Note: While the configuration script checks that the mod_auth_vas package exists, it does not determine whether you have installed the correct mod_auth_vas package. The main factor is your particular version of Apache HTTPD: Apache's web server module API changes substantially between releases, and a module compiled for one version of the Apache web server is not guaranteed to function correctly with another.
The Apache server process must be able to access the keytab.
I didn't find a httpd.conf file so I don't know what creds it uses.
Tell me what Unix group it will run as, and I'll check the keytab
file permissions so that it is readable by Apache.
Group for Apache httpd process [nobody]: dba
checking keytab is readable by dba ..... yes
checking keytab can authenticate ....... yes

If you have clients using Internet Explorer, a known issue (KB899417)
can see them suddenly being unable to authenticate after only 30 minutes.
A workaround is to create SPN aliases with all the possible 'short-names'
that the host could use to access this server (i.e. http://short-name/).
SPN aliases can also be useful for servers with multiple DNS identities.

Credentials required to run tests on the service account
Please login with a sufficiently privileged domain account.
Username [Administrator]:
Password for Administrator@EXAMPLE.COM:

The HTTP/ service is currently known by these SPNs (service principal names):
  HTTP/LINUX
  HTTP/linux.example.com
Enter a new SPN alias, or 'none' to finish [none]:

Testing whether service password expires no (good)
checking mod_auth_vas is loaded ........ unknown (need -a flag)
machine), then the security adapter will be automatically configured to use this trust token value. If you are configuring mod_auth_vas separately, you must manually configure the QAS Security Adapter with this trust token in a later step.
2. Enter the application for which you want to configure SSO. All Siebel applications have configuration sections in the eapps.cfg file. Each application begins with a heading that includes the name of the application. For example, the configuration for sales_enu might look like this:
    [/sales_enu]
    ConnectString = siebel.TCPIP.None.None://VirtualServer/SBA_80/SSEObjMgr_enu
    WebPublicRootDir = /opt/siebel/sweapp/public/enu
    SiebEntSecToken = oyBTDdYQOqgBQ/gAAA=
Specify the name of the application you want to configure for single sign-on. If you configured the QAS Security Adapter to authenticate only one component, the application you specify should match the object manager component specified in Question 2 of the security adapter configuration.
3. Enter the path to your web server's eapps.cfg file. You must respond accurately for the script to modify the eapps.cfg file automatically. Typically, the eapps.cfg file is located in /SIEBEL_ROOT/sweapp/bin. You can also modify the eapps.cfg file manually. The first four lines below (SingleSignOn, UserSpec, UserSpecSource and ProtectedVirtualDirectory) are the only changes you must make for any configured application:
    [/sales_enu]
    SingleSignOn = TRUE
    UserSpec = REMOTE_USER
    UserSpecSource = Server
    ProtectedVirtualDirectory = /sales_enu
    ConnectString = siebel.TCPIP.None.None://VirtualServer/SBA_80/SSEObjMgr_enu
    WebPublicRootDir = /opt/siebel/sweapp/public/enu
    SiebEntSecToken = oyBTDdYQOqgBQ/gAAA=
        </Directory>
        LimitRequestFieldSize 16382
    </IfModule>
    <IfModule mod_swe.cpp>
        AddHandler swe_service .swe .swef
        SWEConfigFile eapps.cfg
        SiebelHome /opt/siebel/sweapp
        Alias /ecustomer_enu /opt/siebel/sweapp/public/enu
        Alias /erm_enu /opt/siebel/sweapp/public/enu
        Alias /sales_enu /opt/siebel/sweapp/public/enu
        .... <many more aliases> ....
        <Directory /opt/siebel/sweapp/public/enu>
            DirectoryIndex default.htm
            Options Indexes MultiViews
            AllowOverride none
            Order allow,deny
            Allow from all
        </Directory>
    </IfModule>
    ============================== End ==============================
Key items to recognize when adding this configuration are:
Load the auth_vas_module AFTER the swe_module. If you do not, the web server may fail to load the module and fail to start.
The AuthVasDefaultRealm must match your Active Directory domain name.
The AuthVasRemoteUserMap ldap-attr value must match the attribute you are using to store your Siebel username (see Q12. What is the name of the attribute used to store the Siebel username? on page 21, asked during the QAS Security Adapter configuration process).
The directory specified (in this case /opt/siebel/sweapp/public/enu) must match the directory of the alias for your Siebel application. Note: The alias specified under mod_swe for our application "sales_enu" is also /opt/siebel/sweapp/public/enu.
2. After making these changes, restart your web server.
Modifying the QAS Security Adapter Authentication Subsystem for Single Sign-On
If you are configuring the QAS Security Adapter and mod_auth_vas at the same time (when both the Siebel server and the web server are installed on the same machine), skip this step: the QAS Security Adapter configuration process takes care of it. To configure the QAS Security Adapter for single sign-on:
1. Set single sign-on to True.
2. Set the trust token value to match the one set in the eapps.cfg file.
You can do these tasks through the web interface, or you can run the following commands on your Siebel server to set these values:
    srvrcfg -u <adminuser> -g <gatewayserver> -e <siebel_enterprise> -s <siebel servername> -l <language> -m namedsubsys -c VasSecAdpt -w "CustomSecAdpt_SingleSignOn=(True)"
    srvrcfg -u <adminuser> -g <gatewayserver> -e <siebel_enterprise> -s <siebel servername> -l <language> -m namedsubsys -c VasSecAdpt -w "CustomSecAdpt_TrustToken=(your_unique_trusttokenvalue)"
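For the manual eapps.cfg route in step 3 above, the following Python is an added illustration of the edit, not part of the Quest guide or the mod_auth_vas configuration script. It adds the four single sign-on settings to one application section, refusing to act when the section is missing or has no ConnectString (so a mistyped application name cannot create an empty section), and offers a check that the settings are present afterwards. The eapps.cfg content is a constructed sample modelled on the guide's sales_enu section; the erm_enu section and its object manager name are constructed as well. The trust token step is left to the srvrcfg command above.

```python
# Added example (not from the Quest guide): add the SSO settings to an
# application section of eapps.cfg and verify the result.
import configparser
import io
from typing import Dict, Tuple

SSO_SETTINGS = {
    "SingleSignOn": "TRUE",
    "UserSpec": "REMOTE_USER",
    "UserSpecSource": "Server",
}

def _parser() -> configparser.ConfigParser:
    # Keep option-name case (Siebel keys are CamelCase), split only on "=",
    # and disable %-interpolation so token values are taken literally.
    parser = configparser.ConfigParser(interpolation=None, delimiters=("=",))
    parser.optionxform = str
    return parser

def _section_name(application: str) -> str:
    return "/" + application.lstrip("/")

def enable_sso(eapps_text: str, application: str) -> Tuple[str, Dict[str, str]]:
    """Return (new eapps.cfg text, settings applied) for section [/<application>].

    ProtectedVirtualDirectory is set to /<application>, as in the guide's
    sales_enu example. Raises KeyError if the section does not exist and
    ValueError if it has no ConnectString (wrong file or wrong application).
    """
    parser = _parser()
    parser.read_string(eapps_text)
    section = _section_name(application)
    if not parser.has_section(section):
        raise KeyError("no section [%s] in eapps.cfg" % section)
    if not parser.has_option(section, "ConnectString"):
        raise ValueError("section [%s] has no ConnectString" % section)
    applied = dict(SSO_SETTINGS, ProtectedVirtualDirectory=section)
    for key, value in applied.items():
        parser.set(section, key, value)
    out = io.StringIO()
    parser.write(out)
    return out.getvalue(), applied

def sso_enabled(eapps_text: str, application: str) -> bool:
    """True when every SSO setting is present with the expected value."""
    parser = _parser()
    parser.read_string(eapps_text)
    section = _section_name(application)
    if not parser.has_section(section):
        return False
    expected = dict(SSO_SETTINGS, ProtectedVirtualDirectory=section)
    return all(parser.get(section, k, fallback=None) == v for k, v in expected.items())

# Constructed sample modelled on the guide's sales_enu section.
SAMPLE_EAPPS = """[/sales_enu]
ConnectString = siebel.TCPIP.None.None://VirtualServer/SBA_80/SSEObjMgr_enu
WebPublicRootDir = /opt/siebel/sweapp/public/enu
SiebEntSecToken = oyBTDdYQOqgBQ/gAAA=

[/erm_enu]
ConnectString = siebel.TCPIP.None.None://VirtualServer/SBA_80/ERMObjMgr_enu
WebPublicRootDir = /opt/siebel/sweapp/public/enu
"""

if __name__ == "__main__":
    new_text, applied = enable_sso(SAMPLE_EAPPS, "sales_enu")
    print(new_text)
    print("sales_enu SSO:", sso_enabled(new_text, "sales_enu"))
```

Run sso_enabled against the file after the configuration script (or a manual edit) to confirm the section that mod_auth_vas protects is the one that was changed; only that application is affected, so other sections keep their existing (non-SSO) behaviour.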
Chapter 4: Manual Provisioning of Siebel Accounts
For an Active Directory user to log into Siebel, the user must have both a Siebel account and an Active Directory account. In many cases a user will already have an Active Directory account. For users with pre-existing Active Directory accounts to access Siebel, you must manually create a Siebel account. When manually creating a Siebel account, ensure that the user's Siebel login ID is stored on their Active Directory account. In other words, the attribute that you specified in Q12. What is the name of the attribute used to store the Siebel username? on page 21 (asked during the QAS Security Adapter configuration process) must contain the user's Siebel login ID. If you accepted the default attribute of sAMAccountName, you do not need to modify the user's Active Directory account; simply ensure that the login ID you provide when you create the Siebel account matches the sAMAccountName of the user's AD account. If you are using a custom, or otherwise empty, attribute to store the user's Siebel login ID, you may choose whatever login ID you need for the newly created Siebel account, but you must then set that Siebel login ID on the user's Active Directory account. The key to the manual provisioning process (whether using a pre-populated attribute or not) is to ensure that the newly created Siebel account's login ID matches the value of the attribute configured to store the Siebel login ID. If you have user creation propagation configured, you do not need to check the Active Directory account after the Siebel account is created: the QAS Security Adapter ensures that a new Active Directory account is created with the Siebel login ID set on the appropriate attribute.
Chapter 5: Login Time Provisioning of Siebel Accounts
Topics:
Create a Launch Script
Create a User Creation Script
Creating the Oracle Stored Procedure
A common deployment scenario is one in which Active Directory accounts already exist for most (if not all) employees, but many of these users have no Siebel user identity. To access Siebel, a user must have a "Siebel account" as well as an Active Directory account. Siebel accounts are stored in various tables in the backend Siebel database. The main purpose of the post-authentication script is to give an administrator a hook for creating a Siebel account in the backend Siebel database when a user successfully authenticates with their Active Directory account. Ideally you would call a Siebel tool (such as srvrmgr) to create the necessary user information in the backend database, which would allow a simple user creation script requiring no knowledge of the schema used to store user information. However, Siebel does not provide such a tool, so you must create a stored procedure in your database that creates Siebel accounts. You can call that stored procedure from your post-authentication script to populate the necessary tables in the backend database. The stored-procedure method of login time provisioning requires an in-depth knowledge of the Siebel database schema. Note also that the schema can change from one version of Siebel to the next, so any such stored procedure is likely to be highly version-dependent. The tasks below demonstrate how to launch a stored procedure that creates Siebel accounts from the QAS Security Adapter post-authentication script.
    FIRSTNAME=BLANKFIRSTNAME
fi
if [ -z "${LASTNAME}" ]; then
    LASTNAME=BLANKLASTNAME
fi
su -c ". /usr/local/bin/oracle_env.sh; echo call my_create_siebel_employee\( \'$FIRSTNAME\', \'$LASTNAME\', \'$SAMACCOUNTNAME\'\)\; | sqlplus / as sysdba" oracle

This script does the following:
1. Discovers the necessary user information (FirstName, LastName, sAMAccountName) by running vastool search commands against the DN that the QAS Security Adapter passes to the script.
2. Runs su to the Oracle account and calls a PREVIOUSLY CREATED stored procedure (in this case called "my_create_siebel_employee") to put the information discovered in step 1 into the Siebel S_USER table.
Note: The script searches for sAMAccountName to populate the Siebel login ID. If you are using a different attribute (refer to Q12. What is the name of the attribute used to store the Siebel username? on page 21 of the configuration process), change the vastool command that searches for sAMAccountName to use your custom attribute.
Note: The attribute values are expanded into the command string that su hands to a shell, and from there into the SQL statement. A first or last name containing a single quote, or a value containing shell metacharacters, will break the call, so validate or escape these values before using this approach with directory data you do not fully control.
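The following Python is an added illustration of the same hook written so that directory values never pass through a shell; it is not part of the Quest guide. The login ID is checked against a strict character set, first and last names are escaped as Oracle string literals (a single quote becomes two) after the guide's BLANK* fallback, and sqlplus is started from an argv list with the script on stdin. my_create_siebel_employee is the procedure name used in the guide. Connecting as "/" without "as sysdba" assumes, and this is our assumption rather than the guide's, that the OS account running the hook is mapped to an externally identified database user holding only EXECUTE on that procedure; creating a row in S_USER does not need SYSDBA. The sample user is constructed.

```python
# Added example (not from the Quest guide): compose and run the provisioning
# call without interpolating directory values into a shell command line.
import re
import subprocess
from typing import Dict, List

# Conservative subset of the characters AD permits in sAMAccountName.
SAM_ACCOUNT_NAME_RE = re.compile(r"^[A-Za-z0-9._-]{1,20}$")
MAX_NAME_LEN = 50

def login_id_ok(sam: str) -> bool:
    """True when the login ID is within the permitted character set."""
    return bool(SAM_ACCOUNT_NAME_RE.match(sam))

def sql_literal(value: str) -> str:
    """Return value as an Oracle single-quoted literal; '' escapes a quote."""
    return "'" + value.replace("'", "''") + "'"

def clean_name(value: str, placeholder: str) -> str:
    """Apply the guide's BLANK* fallback, drop non-printable characters, cap the length."""
    value = "".join(ch for ch in value if ch.isprintable()).strip()
    return value[:MAX_NAME_LEN] if value else placeholder

def build_sqlplus_input(attrs: Dict[str, str]) -> str:
    """Compose the script fed to sqlplus on stdin for one authenticated user.

    attrs holds what the vastool searches returned: givenName, sn, sAMAccountName.
    A login ID outside the permitted character set raises ValueError, so a
    crafted directory value never reaches the database.
    """
    sam = attrs.get("sAMAccountName", "")
    if not login_id_ok(sam):
        raise ValueError("refusing unexpected sAMAccountName %r" % sam)
    first = clean_name(attrs.get("givenName", ""), "BLANKFIRSTNAME")
    last = clean_name(attrs.get("sn", ""), "BLANKLASTNAME")
    call = "call my_create_siebel_employee(%s, %s, %s);" % (
        sql_literal(first), sql_literal(last), sql_literal(sam))
    # WHENEVER SQLERROR turns a failed call into a non-zero sqlplus exit status.
    return "WHENEVER SQLERROR EXIT FAILURE\n%s\nexit\n" % call

def sqlplus_argv(connect: str = "/") -> List[str]:
    """argv for sqlplus: -S silent, -L a single logon attempt, OS-authenticated
    connect ("/") to an externally identified least-privilege account (assumption)."""
    return ["sqlplus", "-S", "-L", connect]

def provision(attrs: Dict[str, str]) -> int:
    """Run the provisioning call for one user; returns the sqlplus exit status."""
    return subprocess.run(sqlplus_argv(), input=build_sqlplus_input(attrs),
                          text=True).returncode

# Constructed sample: a surname with an apostrophe, which the guide's unquoted
# echo | sqlplus construction cannot pass through intact.
SAMPLE_USER = {"givenName": "Siobhan", "sn": "O'Brien", "sAMAccountName": "sobrien"}

if __name__ == "__main__":
    print(build_sqlplus_input(SAMPLE_USER))
```

Called from the launch script with the three attribute values, build_sqlplus_input produces the call statement the guide's echo line was meant to produce, and provision runs it; a rejected login ID fails closed before any database contact.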
Chapter 6: Troubleshooting
Topics:
Special Considerations
Capturing Debug Information
These topics provide information to assist you in troubleshooting problems associated with the QAS Security Adapter.
Special Considerations
The process that loads the Siebel Security Adapter does not run as root. This is slightly unusual for an authentication process: all other QAS authentication modules run inside a process space that has superuser privileges (PAM modules, for example, are almost always loaded into a privileged process). The lack of root privileges causes the following known problems:
1. The host.keytab cannot be accessed.
2. The disconnected authentication cache cannot be accessed.
3. The default auth facility log files may not be accessible.
The Siebel adapter configuration script takes care of the first two issues by changing the ownership of host.keytab and the disconnected authentication caches from root to the local Siebel user (the user whose process the QAS Security Adapter is loaded into). Problems can arise if either of these items is manually removed and recreated after the security adapter configuration script has run, but this should not happen in normal operation. You can address the third issue by altering the syslog configuration if QAS Security Adapter log information becomes necessary.