Quest Authentication Services 4.0.

Siebel Security Adapter Administrator's Guide

Copyright 2012 Quest Software, Inc. ALL RIGHTS RESERVED. This guide contains proprietary information protected by copyright. The software described in this guide is furnished under a software license or nondisclosure agreement. This software may be used or copied only in accordance with the terms of the applicable agreement. No part of this guide may be reproduced or transmitted in any form or by any means, electronic or mechanical, including photocopying and recording for any purpose other than the purchasers personal use without the written permission of Quest Software, Inc. The information in this document is provided in connection with Quest products. No license, express or implied, by estoppel or otherwise, to any intellectual property right is granted by this document or in connection with the sale of Quest products. EXCEPT AS SET FORTH IN QUEST'S TERMS AND CONDITIONS AS SPECIFIED IN THE LICENSE AGREEMENT FOR THIS PRODUCT, QUEST ASSUMES NO LIABILITY WHATSOEVER AND DISCLAIMS ANY EXPRESS, IMPLIED OR STATUTORY WARRANTY RELATING TO ITS PRODUCTS INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTY OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE, OR NON-INFRINGEMENT. IN NO EVENT SHALL QUEST BE LIABLE FOR ANY DIRECT, INDIRECT, CONSEQUENTIAL, PUNITIVE, SPECIAL OR INCIDENTAL DAMAGES (INCLUDING, WITHOUT LIMITATION, DAMAGES FOR LOSS OF PROFITS, BUSINESS INTERRUPTION OR LOSS OF INFORMATION) ARISING OUT OF THE USE OR INABILITY TO USE THIS DOCUMENT, EVEN IF QUEST HAS BEEN ADVISED OF THE POSSIBILITY OF SUCH DAMAGES. Quest makes no representations or warranties with respect to the accuracy or completeness of the contents of this document and reserves the right to make changes to specifications and product descriptions at any time without notice. Quest does not make any commitment to update the information contained in this document. If you have any questions regarding your potential use of this material, contact: Quest Software World Headquarters LEGAL Dept 5 Polaris Way Aliso Viejo, CA 92656 www.quest.com email: legal@quest.com Refer to our Web site for regional and international office information.

Patents
Protected by U.S. Patents #7,617,501; 7,895,332; 7,904,949; 8,086,710; 8,087,075, and 8,245,242. Additional patents pending.

Trademarks
Quest, Quest Software, the Quest Software logo, AccessManager, ActiveRoles, Aelita, Akonix, Benchmark Factory, Big Brother, BridgeAccess, BridgeAutoEscalate, BridgeSearch, BridgeTrak, BusinessInsight, ChangeAuditor, CI Discovery, Defender, DeployDirector, Desktop Authority, Directory Analyzer, Directory Troubleshooter, DS Analyzer, DS Expert, Foglight, GPOADmin, Help Desk Authority, Imceda, IntelliProfile, InTrust, Invirtus, iToken, JClass, JProbe, LeccoTech, LiteSpeed, LiveReorg, LogADmin, MessageStats, Monosphere, NBSpool, NetBase, NetControl, Npulse, NetPro, PassGo, PerformaSure, Point, Click, Done!, Quest vToolkit, Quest vWorkSpace, ReportADmin, RestoreADmin, ScriptLogic, SelfServiceADmin, SharePlex, Sitraka, SmartAlarm, Spotlight, SQL Navigator, SQL Watch, SQLab, Stat, StealthCollect, Storage Horizon, Tag and Follow, Toad, T.O.A.D., Toad World, vAutomator, vConverter, vEcoShell, VESI,vFoglight, vPackager, vRanger, vSpotlight, vStream, vToad, Vintela, Virtual DBA, VizionCore, Vizioncore vAutomation Suite, Vizioncore vEssentials, Vizioncore vWorkflow, WebDefender, Webthority, Xaffire, and XRT are trademarks and registered trademarks of Quest Software, Inc in the United States of America and other countries. Other trademarks and registered trademarks are property of their respective owners.

Third-Party Contributions
This product may contain one or more of the following third party components. For copies of the text of any license listed, please go to http://www.quest.com/legal/third-party-licenses.aspx . Component Apache Commons 1.2 Boost Expat 2.0.0 Heimdal Krb/GSSapi 1.2 Notes Apache License Version 2.0, January 2004 Boost Software License Version 1.0, August 2003 1998, 1999, 2000 Thai Open Source Software Center Ltd 2004 - 2007 Kungliga Tekniska Hgskolan (Royal Institute of Technology, Stockholm, Sweden). All rights reserved. This product includes software developed by the OpenSSL Project for use in the OpenSSL Toolkit (http://www.openssl.org/) 1998-2008 The OpenSSL Project. All rights reserved.

OpenSSL 0.9.8d

Authentication Services 4.0.3 Siebel Security Adapter Administrator's Guide | TOC | 5

Contents
Chapter 1: About This Guide......................................................................7
About Quest Software.......................................................................................................................................................8 Quest One Identity Solution............................................................................................................................................8 Conventions..........................................................................................................................................................................8 Contacting Quest Support...............................................................................................................................................9

Chapter 2: Introducing the QAS Siebel Security Adapter Solution.......11 Chapter 3: Integrating Your Siebel Installation with Active Directory..13
Before You Begin the Configuration Process.........................................................................................................14 Installing the VASCLNT Package...................................................................................................................14 Verifying QAS License Information..............................................................................................................14 Joining the Domain...........................................................................................................................................15 Source Your siebenv.sh Script.......................................................................................................................17 Gather Siebel Server Information.................................................................................................................17 Verify Your Siebel Server Installation..........................................................................................................17 Installing the QAS Siebel Security Adapter Package.............................................................................17 Install the mod_auth_vas Package (for SSO only)..................................................................................18 Beginning the Active Directory Integration Process.............................................................................18 Configuring the QAS Security Adapter for Siebel.................................................................................................18 Q1. At what level do you want to configure QAS/Active Directory authentication?................19 Q2. What component would you like to configure QAS/Active Directory authentication for?.19 Q3. What is the name of your Siebel server?............................................................................................19 Q4. What is the gateway name server hostname?.................................................................................19 Q5. What is the enterprise name?................................................................................................................20 Q6. What is the language?..............................................................................................................................20 Q7. What is the name of the Active Directory user who has rights to create users and groups in the Directory?.20 Q8. What is the password for <username>?............................................................................................20 Q9. What is the database username that will be used for shared database credentials?........20 Q10. What is the password for the user that will be used for shared database credentials?..21 Q11. What is the DN of the container where any new user objects will be created?................21 Q12. What is the name of the attribute used to store the Siebel username?...............................21 Q13. What is the Siebel administrative username?................................................................................21 Q14. What is the Siebel administrative user password?.......................................................................21 Q15. No corresponding user exists in AD, would you like to create it now?................................21 Q16. What is the name of your web anonymous user?........................................................................22 Q17. What is the web anonymous user password?...............................................................................22 Q18. No corresponding user exists in AD, would you like to create it now?................................22

6 | Authentication Services 4.0.3 Siebel Security Adapter Administrator's Guide | TOC

Q19. Would you like users warned when their password is about to expire?.............................22 Q20. How many days before password expiration would you like to warn a user?..................23 Q21. Should role information come from Active Directory groups designated as Siebel "roles groups"?.23 Q22. What is the name of the file to be used for Siebel "roles groups"?........................................23 Q23. What is the name (CN) of an existing group or a role name you would like to create?..23 Q24. You have not created/added the role "Web Anonymous User" would you like to do so now?.23 Q25. You have not created/added the role "Siebel Administrator" would you like to do so now?.23 Q26. Would you like to specify a post-authentication script?............................................................24 Single Sign-On (SSO) Configuration............................................................................................................24 Q27. Do you want to propagate changes?...............................................................................................24 Q28. Would you like to apply this configuration now?........................................................................24 After Running the Siebel Security Adapter Configuration Script.....................................................24 Configuring Single Sign-on Using mod_auth_vas...............................................................................................25 Creating the Appropriate Service Account for mod_auth_vas.........................................................26 Configuring Your Web Server Extensions for Single Sign-On............................................................26 Configuring Your Web Server to Use mod_auth_vas for Authorization........................................27 Modifying the QAS Security Adapter Authentication Subsystem for Single Sign-On..............28 Internet Explorer Configuration....................................................................................................................29 Limitations Associated with Single Sign-On Configuration...............................................................29

Chapter 4: Manual Provisioning of Siebel Accounts..............................31 Chapter 5: Login Time Provisioning of Siebel Accounts........................33
Create a Launch Script....................................................................................................................................................34 Create a User Creation Script........................................................................................................................................34 Creating the Oracle Stored Procedure......................................................................................................................35

Chapter 6: Troubleshooting.....................................................................37
Special Considerations....................................................................................................................................................38 Capturing Debug Information.....................................................................................................................................38

Chapter

1
About This Guide
Topics: About Quest Software Quest One Identity Solution Conventions Contacting Quest Support
The Quest Authentication Services Siebel Security Adapter Administrator's Guide contains information about installing and configuring the Quest Authentication Services (QAS) Siebel Security Adapter for Siebel and integrating your Siebel Unix installation with Active Directory. Oracle provides integrated Windows authentication for all Siebel installations running on Windows platforms. But what if your Siebel installation is installed on a Unix/Linux system? Siebel, and later Oracle, provide a generic "Security Adapter Interface" API to Siebel which allows third-party vendors to create custom security adapters. Siebel can then utilize the interface provided by a custom security adapter to provide authentication and password change services to Siebel users. Until now there has never been a solution specifically designed to use this API to integrate Siebel Unix installations with Active Directory. If your Siebel installation is on Unix/Linux, you had only two options. You could either attempt to integrate with Active Directory using a generic LDAP Security Adapter (limitations addressed in the next section), or you could write your own custom security adapter. The QAS Solution provides a custom security adapter written to the Siebel Security Adapter Interface 3.00. QAS allows Unix/Linux systems to be joined to an Active Directory domain and provides Active Directory authentication and identity information to all system level services. The QAS Siebel security adapter implements integrated Windows authentication for all Unix/Linux operating systems supported by Siebel by building on the framework provided by the QAS client. QAS also provides the ability to configure single sign-on for any Unix/Linux Siebel installation that is using an Apache-based web server (such as OHS or IHS).

8 | Authentication Services 4.0.3 Siebel Security Adapter Administrator's Guide | About This Guide

About Quest Software

Note: Quest Authentication Services (QAS), formerly Vintela Authentication Services (VAS), was re-branded for the 4.0 release. Quest Software, Inc. simplifies and reduces the cost of managing IT for more than 100,000 customers worldwide. Our innovative solutions make solving the toughest IT management problems easier, enabling customers to save time and money across physical, virtual and cloud environments. Contact Quest for more information: Contacting Quest Software Phone: Email: Mail: 949.754.8000 (United States and Canada) info@quest.com Quest Software, Inc. World Headquarters 5 Polaris Way Aliso Viejo, CA 92656 USA Web site: www.quest.com

Quest One Identity Solution

This product is a component of the Quest One Identity Solution, a set of enabling technologies, products, and integration that empowers organizations to simplify identity and access management by: Reducing the number of identities Automating identity administration Ensuring the security of identities Leveraging existing investments, including Microsoft Active Directory

Quest One improves efficiency, enhances security and helps organizations achieve and maintain compliance by addressing identity and access management challenges as they relate to: Single sign-on Directory consolidation Provisioning Password management Strong authentication Privileged account management Audit and compliance

Conventions
In order to help you get the most out of this guide, we have used specific formatting conventions. These conventions apply to procedures, icons, keystrokes and cross-references.

Authentication Services 4.0.3 Siebel Security Adapter Administrator's Guide | About This Guide | 9

Element Select

Convention This word refers to actions such as choosing or highlighting various interface elements, such as files and radio buttons. Used to indicate elements that appear in the graphical user interface that you are to select such as the OK button. Interface elements that appear in Quest products, such as menus and commands. Used to indicate host names, file names, program names, command names, and file paths. Indicates an interactive link to a related topic. Used to highlight additional information pertinent to the process or topic being described.

Bold text

Italic text courier text Blue Text

+ |

A plus sign between two keystrokes means that you must press them at the same time. A pipe sign between elements means that you must select the elements in that particular sequence.

Contacting Quest Support

Quest Support is available to customers who have a trial version of a Quest product or who have purchased a Quest product and have a valid maintenance contract. Quest Support provides unlimited 24x7 access to SupportLink, our self-service portal. Information Sources Quest Support Contact Points SupportLink: support.quest.com Quest SupportLink gives you access to these tools and resources: Product Information Most recent product solutions, downloads, documentation, notifications and product lifecycle table. Product Downloads Download the latest Quest product releases and patches. Product Documentation Download Quest product documentation, such as installation, administrator, user guides and release notes. Search KnowledgeBase Search our extensive repository for answers to Quest-product related issues or questions. Case Management Create new support cases and manage existing cases.

10 | Authentication Services 4.0.3 Siebel Security Adapter Administrator's Guide | About This Guide

Information Sources

Contact Points Email: support@quest.com Phone: 1.800.306.9329

Public Forum

The Community site is a place to find answers and advice, join a discussion forum, or get the latest documentation and release information: All Things Unix Community. View the Global Support Guide for a detailed explanation of support programs, online services, contact information, policies and procedures. The guide is available at support.quest.com.

Global Support Guide

Chapter

2
Introducing the QAS Siebel Security Adapter Solution
The QAS Active Directory support for Siebel goes far beyond the support provided by generic Siebel LDAP solution. The generic LDAP security adapter plug-in only validates user passwords against a conformant directory by doing an LDAP bind operation. This operation is insecure unless additional measures are taken (such as the implementation of TLS/SSL and certificate infrastructure). QAS provides many benefits over such a configuration because it is designed specifically to work with Active Directory. QAS takes advantage of the security protocol (Kerberos) built into Active Directory, and does not require the setup of additional security (certificate) infrastructure to ensure that authentication requests are not subject to eavesdropping. A generic LDAP solution (such as the one provided with Siebel) cannot provide proper password change support for Active Directory users. LDAP directories that service Unix/Linux systems store password data as an attribute on a user object. You can modify this data during a password change request; however, Active Directory does NOT store password data on any user attribute. This in turn makes it impossible for standard LDAP solutions to provide password change support for Active Directory. Password changes can only be accomplished by means of a Kerberos password change request. The QAS Kerberos integration provides seamless password change integration with Active Directory. This includes allowing change of password, enforcement of password policy (minimum password length, complexity requirements, history, and so forth), and password expiration notification; none of which can be supported through a standard LDAP solution. QAS also provides the ability to manage Siebel roles through the use of Active Directory groups. You simply specify which groups are "roles" groups, and QAS returns the name of these groups as the current roles of any member users. This greatly simplifies management of Siebel Roles without requiring a schema extension. Additionally QAS provides an Apache module (mod_auth_vas), which provides the ability to configure single sign-on for any Siebel installation that uses any Apache-base web server (such as Oracles OHS or IBMs HIS). These are only a few of the many benefits QAS provides to Siebel Unix installations. A summary of all the features of the QAS solution are listed below. Support for authentication of Active Directory accounts Support for password change at login time or afterwards Support for all Active Directory password complexity requirements (password history, length, and so forth)

12 | Authentication Services 4.0.3 Siebel Security Adapter Administrator's Guide | Introducing the QAS Siebel Security Adapter Solution

Support for password expiration warning at login Support for Active Directory account lockout, account disable, and enforcement of login hours and account expiry Support for Active Directory account creation and administrative password set from the Siebel UI Single sign-on The ability to use one shared database account for all Siebel accounts The ability to mark certain Active Directory groups as Siebel "Roles Groups", thereby allowing the management of Siebel Roles through Active Directory and the ADUC MMC snap-in Leverages the site topology of Active Directory to distribute load and provide redundancy Provides local "Disconnected Authentication" in the event that the Siebel Server cannot contact any Active Directory domain controllers Support for a "post-authentication" hook which you can use to auto-provision Siebel accounts for Active Directory accounts which have not previously been provisioned in the Siebel user database Simple setup script automates the process of installing and configuring the QAS security adapter HPUX, AIX, Solaris, and Linux support Support for Siebel versions 7.5, 7.7, 7.8, and 8.0+

The QAS solution clearly offers superior support to a standard LDAP solution when it comes to integrating Siebel Unix installations with Active Directory. The QAS Solution is the only solution designed specifically to integrate your Unix/Linux Siebel installation with Active Directory.

Chapter

3
Integrating Your Siebel Installation with Active Directory
Topics: Before You Begin the Configuration Process Configuring the QAS Security Adapter for Siebel Configuring Single Sign-on Using mod_auth_vas
There are two main integration points in the process of configuring your Siebel Unix/Linux installation to use the QAS components to integrate with Active Directory: 1. Basic Active Directory integration using the QAS Security Adapter for Siebel (See Configuring the QAS Security Adapter for Siebel on page 18) 2. Single sign-on using mod_auth_vas (See Configuring Single Sign-on Using mod_auth_vas on page 25)

14 | Authentication Services 4.0.3 Siebel Security Adapter Administrator's Guide | Integrating Your Siebel Installation with Active Directory

Before You Begin the Configuration Process

QAS provides several scripts to assist you in the process of integrating your Siebel installation with Active Directory; however, before you can launch any configuration scripts, you must complete the following steps: 1. 2. 3. 4. 5. 6. 7. 8. Install the vasclnt package Verify that you have a valid license for the QAS agent components Join the domain Source your siebenv.sh Verify your Siebel Server installation Gather Siebel Server information. (See Gather Siebel Server Information on page 17) Install the QAS Siebel Security Adapter package Install the mod_auth_vas package

Each of the following sections provides detailed instructions for each of these steps.

Installing the VASCLNT Package

To install the vasclnt package 1. Mount your QAS DVD or ISO media by running the mount command. Mount details vary from platform to platform. Refer to your vendor documentation for specifics. For example, this is a Linux mount command: mount /dev/cdrom /mnt/media 2. Navigate to the path where you mounted your QAS media and execute the install.sh script. This script is located at the root of the installation media, and guides you through the process of installing the QAS agent package.

Verifying QAS License Information

To verify that you have a valid QAS license 1. Run the following vastool command: vastool license q Output similar to the following displays: Number of Unix Enabled users in use: 150 ---QAS--Number of Licensed Unix Enabled Users: 1000 Valid licenses: 1 ---QAS Siebel--Valid licenses: 1 2. If you are missing either the "QAS" or "QAS Siebel" section you do not have the necessary license to run the QAS Siebel Security Adapter.

Authentication Services 4.0.3 Siebel Security Adapter Administrator's Guide | Integrating Your Siebel Installation with Active Directory | 15

Joining the Domain

For full Quest Authentication Services functionality on Unix, you must join the Unix system on which you installed the QAS agent to the Active Directory domain. You can join an Active Directory domain either by running vastool join from the command line or the interactive join script, vasjoin.sh. Before you join the Unix host to the Active Directory domain, you may want to determine if you are already joined. To determine if you are joined to an Active Directory domain Run the following command. # /opt/quest/bin/vastool info domain If you are joined to a valid domain this command returns the domain name. If you are not joined to a domain, you will see the following error: ERROR: No domain could be found. ERROR: VAS_ERR_CONFIG: at ctx.c:414 in _ctx_init_default_realm default_realm not configured in vas.conf. Computer may not be joined to domain

Joining the Domain Using VASTOOL You can join your Unix host to Active Directory with the vastool join command directly from the command line. Before you join the QAS agent to the Active Directory domain, collect the following information: The DNS name of the Active Directory domain of which you want the QAS agent to be a member. The user name and password of a user that has sufficient administrative privileges to create computer objects in Active Directory.

To join Active Directory using vastool join 1. Run the following command as the root user at a shell prompt: # /opt/quest/bin/vastool -u <user> join <domain-name> 2. Enter the users password when prompted. The vastool join results are shown on the shells standard output. Note: vastool join supports many options that allow you to customize the way the computer is joined to the domain. You can specify the name of the computer object. You can join to a specific organizational unit or use a pre-created computer object. For a list of all vastool join options, refer to the vastool man page.

Joining the Domain Using VASJOIN Script Rather than using the vastool join command from the command line, you can join your Unix host to Active Directory using the interactive join script, vasjoin.sh. The script walks you through the domain join process, calling the vastool join command. The vasjoin.sh script is in /opt/quest/libexec/vas/scripts/ directory. You can use most of the standard vastool join command options when running it. However, you can run the join script with no options; it only requires that you supply the domain name and the name of a user with sufficient Active Directory privileges to perform the join.

16 | Authentication Services 4.0.3 Siebel Security Adapter Administrator's Guide | Integrating Your Siebel Installation with Active Directory

Table 1: Common vasjoin Script Options OPTION -h -q -i <none> FUNCTION Help; displays options including how to pass vastool join options Unattended or quiet mode; displays less verbose: no explanations, asks no questions Interactive mode: prompts for common options Simple mode; installs vasclnt and vasgp with options to add license and join domain.

To join Active Directory using the vasjoin script Run the script as the root user at a shell prompt, as follows: /opt/quest/libexec/vas/scripts/vasjoin.sh The script ensures that your local host's time is synchronized with that of the controller in the domain you want to join (in order to satisfy Kerberos), then performs the join for you by running vastool join as follows: vastool -u <username> join <domain-name> Follow the prompts to complete the join process. Note: Run the script in interactive mode as follows: /opt/quest/libexec/vas/scripts/vasjoin.sh -i In interactive mode, it prompts you for specific information and allows you to either save the resulting vastool join command in a script or execute the command immediately. The script presents defaults as part of the prompting and if you accept them all, the result is identical to running the script in simple mode. The information gathered by the full, interactive mode of vasjoin.sh includes the following. Specific domain controllers to use domain to join user, usually administrator, to use in joining keytab file confirm fixing of Kerberos clock skew, if any overwrite your host's existing Active Directory ComputerName object change the name of the AD ComputerName object AD container in which to put the ComputerName object site name UPM mode (yes or no) user search path on which to look for Active Directory users alternate group search path workstation mode (yes or no) alternate domains in which to search if you want cross-domain logins self-enrollment of existing /etc/passwd users (yes or no) shows path to lastjoin (/etc/opt/quest/vas/lastjoin) The lastjoin file contains something similar to: /opt/quest/bin/vastool -u administrator join -f acme.com

Authentication Services 4.0.3 Siebel Security Adapter Administrator's Guide | Integrating Your Siebel Installation with Active Directory | 17

Source Your siebenv.sh Script

The siebenv.sh script contains several important environment variables at the root of your Siebel installation (/opt/siebel/siebsrvr/siebenv.sh). To successfully configure the Siebel Security adapter, export the environment variables before you install the Security Adapter package. To source your siebenv.sh script Run . /opt/siebel/siebsrvr/siebenv.sh

Gather Siebel Server Information

Before you run the QAS Siebel Security Adapter configuration script, it is important to have some information at hand. The script asks you to supply answers to numerous questions. As explained in Configuring the QAS Security Adapter for Siebel on page 18, question 3 asks you for the Siebel Server name and question 5 asks you for the Siebel Enterprise name. To gather Siebel Server information Run the following command: ls al /opt/Siebel/siebsrvr/sys/svc.siebsrvr*

Verify Your Siebel Server Installation

The configuration of the QAS Siebel Security Adapter from Unix/Linux requires that you run several commands from the srvrmgr and srvrcfg utilities. These commands require authentication to complete successfully; therefore, you must have an operational Siebel Server running during setup. To verify your Siebel server installation 1. Start your Siebel server, if it is not running. During the configuration phase, you are prompted to provide credentials (name and password) for a Siebel administrative user. If this user cannot authenticate, configuration of the QAS Security Adapter will not succeed. After the installation and configuration of the QAS Security Adapter, users can be authenticated by the QAS Security Adapter, but for configuration of the QAS Security Adapter to succeed, a working authentication subsystem is required. This means that the QAS Security Adapter configuration cannot be completed until Siebel is essentially bootstrapped with a functional pre-existing authentication subsystem (Security Adapter). In new Siebel installations this security adapter is a database security adapter. However, you can configure a pre-existing Siebel installation to use a database adapter, an LDAP adapter, or different custom security adapter. 2. Verify your Siebel administrative credentials before proceeding.

Installing the QAS Siebel Security Adapter Package

You install the QAS Security Adapter package by running the install.sh script. You can find this script at the root of your installation media. To install the QAS Siebel Security Adapter package Run install.sh.

18 | Authentication Services 4.0.3 Siebel Security Adapter Administrator's Guide | Integrating Your Siebel Installation with Active Directory

Refer to Installing the VASCLNT Package on page 14 for details about mounting your QAS installation media.

Install the mod_auth_vas Package (for SSO only)

This step is optional. If you are planning to configure single sign-on with the QAS security adapter, you need to install the mod_auth_vas Apache module package. You must install this package on the server where you have the Siebel web server extensions installed. If your web server extensions are installed on a machine separate from the Siebel server you are initially installing the QAS security adapter upon, you can complete the process of configuring single sign-on after you have installed and configured the QAS Security Adapter. It is important to note that QAS does not provide single sign-on support for all web servers supported by Siebel. The module which facilitates the single sign-on process (mod_auth_vas) is an Apache module, and therefore you must be using an Apache-based web server for QAS to provide SSO support. Supported Apache-based web servers include Oracles OHS and IBMs IHS; note that Suns web server is excluded from this list. To install the mod_auth_vas package Run the install.sh script found at the root of your installation media. Refer to Installing the VASCLNT Package on page 14 for details about mounting your QAS installation media.

Beginning the Active Directory Integration Process

The QAS security adapter package installs a script which guides you through the process of configuring: Active Directory integration using the QAS Security Adapter Single sign-on configuration for the QAS adapter using mod_auth_vas

If you did not launch the configuration immediately following installation, start the QAS Security Adapter configuration by running the configure_siebel_adapter.sh script. The script presents you with the following choices: What components would you like to configure? 1 - Active Directory Integration using the "QAS Security Adapter for Siebel"". 2 - SSO configuration for Siebel Web Server extensions using mod_auth_vas. 3 - All of the above You can configure Active Directory integration without completing the SSO configuration and retain all benefits of the QAS Security Adapter with the exception of single sign-on support. However, SSO configuration requires that you first successfully configure the "QAS Security Adapter for Siebel". If your Siebel server and web server extensions are installed on the same host, you can configure both at the same time by choosing option #3 (All of the above).

Configuring the QAS Security Adapter for Siebel

The QAS Siebel Security Adapter configuration script asks you to supply answers to numerous questions. This section walks you through each of these questions, providing clarification and examples to help you answer each question accurately. If you have correctly prepared your system, the first question you are asked is, "At what level do you want to configure QAS/Active Directory authentication?" If you have not correctly prepared your system, the script may terminate before you are asked this question. If you are not properly joined, for example, the script terminates and notifies you

Authentication Services 4.0.3 Siebel Security Adapter Administrator's Guide | Integrating Your Siebel Installation with Active Directory | 19

of this. As much as possible, the configuration script attempts to validate your installation and the input you are providing. It is not possible to validate all input, however. Be extremely careful to answer all questions accurately especially those noted as "not validated by the configuration script". Note: Before you start, gather the Siebel Server information (See Gather Siebel Server Information on page 17.)

Q1. At what level do you want to configure QAS/Active Directory authentication?

This question determines the scope of Active Directory authentication. If you select enterprise, the change is global. One important thing to realize about choosing the enterprise level is that once you have successfully configured QAS as the enterprise authentication solution, your previous Siebel Administrator credentials will no longer function. Later in the configuration phase you will be asked if you want to create a user corresponding to your Siebel Administrator in Active Directory. If you have chosen enterprise level, you must do this. It is equally important to know if you are going to deploy Single Sign-On (SSO) with mod-auth-vas. You cannot configure SSO for the entire enterprise if you plan to configure SSO. It is best to configure Active Directory Authentication on a per-component basis to minimize later configuration changes. If you choose to configure SSO at the same time you configure the QAS Security Adapter for Siebel, you will not be asked this question.

Q2. What component would you like to configure QAS/Active Directory authentication for?
You are only asked this question if you choose component-level configuration. When choosing component-level configuration, you are essentially configuring QAS authentication for only one Siebel application. The component name is the name of the Siebel object manager for that application. For example, if you want to configure QAS authentication for the English version of the Siebel Sales application, specify the component as SSEObjMgr_enu. [sales_enu] siebel.TCPIP.None.None://$(LoadBalancingServer)/SBA_80/SSEObjMgr_enu Note: The last portion of the connect string contains the component name.

Q3. What is the name of your Siebel server?

You are only asked this question if you selected component- or server-level authentication. It is important to realize that this is NOT necessarily the hostname of the Siebel server. You can find the names of your Siebel servers by looking in the "sys" directory at the root of your Siebel installation. ls al /opt/Siebel/siebsrvr/sys/svc.siebsrvr* -rw-r--r-- 1 sadmin users 200 Mar 4 08:40 svc.siebsrvr.SBA_80:linux -rw-r--r-- 1 sadmin users 192 Mar 4 08:40 svc.siebsrvr.SBA_80:linux.bak The name of the server is found after the colon in any file names starting with "svc.siebsrvr" (you can ignore files with a .bak file type). There may be multiple servers listed. In the example given above, the name of the server is "linux".

Q4. What is the gateway name server hostname?

This is the hostname of the gateway server. Do not include the port, simply enter a resolvable network name for the gateway server.

20 | Authentication Services 4.0.3 Siebel Security Adapter Administrator's Guide | Integrating Your Siebel Installation with Active Directory

Q5. What is the enterprise name?

This is name of your Siebel Enterprise. You can determine the name of the enterprise by looking in the sys directory at the root of your Siebel server installation. ls al /opt/Siebel/siebsrvr/sys/svc.siebsrvr* -rw-r--r-- 1 sadmin users 200 Mar 4 08:40 svc.siebsrvr.SBA_80:linux -rw-r--r-- 1 sadmin users 192 Mar 4 08:40 svc.siebsrvr.SBA_80:linux.bak The enterprise name is found directly before the colon. In the example above the enterprise name is SBA_80.

Q6. What is the language?

If your Siebel Environment script was correctly sourced, a default value is listed. For example, the value for English is "enu". In most cases, just accept the default value.

Q7. What is the name of the Active Directory user who has rights to create users and groups in the Directory?
In response to this question, provide an Active Directory user who has rights to create objects in the user creation container (which you are prompted for in Q11). The following notice is also given: These credentials will be necessary to create the web anonymous and Siebel administrator users (if necessary), and any roles groups (You will be prompted before any object is created). You must provide these credentials. The configuration script creates two necessary users by default, the web anonymous user and the Siebel administrator user. Before creating them, it prompts you for the names of each of these users. The configuration script also creates two "roles" groups, the "Siebel Administrator" and "Web Anonymous User". It adds the new users to the appropriate roles group. The user credentials you specify in this question and the subsequent question are the credentials used to create these users and roles groups. The Active Directory "Administrator" user is always safe to use, but you can use an account with fewer privileges as long as it has rights to create users and groups in the container you specify in Q11.

Q8. What is the password for <username>?

The password for the account you provided in Q7. This is validated, so if you enter an incorrect password you are prompted again.

Q9. What is the database username that will be used for shared database credentials?
Siebel requires that all users have database credentials. These credentials need not be unique. The QAS Security Adapter supports the use of one shared database account for all users. The database user information you provide here is stored in the QAS Security Adapter configuration file (/etc/opt/quest/vas/sscvas3.conf). This field is not validated by the configuration script, so ensure that the account you enter exists in your backend database.

Authentication Services 4.0.3 Siebel Security Adapter Administrator's Guide | Integrating Your Siebel Installation with Active Directory | 21

Q10. What is the password for the user that will be used for shared database credentials?
This is the database password for the user entered in Q9. This value is stored (along with the shared database username) in the QAS Security Adapter configuration file (/etc/opt/quest/vas/vas/sscvas3.conf).

Q11. What is the DN of the container where any new user objects will be created?
This is the full LDAP DN of a container (CN) or organization unit (OU) where new user objects will be created by the QAS Security Adapter. The QAS Security Adapter propagates new user additions into Active Directory into this container or organizational unit. This is not a restrictive search base. Users outside of this container will still be able to authenticate. This relates only to where new users are created. The syntax for the response should be similar to the following: cn=users,dc=example,dc=com

Q12. What is the name of the attribute used to store the Siebel username?
Which directory attribute contains the Siebel user ID? The default is sAMAccountName. If your Siebel user IDs are not the same as your Active Directory sAMAccountName, you must specify which user attribute contains the Siebel User IDs here. It is important that you index the attribute you specify. If you specify a custom attribute such as "siebelUsername" it is likely that it is NOT indexed. This WILL CAUSE very severe performance issues with your domain controller under any significant load. If you specify a custom attribute, Siebel users will be required to log in by specifying one of the following: 1. 2. 3. 4. Siebel User ID Active Directory username in the form of "Domain\sAMAccountName" Active Directory username in the form of "NetBiosDomain\sAMAccountName" Active Directory userprincipal name in the form of "Username@Domain"

If you accept the default attribute (sAMAccountName), users can log in by specifying their sAMAccountName without a domain prefix (as this is also their Siebel User ID).

Q13. What is the Siebel administrative username?

This is the name of the user who has rights to perform the configuration of a new security adapter.

Q14. What is the Siebel administrative user password?

The password for the user provided in Q13.

Q15. No corresponding user exists in AD, would you like to create it now?
You are only asked this question if the user you specified in Q13 cannot be found in Active Directory. You must create the Siebel administrative user in Active Directory if you are configuring the QAS Security Adapter enterprise wide. But even if you are not configuring the QAS Security Adapter enterprise wide, Quest recommends this as a best practice.

22 | Authentication Services 4.0.3 Siebel Security Adapter Administrator's Guide | Integrating Your Siebel Installation with Active Directory

Q16. What is the name of your web anonymous user?

The web anonymous user is a low privilege Siebel user used by the Web Server Extension to display the Siebel login page. The configured security adapter must be able to authenticate this user to display the application login page. You can configure each application to use a different web anonymous user in the eapps.cfg file, so if you do not know the name of your web anonymous user, look in the eapps.cfg file. For example, the Siebel sales application may have an eapps.cfg entry that looks like this: [sales_enu] AnonUserName = guestcst AnonPassword = mPm5a8+WAIYBivMAAA== ConnectString = siebel.TCPIP.None.None://$(LoadBalancingServer)/SBA_80/SSEObjMgr_enu WebPublicRootDir = $(SWSERoot)/public/enu SiebEntSecToken = oyBTDdYQOqgBQ/gAAA== The "AnonUserName" is the name of the web anonymous user. If your application does not have a "AnonUserName" entry, then it uses the global default anonymous user. This configuration is also in the eapps.cfg file under the "defaults" section. [defaults] EncryptedPassword = True AnonUserName = guestcst AnonPassword = ZWAVd5kEB90B2jEAAA== StatsPage = _stats.swe HTTPPort = 7777 HTTPSPort = 443 EnableFQDN = False FQDN = linux.example.com TrustToken = DoCompression = true uestSessionTimeout = 300 The default of "guestcst" provided by the configuration script is NOT detected from the eapps.cfg file. It simply mirrors the name of the web anonymous user provided in the Siebel seed data. If you changed your web anonymous user during installation or afterwards, do not accept the default answer to this question.

Q17. What is the web anonymous user password?

This is the password for the user provided in Q16. You must provide either the same password that exists in the eapps.cfg file for this user, or change the password in the eapps.cfg file. The QAS Security Adapter authenticates the web anonymous user provided in Q16. The web server extension provides the pre-existing password for this user as configured in eapps.cfg; therefore, the password you provide here must match the password configured in eapps.cfg.

Q18. No corresponding user exists in AD, would you like to create it now?
You are only asked this question if the user specified in Q16 cannot be found in Active Directory. The web anonymous user MUST exist in Active Directory, so answer "yes" to this question now, unless you intend to create the user later.

Q19. Would you like users warned when their password is about to expire?
If you respond "yes" to this question, Siebel users are given a warning next time they log in that their password will expire soon. The password expiration warning does not support telling the user how long until their password expires, only that password expiration is imminent.

Authentication Services 4.0.3 Siebel Security Adapter Administrator's Guide | Integrating Your Siebel Installation with Active Directory | 23

Q20. How many days before password expiration would you like to warn a user?
You will only be asked this question if you responded affirmatively to Q19. This is the number of days prior to password expiry, when a user will begin seeing warning messages that their password will soon expire.

Q21. Should role information come from Active Directory groups designated as Siebel "roles groups"?
Roles groups provide a group membership-based solution to the management of Siebel Roles. For each Siebel role, a group is created in Active Directory. The name of the role returned to Siebel is the "CN" of the group. All users who are a member of a given group have that role returned from the QAS Security Adapter. This method of managing Siebel roles in Active Directory is a unique feature of the QAS Security Adapter. Quest recommends that you use this method. It provides excellent compatibility with the management tools available to Active Directory administrators (such as ADUC) and it does not require extending the user schema. If you choose not to use "roles groups", you will be asked to specify a user attribute that contains Siebel roles. The attribute you specify must be a multi-valued attribute.

Q22. What is the name of the file to be used for Siebel "roles groups"?
If a group is a Siebel roles group, you must specify it in this file. Groups not contained in this file are not Siebel roles groups. Each group is identified in this file by its SID. Quest does not recommend that you manually add groups to this file. QAS provides a script to assist you in adding roles groups after the initial configuration. The script is /opt/quest/libexec/vas/scripts/siebel/add_roles_groups.sh. While the location of the file is purely arbitrary, unless you have a specific need to place the file in another location, Quest recommends that you accept the default location.

Q23. What is the name (CN) of an existing group or a role name you would like to create?
You are given the opportunity to create any roles you would like at this time. It is not necessary to configure any specific roles during initial configuration other than the "Siebel Administrator" role and the "Web Anonymous User" role. You will be prompted later to create these required roles if you do not create them here. Furthermore, you can add any other roles later by running the following script. /opt/quest/libexec/vas/scripts/siebel/add_roles_groups.sh If you have roles you would like to create, specify them now. Enter exit when you have finished.

Q24. You have not created/added the role "Web Anonymous User" would you like to do so now?
If you did not add a role group for the "Web Anonymous User" role, reply yes now. Replying "yes" to this question creates the "Web Anonymous User" group in Active Directory, if it does not already exist. The group is then added to the configured "roles groups" file, and your web anonymous user is added as a member of the group.

Q25. You have not created/added the role "Siebel Administrator" would you like to do so now?
If you did not add a role group for the "Siebel Administrator" role, reply yes now. Replying "yes" to this question creates a "Siebel Administrator" group in Active Directory, if such a group does not already exist. The group is then added to the configured "roles groups" file, and your Siebel administrative user is added as a member of the group.

24 | Authentication Services 4.0.3 Siebel Security Adapter Administrator's Guide | Integrating Your Siebel Installation with Active Directory

Q26. Would you like to specify a post-authentication script?

The QAS Security Adapter has the ability to run a script outcall after successful authentication of an Active Directory account. The post-authentication script receives three pieces of information from the QAS Security Adapter. 1. The DN of the user for whom the script was called 2. The krb5 principal name of the user from whom the script was called 3. The password of the user for whom the script was called The first two items are passed as command-line arguments to the script, while the third item (user password) is written to stdin of the script. If you need the users password you will, therefore, need to use a script command (like the shell "read" command) to read the password from stdin to some script variable. You can reference the first two items; however, command-line arguments are referenced by your interpreter ($1 and $2 typically). If these items are not necessary, you need not reference them by your script. Proper use of this outcall can enable automatic provisioning of all Active Directory users at authentication time.

Single Sign-On (SSO) Configuration

If you chose to configure both the security adapter and single sign-on using mod_auth_vas, you are now asked a number of questions about the location and configuration of web server and web server extensions. Refer to Manual Provisioning of Siebel Accounts on page 31 for help answering these questions.

Q27. Do you want to propagate changes?

This setting determines whether Siebel calls the QAS Security Adapter on interfaces that could change information in Active Directory. If you want password change and user creation by the QAS Security Adapter to work, you must answer yes to this question.

Q28. Would you like to apply this configuration now?

Until now, no actual changes to the Siebel authentication subsystem have been performed. An execution script is created that you can execute now or later (/tmp/configure_VasSecAdpt). If you would like to review the changes before continuing answer no, and apply the execution script later. The execution script is retained partly to simplify reconfiguration if a simple mistake is made during the configuration script interview. It may be easier (once the error is determined) to modify the execution script and re-execute than it would be to go through the entire configuration interview.

After Running the Siebel Security Adapter Configuration Script

1. Restart the Siebel server for changes to take effect. 2. Login with Active Directory users. 3. Inspect the server configuration profile. You are now able to see the QAS custom security adapter configuration:

Authentication Services 4.0.3 Siebel Security Adapter Administrator's Guide | Integrating Your Siebel Installation with Active Directory | 25

Configuring Single Sign-on Using mod_auth_vas

Option #2 provided by running the configuration script found at /opt/quest/libexec/vas/scripts/siebel/configure_siebel_adapter.sh is to configure single sign-on with mod_auth_vas. If you choose this option, it walks you through the process of making the following changes: 1. 2. 3. 4. Creating the appropriate service account in Active Directory for mod_auth_vas Configuring your web server extensions for single sign-on (eapps.cfg) Configuring your web server to use mod_auth_vas for authorization (httpd.conf) Modifying the QAS Security Adapter authentication subsystem for single sign on

Before this process begins, the script asks you to verify the following: 1. 2. 3. 4. You have the mod_auth_vas package installed You have previously completed successful configuration of the QAS Security Adapter You are using an Apache-based web server You are proceeding with configuration on the machine where the Siebel web server extensions are installed

If your answer any of these questions, no, you must terminate the configuration and fix the problem before continuing. Note: While the configuration script does check for the existence of the mod_auth_vas package, it does not determine if you have installed the correct mod_auth_vas package. The main issue to consider when determining whether you have the correct version installed is your particular version of Apache HTTPD. Apaches web server module API changes substantially between releases and modules compiled for one version of the Apache web server are not guaranteed to function correctly with another.

26 | Authentication Services 4.0.3 Siebel Security Adapter Administrator's Guide | Integrating Your Siebel Installation with Active Directory

Creating the Appropriate Service Account for mod_auth_vas

A correct Active Directory username and password is required to successfully create the service account; however, an incorrect username or password generates a rather conspicuous failure. A more subtle and difficult to detect error that could occur in this process occurs if you provide an incorrect group name for the httpd process. If the script cannot detect the location of your httpd.conf file (very possible), it complains and provides a default user (such as nobody) that might not actually be correct. This results in applying incorrect permissions to your service keytab which translates into the inability for any users to access your Siebel application from the web front end once you complete the configuration. Make certain that you locate the httpd.conf file for your web server installation and check its group ownership. This is sample output from this portion of the configuration process: This script checks your local configuration for properly using mod_auth_vas. It will prompt you to create a web service object in Active Directory if one is needed, and it will correct permissions on certain files. Commands executed will be recorded in /tmp/mod_auth_vas-setup.log.xxxx checking privileges .................... looking for Apache extension tool ...... looking for Apache configuration file .. looking for HTTP/ keytab ............... root not found not found /etc/opt/quest/vas/HTTP.keytab

The Apache server process must be able to access the keytab. I didn't find a httpd.conf file so I don't know what creds it uses. Tell me what Unix group it will run as, and I'll check the keytab file permissions so that it is readable by Apache. Group for Apache httpd process [nobody]: dba checking keytab is readable by dba ..... yes checking keytab can authenticate ....... yes If you have clients using Internet Explorer, a known issue (KB899417) can see them suddenly being unable to authenticate after only 30 minutes. A workaround is to create SPN aliases with all the possible 'short-names' that the host could use to access this server (i.e. http://short-name/). SPN aliases can also be useful for servers with multiple DNS identities. Credentials required to run tests on the service account Please login with a sufficiently privileged domain account. Username [Administrator]: Password for Administrator@EXAMPLE.COM: The HTTP/ service is currently known by these SPNs (service principal names): HTTP/LINUX HTTP/linux.example.com Enter a new SPN alias, or 'none' to finish [none]: Testing whether service password expires no (good) checking mod_auth_vas is loaded ........ unknown (need -a flag)

Configuring Your Web Server Extensions for Single Sign-On

The configuration script asks you to enter three pieces of information that relate to the configuration of the Siebel web server extensions. To configure your web server extensions for single sign-on 1. Enter a unique "Trust Token" for this module. The value of the trust token is not important, it is only important that the trust token which is specified here, matches the trust token configured for the QAS Security Adapter later. If you are configuring the QAS Security Adapter and mod_auth_vas at the same time (both Siebel server and Web server are installed on the same

Authentication Services 4.0.3 Siebel Security Adapter Administrator's Guide | Integrating Your Siebel Installation with Active Directory | 27

machine), then the security adapter will be automatically configured to use this trust token value. If you are configuring mod_auth_vas separately you need to manually configure the QAS Security Adapter with this trust token in a later step. 2. Enter the application for which you want to configure SSO. All Siebel applications have configuration sections in the eapps.cfg file. Each application begins with a heading that includes the name of the application. For example, the configuration for sales_enu might look like this: [/sales_enu] ConnectString = siebel.TCPIP.None.None://VirtualServer/SBA_80/SSEObjMgr_enu WebPublicRootDir = /opt/siebel/sweapp/public/enu SiebEntSecToken = oyBTDdYQOqgBQ/gAAA= Specify the name of the application you want to configure for single sign-on. If you configured the QAS Security Adapter to authenticate only one component, then the application you specify should match the object manager component specified in Question 2 of the security adapter configuration. 3. Enter the path to your web server's eapps.cfg file: It is necessary to respond accurately for the script to automatically modify the eapps.cfg file. Typically, the eapps.cfg file is located at (/SIEBEL_ROOT/sweapp/bin). However, you can manually modify the eapps.cfg file., as well. The four lines shown below in bold italics are the only changes you must make for any configured application: [/sales_enu] SingleSignOn = TRUE UserSpec = REMOTE_USER UserSpecSource = Server ProtectedVirtualDirectory = /sales_enu ConnectString = siebel.TCPIP.None.None://VirtualServer/SBA_80/SSEObjMgr_enu WebPublicRootDir = /opt/siebel/sweapp/public/enu SiebEntSecToken = oyBTDdYQOqgBQ/gAAA=

Configuring Your Web Server to Use mod_auth_vas for Authorization

This portion of the configuration involves modifying your web servers httpd.conf file so as to load mod_auth_vas for authorization. The configuration script does not modify the httpd.conf file. This must be done manually, it simply provides a sample configuration file that shows examples of what your mod_auth_vas configuration should look like. Below is an example configuration that shows what and where to include mod_auth_vas configuration in your httpd.conf file. 1. Newly added lines are shown in bold, all other lines are provided as context to show you where to place the configuration. ============================================================ Begin ============================================================ #mod_swe LoadModule swe_module modules/libmod_swe.so LoadModule auth_vas_module /usr/lib/httpd/modules/mod_auth_vas.so <IfModule mod_auth_vas.c> AuthVasDefaultRealm EXAMPLE.COM

<Directory /opt/siebel/sweapp/public/enu> AuthType QAS Require valid-user AuthVasRemoteUserMap ldap-attr sAMAccountName

28 | Authentication Services 4.0.3 Siebel Security Adapter Administrator's Guide | Integrating Your Siebel Installation with Active Directory

</Directory> LimitRequestFieldSize 16382 </IfModule> <IfModule mod_swe.cpp> AddHandler swe_service .swe .swef SWEConfigFile eapps.cfg SiebelHome /opt/siebel/sweapp Alias /ecustomer_enu /opt/siebel/sweapp/public/enu Alias /erm_enu /opt/siebel/sweapp/public/enu Alias /sales_enu /opt/siebel/sweapp/public/enu ............................. .... <many more aliases> .... ............................. <Directory /opt/siebel/sweapp/public/enu> DirectoryIndex default.htm Options Indexes MultiViews AllowOverride none Order allow,deny Allow from all </Directory> </IfModule> ============================================================ End ============================================================ Key Items to recognize when adding this configuration are: Load the auth_vas_module AFTER the swe_module. If this does not happen there is a chance that the web server will fail to load the module, and fail to start. The AuthVasDefaultRealm must match your Active Directory domain name. The AuthVasRemotUserMap ldap-attr value must match the attribute you are using to store your Siebel username. (See Q12. What is the name of the attribute used to store the Siebel username? on page 21 asked during the QAS Security Adapter configuration process). The directory specified (in this case /opt/siebel/sweapp/public/enu) must match the directory for the alias of your Siebel application. Note: The alias specified under mod_swe for our app "sales_enu" is also /opt/siebel/sweapp/public/enu. 2. After making these changes, restart your web server.

Modifying the QAS Security Adapter Authentication Subsystem for Single Sign-On
If you are configuring the QAS Security Adapter and mod_auth_vas at the same time (when you have both Siebel server and Web server installed on the same machine), skip this step as the QAS Security Adapter configuration process takes care of it. To configure the QAS Security Adapter for single sign-on 1. Set single sign-on to True. 2. Set the trust token value to match that which was set in the eapps.cfg file.

Authentication Services 4.0.3 Siebel Security Adapter Administrator's Guide | Integrating Your Siebel Installation with Active Directory | 29

You can do these tasks through the web interface, or you can run the following commands on your Siebel server to set these values: srvrcfg -u <adminuser> -g <gatewayserver> -e <siebel_enterprise> -s <siebel servername> -l <language> -m namedsubsys -c VasSecAdpt -w CustomSecAdpt_SingleSignOn=(True)" srvrcfg -u <adminuser> -g <gatewayserver> -e <siebel_enterprise> -s <siebel servername> -l <language> -m namedsubsys -c VasSecAdpt -w CustomSecAdpt_TrustToken=(your_unique_trusttokenvalue)"

Internet Explorer Configuration

If Internet Explorer continues to prompt for username and password when accessing your Siebel application even after configuring SSO, it is likely that Internet Explorer is not properly configured. To remedy this situation refer to the fully illustrated step-by-step guide to configuring Internet Explorer on the Quest Resource Central site at: Internet Explorer, a Quest Resource Central "How-To" Doc.

Limitations Associated with Single Sign-On Configuration

Once you have configured single sign-on with mod_auth_vas, you will not be able to access Siebel from the configured web server UNLESS you are a domain user with a Siebel account. In other words, you will not be able to access the Siebel Login page and specify the user with which you would like to log into Siebel. If you are not logged into your workstation as the domain user that has a configured Siebel account, accessing the Siebel application URL from your web browser will result in an "Invalid username or password error". If you regularly need to access the Siebel login page and specify an account other than the currently logged in user, you must configure a separate web server installation that is not configured for single sign-on. Additionally if you logged in by means of SSO, neither password change or user creation propagation will work.

Chapter

4
Manual Provisioning of Siebel Accounts
For an Active Directory user to log into Siebel he must have both a Siebel account and an Active Directory account. In many cases a user will already have an Active Directory account. For users with pre-existing Active Directory accounts to access Siebel, you must manually create a Siebel account. When manually creating a Siebel account, ensure that your users Siebel login ID is stored on their Active Directory account. In other words, the attribute that you specified in Q12. What is the name of the attribute used to store the Siebel username? on page 21 asked during the QAS Security Adapter configuration process), contains the users Siebel login ID. If you accepted the default attribute of sAMAccountName, then you will not need to make any modifications to your users Active Directory account. Simply ensure that the login ID you provide when you create the Siebel account matches the users AD account sAMAccountName. If you are using a custom, or otherwise empty, attribute to store the users Siebel login ID, you may specify a login ID you need for the newly created Siebel account. You must then set the Siebel login ID on the users Active Directory account. The key to the manual provisioning process (whether using a pre-populated attribute or not) is to ensure that the newly created Siebel account login ID matches the value of the attribute configured to store Siebel login ID. If you have user creation propagation configured, you will not need to worry about checking your Active Directory account after the Siebel account is created. The QAS security adapter will ensure a new Active Directory account is created with the Siebel login ID set on the appropriate attribute.

Chapter

5
Login Time Provisioning of Siebel Accounts
Topics: Create a Launch Script Create a User Creation Script Creating the Oracle Stored Procedure
A common deployment scenario is one in which Active Directory accounts already exist for most (if not all) employees. Many of these users may not have Siebel user identities. In order for a user to access Siebel, they must have a "Siebel account" as well as an Active Directory account. These Siebel accounts are stored in various tables in the backend Siebel database. The main purpose of this post-authentication script is to provide a hook for an administrator to create a Siebel account in the backend Siebel database when a user successfully authenticates with their Active Directory account. It would be ideal for you to be able to call a Siebel tool to create the necessary user information in the backend Siebel database (such as srvrmgr) that would allow you to create a simple user creation script requiring no knowledge of the schema used to store user information in the backend database. However, Siebel does not provide such a tool to accomplish this. Thus, you must create a stored procedure in your database to create Siebel accounts. You can call a stored procedure from your post-authentication script, populating the necessary tables in the backend database. The stored-procedure method of login time provisioning requires an in-depth knowledge of the Siebel database schema. It is also important to note that database schema can easily change from one version of Siebel to the next, so it is likely that any such stored procedure would be highly version-dependent. The tasks below demonstrate below how to launch a stored procedure from the QAS Security Adapter post-authentication script that you can use to create Siebel accounts.

34 | Authentication Services 4.0.3 Siebel Security Adapter Administrator's Guide | Login Time Provisioning of Siebel Accounts

Create a Launch Script

To be able to add a user to a table in the Oracle database, you must run your post-authentication script as the local oracle account; however, the QAS Security Adapter does not run as root; it runs as the local Siebel administrative user. To get the post-authentication script to execute with the right privileges, you must create two separate scripts. The first script must be owned by a local Siebel administrator user with privileges to run the QAS Security Adapter. This script serves as a springboard for launching the second, root-owned, script by means of sudo. To create a launch script 1. Create the following script. linux:/ # ls al launch_employee_creation.sh -rwxr-xr-x 1 sadmin dba 76 Mar 11 09:56 launch_employee_creation.sh linux:/ # cat launch_employee_creation.sh #!/bin/bash sudo /scriptlocation/post_auth_create_siebel_employee.sh "$1" "$2" Since you will be running this script non-interactively, you must allow the local Siebel administrator (sadmin in this example) to run the script that does the actual user creation (post_auth_create_siebel_employee.sh as shown above) without specifying a password. 2. Add a sudo rule for sadmin in the /etc/sudoers file as follows (where scriptlocation is the actual location of your script): sadmin ALL=(ALL) NOPASSWD: /scriptlocation/post_auth_create_siebel_employee.sh This launch script (launch_employee_creation.sh) is the script that you specify as the QAS Security Adapter post-authentication script (asked during the QAS Security Adapter configuration process in: Q24. You have not created/added the role "Web Anonymous User" would you like to do so now? on page 23). If you did not specify this script during the initial configuration process, you can modify the QAS Security Adapter configuration file (/etc/opt/quest/vas/sscvas3.conf). The post-authentication script is specified by the "postauthscript" option under the siebelvas heading as shown below: [siebelvas] postauthscript = /scriptlocation/launch_employee_creation.sh

Create a User Creation Script

The Launch Script calls the User Creation Script and it in turn calls a stored-Oracle procedure as the Oracle user which needs to provide any information that your stored procedure requires to create an entry in the S_USER table. At the minimum, it needs a first and last name and a log in name for the user. You can use vastool search commands to discover the necessary information about your user account. To create a User Creation Script Create the following script. #!/bin/bash FIRSTNAME=`/opt/quest/bin/vastool -u host/ search -q -s base -b "$1" "(objectClass=*)" givenName` LASTNAME=`/opt/quest/bin/vastool -u host/ search -q -s base -b "$1" "(objectClass=*)" sn` # If your Siebel UID should not be equal to sAMAccountName, change # the attribute used in this search sAMAccountName=`/opt/quest/bin/vastool -u host/ search -s base -q -b "$1" "(objectClass=*)" sAMAccountName` if [ -z ${FIRSTNAME} ]; then

Authentication Services 4.0.3 Siebel Security Adapter Administrator's Guide | Login Time Provisioning of Siebel Accounts | 35

FIRSTNAME=BLANKFIRSTNAME fi if [ -z ${LASTNAME} ]; then LASTNAME=BLANKLASTNAME fi su -c ". /usr/local/bin/oracle_env.sh; echo call my_create_siebel_employee\( \'$FIRSTNAME\', \'$LASTNAME\', \'$SAMACCOUNTNAME\'\)\; | sqlplus / as sysdba" oracle This script does the following: 1. Discovers necessary user information (FirstName, LastName, sAMAccountName) by doing vastool search commands on the DN provided to the script by the QAS Security Adapter. 2. Runs the su command to the Oracle account and calls a PREVIOUSLY CREATED stored procedure (in this case called "my_create_siebel_employee") to put the information discovered in Step 1 into the Siebel S_USER table. Note: The script searches for sAMAccountName to populate the Siebel Login ID. If you are using a different attribute (refer to Q12. What is the name of the attribute used to store the Siebel username? on page 21 of the configuration process), make sure you change the vastool command that searches for sAMAccountName to user your custom attribute.

Creating the Oracle Stored Procedure

The Oracle-stored procedure takes information provided by the QAS Security Adapter and inserts this information into the various Siebel tables associated with user information. The schemata of the Siebel tables associated with user information are highly dependent upon the version of Siebel used. Note: The creation of an Oracle-stored procedure is outside of the scope of this document.

Chapter

6
Troubleshooting
Topics: Special Considerations Capturing Debug Information
These topics provide information to assist you in troubleshooting problems associated with the QAS Security Adapter.

38 | Authentication Services 4.0.3 Siebel Security Adapter Administrator's Guide | Troubleshooting

Special Considerations
The process that loads the Siebel Security adapter does not run as root. This could be considered slightly abnormal for an authentication process. All other QAS authentication modules run inside a process space that has super user privileges. For example, PAM modules are almost always loaded into a privileged process space. This lack of root privileges causes the following known problems: 1. The host.keytab cannot be accessed 2. The disconnected authentication cache cannot be accessed 3. Default auth facility log files may not be accessible The Siebel adapter configuration script takes care of the first two issues by changing ownership of the host.keytab and disconnected authentication caches from root to that of the local Siebel user (the user into which the process space the QAS Security Adapter gets loaded). Issues could arise if either of these items were manually removed and recreated after the security adapter configuration script runs. However, this should not occur in the course of normal operation. You can address the third issue by altering the syslog configuration in the event that QAS Security Adapter log information becomes necessary.

Capturing Debug Information

The QAS Security Adapter logs data into syslog at the auth facility. In order to see any debug information from the QAS Security Adapter, you must have syslog properly configured to log the auth facility to a custom file. Syslog configuration is generally contained in the /etc/syslog.conf file. To make sure the auth facility is being logged, enter a line similar to the following in your /etc/syslog.conf file: auth.debug /var/log/auth.log authpriv.debug /var/log/auth.log Note: Use the second line (authpriv.debug) on Linux systems; use the first line on all other systems. Verify that the log destination exists and then restart the syslog daemon. Remember that the QAS Security Adapter does not run as root, so make sure the log destination file is writable by the local Siebel user. By default, the QAS Security Adapter only logs exceptional issues. You can acquire verbose debug information by adding the "logdebug" parameter to the QAS Security Adapter configuration file, located at /etc/opt/quest/vas/sscvas3.conf. Under the [siebelvas] section heading, add the line logdebug = true

Authentication Services 4.0.3 Siebel Security Adapter Administrator's Guide | Index | 39

Index
A
Active Directory (AD) integration 18 configure without SSO configuration 18 Security Adapter authentication subsystem 28 modifying 28 Security Adapter for Siebel 18, 19, 20, 21, 22, 23, 24 configuration questions 18, 19, 20, 21, 22, 23, 24 Security Adapter logs 38 configuring for debug information 38 Security Adapter package 17 installing 17 service account 26 creating 26 Siebel account 31 manual provisioning 31 Siebel Accounts 33, 34, 35 login time provisioning 33, 34, 35 Siebel Security adapter 17 configuring 17 Siebel Security Adapter 17 configuring 17 single sign-onconfiguring 25, 26, 27, 28, 29 srvrcfg utility 17 srvrmgr utility 17

C
contacting 9 conventions 8

I
installing 14, 17, 18 mod_auth_vas 18 QAS agent 14 Security Adapter package 17

J
joining domain 15 determining if joined 15 joining the AD domain 15

T
troubleshooting tips 37, 38 Troubleshooting: 15 determine if joined to AD 15

L
Limitations: 29, 38 Siebel Security adapter does not run as root 38 single sign-on configuration 29

U
user creation script 34 creating 34

M
mod_auth_vas 18 installing 18

V
vasjoin Script 15 using 15 vasjoin.sh 15 using 15 vastool join 15 using 15

O
Oracle stored procedure 35 creating 35

Q
QAS agent 14 installation 14 QAS solutions benefits 11 Quest One Identity Solution 8 Quest Support 9

W
web server 27 configuring 27 web server extensions 26 configuring for single sign-on 26

S
Security Adapter 34 creating launch script 34

40 | Authentication Services 4.0.3 Siebel Security Adapter Administrator's Guide | Index