When And How To Import 3rd Party Certificates For Siebel Server Running On Windows Operating Systems Making Outbound Calls To An External System HTTPS URL?
(Doc ID 2900043.1)
Last updated on MARCH 18, 2024
Applies to:
Siebel System Software - Version 8.1.1 [21112] to 23.10 [Release V8 to V17]Microsoft Windows x64 (64-bit)
Purpose
Starting with Monthly Update 23.11, Siebel application has only one solution for SHA2 support for Outbound Web Services that works in both Windows and non-Windows environments as illustrated below. This is to configure the [EAI OutBound Subsystem] = OUTBOUNDSHA for both Windows and Linux/Unix environments. Please follow the below KM Doc ID 2226450.2 for instructions on Siebel 23.11 and above for both Windows and Linux platforms:
In particular, follow the instructions in tab [VIII. Setup SHA2 Certificate for 23.11 and above] of the KM Doc 2226450.2
Some 3rd party Soap Testing tools such as SoapUI and Chrome Postman do not need the 3rd party certificates to be imported for https calls because these tools have their own way to bypass the certificate check if no certificates are found for the 3rd party host. Thus, testing with SoapUI and Chrome Postman for https URLs may not be comparable to Siebel application's call to the same 3rd party URL.
The certificate may not be required by other applications, but it will be required on the Siebel application side to establish SSL Handshake to external systems through https protocols in the URL.
To verify/test the 3rd party URL, please perform these steps:
1. Use an IE Browser on a Windows OS machine (any Windows OS machine will do).
2. Launch the IE browser, put in the 3rd party URL and https protocol URL (the entire URL that Siebel will eventually send to) and click enter.
3. Please check if this prompts or displays any messages about certificates.
4. Please check if there is a Lock icon on the left side next to the IE browser URL. Click on that Lock icon to see what information it provides.
5. If this shows some message about the connection being secured, security warnings/messages, privacy or certificates, this means that a certificate will be required for the SSL Handshake if/when Siebel makes the call because Siebel outbound call is at the backend without any UI interactions and thus, Siebel outbound calls will not have any way to suppress any certificate related messages or notifications.
6. Please do this test and check for the above items. If there are some security, privacy or certificate warnings, then work with the 3rd party system to generate/issue and provide the certificate(s) for Siebel application to use for the SSL Handshake.
If a certificate is needed, then the following KM provides an explanation of how 3rd party certificates are handled on Siebel server that runs on a Windows OS and steps on how to import the 3rd party certificates properly.
a. When any Siebel Server version (including IP17+ release and patchsets) runs on a Windows Operating System, the following outbound calls will be handled by the Windows Operating System layer via WinInet. This applies even on IP17+ and latest patchset releases. The following Outbound calls DO NOT USE the javacontainer from IP16, nor the SES applicationcontainer in IP17+, these Outbound calls are made directly from the Windows OS to the 3rd party system:
i. Outbound EAI HTTP Transport SendReceive
ii. Outbound Web Services
If these 2 types of outbound calls are going to an https url and certificates are needed, then import the 3rd party certificates into the Siebel Server Windows OS.
Please follow the certificate import steps below in question # 2. How to import the 3rd party certificates into the Siebel Server that runs on a Windows OS?
b. When Siebel Server runs on a Windows Operating System, the following outbound calls will be need to use the javacontainer (for IP16) or the SES applicationcontainer (for IP17+):
i. Outbound REST (applicable for IP17+ and above only)
ii. Outbound EAI JMS Transport SendReceive (JMS) that uses using Java 64 bit JRE
iii. Java Business Service (JBS) that uses using Java 64 bit JRE
If these 3 types of outbound calls are being made from Siebel server on Windows OS to a secure external system url that uses https, then import the 3rd party certificates into the Siebel server javacontainer (IP16) or Siebel Server SES applicationcontainer (IP17+).
Please refer to KM article here for instructions on how to import 3rd party certificates into Siebel server javacontainer (IP16) or Siebel Server SES applicationcontainer (IP17+):
Scope
The information and steps in this KM applies ONLY to Siebel server that runs on Windows OS.
For information on importing 3rd party certificates for Siebel server running on Linux/Unix flavor OS, please refer to this KM instead:
Details
To view full details, sign in with your My Oracle Support account. |
|
Don't have a My Oracle Support account? Click to get started! |
In this Document
| Purpose |
| Scope |
| Details |
| References |