Friday, October 5, 2012

SBL-SEC-10015: There are no database credentials assigned for this user for the specified data source.





Applies to:


Siebel System Software - Version: 7.7.1 [18306] to 8.2.2 SIA[22320] - Release: V7 to V8
Information in this document applies to any platform.



Symptoms


Customer was attempting to implement an External Business Component
(EBC) in Siebel 7.7.2.8 and asked how to properly pass the EBC's login
credentials when setting up to use with security adapter authentication
(specifically LDAPSecAdpt but also would be applicable to ADSISecAdpt).
He followed "Error connecting to External Data Source when using SSO and
LDAP (Doc ID 500232.1)" but was then presented with the following error
when trying to access the EBC or server administration / management
screens:

(secmgr.cpp (2955) err=7010015 sys=0) SBL-SEC-10015:
There are no database credentials assigned for this user for the
specified data source on the external authentication system.



Cause


This behavior was caused by an incorrect setup of the LDAP directory's shared credentials values. Specifically, the values for the various data sources required had to be stored as distinct entries in a multi-valued attribute (as specified by the CredentialsAttributeType parameter). This requirement is documented in "Error connecting to External Data Source when using SSO and LDAP (Doc ID 500232.1)" and similar documentation pertaining to setting up External Business Components.

What was not clear from the documentation is that you also have to add a value for the GatewayDataSrc in order for the Administration Screens and the EBCs to work properly.


Solution


1. The credentials for the various data sources need to be stored as
separate, distinct entries in a multi-valued attribute within the shared
credentials user's LDAP record.

2. Credentials for the GatewayDataSrc must be specified in addition to the ServerDataSrc and the EBC data source.

The exact procedures for doing this will vary depending on the LDAP directory or Active Directory you are using. Please consult appropriate documentation or vendor technical support for the specific external security directory product you are using. In general terms, the following steps should be followed:

1. Log in to your external security directory (LDAP or ADSI) administration program as a user with adequate rights to make changes to a user's attribute values.

2. Locate the user specified by the SharedCredentialsDN parameter in the security adapter profile you are using (normally either LDAPSecAdpt or ADSISecAdpt).




Important!  If you are using the LDAPSecAdpt with
Siebel 8.0 or later, there is an option to store shared database
credentials as parameters in the security adapter profile.  The use of
this functionality is not supported with EBCs.  The Shared DB Username
and Shared DB Password parameters must be blank or this solution will
not work.


3. Open the record for editing and locate the attribute you specified in the CredentialsAttributeType parameter for the security adapter profile. This must be a multi-valued attribute. If it is not, you will either need to select a different attribute which is multi-valued or make this attribute a multi-valued attribute (if allowed by your external directory server).

4. Add the following value sets to the attribute. Each one should be a distinct entry in different values of the multi-valued attribute.

type=GatewayDataSrc username=SADMIN password=XXXXX
type=ServerDataSrc username=SADMIN password=XXXXX
type=EBCDataSrc username=EBCUSER password=XXXXX

(replace EBCDataSrc, EBCUSER, and the passwords with appropriate values.)

5. Stop and restart the Siebel Server service(s) and Gateway service.

6. Test to ensure that you can now access both the Siebel Server Administration/Management screens and the EBC view(s).












Applies to:


Siebel CRM - Version: 7.7 [18026] BETA to 8.1.1 [21112] - Release: V7 to V8
Siebel System Software - Version: 7.7 [18026] BETA to 8.1.1 [21112]   [Release: V7 to V8]
Information in this document applies to any platform.



Symptoms


Customer is attempting to implement external security adapter (ADSI or
LDAP) authentication with the standard LDAPSecAdpt or ADSISecAdpt in
Siebel 8.0. The initial anonymous user login is failing on step 9 (clean
up and database credential retrieval) with the following errors:

SBL-SEC-10015:
There are no database credentials assigned for this user for the
specified data source on the external authentication system. This is
most likely a configuration issue. Please contact your system
administrator for assistance.

SBL-DAT-00577: There are no
database credentials assigned for this user for the specified data
source on the external authentication system. This is most likely a
configuration issue. Please contact your system administrator for
assistance.

SBL-SVC-00208: Please login first.

This prevents the login page from loading and as a result no user is able to access this Siebel application.


Cause


The database credentials information held in the shared credentials user's CredentialsAttributeType field contained extra spaces before and after the = sign. As documented in the Security Guide, there should only be a space between the value or username and the start of the password section.

Incorrect:

username = LDAPUSER password = LDAPUSER

Correct:

username=LDAPUSER password=LDAPUSER

The correct format for this value is documented in the Siebel Bookshelf's Security Guide under the Security Adapter Authentication section.


Solution


To resolve this behavior you will need to go into your external LDAP or ADSI directory and modify the shared credentials user record so that the value in the field specified by the security adapter's CredentialsAttributeType parameter matches the following format exactly (where USERNAME and PASSWORD are the correct values):

username=USERNAME password=PASSWORD

Specific instructions for doing this vary depending on the specific external directory you are using. Please refer to the appropriate vendor provided documentation.
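
The format rules from the two notes above (one data source per value of the multi-valued attribute, a value for GatewayDataSrc, no space next to the = sign), together with the lowercase-keyword rule quoted from the Security Guide further down this page, can be checked before the services are restarted. The Python check below is an added example, not code from Oracle or from the original post; the function names and sample values are constructed for illustration, and EBCDataSrc is the placeholder name used in the first note.

```python
ALLOWED_KEYS = ("type", "username", "password")

def parse_value(value):
    """Parse one value of the credentials attribute; return (fields, problems).
    Messages never echo a token, because a token may contain a password."""
    fields, problems = {}, []
    def note(msg):
        if msg not in problems:
            problems.append(msg)
    for token in value.split():           # any amount of space between pairs
        key, sep, val = token.partition("=")
        if not (sep and key and val):     # "username = U" breaks into fragments
            note("space next to '=' or stray token")
        elif key not in ALLOWED_KEYS:
            note("keyword must be lowercase type, username or password")
        elif key in fields:               # several data sources in one value
            note("more than one data source in a single value")
        else:
            fields[key] = val
    if not problems:
        for key in ("username", "password"):
            if key not in fields:
                problems.append(f"missing {key}")
    return fields, problems

def audit_attribute(values, required_types):
    """Report malformed values and data sources with no value of their own."""
    bad_values, covered = {}, set()
    for index, value in enumerate(values):
        fields, problems = parse_value(value)
        if problems:
            bad_values[index] = problems
        else:
            covered.add(fields.get("type"))
    missing = [t for t in required_types if t not in covered]
    return {"bad_values": bad_values, "missing_types": missing}

# Constructed sample data; EBCDataSrc is the article's placeholder name.
REQUIRED = ("GatewayDataSrc", "ServerDataSrc", "EBCDataSrc")
GOOD = ["type=GatewayDataSrc username=SADMIN password=XXXXX",
        "type=ServerDataSrc username=SADMIN   password=XXXXX",
        "type=EBCDataSrc username=EBCUSER password=XXXXX"]
BAD = ["type=ServerDataSrc username=SADMIN password=XXXXX "
       "type=EBCDataSrc username=EBCUSER password=XXXXX",
       "username = LDAPUSER password = LDAPUSER",
       "type=GatewayDataSrc Username=SADMIN password=XXXXX"]
if __name__ == "__main__":
    print(audit_attribute(GOOD, REQUIRED), audit_attribute(BAD, REQUIRED))
```

The report lists problems by value index only, so it can be shared without exposing the stored passwords.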










Applies to:


Siebel System Software - Version: 7.8.2.2 SIA [19219] and later   [Release: V7 and later ]
Oracle Solaris on SPARC (64-bit)

Product Release: V7 (Enterprise)

Version: 7.8.2.2 [19219] Auto

Database: Oracle 9.2.0.6

Application Server OS: Sun Solaris 8

Database Server OS: Sun Solaris 9



This document was previously published as Siebel SR 38-2952877510.



Symptoms


SBL-SEC-10015

Hi,

Page 115 of Siebel Security Guide (Version 7.8 Rev A) lists the Anonymous user, using a DB credential of <username = LDAPUSER password=P>.

2 questions:

1. The syntax for the SharedCredentials is listed on page 80 as "This attribute value must be of the form username=U password=P, where U and P are credentials for a database account. There may be any amount of white space between the two key-value pairs, and there must be no space within each pair. The keywords username and password must be lowercase." This contradicts the example value on p 115. Which is correct?

2. On page 115, the test user example LDAP record lists in the Database Account column "Database account is not required for any user record, except the anonymous user."
However, on the following page, a special note reads "NOTE: In a production environment, do not use the anonymous user as the directory object that contains the shared credential. To do so could allow a user with minimum responsibility to log in directly to the directory server and view shared database credentials. Using these database credentials, a user could log in directly to the Siebel Database and see data that he or she does not have the assigned visibility level to see."
If another DN is specified for the SharedCredentialsDN (a user other than anonymous user) does the Anonymous user require a DB account value pair in the attribute being used for this value (CredentialsAttributeType)?


Thanks,






Cause


Change Request 12-1D0PF6P


Solution



Message 1


For the benefit of other readers:





Per this Service Request description, customer noticed some conflicting
information in document Security Guide for Siebel Business Application
for version 7.8, Rev. A.



Please, check below the information requested:



1. The syntax for the SharedCredential is listed on page 80 as "This
attribute value must be of the form username=U password=P, where U and P
are credentials for a database account. There may be any amount of
white space between the two key-value pairs, and there must be no space
within each pair. The keywords username and password must be
lowercase."   This contradicts the example value on p 115. Which is
correct?



The correct value for the LDAP account attribute that stores the shared database credentials should be as below:



username=<username> password=<password>



Where username is the shared database account name and password is this account password.



Page 115 is using LDAPUSER as an example because this is the default database account used in the scenario provided in this section of the documentation.



The CredentialsAttributeType parameter defines which attribute the shared database credentials will be stored in. Parameter SharedCredentialsDN defines which LDAP account will be used to retrieve the information stored in the attribute defined by CredentialsAttributeType.



[Continue]


Message 2


[Continued]



2. If another DN is specified for the SharedCredentialsDN (a user other
than anonymous user) does the Anonymous user require a DB account value
pair in the attribute being used for this value
(CredentialsAttributeType)?



No, the anonymous user LDAP account does not require an attribute to store the shared database credentials when SharedCredentialsDN is defined to a different LDAP account. The situations where the anonymous user LDAP account will require an attribute to store the shared database credentials are:



a. when the anonymous user LDAP account is also defined as the SharedCredentialsDN.



b. when no SharedCredentialsDN is defined.





Change Request 12-1D0PF6P has been logged to update Security Guide and
create a dedicated SharedCredentialsDN account in section “Setting Up
Security Adapter Authentication: A Scenario”. This will remove
information from anonymous user LDAP account.





Thank you,




Applies to:


Siebel System Software - Version: 7.8.2 [19213] and later   [Release: V7 and later ]
z*OBSOLETE: Microsoft Windows Server 2003

Product Release: V7 (Enterprise)

Version: 7.8.2 [19213]

Database: Oracle 9.2.0.6

Application Server OS: Microsoft Windows 2003 Server

Database Server OS: Sun Solaris 7



This document was previously published as Siebel SR 38-2981587091.



Symptoms


SBL-DAT-00222, SBL-DAT-00541, SBL-DAT-00446

We have 3 EBCs that used to work just fine until I had to re-create and rename them to make them shorter. Also, ADSI Security Adapter has been implemented. We want them to use DSUsername and DSPassword not ADSI, as they used to do with Database Authentication.
The problem is that it is trying to use the ADSI adapter database account to login to the 3 databases.






Cause


Change Request 12-1DN3R8F


Solution



Message 1


For the benefit of other readers,



Customer had configured External Business Components (EBC) and was using Siebel ADSI Security Adapter version 7.8.2. The following error messages were logged in the Object Manager log file when trying to use EBC:



SBL-DAT-00446: You have entered an invalid set of logon parameters. Please type in your logon parameters again.



SBL-DAT-00541: You are not able to login to the database using the
database credentials assigned to you. There may be a problem with the
data source you are attempting to log into, or the credentials may be
invalid for the data source.

Please contact your system administrator.



Siebel Web Client returned the error below:



An error has occurred creating business component '<business
component name>' used by business object '<business object
name>'. Please ask your systems administrator to check your
application configuration.(SBL-DAT-00222)





Information in Technical Note 605 and document Integration Platform Technologies: Siebel Enterprise Application Integration for version 7.8, chapter 10: External Business Components has been followed; however, the above error messages still occurred. Based on Technical Note 605, the following tests were performed, with the CredentialAttributeType attribute for the SharedCredentialsDN account set as below for each test:



[Continue]


Message 2


[Continued]



a. username=sadmin password=sadmin type=ServerDataSrc username=wsasaki password=wsasaki type=WindCity



where:



WindCity is the test external connection for EBC

sadmin is the shared database credentials

wsasaki is the external database account



Results: same error messages as above.



b. type=ServerDataSrc username=sadmin password=sadmin type=WindCity username=wsasaki password=wsasaki



Results: same error message as above



c. type=WindCity username=wsasaki password=wsasaki type=ServerDataSrc username=sadmin password=sadmin



Results: Siebel Web Client did not start, and the error message below was logged in Object Manager log file:



SBL-SEC-10015: There are no database credentials assigned for this user
for the specified data source on the external authentication system.
This is most likely a configuration issue. Please contact your system
administrator for assistance.





External Business Component only worked with Siebel LDAP/ADSI Security Adapter version 7.8.2 after the same sadmin account was created in the external database and the type parameter was removed from CredentialAttributeType, as below:



username=sadmin password=sadmin





Change Request 12-1DN3R8F has been logged to address EBC authentication
when using Siebel LDAP/ADSI Security Adapter version 7.8.2.





The workaround, as described above, is to use the same database user name and password in Siebel Database and External Database.





Thank you,
