Siebel to OBIEE (BI) Authentication Via https Reveals Credentials in Post — Oracle Analytics

user11932033 Rank 3 - Community Apprentice

Siebel to OBIEE (BI) Authentication via https reveals credentials in post

When using My Dashboards from Siebel, the application opens a session to the BI application (OBIEE). This session is via https. However, if you sniff the POST session via Wireshark, the username and password are present in the login POST.

We have an SSL accelerator at the load balancer and the Siebel component parameters set as below.

1. Enforce SSL = False

2. Secure Browse = True

3. Secure Login = True

OBIEE Version: 11g

Siebel 15.5

Is there a way to authenticate in a different way to secure this route?

Much appreciated

Regards,

Tarang Jain

Answers

  • handat Rank 5 - Community Champion

    Please describe your architecture in more detail. From your current description, it appears that the SSL accelerator at your load balancer is doing SSL offloading, so the connection to your load balancer is https but anything behind it is http. I presume you are using Wireshark to sniff the traffic between the load balancer and BI rather than between the browser and the load balancer.

  • user11932033 Rank 3 - Community Apprentice

    Hi Handat,

    Thanks for your reply.

    As you said "SSL accelerator at your load balancer is doing SSL offloading so connection to your load balancer is https but anything behind it is http".

    The above is true.

    To sniff the traffic I used the Firefox Developer Tools, then clicked on Network and then Parameters. The traffic which I am sniffing is when clicking on the My Dashboard page in Siebel; during that time, in the saw.dll traffic, I can see the username and password.

    My current architecture is:

    (https) Client Browser --> (https) F5 (Load Balancer) --> (http) Siebel Webserver --> (http) Internal Load Balancer --> (http) OHS Server --> (http) BI, and then the reverse.

    Can you please provide some more information on how we can secure this traffic?

    Regards,

    Tarang Jain

  • handat Rank 5 - Community Champion

    In this case, it is secure, but it will depend on how secure you want/need it. Your traffic between the browser and F5 is https. That's all that external entities that snoop your network traffic will see, i.e. encrypted http (https).

    If someone is able to snoop your internal traffic (they must have gained access somehow or are employees/contractors who are on your network), then they will see the http traffic in plain text. If you want to encrypt that as well, i.e. use https instead of http, then you will need to enable https for all your services and not do SSL offloading, i.e. your Siebel WebServer will need to have SSL enabled for https, your internal load balancer also needs https, and your OHS as well as BI also need https enabled.

  • user11932033 Rank 3 - Community Apprentice

    Hi Handat,

    Thanks for your reply.

    For the first point:

    In this case, it is secure, but it will depend on how secure you want/need it. Your traffic between browser and F5 is https. That's all external entities that snoop your network traffic will see, ie encrypted http (https)

    This is what I was expecting: that if anybody snoops the traffic from a browser outside my network, they should not be able to see the login credentials. However, we tested and saw that on an external network, in the browser, it reveals the credentials.

    Any pointers on this?

    And for your 2nd point, it means we need to make our system SSL enabled end to end. I have one question on this: if we enable SSL only at the Siebel web server, internal load balancer and OHS, will it be fine, or are the OBIEE components also required to be SSL?

    Thanks in advance. Really appreciate your prompt responses.

    Regards,

    Tarang Jain

  • handat Rank 5 - Community Champion

    From what I understood, you used a Firefox plugin to sniff the traffic. If that was the case, then since Firefox is your browser it naturally has all the data in plain text, since it can decrypt it. You need to use a packet analyzer outside of your browser to sniff the traffic between the machine on which the browser runs and the load balancer/F5. Something like Wireshark would be a good tool for sniffing the traffic.

    For the second question, your weakest point would be where potential eavesdroppers will be able to snoop your traffic and steal information. If your OBIEE components are in plain text, then the traffic to and from OBIEE could potentially be snooped. However, all this also depends on your internal network design. If they are segmented in their own VLANs, then it would also depend on how secure your VLANs are. For example, if you had IPsec encryption on your internal network traffic, then the traffic is already encrypted, so having the internal traffic also go over https might be overkill, but depending on your security requirements, it may not be.
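
As an added example (not part of the original thread and not Oracle code): the wire-level check the last answer recommends, applied to the first TCP payload bytes exported from a packet capture at each hop, rather than to what the browser's developer tools display. The sample payloads, host name, `/analytics/` path prefix and credential field names are constructed assumptions.

```python
import struct
from urllib.parse import parse_qsl

# Assumed credential field names; substitute the ones your login POST actually uses.
CRED_FIELDS = {"username", "password"}
HTTP_METHODS = (b"GET ", b"POST ", b"PUT ", b"HEAD ")

def classify_payload(payload: bytes) -> str:
    """Classify the first bytes of a TCP payload taken from a packet capture."""
    if len(payload) >= 5:
        ctype, major, minor, length = struct.unpack("!BBBH", payload[:5])
        # TLS record header: content type 20-23, version 3.x, bounded record length.
        if 20 <= ctype <= 23 and major == 3 and minor <= 4 and length <= 16384 + 2048:
            return "tls"
    if payload.startswith(HTTP_METHODS):
        return "plaintext-http"
    return "unknown"

def exposed_fields(payload: bytes) -> list:
    """Names (never values) of credential fields readable in a plaintext POST body."""
    if classify_payload(payload) != "plaintext-http":
        return []
    _, _, body = payload.partition(b"\r\n\r\n")
    names = {k.lower() for k, _ in parse_qsl(body.decode("latin-1"))}
    return sorted(names & CRED_FIELDS)

def audit(hops: dict) -> dict:
    """Map each hop name to (classification, exposed credential field names)."""
    return {hop: (classify_payload(p), exposed_fields(p)) for hop, p in hops.items()}

# Constructed sample payloads, one per capture point in the thread's topology.
SAMPLE_HOPS = {
    "browser -> F5": bytes([0x17, 0x03, 0x03, 0x00, 0x20]) + b"\x8f" * 32,
    "OHS -> BI": (b"POST /analytics/saw.dll HTTP/1.1\r\n"
                  b"Host: bi.internal.example\r\n"
                  b"Content-Type: application/x-www-form-urlencoded\r\n\r\n"
                  b"username=EXAMPLE_USER&password=EXAMPLE_PASS"),
}

if __name__ == "__main__":
    for hop, (kind, fields) in audit(SAMPLE_HOPS).items():
        print(f"{hop}: {kind}, credential fields visible: {fields or 'none'}")
```

A hop that reports `tls` carries the login POST encrypted on the wire even though the browser's own tools show it decoded; a hop that reports `plaintext-http` with credential fields is one where SSL offloading has left the login readable to anyone able to capture on that segment.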