SBL-DAT-00565: An internal error has occurred within the authentication subsystem for the Siebel application.

Applies to:

Siebel CRM - Version: 7.7 [18026] BETA to 8.1.1 [21112] - Release: V7 to V8
Siebel System Software - Version: 7.7 [18026] BETA to 8.1.1 [21112] - Release: V7 to V8

Information in this document applies to any platform.

Symptoms

When invoking the keydbmgr.exe utility, a SBL-DAT-00565 (An internal error has occurred within the authentication subsystem ...) error occurs.

Cause

The keydbmgr.exe program is a simple and largely standalone utility that reads database connection information from the .CFG  file specified when it is executed.  It does not, however, fully integrate with the Siebel Gateway or Enterprise configuration. As a result, it is not capable of loading variable information and instead must be provided with literal (i.e. constants) data in the .CFG file's various parameters.

By default, the various application object manager .CFG files (normally found in /siebsrvr/bin/[language_code]) contain a number of parameters that use variables to reference Enterprise parameter values stored in the Siebel repository.  For example:

DataSourceName = $(DefaultDataSource)

Here $(DefaultDataSource) is an enterprise parameter variable.  The keydbmgr program requires it to contain the actual, literal value:

DataSourceName = ServerDataSrc

Solution

The solution to this error is to replace all relevant enterprise parameter variables with their constant, literal values.  Start by searching the .CFG file keydbmgr is using for all instances of "$(DefaultDataSourceDefaultDataSource)".  Replace these with "ServerDataSrc".

Then look at the [ServerDataSrc] section in the .CFG file.  You will see a number of enterprise parameter variables in the format $(Variable_Name).  Replace all of these with the appropriate values.  If you have a working Tools Client or Web Developer Client that points to this same environment, you can pull the necessary values from the specific .CFG file that the Tools or Developer Client uses. 

After doing this, save your changes and try the keydbmgr.exe command again.

References

NOTE:478088.1 - Siebel Strong Encryption Pack (SSEP) for Siebel Version 7.7

Applies to:

Siebel Communications Sales + Communications Service - Version: 8.0.0.6 [20423] - Release: V8
Information in this document applies to any platform.

Symptoms

On : 8.0.0.6 [20423] version, Security / Authentication

When attempting to change the password in "User Profile Default View "
the following error occurs.

ERROR
-----------------------
"SBL-DAT-00565: An internal error has occurred within the authentication subsystem for the Siebel application."


STEPS
-----------------------
The issue can be reproduced at will with the following steps:
1. Setup an Oracle database profile with a password verify function which checks if passwords are compliant with the security guidelines.
2 Try to change the password in the view "User Profile Default View "which does not comply with the policy.
3. SBL-DAT-00565 error appears.
In previous versions (8.0 and 7.x), user would get the Oracle DB message with the details on why the new password is not accepted.

BUSINESS IMPACT
-----------------------
The issue has the following business impact:
Users are not sure what they did wrong. Oracle message should be passed to the user saying why the new password does not satisfy the security policy.

Cause

When using DB authentication, if password policy is set in Oracle in Siebel 8.0.0.1-8.0.0.8, due to some code change, while changing the password in User Preference Screen, the message that end users receive is not user-friendly:
SBL-DAT-00565: An internal error has occurred within the authentication subsystem for the Siebel application.

The following product defect was logged for this behaviour:

Bug 12-1TXBDA9: Siebel Warning SBL-DAT-00565 is not user friendly when changing password

Solution

The problem reported in the Bug 12-1TXBDA9: Siebel Warning SBL-DAT-00565 is not user friendly when changing password, is present in all patches 8.0.0.1-8.0.0.8. The only time when the ORA error appears is with the main release 8.0.

(Example of an ORA error:

ORA-28003: password verification for the specified password failed
ORA-20001: Password length less than 8)

Possible workaround would be to use scripting to implement password verification same as in utlpwdmg.sql (function Oracle uses for password verification), prior to passing the password to Oracle.

References

BUG:12-1TXBDA9 - SIEBEL WARNING SBL-DAT-00565 IS NOT USER FRIENDLY WHEN CHANGING PASSWORD

Applies to:

Siebel System Software - Version: 8.1.1.1 SIA [21211] and later   [Release: V8 and later ]
Information in this document applies to any platform.

Symptoms

In Siebel 8.1, customer was attempting to authenticate with external security adapter authentication (LDAPSecAdpt or ADSISecAdpt). The process was failing in the bind stage with the following error pattern:

Ldap Utility: BindAsAppUser failed due to invalid password, please check the value of ApplicationPassword parameter,

SBL-SEC-10001: An internal error has occurred within the authentication subsystem for the Siebel application. Please contact your system administrator for assistance.
SBL-DAT-00565: An internal error has occurred within the authentication subsystem for the Siebel application. Please contact your system administrator for assistance.
SBL-DAT-00565: An internal error has occurred within the authentication subsystem for the Siebel application. Please contact your system administrator for assistance.
Login failed for Login name : XXXXXX

Cause

There are two common causes of this error.

1.  The password specified in the ApplicationPassword parameter in your security adapter profile does not match the password for the application user (specified in the ApplicationUserDN parameter) in the LDAP or Active Directory server.

2.  The value specified for the ApplicationUserDN parameter does not match a valid user in your LDAP or Active Directory server.

Solution

If the cause is a password mismatch, the solution is to simply update the ApplicationPassword parameter with the correct password.  In most cases you will not even need to restart the services.  You will just need to create a new clean connection with a new session.

If the cause is an invalid user, first check for typographical errors done when entering the ApplicationUserDN parameter value.  If present, correct the errors and test the behavior again.

If the issue is not a typographical error, you will need to confirm the actual fully qualified designated name (DN) of the application user in the external directory.  This is the unique value that identifies a given entry in the external directory server and its format can vary depending on external directory used and the configuration of the directory.  To determine the actual DN for an entry, check with your directory administrator or view the entry using a third party LDAP browsing tool.

The most common format for DNs on Active Directory looks similar to:

cn=Any User,ou=Siebel,dc=Fake,dc=Oracle,dc=com

With LDAP directories, there is often more flexibility as to what the fields are names and to which field forms the "key" field for determining the DN.  Some examples:

uid=Any User,cn=Siebel,o=Fake,o=Oracle.com
cn=Any User,ou=Siebel,dc=Fake,dc=Oracle,dc=com
sn=AUSER,cn=Siebel,o=Fake.Oracle.com

As you can see, the only real way to determine the correct DN is to verify the value in the Directory Server.  Normally your Active Directory or LDAP administrator can assist you with this, but if further assistance is necessary please open a service request through My Oracle Support.

Applies to:

Product Release: V8 (Enterprise)
Version: 8.0 [20405]
Database: Oracle 10.2.0.1
Application Server OS: Sun Solaris 10
Database Server OS: Sun Solaris 10

This document was previously published as Siebel SR 38-3408846288.

Symptoms

SBL-DAT-00565, SBL-SEC-10018, SBL-SEC-10001

After customer enabled SSL encryption for LDAP, error message below was returned:

SBL-SEC-10018: ldap_ssl_init failed

Solution

Message 1

For the benefit of other users,


Customer was configuring SSL communication encryption between Siebel LDAP Security Adapter version 8.0.0.1 (LDAPSecAdpt) and Sun LDAP Directory Server. The Siebel Server was running on Solaris 10 Operating System. After setup was completed, the error messages below were logged in Object Manager log files:

ldap_ssl_client_init(/siebel/siebsrvr/bin/ssldatabase/key.kdb, ...) returns 118.
ldap_ssl_init(stscdev5.va.neustar.com, 636, ...) returns 0.
Ldap Utility: GetLdapHandle returns 3
LDAP SecurityFreeErrMessage8, ErrMessage=24f9738.
SBL-SEC-10018: ldap_ssl_init failed
SBL-SEC-10001: An internal error has occurred within the authentication subsystem for the Siebel application. Please contact your system administrator for assistance.
SBL-DAT-00565: An internal error has occurred within the authentication subsystem for the Siebel application. Please contact your system administrator for assistance.

When reviewing LDAP SSL configuration in document Siebel Security Guide for version 8.0, Siebel Security Guide for version 8.0, chapter 6: Security Adapter Authentication, section Installing LDAP Client Software, under “Configuring the IBM GSKit” there is no information about where required jar files are located. They are located under <IBM GSKit 7>/classes/jre/lib/ext folder.

Change Request 12-1KGNGCP has been opened to update documentation with information regarding required *.jar files for IBM GSkit.

[Continue 1]

Message 2

[Continued 1]

Error code 118 was reproducible by Technical Support. During investigation, truss was enabled to collect information from Object Manager process ID and we found that LDAPSecAdpt was trying to use libgsk6ssl.so library instead of libgsk7ssl.so. Based in this information, we installed IBM GSKit version 6.0.4.41 in Solaris 10 machine. After this installation, SSL encryption to LDAP Directory Server worked fine in Technical Support environment. However in customer environment a crash occurred, with unmangled call stack below:

fc8c155c _lwp_kill (6, 0, fc8a4ce8, ffffffff, fc8e8288, 6) + 8
fc840118 abort    (f303d0, 1, fcdea0dc, a8274, fc8eb298, 0) + 110
fcdcca2c int SehScanInvokeTryList(SEH_THREAD_BLOCK*) (fe3910, 1087fc, fced7a14, 0, 2, 0) + 30c
fcdcd7d0 int Signal_Handler::raise(unsigned,void*,int,int,unsigned long*) (c0000005, f74f8b38, 0, 2, f74f8910, 1800) + f4
fcdcd934 void Raise_Exception::operator()(int,siginfo*,void*) (282098, b, f74f8df0, f74f8b38, fceea8bc, 2c) + a4
fe74ae14 _SigBusSegvIotHandler (b, f74f8df0, f74f8b38, fe7743c0, fe77428c, fe772c6c) + 174
fc8c0494 __sighndlr (b, f74f8df0, f74f8b38, fe74aca0, 0, 1) + c
fc8b558c call_user_handler (b, 3962b, c, 0, fc393000, f74f8b38) + 3b8
fe94037c md5_block_asm (2508d88, fe9a5fe4, 203e, 0, bbde5323, 132c0100) + 2a8

[Continue 2]

Message 3

[Continued 2]

fe93ff2c MD5_Update (2508d88, fe992e64, 9415c, fe93fe10, 0, 0) + 11c
f7fb52e0 META_EVP_DigestInit (f4b3c488, 2508d88, fe992e34, f7fb5144, fc8e8288, fc8f09b0) + 78
f7fb9e28 ???????? (24ff4e8, 25032a0, 100, f74f91e4, f74f91e0, f7fd24dc)
f7fb95e4 META_GenerateRandomSeed (19, f74fa238, 1800, 2503260, f7fd1318, f7fbfbac) + 46c
f7fb4368 META_Attach (f7fd2670, 0, 8, 24ff4e8, f4abfbfc, f7fd1318) + ad8
f7cb1010 ???????? (fe41c0, 1, 0, 0, 0, 0)
f7cb21b8 ???????? (246da04, 1, ffffffff, fffffff8, ffffffe0, fe41c0)
f7caad70 ???????? (246d9f8, f74fa80c, 0, ff2340, 0, 1)
f7ccd750 ???????? (f7cef070, f74fa80c, 98, f74fa528, 246d9f8, 246d9f8)
f7cccdfc ???????? (f74fa80c, f74fa74c, f74fa80c, f4e74e2e, fed968, 0)
f4d96f54 GSKKRYAlgorithmFactory*GSKKRYCompositeAlgorithmFactoryAttributes::getAlgorithmFactory(const char*,const char*,void*) (f4e74e25, f4e74e2e, f74fa80c, f74fa818, f4e74e10, 0) + 12c
f4d8c118 const GSKKRYAlgorithmFactory*GSKKRYCompositeAlgorithmFactory::attachImpl(const GSKKRYAttachInfo::SOFTWARE&) (24fed1c, f74fc270, 1, f74fcc10, f4fbbbf4, ff8908) + a0
f4f49d8c ???????? (24fed00, f74fd32c, 0, f74fd334, 100f210, a)
f4f2241c gsk_environment_init (100f210, 12c, 10eb8, f8abd674, 0, 100f210) + 7f4
f8abd6b4 ldap_ssl_client_init (f8af0790, 0, 0, f74fd720, 0, f74fd470) + 254
...

[Continue 3]

Message 4

[Continued 3]

Customer mentioned that during configuration of LDAPSecAdpt with IBM LDAP Client version 6.0, it was required to change LD_LIBRARY_PATH environment variable and add library path of IBM LDAP Client libraries in order to make LDAPSecAdpt working with no SSL enabled. This was not required in Technical Support environment because IBM LDAP Client version 5.1 was also installed in Solaris 10 Operating System.

Change Request 12-1KWA76R has been opened to update Siebel Security Guide regarding LD_LIBRARY_PATH requires IBM LDAP Client 6.0 library path.

After IBM LDAP Client version 5.1 was uninstalled from test machine, Technical Support was able to reproduce the call stack. The core was generated only when using IBM LDAP Client 6.0. When customer removed IBM LDAP Client 6.0 library path from LD_LIBRARY_PATH environment, and installed IBM LDAP Client version 5.1, SSL between LDAPSecAdpt and LDAP Directory Serve worked fine.

Change Request 12-1KWA78H has been opened to correct SSL between LDAPSecAdpt and LDAP Directory Server using only IBM LDAP Client 6.0 and IBM GSKit 7. The workaround for this CR is to install IBM LDAP Client 5.1, IBM GSKit version 6, and ensure that IBM LDAP Client version 6.0 library path is not available in LD_LIBRARY_PATH environment variable.


Thank you,


Siebel Technical Support

Applies to:

Siebel System Software - Version: 8.0.0.5 SIA [20420] - Release: V8

Information in this document applies to any platform.

Symptoms

Customer was not able to logon using Dedicated Web Client on one of the App Server in Siebel environment. Changed all the parameters in cfg file in WebClient\BIN\ENU folder.
There is no encryption software used here, attached log file from WebClient.

From the log, the following errors were found:
GenericLog GenericError 1 000000024a6f0a10:0 2009-07-29 15:23:31 (secmgr.cpp (2486) err=4597538 sys=127) SBL-SEC-10018: Can't load sscddcli.dll(SBL-GEN-02500)

GenericLog GenericError 1 000000024a6f0a10:0 2009-07-29 15:23:31 (secmgr.cpp (2558) err=4597521 sys=0) SBL-SEC-10001: An internal error has occurred within the authentication subsystem for the Siebel application. Please contact your system administrator for assistance.

ObjMgrSessionLog Error 1 000000024a6f0a10:0 2009-07-29 15:23:31 (physmod.cpp (9244)) SBL-DAT-00565: An internal error has occurred within the authentication subsystem for the Siebel application. Please contact your system administrator for assistance.

Cause

The cause must be related to incorrect setting in the application .cfg file:
[ServerDataSrc]
DLL = sscddcli.dll

This is not correct for Oracle DB, it should be sscdo90.dll


[ServerDataSrc]
DLL = sscdo90.dll

incorrect dll will cause a failure to connect to the DB.

Solution

After changing the application .cfg:
[ServerDataSrc]
DLL = sscddcli.dll

to

[ServerDataSrc]
DLL = sscdo90.dll

Customer is able to connect using dedicated web client.

Applies to:

Siebel Communications CRM Call Center, SPE - Version: 8.1.1 SIA [21111] - Release: V8

Information in this document applies to any platform.

Symptoms

After installing SIA 8.1.1 on Oracle 10.2.0.4 database, customer found that they are unable to connect using web client. In the OM logs, we found the following errors:

SecAdptLog API Trace 4 0000000449be4182:0 2009-03-16 17:36:01 DB SecurityLogin with username=sadmin, parameters=3ab1210.
SecAdptLog Debug 5 0000000449be4182:0 2009-03-16 17:36:01 DB security adapter: Load data source configuration
SecAdptLog Debug 5 0000000449be4182:0 2009-03-16 17:36:01 DB security adapter: Could not load or initialize data source ServerDataSrc, err=65535.
SecAdptLog API Trace 4 0000000449be4182:0 2009-03-16 17:36:01 Security DB user delete DB connectoin 0
GenericLog GenericError 1 0000000449be4182:0 2009-03-16 17:36:01 (secmgr.cpp (2676) err=4597538 sys=0) SBL-SEC-10018: Can't load sscdo90(SBL-GEN-02500)
..
GenericLog GenericError 1 0000000449be4182:0 2009-03-16 17:36:01 (secmgr.cpp (2750) err=4597521 sys=0) SBL-SEC-10001: An internal error has occurred within the authentication subsystem for the Siebel application. Please contact your system administrator for assistance.
ObjMgrSessionLog Error 1 0000000449be4182:0 2009-03-16 17:36:01 (physmod.cpp (9330)) SBL-DAT-00565: An internal error has occurred within the authentication subsystem for the Siebel application. Please contact your system administrator for assistance.
ObjMgrSessionLog ObjMgrLogin 3 0000000449be4182:0 2009-03-16 17:36:01 Login failed for Login name : sadmin

Cause

It was found that the customer was using Oracle 10g client, which did not work with Siebel 8.1.1. Customer was advised to install Oracle 11g client and when customer installed Oracle 11.1.0.6 client, it was found that this version does not include the lib32 library.

Solution

To workaround the behavior, customer had to install Oracle 11.1.0.7 client.

References

NOTE:477185.1 - How To Turn Up Logging on the Siebel Web Server Extension in Siebel Versions 7.x and 8.x?