SBL-SEC-10007: The password you have entered is not correct.

Applies to:

Siebel Tools - Version: 7.7.1 [18306] to 8.1 SIA [21039] - Release: V7 to V8
Information in this document applies to any platform.
""Checked for Relevance on 16/06/2010""

Symptoms

Attempting to use COM Siebel Data Control to connect to an Object Manager that is SSO enabled does not work.

Cause

The normal process to invoke the Object Manager is through SWSE (Web Server) using the Siebel Web Client (thin client).  The SSO process of translating the SSO credentials to the Siebel Credentials is handled in the SWSE portion of the process. When logging into the OM through COM or Java Data Bean, the SWSE (Web Server) step is bypassed, and therefore the conversion does not take place.

Solution

The recommendation to resolve this is to create another OM that is not SSO enabled, and direct your COM or JDB login to that OM

Applies to:

Siebel System Software - Version 8.0 [20405] and later
Information in this document applies to any platform.
***Checked for relevance on27-SEP-2012***

Symptoms

With EncryptPassword = True in the eapps.cfg file, the authentication of the anonymous user is failing with the following error:
SBL-SEC-10007: The password you have entered is not correct. Please enter your password again.

If EncryptPassword is set to False in the eapps.cfg file and the AnonUserPassword parameter switched to the plain text value, then authentication works properly.

Cause

This behavior is being caused by an incorrect or incorrectly encrypted password for the anonymous user in eapps.cfg.

Solution

The test with the plain text password shows that there is an issue with the encrypted AnonUserPassword in the eapps.cfg file. Assuming that you do not want to leave this as a plain text value (which I would not recommend), please follow these steps to re-encrypt the known good plain text password.

1. On the Siebel server, login to the console and navigate to:

[install path]/siebsrvr

2. Source in your Siebel environmental variables:

. ./siebenv.sh

3. Change directory to bin:

cd bin

4. Type the following command where XXXXX is the plain text password for your anonymous user as currently set in the eapps.cfg file:

./encryptstring XXXXX > ./string.txt

5. The file [install path]/siebsrvr/bin/string.txt now contains an updated encrypted password for the anonymous user.

6. On your web server navigate to the [install directory]/SWEAPP/bin directory.

7. Open the eapps.cfg file for editing with vi or the text editor of your choice.

8. In the [Defaults] section change the following parameters where XXXXX is the encrypted password from the string.txt file:

EncryptedPassword = TRUE
AnonPassword = XXXXX

9. Save the eapps.cfg file and exit the text editor.

10. Repeat steps 6 - 9 on all your Siebel web servers (if applicable).

11. Stop and restart the web publishing service(s).

12. Test the functionality.

References

 

 

Applies to:

Siebel Product Configurator - Version 7.8.2 [19213] to 8.1.1.4 [21225] [Release V7 to V8]
Siebel eConfigurator - Version 7.8.2 [19213] to 8.1.1.4 [21225] [Release V7 to V8]
Information in this document applies to any platform.

Symptoms

Customer changed "SADMIN" password. When the users are trying to login to remote eConfigurator the below error message is thrown:

Cfg Server Manager error: unable to connect to server abc for product 1-1HRUCXD using connect string siebel.TCPIP.None.NONE://abc:2321/abc78/eProdCfgObjMgr_ENU
Reason: SBL-SEC-10007: The password you have entered is not correct. Please enter your password again.
Users are not able to start an eConfigurator session.

Cause

Following OS parameters were not set:
1) CFG_USERNAME
2) CFG_PASSWORD

These parameters are not documented in Siebel bookshelf 7.8

Solution

Please goto all servers and create following 2 environment variables:

CFG_PASSWORD
Login password used in remote service. When remote Siebel Configurator is used, set this variable on the operating system of the Application Object Manager. It is used by the remote proxy.

CFG_USERNAME
Login user name used in remote service. When remote Siebel Configurator is used, set this variable on the operating system of the Application Object Manager. It is used by the remote proxy
Parameters are described with Siebel bookshelf 8.0 and higher.

Applies to:

Siebel eCommunications - Version: 8.0 [20405] to 8.1.1 [21112] - Release: V8 to V8
Information in this document applies to any platform.

Symptoms

A new Siebel server installation does not start up. The services gets started and stop within two minutes. Siebel gateway services can be started fine.

ERROR:
------
No error is displayed for the Administration/user

Following errors are found in the log files:
NameSrvr.log
SBL-SEC-10018: [DataDirect][ODBC Oracle driver][Oracle]ORA-12154: TNS:could not resolve the connect identifier specified
SBL-SEC-10007: The password you have entered is not correct. Please enter your password again

SiebSrvr.log

SBL-SCM-00018: Could not open connection to Siebel Gateway configuration store
SBL-SVR-00005: Stale or invalid Task handleScfEventLog
SCFMessageFacility::s_pSCFMsgFacLock is null and hence the SCFMessageFacility cannot be initializedIPCLog
SBL-SCM-00018: Could not open connection to Siebel Gateway configuration store

ENVIRONMENT:
------------
Siebel application version 8.1.1 on Windows 2003, Oracle Database

STEPS:
------
starts the gateway service
starts the siebel service

Cause

The issue is caused by the following setup:
- there was two Oracle clients installed on the server machine : Oracle 10.2.0 and Oracle 10.1.10
- tns entries was incorrect setup

Solution

For the benefit of other readers:

To implement the solution follow the steps:

1) if you have more than one Oracle client installed, check that the Oracle environment variables is pointing to the Oracle client that you want to use
2) for this Oracle client, check on tnsnames.ora for the tns alias
3) ensure that you can connect fine using sql*plus through this tns alias
4) if not, work with your dba to be able to connect fine
5) once you can connect from tns alias, check that Siebel ODBC also works fine. For this go to ODBC Data Source, System DSN tab, double click on the odbc created by the Siebel installation

In this case, after adjusting the tns alias from tnsnames.ora Siebel Server came up fine.

Applies to:

Siebel CRM - Version: 8.0 SIA [20405] and later   [Release: V8 and later ]
Information in this document applies to any platform.
Microsoft Active Directory 2003

Goal

When logging in to the Siebel application with a registered user whose corresponding Display Name attribute on the Active Directory is longer than 256 characters in length - the authentication fails with the Siebel error code SBL-SEC-10007. Why?

Solution

Active Directory does not support Display Names with a character string longer than 256 characters as documented on Microsoft Technet Website

Applies to:

Siebel System Software - Version 7.7.2 [18325] to 8.0.0.5 [20420] - DO NOT USE [Release V7 to V8]
All Platforms
This document was previously published as Siebel SR 38-1715068851.

Symptoms

Customer was implementing Password Hashing, and after changing parameter DSHashUserPwd in Server Data Source named subsystem to “TRUE” and restarting the Siebel environment, the following components did not start:

PDbXtract/DbXtract
SSEObjMgr_enu
WfProcBatchMgr
WfProcMgr
WfRecvMgr

WfRecvMgr, WfProcMgr, and WfProcBatchMgr had the following error messages:


SBL-SEC-10007: The password you have entered is not correct. Please enter your password again. (0x5a94))
SBL-SEC-10018: You have entered an invalid set of logon parameters. Please type in your logon parameters again.(SBL-DAT-00446)

SBL-SVR-00040: Internal: Informational, encrypted parameter. (0x5a8f))

SBL-OMS-00107: Object manager error: ([2] SBL-SVR-00040: Internal: Informational, encrypted parameter. (0x5a8f))
SBL-OMS-00107: Object manager error: ([1] SBL-SEC-10018: You have entered an invalid set of logon parameters. Please type in your logon parameters again.(SBL-DAT-00446)
ORA-01017: invalid username/password; logon denied

SBL-OMS-00107: Object manager error: ([0] SBL-SEC-10007: The password you have entered is not correct. Please enter your password again. (0x5a94))
SBL-OMS-00102: Error 23188 logging in to the application

SSEObjMgr had the following error messages:

SBL-DAT-00446: You have entered an invalid set of logon parameters. Please type in your logon parameters again.
SBL-SEC-10018: You have entered an invalid set of logon parameters. Please type in your logon parameters again.(SBL-DAT-00446)
ORA-01017: invalid username/password; logon denied


Components PDbXtract (during server startup) and DbXtract (at component task start) had the following error message:

SBL-GEN-04031: Internal: Error occurred during base64 decoding.

Cause

1.  Password parameter for the above components should be set to unhashed password as per Siebel Bookshelf > Security Guide > Security Adapter Authentication > Configuring Password Hashing.

2.  Error message SBL-GEN-04031 in PDbXtract and DbXtract log files occur because the password length is greater than 21 characters. If SADMIN password has more than 21 characters, PDbXtract and DbXtract components will fail with the error message.

The SADMIN password was hashed using the RSA SHA-1 encryption algorithm. When using SADMIN as password in test environment, the hashed password contained 28 characters.  Since "SADMIN" is a fairly simple and short password, we would expect that most good passwords would result in RSA SHA-1 values that are too long.
 .

Solution

1. Set the Password parameter for each component to the unhashed password for the SADMIN user and restart the environment.
2.  The workaround is to change the Hashing algorithm to use Siebel Hash instead of RSA SHA-1. Siebel Hash will encrypt passwords with a length smaller than RSA SHA-1 algorithm.  Please refer to the Security Guide for more information about how to change encryption algorithm.

Applies to:

Siebel Financial Services CRM - Version: 8.1 [21039] to 8.1.1.4 [21225] - Release: V8 to V8
Information in this document applies to any platform.
***Checked for relevance on 14-Jan-2011***

Goal

Customer use database encryption for passwords in version 7.5 and the algorithm used for 7.5 is SIEBELHASH. After upgraded to 8.1.1, the password hashing default algorithm is RSA-SHA1. In order to use SIEBELHASH algorithm, the following need to be set.

For the database security adapter (typically, DBSecAdpt):
- Set the DataSourceName parameter to the name of the applicable data source (for
example, ServerDataSrc).
- For the applicable data source (ServerDataSrc), set the following.
--> DSHashUserPwd parameter to TRUE.
--> DSHashAlgorithm parameter to SIEBELHASH
Note: For SRBroker and SRProc component that connect to DB directly without referring ServerDataSrc, set the hashed password at the server component level.  This may be done with the following commands in the server manager utility:
srvrmgr> change param password="hashed password value for SADMIN" for comp SRBroker
srvrmgr> change param password="hashed password value for SADMIN" for comp SRProc
After the above change and server restarted, customer successful in bringing up all the components and were able to login to the application with the non-encrypted password. However the server manager component is failing and they are unable to use srvrmgr command and Server-Admin screen in the GUI. ServerMgr log reported logon error as below and setting ServerMgr component password to either plain text and encrypted both does not help.

DBCLog DBCLogError 1 000000084a3f121c:0 2009-06-22 06:24:32 [DataDirect][ODBC Oracle driver][Oracle]ORA-01017: invalid username/password; logon denied

GenericLog GenericError 1 000000084a3f121c:0 2009-06-22 06:24:32 (secmgr.cpp (2679) err=4597538 sys=127) SBL-SEC-10018: [DataDirect][ODBC Oracle driver][Oracle]ORA-01017: invalid username/password; logon denied

GenericLog GenericError 1 000000084a3f121c:0 2009-06-22 06:24:32 (secmgr.cpp (2735) err=4597527 sys=0) SBL-SEC-10007: The password you have entered is not correct. Please enter your password again.

Solution

After further investigation and in-house testing, it was found that the issue is related to the new Gateway Name Server authentication feature introduce in version 8.1.1.

To rectify the issue of using srvrmgr and server administration screen, the following is performed.

1) Locate the file gateway.cfg in gtwysrvr\bin directory and add the following two entries under [ServerDataSrc] section then save the file.

DSHashUserPwd = TRUE
DSHashAlgorithm = SIEBELHASH

2) Set the following parameter setting on Gateway Datasource. You can perform this either using srvrmgr command or navigate to Administrator – Server Configuration > Enterprise Servers > Profile Configuration > Look for Gateway Datasource and on bottom screen Profile Parameters, set the following parameter.

User Password Algorithm (DSHashAlgorithm) -> SIEBELHASH
Hash User Password (DSHashUserPwd) -> True
Default username password (DSPassword) -> <sadmin plain text password>
Data source default user name (DSUsername) -> sadmin

3) Ensure that the “-ep” (password to authenticate to gateway) in execution path of Siebel Server service is using the enterprise level password parameter setting from siebns.dat.

4) Restart Gateway and Siebel Server services.

After the above, server and component all up and running and customer can connect using srvrmgr command and access server administration screen with web client successfully.

References

NOTE:520560.1 - Components fail to start after configuring password hashing

 

 

 

Applies to:

Siebel Financial Services CRM - Version: 8.1 [21039] to 8.1.1.4 [21225] - Release: V8 to V8
Information in this document applies to any platform.
***Checked for relevance on 14-Jan-2011***

Goal

Customer use database encryption for passwords in version 7.5 and the algorithm used for 7.5 is SIEBELHASH. After upgraded to 8.1.1, the password hashing default algorithm is RSA-SHA1. In order to use SIEBELHASH algorithm, the following need to be set.

For the database security adapter (typically, DBSecAdpt):
- Set the DataSourceName parameter to the name of the applicable data source (for
example, ServerDataSrc).
- For the applicable data source (ServerDataSrc), set the following.
--> DSHashUserPwd parameter to TRUE.
--> DSHashAlgorithm parameter to SIEBELHASH
Note: For SRBroker and SRProc component that connect to DB directly without referring ServerDataSrc, set the hashed password at the server component level.  This may be done with the following commands in the server manager utility:
srvrmgr> change param password="hashed password value for SADMIN" for comp SRBroker
srvrmgr> change param password="hashed password value for SADMIN" for comp SRProc
After the above change and server restarted, customer successful in bringing up all the components and were able to login to the application with the non-encrypted password. However the server manager component is failing and they are unable to use srvrmgr command and Server-Admin screen in the GUI. ServerMgr log reported logon error as below and setting ServerMgr component password to either plain text and encrypted both does not help.

DBCLog DBCLogError 1 000000084a3f121c:0 2009-06-22 06:24:32 [DataDirect][ODBC Oracle driver][Oracle]ORA-01017: invalid username/password; logon denied

GenericLog GenericError 1 000000084a3f121c:0 2009-06-22 06:24:32 (secmgr.cpp (2679) err=4597538 sys=127) SBL-SEC-10018: [DataDirect][ODBC Oracle driver][Oracle]ORA-01017: invalid username/password; logon denied

GenericLog GenericError 1 000000084a3f121c:0 2009-06-22 06:24:32 (secmgr.cpp (2735) err=4597527 sys=0) SBL-SEC-10007: The password you have entered is not correct. Please enter your password again.

Solution

After further investigation and in-house testing, it was found that the issue is related to the new Gateway Name Server authentication feature introduce in version 8.1.1.

To rectify the issue of using srvrmgr and server administration screen, the following is performed.

1) Locate the file gateway.cfg in gtwysrvr\bin directory and add the following two entries under [ServerDataSrc] section then save the file.

DSHashUserPwd = TRUE
DSHashAlgorithm = SIEBELHASH

2) Set the following parameter setting on Gateway Datasource. You can perform this either using srvrmgr command or navigate to Administrator – Server Configuration > Enterprise Servers > Profile Configuration > Look for Gateway Datasource and on bottom screen Profile Parameters, set the following parameter.

User Password Algorithm (DSHashAlgorithm) -> SIEBELHASH
Hash User Password (DSHashUserPwd) -> True
Default username password (DSPassword) -> <sadmin plain text password>
Data source default user name (DSUsername) -> sadmin

3) Ensure that the “-ep” (password to authenticate to gateway) in execution path of Siebel Server service is using the enterprise level password parameter setting from siebns.dat.

4) Restart Gateway and Siebel Server services.

After the above, server and component all up and running and customer can connect using srvrmgr command and access server administration screen with web client successfully.

References

NOTE:520560.1 - Components fail to start after configuring password hashing

 

 

 

 

Applies to:

Siebel CRM - Version: 8.0 [20405] to 8.1 [21039] - Release: V8 to V8
Information in this document applies to any platform.
*** Checked for relevance 16 Feb 2012 ***

Symptoms

Customer was not able to startup the siebel server and connect to the gateway, which was returning this error message:

Servers won't start; gateway throws error: "Fatal error (2555922): Could not open connection to Siebel Gateway configuration store (%1:%2)., exiting..."

In NameSrvr.log, this error message was found:

SBL-SEC-10018:GenericLog GenericError 1 000000024b4371f4:0 2010-01-05 20:57:26 (secmgr.cpp (2735) err=4597527 sys=0) SBL-SEC-10007: The password you have entered is not correct. Please enter your password again,=.

Cause

The issue was caused by an incorrect entry in .odbc.ini file.

The customer may have modified the entry while restored the disk, since hard disk space capacity problems were a consideration in this environment.

In the gateway server name file, siebns.dat, the parameters for the server data source connect string were set as follows:

[/enterprises/SiebelProd/named subsystems/ServerDataSrc/parameters/DSConnectString]
Persistence=full
Type=string
Value="PFFA"
Length=

In the $SIEBEL_ROOT/gtwysrvr/sys/.odbc.ini, file, the parameter "ServerName" contained a different value than that of the corresponding "ServerDataSrc-DSConnectString" parameter in the siebns.dat file.

Solution

After setting the ServerName parameter in the .odbc.ini file to the corresponding value of the "ServerDataSrv-DSConnectString" value in the siebns.dat file, the gateway and siebel servers were restarted and the issue was resolved. Customers were able to access the application in the usual manner.

 

Applies to:

Siebel Finance - Version: 8.1.1.1 SIA [21211] and later   [Release: V8 and later ]
Information in this document applies to any platform.

Symptoms

Following error returned when attempt to start Siebel Server.

Windows could not start the Siebel Server [siebelprod_prod1] on Local Computer. For more information, review the System Event Log. If this is a non-Microsoft service, contact the service vendor, and refer to service-specific error code 2555922.

Invoking srvrmgr command line return: Fatal Error (2555922)

nameserver_audit.log:

Timestamp Record Type Host Name ProcId Client Name User Name Key Name Value
2011-02-07 16:37:42 FailedLogin melycrm2 1104 java.exe Oceania\siebelws

NameSrvr.log:

GenericLog GenericError 1 000000024d4f1318:0 2011-02-07 16:37:42 (secmgr.cpp (2735) err=4597527 sys=127) SBL-SEC-10007: The password you have entered is not correct. Please enter your password again.

Changes

The gateway cluster working fine before and issue occurs after database change (change from one DB server to another) and customer attempt to perform steps as per "The Siebel Server does not start when moving the Gateway Server to different cluster node [ID 985591.1]".

Cause

It was determined that the problem was caused by incorrect ODBC connect string in gateway.cfg.

Setting system environment variable SIEBEL_LOG_EVENTS to 5 on gateway and service restarted, NameSrvr.log reported following indicated it is trying to locate and connect to ODBC name 'siebelprod_1_DSN' and could not find it.

SecAdptLog Debug 5 000000034d4f17f8:0 2011-02-07 19:22:36 ODBC security adapter configured: connectstring='siebelprod_1_DSN', tableowner='dbo'.
..
SQLTraceAll SQLTraceAll 4 000000034d4f17f8:0 2011-02-07 19:22:36 No DNS found
SecAdptLog Debug 5 000000034d4f17f8:0 2011-02-07 19:22:36 username=SADMIN : authentication failed for unknown reasons

This ODBC configuration was loaded from gateway.cfg, which contain the following.

[ServerDataSrc]
Docked = TRUE
ConnectString = siebelprod_1_DSN

Solution

Correct the ConnectString setting in gateway.cfg to match with the System DSN created/configured on gateway server, restart the gateway and Siebel servers and the problem has been resolved.

Notes of configuration / setting to verify when DB change.

- ServerDataSrc named subsystem parameter, DSConnectString
- Enterprise parameter, Connect
- System DSN (Data Source (ODBC)) of each gateway nodes and Siebel Servers should have correct data source name as per the above two parameters and is correctly pointing to the new SQL / DB Server with correct database name and running the connectivity test to ensure it is connected and authenticated successfully.

References

NOTE:985591.1 - The Siebel Server does not start when moving the Gateway Server to different cluster node