SBL-SEC-10015: There are no database credentials assigned for this user for the specified data source.

Applies to:

Siebel System Software - Version: 7.7.1 [18306] to 8.2.2 SIA[22320] - Release: V7 to V8
Siebel System Software - Version: 7.7.1 [18306] to 8.2.2 SIA[22320]   [Release: V7 to V8]
Information in this document applies to any platform.

Symptoms

Customer was attempting to implement an External Business Component (EBC) in Siebel 7.7.2.8 and asked how to properly pass the EBC's login credentials when setting up to use with security adapter authentication (specifically LDAPSecAdpt but also would be applicable to ADSISecAdpt). He followed "Error connecting to External Data Source when using SSO and LDAP (Doc ID 500232.1)" but was then presented with the following error when trying to access the EBC or server administration / management screens:

(secmgr.cpp (2955) err=7010015 sys=0) SBL-SEC-10015: There are no database credentials assigned for this user for the specified data source on the external authentication system.

Cause

This behavior was caused by an incorrect setup of the LDAP directories shared credentials values. Specifically the values for the various data sources required had to be stored as distinct entries in a multi-valued attribute (as specified by the CredentialsAttributeTypeCredentialsAttributeType parameter). This requirement is documented in "Error connecting to External Data Source when using SSO and LDAP (Doc ID 500232.1)" and similar documentation pertaining to setting up External Business Components.

What was not clear from the documentation is that you also have to add a value for the GatewayDataSrc in order for the Administration Screens and the EBCs to work properly.

Solution

1. The credentials for the various data sources need to be stored as separate, distinct entries in a multi-valued attribute within the shared credentials user's LDAP record.

2. Credentials for the GatewayDataSrc must be specified in addition to the ServerDataSrc and the EBC data source.

The exact procedures for doing this will vary depending on the LDAP directory or Active Directory you are using. Please consult appropriate documentation or vendor technical support for the specific external security directory product you are using. In general terms, the following steps should be followed:

1. Login to your external security directory (LDAP or ADSI) administration program as a user with adequate rights to make changes to a user's attribute values.

2. Locate the user specified by the SharedCredentialsDN parameter in the security adapter profile you are using (normally either LDAPSecAdpt or ADSISecAdpt).

Important!  If you are using the LDAPSecAdpt with Siebel 8.0 or later, there is an option to store shared database credentials as parameters in the security adapter profile.  The use of this functionality is not supported with EBCs.  The Shared DB Username and Shared DB Password parameters must be blank or this solution will not work.

_$#$_

3. Open the record for editing and locate the attribute you specified in the CredentialsAttributeType parameter for the security adapter profile. This must be a multi-valued attribute. If it is not, you will either need to select a different attribute which is multi-valued or make this attribute a multi-valued attribute (if allowed by your external directory server).

4. Add the following value sets to the attribute. Each one should be a distinct entry in different values of the multi-valued attribute.

type=GatewayDataSrc username=SADMIN password=XXXXX
type=ServerDataSrc username=SADMIN password=XXXXX
type=EBCDataSrc username=EBCUSER password=XXXXX

(replace EBCDataSrc, EBCUSER, and the passwords with appropriate values.)

5. Stop and restart the Siebel Server service(s) and Gateway service.

6. Test to ensure that you can now access both the Siebel Server Administration/Management screens and the EBC view(s).

Applies to:

Siebel CRM - Version: 7.7 [18026] BETA to 8.1.1 [21112] - Release: V7 to V8
Siebel System Software - Version: 7.7 [18026] BETA to 8.1.1 [21112]   [Release: V7 to V8]
Information in this document applies to any platform.

Symptoms

Customer is attempting to implement external security adapter (ADSI or LDAP) authentication with the standard LDAPSecAdpt or ADSISecAdpt in Siebel 8.0. The initial anonymous user login is failing on step 9 (clean up and database credential retrieval) with the following errors:

SBL-SEC-10015: There are no database credentials assigned for this user for the specified data source on the external authentication system. This is most likely a configuration issue. Please contact your system administrator for assistance.

SBL-DAT-00577: There are no database credentials assigned for this user for the specified data source on the external authentication system. This is most likely a configuration issue. Please contact your system administrator for assistance.

SBL-SVC-00208: Please login first.

This prevents the login page from loading and as a result no user is able to access this Siebel application.

Cause

The database credentials information held in the shared credentials user's credentialAttributeType field contained extra spaces before and after the = sign. As documented in the Security Guide, there should only be a space between the value or username and the start of the password section.

Incorrect:

username = LDAPUSER password = LDAPUSER

Correct:

username=LDAPUSER password=LDAPUSER

The correct format for this command is documented in the Siebel Bookshelf's Security Guide under the Security Adapter Authentication section.

Solution

To resolve this behavior you will need to go into your external LDAP or ADSI directory and modify the shared credentials user record so that the value in the field specified by the security adapter's CredentialAttributeType parameter matches the following format exactly (where USERNAME and PASSWORD are the correct values):

username=USERNAME password=PASSWORD

Specific instructions for doing this vary depending on the specific external directory you are using. Please refer to the appropriate vendor provided documentation. 

Applies to:

Siebel System Software - Version: 7.8.2.2 SIA [19219] and later   [Release: V7 and later ]
Oracle Solaris on SPARC (64-bit)
Product Release: V7 (Enterprise)
Version: 7.8.2.2 [19219] Auto
Database: Oracle 9.2.0.6
Application Server OS: Sun Solaris 8
Database Server OS: Sun Solaris 9

This document was previously published as Siebel SR 38-2952877510.

Symptoms

SBL-SEC-10015Hi,

Page 115 of Siebel Security Guide (Version 7.8 Rev A) lists the Anonymous user, using a DB credential of <username = LDAPUSER password=P>.

2 questions:
1. The syntax for the SharedCredentials is listed on page 80 as "This attribute value must be of the form username=U password=P, where U and P are credentials for a database account. There may be any amount of white space between the two key-value pairs, and there must be no space within each pair. The keywords username and password must be lowercase."   This contradicts the example value on p 115. Which is correct?

2. On page 115, the test user example LDAP record lists in the Database Account column "Database account is not required for any user record, except the anonymous user."
However, on the following page, a special note reads "NOTE: In a production environment, do not use the anonymous user as the directory object that contains the shared credential. To do so could allow a user with minimum responsibility to log in directly to the directory server and view shared database credentials. Using these database credentials, a user could log in directly to the Siebel Database and see data that he or she does not have the assigned visibility level to see."
If another DN is specified for the SharedCredentialsDN (a user other than anonymous user) does the Anonymous user require a DB account value pair in the attribute being used for this value (CredentialsAttributeType)?

Thanks,

Cause

Change Request 12-1D0PF6P

Solution

Message 1

For the benefit of other readers:


Per this Service Request description, customer noticed some conflicting information in document Security Guide for Siebel Business Application for version 7.8, Rev. A.

Please, check below the information requested:

1. The syntax for the SharedCredential is listed on page 80 as "This attribute value must be of the form username=U password=P, where U and P are credentials for a database account. There may be any amount of white space between the two key-value pairs, and there must be no space within each pair. The keywords username and password must be lowercase."   This contradicts the example value on p 115. Which is correct?

The correct value for the LDAP account attribute that stores the shared database credentials should be as below:

username=<username> password=<password>

Where username is the shared database account name and password is this account password.

Page 115 is using LDAPUSER as an example because this is the default database account used in the scenario provided in this section on documentation.

The CredentialsAttributeType parameter defines which attribute the shared database credentials will be stored. Parameter SharedCredentialsDN defines which LDAP account will be used to retrieve the information stored in the attribute defined by CredentialsAttributeType.

[Continue]

Message 2

[Continued]

2. If another DN is specified for the SharedCredentialsDN (a user other than anonymous user) does the Anonymous user require a DB account value pair in the attribute being used for this value (CredentialsAttributeType)?

No, the anonymous user LDAP account does not require an attribute to store the shared database credentials when SharedCredentialsDN is defined to a different LDAP account. The situations where the anonymous user LDAP account will require an attribute to stored the shared database credentials:

a. when the anonymous user LDAP account is also defined as the SharedCredentialsDN.

b. when no SharedCredentialsDN is defined.


Change Request 12-1D0PF6P has been logged to update Security Guide and create a dedicated SharedCredentialsDN account in section “Setting Up Security Adapter Authentication: A Scenario”. This will remove information from anonymous user LDAP account.


Thank you,

Applies to:

Siebel System Software - Version: 7.8.2 [19213] and later   [Release: V7 and later ]
z*OBSOLETE: Microsoft Windows Server 2003
Product Release: V7 (Enterprise)
Version: 7.8.2 [19213]
Database: Oracle 9.2.0.6
Application Server OS: Microsoft Windows 2003 Server
Database Server OS: Sun Solaris 7

This document was previously published as Siebel SR 38-2981587091.

Symptoms

SBL-DAT-00222, SBL-DAT-00541, SBL-DAT-00446We have 3 EBCs that used to work just fine until I had to re-create and rename them to make them shorter. Also, ADSI Security Adapter has been implemented. We want them to use DSUsername and DSPassword not ADSI, as they used to do with Database Authentication.
The problem is that is trying to use the ADSI adapter database account to login to the 3 databases.

Cause

Change Request 12-1DN3R8F

Solution

Message 1

For the benefit of other readers,

Customer had configured External Business Components (EBC) and was using Siebel ADSI Security Adapter version 7.8.2. The following errors messages were logged in the Object Manager log file when trying to use EBC:

SBL-DAT-00446: You have entered an invalid set of logon parameters. Please type in your logon parameters again.

SBL-DAT-00541: You are not able to login to the database using the database credentials assigned to you. There may be a problem with the data source you are attempting to log into, or the credentials may be invalid for the data source.
Please contact your system administrator.

Siebel Web Client returned the error below:

An error has occurred creating business component '<business component name>' used by business object '<business object name>'. Please ask your systems administrator to check your application configuration.(SBL-DAT-00222)


Information in Technical Note 605 and document Integration Platform Technologies: Siebel Enterprise Application Integration for version 7.8, chapter 10: External Business Components have been followed, however the above error messages still occurred. Based in Technical Note 605, the following tests were performed, with CredentialAttributeType attribute for SharedCredentialsDN account were set as below for each test:

[Continue]

Message 2

[Continued]

a. username=sadmin password=sadmin type=ServerDataSrc username=wsasaki password=wsasaki type=WindCity

where:

WindCity is the test external connection for EBC
sadmin is the shared database credentials
wsasaki is the external database account

Results: same error messages as above.

b. type=ServerDataSrc username=sadmin password=sadmin type=WindCity username=wsasaki password=wsasaki

Results: same error message as above

c. type=WindCity username=wsasaki password=wsasaki type=ServerDataSrc username=sadmin password=sadmin

Results: Siebel Web Client did not start, and the error message below was logged in Object Manager log file:

SBL-SEC-10015: There are no database credentials assigned for this user for the specified data source on the external authentication system. This is most likely a configuration issue. Please contact your system administrator for assistance.


External Business Component only worked with Siebel LDAP/ADSI Security Adapter version 7.8.2 after the same sadmin account was created in external database, and removed the type parameter in CredentialAttributeType as below:

username=sadmin password=sadmin


Change Request 12-1DN3R8F has been logged to address EBC authentication when using Siebel LDAP/ADSI Security Adapter version 7.8.2.


The workaround, as described above, is to use the same database user name and password in Siebel Database and External Database.


Thank you,