Authentication is the process of validating user credentials. Individuals who use WebFOCUS may have user IDs and passwords managed by other systems. WebFOCUS Managed Reporting and the Reporting Server can each be configured to authenticate users to an external security system, or to trust that authentication has already taken place. Users benefit because they do not have to sign in multiple times or manage separate user ID/password combinations. If a user signs in to WebFOCUS with credentials from an outside security package, the package provides some type of authentication confirmation to the WebFOCUS Client or the Reporting Server. This information may be in the form of a browser cookie or a logon ticket and may be needed by the Reporting Server in order for it to access and retrieve the data required by the WebFOCUS application.
Depending on your operating environment, user credentials can be validated by:
Multiple security providers can be configured. You can configure additional providers using the Web Console Access Control page.
Security providers must be configured from the Web Console Access Control page.
To switch to security provider LDAP, DBMS, or CUSTOM, you first need to add a new provider under the appropriate security provider on the Access Control tree. When you add a new provider, the server updates configuration file edaserve.cfg with provider blocks named LDAP_PROVIDER, DBMS_PROVIDER, or CUSTOM_PROVIDER. These blocks are inserted with all attributes that apply to the provider type between BEGIN and END dividers.
Security provider PTH is configured during installation of the server and is the default security provider when a newly installed server is started. A server administrator can configure and activate other security providers.
The OPSYS security provider is always on the list of providers. In order to make it an active provider, the server must be authorized (privileged) to start with security OPSYS. There is no need for the additional step of creating a new provider as is needed for LDAP, DBMS, and CUSTOM providers. By default, the effective server administrator ID shown on the Activate Providers page is the server administrator ID. You can change this using the Access Control Settings page. Once the server is installed, you can start adding new PTH users and PTH groups, and you can assign PTH users to PTH groups.
Security provider CUSTOM supports using non-standard security storage. You can create DBMS tables to store users, groups, and passwords. You must then write procedures to read these tables and perform the basic security tasks. This security mechanism has to be created prior to configuring the CUSTOM security provider and must be available when the CUSTOM provider is added to the server provider configuration. It must perform the following standard security tasks:
Once the provider is added, you can change security providers from the Access Control page. Right-click the Security Providers folder and select Activate Providers to switch to a newly added provider. At this point, edaserve.cfg is updated with the security_provider attribute that specifies the provider name.
Multiple security providers can be configured. When you configure OPSYS as one of multiple security providers:
The Access Control Settings page lets you enter valid OS credentials.
When you configure multiple providers, you choose one to be primary on the Access Control Activate Providers page. Drop-down lists are available for assigning the other providers as secondary providers or inactive. The primary provider defines the security under which the server is running:
During connection to the server, all provider users are connected with a two-part user ID consisting of the provider name and the user ID, for example, MyLDAP\User1 or MyDBMS\User2, where MyLDAP or MyDBMS is the name of a configured secondary provider.
This naming convention is also used when users and groups are registered to server roles. Users and groups are registered with a two-part name. If the PTH provider is a secondary provider, PTH users and groups are registered (and used on connection) as PTH\userid and PTH\groupid.
The following is an example of a security_provider attribute and security provider block for starting the server with security LDAP (provider name MyLDAP):
security_provider = MyLDAP LDAP_PROVIDER = MyLDAP BEGIN ldap_host = ldaphost ldap_port = post ldap_secure_connection = n ldap_user_base = dc=ibi,dc=com ldap_user_scope = subtree ldap_user_class = person ldap_user_attribute = uid . . . END
The following is an example of a security_provider attribute and security provider block for starting the server with security DBMS (provider name MyDBMS):
security_provider = MyDBMS DBMS_PROVIDER = MyDBMS BEGIN security_dbms = MSSSQL security_connection =CON01 END
Topics: |
When security provider OPSYS is configured, the user credentials from the client connection are authenticated by the native security system of the operating system. The server then allocates a data access agent that impersonates the user so that access to files or other objects is controlled by the native system.
Profiles for operating-system users are supported on all platforms. On Windows, Active Directory groups are supported based on the win_primgroup_adsi setting.
Details about OPSYS security requirements are provided in the Server Installation manual, where specific sections are provided for each platform. Refer to this manual for installation instructions and platform-specific setup steps. The following is a summary of the OPSYS requirements:
On Windows, the Server Administrator password is required for this security provider. If the password is not provided in the configuration, the server starts in safe mode and displays a message to that effect. Multiple administrators are allowed. For more information on creating server administrators and other roles, see Registering Users and Groups in a Role.
Note that some system specific settings in the edaserve.cfg file are provided to allow further adjustments of the authentication mechanism. Those relevant for some UNIX systems are:
For Windows systems, the logon_method setting (for interactive, network, or batch) is relevant to explicit connections.
Note: For more information on limiting user access to the Web Console, see Configuring General Server and Web Console Actions.
If the environment variable EDAEXTSEC is explicitly set to OPSYS, and the server fails to start because it lacks system privileges to start configured for an OPSYS security provider, the server start aborts and error messages are written to the edaprint log file.
This feature prevents an unsecured server start after a software upgrade if any of the required post-upgrade reauthorization steps are missed on a UNIX, IBM i, or z/OS HFS deployment. This is not applicable to other platforms. The setting may be placed in any normal server start-up shell or profile that a site is using or in the server edaenv.cfg configuration file. The messages vary slightly by platform.
The edaprint messages are:
Configured security is 'ON' as set by EDAEXTSEC variable.
Server has no root privilege. (UNIX)
Server is not APF-authorized. (z/OS HFS)
TSCOM300.PGM has no QSECOFR authority. (IBM i)
Workspace initialization aborted.
(EDA13171) UNABLE TO START SERVER
How to: |
Starting with z/OS 1.8, IBM introduced password phrases which can be used for authentication, and starting with z/OS 1.10 password phrases can be used for TSO Logon as well. Password phrases can be from 14 to 100 characters long.
z/OS IDs can have both a password (1 to 8 bytes) and a passphrase (from 14 to 100 bytes). The two forms of credentials are independent. Changing one does not change the other. The server recognizes the type of credential being presented by its size (sizes between 9 and 13 are invalid on z/OS).
No special configuration is needed to enable password phrases.
When a user logs into the Web Console, there are two possible ways they can change their passwords or passphrases:
By default, passwords cannot be changed on the Web Console Logon page because the following parameter is in effect:
password_change_wclogin = n
To enable the option to change passwords when logging into the Web Console:
On the same configuration page, you can change the delimiter used to separate the user ID from the password or passphrase to any valid character accepted by the operating system. By default, the delimiter is a comma:
password_change_delimiter= ,
Once the option to change passwords on the Web Console Logon page is enabled, users can change their passwords or passphrases by entering the following in the password field of the Web Console Logon page (if the password delimiter has been changed, use that character between the old and new passwords instead of the comma):
old_password,new_password
When password_change_wclogin = y, passwords and passphrases cannot contain the password delimiter character.
When password_change_wclogin = n (the default), the setting for password_change_delimiter is ignored, and passwords can contain all valid characters allowed by the operating system.
In a Linux or AIX environment, OPSYS security can be configured to use Pluggable Authentication Modules.
The Access Control Page opens.
This parameter is only applicable for the Linux and AIX operating systems. The parameter defines if the server uses the Pluggable Authentication Modules mechanism to implement security. If y, the server uses PAM calls, if n the server uses native UNIX security calls.
A server started with security provider OPSYS can be configured for Kerberos connections.
To implement the single sign on Kerberos security:
The OPSYS Security Configuration page opens.
The edaserve.cfg file is updated with this attribute.
The odin.cfg file is updated with this attribute.
When the server is started, a user can connect to the Web Console from Internet Explorer without a prompt for user ID and password. The Login Info shows connection type Kerberos. The connection is done using the Kerberos ticket from the browser. The connected user ID is derived from this ticket.
Connection to the server requires that there is a local OPSYS user ID with the same name as the Kerberos user ID on the operating system running the server. This user ID is used for tscom3 process impersonation.
If a user signs off from the Kerberos connection, the user can make explicit connections with the local Unix user ID and password. Connection with another Kerberos user ID as an explicit connection will not work.
Topics: |
How to: |
By default, the server installation process establishes PTH security with a PTH server administrator user ID and password. If you deleted the PTH server administrator ID, you can reconfigure PTH security.
The PTH security provider only controls access to the Web Console. When the server is configured for this security provider, there is no impersonation by data agents or authentication of a non-Web Console connected user. From the operating system point of view, all server processes run as a single user ID, and access to the Web Console is controlled by authenticating names against those defined in the admin.cfg file unless authenticate_all_pthuser is set to y. The setting is available on the PTH Security Configuration page, which can be accessed by right-clicking PTH in the Security Providers folder on the Access Control resources tree.
You must configure the Server Administrator password before starting a server configured for a PTH security provider, either by providing it at installation time or by configuring it in the Web Console. For details, see Registering Users and Groups in a Role.
The PTH security provider supports profiles for users and groups on all platforms.
Note: For more information on limiting user access to the Web Console, see Configuring General Server and Web Console Actions.
When the Server Administrator creates or updates a user under a PTH security provider, by default the password never expires, can be any length, and is not case-sensitive.
The Server Administrator can configure a new or existing user password to expire after a specified number of days, can set a minimum length for passwords, can enable case-sensitive passwords, and set other password properties.
The PTH Users and Groups Management page opens.
By default,Password never expires is checked.
When the password expires, the user gets a password expired message on the logon screen and is provided with a New Password field in order to enter a new password.
At this time, the new password and new password change date are recorded in admin.cfg.
Note that changing the password by selecting Change Password from the My Console menu also resets the password change date.
The current date is saved in admin.cfg as admin_passdate for this user. This is the last password change date.
The Security Configuration PTH page opens
You can disable an account that is registered in admin.cfg under the PTH security provider in order to prevent a user from signing in to the server with that account.
To disable a PTH account:
The PTH Users and Groups Management page opens, listing all registered users on the left, and all registered groups on the right.
The PTH User properties dialog box opens.
An x is displayed in the Disabled column for that user on the PTH Users and Groups Management page.
With a DBMS security provider, there is no impersonation by data agents, but connection credentials are authenticated against a configured DBMS. This technique is called password passthru, as user IDs and passwords supplied by the client are passed to the DBMS for authentication.
A DBMS security provider supports profiles for users on all platforms. Profiles for groups are not supported.
Note: For more information on limiting user access to the Web Console, see Configuring General Server and Web Console Actions.
With an LDAP (Lightweight Directory Access Protocol) security provider, there is no impersonation by data agents, but connection credentials are authenticated against the established directory services. From the operating system point of view, all server processes run as a single user ID.
An LDAP security provider is presently supported on Windows, UNIX, IBM i, and the Unified Server (HFS and PDS deployments).
An LDAP security provider supports profiles for LDAP users and LDAP groups.
Note: For more information on limiting user access to the Web Console, see Configuring General Server and Web Console Actions.
Topics: |
CUSTOM security providers are used when the installation maintains non-standard repositories for users and groups, that is, when the standard methods like OPSYS and LDAP do not apply. An example of such a setup can be having RDBMS tables containing valid user IDs and their encrypted passwords, and also containing the mapping of users to groups. The customer may chose to access these tables using SQL SELECT statements, SQL Stored Procedures, or Web Services. Typically these methods already exist and are used by other non-Information Builders components.
To enable the custom server security provider, the administrator needs to provide code that allows the server security module to perform these tasks:
The code for performing these tasks is written in the WebFOCUS language as TABLE FILE or SQL SELECT commands against the synonyms representing the SQL table, SQL Stored Procedure, or Web Service. The code can be debugged by running the server with security OFF and running the glue code from application folders. Once debugged, the code is deployed in EDACONF/catalog/custom, and the CUSTOM provider made active.
A tutorial sample called WebFOCUS - Custom SQL Security Provider is available that creates examples of user and group storage and custom procedures that can be used as prototypes. To generate a tutorial, right-click an application on the Application page, point to New, and click Tutorials from the context menu.
You can configure Custom Provider authentication to encode passwords so that they cannot be viewed when they are passed as parameters to the authentication procedure.
The CUSTOM Security Provider Configuration page opens.
When a user is authenticated, the server will send SHA-256 hashed passwords to the authentication procedure. This means that the passwords will be transformed into values that will be unusable for signing in to the Web Console and server. The hashed values have to be stored as passwords in the SQL database being used for authentication. As an alternative, you can create a utility called from the CUSTOM provider authentication procedure that decodes hashed passwords before sending a request to the SQL database for authentication.
The Reporting Server can search across multiple LDAP sources, DBMS providers, an OPSYS provider, and a PTH server when authenticating users.
When authenticating or assigning privileges for a provider that is not the primary provider, the user ID is a two-part name consisting of the provider name and the user ID:
provider\userid
The authentication is done based on a two-part name.
The Server Administrator can add and remove security providers from the list at any time.
For instructions on configuring PTH and LDAP security providers, see Configuring Authentication or Configuring Authentication.
You can enable trusted connections separately for each security provider.
You can configure a security provider to accept trusted connections by setting its trust_ext value to y.
The Configuration page for that security provider opens.
This setting is available for all types of security providers.
When multiple security providers are configured, one must be identified as the default provider for trusted connections when WebFOCUS or other client software sends a trusted group ID without a security provider to the server.
To set the default provider for trusted groups:
The Access Control Settings page opens, as shown in the following image.
An authorized server administrator can set an anonymous user ID that can access the Web Console when the user ID/password fields on the Web Console sign in screen are blank and the user clicks Sign in.
This anonymous user ID provides the ID and, in turn, the user rights for the Web Console and the server. Further configuration for the anonymous user can be achieved by creating a user profile for the anonymous user ID. If an anonymous ID matches a user in the admin.cfg list, the applicable role and privileges are applied.
Note: On Windows, for security provider OPSYS only, you must turn IWA security off to use this feature. From the Workspace page, open the Special Services and Listeners folder, right-click TCP/HTTP, and select Properties. Click the Security IWA check box to deselect it.
The Access Control Settings page opens.
Topics: |
How to: |
You can configure the following password settings for any security provider:
When an application has the option to change a user password, the old and new passwords are sent to the server using a separator character (by default, a comma). For example:
old_password,new_password
The separator character is defined by the password_change_delimiter field. The separator needs to be reset if the current separator character is contained in the password itself or if it is allowed by the server.
This feature is not supported when Security is OFF.
The Access Control Settings page opens.
Note that you cannot use the designated password_change_delimiter character in a password.
A Server Administrator can allow users to change their password from the Web Console sign-in page. By default, users cannot change their passwords from the Web Console sign-in page.
The Access Control Settings page opens.
On Operating Systems that support password expiration, you can specify that a warning message be displayed a specified number of days prior to the expiration date. The message will appear after the initial sign-in screen. You must then click the Continue button to open the Web Console. Users can employ standard tools to change their passwords before expiration occurs.
Note: The password expiration warning is supported only on operating systems where IDs are configured to expire, and this extended security feature is active for the user ID. However, expiration warning is not currently supported on Windows platforms.
WebFOCUS | |
Feedback |