Securing the WebFOCUS Administration Console
By default, the WebFOCUS Administration Console is
configured for no authentication of users. It also gives administrator
privileges to the default admin ID established during WebFOCUS installation. You can change this default by specifying
administrator IDs and by choosing between two authentication options.
Note: You may also be able to use J2EE role security as
a third authentication option. For information,
see Technical Memo 4606, Protecting the WebFOCUS 7.1
Administration Console With Tomcat.
In the Startup Parameters section of the WebFOCUS Administration Console, the
variable named ADMINISTRATORS specifies the user IDs that have administrator
privileges when they access the Console. The variable named DEVELOPERS
specifies the user IDs that have developer privileges. Developers
can access the Quick Links.
In addition, the IBIWFC_AUTHENTICATION variable defines how users
accessing the Console will be authenticated. The valid values for
IBIWFC_AUTHENTICATION are:
-
No authentication. With
this setting, the user ID is not authenticated. That is, no password
is required or checked. However, only those user IDs specified in
the ADMINISTRATORS and/or DEVELOPERS variable have access to the Console.
-
WEB. With
this setting, the Web server authenticates users and WebFOCUS uses the value found in REMOTE_USER to determine Console
privileges. To have administrative access to the Console, a user
ID must be successfully authenticated by the Web server and specified in
the ADMINISTRATORS variable. The Web server must be configured to
authenticate users and to pass credentials to the WebFOCUS Client
in its REMOTE_USER environment variable.
-
EDA. With
this setting, the WebFOCUS Reporting
Server authenticates users by checking the user ID and password
submitted on the Console logon screen. To have administrative access
to the Console, a user ID must be successfully authenticated by
the WebFOCUS Reporting Server and specified
in the ADMINISTRATORS variable.
-
EDA node. With this setting, authentication takes place
against the selected Reporting Server. Any user ID stored in the
ADMINSTRATORS or DEVELOPERS variables will be able to connect to
the specified Reporting Server.
-
WEBHDR. With this setting, the Web server authentication
takes place against the user ID found in the HTTP variable specified
in this setting.
-
MR. With this setting, authentication takes place against
Managed Reporting. The user ID specified for ADMINSTRATORS must
be a valid Managed Reporting user ID.
Before selecting Web server or Reporting Server authentication
for the Console, you must make sure that at least one ID listed
in the ADMINISTRATORS variable is a valid ID for that type of authentication.
If you do not, you will lose administrative access to the Console.
x
Procedure: How to Configure External Authentication for the WebFOCUS Administration Console
Decide
which individuals will be authorized to use the administrative and
developer functions of the WebFOCUS Administration Console.
- For Web server
authentication (using the REMOTE_USER environment variable), add
the list of authorized Web server IDs to the ADMINISTRATORS setting using
a semi-colon as the separator. Also change the IBIWFC_AUTHENTICATION
setting to WEB.
- For Reporting
Server authentication add the list of authorized WebFOCUS Reporting Server IDs to
the ADMINISTRATORS setting using a semi-colon as the separator.
Also change the IBIWFC_AUTHENTICATION setting to EDA, as shown in
the following image.
Be sure
to complete changes to both settings before leaving this pane of
the console, or you will lose access to the console. These changes
control the authentication method and valid IDs for the WebFOCUS Administration Console.
By
default, the ID admin exists. It has no password, but has
administrative privileges. After establishing at least one other
valid administrator ID for the Console, you may want to consider
removing the ID admin, which is well known.
When accessing
the WebFOCUS Administration Console, the credentials you supply
to the Web server or WebFOCUS Reporting
Server will be checked against the list of IDs found in the ADMINISTRATORS and
DEVELOPERS keywords to determine your access rights.
If you
supply your credentials to the Web server with an NT domain prefix
(for example, IBI\jt01234), only enter the ID portion to the keyword
(for example, jt01234). WebFOCUS trims any NT domain prefix
found on REMOTE_USER before looking for a match in the ADMINSTRATORS
keyword.
Important: We suggest that all configuration
changes be made through the console, however, you can also make
these changes using a text editor. (Note that due to formatting
commands in a file, some text editors may not display the file content
properly. In this case, choose another text editor to work with.)
You can use this technique to manually restore the original values
for the ADMINISTRATORS variable if necessary. For example, if you
enable WEB or EDA authentication without adding your valid Web server
or Reporting Server ID, you will lose administrative access to the
Console. You can open the file \ibi\WebFOCUS77\client\wfc\web\cgi\ibiweb.cfg,
where these variable values are stored, in a text editor and manually
change the ADMINISTRATORS values to include your ID. If you are
using the Servlet implementation of the WebFOCUS Client, you must also reload
your WebFOCUS Web application in order for the new version of ibiweb.cfg
to be read.