WebFOCUS Reporting Server Security

WebFOCUS Reporting Server Security Modes

WebFOCUS Reporting Server security runs in one of the following modes:

Security OPSYS means that the user credentials from the client connection are authenticated by the native security system of the operating system. The server then allocates a data access agent that fully impersonates that user so that access control to files or other objects is guaranteed by the native system.
Security DBMS means that users are authenticated using a list of user IDs stored in a relational data source. In this mode there is no impersonation or authentication at the level of operating system security for any user credentials supplied by the client connection. Instead, the users may be defined on the DBMS server or WebFOCUS subserver. This technique is called password passthru, as user IDs and passwords supplied by the client are passed to the next level for authentication.
Security PTH means that access to the Reporting Server Web Console is controlled by authenticating against the user list defined at the configuration level (user IDs and passwords have to be configured in admin.cfg). When security is set to PTH, there is no impersonation or authentication at the level of the operating system. All server processes run as a single user ID from the operating system point of view. There is no impersonation of data agents.
Security LDAP means that the user credentials from the client connection are authenticated through the established directory services. Impersonation is not applicable for this security mode.
Security OFF means that the user is not authenticated by the built-in WebFOCUS Reporting Server security, and that all agents created by the server will run with the security profile of the user that started the server. A security plug-in can be used as an alternative means for authenticating the user (for more information, see
Developing a Reporting Server Authentication Exit).
Important:
- While this is a flexible feature, keep in mind that it could have ramifications. On Windows, for example, if you want security off, the WebFOCUS Reporting Server should never be started with an Administrator or system account, since all connecting users would by default have system privileges. For more information, see the WebFOCUS and ReportCaster Installation and Configuration manual for your specific platform.
- When security is off, other security measures (such as Web server security, firewalls, and exits) should be in place in order to ensure that any unauthorized access is denied.

For details on how to issue this security setting, see your Server documentation.

The security behavior of the agent process of the user varies depending on your WebFOCUS Reporting Server security setting. Make sure you match the following settings with your requirements.

Security Setting	Effective User of Workspace Manager Process	Effective User of Individual Agent Processes
OPSYS	z/OS: An APF authorized user ID. UNIX: Root user (accomplished using the Set User Privilege). OpenVMS: Selectable user ID with SYSPRIV. Windows: Typically, the system account.	Private deployment: Operating system user ID of the authenticated user. Limits access to the security profile privileges of that user. Connection Pooling: Configurable user ID. For more information, see WebFOCUS Reporting Server Deployment Options.
DBMS	Users defined on the DBMS server or on the WebFOCUS sub-server. This technique is called passthru, as user IDs and passwords supplied by the client are passed to the next level for authentication.	All the server processes run as a single user ID.
PTH	Authenticated user matching a username listed as admin_id in admin.cfg.	All the server processes run as a single user ID.
LDAP	In LDAP mode, the user credentials from the client connection are authenticated through the established directory. You must configure the Server Administrator password before starting a server in this security mode, either by providing it during installation or by starting the server with security OFF and configuring the administrator password from the Workspace, Configure, Access Control panel of the Web Console of the server.	All the server processes run as a single user ID from the operating system point of view. There is no impersonation of data agents. Supported on Windows and UNIX only.
OFF	Operating system user ID of the user who started Workspace Manager. The assigned user ID should only have privileges to access resources associated with the WebFOCUS Reporting Server.	The same as the Effective User of Workspace Manager Process. All users have the same access rights.

When security is on, the WebFOCUS Reporting Server needs privileged authority to access the APIs that authenticate users to the operating system. For more detailed information, see the WebFOCUS and ReportCaster Installation and Configuration manual for your platform. Some administrators believe that running the WebFOCUS Reporting Server from a privileged account such as the root (or localsystem) account is a security exposure. If you do not run your server with a privileged account, you can enable user authentication for the WebFOCUS Reporting Server using a security plug-in (for more information, see Developing a Reporting Server Authentication Exit).

WebFOCUS Reporting Server Deployment Options

Reference:

Optional WebFOCUS Reporting Server Deployment Options

The following are ways to deploy WebFOCUS Reporting Server resources:

Private Deployment. Indicates that for each client connection request, a dedicated application agent is assigned. The privileges of each application agent depend on the security setting of the WebFOCUS Reporting Server.
When security is on, authentication is processed for every client that logs on to the server. If the client user ID passes authentication, the agent will have the privileges associated with that user ID.

When security is off, authentication is not required. Requests are processed with the same user context as that of the Workspace Manager process.
Connection Pooling. Allows a predetermined number of application agents to support a large community of users, provided that the application is designed to support the small Logical Unit of Work (LUW) concept. These application agents establish their application environments on startup and maintain their environments (including database connections between LUWs) during user connections.
Connection pooling executes the global server profile and service profiles when an agent is started, and pooled user profiles are executed on each connection. Therefore, each application agent inherits the privileges of one user account. The context is cleared once the session is established for a new connection, and then the pooled user profile is executed. Determining the user ID that all application agents will share depends on what operating system you are using, and whether or not you have set security on (OPSYS, DBMS, LDAP) or off. With security on, all users have the same rights because the effective user is the pooled ID that was supplied during configuration regardless of the ID of the connecting user.

Top of page

Reference: Optional WebFOCUS Reporting Server Deployment Options

Prestarted agents are an optional startup setting of the WebFOCUS Reporting Server that allow quicker initialization of WebFOCUS Reporting Server agents. Both private and pooled deployment schemes support prestarted agents. Prestarted pooled agents are started with the user ID of the pooled user and maintain that context upon connection.

Regardless of whether WebFOCUS Reporting Server security is on or off, prestarted private agents are started under the same user ID as the WebFOCUS Reporting Server. When server security is on, that is usually a system-like ID. However, as soon as a user is authenticated and connected with a prestarted agent, the user context of that agent impersonates the connecting user, thus limiting the agent to access privileges.

WebFOCUS Reporting Server Authentication Modes

For WebFOCUS Reporting Servers running with security on (OPSYS, DBMS, LDAP) or using a customized security plug-in (see Developing a Reporting Server Authentication Exit), the following are possible modes of operation:

Explicit Verification Processing. A user ID and password are required to connect to the server. This is the default setting.
Trusted (Already Verified Processing). Requires that the WebFOCUS Client send only the user ID, along with a flag indicating that authentication has already taken place. This option is not supported when the Reporting Server is running on Windows.

IP Restriction Filtering

A server may restrict certain originating IP addresses for service requests to the communications blocks for the TCP Listener (LST_TCP) and HTTP Listener (LST_HTTP). This is accomplished using the keyword (RESTRICT_TO_IP) in the server communications configuration file (odin.cfg).

For example:

NODE=LST_TCP
BEGIN
 PROTOCOL=TCP
 SERVICE=8100
 CLASS=AGENT
 RESTRICT_TO_IP=172.16.*.*,172.16.22.33
END

If the connecting IP is not allowed by any of the masks specified, it is rejected with a security violation message written to the server log (edaprint.log) as a dropped connection. The absence of the RESTRICT_TO_IP keyword means that any IP address is permitted. The keyword may specify up to eight masks using a comma (without any spaces before or after it) as the separator.

This may be configured using the WebFOCUS Reporting Server Console, or by manually editing the server communications configuration file. This feature is available on TCP/IP based servers other than the mainframe (z/OS and VM).

Obtaining the Identity of the User

Depending on the security setting, place the following code anywhere in the WebFOCUS Reporting Server profile (edasprof.prf) to obtain the identity of the user.

If security is on:

-SET &&USERID=GETUSER('A66');

If security is off or the WebFOCUS Reporting Server is using pooled deployment:

-SET &&USERID=CNCTUSR('A66');

where:

-SET: Is the Dialogue Manager command that is used to create variables.
&&USERID: Is the user-defined global variable that can be used for all subsequent requests.
{GETUSER|CNCTUSR}: Is the WebFOCUS function that retrieves the ID of the connected user. These functions are case sensitive and must be entered with uppercase characters. For more information about WebFOCUS functions, see the Using Functions manual.

Alternatively, you can use the following syntax in site.wfs or in the node profile of a specified server:

<SET> IBIC_user (pass)

To set a DBA password from the connected user ID, you can place the following sample code anywhere in the WebFOCUS Reporting Server profile (edasprof.prf):

-SET &&USERID = GETUSER('A66');
SET PASS = &&USERID

To set a DBA password from the connected user ID that cannot be changed in a procedure or configuration file, you can place the following sample code anywhere in the WebFOCUS Reporting Server profile (edasprof.prf):

-SET &&USERID = GETUSER('A66');
SET PERMPASS = &&USERID

You can configure a permanent password (PERMPASS) using the WebFOCUS Administration Console. For information, see WebFOCUS Client Administration.

For more information about DBA security, see the Describing Data With WebFOCUS Language manual.