The following topics describe important security concepts that affect WebFOCUS Reporting Server behavior.
WebFOCUS Reporting Server security runs in one of the following modes:
Important: For details on how to issue this security setting, see your Server documentation.
The security behavior of a user's agent process depends on the WebFOCUS Reporting Server security setting. Make sure the settings in the following table match your requirements.
| Security Setting | Effective User of Workspace Manager Process | Effective User of Individual Agent Processes |
|---|---|---|
| OPSYS | z/OS: An APF authorized user ID. UNIX: Root user (accomplished using the Set User Privilege). OpenVMS: Selectable user ID with SYSPRIV. Windows: Typically, the system account. | Private deployment: Operating system user ID of the authenticated user. Limits access to the security profile privileges of that user. Connection Pooling: Configurable user ID. For more information, see WebFOCUS Reporting Server Deployment Options. |
| DBMS | Users defined on the DBMS server or on the WebFOCUS sub-server. This technique is called passthru, as user IDs and passwords supplied by the client are passed to the next level for authentication. | All the server processes run as a single user ID. |
| PTH | Authenticated user matching a username listed as admin_id in admin.cfg. | All the server processes run as a single user ID. |
| LDAP | In LDAP mode, the user credentials from the client connection are authenticated through the established directory. You must configure the Server Administrator password before starting a server in this security mode, either by providing it during installation or by starting the server with security OFF and configuring the administrator password from the Workspace, Configure, Access Control panel of the Web Console of the server. | All the server processes run as a single user ID from the operating system point of view. There is no impersonation of data agents. Supported on Windows and UNIX only. |
| OFF | Operating system user ID of the user who started Workspace Manager. The assigned user ID should only have privileges to access resources associated with the WebFOCUS Reporting Server. | The same as the Effective User of Workspace Manager Process. All users have the same access rights. |
When security is on, the WebFOCUS Reporting Server needs privileged authority to access the APIs that authenticate users to the operating system. For more detailed information, see the WebFOCUS and ReportCaster Installation and Configuration manual for your platform. Some administrators believe that running the WebFOCUS Reporting Server from a privileged account such as the root (or localsystem) account is a security exposure. If you do not run your server with a privileged account, you can enable user authentication for the WebFOCUS Reporting Server using a security plug-in (for more information, see Developing a Reporting Server Authentication Exit).
The following are ways to deploy WebFOCUS Reporting Server resources:
When security is on, authentication is processed for every client that logs on to the server. If the client user ID passes authentication, the agent will have the privileges associated with that user ID.
When security is off, authentication is not required. Requests are processed with the same user context as that of the Workspace Manager process.
Connection pooling executes the global server profile and service profiles when an agent is started, and pooled user profiles are executed on each connection. Therefore, each application agent inherits the privileges of one user account. The context is cleared once the session is established for a new connection, and then the pooled user profile is executed. Determining the user ID that all application agents will share depends on what operating system you are using, and whether or not you have set security on (OPSYS, DBMS, LDAP) or off. With security on, all users have the same rights because the effective user is the pooled ID that was supplied during configuration regardless of the ID of the connecting user.
Prestarted agents are an optional startup setting of the WebFOCUS Reporting Server that allow quicker initialization of WebFOCUS Reporting Server agents. Both private and pooled deployment schemes support prestarted agents. Prestarted pooled agents are started with the user ID of the pooled user and maintain that context upon connection.
Regardless of whether WebFOCUS Reporting Server security is on or off, prestarted private agents are started under the same user ID as the WebFOCUS Reporting Server. When server security is on, that is usually a system-like ID. However, as soon as a user is authenticated and connected with a prestarted agent, the user context of that agent impersonates the connecting user, thus limiting the agent to that user's access privileges.
For WebFOCUS Reporting Servers running with security on (OPSYS, DBMS, LDAP) or using a customized security plug-in (see Developing a Reporting Server Authentication Exit), the following are possible modes of operation:
A server may restrict certain originating IP addresses for service requests to the communications blocks for the TCP Listener (LST_TCP) and HTTP Listener (LST_HTTP). This is accomplished using the keyword (RESTRICT_TO_IP) in the server communications configuration file (odin.cfg).
For example:
NODE=LST_TCP
BEGIN
PROTOCOL=TCP
SERVICE=8100
CLASS=AGENT
RESTRICT_TO_IP=172.16.*.*,172.16.22.33
END
If the connecting IP is not allowed by any of the masks specified, it is rejected with a security violation message written to the server log (edaprint.log) as a dropped connection. The absence of the RESTRICT_TO_IP keyword means that any IP address is permitted. The keyword may specify up to eight masks using a comma (without any spaces before or after it) as the separator.
This may be configured using the WebFOCUS Reporting Server Console, or by manually editing the server communications configuration file. This feature is available on TCP/IP based servers other than the mainframe (z/OS and VM).
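The following is an added example, not WebFOCUS code, that models the RESTRICT_TO_IP check described above so an administrator can test a planned mask list before editing odin.cfg. It assumes that `*` in a mask matches any value in that octet, that the value holds at most eight comma-separated masks with no surrounding spaces, and that a missing keyword permits every address; the listener block embedded in it is constructed from the page's example, and the "dropped connection" log line is a constructed format, not the real edaprint.log wording.

```python
"""Model of the odin.cfg RESTRICT_TO_IP check (added example, not WebFOCUS code).

Assumptions (not stated by WebFOCUS documentation beyond the page's wording):
  - '*' in a mask octet matches any value for that octet;
  - at most eight masks, separated by commas with no spaces;
  - an absent RESTRICT_TO_IP keyword permits every address.
"""
import re
from typing import List, Optional

MAX_MASKS = 8

# Constructed listener block, modelled on the page's example.
SAMPLE_ODIN_CFG = """\
NODE=LST_TCP
BEGIN
PROTOCOL=TCP
SERVICE=8100
CLASS=AGENT
RESTRICT_TO_IP=172.16.*.*,172.16.22.33
END
"""

# One IPv4 octet (0-255) or the '*' wildcard.
_OCTET = re.compile(r"^(\*|25[0-5]|2[0-4]\d|1?\d?\d)$")


def _valid_mask(mask: str) -> bool:
    """A mask is four dot-separated octets, each numeric or '*'."""
    parts = mask.split(".")
    return len(parts) == 4 and all(_OCTET.match(p) for p in parts)


def parse_restrict_to_ip(cfg_text: str) -> Optional[List[str]]:
    """Return the mask list from RESTRICT_TO_IP, or None if the keyword is absent.

    Raises ValueError for more than eight masks or a malformed mask (for example
    a stray space after the comma, which the page says is not allowed).
    """
    for line in cfg_text.splitlines():
        key, sep, value = line.strip().partition("=")
        if sep and key.strip() == "RESTRICT_TO_IP":
            masks = value.split(",")
            if len(masks) > MAX_MASKS:
                raise ValueError(f"RESTRICT_TO_IP allows at most {MAX_MASKS} masks")
            for m in masks:
                if not _valid_mask(m):
                    raise ValueError(f"malformed mask {m!r} in RESTRICT_TO_IP")
            return masks
    return None


def ip_matches_mask(ip: str, mask: str) -> bool:
    """Octet-by-octet comparison; '*' in the mask matches any octet value."""
    ip_parts = ip.split(".")
    mask_parts = mask.split(".")
    if len(ip_parts) != 4 or len(mask_parts) != 4:
        return False
    return all(m == "*" or m == i for i, m in zip(ip_parts, mask_parts))


def connection_allowed(ip: str, masks: Optional[List[str]]) -> bool:
    """No keyword means everything is permitted; otherwise any mask may match."""
    if masks is None:
        return True
    return any(ip_matches_mask(ip, m) for m in masks)


def check_connection(ip: str, cfg_text: str, log: List[str]) -> bool:
    """Apply the listener's RESTRICT_TO_IP and record a rejection in `log`."""
    masks = parse_restrict_to_ip(cfg_text)
    if connection_allowed(ip, masks):
        return True
    # Constructed log wording; the real edaprint.log message differs.
    log.append(f"security violation: dropped connection from {ip} "
               f"(not permitted by RESTRICT_TO_IP={','.join(masks)})")
    return False


if __name__ == "__main__":
    events: List[str] = []
    for candidate in ("172.16.5.9", "172.16.22.33", "10.0.0.1"):
        print(candidate, "allowed" if check_connection(candidate, SAMPLE_ODIN_CFG, events) else "dropped")
    print("\n".join(events))
```

Running the block with the sample block prints that the two 172.16.x.x addresses are allowed and 10.0.0.1 is dropped with one log entry; replacing the RESTRICT_TO_IP line with a value containing `, ` or nine masks raises ValueError, which is the kind of typo worth catching before restarting the listener.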
Depending on the security setting, place the following code anywhere in the WebFOCUS Reporting Server profile (edasprof.prf) to obtain the identity of the user.
If security is on:
-SET &&USERID=GETUSER('A66');
If security is off or the WebFOCUS Reporting Server is using pooled deployment:
-SET &&USERID=CNCTUSR('A66');
where:
-SET
Is the Dialogue Manager command that is used to create variables.
&&USERID
Is the user-defined global variable that can be used for all subsequent requests.
GETUSER, CNCTUSR
Is the WebFOCUS function that retrieves the ID of the connected user. These functions are case sensitive and must be entered with uppercase characters. For more information about WebFOCUS functions, see the Using Functions manual.
Alternatively, you can use the following syntax in site.wfs or in the node profile of a specified server:
<SET> IBIC_user (pass)
To set a DBA password from the connected user ID, you can place the following sample code anywhere in the WebFOCUS Reporting Server profile (edasprof.prf):
-SET &&USERID = GETUSER('A66');
SET PASS = &&USERID
To set a DBA password from the connected user ID that cannot be changed in a procedure or configuration file, you can place the following sample code anywhere in the WebFOCUS Reporting Server profile (edasprof.prf):
-SET &&USERID = GETUSER('A66');
SET PERMPASS = &&USERID
You can configure a permanent password (PERMPASS) using the WebFOCUS Administration Console. For information, see WebFOCUS Client Administration.
For more information about DBA security, see the Describing Data With WebFOCUS Language manual.