Managed Reporting Sign-on Processing

To gain access to Managed Reporting resources, a user must first be authenticated. Authentication takes place during sign-on processing. WebFOCUS recognizes an HTTP sign-on request for Managed Reporting when the query string contains IBIMR_action=MR_SIGNON. Typically, the sign-on request will also include the variables IBIMR_user and IBIMR_pass, but this will not be the case in special sign-on requests, such as the integrated and trusted scenarios.

Next, the privileges and authorizations of the user are retrieved to confirm that the user's logon rights have not been disabled and to determine which capabilities and resources should be exposed to the user. This information is set in an encrypted session cookie (MR_COOKIE), which is stored in memory on the workstation. The cookie does not contain any passwords.

The final step in sign-on processing is returning a Managed Reporting view to the user. By default, the view returned to the user depends on the privilege level of that user, and is defined in WebFOCUS/basedir/mrrepos.htm. This file also defines the sign-on failure page. For an example of how to specify a custom view for the user, look at how the hidden form variables are used on the page http://hostname/ibi_html/samples/mrapi.htm. When the sign-on is issued from a program, you can include &IBIMR_returntype=XML on the query string to avoid returning a user interface page to the program.

In the case of a Business Intelligence Dashboard logon, the events follow a different sequence. The Dashboard controller servlet (WORP_RM) first creates a session using the credentials provided by the user on the sign-on request. These credentials are passed as the variables WORP_USER and WORP_PASS. The controller then calls WebFOCUS to process an MR sign-on request by mapping the ID and password supplied by the user to IBIMR_user and IBIMR_pass. For more information about the Dashboard logon, see Dashboard Sign-On Processing.

The Managed Reporting session for the user is represented by MR_COOKIE. As long as this cookie is presented to WebFOCUS, the user can access Managed Reporting content. Programs, including ReportCaster Distribution Server, must also comply with this sign-on process in order to access Managed Reporting content. The session persists until the user performs a logoff or closes the Web browser, or until the WebFOCUS cookie expires.

There are three types of Managed Reporting sign-on: explicit, integrated, and trusted.

Note: You can develop launch pages that can run Managed Reporting reports without a Managed Reporting session. To learn more about this feature, including how to disable it for increased security, see Accessing Reports From Outside Managed Reporting.


Explicit Sign-on Processing

The pages logon.htm and logonsi.htm under WebFOCUS/ibi_html/workbnch, and the pages WORP_Login.jsp, WORP_Loginsi.jsp, and cmlogon.jsp in the Web application perform an explicit sign-on to Managed Reporting. The pages ending in *si.* do not contain a change password link and are used for sign-on integration with the Reporting Server (see Configuring External Authentication). Developer Studio and (unless configured otherwise) ReportCaster also perform an explicit sign-on. Both the CGI/ISAPI and Servlet implementations of WebFOCUS support explicit Managed Reporting sign-on processing.

The syntax for an explicit sign-on request is:

IBIMR_action=MR_SIGNON&IBIMR_user=userid&IBIMR_pass=password[&IBIMR_random=string]

where:

string

Is a random number designed to defeat browser caching features.


Integrated Sign-on Processing

The page logonwi.htm under WebFOCUS/ibi_html/workbnch, and the JSPs WORP_Loginwi.jsp and cmlogonwi.jsp in the Web application perform an integrated sign-on to Managed Reporting. Both the CGI/ISAPI and Servlet implementations of WebFOCUS support explicit Managed Reporting sign-on processing.

The syntax for an integrated sign-on request is the same as for an explicit sign-on request except that the IBIMR_user and IBIMR_pass variables are not provided.

These pages are used in combination with other WebFOCUS settings for Web server sign-on integration (see Configuring Trusted Authentication).


Trusted Sign-on Processing

Trusted sign-on processing allows ReportCaster and WebFOCUS Open Portal Services to securely impersonate a user in scenarios in which they do not have knowledge of the user password.

The syntax for a trusted sign-on request is:

IBIMR_action=MR_SIGNON&IBIMR_user=userid&IBIMR_tid=ticket[&IBIMR_random=string]

where:

ticket
Is an encrypted string composed of the following pieces of information:
Encrypt(ProductId|UserId|TrustedKey|RandomData)

where:

Encrypt specifies WebFOCUS encryption. For information about WebFOCUS encryption, see WebFOCUS Encryption.

ProductId identifies the trusted client. This field is reserved for future use.

UserId is the logon ID of the user being impersonated and must match the value of IBIMR_user included in the sign-on request.

TrustedKey is a string that must match the value of IBIMR_TRUSTED_KEY in cgivars.wfs.

RandomData is eight bytes of random data.

Note: If IBIMR_pass is included then IBIMR_tid is ignored and the request is passed as explicit.
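
The three request forms above can be told apart from the query string alone, which is useful when reviewing Web server access logs. The following is an added example, not part of the original documentation or the product: it classifies MR_SIGNON requests and notes explicit sign-ons whose password was logged in the URL and trusted sign-ons from unexpected clients. The log layout, the /app path, the addresses and the TRUSTED_CLIENTS allowlist are assumptions.

```python
import re
from urllib.parse import parse_qs, urlsplit

TRUSTED_CLIENTS = {"10.0.0.20"}  # assumption: address of the ReportCaster host

# Constructed access-log lines; every host, path and value is made up.
SAMPLE_LOG = [
    '10.0.0.5 - - [01/Jan/2024:09:00:01 +0000] "GET /app?IBIMR_action=MR_SIGNON&IBIMR_user=alice&IBIMR_pass=example-pw&IBIMR_random=0.42 HTTP/1.1" 200 512',
    '10.0.0.6 - - [01/Jan/2024:09:00:02 +0000] "GET /app?IBIMR_action=MR_SIGNON&IBIMR_random=0.77 HTTP/1.1" 200 512',
    '10.0.0.20 - - [01/Jan/2024:09:00:03 +0000] "GET /app?IBIMR_action=MR_SIGNON&IBIMR_user=bob&IBIMR_tid=TICKET-PLACEHOLDER HTTP/1.1" 200 512',
    '10.0.0.99 - - [01/Jan/2024:09:00:04 +0000] "GET /app?IBIMR_action=MR_SIGNON&IBIMR_user=bob&IBIMR_tid=TICKET-PLACEHOLDER HTTP/1.1" 200 512',
    '10.0.0.6 - - [01/Jan/2024:09:00:05 +0000] "GET /app?report=sales HTTP/1.1" 200 2048',
]
LINE_RE = re.compile(r'^(\S+) .*?"(?:GET|POST) (\S+) [^"]*"')

def classify(query):
    """Return the sign-on type for a parsed query dict, or None if not a sign-on."""
    if query.get("IBIMR_action", [""])[0] != "MR_SIGNON":
        return None
    if "IBIMR_pass" in query:
        return "explicit"        # IBIMR_tid, if present, is ignored
    if "IBIMR_tid" in query:
        return "trusted"
    if "IBIMR_user" not in query:
        return "integrated"      # neither user ID nor password supplied
    return "unclassified"        # user ID with neither password nor ticket

def review(lines, trusted_clients=TRUSTED_CLIENTS):
    """Return (source, user, sign-on type, notes) for each sign-on request."""
    findings = []
    for line in lines:
        m = LINE_RE.match(line)
        if not m:
            continue
        src, target = m.groups()
        query = parse_qs(urlsplit(target).query, keep_blank_values=True)
        kind = classify(query)
        if kind is None:
            continue
        notes = []
        if kind == "explicit":
            notes.append("password in logged query string")
            if "IBIMR_tid" in query:
                notes.append("ticket sent with password (ticket ignored)")
        if kind == "trusted" and src not in trusted_clients:
            notes.append("trusted sign-on from unlisted client")
        findings.append((src, query.get("IBIMR_user", ["-"])[0], kind, notes))
    return findings
```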

During installation, IBIMR_TRUSTED_KEY is set to a default value and written to cgivars.wfs. The string is a representation of the WebFOCUS installation time in milliseconds. It is important to keep this key secret so that someone cannot use the value to create an unauthorized trusted connection to Managed Reporting. Because this key is encrypted, along with other information, in the trusted sign-on ticket, you should also consider switching WebFOCUS encryption from its default value to one of the stronger options that has an external key (see WebFOCUS Encryption). This then provides two levels of security.

You can change the key value provided that you also update the key(s) for ReportCaster. For information about setting the keys for ReportCaster, see How to Configure the Trusted MR Sign-On Setting for ReportCaster.
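
A configuration check for the key described above, given as an added example that is not part of the original documentation or the product. It reads IBIMR_TRUSTED_KEY from the text of cgivars.wfs, flags a value that still looks like the installation-time default, checks that the ReportCaster Trusted Key matches, and generates a random replacement. The NAME=value file layout, the 1995 lower bound and the hexadecimal key format are assumptions; the page does not state which key lengths or characters the product accepts.

```python
import re
import secrets
from datetime import datetime, timezone

# Constructed cgivars.wfs excerpt; the NAME=value layout is an assumption.
SAMPLE_CGIVARS = """\
# constructed sample, not a real configuration
IBIMR_TRUSTED_KEY=1199145600000
"""

KEY_RE = re.compile(r"^\s*IBIMR_TRUSTED_KEY\s*=\s*(\S+)\s*$", re.MULTILINE)

def read_trusted_key(cgivars_text):
    """Return the IBIMR_TRUSTED_KEY value, or None if the setting is absent."""
    m = KEY_RE.search(cgivars_text)
    return m.group(1) if m else None

def looks_like_install_time(key, now=None):
    """True if the key is all digits and reads as milliseconds between 1995 and now."""
    if not (key.isascii() and key.isdigit()):
        return False
    now = now or datetime.now(timezone.utc)
    floor = datetime(1995, 1, 1, tzinfo=timezone.utc)  # assumed earliest install date
    return floor.timestamp() * 1000 <= int(key) <= now.timestamp() * 1000

def audit(cgivars_text, reportcaster_key):
    """Return a list of findings; an empty list means no issue was detected."""
    key = read_trusted_key(cgivars_text)
    if key is None:
        return ["IBIMR_TRUSTED_KEY not found"]
    findings = []
    if looks_like_install_time(key):
        findings.append("key looks like the installation-time default")
    if key != reportcaster_key:
        findings.append("ReportCaster Trusted Key does not match")
    return findings

def new_key(nbytes=16):
    """Random replacement key as hex text (format is an assumption, see lead-in)."""
    return secrets.token_hex(nbytes)
```

After changing the value in cgivars.wfs, the same value still has to be entered in the ReportCaster Trusted Key field, as the procedures below describe.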



Procedure: How to Configure the Trusted MR Sign-On Setting for ReportCaster
  1. Access the ReportCaster Server Configuration tool in one of the following ways:
    • If you are on a Windows platform, you can access the configuration tool from the Start Programs menu by selecting Information Builders, ReportCaster, Distribution Server, Configuration, and then clicking Edit.
    • When logged on to Managed Reporting as an administrator, click the clock icon. The ReportCaster Development and Administration Interface opens. From this interface, select the ReportCaster Server Configuration link.
    • You can also access ReportCaster independent of Managed Reporting by typing the following URL:
      http://hostname[:port]/rcaster/main/reportcaster.jsp

      where:

      hostname[:port]

      Is the host name and optional port number (specified only if you are not using the default port number) of the Application Server where the ReportCaster Web application is deployed.

      rcaster

      Is the site-customized context root for the ReportCaster Web application deployed on your Application Server. rcaster is the default value.

      In this case, since your user credentials have not been validated by Managed Reporting, you must type a valid ReportCaster administrator ID and password to log on to the ReportCaster Development and Administration Interface. From this interface, select the ReportCaster Server Configuration link.

    The ReportCaster - Server Configuration window opens displaying the General tab.

  2. In the General tab, select the Security folder and locate the Authentication Plug-in setting. From the drop-down list, select Trusted MR Sign-On.

  3. Click the MR Info tab.

  4. Verify that the Trusted Key configuration setting value matches the IBIMR_TRUSTED_KEY setting in the cgivars.wfs file located in the \ibi\WebFOCUS77\client\wfc\etc directory.

    Note:

    • When you perform an InstallShield installation on Windows or UNIX, and you install Managed Reporting and ReportCaster together, the Trusted Key value is populated automatically.
    • When ReportCaster and WebFOCUS are installed at different times, you must populate the Trusted Key field in the Server Configuration tool with the IBIMR_TRUSTED_KEY parameter value in the cgivars.wfs file.
  5. Click the Save icon, or select Save from the Action menu. A message appears asking for confirmation that you want to save the changes to the configuration file. Click Yes.
  6. Restart the ReportCaster Distribution Server.
  7. Reload the WebFOCUS and ReportCaster Web applications.
  8. After reloading the Web application(s), all users currently logged on must restart their sessions to obtain the current configuration information. Since the session of the user does not have information cached pertaining to the ReportCaster configuration, the user interfaces must be restarted to obtain any updated information.

For more information, see Configuring an Authentication Plug-in for Self-Service ReportCaster Applications in ReportCaster Security in the ReportCaster Administration manual.



Procedure: How to Update the Trusted MR Sign-On Key

To update a Trusted MR sign-on key value:

  1. Go to the directory that contains the cgivars.wfs file:

    On UNIX and z/OS, the cgivars.wfs file is located in:

    /ibi/WebFOCUS/client/wfc/etc

    On Windows, the cgivars.wfs file is located in:

    \ibi\WebFOCUS77\client\wfc\etc
  2. Open the cgivars.wfs file and copy the IBIMR_TRUSTED_KEY variable value.
  3. Open the ReportCaster Server Configuration tool and click the MR Info tab.
  4. Paste the copied IBIMR_TRUSTED_KEY value into the Trusted Key field.
  5. Save the ReportCaster server configuration by selecting Save from the Action menu.
  6. Restart ReportCaster by selecting Restart from the Action menu or clicking the Restart icon in the toolbar.
