To gain access to Managed Reporting resources, a user must first be authenticated. Authentication takes place during sign-on processing. WebFOCUS recognizes an HTTP sign-on request for Managed Reporting when the query string contains IBIMR_action=MR_SIGNON. Typically, the sign-on request will also include the variables IBIMR_user and IBIMR_pass, but this will not be the case in special sign-on requests, such as the integrated and trusted scenarios.
Next, the privileges and authorizations of the user are retrieved to confirm that the user's logon rights have not been disabled and to determine which capabilities and resources should be exposed to the user. This information is set in an encrypted session cookie (MR_COOKIE), which is stored in memory on the workstation. The cookie does not contain any passwords.
The final step in sign-on processing is returning a Managed Reporting view to the user. By default, the view returned to the user depends on the privilege level of that user, and is defined in WebFOCUS/basedir/mrrepos.htm. This file also defines the sign-on failure page. For an example of how to specify a custom view for the user, look at how the hidden form variables are used on the page http://hostname/ibi_html/samples/mrapi.htm. When the sign-on is issued from a program, you can include &IBIMR_returntype=XML on the query string to avoid returning a user interface page to the program.
In the case of a Business Intelligence Dashboard logon, the events follow a different sequence. The Dashboard controller servlet (WORP_RM) first creates a session using the credentials provided by the user on the sign-on request. These credentials are passed as the variables WORP_USER and WORP_PASS. The controller then calls WebFOCUS to process an MR sign-on request by mapping the ID and password supplied by the user to IBIMR_user and IBIMR_pass. For more information about the Dashboard logon, see Dashboard Sign-On Processing.
The Managed Reporting session for the user is represented by MR_COOKIE. As long as this cookie is presented to WebFOCUS, the user can access Managed Reporting content. Programs, including ReportCaster Distribution Server, must also comply with this sign-on process in order to access Managed Reporting content. The session persists until the user performs a logoff or closes the Web browser, or until the WebFOCUS cookie expires.
There are three types of Managed Reporting sign-on:
Note: You can develop launch pages that can run Managed Reporting reports without a Managed Reporting session. To learn more about this feature, including how to disable it for increased security, see Accessing Reports From Outside Managed Reporting.
The pages logon.htm and logonsi.htm under WebFOCUS/ibi_html/workbnch, and the pages WORP_Login.jsp, WORP_Loginsi.jsp, and cmlogon.jsp in the Web application do an explicit sign-on to Managed Reporting. The pages ending in *si.* do not contain a change password link and are used for sign-on integration with the Reporting Server (see Configuring External Authentication). Developer Studio and (unless configured otherwise) ReportCaster also do an explicit sign-on. Both the CGI/ISAPI and Servlet implementations of WebFOCUS support explicit Managed Reporting sign-on processing.
The syntax for an explicit sign-on request is:
IBIMR_action=MR_SIGNON&IBIMR_user=userid&IBIMR_pass=password[IBIMR_random=string]
where:
string
Is a random number designed to defeat browser caching features.
The page logonwi.htm under WebFOCUS/ibi_html/workbnch, and the JSPs WORP_Loginwi.jsp and cmlogonwi.jsp in the Web application do an integrated sign-on to Managed Reporting. Both the CGI/ISAPI and Servlet implementations of WebFOCUS support explicit Managed Reporting sign-on processing.
The syntax for an integrated sign-on request is the same as for an explicit sign-on request except that the IBIMR_user and IBIMR_pass variables are not provided.
These pages are used in combination with other WebFOCUS settings for Web server sign-on integration (see Configuring Trusted Authentication).
Trusted sign-on processing allows ReportCaster and WebFOCUS Open Portal Services to securely impersonate a user in scenarios in which they do not have knowledge of the user password.
The syntax for a trusted sign-on request is:
IBIMR_action=MR_SIGNON&IBIMR_user=userid&IBIMR_tid=ticket[IBIMR_random=string]
where:
Encrypt(ProductId|UserId|TrustedKey|RandomData)
where:
Encrypt specifies WebFOCUS encryption. For information about WebFOCUS encryption, see WebFOCUS Encryption.
ProductId identifies the trusted client. This field is reserved for future use.
UserId is the logon ID of the user being impersonated and must match the value of IBIMR_user included in the sign-on request.
TrustedKey is a string that must match the value of IBIMR_TRUSTED_KEY in cgivars.wfs.
RandomData is eight bytes of random data.
Note: If IBIMR_pass is included then IBIMR_tid is ignored and the request is passed as explicit.
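The sign-on rules described above (explicit, integrated, trusted, and the precedence of IBIMR_pass over IBIMR_tid) can be applied to logged query strings to see which sign-on types are in use. This is an added example, not WebFOCUS code; the function names, the "incomplete" category, and the sample query strings are constructed for illustration.

```python
from collections import Counter
from typing import Optional
from urllib.parse import parse_qs

# Constructed sample query strings (not taken from a real system).
SAMPLES = [
    "IBIMR_action=MR_SIGNON&IBIMR_user=alice&IBIMR_pass=example&IBIMR_random=0.1234",
    "IBIMR_action=MR_SIGNON&IBIMR_random=0.5678",
    "IBIMR_action=MR_SIGNON&IBIMR_user=bob&IBIMR_tid=PLACEHOLDER_TICKET&IBIMR_returntype=XML",
    "IBIMR_action=MR_SIGNON&IBIMR_user=carol&IBIMR_pass=example&IBIMR_tid=PLACEHOLDER_TICKET",
    "IBIMR_action=PLACEHOLDER_OTHER_ACTION",
]

def classify_signon(query: str) -> Optional[dict]:
    """Classify one query string by the sign-on rules in the text above."""
    params = parse_qs(query, keep_blank_values=True)
    if params.get("IBIMR_action", [""])[0] != "MR_SIGNON":
        return None  # not a Managed Reporting sign-on request
    has_user = "IBIMR_user" in params
    has_pass = "IBIMR_pass" in params
    has_tid = "IBIMR_tid" in params
    notes = []
    if has_pass:
        # IBIMR_pass wins: the request is processed as explicit.
        kind = "explicit"
        notes.append("password carried in query string")
        if has_tid:
            notes.append("IBIMR_tid ignored because IBIMR_pass is present")
    elif has_tid:
        kind = "trusted"
        if not has_user:
            notes.append("trusted ticket without IBIMR_user")
    elif not has_user:
        kind = "integrated"  # neither IBIMR_user nor IBIMR_pass supplied
    else:
        kind = "incomplete"  # hypothetical label for a case the text does not define
        notes.append("IBIMR_user without IBIMR_pass or IBIMR_tid")
    if params.get("IBIMR_returntype", [""])[0] == "XML":
        notes.append("programmatic caller (IBIMR_returntype=XML)")
    return {"type": kind, "user": params.get("IBIMR_user", [None])[0], "notes": notes}

def summarize(queries) -> Counter:
    """Count sign-on requests by type, skipping non-sign-on requests."""
    results = (classify_signon(q) for q in queries)
    return Counter(r["type"] for r in results if r is not None)

if __name__ == "__main__":
    for q in SAMPLES:
        print(classify_signon(q))
    print(summarize(SAMPLES))
```
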
During installation, IBIMR_TRUSTED_KEY is set to a default value and written to cgivars.wfs. The string is a representation of the WebFOCUS installation time in milliseconds. It is important to keep this key secret so that someone cannot use the value to create an unauthorized trusted connection to Managed Reporting. Because this key is encrypted, along with other information, in the trusted sign-on ticket, you should also consider switching WebFOCUS encryption from its default value to one of the stronger options that has an external key (see WebFOCUS Encryption). This then provides two levels of security.
You can change the key value provided that you also update the key(s) for ReportCaster. For information about setting the keys for ReportCaster, see How to Configure the Trusted MR Sign-On Setting for ReportCaster.
http://hostname[:port]/rcaster/main/reportcaster.jsp
where:
hostname[:port]
Is the host name and optional port number (specified only if you are not using the default port number) of the Application Server where the ReportCaster Web application is deployed.
rcaster
Is the site-customized context root for the ReportCaster Web application deployed on your Application Server. rcaster is the default value.
In this case, since your user credentials have not been validated by Managed Reporting, you must type a valid ReportCaster administrator ID and password to log on to the ReportCaster Development and Administration Interface. From this interface, select the ReportCaster Server Configuration link.
The ReportCaster - Server Configuration window opens displaying the General tab.
Note:
For more information, see Configuring an Authentication Plug-in for Self-Service ReportCaster Applications in ReportCaster Security in the ReportCaster Administration manual.
To update a Trusted MR sign-on key value:
On UNIX and z/OS, the cgivars.wfs file is located in:
/ibi/WebFOCUS/client/wfc/etc
On Windows, the cgivars.wfs file is located in:
\ibi\WebFOCUS77\client\wfc\etc
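A check for whether IBIMR_TRUSTED_KEY still looks like the installer default (an installation time in milliseconds), with a helper that swaps in a random replacement. This is an added example, not WebFOCUS code. It assumes cgivars.wfs stores the setting as a single IBIMR_TRUSTED_KEY=value line and that a 64-character hexadecimal string is an acceptable key value; the function names and sample file content are constructed.

```python
import re
import secrets
import time
from datetime import datetime, timezone

# Assumption: the key is stored on one line as IBIMR_TRUSTED_KEY=value.
KEY_LINE = re.compile(r"^[ \t]*IBIMR_TRUSTED_KEY[ \t]*=[ \t]*(.*?)[ \t]*$", re.MULTILINE)

# Constructed sample file content (EXAMPLE_SETTING is a placeholder name).
SAMPLE_WFS = "IBIMR_TRUSTED_KEY=1199145600000\nEXAMPLE_SETTING=value\n"

def audit_trusted_key(wfs_text: str, now_ms: int = None) -> list:
    """Return findings about the trusted key; an empty list means none."""
    now_ms = int(time.time() * 1000) if now_ms is None else now_ms
    match = KEY_LINE.search(wfs_text)
    if match is None:
        return ["IBIMR_TRUSTED_KEY not found"]
    key = match.group(1)
    findings = []
    # All digits, 12-13 characters, not in the future: an epoch-millisecond
    # timestamp, which is what the installer writes by default.
    if key.isdigit() and 12 <= len(key) <= 13 and int(key) <= now_ms:
        when = datetime.fromtimestamp(int(key) / 1000, tz=timezone.utc)
        findings.append(f"key looks like installer default (epoch ms, {when:%Y-%m-%d})")
    elif len(key) < 16:
        findings.append("key shorter than 16 characters")
    return findings

def new_trusted_key() -> str:
    """Generate a 256-bit random key as 64 hex characters."""
    return secrets.token_hex(32)

def rotate_trusted_key(wfs_text: str, new_key: str) -> str:
    """Return the file text with the key value replaced; other lines untouched."""
    if KEY_LINE.search(wfs_text) is None:
        raise ValueError("IBIMR_TRUSTED_KEY not found")
    return KEY_LINE.sub(lambda m: f"IBIMR_TRUSTED_KEY={new_key}", wfs_text, count=1)

if __name__ == "__main__":
    print(audit_trusted_key(SAMPLE_WFS))
    updated = rotate_trusted_key(SAMPLE_WFS, new_trusted_key())
    print(audit_trusted_key(updated))
```

After changing the value in cgivars.wfs, the matching ReportCaster key must be set to the same value, as noted above.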