Configuring Authentication

In this section:

Authentication is the process of validating user credentials. Individuals who use WebFOCUS may have user IDs and passwords managed by other systems. WebFOCUS Managed Reporting and the Reporting Server can each be configured to authenticate users to an external security system, or to trust that authentication has already taken place. Users benefit because they do not have to logon multiple times or manage separate user ID/password combinations. If a user logs onto WebFOCUS with credentials from an outside security package, the package provides some type of authentication confirmation to the WebFOCUS Client or the Reporting Server. This information may be in the form of a browser cookie or a logon ticket and may be needed by the Reporting Server in order for it to access and retrieve the data required by the WebFOCUS application.

Depending on your operating environment, user credentials can be validated by:

Multiple security providers can be configured. The primary provider is identified by the EDAEXTSEC environment variable. You can configure additional providers using the Web Console Access Control page.


Top of page

x
Configuring OPSYS Authentication

In this section:

How to:

When security is set to OPSYS, the user credentials from the client connection are authenticated by the native security system of the operating system. The server then allocates a data access agent that impersonates the user so that access to files or other objects is controlled by the native system.

Profiles for operating system users are supported on all platforms. On Windows, Active Directory groups are supported based on the win_primgroup_adsi setting.

The server will automatically run in security OPSYS mode if no other security mode has been configured and the server process has been granted sufficient privileges. If the server process does not have sufficient privileges for operating system authentication, and no other security mode has been configured, the server runs with security OFF.

Details about OPSYS security requirements are provided in the Server Installation manual, where specific sections are provided for each platform. Refer to this manual for installation instructions and platform-specific setup steps. The following is a summary of the OPSYS requirements:

Note that some system specific settings in the edaserve.cfg file are provided to allow further adjustments of the authentication mechanism. Those relevant for some UNIX systems are:

For Windows systems, the logon_method setting (for interactive, network, or batch) is relevant to explicit connections.

Note: For more information on limiting user access to the Web Console, see Configuring General Server and Web Console Actions.



x
Procedure: How to Enable Primary Group Support for Windows Active Directory

When the Reporting Server runs on the Windows platform with OPSYS security mode against an Active Directory, you can set the win_primgroup_adsi keyword to support Active Directory primary group notation. When you set the parameter to y, the server uses the primary group of the user as the name for the group profile and for some access controls under the Web Console. (Note that you can only set the primary group from Windows Active Directory interface to Users management.) In order to take advantage of this setting, you must ensure that the Windows machine that hosts the server resides in the same domain as the Active Directory.

  1. Access the Web Console with a server administrator user ID.
  2. From the Workspace menu, select Access Control.

    The Access Control page opens.

  3. Open the Security Providers folder in the navigation pane.
  4. Right-click OPSYS and select Properties.

    The OPSYS Security Configuration page opens.

  5. Select y from the win_primgroup_adsi drop-down menu.
  6. Click Save.


x
Procedure: How to Configure OPSYS Security Mode

This procedure assumes that the server is already running in non-OPSYS security mode.

  1. Access the Web Console with a server administrator user ID.
  2. From the Workspace menu, select Access Control.

    The Access Control page opens.

    The server security mode is displayed on the Access Control page.

  3. Right-click the Security Providers folder in the navigation pane, and select Change Effective Security Provider(s).

    The Change Effective Security Provider(s) page opens.

    Note: For more information about changing security providers, see Considerations for Changing the List of Security Providers From the Web Console.

  4. Select OPSYS from the Security Mode drop-down menu.
  5. Supply the Server Administrator user ID and password. Alternatively, you can enter a new user ID and password. It will be added to the admin.cfg file as a Server Administrator.

  6. Click Apply and Stop Server.
  7. Note: If you change the privileges of tscom300, the server will start with security OPSYS by default. For more information, see the Server Installation manual.
  8. For z/OS Unified Server only. Starting with z/OS 1.7, the z/OS security package provides extended password support. If this option is enabled, you must add mixed_case_password=on to the edaserve configuration file before starting the server in security mode OPSYS. For HFS deployment, this file is in $EDACONF/etc and for PDS deployment it is in qualif.servertype.CONF.CFG, where servertype is determined by your license key.
  9. If the server is not running, start it using the instructions for your platform.

    The server will start in OPSYS security mode.

  10. Examine the edaprint.log file. If it indicates errors, stop the server, correct the errors, then start it with security OPSYS.
  11. Restart your browser and connect to the Web Console. When prompted, enter a valid operating system user ID and password.

If you wish to register other users in a role or group or create new roles, first connect as a Server Administrator. Then follow the instructions in Registering Users and Groups in a Role.



x
Preventing Unsecured Server Starts After Upgrades

If the explicit environment variable EDAEXTSEC is set to OPSYS (or ON), and the server cannot impersonate users because it lacks platform-specific authorization steps performed during installation and described in the installation guide, the server start aborts and error messages are written to the edaprint log file.

This feature prevents an unsecured server start after a software upgrade if any of the required post-upgrade, reauthorization steps are missed on a UNIX, IBM i, or z/OS HFS deployment. This is not applicable to other platforms. The setting may be placed in any normal server start-up shell or profile that a site is using or in the server edaenv.cfg configuration file. The messages vary slightly by platform.

The edaprint messages are:

Configured security is 'ON' as set by EDAEXTSEC variable.

Server has no root privilege. (UNIX)

Server is not APF-authorized. (z/OS HFS)

TSCOM300.PGM has no QSECOFR authority. (IBM i)

Workspace initialization aborted.
(EDA13171) UNABLE TO START SERVER


x
Using Password Phrases for Authentication on z/OS

Starting with z/OS 1.8, IBM introduced password phrases which can be used for authentication, and starting with z/OS 1.10 password phrases can be used for TSO Logon as well. Password phrases can be from 14 to 100 characters long.

z/OS IDs can have both a password (1 to 8 bytes) and a passphrase (from 14 to 100 bytes). The two forms of credentials are independent. Changing one does not change the other. The server recognizes the type of credential being presented by its size (sizes between 9 and 13 are invalid on z/OS).

No special configuration is needed to enable password phrases.

When a users log into the Web Console, there are two possible ways they can change their passwords or passphrases:



x
Procedure: How to Change Passwords on the Web Console Logon Screen

By default, passwords cannot be changed on the Web Console Logon page because the following parameter is in effect:

password_change_wclogin = n

To enable the option to change passwords when logging into the Web Console:

  1. Select Access Control from the Workspace menu.
  2. Right-click General Settings and select Configure from the context menu.
  3. Change the value of the password_change_wclogin parameter to y.

On the same configuration page, you can also set two other parameters that affect passwords and passphrases.

  • You can change the delimiter used to separate the user ID from the password or passphrase to any valid character accepted by the operating system. By default, the delimiter is a comma:
    password_change_delimiter= ,
  • You can configure the server to accept mixed-case passwords and passphrases:
    mixed_case_password={n|y}

    where no (n) is the default value.

Once the option to change passwords on the Web Console Logon page is enabled, users can change their passwords or passphrases by entering the following in the password field of the Web Console Logon page (if the password delimiter has been changed, use that character between the old and new passwords instead of the comma):

old_password,new_password

When password_change_wclogin = y, passwords and passphrases cannot contain the password delimiter character.

When password_change_wclogin = n (the default), the setting for password_change_delimiter is ignored, and passwords can contain all valid characters allowed by the operating system.


Top of page

x
Configuring PTH Authentication

In this section:

How to:

PTH security mode only controls access to the Web Console. In this security mode, there is no impersonation by data agents or authentication of a non-Web Console connected user. From the operating system point of view, all server processes run as a single user ID, and access to the Web Console is controlled by authenticating names against those defined in the admin.cfg file unless authenticate_all_pthuser is set to y. The setting is available on the PTH Security Configuration page, which can be accessed by right-clicking PTH in the Security Providers folder on the Access Control navigation pane.

You must configure the Server Administrator password before starting a server in this security mode, either by providing it at installation time or by configuring it in the Web Console. For details, see Registering Users and Groups in a Role.

PTH security mode supports profiles for users and groups on all platforms.

Note: For more information on limiting user access to the Web Console, see Configuring General Server and Web Console Actions.



x
Procedure: How to Configure a PTH Security Provider
  1. Open the Access Control page on the Workspace menu.
  2. Right-click the Security Providers folder, and select Change.

    The Change Effective Security Provider(s) page opens.

  3. Select PTH from the list of providers in the last Security Provider drop-down box.
  4. Click Apply and Restart Server.

    The Select an Option dialog box is displayed, as shown in the following image.

    Once the server has restarted, the PTH security provider has icons for adding and viewing its users and groups.

  5. If the security mode was switched from OPSYS to PTH, set the EDAEXTSEC variable as described in Platform-Specific Methods for Setting EDAEXTSEC.

    Note: For more information about changing security modes, see Considerations for Changing the List of Security Providers From the Web Console.

  6. If the server is not running, start it using the instructions for your platform.

    The server will start in PTH security mode.

  7. Examine the edaprint.log file. If it indicates errors, stop the server, then start it with security OFF to correct the errors.
  8. Restart your browser and connect to the Web Console. When prompted, enter a valid PTH user ID and password.

If you wish to add other PTH users, first connect as a PTH user defined as server administrator. Then follow the instructions in How to Create and Register Users With PTH Security.

Note: A common problem when switching from OPSYS to PTH is the existence of files in EDATEMP that cannot be removed due to insufficient privileges. To handle this problem, use edastart -cleardir (or member ICLRDIR on the z/OS platform) in EDAEXTSEC=OPSYS mode to clear the directory before switching.



x
Configuring Expiring Passwords for a PTH Security Provider

When the Server Administrator creates or updates a user under a PTH security provider, by default the password never expires.

The Server Administrator can configure a new or existing user password to expire after a specified number of days.



x
Procedure: How to Configure Expiring Passwords for a PTH Security Provider

To assign an expiring password:

  1. From the Workspace menu, select Access Control. Then:
    • For a new user, add the user by right-clicking PTH Users and selecting Add.
    • For an existing user, open the Properties page by:
      1. Right-clicking PTH Users and selecting Show All.
      2. Right-clicking the user and selecting Properties.

        By default, the Password never expires box is checked.

  2. Uncheck the Password never expires box.

    The current date is saved in admin.cfg as admin_passdate for this user. This is the last password change date.

  3. Click:
    • Save, if you are adding a new user.
    • Update, if you are updating an existing user.

    The Properties page for the user will show the number of days until password expiration.

  4. Configure the number of days before passwords expire:
    1. Right-click the PTH Security Provider and select Properties.
    2. Set pthpass_lifetime to the number of days after which the password should expire.

    3. Click Save.

    When the password expires, the user gets a password expired message on the logon screen and is provided with a New Password field in order to enter a new password.

    At this time, the new password and new password change date are recorded in admin.cfg.

    Note that changing the password by selecting Change Password from the My Console menu also resets the password change date.

  5. Optionally, configure a warning message to begin displaying a specified number of days before the password expires.

Top of page

x
Configuring DBMS Authentication

In this section:

How to:

Reference:

In this security mode, there is no impersonation by data agents, but connection credentials are authenticated against a configured DBMS. This technique is called password passthru, as user IDs and passwords supplied by the client are passed to the DBMS for authentication.

DBMS security mode supports profiles for users on all platforms. Profiles for groups are not supported.

Note: For more information on limiting user access to the Web Console, see Configuring General Server and Web Console Actions.



x
Procedure: How to Configure DBMS Authentication

This procedure assumes that the server is already running.

  1. Access the Web Console with a server administrator user ID.
  2. From the Adapter pane, configure a DBMS adapter and connection.
  3. Select the Password Passthru security option on the Adapter configuration pane.

    Note that the Test button, which appears next to the Configure button, will not work until your restart the server with Security DBMS in step 5. Do not restart the server at this point.

  4. From the Workspace menu, select Access Control. The Access Control page opens.

    The server security mode is displayed on the Access Control page.

  5. To add the DBMS provider, expand the Security Provider folder, right click DBMS, and choose New.
  6. Enter a name for the DBMS provider.
  7. Select a security_dbms from the drop-down list.

    This option identifies the database engine used to authenticate incoming requests.

  8. Select a security_connection from the drop-down list. This list shows all DBMS connections that are configured with Password Passthru.

    This option identifies the database connection used to authenticate incoming requests.

  9. At this point, it is a good idea to click the Test button to make sure the DBMS connection is working. You will be prompted for a password for the selected user ID. Click Continue. The DBMS will authenticate this ID. If it is a valid DBMS ID, a message will be returned indicating that authentication was successful. If the ID is not a valid DBMS ID, the DBMS will return messages indicating that authentication was not successful.
  10. Right-click the Security Providers folder in the navigation pane, and select Change Effective Security Provider(s).

    The Change Effective Security Provider(s) page opens.

  11. Select DBMS from the Security Mode drop-down menu.
  12. Supply the Server Administrator user ID. Alternatively, you can enter a new user ID that will be added to the admin.cfg file as a Server Administrator.

  13. If the server was started with security mode OPSYS, click the Apply and Stop Server button. Otherwise, click the Apply and Restart button.
    • If you click Apply and Stop Server, the server stops. Start it manually in DBMS security mode.
    • If you click Apply and Restart button, the server restarts in security mode DBMS, but the next time the server is restarted (other than from the security mode pane), the security mode reverts to whatever it was at the start of this procedure. This is called a dynamic restart. A message to this affect is displayed on the screen.

      To preserve the security mode DBMS, set the EDAEXTSEC variable.

    Note: For more information about changing security modes, see Considerations for Changing the List of Security Providers From the Web Console.

  14. Set the EDAEXTSEC variable as described in Platform-Specific Methods for Setting EDAEXTSEC.
  15. If the server is not running, start it using the instructions for your platform.

    The server will start in DBMS security mode.

  16. Examine the edaprint.log file. If it indicates that there were any errors, stop the server and then start it with security OFF to correct the errors.
  17. Restart your browser and connect to the Web Console. When prompted, enter a valid DBMS user ID and password.

If you wish to add other DBMS users, first connect as a DBMS user defined as server administrator. Then follow the instructions in Registering Users and Groups in a Role.

Note: A common problem when switching from OPSYS to a DBMS provider is the existence of files in EDATEMP that cannot be removed due to insufficient privileges. To handle this problem, use edastart -cleardir (or member ICLRDIR on the z/OS platform) in EDAEXTSEC=OPSYS mode to clear the directory before switching.



x
Reference: Usage Notes for DBMS Security


x
Reference: Password Passthru and Security DBMS

Security DBMS (using password passthru) is supported for the following engines:



x
Logon Ticket Authentication for Logging Onto the SAP Portal

Single sign-on (SSO) enables users to login to the SAP portal with their credentials and then access WebFOCUS components, such as the Reporting Server with the SAP R/3 and SAP BW adapters, the Web Console, and the WebFOCUS client (Managed Reporting) without a secondary logon. This is achieved in the following manner:



x
Procedure: How to Ensure Compliance With SSO Prerequisites for SAP BW and SAP R/3

Complete the following steps to ensure that prerequisites have been met:

  1. Export the public key certificate from the SAP portal into $EDACONF/etc.
  2. Set Server security to DBMS.
  3. Configure the SAP/BW or SAP R/3-ECC connection for Password-Passthru.
  4. Ensure that Security DBMS with Password-passthru to SAP/BW or SAP R/3-ECC is working.
  5. Ensure that SAP RFCSDK 6.40, SAP SSOEXT, and SAP SECULIB 5.4 are in the path. (Check your Operating System or consult a system administrator for details.)

Once prerequisites have been satisfied, complete the SSO verification procedure.



x
Procedure: How to Complete SSO Verification
  1. From the SAP portal (http://sapportal.mydomain.com:50000), execute a command that requires authentication (using a logon screen from the Portal).

    This generates an SSO cookie.

  2. Overwrite the SAP portal url with the one for the WebFOCUS Reporting Server, using the same domain (for example, http://iwayserv.mydomain.com:8101).

    At this point, no logon screen should pop up since the user is logged in and SSO login has been successfully verified.


Top of page

x
Configuring LDAP Authentication

How to:

Reference:

In LDAP (Lightweight Directory Access Protocol) security mode, there is no impersonation by data agents, but connection credentials are authenticated against the established directory services. From the operating system point of view, all server processes run as a single user ID.

LDAP security mode is presently supported on Windows, UNIX, IBM i, and the Unified Server (HFS and PDS deployments).

LDAP security mode supports profiles for LDAP users and LDAP groups.

Note: For more information on limiting user access to the Web Console, see Configuring General Server and Web Console Actions.



x
Procedure: How to Configure an LDAP Security Provider
  1. Logon to the server with Server Administrator credentials.
  2. Open the Access Control page on the Workspace menu.
  3. If this is the first LDAP security provider being configured:
    1. Right-click the LDAP folder under Security Providers, and select Properties from the context menu.
    2. Select the LDAP vendor from the drop-down list.

      If you choose OpenLDAP on LINUX, you will see two additional fields, ldap_libldap and ldap_liblber. These parameters specify the names of the OpenLDAP libraries that the server module loads at run time. The path to the libraries should be available to the server at run time. You are prompted to specify the library name at run time. If you do not supply a different name a default library name is used.

  4. Under the Security Providers folder, right-click LDAP and select New.

    The LDAP Security Provide page opens.

  5. Enter or select values for the following properties.

    Note: If the properties for a specific category are not visible, click the down arrow on the separator bar for that category to display them.

    Connection Properties

    LDAP_PROVIDER

    Specifies a name for this provider.

    ldap_host

    Is a host identifier consisting of a host name or an IPv4 dotted string representing the IP address of a host running the LDAP server to connect to.

    Alternatively, it may contain a list of space-delimited host identifiers. Each host identifier may include a trailing colon and port number. In the case where more than one host identifier is specified, each host identifier in turn will be contacted until a connection can be established. For example:

    directory.example.com 
    192.0.2.0 
    directory.example.com:1050 people.catalog.com 192.0.2.0
    ldap_port

    Is a positive integer that defines the TCP port number used to connect to the LDAP server. Note that ldap_port is ignored for any host identifier which includes a colon and port number. The server default port is 389 or 636 (for SSL connection).

    ldap_secure_connection

    Specifies whether the server uses a Secure Socket Layer (SSL) session with the LDAP server. Select No or Yes. The server default is No.

    LDAP (Lightweight Directory Access Protocol) security mode supports Secure Sockets Layer (SSL) API calls to establish an SSL/TLS connection. Using server authentication only, the Reporting Server initiates API calls to verify that the LDAP server being connected to is the same server that provided certification.

    You can set the LDAP secure connection from the Web Console:

    • Select No, the default value, if you do not wish to enable SSL.
    • Select Yes to enable an encrypted Secure Sockets Layer (SSL) session with the LDAP server.

    If you have selected IBM, Sun, or Novell as the your ldap_lib_vendor, when you select Yes in the ldap_secure_conection field, additional options are added to the Connection tab:

    • For Sun and IBM, ldap_ssl_certificate is added.
    • For Novell, ldap_ssl_certificate and ldap_ssl_certification_encoding are added.

    ldap_ssl_certificate. Enter the name of the LDAP attribute used by the API to establish the SSL/TLS connection. The server employs server authentication only, checking through API calls that the LDAP server you are connecting to is the one that provided the certificate. Values depend on the LDAP vendor, as follows:

    • Novell API specifies the file name, including path, of the Trusted Root Certificate that the LDAP server provided for authentication.
    • Sun/Netscape API specifies the path to cert7.db, Netscape certificate database, excluding the file name, that the LDAP server provided for authentication.
    • IBM API specifies the file name, including the path, for ldapkey.kdb (IBM key database file that the LDAP server provided for authentication). The ldapkey.sth password stash file should be in the same directory. Note that in addition to IBM LDAP client libraries, Global Security Kit libraries are needed to make SSL work. On Windows machines, GSK must be installed.
    • Microsoft API ignores the ldap_ssl_certificate configuration parameter since it is not used in an Active Directory. The server certificate should be installed in a certificate store.

    ldap_ssl_certificate_encoding. For Novell, select the standard used to encode the certificate from the drop-down list. Encryption and file format depend on API vendor specifications. The options are B64 and DER.

    ldap_ad_only

    When you choose Microsoft in the ldap_lib_vendor field, the ldap_ad_only field is added to the pane.

    It specifies whether authentication is performed against Active Directory utilizing a Windows specific API. Select the No or Yes radio button. The server default is No. When ldap_ad_only is set to Yes, ldap_user_attribute should have the value sAMAccountName or userPrincipalName.

    This enables you to connect to the Active Directory (ad) using the Windows-specific API, without having to code ldap_principal and ldap_credentials. (In fact, these two fields are removed from the LDAP settings pane.)

    ldap_principal

    Specifies the DN of a service account with sufficient access rights to locate user entries in the directory. Consists of attribute=value pairs, separated by commas. This parameter is required when the LDAP provider is configured with a security setting that requires credentials in order to initiate a search for a user, group, or related information.

    ldap_credentials

    Contains the password of the service account defined in ldap_principal.

    ldap_search_timeout

    Specifies the timeout in seconds for ldap_search. The server default value is 60 seconds.

    User properties

    ldap_user_base

    Specifies the DN of the entry that serves as the starting point for the search. Consists of attribute=value pairs, separated by commas.

    ldap_user_scope

    Specifies the scope with which the LDAP realm should search for users. Select Subtree, Onelevel, or Base:

    Subtree scope indicates that the LDAP realm should search everything under the base DN.

    Onelevel scope tells the LDAP server to only search entries one level down from the base DN.

    Base indicates that the search should be done at the search base only.

    The server default is Subtree.

    ldap_user_class

    Specifies the object class used when searching for user entries. The server default is person.

    ldap_user_attribute

    Specifies the LDAP attribute used when searching for user entries. uid is the default value for LDAP and sAMAccountName is the suggested value for Active Directory. One possible reason to change the default value would be to allow users to logon with an e-mail address instead of a user ID. In this case, you might change the value to mail or userPrincipalName (if this corresponds with the name of the appropriate attribute in your directory).

    ldap_user_group_attribute

    Specifies the LDAP attribute used to identify a group in a user object.

    The Active Directory standard is Memberof.

    ldap_user_description

    Specifies the name of the attribute whose value contains description of an object (user, group). The server default is description.

    ldap_user_email

    Specifies the name of the attribute whose value contains the user e-mail address. The server default is mail.

    Group properties

    ldap_group_base

    Specifies the DN of the entry that serves as the starting point for the search. The server default is the ldap_user_base value.

    ldap_group_scope

    Specifies the scope with which the LDAP realm should search for groups. Select Subtree, Onelevel, or Base:

    Subtree scope indicates that the LDAP realm should search everything under the base DN.

    Onelevel scope tells the LDAP server to only search entries one level down from the base DN.

    Base indicates that the search should be done at the search base only.

    The server default is Subtree.

    ldap_group_class

    Specifies the object class used when searching for group entries. The server default is groupofuniquenames. The Active Directory standard is group.

    ldap_group_attribute

    Specifies the LDAP attribute used to identify the name of the group. The server default is cn.

    ldap_member_attribute

    Specifies the LDAP attribute used to identify users in a group. The server default is uniqueMember. The Active Directory standard is Member.

    ldap_nested_groups

    Disables or enables LDAP nested groups support. Select No or Yes. The server default is No, which disables nested group support.

    Note: ldap_user_class, ldap_user_attribute, ldap_group_class, ldap_group_attribute are parameters that form a search filter.

    The search filter standard syntax conforms to the following structure:

    (&(Property_Name=Property_Value)(Property_Name=Property_Value))

    If you change value of the ldap_user_class and ldap_group_class parameters to an asterisk (*), the search filter syntax can be reduced to the following simplified form (although group support will not work properly):

    (Property_Name=Property_Value)

    By specifying an asterisk for these parameters, you achieve simplified search filter syntax, but in effect, disable group support.

  6. To test the connection, click Test.

    A Test LDAP Connection logon window opens.

    1. Enter a valid user ID and password for this LDAP security provider.
    2. Click Continue.

    If your configuration and credentials are valid, a window opens telling you that you were successfully authenticated.

    If they are not valid, you will get a corresponding message.

  7. To save this configuration, click Save.

    The Change Effective Security Provider(s) page opens.

    1. Select a Security Provider name from the drop-down list.

      Note: Each time you select an LDAP Security Provider, another Security Provider drop-down box is generated.

    2. Enter or select the user ID of the Server Administrator. The user must be a valid server administrator in the LDAP database.
    3. If the server was not started in LDAP security mode, the button at the bottom of the page says Apply and Stop Server. Click the button and manually start the server in LDAP security mode.

      If the server is already running in LDAP security mode, the button at the bottom of the page says Apply and Restart Server. Click the button and wait for the server to restart.

  8. If the server was started with security mode OPSYS, click the Apply and Stop button. Otherwise, click the Apply and Restart button.
    • If you click Apply and Stop, the server stops; proceed with Step 9.
    • If you click Apply and Restart button, the server restarts in LDAP security mode, but the next time the server is restarted (other than from the security mode pane), the security mode reverts to whatever it was at the start of this procedure. This is called a dynamic restart. A message to this affect is displayed on the screen.

      To preserve the LDAP security mode, proceed with Step 9.

    Note: For more information about changing security modes, see Considerations for Changing the List of Security Providers From the Web Console.

  9. Set the EDAEXTSEC variable according to the instructions in Platform-Specific Methods for Setting EDAEXTSEC.
  10. If the server is not running, start it using the instructions for your platform.

    The server will start in LDAP security mode.

  11. Examine the edaprint.log file. If it indicates errors, stop the server, then start it with security OFF to correct the errors.
  12. Restart your browser and connect to the Web Console. When prompted, enter a valid LDAP user ID and password.
  13. When you start the server in LDAP security mode, you can select an LDAP Provider from the Security Provider drop-down list. By default, the primary (first) LDAP security provider is selected.

Note: A common problem when switching from OPSYS to LDAP is the existence of files in EDATEMP that cannot be removed due to insufficient privileges. To handle this problem, use edastart -cleardir (or member ICLRDIR on the z/OS platform) in EDAEXTSEC=OPSYS mode to clear the directory before switching.



x
Procedure: How to Remove an LDAP Security Provider From the Web Console
  1. Logon to the server with Server Administrator credentials.
  2. From the Workspace menu, select Access Control.

    The Access Control page opens.

  3. Right-click the security provider that you want to remove in the Security Providers folder and select Remove from the context menu.

    A dialog box opens asking you to confirm that you want to remove the provider.

  4. Click OK.


x
Reference: LDAP Vendor Library Prerequisites

Important: Although the Server supports a number of vendor libraries for each platform, as described in the following chart, Information Builders recommends that, whenever possible, you use the native libraries for your Operating System.

System Requirements. LDAP Security mode requires the appropriate LDAP vendor library files to be available to the server at run time:

  1. If the LDAP vendor library files are not currently available on the server platform, download them from the appropriate vendor Web site, unzip them if necessary, and transfer them to the server platform.
  2. Edit the library path or (on Windows) the system path to include the location of the library files.

Windows: The LDAP vendor library files for Windows systems are:

Sun

IBM

Novell

Microsoft

libnspr4.dll
libplc4.dll
libplds4.dll
nsldap32v50.dll
nsldappr32v50.dll
nsldapssl32v50.dll
nss3.dll
sasl32.dll
ssl3.dll

(64 bit NA)

libidsldap.dll
libibmldapdbg.dll

ldapsdk.dll
ldapssl.dll

(64 bit NA)

wldap32.dll
advapi32.dll

IBM z/OS and IBM i: The LDAP vendor library files for IBM z/OS and IBM i systems are:

z/OS

statically linked

IBM i

statically linked

UNIX: The LDAP vendor library files for UNIX systems are:

OS

Vendor

Sun (Sun ONE Directory Server Resource Kit 5.2.1, except as noted)

IBM

Novell

OpenLDAP

AIX

libldap50.so
libnspr4.so
libnss3.so
libplc4.so
libplds4.so
libprldap50.so
libsasl.so
libssl3.so
libssldap50.so

(64 bit NA)

statically linked

libldapsdk.so

(64 bit NA)

N/A

HP

libldap50.sl
libnspr4.sl
libnss3.sl
libplc4.sl
libplds4.sl
libprldap50.sl
libsasl.sl
libssl3.sl
libssldap50.sl

(see notes following chart)

statically linked

(64 bit NA)

libldapsdk.sl
libldapssl.sl

(64 bit NA)

N/A

Linux

libldap50.so
libnspr4.so
libnss3.so
libplc4.so
libplds4.so
libprldap50.so
libsasl.so
libssl3.so
libssldap50.so

(64 bit NA)

libibmldap.so
libldapiconv.so

(64 bit NA)

libldapsdk.so
libldapssl.so

(64 bit NA)

libldap_r.so
liblber.so

SunOS 5.8

libldap50.so
libnspr4.so
libnss3.so
libplc4.so
libplds4.so
libprldap50.so
libsasl.so
libssl3.so
libssldap50.so

libibmldap.so

libldapsdk.so
libldapssl.so

(64 bit NA)

N/A

SunOS 5.9 and 5.10

libldap.so

(Native SunOS library)

libibmldap.so

libldapsdk.so
lilbldapssl.so

(64 bit NA)

N/A

Note:



Example: Making Sun LDAP Library Files Available

To make Sun LDAP library files available to the server at run time:

  1. Access the product download Web site for Sun ONE Directory Server Resource Kit 5.2.1:

    http://www.sun.com/download/products.xml?id=3f74a0db

    (Note that this URL is correct as of the date these Release Notes were published. Third-party URLs are subject to change.)

  2. Click the Download link at the bottom right of the Web page. (Do not click the Downloads menu option at the top of the page.)

    The login page opens. You will be prompted for a registered user login or to register.

  3. Enter either your Sun username and password. If you do not have an account, click Register Now and follow the prompts to create an account and then log in. This is free.
  4. Accept the license agreement.
  5. Download the appropriate platform package. Select the optimized package, not the debug version.
  6. Once downloaded, unzip the file, and then unzip the second zip file contained within the first.
  7. Navigate to the directory in which you unzipped the downloaded file, and then cd to the lib subdirectory.
  8. FTP the files you need (as indicated in LDAP Vendor Library Prerequisites), in binary format, to their own directory on the server platform.
  9. Edit the library path to include the location of the library files you just FTPed.

Top of page

x
Authenticating Users Across Multiple Security Providers

How to:

Reference:

The Reporting Server can search across multiple LDAP sources, DBMS providers, and a PTH server when authenticating users.

The first security provider on the list of providers is considered the primary provider. When authenticating or assigning privileges for a provider that is not the primary provider, the user ID is a two-part name consisting of the provider name and the user ID:

provider\userid 

The authentication is done based on the primary provider for a one-part name and based on the provider specified for a two-part name.

The Server Administrator can add and remove security providers from the list at any time.

For instructions on configuring PTH and LDAP security providers, see Configuring PTH Authentication or Configuring LDAP Authentication.



x
Procedure: How to Change the Security Provider List

If you want to change the list of security providers:

  1. Logon to the server with Server Administrator credentials.
  2. Right-click the Security Providers folder and select Change Effective Security Provider(s) from the context menu.

    The Change Effective Security Provider(s) page opens.

  3. You can select providers from the drop-down lists in the order you need.

Note: When registering and assigning privileges for a user or group for a provider that is not the primary provider, the server uses a two-part name consisting of the provider name and the user or group name (for example, ldap2/user1 or ldap2/group3). If you change the primary provider on the list, the names may not be in the correct format for the provider that was originally primary and the provider that is now primary. Therefore, you may have to re-register the users and groups for those providers.



x
Reference: Considerations for Changing the List of Security Providers From the Web Console

You can configure multiple security providers and change security modes using the Web Console. When changing security providers, it is important to make sure that there is a valid Server Administrator user ID for that provider.

Switching between security modes is done either by restarting from the Web Console or by stopping the server and setting the EDAEXTSEC environment variable before restarting manually.

Note: If the server is stopped later, and you want the server to run in the new security mode, you must set the EDAEXTSEC environment variable to the appropriate value.

In the following chart:

Current Security Mode

Target Security Mode

OPSYS

PTH

DBMS

LDAP

OFF

OPSYS

N/A

No

No

No

No

PTH

No

N/A

Yes

Yes

Yes

DBMS

No

Yes

N/A

Yes

Yes

LDAP

No

Yes

Yes

N/A

Yes

OFF

No

Yes

Yes

Yes

N/A



x
Platform-Specific Methods for Setting EDAEXTSEC

Platform

Start Method

Actions

Windows

Start Menu

Under the main software folder for the server, select Start with Alternate Security Modes, Start Security, then choose a security_mode. The options are OPSYS, PTH, DBMS, LDAP, or OFF.

As a Service under a local system account

Set the system environment variable EDAEXTSEC, under My Computer, Properties, Advanced tab, to one of the following values: OPSYS, PTH, DBMS, LDAP, or OFF.

Restart Windows to initialize.

As a Service under the current account

Set the system environment variable EDAEXTSEC, under My Computer, Properties, Advanced tab, to one of the following values: OPSYS, PTH, DBMS, LDAP, or OFF.

Restart Windows to initialize.

UNIX

Command prompt or Script that calls edastart

Export the variable setting in the edastart shell script, or before any calls to the shell script, as follows

export EDAEXTSEC=security_mode

where:

security_mode

Is one of the following: OPSYS, PTH, DBMS, LDAP, or OFF.

z/OS Unified Server

JCL

Place the variable in the EDAENV allocation of the IRUNJCL member of the configuration library

EDAEXTSEC=security_mode

where:

security_mode

Is one of the following: OPSYS, PTH, DBMS, LDAP, or OFF.

IBM i

QSH command prompt or QSH script that calls edastart

Export the variable in the edastart shell script, or before any calls to the shell script, as follows

export EDAEXTSEC=security_mode

where:

security_mode

Is one of the following: OPSYS, PTH, DBMS, LDAP, or OFF.

CALL {lib}/TSCOM300 or CL that calls TSCOM300 or CL that calls QSH, which, in turn, calls the edastart shell script

Before the call to TSCOM300, add the following

ADDENVVAR ENVVAR(EDAEXTSEC) 
VALUE(security_mode)

where:

security_mode

Is one of the following: OPSYS, PTH, DBMS, LDAP, or OFF.

OpenVMS

Command prompt or DCL script that calls edastart

Before calling edastart.com or in edastart.com, add the following

DEFINE EDAEXTSEC security_mode

where:

security_mode

Is one of the following: OPSYS, PTH, DBMS, LDAP, or OFF.

You can also define the logical EDAEXTSEC in the EDAENV.COM file.

Any

Any

Use the Web Console (Workspace, Configuration/Monitor, Configuration Files folder, Miscellaneous folder) to edit the edaenv.cfg file and add the following:

EDAEXTSEC=security_mode

where:

security_mode

Is one of the following: OPSYS, PTH, DBMS, LDAP, or OFF.

Note: After a change, a hard restart of the server must be done.



x
Enabling Trusted Connections

How to:

You can configure the server to accept trusted connections.



x
Procedure: How to Enable Trusted Connections
  1. From the Web Console menu bar, choose Workspace, then Access Control.
  2. Right-click General Settings in the navigation pane, and select Configure.

    The Access Control - General Settings page opens.

  3. Select y from the trust_ext drop-down menu. For OPSYS, the default is y. For all other security modes, the default is n.

    Note: For LDAP security mode, authentication must be configured with ldap_principal and ldap_credentials for trusted connections to work.

  4. For non-Windows server, enter y in the trust_nt field. This specifies that Windows clients can be trusted. Since Windows requires a password to impersonate a user, this cannot be used on Windows Servers. On MVS, this keyword can be set in the service section of the server configuration file. The default is n.
  5. Click the Apply and Restart button.

Top of page

x
Setting an Anonymous User ID

How to:

An authorized server administration can set an anonymous user ID that can access the Web Console when the user ID/password fields on the Web Console login screen are blank and the user clicks Log in.

This anonymous user ID provides the ID and, in turn, the user rights for the Web Console and the server. Further configuration for the anonymous user can be achieved by creating a user profile for the anonymous user ID. If an anonymous ID matches a user in the admin.cfg list, the applicable role and privileges are applied.

Note: On Windows, for security mode OPSYS only, you must turn IWA security off to use this feature. From the Workspace menu, select Configuration/Monitor, then click Special Services and Listeners, HTTP, Properties in the navigation pane, and click the Security IWA check box to deselect it.



x
Procedure: How to Set an Anonymous User ID
  1. Log on to the Web Console using a user ID that has server administration rights.
  2. From the Workspace menu, select Access Control.
  3. Right-click General Settings in the navigation pane, and select Configure.

    The Access Control - General Settings pane opens.

  4. Enter a user ID in the anonymous_id field.
  5. Enter a password in the anonymous_pass field and repeat it in the Confirm Password field.
  6. Click Apply and Restart.

Top of page

x
Configuring User Password Settings

In this section:

You can configure the following password settings for any security provider:



x
Viewing or Changing the Password Separator Character

When an application has the option to change a user password, the old and new passwords are sent to the server using a separator character (by default, a comma). For example:

old_password,new_password

The separator character is defined by the password_change_delimiter field. The separator needs to be reset if the current separator character is contained in the password itself or if it is allowed by the server.

This feature is not supported when Security Mode is OFF.



x
Procedure: How to View or Change the Password Separator Character
  1. From the Workspace menu, select Access Control.
  2. Right-click General Settings in the navigation pane, and select Configure.

    The Access Control - General Settings page opens.

  3. In the password_change_delimiter field, enter a single character to use as the delimiter between an old and new password. (The default character is a comma.)

    Note that you cannot use the designated password_change_delimiter character in a password.

  4. Click Apply and Restart.


x
Enabling Password Changes From the Web Console Login Page

You can allow users to change their password from the Web Console login page.



x
Procedure: How to Enable Password Changes From the Web Console Login Page
  1. From the Web Console menu bar, choose Workspace, then Access Control.
  2. Right-click General Settings in the navigation pane, and select Configure.

    The Access Control - General Settings page opens.

  3. Enter y in the password_change_wclogin field. The default is n.
  4. Click the Apply and Restart button.


x
Login Password Expiration Warning

On Operating Systems that support password expiration, you can specify that a warning message be displayed a specified number of days prior to the expiration date. The message will appear after the initial login screen. You must then click the Continue button to open the Web Console. Users can employ standard tools to change their passwords before expiration occurs.

Note: The password expiration warning is supported only on Operating Systems where IDs are configured to expire and this extended security feature is active for the user ID. However, expiration warning is not currently supported on the Windows platforms.



x
Procedure: How to Initiate Notification of an Imminent Password Expiration
  1. From the Workspace menu, select Configuration/Monitor.
  2. In the navigation pane, expand the Special Services and Listeners folder, then click HTTP and select Properties from the pop-up menu. The Listener Configuration pane opens.
  3. In the PASS_EXPIRE_NOTIFICATION field, enter the number of days prior to expiration that you want the warning to begin to appear when a user whose password is about to expire logs in.
  4. Click the Save and Restart button.

Top of page

x
Saving Authentication Credentials for the Next Web Console Login

The Web Console login screen has a check box for saving the current User ID and password so that the user does not have to enter them in subsequent logins.

To save your credentials, check the Remember me on this computer box and click Log in.

The credentials are stored in a browser cookie and are used for subsequent logins to the Web Console as long as the cookie is not deleted from the client computer.


iWay Software