Copyright 2007, Information Builders. Slide 1
WebFOCUS Authentication
Mark Nesson, Vashti Ragoonath
Information Builders Summit 2008 User Conference, June 2008
WebFOCUS Authentication: Agenda
We are going to learn more about WebFOCUS Authentication:
- General Overview: What is Authentication?
- Where are the WebFOCUS authentication checkpoints?
  - Web Tier
  - Reporting Server
- What are the Authentication options?
- Configuring Authentication options at security checkpoints
- What are some of the considerations in architecting a secured WebFOCUS environment?
- A look at some common customer scenarios
- Conclusion
WebFOCUS Authentication: General Overview - What is Authentication?
Authentication
- The process of confirming a user's identity and whether that user is allowed to access the service or application
- Involves an identity retrieval process
  - Via a prompt (browser prompt, HTML form, etc.)
  - Or via a secured token (NTLM, Kerberos token, cookie, etc.)
- Involves identity validation
  - User ID and password validation
  - Token validation (NTLM processing, SPNEGO, etc.)
  - Cookie validation (SiteMinder Single Sign-On/SSO cookie, Managed Reporting cookie, etc.)
WebFOCUS Authentication: Authentication Checkpoints
Diagram of the checkpoints across the tiers (component names only):
- Developer Studio
- Reporting Server: Server Console
- Web tier: Server Console (pass-thru servlet), WF Admin Console, Dashboard/Managed Reporting, Self-Service, ReportCaster
WebFOCUS Authentication: Security Options
- Internal Authentication: credentials are validated against, and stored in, a proprietary internal repository.
- External Authentication: Active Directory, LDAP, RDBMS, Reporting Server, Custom (such as a custom API, Web Services, etc.)
- Trusted Authentication: credentials are not validated by WebFOCUS. The user ID is provided securely by an external service (Web Server, Operating System, etc.). The external service (e.g. SiteMinder) passes WebFOCUS either REMOTE_USER or an HTTP header carrying the authenticated user ID.
WebFOCUS Authentication: Security Options - Trusted Authentication
- The "authentication" process occurs at the Web Server level.
- Common Web Server authentication schemes:
  - Anonymous Authentication (no authentication)
  - Basic Web Authentication
  - Integrated Windows Authentication (IWA/NTLM)
  - Kerberos
  - 3rd-party Single Sign-On applications (examples: SiteMinder, Oblix, RSA ClearTrust)
- Common characteristics:
  - Use of an encrypted cookie to maintain Single Sign-On session management
  - Ability to pass an authentication header (REMOTE_USER) or custom headers/cookies
- Because WebFOCUS performs no credential check of its own in this mode, the asserted user ID is only as trustworthy as the path it arrived by: the web-tier components must not be reachable except through the web server that sets REMOTE_USER or the header.
WebFOCUS Authentication: Security Options - External
Why would we want "External" security?
- To provide better control
- To centralize identity management in a common system
- To provide better auditing/reporting capabilities
Why would we want "Trusted" security?
- To avoid repeated credential prompting
- Single Sign-On
WebFOCUS Authentication: Apply security options at WebFOCUS checkpoints
Security checkpoints:
- Web Tier: Managed Reporting/Dashboard, WebFOCUS Client Administration Console, ReportCaster, Self-Service Applications
- Reporting Server
WebFOCUS Authentication: Web Tier checkpoints
In the context of Internal, Trusted and External Authentication:
- Managed Reporting/Dashboard
  - Internal (user credentials verified against the proprietary repository)
  - External (user authenticated by LDAP, AD, WFRS, etc.)
  - Trusted (user authenticated by the Web Server)
- WebFOCUS Client Administration Console
  - None (console is unprotected)
  - External (Reporting Server)
  - Trusted (user authenticated by the Web Server)
- ReportCaster
  - Internal (user ID and password stored in the ReportCaster repository)
  - External (user authenticated by Managed Reporting)
  - Trusted (user authenticated by the Web Server)
- Self-Service Applications
  - Trusted (user authenticated by the Web Server)
  - External (Reporting Server)
WebFOCUS Authentication: Reporting Server Checkpoint
Authentication options on the Reporting Server:
- PTH: internal, file-based authentication for HTTP connections; TCP connections are not authenticated
- OPSYS: TCP/HTTP connections are authenticated by the operating system
- DBMS: TCP/HTTP connections are authenticated by the database server
- LDAP: TCP/HTTP connections are authenticated by an LDAP server or Active Directory
New Trust Extension setting, trust_ext=y:
- Supported on all server platforms, including Windows
- Does not support impersonation
- A server secured with LDAP requires that the user be found in the directory
- Not supported with server security DBMS
WebFOCUS Authentication: Configuring WebFOCUS security options
Let's go through the steps for configuring these security checkpoints. Then we will move on to applying the security options to some common customer scenarios.
Managed Reporting/Dashboard
- Log in to the WebFOCUS Client Administration Console
- From Configuration/MR Security Settings/General, set MR Authentication to Internal, External or Trusted
WebFOCUS Authentication: Configuring WebFOCUS security options
WebFOCUS Client Administration Console
- Log in to the WebFOCUS Client Administration Console
- From Configuration/Startup Parameters, modify IBIWFC_AUTHENTICATION
- Options include:
  - No authentication
  - Trusted: WEB (identity from REMOTE_USER) or WEBHDR (identity from an HTTP header)
  - Reporting Server: EDA or EDA:edanode
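The two trusted values above, WEB (REMOTE_USER) and WEBHDR (a named HTTP header such as SiteMinder's sm_user), share one property the slides state but do not spell out: WebFOCUS validates no credential in these modes, so whatever arrives in REMOTE_USER or the header is the user. The following is an added illustration written for this page, not WebFOCUS or Information Builders code. It models a web-tier identity resolver for both modes and the check such a deployment depends on: the asserted identity is honoured only when the request came from the web server / SSO front end, a request carrying two copies of the identity header is refused rather than guessed at, and an empty assertion is treated as anonymous. Every name in it (TrustedAuthConfig, resolve_identity, the 10.0.0.5 front-end address, the user IDs and the sample requests) is hypothetical and constructed for the example.

```python
"""Model of a web-tier 'trusted' identity check (added example, not WebFOCUS code).

WEB    -> identity is the REMOTE_USER variable set by the web server
WEBHDR -> identity is a named HTTP header (assumed here: sm_user)

In trusted mode nothing is validated, so the only defence is provenance:
accept the assertion solely from the front end that produced it.
"""
from dataclasses import dataclass
from typing import Optional, Sequence, Tuple

Header = Tuple[str, str]  # (name, value) pairs kept as a list so duplicates stay visible


class TrustedAuthError(Exception):
    """Raised when no trustworthy identity can be derived from the request."""


@dataclass(frozen=True)
class TrustedAuthConfig:
    mode: str                            # "WEB" or "WEBHDR", mirroring IBIWFC_AUTHENTICATION
    header: str = "sm_user"              # header consulted in WEBHDR mode (assumed name)
    front_ends: frozenset = frozenset()  # peer addresses of the web server / SSO agent
    require_front_end: bool = True       # False is the weak setting: header trusted from anyone


def resolve_identity(cfg: TrustedAuthConfig, peer: str,
                     remote_user: Optional[str], headers: Sequence[Header]) -> str:
    """Return the user ID asserted by the front end, or raise TrustedAuthError.

    peer        -- address the request arrived from (the web server, if deployed correctly)
    remote_user -- REMOTE_USER as handed over by the web server, or None
    headers     -- request headers as (name, value) pairs
    """
    # 1. Provenance: in trusted mode the identity is only as good as its source.
    if cfg.require_front_end and peer not in cfg.front_ends:
        raise TrustedAuthError(f"request from {peer} did not come through a front end")

    # 2. Read the identity carrier the configured mode names.
    if cfg.mode == "WEB":
        asserted = remote_user
    elif cfg.mode == "WEBHDR":
        values = [v for name, v in headers if name.lower() == cfg.header.lower()]
        if len(values) > 1:
            # The front end should strip client-supplied copies; if two arrive we
            # cannot tell which one it set, so fail closed instead of picking one.
            raise TrustedAuthError(f"multiple {cfg.header} headers present")
        asserted = values[0] if values else None
    else:
        raise TrustedAuthError(f"unsupported trusted mode {cfg.mode!r}")

    # 3. An empty assertion means the front end authenticated nobody.
    if asserted is None or not asserted.strip():
        raise TrustedAuthError("front end supplied no user id")
    return asserted.strip()


def demo() -> dict:
    """Run hardened and weak configurations against constructed requests."""
    front_end = "10.0.0.5"  # assumed address of the SSO-protected web server
    hardened = TrustedAuthConfig(mode="WEBHDR", header="sm_user",
                                 front_ends=frozenset({front_end}))
    weak = TrustedAuthConfig(mode="WEBHDR", header="sm_user", require_front_end=False)
    web_mode = TrustedAuthConfig(mode="WEB", front_ends=frozenset({front_end}))

    def attempt(cfg, peer, remote_user, headers):
        try:
            return resolve_identity(cfg, peer, remote_user, headers)
        except TrustedAuthError as exc:
            return f"rejected: {exc}"

    return {
        # normal SSO path: the agent authenticated jdoe and set the header
        "sso_user": attempt(hardened, front_end, None, [("sm_user", "jdoe")]),
        # REMOTE_USER path (IBIWFC_AUTHENTICATION = WEB)
        "remote_user": attempt(web_mode, front_end, "jdoe", []),
        # direct request to the application tier with a client-forged header
        "direct_forged_hardened": attempt(hardened, "192.168.7.20", None, [("sm_user", "admin")]),
        "direct_forged_weak": attempt(weak, "192.168.7.20", None, [("sm_user", "admin")]),
        # a client-supplied copy slipped past the front end alongside the real one
        "duplicate_header": attempt(hardened, front_end, None,
                                    [("sm_user", "admin"), ("sm_user", "jdoe")]),
        # front end reachable but nobody authenticated
        "anonymous": attempt(hardened, front_end, None, []),
    }


if __name__ == "__main__":
    for case, result in demo().items():
        print(f"{case:24s} {result}")
```

The `direct_forged_weak` case is the one to watch for in a review: with the provenance check switched off, any client that can reach the application tier directly becomes whoever it names in the header. The application-side checks here are defence in depth; the primary controls belong at the front end (strip any incoming copy of the identity header before setting its own) and in the network (only the web server may reach the web-tier components). REMOTE_USER is set by the web server rather than by the client, but once it is relayed across a proxy hop it travels as a header too, which is why the WEB path gets the same provenance check.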
WebFOCUS Authentication: Configuring WebFOCUS security options
ReportCaster
- Open the ReportCaster Configuration file, General Tab/Security
- Authentication Plug-In set to:
  - "None" means "use ID/password from BOTUPROF"
  - "Trusted MR Sign-on" means connect with the owner ID only
- Caster Remote Authenticated is an optional SSO setting:
  - No means sign on with ID/password
  - Yes means use the ID in REMOTE_USER
  - HTTP Header allows you to specify the header used for SSO
WebFOCUS Authentication: Configuring WebFOCUS security options
Reporting Server
- Web Console/Workspace/Access Control, Security Mode drop-down list: OPSYS, OFF, PTH, DBMS, LDAP
Now let's see how we can put these options together to architect secured WebFOCUS environments.
WebFOCUS Authentication: Configuring WebFOCUS security options
Reporting Server: when do we use the different Reporting Server options?
- ON (OPSYS)/LDAP/DBMS
  - Preferred, because of the added security level of requiring an authentication before a connection to the service is accepted
  - LDAP and DBMS offer more flexibility in terms of the authentication providers
- PTH/OFF/Explicit Connection ID
  - Useful when the connection can be "trusted" into the Reporting Server tier because an "authentication" has already occurred up front at the web or application tier (such as MR SIGNON)
  - The console is still protected under PTH mode
  - The password is not available beyond the Web Tier
  - The customer does not want to maintain OS-level accounts for every user
  - Since TCP connections are not authenticated in these modes, anyone who can reach the server's TCP listener can connect under any ID; network access to that port has to be limited to the web/application tier
WebFOCUS Authentication: Reporting Server Impersonation, Scenario 1
- Enables fine-grained access control and auditing at the file system and relational database
- Requires Reporting Server Security = OPSYS
- Requires RC Authentication Plug-in = MR Trusted Sign-on
  - Tip: this is always a requirement whenever MR Authentication is External or Trusted
Recommendation A: Kerberos SSO (7.6.1)
- MR Authentication = Trusted / REMOTE_USER
- WF Console Authentication = WEB
- RC Caster Remote Authenticated = YES
- Server Connection Security = KERBEROS
WebFOCUS Authentication: Reporting Server Impersonation
Recommendation B: MR Sign-on Page
- MR Authentication = External / WFRS
- WF Console Authentication = EDA
- Server Connection Security = Default
Recommendation C: Basic Web Authentication (7.6.1)
- Web Server Security = Basic Web Authentication
- MR Authentication = Trusted / REMOTE_USER
- WF Console Authentication = WEB
- RC Caster Remote Authenticated = YES
- Server Connection Security = HTTP Basic
- Basic authentication carries the user's password (base64-encoded, not encrypted) on every request, so both the browser-to-web-server leg and the HTTP Basic leg to the Reporting Server need TLS
If an SSO vendor solution is preferred for the Web tier, the Reporting Server will require a secondary ID/password prompt.
WebFOCUS Authentication: Authenticate to Sun One LDAP Server
Recommendation A: MR / WFRS
- MR Authentication = External / WFRS
- WF Console Authentication = EDA
- Server Security = LDAP
- Server Connection Security = Default
- ReportCaster Data Server Settings: Run Id=User
Drawback
- If LDAP passwords expire periodically, the user passwords stored in the ReportCaster repository become stale, potentially resulting in failed schedule execution
Workaround
- Set the trust_ext=y option on the Server (7.6.1)
- ReportCaster Data Server Settings: Run Id=User, Shared=Yes, Trusted=Passthrough
WebFOCUS Authentication: Authenticate to Sun One LDAP Server
Alternative B: MR / LDAP
- MR Authentication = LDAP
- Server Security = LDAP, trust_ext=y (7.6.1)
- WF Console Authentication = EDA
- Server Connection Security = Trusted: IBIMR_user (7.6.1)
- ReportCaster Data Server Settings: Run Id=User, Shared=Yes, Trusted=Passthrough
WebFOCUS Authentication: Netegrity SiteMinder SSO
Consider: SiteMinder authenticates to Active Directory.
- MR Authentication = Trusted, either trusted to an HTTP header (e.g., sm_user) or trusted to REMOTE_USER
- Server Connection Security = Trusted (trusted to the HTTP header)
- IBIWFC_authentication = WEB (REMOTE_USER) or WEBHDR (HTTP header)
- Caster Remote Authenticated = Yes (uses REMOTE_USER) or HTTP Header
- ReportCaster Settings with REMOTE_USER: Run Id=User, Trusted=Yes
- ReportCaster Settings with HTTP Header: Run Id=User, Trusted=Passthrough, Shared=Yes
WebFOCUS Authentication: Netegrity SiteMinder SSO
Alternative B: MR / LDAP
- MR Authentication = LDAP
- Server Security = LDAP, trust_ext=y (7.6.1)
- WF Console Authentication = EDA
- Server Connection Security = Trusted: IBIMR_user (7.6.1)
- ReportCaster Data Server Settings: Run Id=User, Shared=Yes, Trusted=Passthrough
WebFOCUS Authentication: Conclusion
We wish to extend our thanks to Jeff Rustandi and Jim Thorstad for their contributions to this presentation.