Mark Nesson, Vashti Ragoonath

Information Builders Summit 2008 User Conference

June 2008

WebFOCUS Authentication

WebFOCUS Authentication: Agenda
  • We are going to learn more about WebFOCUS Authentication:
      • General Overview – What is Authentication?
      • Where are the WebFOCUS authentication checkpoints?
        • Web Tier
        • Reporting Server
      • What are the Authentication options?
      • Configuring Authentication options at security checkpoints
      • What are some of the considerations in architecting a secured WebFOCUS environment?
      • A look at some common customer scenarios
  • Conclusion
WebFOCUS Authentication: General Overview – What is Authentication?
  • Authentication
    • Process of confirming a user’s identity and whether he/she is allowed to access the service or application
    • Involves identity retrieval process
      • Via Prompt (Browser Prompt, HTML Forms, etc)
      • Or via Secured Token (NTLM, Kerberos Token, Cookie, etc)
    • Involves identity validation
      • User Id and Password Validation
      • Token Validation (NTLM Processing, SPNEGO, etc)
      • Cookie Validation (SiteMinder Single Sign-On/SSO Cookie, Managed Reporting Cookie, etc)
WebFOCUS Authentication: Security Options
  • Internal Authentication
      • Credentials are validated and stored internally in a proprietary repository.
  • External Authentication
      • Active Directory
      • LDAP
      • RDBMS
      • Reporting Server
      • Custom (Such as custom API, Web Services, etc)
  • Trusted Authentication
      • Credentials are not validated
      • User ID is provided securely by external service (Web Server, Operating System, etc).
        • External service (e.g., SiteMinder) passes either REMOTE_USER or an HTTP header with the authenticated user ID to WebFOCUS.
WebFOCUS Authentication: Security Options – Trusted
  • Authentication
    • “Authentication” process occurs at the Web Server level.
  • Common Web Server Authentication Scheme
    • Anonymous Authentication (No authentication)
    • Basic Web Authentication
    • Integrated Windows Authentication (IWA/NTLM)
    • Kerberos
    • 3rd Party Single Sign-On Applications
      • Example: SiteMinder, Oblix, RSA ClearTrust
      • Common Characteristics
        • Use of Encrypted Cookie to maintain Single Sign-On session management
        • Ability to pass authentication header (REMOTE_USER) or custom headers/cookie.
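A generic illustration of what "trusted" means at the application tier, added here and not taken from the presentation or from WebFOCUS code: the user ID is accepted without a password, so the application must only accept it from the component that performed the authentication. The function name, the `TRUSTED_PROXIES` network and the sample requests are assumptions; `HTTP_SM_USER` is the WSGI form of the `sm_user` header the slides mention.

```python
import ipaddress

# Assumption: addresses of the web server / SSO agent allowed to assert identity.
TRUSTED_PROXIES = [ipaddress.ip_network("10.0.5.0/28")]  # constructed value
IDENTITY_HEADER = "HTTP_SM_USER"  # WSGI key for an sm_user request header


class UntrustedAssertion(Exception):
    """An identity claim arrived outside the trusted path, or was empty."""


def resolve_trusted_user(environ, mode="REMOTE_USER"):
    """Return the user ID asserted by the front end, or raise.

    REMOTE_USER: set by the web server itself after it authenticated the user.
    HEADER: carried in an HTTP header injected by the SSO agent.
    """
    if mode == "REMOTE_USER":
        # A client-sent "Remote-User" header shows up as HTTP_REMOTE_USER,
        # never as REMOTE_USER, so it is not consulted here.
        user = environ.get("REMOTE_USER", "")
    elif mode == "HEADER":
        # Any client can send a header; honour it only from the SSO tier.
        peer = ipaddress.ip_address(environ["REMOTE_ADDR"])
        if not any(peer in net for net in TRUSTED_PROXIES):
            raise UntrustedAssertion(f"identity header from untrusted peer {peer}")
        user = environ.get(IDENTITY_HEADER, "")
    else:
        raise ValueError(f"unknown trusted mode: {mode}")
    user = user.strip()
    if not user:
        raise UntrustedAssertion("no authenticated user ID supplied")
    return user


# Constructed sample requests (WSGI environ dictionaries).
VIA_SSO_AGENT = {"REMOTE_ADDR": "10.0.5.3", "HTTP_SM_USER": "jsmith"}
DIRECT_CLIENT = {"REMOTE_ADDR": "203.0.113.9", "HTTP_SM_USER": "admin"}

if __name__ == "__main__":
    print(resolve_trusted_user(VIA_SSO_AGENT, mode="HEADER"))
    try:
        resolve_trusted_user(DIRECT_CLIENT, mode="HEADER")
    except UntrustedAssertion as exc:
        print("rejected:", exc)
```
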
WebFOCUS Authentication: Security Options – External
  • Why would we want “External” Security?
    • To provide better control
    • To centralize identity management in a common system
    • To provide better auditing/reporting capabilities
  • Why would we want “Trusted” Security?
    • To avoid repeated credentials prompting
    • Single Sign-On
WebFOCUS Authentication: Apply security options at WebFOCUS checkpoints
  • Security Checkpoints
    • Web Tier
      • Managed Reporting/Dashboard
      • WebFOCUS Client Administration Console
      • ReportCaster
      • Self-Service Applications
    • Reporting Server
WebFOCUS Authentication: Web Tier checkpoints

In the context of Internal, Trusted and External Authentication:

  • Managed Reporting/Dashboard
    • Internal (User credentials verified against proprietary repository)
    • External (User authenticated by LDAP, AD, WFRS, etc.)
    • Trusted (User authenticated by Web Server)
  • WebFOCUS Client Administration Console
    • None (Console is unprotected)
    • External (Reporting Server)
    • Trusted (User authenticated by Web Server)
  • ReportCaster
    • Internal (User ID and password stored in ReportCaster repository)
    • External (User authenticated by Managed Reporting)
    • Trusted (User authenticated by Web Server)
  • Self-Service Applications
    • Trusted (User authenticated by Web Server)
    • External (Reporting Server)
WebFOCUS Authentication: Reporting Server Checkpoint

Authentication Options on the Reporting Server:

  • PTH: Internal, file-based authentication for HTTP connections
    • TCP connections are not authenticated
  • OPSYS: TCP/HTTP connections are authenticated by the operating system
  • DBMS: TCP/HTTP connections are authenticated by the database server
  • LDAP: TCP/HTTP connections are authenticated by the LDAP server or Active Directory

New Trust Extension Setting, trust_ext=y

  • Supported on all server platforms, including Windows
  • Does not support impersonation
  • Server secured with LDAP requires user be found
  • Not supported with Server security DBMS
WebFOCUS Authentication: Configuring WebFOCUS security options
  • Let’s go through the steps on how to configure these security checkpoints. Then we will move on to applying the security options to some common customer scenarios.
    • Managed Reporting/Dashboard
      • Login to WebFOCUS Client Administration Console
      • From Configuration/MR Security Settings
      • General
        • From here you can set MR Authentication to Internal, External or Trusted
WebFOCUS Authentication: Configuring WebFOCUS security options
  • WebFOCUS Client Administration Console
      • Login to WebFOCUS Client Administration Console
      • From Configuration/Startup Parameters
      • Modify IBIWFC_AUTHENTICATION
        • Options Include
          • No authentication
          • Trusted (Web/REMOTE_USER and WEBHDR/HTTP Header)
          • Reporting Server (EDA and EDA:edanode)
WebFOCUS Authentication: Configuring WebFOCUS security options
  • ReportCaster
    • Open ReportCaster Configuration File
      • General Tab/Security
        • Authentication Plug-In set to:
          • “None” means “use Id/Pwd from BOTUPROF”
          • “Trusted MR Sign-on” means connect with owner Id only
        • Caster Remote Authenticated is optional SSO setting
          • No means sign-on with Id/Pwd
          • Yes means use Id in REMOTE_USER
          • HTTP Header allows you to specify header for SSO
WebFOCUS Authentication: Configuring WebFOCUS security options
  • Reporting Server
    • Web Console/Workspace/Access Control
      • Security Mode drop-down list
        • OPSYS
        • OFF
        • PTH
        • DBMS
        • LDAP
  • Now let’s see how we can put these options together to architect WebFOCUS secured environments.
WebFOCUS Authentication: Configuring WebFOCUS security options
  • Reporting Server
  • When do we use the different Reporting Server options?
    • ON/LDAP/RDBMS
      • Preferred due to added security level by requiring an authentication prior to connection to the service
      • LDAP and RDBMS offer more flexibility in terms of the authentication providers
    • PTH/OFF/Explicit Connection ID
      • Useful when connection can be “trusted” into the Reporting Server tier due to an “authentication” occurring up-front at the web or application tier (such as MR SIGNON)
      • Console is still protected under PTH mode
      • Password is not available beyond the Web Tier
      • Customer does not want to maintain OS level accounts for every user
WebFOCUS Authentication: Reporting Server Impersonation
  • Scenario 1
  • Enables fine-grained access control and auditing at the file system and relational database
  • Requires Reporting Server Security = OPSYS
  • Requires RC Authentication Plug-in = MR Trusted Sign-on
    • Tip: This is always a requirement whenever MR Authentication is External or Trusted
  • Recommendation A – Kerberos SSO (7.6.1)
    • MR Authentication = Trusted / REMOTE_USER
    • WF Console Authentication = WEB
    • RC Caster Remote Authenticated = YES
    • Server Connection Security = KERBEROS
WebFOCUS Authentication: Reporting Server Impersonation
  • Recommendation B – MR Sign-on Page
    • MR Authentication = External / WFRS
    • WF Console Authentication = EDA
    • Server Connection Security = Default
  • Recommendation C – Basic Web Authentication (7.6.1)
    • Web Server Security = Basic Web Authentication
    • MR Authentication = Trusted / REMOTE_USER
    • WF Console Authentication = WEB
    • RC Caster Remote Authenticated = YES
    • Server Connection Security = HTTP Basic
  • If SSO vendor solution preferred for Web-tier, then Reporting Server will require secondary Id/Pwd prompt
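The constraints stated on the Web Tier checkpoint, Reporting Server checkpoint (trust_ext) and impersonation slides interact, so a planned deployment can be checked against them mechanically. The following is an added example, not code from the presentation or from WebFOCUS: the dictionary keys are hypothetical labels for the settings the slides name, not configuration file syntax, and the plug-in value uses the "Trusted MR Sign-on" wording from the ReportCaster slide.

```python
# Added illustration: keys and values are hypothetical labels for the settings
# named on the slides, not WebFOCUS configuration file syntax.

def audit(cfg):
    """Return findings for one deployment description (a plain dict)."""
    findings = []
    mr = cfg.get("mr_authentication")        # Internal / External / Trusted
    server = cfg.get("server_security")      # OPSYS / OFF / PTH / DBMS / LDAP
    trust_ext = cfg.get("trust_ext") == "y"
    impersonation = bool(cfg.get("impersonation"))

    if cfg.get("console_authentication", "None") == "None":
        findings.append("console: no authentication, console is unprotected")
    if mr in ("External", "Trusted") and cfg.get("rc_plugin") != "Trusted MR Sign-on":
        findings.append("reportcaster: plug-in must be Trusted MR Sign-on "
                        "when MR Authentication is External or Trusted")
    if impersonation and server != "OPSYS":
        findings.append("server: impersonation requires security mode OPSYS")
    if trust_ext and impersonation:
        findings.append("server: trust_ext=y does not support impersonation")
    if trust_ext and server == "DBMS":
        findings.append("server: trust_ext=y is not supported with DBMS security")
    if server == "PTH":
        findings.append("server: PTH authenticates HTTP only, TCP is unauthenticated")
    return findings


# Constructed inputs: Scenario 1 / Recommendation A as listed on the slide,
# and a deliberately inconsistent deployment.
KERBEROS_SSO = {"mr_authentication": "Trusted", "console_authentication": "WEB",
                "rc_plugin": "Trusted MR Sign-on", "server_security": "OPSYS",
                "impersonation": True}
INCONSISTENT = {"mr_authentication": "External", "console_authentication": "None",
                "rc_plugin": "None", "server_security": "DBMS",
                "trust_ext": "y", "impersonation": True}

if __name__ == "__main__":
    for name, cfg in (("kerberos_sso", KERBEROS_SSO), ("inconsistent", INCONSISTENT)):
        print(name, audit(cfg) or "no findings")
```
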
WebFOCUS Authentication: Authenticate to Sun One LDAP Server
  • Recommendation A - MR / WFRS
    • MR Authentication = External / WFRS
    • WF Console Authentication = EDA
    • Server Security = LDAP
    • Server Connection Security = Default
    • ReportCaster Data Server Settings: Run Id=User
  • Drawback
    • If LDAP passwords expire periodically, user passwords stored in ReportCaster repository will become stale, potentially resulting in failed schedule execution
    • Workaround
      • Set trust_ext=y option on Server (7.6.1)
      • ReportCaster Data Server Settings: Run Id=User, Shared=Yes, Trusted=Passthrough
WebFOCUS Authentication: Authenticate to Sun One LDAP Server
  • Alternative B - MR / LDAP
    • MR Authentication = LDAP
    • Server Security = LDAP, trust_ext=y (7.6.1)
    • WF Console Authentication = EDA
    • Server Connection Security = Trusted: IBIMR_user (7.6.1)
    • ReportCaster Data Server Settings: Run Id=User, Shared=Yes, Trusted=Passthrough
WebFOCUS Authentication: Netegrity SiteMinder SSO
  • Consider SiteMinder Authenticates to Active Directory
  • MR Authentication = Trusted
    • Trusted to HTTP Header (e.g., sm_user) or
    • Trusted to REMOTE_USER
  • Server Connection Security = Trusted
    • Trusted to HTTP Header
  • IBIWFC_authentication
    • WEB or WEBHDR
  • Caster Remote Authenticated
    • Yes (uses REMOTE_USER)
      • ReportCaster Settings: Run Id=User,Trusted=Yes
    • HTTP Header
      • ReportCaster Settings: Run Id=User,Trusted=Passthrough, Shared=Yes
WebFOCUS Authentication: Netegrity SiteMinder SSO
  • Alternative B - MR / LDAP
    • MR Authentication = LDAP
    • Server Security = LDAP, trust_ext=y (7.6.1)
    • WF Console Authentication = EDA
    • Server Connection Security = Trusted: IBIMR_user (7.6.1)
    • ReportCaster Data Server Settings: Run Id=User, Shared=Yes, Trusted=Passthrough
WebFOCUS Authentication: Conclusion
  • We wish to extend our thanks to Jeff Rustandi and Jim Thorstad for their contributions to this presentation.