Configuring WebFOCUS for External Authentication/Authorization

Ben Naphtali – Terry Schwarz
Information Builders
Summit 2016 User Conference
June 13-17, 2016

Author: Ben Naphtali

Company: Information Builders

Lab Title: Configuring WebFOCUS for External Authentication/Authorization

Abstract: In this lab you will configure WebFOCUS to authenticate and authorize users to Active Directory and use the Reporting Server access control feature along with access control templates, to authorize users to particular Application directories. This makes it possible to tightly integrate WebFOCUS into your organization's infrastructure for an installation that's more secure and easier to administer.

Your Lab Title here Page 2 of 40 5/17/2016

Copyright © 2014 Information Builders

Lab Goals

·  Learn how to configure WebFOCUS to authenticate and authorize to Active Directory and what the benefits are.

·  Understand why it’s important to integrate WebFOCUS Client and Reporting Server security.

·  Become familiar with Server Access Control and how it can be used to control access to Application directories on the Server.

·  Become familiar with Server Access Control templates and how they can be used to grant access to Application directories on the Server based on a template rather than on per-user rules.

Business Case

In this lab you will configure WebFOCUS to authenticate and authorize users based on information stored in Microsoft Active Directory.

Benefits of authenticating to Active Directory:

·  Improved usability – users only need to remember a single user ID and password.

·  Reduced administration – WebFOCUS synchronizes user information with Active Directory.

Benefits of authorizing to Active Directory:

·  Reduced administration – WebFOCUS automatically creates user accounts and administrators can centrally manage access to all applications.

·  Improved security – authorization is verified during each sign-in or scheduled job execution.

Pre-authenticating users with their Windows Desktop credentials is a very popular option you should consider, but it is not covered in this lab. For more information please watch this video: http://techsupport.informationbuilders.com/tech/wbf/WFVideos/WFSEC02.mp4

WebFOCUS also offers a number of other pre-authentication options:

·  Integrated Windows Authentication

·  Web Access Management systems

o  CA Siteminder

o  Oracle Access Manager

o  IBM Tivoli Access Manager WebSEAL

o  Others

·  CAS (Central Authentication Service)

·  SAML 2.0

·  Kerberos

·  Basic

Lab Personas

During the lab you will interact with WebFOCUS in a number of different roles.

Allison Wells
WebFOCUS Administrator / Active Directory credentials:
·  User ID: aw01
·  Password: Password1
·  Groups: COR-IT-BIADMIN, COR-IT-BISUPPORT
Allison is the lead BI administrator. She will be internally authorized to WebFOCUS and to the Reporting Server.

Tony Bishop
WebFOCUS Administrator (backup) / Active Directory credentials:
·  User ID: tb01
·  Password: Password1
·  Groups: COR-IT-BIADMIN
Tony is Allison’s backup; we’ll use him to demonstrate how WebFOCUS administrators can be externally authorized.

Calinda Walters
Account Manager, Chicago Office / Active Directory credentials:
·  User ID: cw01
·  Password: Password1
·  Groups: BRA-CHI-SALES
Calinda works in a sales office; we’ll use her to demonstrate how a wildcard mask in the group mapping value can be helpful.

Paul Henderson
HR Manager who has been using FOCUS for years / Active Directory credentials:
·  User ID: ph01
·  Password: Password1
·  Groups: COR-HR-MGRS
Paul is a report developer; we’ll use him to demonstrate how Server Access Control can be used to govern access to Application directories.

Task 1 – Configure an LDAP Security Provider on the Reporting Server

You will begin the lab as Allison Wells, the WebFOCUS administrator. Your first task is to configure an LDAP security provider on the Reporting Server that will authenticate users to Active Directory (AD), retrieve their full name and email, and retrieve the AD groups they belong to.

1.  Open Chrome from the Windows Taskbar. In this lab, Allison will always use Chrome to access the Server Console.

2.  Click on the WebFOCUS Reporting Server shortcut on the Chrome favorites bar.

3.  Sign in to the Server Console with the following credentials:

·  User ID: srvadmin

·  Password: srvadmin

4.  You are signed in as a Server Administrator. Click on the Access Control tab.

5.  Notice that the Server is currently running with its PTH security provider active.

PTH<internal> refers to the Server’s Process Table Handler (PTH) module; the Server’s internal security provider.

6.  Right-click the Security Providers > LDAP node and then select New.

7.  In the LDAP Security Configuration panel, click Continue.

8.  Make the following changes and then click Next.

·  ldap_host: ibsummit.local

·  security: Explicit

·  ldap_principal: l

·  ldap_credentials: Password1


IMPORTANT: You should select the Explicit option when authenticating WebFOCUS users to Active Directory. Also, be sure the account specified for ldap_principal has a non-expiring password in Active Directory.

9.  The server automatically makes an LDAP connection to the directory server and determines whether it is an Active Directory server. If it is, the server fills in typical Active Directory values in the User Search panel.

Don’t change these for the lab, but in practice you should review the settings with your Active Directory administrator.

10. Click the expand button in the Group Search properties accordion bar. You can also collapse the User Search accordion bar if you like.

11. Again, the server fills in typical values for Active Directory here. Leave these unchanged.

12. Click the expand button to advance to the Trusted Connections property.

13. Change trust_ext to y and then click the Test User Authentication button.

The trust_ext=y setting specifies that the Server should accept trusted connections coming from WebFOCUS. After sign in, the Server will not make any further connections to AD for the user.

Tip: A trusted connection asserts the user’s identity without a password, so any host that can reach the Server’s listeners can claim any user ID once trust_ext=y is set. After enabling it, make sure that unauthorized WebFOCUS Clients cannot connect to the Server, for example with network or host firewalls or with the RESTRICT_TO_IP setting on the Server’s TCP and HTTP Listeners.

14. In the test dialog, enter Allison’s AD credentials and then click Continue.

·  User Name: aw01

·  Password: Password1

15. Allison’s credentials were verified and the names of her AD groups are displayed.

16. Close the test dialog by clicking the X in the upper right corner.

17. Click Save to create your new LDAP security provider.

18. Change LDAP provider status to Primary.

19. Notice that PTH is automatically changed to Secondary.

The documentation recommends leaving PTH as a secondary security provider because:

·  You can access the Server Console even when Active Directory is unreachable.

·  You can specify a PTH service account in WebFOCUS for connecting to the Server.

20. Click the Save Provider’s Status button.

21. The next panel confirms that you are enabling two security providers and that PTH\srvadmin will be the only valid Server Administrator ID after restart.

Click the Apply and Restart Server button.

22. The next panel advises you to consider further securing the Basic User Role by adjusting the General Privileges and Directory/File Privileges for that role. We’ll revisit this later in the lab. Click the OK button.

23. Minimize the Chrome browser session and continue to the next task.

You will return to the Server Console session later in the lab.

Task Summary: Allison configured an LDAP security provider that can authenticate users to Active Directory and retrieve user information, which includes name, email, and group membership details. She specified that the LDAP provider accept trusted connections and she configured PTH as a secondary security provider.

Task 2 – Create the Initial WebFOCUS Administrator

In this task Allison will create a WebFOCUS administrator account spelled the same as her AD account (aw01). This is necessary because once WebFOCUS is configured to authenticate to AD she will need to sign in to WebFOCUS with AD credentials.

1.  Open Internet Explorer from the Windows Taskbar.

2.  Sign in to WebFOCUS using the following credentials:

·  User Name: admin

·  Password: admin

3.  From the Administration menu select Security Center.

4.  Click the New User button.

In the New User dialog box make the following changes and then click OK.

·  User Name: aw01

·  Description: Leave blank; this will be synchronized with AD during sign in.

·  Email Address: Leave blank; this will be synchronized with AD during sign in.

·  Password fields: Leave blank; internal passwords are ignored in the new configuration.

·  Create in Group: Administrators

5.  Click the Administrators group in the Groups pane. Confirm aw01 is shown in the member list.

6.  Click Close to exit Security Center. Remain signed in as Allison, and continue to the next task.

Task Summary: Allison created a WebFOCUS administration account spelled the same as her AD account. She can use this account to manage WebFOCUS when it has been reconfigured to authenticate to AD.

Task 3 – Configuring a Trusted Connection to the Server

In this task Allison will configure WebFOCUS to make trusted connections through the default EDASERVE Server node. Trusted connections improve performance because the Server only connects to AD during sign in; there are no connections when users run reports. Trusted connections also allow WebFOCUS to pass the user’s WebFOCUS groups to the server. We’ll use this feature later in the lab to control Paul’s access to Server Application directories.

1.  Select Administration Administration Console from the menu bar.

2.  Right-click the Reporting Servers > Server Connections node and then select New.

3.  Enter Security Lab as the Node Description, select the Trusted radio button, and click Save.

4.  When the confirmation appears, click Save.

5.  Remain on this Console page and continue to the next task.

Task Summary: Allison created a WebFOCUS Server Connection that sends trusted connections to the configured Reporting Server.

Task 4 – Configuring WebFOCUS for External Authentication and Authorization

In this task Allison will configure WebFOCUS to use the Server and its LDAP security provider to authenticate users and return their AD user and group information.

1.  Select Security Tab from the console Menu Bar.

2.  Select Security Configuration > External from the left tree

3.  Make the following changes, then click Connect to test the Server service account credentials. A successful connection enables the remaining User Authorization settings.

Enable External Security

·  Server Administrator ID pth\srvadmin

·  Password srvadmin

4.  After receiving the following confirmation window, Click OK.

5.  Make the following additional changes:

·  User Authorization: Internal and External

·  Account Creation on Sign In: Mapped External Groups

·  Synchronize User Information with Authentication Provider: checked

6.  Select Save

7.  Click OK for the confirmation screens.

8.  Select Security Configuration > Advanced from the left tree

9.  Set the WebFOCUS Root credentials, clear Enable Password Change, and click Save.

·  Root User: super

·  Root Password: super

·  Enable Password Change: unchecked

Tip: In the event that WebFOCUS is misconfigured or the Server is down, Allison can sign into WebFOCUS using these Root credentials. It’s not necessary to create a WebFOCUS account for this user, and this does not need to be an Active Directory account. Because the Root account bypasses Active Directory entirely, use a strong password in production and limit who knows it.

10. Click Close in the Administration Console banner.

11. Click Sign Out from the WebFOCUS banner.

12. Close Internet Explorer and continue to the next task.

Task Summary: Allison configured WebFOCUS to authenticate and authorize users to the Server. She also set the superuser credentials so she can access WebFOCUS in the event she’s misconfigured something.
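The settings in Tasks 1 and 4 decide, at every sign-in, whether a user is externally authorized, internally authorized, or refused. The Python model below is an added example, not WebFOCUS code or anything published by Information Builders: it replays those rules on constructed data so each persona’s outcome can be predicted before the tests in Task 6. The AD entries, the internal accounts (aw01 in Administrators from Task 2), the Sales group, and both mapping values (COR-IT-BIADMIN for Administrators and the BRA-*-SALES wildcard mask) are assumptions for the example; this section of the lab defines no mappings yet. The model also assumes that "Internal and External" grants a user the union of internal and mapped external groups.

```python
"""Model of the sign-in decision produced by the Task 1 and Task 4 settings.

Added example: this is not WebFOCUS code. It reproduces the rules the lab
describes (AD authentication through the Server's LDAP provider, group names
taken from memberOf, "Internal and External" authorization, "Mapped External
Groups" account creation, wildcard masks in mapping values) on constructed data.
"""
import fnmatch

LAB_PASSWORD = "Password1"  # every lab persona uses this password

# Constructed stand-in for what the LDAP provider reads from Active Directory
# after the explicit bind: sAMAccountName -> (displayName, mail, memberOf DNs).
AD_DIRECTORY = {
    "aw01": ("Allison Wells", "aw01@ibsummit.local",
             ["CN=COR-IT-BIADMIN,OU=Groups,DC=ibsummit,DC=local",
              "CN=COR-IT-BISUPPORT,OU=Groups,DC=ibsummit,DC=local"]),
    "tb01": ("Tony Bishop", "tb01@ibsummit.local",
             ["CN=COR-IT-BIADMIN,OU=Groups,DC=ibsummit,DC=local"]),
    "cw01": ("Calinda Walters", "cw01@ibsummit.local",
             ["CN=BRA-CHI-SALES,OU=Groups,DC=ibsummit,DC=local"]),
    "ph01": ("Paul Henderson", "ph01@ibsummit.local",
             ["CN=COR-HR-MGRS,OU=Groups,DC=ibsummit,DC=local"]),
}

# Internal repository accounts and their WebFOCUS groups; Task 2 created
# aw01 in Administrators and nothing else.
INTERNAL_ACCOUNTS = {"aw01": {"Administrators"}}

# WebFOCUS group -> external group mapping value (assumed for the example;
# this section of the lab defines no mappings yet). "*" is a wildcard mask.
GROUP_MAPPINGS = {
    "Administrators": "COR-IT-BIADMIN",
    "Sales": "BRA-*-SALES",
}


def group_names(member_of):
    """Reduce memberOf DNs to the CN values shown by Test User Authentication."""
    names = []
    for dn in member_of:
        attr, _, value = dn.split(",", 1)[0].partition("=")
        if attr.strip().upper() == "CN":
            names.append(value.strip())
    return names


def mapped_groups(ad_groups, mappings):
    """WebFOCUS groups whose mapping value matches any of the user's AD groups."""
    matched = set()
    for wf_group, mask in mappings.items():
        if any(fnmatch.fnmatchcase(g.upper(), mask.upper()) for g in ad_groups):
            matched.add(wf_group)
    return matched


def sign_in(user_id, password, mappings=None):
    """Return the sign-in outcome as a dict; status is external, internal or denied."""
    if mappings is None:
        mappings = GROUP_MAPPINGS
    entry = AD_DIRECTORY.get(user_id)
    if entry is None or password != LAB_PASSWORD:
        return {"status": "denied", "reason": "authentication failed"}
    display_name, mail, member_of = entry
    external = mapped_groups(group_names(member_of), mappings)
    internal = INTERNAL_ACCOUNTS.get(user_id)
    if not external and internal is None:
        # Authenticated, but "Mapped External Groups" only creates accounts for
        # users that hit a mapping, and no internal account exists either.
        return {"status": "denied", "reason": "no mapped group and no internal account"}
    return {
        "status": "external" if external else "internal",
        # Model assumption: "Internal and External" grants the union of both.
        "groups": external | set(internal or ()),
        "account_created": internal is None,
        # Synchronize User Information copies these from AD at every sign-in.
        "display_name": display_name,
        "email": mail,
    }


if __name__ == "__main__":
    print("Task 6 state (no mappings):", sign_in("aw01", LAB_PASSWORD, mappings={}))
    for uid in ("aw01", "tb01", "cw01", "ph01"):
        print(uid, sign_in(uid, LAB_PASSWORD))
```

Run with an empty mapping table to see the Task 6 situation: Allison authenticates against AD, no mapping matches, and she is authorized from her internal Administrators membership while her name and email are still synchronized from AD. With the assumed mappings in place, Tony and Calinda get accounts created on first sign-in, and Paul is refused because nothing maps COR-HR-MGRS and he has no internal account.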

Task 5 – Configuring WebFOCUS Security Tracing

In this task Allison will configure the com.ibilog logger so she can see detailed security messages in the WebFOCUS event.log. Before going into production she will return the log level back to its original value of info.

1.  Open the Utilities folder on your Windows desktop.

2.  Open the Security Lab folder.

3.  Double-click the log4j shortcut.

4.  On line 553 carefully change the com.ibilog level value from info to trace.

5.  Click Save.

6.  Close Notepad++.

7.  Close the Windows Explorer window.

8.  Open Windows Services from the Taskbar.

9.  Right-click Apache Tomcat 8.021 for WebFOCUS service and select Stop.

10. When the service has stopped (the Status column is empty), right-click the Apache Tomcat 8.021 for WebFOCUS service and select Start.

11. Close the Services dialog and the Utilities folder and continue to the next task

Task Summary: We configured additional logging so that we can review additional diagnostic information within the event.log for user authentication and authorization.

This logging can also be enabled from the Administration Console; a level set there lasts only until the next application server restart, whereas the log4j file edit persists.
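Editing the log4j file by line number is fragile, and the lab’s own caveat is that the level must be returned to info before production. The Python helper below is an added example, not part of the lab or of WebFOCUS: it locates the com.ibilog logger by name, sets its level, and reports the previous value so the change can be reverted. The two element layouts it recognizes (a log4j 1.x `<logger>` with a nested `<level value=…/>`, and a log4j 2 `<Logger … level=…>` attribute) are assumptions about how the WebFOCUS file may declare the logger; the sample configurations are constructed and are not copies of any WebFOCUS file. Check the real file’s layout before relying on it.

```python
"""Switch a logger's level in a log4j configuration and report the old level.

Added example, not part of the lab or of WebFOCUS: it performs the Task 5 edit
by logger name instead of by line number and keeps the previous value so the
change can be reverted before production. The two layouts handled below are
assumptions about how the WebFOCUS log4j file declares com.ibilog.
"""
import re
import shutil


def set_logger_level(config_text, logger_name, new_level):
    """Return (updated_text, previous_level); raise ValueError if the logger is absent."""
    name = re.escape(logger_name)
    patterns = [
        # log4j 1.x layout: <logger name="x"> <level value="info"/> ... </logger>
        re.compile(r'(<logger\s+name="%s"[^>]*>\s*<level\s+value=")([^"]*)(")' % name,
                   re.IGNORECASE | re.DOTALL),
        # log4j 2 layout: <Logger name="x" level="info" ...>
        re.compile(r'(<logger\s+name="%s"[^>]*?\slevel=")([^"]*)(")' % name,
                   re.IGNORECASE),
    ]
    for pattern in patterns:
        match = pattern.search(config_text)
        if match:
            previous = match.group(2)
            updated = config_text[:match.start(2)] + new_level + config_text[match.end(2):]
            return updated, previous
    raise ValueError("logger %r not found in configuration" % logger_name)


def update_config_file(path, logger_name, new_level):
    """Edit the file in place, keeping a .bak copy; return the previous level."""
    shutil.copyfile(path, path + ".bak")
    with open(path, encoding="utf-8") as fh:
        text = fh.read()
    updated, previous = set_logger_level(text, logger_name, new_level)
    with open(path, "w", encoding="utf-8") as fh:
        fh.write(updated)
    return previous


# Constructed sample in the log4j 1.x layout (not a copy of any WebFOCUS file).
SAMPLE_LOG4J1 = """<?xml version="1.0" encoding="UTF-8"?>
<log4j:configuration xmlns:log4j="http://jakarta.apache.org/log4j/">
  <logger name="com.ibilog" additivity="false">
    <level value="info"/>
    <appender-ref ref="EVENT"/>
  </logger>
</log4j:configuration>
"""

# Constructed sample in the log4j 2 layout.
SAMPLE_LOG4J2 = """<Configuration>
  <Loggers>
    <Logger name="com.ibilog" level="info" additivity="false">
      <AppenderRef ref="EVENT"/>
    </Logger>
  </Loggers>
</Configuration>
"""

if __name__ == "__main__":
    for sample in (SAMPLE_LOG4J1, SAMPLE_LOG4J2):
        traced, was = set_logger_level(sample, "com.ibilog", "trace")
        print("com.ibilog was %s, now trace; restoring" % was)
        restored, _ = set_logger_level(traced, "com.ibilog", was)
        assert restored == sample
```

To apply it to a real installation, call update_config_file with the path of the log4j file the lab’s shortcut opens, then restart the Tomcat service as in steps 8 to 10; run it again with the value it returned to undo the change before going to production.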

Task 6 – Testing External Authentication

In this task Allison will test the new external authentication configuration. However, because she has not yet mapped any WebFOCUS groups to AD groups, she will be internally authorized. This is why it was necessary to create the aw01 account using Security Center (Task 2) and place it into the WebFOCUS Administrators group. Allison will use the TailMe utility to see security messages in the WebFOCUS audit.log and event.log, as well as the Server’s edaprint.log.

1.  Open TailMe icon on the Taskbar, and minimize it. We will review that output in step 6

2.  Sign in to WebFOCUS using Internet Explorer and the following credentials:

·  User Name: aw01

·  Password: Password1

3.  Notice that Allison’s full name now appears in the menubar, even though you left the user description property blank when you created her account in Security Center (Task 2).

This is because you set Synchronize User Information with Authentication Provider (IBI_UPDATE_USER_INFO=TRUE) in Task 4.

4.  Maximize TailMe. It shows messages written to the WebFOCUS audit.log, event.log, and the Server edaprint.log (from top to bottom). The log level change you just made enables the useful DEBUG/TRACE messages in the event.log (middle panel).