
Configuring WebFOCUS for External Authentication/Authorization

Ben Naphtali – Terry Schwarz, Information Builders

Summit 2016 User Conference, June 13-17, 2016

Author: Ben Naphtali

Company: Information Builders

Lab Title: Configuring WebFOCUS for External Authentication/Authorization

Abstract: In this lab you will configure WebFOCUS to authenticate and authorize users to Active Directory and use the Reporting Server access control feature along with access control templates, to authorize users to particular Application directories. This makes it possible to tightly integrate WebFOCUS into your organization's infrastructure for an installation that's more secure and easier to administer.

Configuring WebFOCUS for External AuthN/AuthZ Page 1 of 44 5/9/2023 Copyright © 2016 Information Builders

Lab Goals

- Learn how to configure WebFOCUS to authenticate and authorize to Active Directory and what the benefits are.
- Understand why it’s important to integrate WebFOCUS Client and Reporting Server security.
- Become familiar with Server Access Control and how it can be used to control access to Application directories on the Server.
- Become familiar with Server Access Control templates and how they can be used to access Application directories on the server, based on an access control template model.

Business Case

In this lab you will configure WebFOCUS to authenticate and authorize users based on information stored in Microsoft Active Directory.

Benefits of authenticating to Active Directory:

Improved usability – users only need to remember a single user ID and password.

Reduced administration – WebFOCUS synchronizes user information with Active Directory.

Benefits of authorizing to Active Directory:

Reduced administration – WebFOCUS automatically creates user accounts and administrators can centrally manage access to all applications.

Improved security – authorization is verified during each sign-in or scheduled job execution.

Pre-authenticating users with their Windows Desktop credentials is a very popular option you should consider, but it is not covered in this lab. For more information please watch this video: http://techsupport.informationbuilders.com/tech/wbf/WFVideos/WFSEC02.mp4

WebFOCUS also offers many other pre-authentication options:

- Integrated Windows Authentication
- Web Access Management systems
  o CA SiteMinder
  o Oracle Access Manager
  o IBM Tivoli Access Manager WebSEAL
  o Others
- CAS (Central Authentication Services)
- SAML 2.0
- Kerberos
- Basic

Lab Personas

During the lab you will interact with WebFOCUS in a number of different roles.

Allison Wells, WebFOCUS Administrator

Active Directory Credentials:

   User ID: aw01
   Password: Password1
   Groups: COR-IT-BIADMIN, COR-IT-BISUPPORT

Allison is the lead BI administrator. She will be internally authorized to WebFOCUS and to the Reporting Server.

Tony Bishop, WebFOCUS Administrator (backup)

Active Directory Credentials:

   User ID: tb01
   Password: Password1
   Groups: COR-IT-BIADMIN

Tony is Allison’s backup; we’ll use him to demonstrate how WebFOCUS administrators can be externally authorized.

Calinda Walters, Account Manager, Chicago Office

Active Directory Credentials:

   User ID: cw01
   Password: Password1
   Groups: BRA-CHI-SALES

Calinda works in a sales office; we’ll use her to demonstrate how a wildcard mask in the group mapping value can be helpful.

Paul Henderson, HR Manager who has been using FOCUS for years

Active Directory Credentials:

   User ID: ph01
   Password: Password1
   Groups: COR-HR-MGRS

Paul is a report developer; we’ll use him to demonstrate how Server Access Control can be used to govern access to Application directories.

Task 1 – Configure an LDAP Security Provider on the Reporting Server

You will begin the lab as Allison Wells, the WebFOCUS administrator. Your first task is to configure an LDAP security provider on the Reporting Server that will authenticate users to Active Directory (AD), retrieve their full name and email, and retrieve the AD groups they belong to.

1. Open Chrome from the Windows Taskbar. In this lab, Allison will always use Chrome to access the Server Console.

2. Click on the WebFOCUS Reporting Server shortcut on the Chrome favorites bar.

3. Sign in to the Server Console with the following credentials:

   User ID: srvadmin
   Password: srvadmin

4. You are signed in as a Server Administrator. Click on the Access Control tab.

5. Notice that the Server is currently running with its PTH security provider active.

PTH<internal> refers to the Server’s Process Table Handler (PTH) module; the Server’s internal security provider.

6. Right-click the Security Providers > LDAP node and then select New.

7. In the LDAP Security Configuration panel, click Continue.

8. Make the following changes and then click Next.

   ldap_host: ibsummit.local
   security: Explicit
   ldap_principal: [email protected]
   ldap_credentials: Password1

IMPORTANT: You should select the Explicit option when authenticating WebFOCUS users to Active Directory. Also, be sure the account specified for ldap_principal has a non-expiring password in Active Directory.

9. The server automatically makes an LDAP connection to the directory server and determines whether it is an Active Directory server. The server fills in typical values for Active Directory in the User Search panel.

Don’t change these for the lab, but in practice you should review the settings with your Active Directory administrator.

10. Click the expand button in the Group Search properties accordion bar. You can also collapse the User Search accordion bar if you like.

11. Again, the server fills in typical values for Active Directory here. Leave these unchanged.

12. Click the expand button to advance to the Trusted Connections property.

13. Change trust_ext to y and then click the Test User Authentication button.

The trust_ext=y setting specifies that the Server should accept trusted connections coming from WebFOCUS. After sign in, the Server will not make any further connections to AD for the user.

Tip: After enabling trust_ext=Y, you should take steps to ensure that unauthorized WebFOCUS Clients cannot connect to the Server, such as using network or host firewalls or using the RESTRICT_TO_IP setting on the Server’s TCP and HTTP Listeners.

14. In the test dialog, enter Allison’s AD credentials and then click Continue.

   User Name: aw01
   Password: Password1

15. Allison’s credentials were verified and the names of her AD groups are displayed.

16. Close the test dialog by clicking the X in the upper right corner.

17. Click Save to create your new LDAP security provider.

18. Change LDAP provider status to Primary.

19. Notice that PTH is automatically changed to Secondary.

The documentation recommends leaving PTH as a secondary security provider because:

- You can access the Server Console even when Active Directory is unreachable.
- You can specify a PTH service account in WebFOCUS for connecting to the Server.

20. Click the Save Provider’s Status button.

21. The next panel confirms that you are enabling two security providers and that PTH\srvadmin will be the only valid Server Administrator ID after restart.

Click the Apply and Restart Server button.

22. The next panel advises you to consider further securing the Basic User Role by adjusting General Privileges and Directory/File Privileges for the Basic User Role. We’ll revisit this later in the lab. Click the OK button.

23. Minimize the Chrome browser session and continue to the next task.

You will return to the Server Console session later in the lab.

Task Summary: Allison configured an LDAP security provider that can authenticate users to Active Directory and retrieve user information, which includes name, email, and group membership details. She specified that the LDAP provider accept trusted connections and she configured PTH as a secondary security provider.

Task 2 – Create the Initial WebFOCUS Administrator

In this task Allison will create a WebFOCUS administrator account spelled the same as her AD account (aw01). This is necessary because once WebFOCUS is configured to authenticate to AD she will need to sign in to WebFOCUS with AD credentials.

1. Open Internet Explorer from the Windows Taskbar.

2. Sign in to WebFOCUS using the following credentials:

   User Name: admin
   Password: admin

3. From the Administration menu select Security Center.

4. Click the New User button.

In the New User dialog box make the following two changes and then click OK.

   User Name: aw01
   Description: Leave blank; this will be synchronized with AD during sign in.
   Email Address: Leave blank; this will be synchronized with AD during sign in.
   Password fields: Leave blank; internal passwords are ignored in the new configuration.
   Create in Group: Administrators

5. Click the Administrators group in the Groups pane. Confirm aw01 is shown in the member list.

6. Click Close to exit Security Center. Remain signed in as Allison, and continue to the next task.

Task Summary: Allison created a WebFOCUS administration account spelled the same as her AD account. She can use this account to manage WebFOCUS when it has been reconfigured to authenticate to AD.

Task 3 – Configuring a Trusted Connection to the Server

In this task Allison will configure WebFOCUS to make trusted connections through the default EDASERVE Server node. Trusted connections improve performance because the Server only connects to AD during sign in; there are no connections when users run reports. Trusted connections also allow WebFOCUS to pass the user’s WebFOCUS groups to the server. We’ll use this feature later in the lab to control Paul’s access to Server Application directories.

1. Select Administration > Administration Console from the menu bar.

2. Right-click the Reporting Servers > Server Connections node and then select New.

3. Add Node Description: Security Lab, and select the Trusted radio button. Click Save.

4. After getting the following confirmation, click Save.

5. Remain on this Console page and continue to the next task.

Task Summary: Allison created a WebFOCUS Server Connection to send Trusted Connections to the configured Reporting Server.

Task 4 – Configuring WebFOCUS for External Authentication and Authorization

In this task Allison will configure WebFOCUS to use the Server and its LDAP security provider to authenticate users and return their AD user and group information.

1. Select the Security tab from the console menu bar.

2. Select Security Configuration > External from the left tree.

3. Make the following changes, then select Connect to test the Server Service Account credentials. That will enable the remaining settings for User Authorization.

   Enable External Security
   Server Administrator ID: pth\srvadmin
   Password: srvadmin

4. After receiving the following confirmation window, click OK.

5. Make the following additional changes:

   User Authorization: Internal and External
   Account Creation on Sign In: Mapped External Groups
   Synchronize User Information with Authentication Provider:

6. Select Save.

7. Click OK for the confirmation screens.

8. Select Security Configuration > Advanced from the left tree.

9. Set the WebFOCUS Root credentials, unselect Enable Password Change, and click Save.

   Root User: super
   Root Password: super
   Enable Password Change: unselected

Tip: In the event that WebFOCUS is misconfigured or the Server is down, Allison can sign into WebFOCUS using these Root credentials. It’s not necessary to create a WebFOCUS account for this user and this does not need to be an Active Directory account.

10. Click Close in the Administration Console banner.

11. Click Sign Out from the WebFOCUS banner.

12. Close Internet Explorer and continue to the next task.

Task Summary: Allison configured WebFOCUS to authenticate and authorize users to the Server. She also set the superuser credentials so she can access WebFOCUS in the event she’s misconfigured something.

Task 5 – Configuring WebFOCUS Security Tracing

In this task Allison will configure the com.ibilog logger so she can see detailed security messages in the WebFOCUS event.log. Before going into production she will return the log level back to its original value of info.

1. Open the Utilities folder on your Windows desktop.

2. Open the Security Lab folder.

3. Double-click the log4j shortcut.

4. On line 553 carefully change the com.ibilog level value from info to trace.

5. Click Save.

6. Close Notepad++.

7. Close the Windows Explorer window.

8. Open Windows Services from the Taskbar.

9. Right-click the Apache Tomcat 8.021 for WebFOCUS service and select Stop.

10. When the service stops, Status will be empty. Right-click the Apache Tomcat 8.021 for WebFOCUS service and select Start.

11. Close the Services dialog and the Utilities folder and continue to the next task.

Task Summary: We configured additional logging so that we could review additional diagnostic information within the event.log for user authentication and authorization.

This logging can also be enabled from the console, for the duration of the application server restart.

Task 6 – Testing External Authentication

In this task Allison will test the new external authentication configuration. However, because she has not yet mapped any WebFOCUS groups to AD groups, she will be internally authorized. This is why it was necessary to create the aw01 account using Security Center (Task 2) and place it into the WebFOCUS Administrators group. Allison will use the TailMe utility to see security messages in the WebFOCUS audit.log and event.log, as well as the Server’s edaprint.log.

1. Open the TailMe icon on the Taskbar, and minimize it. We will review that output in step 6.

2. Sign in to WebFOCUS using Internet Explorer and the following credentials:

   User Name: aw01
   Password: Password1

3. Notice that Allison’s full name now appears in the menubar, even though you left the user description property blank when you created her account in Security Center (Task 2).

This is because you set Synchronize User Information with Authentication Provider (IBI_UPDATE_USER_INFO=TRUE) in Task 4.

4. Maximize TailMe. It shows messages written to the WebFOCUS audit.log, event.log, and the Server edaprint.log (from top to bottom). The log level change you just made enables the useful DEBUG/TRACE messages in the event.log (middle panel).

5. Leave the TailMe program open and leave Allison signed into WebFOCUS.

6. Continue to the next task.

Task Summary: Allison has configured WebFOCUS to authenticate and authorize users to Active Directory, via the Server’s LDAP provider. You’ve also seen how to enable detailed tracing in the event.log to help troubleshoot configuration and authorization problems.

Task 7 – Externally Authorizing WebFOCUS Administrators

In this task Allison will map a subgroup underneath the Administrators group to the AD group COR-IT-BIADMIN, so her teammates can help manage WebFOCUS. By leaving the parent group Administrators as an unmapped group, Allison retains the ability to assign WebFOCUS administrators internally as well.

1. We are already signed in as aw01. Select Administration > Security Center from the WebFOCUS menubar.

2. In the Groups list, right-click the Administrators group and select New.

3. Enter External for the Group Name and then click the Browse… button.

4. In the Search field enter COR* and then click the Search icon.

5. Select COR-IT-BIADMIN and then click the >> icon to move it to the right-hand side.

In the TailMe window, find the get groups message in edaprint.log.

6. Click OK to select the external group mapping.

7. Click OK again to save the external group mapping.

8. Notice that the mapped subgroup is now shown with a different icon. Hover over the mapped group to reveal its mapping property.

9. Close Security Center.

10. Click Sign Out from the WebFOCUS menubar.

Task Summary: You can create and map subgroups to external groups as a way to allow group membership to be managed both internally as well as externally.

Task 8 – Testing External Authorization

In this task Tony will sign in to WebFOCUS for the first time. He will be externally authenticated and authorized based on his membership in the AD group COR-IT-BIADMIN.

1. Make sure TailMe is opened, but minimized.

2. Sign in to WebFOCUS using Internet Explorer and the following credentials:

   User Name: tb01
   Password: Password1

3. Notice that Tony’s full name appears in the menubar.

4. Open TailMe and notice the “createUser” message in the audit.log, as well as messages about the assignment of a PortalUser.

5. Select Administration > Security Center from the menubar.

6. Scroll to the bottom of the user list and see that Tony’s account status is AUTOADD.

AUTOADD is controlled by Account Creation on Sign In (IBI_ALLOW_LOGIN_EXTERNAL_GROUPS):

- Mapped External Groups (*MAPPED*) - an account will be created if the user belongs to any mapped group.
- All (*) - an account will be created for all authenticated users.
- Group1;Group2 - an account will be created only if the user belongs to the specified external group names. This is useful if you want to manage the number of authorized users by using a special external group like COR-IT-WFUSERS.

7. Select the GROUPS > Administrators > External, then select ‘Click here to retrieve the list of external Users’

Both Tony and Allison are displayed in that list of users.

8. Close Security Center.

9. Right-click the Domain Node and select New > Domain.

10. In the dialog, enter the following and click OK.

   Title: Human Resources
   Name: HR

11. Click OK.

Note: This Domain Template (from Business User Edition) uses these features:

- Creates Application Directory on Reporting Server.
- Adds Application Directory to apppath.
- Sets General Access on created Domain.
- Creates HR Group and sub Groups.
- Deletes associated Groups and Server application directory when deleting the Domain.

12. Click Administration > Security Center and then expand the HR group on the right.

13. Right-click the HR/Developers group and select Edit…

14. Click the Browse… button.

15. Replace the Search field contents with COR-HR* and then click the Search button.

16. Select Paul’s group COR-HR-MGR and then click the >> button.

17. Click OK, and then click OK again to save the external group mapping.

18. Hover over the HR/Developers group to confirm the mapping.

19. Click Close to exit Security Center.

20. Click Sign Out in WebFOCUS, minimize your browser window, and continue to the next task.

Task Summary: You learned how IBI_Allow_Login_External_Groups, group mapping, and the user’s external groups work together to determine whether an account will be AUTOADDed during their first sign in. You also mapped groups created by the Domain resource templates. You can also develop a custom resource template that automatically maps groups to your organization’s external groups; this greatly simplifies administration and more tightly integrates WebFOCUS security with your corporate processes.

Task 9 – Understanding External Authorization with Wildcard Mapping

We will discuss how a wildcard mask can sometimes be a better option than mapping multiple external groups to a WebFOCUS group.

Consider that you want the entire field sales team to have Basic User access to the Sales Domain. These users exist in many Active Directory groups, including: BRA-BOS-SALES, BRA-CHI-SALES, and so on. You could select all of these groups in the Browse External Groups dialog as shown below.

But what if a new sales office opens up in San Francisco and users in this office are assigned to a new AD group BRA-SFO-SALES? You would then need to edit the group mapping in your production WebFOCUS environment before San Francisco users could see the Sales domain.

An alternative is to simply type a wildcard mask for the mapping property, rather than using the browse feature.

This way members of any Active Directory group that begins with “BRA-” will be authorized to the Sales/BasicUsers group.
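The account-creation rule from Task 8 and the wildcard mapping from Task 9, modelled as an added example (not WebFOCUS code and not part of the original lab). It assumes the mask is written BRA-*, that * matches any run of characters and that comparison ignores case; the user xx01 and the group BRA-CHI-FACILITIES are constructed to show a denied sign-in and a group the mask admits beyond the sales offices.

```python
import re

# WebFOCUS group -> external group mapping values from Tasks 7-9.
# "BRA-*" is the assumed spelling of the Task 9 wildcard mask.
MAPPINGS = {
    "Administrators/External": ["COR-IT-BIADMIN"],
    "HR/Developers": ["COR-HR-MGRS"],  # spelled as under Lab Personas
    "Sales/BasicUsers": ["BRA-*"],
}

# AD groups per user. xx01 is a constructed user with no mapped group.
USERS = {
    "tb01": ["COR-IT-BIADMIN"],
    "cw01": ["BRA-CHI-SALES"],
    "ph01": ["COR-HR-MGRS"],
    "xx01": ["COR-IT-BISUPPORT"],
}

# Constructed directory listing; BRA-CHI-FACILITIES is hypothetical.
DIRECTORY_GROUPS = [
    "BRA-BOS-SALES", "BRA-CHI-SALES", "BRA-SFO-SALES", "BRA-CHI-FACILITIES",
    "COR-IT-BIADMIN", "COR-IT-BISUPPORT", "COR-HR-MGRS",
]
SALES_OFFICES = ["BRA-BOS-SALES", "BRA-CHI-SALES", "BRA-SFO-SALES"]


def matches(mask, group):
    """True if group fits mask. Only '*' is a wildcard (assumption)."""
    pattern = ".*".join(re.escape(part) for part in mask.split("*"))
    return re.fullmatch(pattern, group, flags=re.IGNORECASE) is not None


def webfocus_groups(ad_groups, mappings=MAPPINGS):
    """WebFOCUS groups the user lands in through external group mapping."""
    return sorted(
        wf_group
        for wf_group, masks in mappings.items()
        if any(matches(m, g) for m in masks for g in ad_groups)
    )


def account_created(setting, ad_groups, mappings=MAPPINGS):
    """Model of Account Creation on Sign In for an authenticated user.

    setting is "*MAPPED*", "*", or a "Group1;Group2" list, as in Task 8.
    """
    if setting == "*":
        return True
    if setting == "*MAPPED*":
        return bool(webfocus_groups(ad_groups, mappings))
    allowed = {g.strip().upper() for g in setting.split(";") if g.strip()}
    return any(g.upper() in allowed for g in ad_groups)


def unintended_reach(mask, intended, directory_groups):
    """Directory groups a mask admits that are not on the intended list."""
    intended_upper = {g.upper() for g in intended}
    return sorted(
        g for g in directory_groups
        if matches(mask, g) and g.upper() not in intended_upper
    )


if __name__ == "__main__":
    for setting in ("*MAPPED*", "*", "COR-IT-WFUSERS"):
        print(f"Account Creation on Sign In = {setting}")
        for user, groups in USERS.items():
            created = account_created(setting, groups)
            print(f"  {user}: created={created} groups={webfocus_groups(groups)}")
    extra = unintended_reach("BRA-*", SALES_OFFICES, DIRECTORY_GROUPS)
    print("BRA-* also admits:", extra)
```

Running `unintended_reach` against an export of the real directory's group names before saving a wildcard mapping shows every group the mask will authorize, including ones created later under the same prefix.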

Task 10 – Reviewing WebFOCUS Groups and Server Roles

In Task 1 you configured the Server to accept trusted connections for the LDAP security provider, then in Task 3 you configured the WebFOCUS Client to make trusted connections. In this configuration the Client passes the WebFOCUS user ID and group list of authenticated WebFOCUS users to the Reporting Server.

In this task you will review how specific WebFOCUS groups are registered to specific Server Roles so that members of these groups will have the proper privileges in the Server Console when they connect to it through WebFOCUS. This creates a better user experience and simplifies administration.

1. Sign in to WebFOCUS using Internet Explorer and the following credentials:

   User Name: aw01
   Password: Password1

2. Right-click Security Lab, then select Reporting Server Console.

3. When the Reporting Server Console opens, click the C (Console) button on the top left, and select Login Info.

The Login Info page shows that User aw01 has made a trusted connection using Security Provider ldap01. This user is a member of the WebFOCUS Administrators group (through direct assignment), Administrators/External group (through LDAP group mapping) and is in the EVERYONE group. Within TailMe the edaprint.log shows the trusted connection to the server using aw01, and her trusted groups passed.

Allison has been assigned the Server Administrator Role because we have pre-configured the Administrators group under the Server Administrators Role on this Reporting Server. She is also given the Basic User Role because we have also pre-configured Access Control Templates to obtain the user’s groups and assign ‘most’ users some basic access and privileges.

We’ll review the registered group and the Developers’ access control.

4. Close the Login Info page. Click the Access Control tab, then on the left-hand tree right-click Roles > Application Administrator > modelgrp/Developers > Directory/File Privileges.

5. Note that the directory privileges for modelgrp/Developers show a Closed Approot model:

- No access to the approot (apps) directory.
- Read and Execute for baseapp.
- Read, Write, Execute, List for modelapp: the group signed in as (HR in this example).

6. Close the Server Console window using ‘x’ in top right corner, and Sign out of WebFOCUS

7. Sign in to WebFOCUS as Paul for the first time, using:

   User Name: ph01
   Password: Password1

8. Notice that Paul’s full name appears in the menubar.

9. Open the Server Console from the Reporting Server node named Security Lab. Then check the Login Info page.

Paul has the Application Administrator Role on the Server Console, by passing the Trusted Groups of HR, HR/Developers to the server.

10. Close the Login Info page. Notice that Paul’s Server Console displays different application folders than the Client Reporting Server tree shows. Adjust the windows so you can see this.

11. Click on the Application Preferences button on the Server Console Ribbon.

12. Select the Show Applications not in PATH option and then click the Update button.

13. Notice now that the Server shows all the Applications; those not in APP PATH are shown in the Inactive Directories folder.

The Client and Server have a different way to organize the Applications.

What if we want Paul to have access to additional directories? APPPATH alone is not sufficient to authorize Application directories. And you cannot rely on the App Path property on Domain folders since this doesn’t affect behavior of the Reporting Server node or Server Console.

14. Close the Reporting Server Console window by selecting the ‘x’ in the top right corner.

15. Leave Paul signed into WebFOCUS and continue to the next Task.

Task Summary: You learned how to register WebFOCUS Groups to Server Roles so that users who connect trusted to the Server Console have the correct privileges. You also observed the order of groups passed to the Server’s HTTP or TCP listener, and that groups which are registered to server roles have a security provider prefix depending on a server setting.

Task 11 – Using Server Access Control to Authorize Application Directories

In the last task you saw that Paul was able to see only certain Application folders on the Reporting Server, based on the Directory/File Privileges of the modelgrp/Developers role.

In this task you will modify the modelgrp/Developers role and add Write and List to the available privileges for the baseapp directory, and then add Read and List privileges for ibisamp.

1. Switch to Chrome.

2. Sign in to the Reporting Server Console with the following credentials:

   User ID: srvadmin
   Password: srvadmin
   Security Provider: PTH

3. Click the Access Control tab.

4. Right-click the Application Administrator > modelgrp/Developers role and select General Privileges.

5. Although we are not doing it in this lab, this is the place you would restrict the Server’s functional privileges for users associated with this Server Role. For example, you could check NODPT and NOSYS to disable SQL Direct Passthru and Operating System commands from within FOCUS procedures.

6. Right-click the Application Administrator > modelgrp/Developers role and select Directory/File Privileges.

7. We need to check the Write and List permissions for the d:\ibi\apps\baseapp directory to add Write and List access to all Developers, then select Save.

8. After saving, note that the modelgrp/Developers role looks like the following for baseapp.

Let’s also give the Server’s Application Administrator > modelgrp/Developers role Read and List to ibisamp, from the Applications tab.

9. Click on the Applications tab.

10. Right-click the ibisamp Application and select Privileges.

11. For the modelgrp/Developers role, add Read and List, then select Save.

12. Leave the Chrome Console session running and switch back to Internet Explorer, which should be signed in as Paul Henderson (ph01).

13. Expand the Reporting Servers node (right-click and select Refresh if necessary). Notice the following Application folders plus foccache are shown.

14. Explore the right-click options Paul has on the baseapp and ibisamp folders. Notice that they are respecting the Server privileges you just registered.

Tip: To complete access to baseapp and ibisamp for all users, Allison would need to perform similar steps for the Basic User > modelgrp role, but without enabling Write for those users. We have skipped those steps for now, due to time constraints in the lab.

The configuration we are using uses a closed APPROOT model. This means that end users and Developers only have access to Applications on the server specifically given to them.

15. Switch back to the Chrome browser where you were signed in as srvadmin.

16. Click the Access Control tab.

17. Right-click the Application Administrator > modelgrp/Developers role and select Directory/File Privileges.

Roles and Access Control Templates

When there are many Applications and there is a pattern between WebFOCUS group names and the Application names, use Server Access Control Templates to automatically assign access rights, which greatly simplifies security administration and provides an integrated security environment between WebFOCUS and the Reporting Server.

You can refer to this document for more information about Server Access Control Templates.

http://techsupport.ibi.com/tech/wbf/v8templates/ac_template_example.pdf

Task Summary: In this task you learned how Server Access Control can be used to assign Application directory access privileges to members of WebFOCUS groups through the group registration process.
