Managed Reporting Realm Driver Properties
Managed Reporting has the following security settings.
Specifies how users are authenticated. Valid values are:
Specifies that the Managed Reporting repository is used to authenticate users.
Specifies that an external repository is used to authenticate users. If you select this radio button, you will be asked to select a directory from a drop-down list of directories that have been configured in the mrrealm.cfg file. By default, you can choose from several relational DBMSs, the WebFOCUS Reporting Server, LDAP, and Active Directory. You can also configure new directories using the WebFOCUS Administration Console.
Specifies that the Web server authenticates users. If you select this authentication mode, you must choose whether to use the Web server REMOTE_USER variable or an HTTP header variable. If you select a header variable, you must supply the name of the variable.
Specifies how users' access rights are determined. Valid values are:
Indicates that the Managed Reporting repository is used to determine user access rights.
Indicates that an external repository is used to determine user access rights. If you select this radio button, you will be asked to select a directory from a drop-down list of directories that have been configured in the mrrealm.cfg file. By default, you can choose from several relational DBMSs, LDAP, and Active Directory. You can also configure new directories using the WebFOCUS Administration Console.
Specifies whether the Managed Reporting Realm Driver should synchronize a user's privileges and groups with the ReportCaster Repository during MR (and Dashboard) sign-on. The setting is only valid when MR Authorization is set to an External Directory, and the synchronization only occurs if the user has ReportCaster privileges.
The internal default of false improves performance and should be used whenever the MR Administration tool is used to maintain the user repository. In this case, synchronization during sign-on is unnecessary because the tool updates the MR and ReportCaster repositories. You must change the value to true whenever the ReportCaster Repository does not reflect the authorization information located in the external source (such as Active Directory, LDAP, and some custom RDBMS authorization scenarios). When set to true, the driver calls createOrUpdateCasterUser() during sign-on, in the user context specified by IBIMR_RC_SVCUSER, in order to synchronize the user's privileges and groups with ReportCaster.
Used by the Realm Driver to locate the old repositories during migration.
Used by the Realm Driver to locate the new repositories during migration.
By default, the MR Realm Driver cache feature is enabled and information about MR domains, groups, roles, and users is cached. Generally speaking, you should leave the cache feature enabled to improve performance. The user cache retains information about each user that logs on. As users log on, their cache entry (if any) is purged to ensure that their latest privileges are retrieved from the external directory. Write-backs to the RDBMS repository initiated from any of the MR tools also result in the cache being purged.
When using an external directory option like LDAP or Active Directory, however, there is no write-back support. Therefore, there may be a situation where the cache becomes stale. Consider the case where a new MR Group is created in Active Directory after Managed Reporting is already online and in use. To recognize this new MR Group when the cache feature is enabled, you must recycle the Web application (in order to eliminate the cache).
You can disable portions of the cache by setting one or more of the following properties to true in the MR Security Settings - Advanced panel in the WebFOCUS Administration Console:
DISABLE_USER_CACHE=true
DISABLE_DOMAINS_CACHE=true
DISABLE_GROUPS_CACHE=true
DISABLE_ROLES_CACHE=true
You can also disable the entire cache feature by setting the following property to true:
DISABLE_CACHE=true
In a development environment, you may want to disable the domains, groups, and roles cache. In a production environment, you may want to disable anything that will be changing frequently. Generally speaking, you should always leave the user cache enabled since it is purged during sign-on for each user.
Is set to ibi.uas.service.WFMRX_LdapSecurityManager when you select LDAP or Active Directory as your authentication directory. This property cannot be edited.
Is set to ibi.uas.service.WFMRX_LdapRepositoryManager when you select LDAP or Active Directory as your authentication directory. This property cannot be edited.
Is the host name or IP address of your directory server and the port on which the directory server listens. For example, server1:389. If you are authenticating to Active Directory, you should consider specifying the host that runs your Global Catalog, which is configured on port 3268 by default. You must specify the Global Catalog host/port when your users are in more than one domain. You can also specify multiple servers for failover support using a comma-delimited format. For example, server1:3169,server2:4310.
Determines whether the connection is encrypted. A value of false means no encryption. A value of true means SSL encryption is used. Typically, SSL requires additional setup on the directory server (for example, a certificate). See your directory server documentation for more information. You may also need to register your directory's SSL certificate with the JVM running your application server, especially if it is a self-signed or expired certificate.
Specifies whether to perform an anonymous or credential-based search for the user in the directory as a preliminary step in authenticating the user. The default value for LDAP is false, and the default value for Active Directory is true.
For example, a user John Doe enters the user ID JD123 and his password on the Business Intelligence Dashboard logon page.
If REQUIRECREDENTIALS=false, the Realm Driver first performs an anonymous search to locate John Doe's distinguished name (DN), for example, "cn=Doe\, John,ou=People,dc=informationbuilders,dc=com". Next, the Realm Driver performs an LDAP bind with the user's DN and password in order to authenticate him.
If REQUIRECREDENTIALS=true, the first connection is made with a service account's DN with sufficient rights to search the directory and locate user entries.
Note: Active Directory does not allow an anonymous search.
Contains the DN of a service account with sufficient access rights to locate user entries in the directory. This value is used only when REQUIRECREDENTIALS=true.
Contains the password of the service account. This value is used only when REQUIRECREDENTIALS=true.
Specifies the root DN where the user search starts. For performance reasons you should set this value as close as possible to your user entries. The default value for LDAP is ou=People,dc=domain,dc=com, and for Active Directory is cn=Users,dc=domain,dc=com. You must replace this with an appropriate DN for your directory.
Specifies the scope of the search. Valid values are:
subtree - indicates that the scope is a subtree rooted at the start node. This is the default value.
onelevel - indicates the immediate children of the start node only.
Specifies the object class used when searching for user entries. The default value for LDAP is inetOrgPerson, and for Active Directory it is User.
Specifies the LDAP attribute used when searching for user entries. uid is the default value for LDAP, and sAMAccountName is the default value for Active Directory.
One possible reason to change the default value would be to allow users to log on to Managed Reporting with an e-mail address instead of user ID. In this case, you might change the value to mail (if this corresponds with the name of the appropriate attribute in your directory).
You may also want to change this when your Active Directory includes several child domains. In this case there can be two people with the same ID. You can change the property to userPrincipalName so that users are required to present their ID to Managed Reporting in a domain-qualified (for example, jt01234@ibi.com) format.
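The preliminary user lookup described under REQUIRECREDENTIALS, and the search root, scope, object class and attribute settings above, combined in an added example that is not WebFOCUS code. The function and parameter names are assumptions; the defaults mirror the LDAP and Active Directory values this page documents, and the user-typed ID is escaped per RFC 4515 so it cannot alter the filter's structure.

```python
from typing import Dict, List

# Added example, not WebFOCUS code. Parameter names are assumptions; the
# defaults mirror the values this page documents for LDAP and Active Directory.
_RFC4515 = {"\\": r"\5c", "*": r"\2a", "(": r"\28", ")": r"\29", "\x00": r"\00"}


def escape_filter_value(value: str) -> str:
    """Escape a user-supplied assertion value per RFC 4515 (LDAP filter syntax)."""
    return "".join(_RFC4515.get(ch, ch) for ch in value)


def build_user_search(login_id: str, base_dn: str, scope: str = "subtree",
                      object_class: str = "inetOrgPerson",
                      user_attr: str = "uid") -> Dict[str, str]:
    """Compose the preliminary user lookup the Realm Driver performs.

    base_dn, scope, object_class and user_attr correspond to the search
    settings documented above; the typed ID is escaped before it enters the
    filter so a value such as "JD123)(uid=*" stays a literal string.
    """
    if scope not in ("subtree", "onelevel"):
        raise ValueError("scope must be 'subtree' or 'onelevel'")
    if not login_id:
        raise ValueError("empty login ID")
    flt = f"(&(objectClass={object_class})({user_attr}={escape_filter_value(login_id)}))"
    return {"base": base_dn, "scope": scope, "filter": flt}


def bind_sequence(require_credentials: bool, service_dn: str = "") -> List[str]:
    """Order of LDAP operations for the two REQUIRECREDENTIALS modes."""
    if require_credentials:
        if not service_dn:
            raise ValueError("REQUIRECREDENTIALS=true needs a service account DN")
        first = f"bind as service account {service_dn}"
    else:
        first = "anonymous bind"
    return [first, "search for the user's DN", "bind with the user's DN and password"]


if __name__ == "__main__":
    # Constructed sample input: the page's John Doe logging in as JD123.
    print(build_user_search("JD123", "ou=People,dc=informationbuilders,dc=com"))
    # Active Directory profile with domain-qualified IDs (page's example value).
    print(build_user_search("jt01234@ibi.com", "cn=Users,dc=domain,dc=com",
                            object_class="User", user_attr="userPrincipalName"))
    # Hostile input stays inside the attribute assertion after escaping.
    print(build_user_search("JD123)(uid=*", "ou=People,dc=domain,dc=com")["filter"])
```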
To enable the connection pool feature, set this property to true and adjust the other POOL properties as desired. The default value is false.
Defines which types of connections are taken from the pool. The default value is plain, which means that only non-SSL connections are drawn from the pool. You can change this to ssl or to plain ssl to alter the behavior.
Defines the initial size of the connection pool. The default value is 1.
Defines the maximum size of the connection pool. The default value is 0, which means no limit. If the limit is reached, the Realm Driver waits for the period specified by POOL.TIMEOUT and then returns an error.
Defines the preferred size of the connection pool. When specified, connections are added and idle connections are removed to achieve the value specified. The default value is 0, which means no preferred size.
Defines how long in milliseconds the Realm Driver waits for a connection from the pool. This is initially set to a value of 60000 in the configuration file (one minute). A value of 0 means no timeout.
The following additional properties must be configured using the WebFOCUS Administration Console for Active Directory authorization. To access the Active Directory authorization properties, click the External Directories menu under the MR Security Settings section and then double-click the AD radio button. In the mrrealm.cfg file, each property begins with the prefix value you selected as your authorization prefix:
Defines the attribute used to retrieve the full name of the user for display purposes in Managed Reporting. Initially set to displayName for the built-in AD prefix.
Defines the attribute used to retrieve the e-mail account of the user in order to create the ReportCaster account (if configured). In Version 7.1.3 and higher installations, this is initially set to mail for the built-in AD prefix. If you are upgrading an earlier 7.1.x release, you should change this to mail or a valid attribute in your directory.
Defines the attribute used to retrieve the group, role, and privilege entries of the user in the authorization tree. Initially set to memberOf for the built-in AD prefix.
Defines the location of the authorization tree. The container specified must contain the Domains, Groups, Privileges, and Roles containers created by the load scripts. Initially set to ou=ibimr,ou=apps,dc=domain,dc=com for the built-in AD prefix.
Defines the string prepended to the common name when searching for authorization entries. This setting is initially left blank, which means no string is prepended. This setting is required whenever there will be more than one authorization tree in a single directory since the common names of groups in a directory must be unique. Initially set to test_ for the built-in AD prefix.
Defines the class name used in the LDAP search for authorization entries. Initially set to group for the built-in AD prefix.
Defines the attribute used to retrieve the description of an authorization entry for display purposes in Managed Reporting. For example, displaying the Groups available in Dashboard View Builder. Initially set to description for the built-in AD prefix.
Defines the attribute used to retrieve the nesting group(s) of an entry in the authorization tree. For example, the MR Domain(s) available to the MR Public Group are found by following the memberOf attribute(s) on the Public Group entry. Initially set to memberOf for the built-in AD prefix.
Defines the attribute used to retrieve the nested group(s) of an entry in the authorization tree. For example, the MR Group(s) with access to the MR Untitled Domain are found by following the member attribute(s) on the Untitled Domain entry. Initially set to member for the built-in AD prefix.
Defines the attribute used to locate entries in the authorization tree. Initially set to name for the built-in AD prefix.
After editing the properties, click Save to save the values or Cancel to leave them as they were before.
By default, this value is set to ibi.uas.service.WFMRX_DBSecurityManager when you select a relational DBMS directory.
Is the path to the class that contains the driver.
Is the connection string of the driver. For more information about how to configure this property, see your JDBC driver documentation.
Note: If you are not using the default instance of SQL Server, you must add a second backslash prior to the instance name. For example:
jdbc:microsoft:sqlserver://hostname\\instancename:1433; DatabaseName=databasename;SelectMethod=Cursor
Important: When using the WebFOCUS Administration Console to edit this setting, the two backslashes preceding the instance name are properly saved to mrrealm.cfg. However, the console incorrectly displays them as a single backslash. The second backslash is necessary in the prefix.DRIVER.URL setting in mrrealm.cfg to escape the single backslash required by the JDBC driver.
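A way to confirm what the JDBC driver will actually receive from a stored prefix.DRIVER.URL value, as an added example that is not WebFOCUS code. It assumes mrrealm.cfg follows Java properties escaping (a backslash escapes the next character); the cfg text and the prefix name DB are constructed for the example.

```python
# Added example, not WebFOCUS code. Assumes Java properties escaping in
# mrrealm.cfg: "\\" decodes to one "\", and a lone "\" before a normal
# character is consumed. \uXXXX escapes are not handled here.

def unescape_property_value(raw: str) -> str:
    """Decode the backslash escapes of a Java-style properties value."""
    out, i = [], 0
    while i < len(raw):
        ch = raw[i]
        if ch == "\\" and i + 1 < len(raw):
            nxt = raw[i + 1]
            out.append({"n": "\n", "t": "\t", "r": "\r", "f": "\f"}.get(nxt, nxt))
            i += 2
        else:
            out.append(ch)
            i += 1
    return "".join(out)


def read_driver_url(cfg_text: str, prefix: str) -> str:
    """Return the decoded <prefix>.DRIVER.URL value from properties-style text."""
    key = f"{prefix}.DRIVER.URL"
    for line in cfg_text.splitlines():
        line = line.strip()
        if not line or line.startswith(("#", "!")):
            continue
        name, sep, value = line.partition("=")
        if sep and name.strip() == key:
            return unescape_property_value(value.strip())
    raise KeyError(key)


def instance_backslash_ok(url: str) -> bool:
    """True when exactly one backslash separates host and instance after decoding."""
    host_part = url.split("//", 1)[-1].split(":", 1)[0]
    return host_part.count("\\") == 1


if __name__ == "__main__":
    # Constructed mrrealm.cfg excerpt; DB and BAD are assumed prefix names.
    cfg = (
        "# constructed excerpt\n"
        "DB.DRIVER.URL=jdbc:microsoft:sqlserver://hostname\\\\instancename:1433;"
        "DatabaseName=databasename;SelectMethod=Cursor\n"
        "BAD.DRIVER.URL=jdbc:microsoft:sqlserver://hostname\\instancename:1433;\n"
    )
    good, bad = read_driver_url(cfg, "DB"), read_driver_url(cfg, "BAD")
    print(good, instance_backslash_ok(good))  # one backslash reaches the driver
    print(bad, instance_backslash_ok(bad))    # the lone backslash was consumed
```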
Is an ID that has read/write privileges on the tables in the security repository.
Is the password for USER. When updated through the WebFOCUS Administration Console, this value will always be encrypted with WebFOCUS Encryption.
Is the table owner if the tables were created by an account other than the one specified in USER.
Is the maximum number of connections. Zero specifies an unlimited number of connections.
Is the timeout value. Zero specifies no timeout.
Specifies how to authenticate the user to the database directory. When set to false (the default), WebFOCUS looks up the user's password in the WF_MRUSERS table and compares it with the value provided by the user. When set to true, the Realm Driver makes a JDBC connection to the database with the user ID and password that were entered on the Managed Reporting logon page and checks for success or failure.
Generally, this should be left set to false. If you have DBMS login accounts for your Managed Reporting users and you want to authenticate them with these credentials, you should consider configuring external authentication to the Reporting Server and having the Reporting Server validate these DBMS credentials.
When set to WFENCR (which represents WebFOCUS Encryption, the default), WebFOCUS encrypts/decrypts end-user passwords written to/read from the WF_MRUSERS table. You can specify the fully qualified class name of a custom encryption class instead of WFENCR provided that the custom class implements ibi.webfoc.wfutil.WFEncryptionInterface. If this property is commented out, no encryption is used on passwords in the WF_MRUSERS table.
Is, by default, ibi.uas.service.WFMRX_DBSecurityManager when you select the WebFOCUS Reporting Server as your authentication directory.
Is the class used by WFServlet to connect with the WebFOCUS Reporting Server. The default value is ibi.jlink.EdaDriver and should not be changed. This value is written to the WFRS.CLASS property.
Is the connection information used to connect with the WebFOCUS Reporting Server. The value is jdbc:eda://hostname:port;SERVER=servicename. Update hostname:port to the host name and port for your WebFOCUS Reporting Server. This value is written to the WFRS.URL property.
If your Reporting Server is on MVS, you must supply the service name associated with your server after the SERVER= keyword. For information about setting the service name for MVS, see your Server Installation, Configuration and Operations for MVS manual.
Note: If your Reporting Server is on any other platform, including OS/390 UNIX, leave SERVER= unchanged. You must not remove the SERVER= keyword.