BusinessObjects 6.5
Trademarks: Business Objects, the Business Objects logo, Crystal Reports, and Crystal Enterprise are trademarks or registered trademarks of Business Objects SA or its affiliated companies in the United States and other countries. All other names mentioned herein may be trademarks of their respective owners.
Use restrictions: This software and documentation is commercial computer software under Federal Acquisition regulations, and is provided only under the Restricted Rights of the Federal Acquisition Regulations applicable to commercial computer software provided at private expense. The use, duplication, or disclosure by the U.S. Government is subject to restrictions set forth in subdivision (c)(1)(ii) of the Rights in Technical Data and Computer Software clause at 252.227-7013.
Patents: Business Objects owns the following U.S. patents, which may cover products that are offered and sold by Business Objects: 5,555,403, 6,247,008 B1, 6,578,027 B2, 6,490,593 and 6,289,352.
Security for Business Objects 3
Maximizing Your Information Resources
Overview
Information, services, and solutions
The Business Objects solution is supported by thousands of pages of
documentation, available from the products, on the Internet, on CD, and by
extensive online help systems and multimedia.
Packed with in-depth technical information, business examples, and advice on
troubleshooting and best practices, this comprehensive documentation set
provides concrete solutions to your business problems.
Business Objects also offers a complete range of support and services to help
maximize the return on your business intelligence investment. See in the
following sections how Business Objects can help you plan for and successfully
meet your specific technical support, education, and consulting requirements.
Information resources
Whatever your Business Objects profile, we can help you quickly access the
documentation and other information you need.
Where do I start?
Below are a few suggested starting points; there is a summary of useful web
addresses on page 10.
Documentation Roadmap
The Documentation Roadmap references all Business Objects guides and
multimedia, and lets you see at a glance what information is available, from
where, and in what format.
View or download the Business Objects Documentation Roadmap at
www.businessobjects.com/services/documentation.htm
Multimedia
Are you new to Business Objects? Are you upgrading from a previous release or
expanding, for example, from our desktop to our web solution? Would you like to
see a demonstration that shows how to use some of our more complicated or
advanced features? Access our multimedia Quick Tours or Getting Started
tutorials from the product, the Online Customer Support (OCS) website, or the
Documentation CD.
Product documentation
We regularly update and expand our documentation and multimedia offerings.
With a valid maintenance agreement, you can get the latest documentation – in
seven languages – on the Online Customer Support (OCS) website.
NOTE
If your issue concerns a Business Objects product and not the documentation,
please contact our Customer Support experts. For information about Customer
Support visit: www.businessobjects.com/services/support.htm
Services
A global network of Business Objects technology experts provides customer
support, education, and consulting to ensure maximum benefit to your business.
Useful addresses at a glance

Address: Business Objects Documentation
  www.businessobjects.com/services/documentation.htm
  documentation@businessobjects.com
Content: Overview of Business Objects documentation. Links to Online Customer Support, Documentation Supply Store, Documentation Roadmap, Tips & Tricks, Documentation mailbox.

Address: Product documentation
  www.businessobjects.com/services/support.htm
Content: The latest Business Objects product documentation, to download or view online.

Address: Business Objects product information
  www.businessobjects.com
Content: Information about the full range of Business Objects products.

Address: Developer Suite Online
  www.techsupport.businessobjects.com
Content: Available to customers with a valid maintenance agreement and a Developer Suite license via the Online Customer Support (OCS) website. Provides all the documentation, latest samples, kits and tips.

Address: Knowledge Base (KB)
  www.techsupport.businessobjects.com
Content: Technical articles, documents, case resolutions. Also, use the Knowledge Exchange to learn what challenges other users – both customers and employees – face and what strategies they find to address complex issues. From the Knowledge Base, click the Knowledge Exchange link.

Address: Tips & Tricks
  www.businessobjects.com/forms/tipsandtricks_login.asp
Content: Practical business-focused examples.

Address: Online Customer Support
Audience
This guide is intended for administrators and others responsible for security in a
Business Objects system.
Convention: This font
Indicates: Code, SQL syntax, computer programs. For example: @Select(Country\Country Id). This font is also used for all paths, directories, scripts, commands and files for UNIX.

Convention: Some code ( ) more code
Indicates: Placed at the end of a line of code, the symbol ( ) indicates that the next line should be entered continuously with no carriage return.

Convention: $DIRECTORYPATHNAME
Indicates: The path to a directory in the Business Objects installation/configuration directory structure. For example:
• $INSTALLDIR refers to the Business Objects installation directory.
• $LOCDATADIR refers to a subdirectory of the BusinessObjects installation directory called locData.
Overview
This guide explains how security works in BusinessObjects 6.5, and how to
configure your Business Objects system so that it operates within a secure
environment.
Business Objects architecture addresses the many security concerns that affect
today’s businesses and organizations. The current release supports features
such as distributed security, SSO (single sign-on), and third-party authentication
for protection against unauthorized access.
NOTE
This guide replaces the security-related information in the version 6.5 Installation
and Configuration Guide.
Creating the Business Objects repository, then creating users and groups
Security within the Business Objects system depends upon the repository, which
stores Business Objects resources such as universes and documents, as well as
the access rights defined for users and groups. This topic starts on page 88.
Common Network and System Security Options
Overview
This chapter describes common network security options. This includes:
• securing web browsers and web servers
• SSL
• encryption
• firewalls
• reverse proxies
SSL
SSL (Secure Sockets Layer) is the most popular client-server encryption
mechanism used in web-based systems. It provides a secure, encrypted
connection between the server and client machine when they connect via the
Internet or other exposed network. Most popular free and commercial web
servers provide SSL encryption.
SSL sessions start with the SSL handshake, which is an exchange of messages
in which the server uses public keys to identify (authenticate) itself to the client.
The server and client then together create symmetric keys for encryption and
other security measures used during the subsequent session.
The server must have a digital certificate, signed by a CA (Certificate Authority) that vouches for the certificate's validity.
The certificates used by SSL are defined in the X.509 standard issued by the
International Telecommunications Union (ITU). Among the items contained in an
X.509-compliant digital certificate are:
• Certificate owner’s name
• Certificate issuer’s name
• Owner’s public key
• Issuer’s signature
• Valid dates
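As an added illustration (not part of the original guide), the following Go program builds a constructed CA and a server certificate signed by it, reads back the X.509 items listed above (subject and issuer names, the owner's public key, the issuer's signature, validity dates) with Go's standard crypto/x509 package, and then performs the client-side check that takes place during the SSL handshake: chaining to the trusted CA, host-name matching and the validity period. The CA name and host name are placeholders.

```go
package main

import (
	"crypto/rand"
	"crypto/rsa"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// CertSummary collects the X.509 items the guide lists.
type CertSummary struct {
	Owner, Issuer string    // subject and issuer distinguished names
	PublicKeyBits int       // size of the owner's RSA public key
	SignatureAlg  string    // algorithm of the issuer's signature
	SignatureLen  int       // length of the issuer's signature in bytes
	NotBefore     time.Time // validity period
	NotAfter      time.Time
}

// Summarize reads those items back from a parsed certificate.
func Summarize(c *x509.Certificate) CertSummary {
	bits := 0
	if pub, ok := c.PublicKey.(*rsa.PublicKey); ok {
		bits = pub.N.BitLen()
	}
	return CertSummary{
		Owner: c.Subject.String(), Issuer: c.Issuer.String(),
		PublicKeyBits: bits, SignatureAlg: c.SignatureAlgorithm.String(),
		SignatureLen: len(c.Signature), NotBefore: c.NotBefore, NotAfter: c.NotAfter,
	}
}

// BuildChain creates a constructed CA and a server certificate it signs
// (placeholder names, not a real deployment). The server certificate is
// valid for one year from notBefore.
func BuildChain(notBefore time.Time) (ca, server *x509.Certificate, err error) {
	caKey, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		return nil, nil, err
	}
	caTmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(1),
		Subject:               pkix.Name{CommonName: "Example Corporate CA"},
		NotBefore:             notBefore.Add(-24 * time.Hour),
		NotAfter:              notBefore.Add(10 * 365 * 24 * time.Hour),
		IsCA:                  true,
		BasicConstraintsValid: true,
		KeyUsage:              x509.KeyUsageCertSign,
	}
	caDER, err := x509.CreateCertificate(rand.Reader, caTmpl, caTmpl, &caKey.PublicKey, caKey)
	if err != nil {
		return nil, nil, err
	}
	if ca, err = x509.ParseCertificate(caDER); err != nil {
		return nil, nil, err
	}
	serverKey, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		return nil, nil, err
	}
	serverTmpl := &x509.Certificate{
		SerialNumber: big.NewInt(2),
		Subject:      pkix.Name{CommonName: "infoview.example.com"},
		DNSNames:     []string{"infoview.example.com"},
		NotBefore:    notBefore,
		NotAfter:     notBefore.Add(365 * 24 * time.Hour),
		ExtKeyUsage:  []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
	}
	// The CA's private key produces the issuer's signature on the server certificate.
	serverDER, err := x509.CreateCertificate(rand.Reader, serverTmpl, ca, &serverKey.PublicKey, caKey)
	if err != nil {
		return nil, nil, err
	}
	server, err = x509.ParseCertificate(serverDER)
	return ca, server, err
}

// VerifyServer is the client's side of the handshake: the certificate must
// chain to a trusted CA, name the host being contacted, and be inside its
// validity period at the given time.
func VerifyServer(server, ca *x509.Certificate, host string, at time.Time) error {
	roots := x509.NewCertPool()
	roots.AddCert(ca)
	_, err := server.Verify(x509.VerifyOptions{Roots: roots, DNSName: host, CurrentTime: at})
	return err
}

func main() {
	now := time.Now()
	ca, server, err := BuildChain(now)
	if err != nil {
		panic(err)
	}
	s := Summarize(server)
	fmt.Printf("owner=%s issuer=%s key=%d bits sig=%s/%d bytes valid %s..%s\n", s.Owner, s.Issuer,
		s.PublicKeyBits, s.SignatureAlg, s.SignatureLen, s.NotBefore.Format(time.RFC3339), s.NotAfter.Format(time.RFC3339))
	fmt.Println("valid now:      ", VerifyServer(server, ca, "infoview.example.com", now))
	fmt.Println("wrong host:     ", VerifyServer(server, ca, "other.example.com", now))
	fmt.Println("two years later:", VerifyServer(server, ca, "infoview.example.com", now.AddDate(2, 0, 0)))
}
```

The three checks at the end are the ones a browser applies before the symmetric session keys are negotiated; a certificate that fails any of them should not be trusted even though its signature is mathematically valid.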
Encryption
Encryption means that data transmitted over a network is translated into a secret
code. You cannot read an encrypted file unless you have access to a key or
password that allows you to decrypt it. It is the best way to achieve data security.
When data is not encrypted it is called plain text, and when it is encrypted, it is
called cipher text.
There are two primary methods of encrypting data:
• Symmetric-key cryptography
• Public-key cryptography
Symmetric-key cryptography
Symmetric-key cryptography is the simpler of the two methods. It uses the same
key to encrypt and decrypt the data. The sender gives the data and the key to the
encryption engine, which encrypts the data and sends it to the receiver. The
receiver passes the encrypted data and key to the decryption engine, which runs
the process in reverse.
The problem with doing this over the network is that, at some point, the key used
to encrypt and decrypt the data has to be exchanged. Because the person
receiving the key doesn’t already have the key, transmission of the key can’t be
encrypted. A third party could theoretically intercept the unencrypted key and use
it to decrypt (and listen in on or disrupt) any later communications that use that
key.
Public-key cryptography
Public-key cryptography solves the problem of key exchange by using two keys,
one public and one private:
• The public key is available to anyone who wants to send encrypted messages
or data to you.
• The private key stays private and is used to decrypt data encrypted with the
public key.
Data encrypted with the public key cannot be decrypted with it; it can only be
decrypted with your private key. The process of public-key encryption works
like this:
1. To begin a secure session with a server, a browser requests the server’s
public key.
2. The server sends its public key to the browser.
3. The browser receives the server’s public key, encrypts a message using the
key, and sends the message to the server.
4. The server receives the encrypted message and decrypts it using its private
key.
Note that in Step 2 the communication is not yet secure, just as in symmetric-
key cryptography: someone could intercept the server's (B's) unencrypted public
key as it makes its way to the browser (A). The difference is that an intercepted
symmetric key can be used to decrypt the encoded data, whereas a public key can
only be used to encrypt data. Someone who intercepted B's public key would only
be able to send secure messages to B, not decrypt A's subsequent messages to B.
Most encryption schemes are actually a combination of symmetric-key and
public-key encryption. Although more secure, public-key encryption uses a
complex encryption algorithm. Symmetric-key encryption is much faster and
cheaper. Public-key encryption is used to establish the secure connection where
a randomly generated symmetric key can be exchanged, and the rest of the
transaction is encrypted by the quicker symmetric-key encryption.
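The combined scheme described above, as an added example that is not part of the original guide: Go's standard library RSA-OAEP wraps a randomly generated AES-256 key with the receiver's public key, and AES-GCM encrypts the actual data under that key. The key sizes, the sample payload and the choice of GCM for the symmetric part are decisions made for this example, not details of the Business Objects implementation.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"errors"
	"fmt"
	"io"
)

// Envelope is what crosses the network: the random symmetric key wrapped with
// the receiver's public key, plus the message encrypted under that key.
type Envelope struct {
	WrappedKey []byte // RSA-OAEP ciphertext of the AES session key
	Nonce      []byte // AES-GCM nonce
	Body       []byte // AES-GCM ciphertext followed by its authentication tag
}

// NewServerKey generates the receiver's key pair (2048-bit RSA for the example).
func NewServerKey() (*rsa.PrivateKey, error) {
	return rsa.GenerateKey(rand.Reader, 2048)
}

// Seal is the sender: generate a fresh 256-bit AES key, wrap it with the
// receiver's public key, and encrypt the bulk data with the faster AES-GCM.
func Seal(pub *rsa.PublicKey, plaintext []byte) (*Envelope, error) {
	sessionKey := make([]byte, 32)
	if _, err := io.ReadFull(rand.Reader, sessionKey); err != nil {
		return nil, err
	}
	wrapped, err := rsa.EncryptOAEP(sha256.New(), rand.Reader, pub, sessionKey, nil)
	if err != nil {
		return nil, err
	}
	block, err := aes.NewCipher(sessionKey)
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := io.ReadFull(rand.Reader, nonce); err != nil {
		return nil, err
	}
	return &Envelope{WrappedKey: wrapped, Nonce: nonce, Body: gcm.Seal(nil, nonce, plaintext, nil)}, nil
}

// Open is the receiver: only the private key can unwrap the session key, and
// AES-GCM rejects any body that was modified in transit.
func Open(priv *rsa.PrivateKey, env *Envelope) ([]byte, error) {
	sessionKey, err := rsa.DecryptOAEP(sha256.New(), rand.Reader, priv, env.WrappedKey, nil)
	if err != nil {
		return nil, errors.New("cannot unwrap session key: wrong private key or corrupted envelope")
	}
	block, err := aes.NewCipher(sessionKey)
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	return gcm.Open(nil, env.Nonce, env.Body, nil)
}

func main() {
	serverKey, err := NewServerKey()
	if err != nil {
		panic(err)
	}
	msg := []byte("SELECT region, SUM(revenue) FROM sales GROUP BY region") // constructed sample payload
	env, err := Seal(&serverKey.PublicKey, msg)
	if err != nil {
		panic(err)
	}
	fmt.Printf("wrapped key %d bytes, body %d bytes (plaintext %d bytes)\n", len(env.WrappedKey), len(env.Body), len(msg))
	out, err := Open(serverKey, env)
	fmt.Printf("receiver decrypts: %q err=%v\n", out, err)

	// Someone who only holds the public key (or any other key pair) cannot open it ...
	eavesdropper, _ := NewServerKey()
	_, err = Open(eavesdropper, env)
	fmt.Println("wrong private key:", err)

	// ... and a body altered in transit is detected rather than decrypted to garbage.
	env.Body[0] ^= 0x01
	_, err = Open(serverKey, env)
	fmt.Println("tampered body:", err)
}
```

Only the short session key goes through the expensive public-key operation; the message itself, however large, is handled by the symmetric cipher, which is exactly the division of labour the paragraph above describes.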
Firewalls
For most 3-tier Business Objects extranet and intranet deployments, a corporate
intranet protected by double firewalls is highly recommended. For specific
intranet/extranet deployment information, see Deploying the Business Objects
System.
What is a firewall?
A firewall can be a router, a personal computer, a host, or a collection of hosts,
set up specifically to shield a site or subnet from protocols and services that can
be abused from hosts outside the subnet. It does this by implementing a set of
rules which can be configured. A firewall rule looks like this:
Authorize incoming TCP connections to <Host address> on <port>
A firewall can greatly improve network security and reduce risks to hosts on the
subnet by filtering inherently insecure services. As a result, the subnet network
environment is exposed to fewer risks because only selected protocols can pass
through the firewall.
A firewall also allows you to control access to site systems. For example, some
hosts can be made reachable from outside networks whereas others can be
effectively sealed off from unwanted access. A site can prevent outside access
to its hosts except for special cases such as mail servers or information servers.
Firewalls are also used to secure the area of communication between the web
server and the rest of the corporate intranet (including Business Objects).
Business Objects supports firewalls that use IP filtering, static NAT (Network
Address Translation), or SOCKS proxy servers, and it supports many different
configurations. Supported environments can involve multiple firewalls, web
servers, and application servers.
In addition to port filtering, a NAT firewall also performs network address (IP)
translation. This prevents the revealing of IP addresses of internal servers. If you
have private IP addresses, Business Objects recommends using a NAT-enabled
firewall.
What is a DMZ?
A DMZ is the secure buffer zone between two firewalls located between an
organization’s intranet and the Internet. It is designed to keep outside users from
accessing sensitive company data or to limit access to restricted users.
It is closely controlled by administrators so that only trusted processes are
allowed to run on machines within the DMZ. These trusted processes are closely
monitored, and if any abnormal behavior is observed, an alert is given and the
inner firewall is shut. The two firewalls allow limited sets of ports to be open. Each
set of ports is distinct from the other, and no single communication protocol can
traverse both firewalls.
[Figure: double-firewall deployment. Client users on the external network or Internet reach the web server in the DMZ over HTTP through the outer firewall; the web server reaches the application server over TCP through the inner firewall; the application server, primary node, secondary node, repository and corporate database sit on the intranet.]
The outer firewall, next to the external network or Internet, allows HTTP
communication between the clients and the web server (and through it, the
Business Objects cluster), by default through port 80. The connector on the
application server machines tunnels the communication with the cluster.
The inner firewall, next to the intranet, allows TCP traffic in both directions
through the ports that the web servers and application server are using to
communicate.
Both firewalls perform filtering. They may also perform IP address translation.
(Most deployments have network address translation at the inner firewall to
protect the intranets.)
Deployment schema
[Figure: deployment schema showing the web server, the application server, the database and two secondary nodes on the intranet.]
• Client machines on the Internet can be the clients for Business Objects server
products. All these clients communicate in HTTP with the web servers in the
DMZ.
• Web servers are always deployed within the DMZ. You can deploy several
web servers if you want.
• The application servers are always deployed inside the intranet; an
appropriate connection module is plugged into the web servers in the DMZ
with which the application servers are communicating. The application server
vendor provides these connection modules.
The communication between the web servers and application servers occurs
via these connectors, through a restricted number of TCP ports, ideally one
per server.
Constraints
In this configuration, data exchange between the clients and the database
servers is not supported.
However, all Business Objects downloads and installations through InfoView,
such as the various applets and BusinessObjects in 3-tier mode, are supported.
[Figure: a single firewall protecting the cluster compared with double firewalls; the repository and a secondary node sit behind the firewall(s).]

ASF and Business Objects TCP port numbers

Application server process   TCP port
itconfig_rep.exe             10000
itconfig_rep.exe             10001
itnode_daemon.exe            10002
itnaming.exe                 10003
WIProcessManager             10034
WIDispatcher                 10035
WIAPIBroker                  10040
WIReportServer               10041
ConnectionServer             10042
NOTE
TCP port allocation is not necessarily contiguous. Other internal ports may be
used by the Business Objects server, and other ports that may be busy when you
start the Business Objects server.
Once started, however, the ports do not change. For example, if you add a
WIReportServer instance (in addition to the one using port 10041), you must also
open an additional listening port, which you specify using the Administration
Console.
If you have multiple Business Objects servers, you must open sets of ports for
each of these servers.
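An added example (not from the guide) of how the rule sentence quoted under "What is a firewall?" and the port list above combine into a default-deny policy for the two firewalls. The parser accepts exactly that sentence shape and rejects anything else, the outer firewall passes only HTTP to the web server, and the inner firewall passes only the listed application server ports; the IP addresses are constructed placeholders, and a real firewall would additionally match on source address.

```go
package main

import (
	"fmt"
	"strings"
)

// Rule mirrors the shape of the rule quoted in the guide:
// "Authorize incoming TCP connections to <host address> on <port>".
type Rule struct {
	Proto string
	Host  string
	Port  int
}

// Connection is an inbound connection attempt as a firewall sees it.
type Connection struct {
	Proto string
	Host  string // destination address
	Port  int    // destination port
}

// Firewall is an allow-list; anything not matched by a rule is denied.
type Firewall struct {
	Name  string
	Rules []Rule
}

// ParseRule turns the rule sentence into a Rule. Anything that is not exactly
// that shape is an error, so a typo cannot silently widen the policy.
func ParseRule(line string) (Rule, error) {
	var r Rule
	_, err := fmt.Sscanf(line, "Authorize incoming %s connections to %s on %d", &r.Proto, &r.Host, &r.Port)
	if err != nil {
		return Rule{}, fmt.Errorf("unrecognised rule %q: %w", line, err)
	}
	if r.Port < 1 || r.Port > 65535 {
		return Rule{}, fmt.Errorf("rule %q: port out of range", line)
	}
	return r, nil
}

// NewFirewall builds a firewall from rule sentences, failing on the first bad one.
func NewFirewall(name string, lines []string) (Firewall, error) {
	f := Firewall{Name: name}
	for _, l := range lines {
		r, err := ParseRule(l)
		if err != nil {
			return Firewall{}, err
		}
		f.Rules = append(f.Rules, r)
	}
	return f, nil
}

// Allows reports whether some rule matches the connection (default deny).
func (f Firewall) Allows(c Connection) bool {
	for _, r := range f.Rules {
		if strings.EqualFold(r.Proto, c.Proto) && r.Host == c.Host && r.Port == c.Port {
			return true
		}
	}
	return false
}

// DMZPolicy models the double-firewall layout: the outer firewall only lets
// HTTP (port 80) reach the web server in the DMZ; the inner firewall only lets
// the web server's connector reach the application server ports listed in the
// guide. 192.0.2.10 and 10.0.0.20 are placeholder addresses.
func DMZPolicy() (outer, inner Firewall, err error) {
	outer, err = NewFirewall("outer", []string{
		"Authorize incoming TCP connections to 192.0.2.10 on 80",
	})
	if err != nil {
		return
	}
	var innerRules []string
	for _, p := range []int{10000, 10001, 10002, 10003, 10034, 10035, 10040, 10041, 10042} {
		innerRules = append(innerRules, fmt.Sprintf("Authorize incoming TCP connections to 10.0.0.20 on %d", p))
	}
	inner, err = NewFirewall("inner", innerRules)
	return
}

func main() {
	outer, inner, err := DMZPolicy()
	if err != nil {
		panic(err)
	}
	// Constructed traffic, as each firewall would see it.
	atOuter := []Connection{
		{"TCP", "192.0.2.10", 80},    // browser to the web server: allowed
		{"TCP", "192.0.2.10", 10041}, // browser straight at a cluster port: denied
	}
	atInner := []Connection{
		{"TCP", "10.0.0.20", 10041}, // web server connector to WIReportServer: allowed
		{"TCP", "10.0.0.20", 1433},  // web server to a database port: denied
	}
	for _, c := range atOuter {
		fmt.Printf("%s: %s %s:%d -> allowed=%v\n", outer.Name, c.Proto, c.Host, c.Port, outer.Allows(c))
	}
	for _, c := range atInner {
		fmt.Printf("%s: %s %s:%d -> allowed=%v\n", inner.Name, c.Proto, c.Host, c.Port, inner.Allows(c))
	}
}
```

The last attempt is the constraint stated in the guide: with this layout there is no path from the DMZ to the database, because no inner-firewall rule names the database port.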
Reverse proxies
In extranets in particular, web servers represent one of the system’s weakest
points. This is because they are usually deployed inside the DMZ (and therefore
closest to the outside world), and because you need to rely on application
security.
You can protect sensitive information on your web server by deploying a DMZ
between two firewalls and using a reverse proxy to protect your Business Objects
servers from direct uncontrolled access from extranet clients.
A reverse proxy is a proxy server which appears to be a normal web server to
clients, but in fact reroutes user requests to a machine deeper into the network
(and with a different name and IP address). The responses from the web server
are routed via the reverse proxy back to the client browser.
The word “reverse” refers to the inverted role of the proxy server. While normal
proxy servers act as a proxy for the client (the request is made on behalf of the
client by the proxy server), a reverse proxy handles requests on behalf of the
server, in this case, the Business Objects cluster.
Overview
Authentication and authorization are two distinct but related processes:
• Authentication examines the user name and password a user enters at login
to verify that the user really is the person he or she claims to be.
• Authorization is the subsequent calculation of a user’s access rights, in order
to provide the correct access to applications and resources.
Before logging into your system, you must choose the cluster’s authentication
mode, which determines the method by which users are authenticated: Business
Objects, Windows, SSO (Single Sign-on), or Basic.
You must also choose an authentication and authorization source; that is, where
and how you are going to store user authentication and authorization information.
This chapter describes authentication and authorization, how they work, and
provides you with some of the information you need to choose the right
authentication for your Business Objects deployment.
Types of sessions
In Business Objects, there are three types of sessions:
• InfoView user sessions
• 3-tier BusinessObjects sessions
• sessions used by Broadcast Agent for the processing of scheduled tasks
[Figure: session creation for a BusinessObjects login in 3-tier mode, an InfoView login, and Broadcast Agent.]
Authentication modes
Your choice of authentication mode determines the method by which users are
authenticated for both 2- and 3-tier Business Objects applications. Business
Objects recommends that you do not mix authentication modes within a single
Business Objects cluster. This can potentially compromise your system’s
security.
The following table summarizes the different authentication modes in a 2-tier and
3-tier Business Objects system.
Business Objects
When Business Objects authentication is selected:
1. The user requests the InfoView portal page in a web browser.
2. The user clicks the Login button, then enters a valid username and password.
3. The password is encoded and sent with the username to WILoginServer.
4. WILoginServer verifies the existence of the username and the validity of the
password entered for this user.
5. If the username and password are valid, WILoginServer builds:
- the list of applications the user is allowed to use
- the list of documents the user is allowed to use
- the list of security metadata (such as connection or universe overloads),
which is kept with the session as long as it is valid
Advantages/disadvantages
Because it uses proprietary access techniques, it is normally hard to crack.
Business Objects mode is also strengthened by the use of strong encryption and
decryption techniques like DES/AES.
When used with the Repository authentication source, Business Objects mode is
more suitable to simple deployments with a small user population.
Windows
When Windows authentication is selected:
1. The user requests the InfoView portal page in a web browser.
2. The Microsoft IIS web server (set to Windows Authentication or NT
Challenge-Response, depending on the version) transparently asks the
browser for the user’s credentials.
3. The browser responds.
4. The web server verifies these credentials against its authentication source.
5. If the credentials are accepted, the web server returns the InfoView portal
page.
6. The user clicks the Login button.
7. The user’s identity is retrieved from the web server and used by
WILoginServer to calculate the user's security rights.
Advantages/disadvantages
This mode leverages the trust relationship between the various domains in the
network.
Windows 2000 servers use the Kerberos authentication protocol, which is now a
recommended standard. (Windows NT uses NTLM.)
With Windows 2000 Server, you can use Active Directory for user management.
There is a danger, however, that a hacker could bypass the authentication
mechanism by accessing the application server directly from the outside. This
can be avoided by using a firewall, so that all transmissions pass via IIS.
SSO
To use SSO, you must have a third-party security management system that is
supported by Business Objects (see Optional Third-Party Security Management
Systems on page 59).
When SSO authentication is selected:
1. The client user initiates a session in the portal. The call is redirected by the
SSO Agent for credential checks.
2. The SSO Agent queries the security server to authenticate the user. If the
result is positive, the security server instructs the Agent on the policy to follow
with the user.
3. The SSO Agent redirects the user’s calls to the web server, according to the
Security Server policy, and adds the appropriate ticket to the HTTP headers.
This is the ticket used to identify the session.
4. The user’s request for an application service is sent to the application along
with the session ticket.
5. The Affiliate Agent checks for the portal session ticket authenticity with the
Security Server, and instructs the application to act accordingly.
Advantages/disadvantages
SSO mode provides a single point of login between multiple applications.
You can use it to leverage the capabilities of an external security management
system to authenticate users.
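An added example (not from the guide or from Netegrity) of the session ticket at the centre of the flow above: the Security Server signs a ticket with a key it shares with the agents, the SSO Agent places it in an HTTP header, and the Affiliate Agent's authenticity check consists of verifying the signature and the expiry before trusting the user name inside. The ticket layout, the header name and the use of HMAC-SHA256 are assumptions made for this example; the guide does not describe SiteMinder's actual ticket format.

```go
package main

import (
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha256"
	"encoding/base64"
	"errors"
	"fmt"
	"strconv"
	"strings"
	"time"
)

// SecurityServer holds the secret shared by the SSO Agent (which adds the
// ticket to the HTTP headers) and the Affiliate Agent (which asks whether a
// presented ticket is authentic). The layout used here, base64(user|expiry)
// "." base64(HMAC-SHA256), is a construction for this example only.
type SecurityServer struct{ key []byte }

// NewSecurityServer creates a server with a fresh random 256-bit key.
func NewSecurityServer() (*SecurityServer, error) {
	key := make([]byte, 32)
	if _, err := rand.Read(key); err != nil {
		return nil, err
	}
	return &SecurityServer{key: key}, nil
}

func (s *SecurityServer) sign(payload []byte) []byte {
	mac := hmac.New(sha256.New, s.key)
	mac.Write(payload)
	return mac.Sum(nil)
}

// IssueTicket runs once the user has authenticated (steps 2 and 3): it binds
// the user name to an expiry time and signs both together.
func (s *SecurityServer) IssueTicket(user string, expires time.Time) (string, error) {
	if strings.Contains(user, "|") {
		return "", errors.New("user name may not contain the field separator")
	}
	payload := []byte(user + "|" + strconv.FormatInt(expires.Unix(), 10))
	enc := base64.RawURLEncoding
	return enc.EncodeToString(payload) + "." + enc.EncodeToString(s.sign(payload)), nil
}

// CheckTicket is the authenticity check of step 5. The signature is verified
// before anything in the payload is trusted, then the expiry, and only then
// is the user the session belongs to returned.
func (s *SecurityServer) CheckTicket(ticket string, now time.Time) (string, error) {
	parts := strings.Split(ticket, ".")
	if len(parts) != 2 {
		return "", errors.New("malformed ticket")
	}
	enc := base64.RawURLEncoding
	payload, err := enc.DecodeString(parts[0])
	if err != nil {
		return "", errors.New("malformed ticket payload")
	}
	sig, err := enc.DecodeString(parts[1])
	if err != nil {
		return "", errors.New("malformed ticket signature")
	}
	if !hmac.Equal(sig, s.sign(payload)) { // constant-time comparison
		return "", errors.New("ticket signature invalid")
	}
	fields := strings.SplitN(string(payload), "|", 2)
	if len(fields) != 2 {
		return "", errors.New("malformed ticket payload")
	}
	exp, err := strconv.ParseInt(fields[1], 10, 64)
	if err != nil {
		return "", errors.New("malformed ticket expiry")
	}
	if !now.Before(time.Unix(exp, 0)) {
		return "", errors.New("ticket expired")
	}
	return fields[0], nil
}

func main() {
	srv, err := NewSecurityServer()
	if err != nil {
		panic(err)
	}
	now := time.Now()
	ticket, _ := srv.IssueTicket("alice", now.Add(30*time.Minute))
	fmt.Println("X-Session-Ticket:", ticket) // constructed header name

	user, err := srv.CheckTicket(ticket, now)
	fmt.Println("valid ticket ->", user, err)

	// A payload rewritten to name another user no longer matches its signature.
	parts := strings.Split(ticket, ".")
	altered := base64.RawURLEncoding.EncodeToString([]byte("admin|" + strconv.FormatInt(now.Add(30*time.Minute).Unix(), 10)))
	_, err = srv.CheckTicket(altered+"."+parts[1], now)
	fmt.Println("altered payload ->", err)

	_, err = srv.CheckTicket(ticket, now.Add(time.Hour))
	fmt.Println("after expiry ->", err)
}
```

The order inside CheckTicket matters: the signature is checked before the payload is parsed, so an unsigned or re-signed ticket is rejected without any of its contents being interpreted.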
Basic
When Basic authentication is selected:
1. The user requests the InfoView portal page in a web browser.
2. The user clicks the Login button.
3. The web server requests the user’s credentials.
4. The user enters the credentials (username and password, LDAP username
and password).
5. The web server verifies these credentials against its authentication source.
6. If the credentials are accepted, the web server returns the user’s identity,
which WILoginServer uses to calculate the user’s rights.
Advantages/disadvantages
Be careful when using Basic authentication because passwords are transmitted
openly over the network. There is no encryption. Any eavesdropper can capture
the password, which can lead to replay attacks.
Authentication sources
To authenticate a user, the system checks the username and password entered
at login against preregistered authentication information required for access to
the system.
You set where Business Objects finds this information. This is called the
authentication and authorization source. As a Business Objects administrator,
you can manage this type of user information in the repository, in a third-party
security management system, or in an LDAP database.
Authentication source: Repository
Description: The traditional Business Objects approach, in which each user's authentication information and security profile is entered using Supervisor and stored in the repository's security domain. Users are both authenticated and authorized through the repository, using Business Objects security mechanisms.

Authentication source: External then Repository, and External
Description: Mapping between the external LDAP directory and the Business Objects repository is set by one of two methods:
1. Each user is declared in an external LDAP directory (this makes them external users) and is mapped directly to a user that has been declared by name in the repository using Supervisor. The user must be declared by the same name in both the external directory and the repository. The external user is granted all the rights of the repository user. (If a user is declared only in the repository, the login will still be successful.)
2. Each external user is mapped to one or more repository groups declared using Supervisor, thereby acquiring all the access rights of those groups. The user is declared in the LDAP directory but is not actually named in the repository. The relationship between the external user and the security profiles in the repository is defined in the external directory itself. Authorization is calculated by combining the authorizations of the mapped user groups and their parent groups in the repository.
Only when the setting "External then Repository" is selected will the system first attempt authentication via the LDAP directory; if the user is not found in LDAP, authentication is performed via the Business Objects repository.
For more detailed information on the mapping between externalized users and
the security profiles in the repository, see Mapping LDAP users to Business
Objects on page 93.
Repository source
When used with the Business Objects authentication mode, it is more suitable to
simple deployments with a small user population.
External source
All users are available only in the LDAP directory, so there is no need to
synchronize the user profiles in the Business Objects repository. However, you
cannot manage security at the user level unless the user is declared in the
repository.
This source uses the same LDAP directory for all applications within the
enterprise network.
In most cases, External is the most secure authentication source.
[Flowchart: start authentication; check the source in the repository; is the user declared in the repository? Yes / No.]
What security options and sources can you use with each authentication
mode?
The following tables show which security options and sources can be used with
each type of authentication mode.
Overview
This chapter describes how an LDAP (Lightweight Directory Access Protocol)
based directory works with Business Objects. Managing Business Objects user
identities in this type of system allows you to store user information for all your
enterprise applications—including the Business Objects suite—in a single
corporate directory.
This chapter also covers the LDAP-based external user management systems
supported with this release (Microsoft Active Directory® and
Sun Directory Server®) and how they work with Business Objects.
What is LDAP?
LDAP is a protocol that enables users to share information among applications.
An LDAP-based directory is a database used to store users, groups, distribution
lists, and other objects inside a structure which represents the organization of the
company. It is used for user authentication and retrieval of user attributes such
as identity, email and phone number, position in the company, department,
security groups, and publication lists.
LDAP is based on the X.500 standard, which uses a directory access protocol
(DAP) for client-server communication. LDAP is an alternative to DAP because it
uses fewer resources and simplifies and omits some X.500 operations and
features.
With LDAP, you can:
• store the entire organization (users and resources) on a single directory
• support a well-defined API which is easy to code and use
• work efficiently with popular third-party security management systems like
SiteMinder
• use the PKI infrastructure, which enhances user security
• service a large number of users
• build a solid foundation for UNIX and extranet deployments
LDAP directories are not functional without a network connection.
LDAP queries
The LDAP query is the mechanism used to retrieve and update objects inside the
tree.
Before being able to retrieve objects from an LDAP directory, a client must
establish a connection to the LDAP server. This is called binding. To bind to the
server, the client must provide:
• Connection parameters: LDAP server hostname and port
• Credentials: user’s full distinguished name (FDN) and password
The LDAP user entry is then retrieved from the directory tree. By default the
search query is simple: its base argument is the root entry and its filter
argument is (uid=<loginname>).
Once the user is located in the directory, the DN is known and the password is
validated by issuing an LDAP bind request. Business Objects then retrieves the
user's group membership (symbolic name).
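The search-then-bind sequence above, as an added example that is not part of the original guide. Go's standard library has no LDAP client, so a tiny in-memory directory stands in for the server; what the example shows is the escaping a login name needs before it is placed into the (uid=<loginname>) filter (the RFC 4515 rules), the search that yields the DN, the bind that validates the password, and the group retrieval that follows. Entries, DNs, group names and passwords are constructed test data.

```go
package main

import (
	"errors"
	"fmt"
	"strconv"
	"strings"
)

// EscapeFilterValue applies the RFC 4515 rules so that whatever the user typed
// as a login name is matched literally inside the filter: the characters
// '*', '(', ')', '\' and NUL become "\xx" hex escapes.
func EscapeFilterValue(v string) string {
	var b strings.Builder
	for i := 0; i < len(v); i++ {
		switch c := v[i]; c {
		case '*', '(', ')', '\\', 0x00:
			fmt.Fprintf(&b, "\\%02x", c)
		default:
			b.WriteByte(c)
		}
	}
	return b.String()
}

// UIDFilter builds the default search filter named in the guide.
func UIDFilter(login string) string {
	return "(uid=" + EscapeFilterValue(login) + ")"
}

// unescape reverses EscapeFilterValue for the mock directory below.
func unescape(v string) (string, error) {
	var b strings.Builder
	for i := 0; i < len(v); i++ {
		if v[i] != '\\' {
			b.WriteByte(v[i])
			continue
		}
		if i+2 >= len(v) {
			return "", errors.New("truncated escape sequence")
		}
		n, err := strconv.ParseUint(v[i+1:i+3], 16, 8)
		if err != nil {
			return "", fmt.Errorf("bad escape %q", v[i:i+3])
		}
		b.WriteByte(byte(n))
		i += 2
	}
	return b.String(), nil
}

// Entry is a constructed directory entry. A real LDAP server checks the
// password itself when the client binds as the entry's DN; the mock keeps a
// password only so that step can be shown.
type Entry struct {
	DN, UID, Password string
	Groups            []string
}

// Directory is a minimal in-memory stand-in for the LDAP server.
type Directory struct{ Entries []Entry }

// Search accepts only the exact "(uid=<value>)" shape and matches the
// unescaped value literally against each entry's uid.
func (d Directory) Search(filter string) ([]Entry, error) {
	if !strings.HasPrefix(filter, "(uid=") || !strings.HasSuffix(filter, ")") {
		return nil, fmt.Errorf("unsupported filter %q", filter)
	}
	want, err := unescape(filter[len("(uid=") : len(filter)-1])
	if err != nil {
		return nil, err
	}
	var hits []Entry
	for _, e := range d.Entries {
		if e.UID == want {
			hits = append(hits, e)
		}
	}
	return hits, nil
}

// Bind plays the LDAP bind request: success only if DN and password match.
func (d Directory) Bind(dn, password string) error {
	for _, e := range d.Entries {
		if e.DN == dn && e.Password == password {
			return nil
		}
	}
	return errors.New("invalid credentials")
}

// Authenticate is the sequence the guide describes: locate the entry with the
// uid filter (so the DN becomes known), validate the password with a bind as
// that DN, then return the group membership used for authorization.
func (d Directory) Authenticate(login, password string) (string, []string, error) {
	hits, err := d.Search(UIDFilter(login))
	if err != nil {
		return "", nil, err
	}
	if len(hits) != 1 { // zero: unknown user; more than one: ambiguous, refuse
		return "", nil, fmt.Errorf("expected exactly one entry for %q, found %d", login, len(hits))
	}
	if err := d.Bind(hits[0].DN, password); err != nil {
		return "", nil, err
	}
	return hits[0].DN, hits[0].Groups, nil
}

// SampleDirectory is constructed test data, not real directory contents.
func SampleDirectory() Directory {
	return Directory{Entries: []Entry{
		{DN: "uid=alice,ou=people,dc=example,dc=com", UID: "alice", Password: "s3cret", Groups: []string{"BO_Designers"}},
		{DN: "uid=bob,ou=people,dc=example,dc=com", UID: "bob", Password: "hunter2", Groups: []string{"BO_Users", "Finance"}},
	}}
}

func main() {
	dir := SampleDirectory()
	for _, login := range []string{"alice", "a*", "(alice)"} {
		fmt.Printf("login %-10q -> filter %s\n", login, UIDFilter(login))
	}
	dn, groups, err := dir.Authenticate("bob", "hunter2")
	fmt.Println("bob:", dn, groups, err)
	_, _, err = dir.Authenticate("bob", "wrong")
	fmt.Println("bob, wrong password:", err)
	_, _, err = dir.Authenticate("a*", "anything")
	fmt.Println("login a*:", err)
}
```

With the escaping in place a login name such as "a*" becomes the filter (uid=a\2a), which matches only an entry whose uid is literally "a*"; the asterisk never reaches the server as a wildcard.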
Active Directory
Microsoft Active Directory provides centralized management of users and user
rights. Active Directory:
• is bundled with Windows 2000 Server and 2003 Server
• conforms to the latest LDAP V3 standards
• provides centralized user management for the enterprise domain
• forms a trust relationship between domains
• supports PKI
• supports SSO
Overview
This chapter explains how third-party security management systems work with
the BusinessObjects 6.5 suite.
These systems enable you to have users authenticated in one central location,
with maximum security.
A major reason for using these systems with Business Objects is that they
provide single sign-on (SSO), which allows users to authenticate once, then
access other protected resources without re-authenticating. Depending on your
configuration, this can occur when users enter the operating system, an
enterprise portal, or elsewhere.
These systems usually work together with an LDAP directory. (For a full
discussion of LDAP, see Chapter 4.)
For the list of supported third-party security management systems and versions,
see the PAR:
1. Go to www.techsupport.businessobjects.com.
2. Log into the site.
3. Select Enterprise 6 > PAR > BI Platform 6.
NOTE
Business Objects recommends that you configure your third-party security
management system, as explained in the sections below, before installing the
BusinessObjects 6.5 suite.
Netegrity SiteMinder
SiteMinder is a platform for secure portal, extranet, and intranet management. It
meets key authentication, authorization, and personalization requirements for
building and managing secure websites. SiteMinder is supported by
BusinessObjects 6.5.
Using SiteMinder, you can easily implement security policies that protect web
applications and resources. It enables you to manage both authentication and
authorization privileges based on a user-centric, policy-based model for security.
SiteMinder is a directory-enabled, standards-based system that can work with
heterogeneous web and application servers, operating systems, and application
development platforms.
The following diagram illustrates how SSO works with SiteMinder. The components involved are the client, the SSO Agent on the web server, and the Security Server:
1. The user logs into InfoView. The call is redirected by the SSO Agent for credential checks.
2. The SSO Agent queries the Security Server to authenticate the user. If the user is authenticated, the Security Server instructs the Agent on the policy to follow for the user.
3. The SSO Agent redirects the user’s calls to the web server according to the Security Server policy, and adds the appropriate ticket to the HTTP headers. This is the ticket used to identify the session.
SiteMinder components
A SiteMinder installation has two main components:
• Policy Server
• Web Agent
Policy Server
The SiteMinder Policy Server manages the access-control policies established
by an administrator. These policies define which resources are protected and
which users or user groups are allowed access to resources. Using policies, you
can set time constraints on resource availability and IP address constraints on
the client attempting access.
The Policy Server runs on a Windows or UNIX system and performs key security
and portal management operations. To meet the security needs of each
environment, the Policy Server supports a range of authentication methods and
uses existing directory services to authenticate users. By supporting a wide
range of authentication methods, the Policy Server provides flexibility and
security for a diverse set of users.
To define policies, administrators use the Policy Server User Interface. This web-
based application enables you to create policies that protect any resource, and
lets you configure responses that supply data for web applications.
Web Agent
SiteMinder Web Agents work with the Policy Server to authenticate and authorize
users for access to resources on a web server.
The Web Agent is integrated with a web server or application server. The agent
intercepts requests for a resource and determines whether or not the resource is
protected by SiteMinder.
The SiteMinder Agent Operations Guide describes how to manage web agents
according to the web server or web application server with which they are
integrated.
Preparing Your Environment
Overview
This chapter describes how to set up basic network and system security. This
includes:
• setting up firewalls
• setting up a reverse proxy
• configuring security on Windows 2003
• installing the BusinessObjects 6.5 suite
• activating SSL
• setting security for the Business Objects environment
Setting up firewalls
Here’s an overview of the overall security implementation process, and where
you should be now. Optional steps are in red:
(Figure: cluster topology showing the database, the intranet and two secondary nodes.)
Firewall restrictions
This release does not support a firewall between Business Objects server components (such as a “dead” secondary node), nor between the primary and secondary nodes in the cluster.
However, you can have the application server in its own DMZ, separated from the
cluster by one or more firewalls. This is called a deported application server. For
information, see the Deploying the Business Objects System guide.
(Figures: firewall topologies. Components shown: IIS, the database, the WAN, the intranet, the repository and a secondary node; one variant uses double firewalls, another a single firewall protecting the cluster.)
6. Run the Configuration Tool on the application server machine, configuring the
machine as a client node.
If you’re using NAT (Network Address Translation) between the application
server client node and the other cluster nodes, when you run the
Configuration Tool on the application server node, you must configure the
ORB using the node’s hostname, not IP address.
If you start the primary node, you should be able to ping the client node
hostname from the primary node.
7. Deploy the Business Objects web applications (InfoView and the
Administration Console at least) on the web and application servers, using
either the Configuration Tool, the wdeploy script, or manual configuration
procedures.
8. Test the configuration by running an Internet browser on a client machine and
typing the URL pointing to the primary node (for example, http://server1/
wijsp).
The list of the ports you must open is displayed in the Administration Console. You can also retrieve this list using the wasfadm utility, for example:
% wasfadm -port
Although it is possible to place the reverse proxy outside the outer firewall, there
are important reasons to have the reverse proxy within the DMZ:
• With the reverse proxy inside the firewall, it benefits from the protection of the
outer firewall
• The reverse proxy may need to cross the DMZ to access the security server
in the intranet. Because the outer firewall allows HTTP access only, it would
not permit this connection.
When you deploy a reverse proxy within a DMZ, you must use one of the following configurations, depending on whether you have a JSP or an ASP deployment.
JSP deployments
In this schema:
• the reverse proxy and the web server are positioned within the DMZ
• the outer firewall provides access control for users trying to use the system
from the Internet
• the reverse proxy provides authentication and data control
(Figure: JSP reverse-proxy topology. Components shown: client users, outer firewall, DMZ containing the reverse proxy and the web server, inner firewall, application server, primary and secondary nodes, repository database, intranet.)
ASP deployments
In this schema:
• the reverse proxy is situated within the DMZ
• the outer firewall provides access control for users trying to use the system
from the Internet
• the web server provides authentication and data control
(Figure: ASP reverse-proxy topology. Components shown: client users, outer firewall, DMZ containing the reverse proxy, inner firewall, combined application/web server, primary and secondary nodes, repository database, intranet.)
Now that you have set up your firewalls and planned your overall Business
Objects deployment, you install the BusinessObjects 6.5 suite.
See the Installation and Configuration Guide (Windows or UNIX) for instructions.
Activating SSL
Here’s an overview of the overall security implementation process, and where
you should be now. Optional steps are in red:
5. Test the SSL security by logging into InfoView from a client browser using
https://<Business Objects Host Name>/<wiasp or wijsp>
If you can log in, SSL security is functioning.
After the web server is set up to work with SSL, Business Objects uses the same HTTPS connection for sending and receiving information to and from the client.
Undeploying Apache
To undeploy Apache:
1. Stop Apache and the Business Objects server.
2. Undeploy Apache using the Configuration Tool.
(See the Installation and Configuration Guide for instructions.)
There is no need to undeploy Tomcat as the application server. You are only deleting the virtual directory for the web server.
4. Restore your original httpd.conf file back into the conf directory
5. Temporarily restart Apache to make sure it is still listening on its original port.
Installing OpenSSL
To install OpenSSL:
1. Open OpenSSL-0.9.6h-Win32.zip from the Business Objects CD.
2. Extract the following three files, and place them directly into the
\WINNT\System32 folder:
- libeay32.dll
- ssleay32.dll
- openssl.exe
OpenSSL 0.9.6h is the build shipped on the 6.5 CD and has long been out of support; for anything beyond a test installation, obtain a current, supported OpenSSL build for Windows.
4. Comment out your original Port line (the Listen options override it).
5. Add the lines from the httpd.conf.ssl file to the end of the file. (This file is available in the zip file.)
The browser warns because you created and signed the certificate yourself, so it does not recognize the CA that you represent. Note in the picture above that the alert concerns only the issuer; the validity dates and the subject name are accepted. If the subject name also raises a warning, you probably created the certificate with an incorrect server name.
In order for the WebIntelligence Java Report Panel to transparently establish a connection back to the server via this SSL-enabled route, you must install this certificate in your browser’s certificate store. Doing so means the browser treats the certificate as if it came from a trusted CA, so install only a certificate you generated yourself and can verify; for production deployments, prefer a certificate issued by a CA your clients already trust.
Notice that this certificate has been issued by the same server/CA as the machine it is destined for, <name of machine>.
6. Click Install Certificate.
7. Accept all of the defaults.
8. After the certificate is installed, open a new browser and retry your SSL-enabled URL, https://localhost. This time it should allow you to enter.
9. Stop the Apache instance you started interactively by pressing Ctrl-C in the open window.
10. Install it as an NT service using:
apache.exe -k install
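The checks the browser performs in the procedure above, worked as an added example in Python (not part of the original guide and not Business Objects code). It reproduces the three checks the browser warning refers to, issuer, validity dates and subject name, over a certificate in the dict form returned by Python's ssl.SSLSocket.getpeercert(), and models what installing the certificate in the store changes. The host name boserver.example.com, the CA name and the dates are constructed for the example.

```python
"""Model the three checks a browser makes on a server certificate: issuer,
validity dates and host name, plus what "Install Certificate" changes.

Added example: certificates are in the dict form that Python's
ssl.SSLSocket.getpeercert() returns; the host name, CA name and dates
below are constructed, not taken from a real deployment.
"""
import ssl
import time

# Constructed sample: a certificate you generated and signed yourself for the
# Business Objects host, so issuer and subject carry the same name.
SELF_SIGNED_CERT = {
    "subject": ((("commonName", "boserver.example.com"),),),
    "issuer": ((("commonName", "boserver.example.com"),),),
    "notBefore": "Jan  1 00:00:00 2024 GMT",
    "notAfter": "Dec 31 23:59:59 2025 GMT",
    "subjectAltName": (("DNS", "boserver.example.com"),),
}

# Constructed: issuers the browser's certificate store already trusts.
TRUSTED_ISSUERS = frozenset({"Example Corporate CA"})

# Constructed instants: inside the validity period, and after it.
SAMPLE_NOW = ssl.cert_time_to_seconds("Jun  1 12:00:00 2024 GMT")
AFTER_EXPIRY = ssl.cert_time_to_seconds("Jan  1 00:00:00 2026 GMT")


def rdn_value(name, key):
    """Pull one attribute (e.g. commonName) out of a getpeercert() name tuple."""
    for rdn in name:
        for attr, value in rdn:
            if attr == key:
                return value
    return None


def hostname_matches(pattern, hostname):
    """Exact match, or a single leading '*.' wildcard covering one label."""
    pattern, hostname = pattern.lower(), hostname.lower()
    if pattern.startswith("*."):
        return (hostname.count(".") == pattern.count(".")
                and hostname.endswith(pattern[1:]))
    return pattern == hostname


def check_server_cert(cert, hostname, now=None, trusted_issuers=TRUSTED_ISSUERS):
    """Return the warnings a browser would raise, in the order issuer, dates, name."""
    now = time.time() if now is None else now
    warnings = []

    issuer_cn = rdn_value(cert["issuer"], "commonName")
    subject_cn = rdn_value(cert["subject"], "commonName")
    if issuer_cn not in trusted_issuers:
        kind = "self-signed" if issuer_cn == subject_cn else "unknown"
        warnings.append(f"issuer: {kind} issuer '{issuer_cn}' is not trusted")

    if now < ssl.cert_time_to_seconds(cert["notBefore"]):
        warnings.append("dates: certificate is not yet valid")
    if now > ssl.cert_time_to_seconds(cert["notAfter"]):
        warnings.append("dates: certificate has expired")

    # Browsers match subjectAltName DNS entries; the subject CN is the fallback.
    names = [v for k, v in cert.get("subjectAltName", ()) if k == "DNS"]
    names = names or ([subject_cn] if subject_cn else [])
    if not any(hostname_matches(n, hostname) for n in names):
        warnings.append(f"name: certificate is for {names}, not '{hostname}'")
    return warnings


def install_certificate(cert, trusted_issuers=TRUSTED_ISSUERS):
    """Model 'Install Certificate': the store now trusts this certificate's issuer.
    For a self-signed certificate, that is the server acting as its own CA."""
    return trusted_issuers | {rdn_value(cert["issuer"], "commonName")}


if __name__ == "__main__":
    for host in ("boserver.example.com", "localhost"):
        print(host, check_server_cert(SELF_SIGNED_CERT, host, SAMPLE_NOW))
    trusted = install_certificate(SELF_SIGNED_CERT)
    print("after install:",
          check_server_cert(SELF_SIGNED_CERT, "boserver.example.com", SAMPLE_NOW, trusted))
```

Run stand-alone, the first line shows only the issuer warning for the correctly named host, the second adds a name warning for https://localhost, and the third is empty once the self-signed issuer has been installed into the store. That last result is the point of the caveat above: installing the certificate silences the warning by making your own server a trusted CA in that browser.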
Overview
This chapter describes how to configure an LDAP directory to work with Business
Objects. First, general LDAP configuration is discussed, then specific instructions
are given for using Microsoft Active Directory and Sun Directory Server.
Here’s an overview of the overall security implementation process, and where
you should be now. Optional steps are in red:
(Figure: user-to-user mapping. The LDAP tree North America > Ontario holds cn = ‘John Smith’; the repository holds Instance 1 and Instance 2 of John Smith. A South America branch also appears.)
The LDAP user is mapped to the user instances in the repository, in this case to
Instance 1 and 2 of John Smith.
In this case, more than one LDAP user can be mapped to a single repository
user.
(Figure: attribute-based mapping. The LDAP tree North America > Ontario holds cn = ‘John Smith’ with the role attribute NSROLE = Group 1, Group 22. A South America branch also appears.)
The LDAP server maps the external user attribute to groups in the repository, in
this case to Group 1 and Group 22.
In this example, the attribute, NSROLE, includes Group 1 and Group 22 for user
John Smith. Therefore, when John logs in, he inherits the access rights defined
for Groups 1 and 22 in the repository.
The main constraint here is that you need the attribute in your LDAP schema. If
there is already one that can be used, it’s easier. If not, you must modify your
schema, which is not acceptable in most cases.
This solution is often used when:
• the LDAP group structure doesn’t match the structure of repository users or
groups
• you want to merge an existing LDAP directory and a legacy repository whose
group organizations are different
• LDAP groups could not be used in Business Objects to define rights at the
group level
(Figure: group-based mapping. The LDAP tree North America > Ontario holds cn = ‘John Smith’ and Group = ‘Group 11’ with members John Smith and Mary Jones; the South America branch holds Group = ‘Group 2’ with members John Smith and Steve Adams.)
The LDAP user groups are mapped to groups in the repository (Group 11 and
Group 2). LDAP Group 2 has the members John Smith and Steve Adams, who
inherit the Business Objects group rights of Group 2.
Therefore, user John Smith also inherits the group rights of Group 11.
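The three mapping modes above, worked as an added Python example (not from the guide and not Business Objects code). The dictionaries stand in for the LDAP directory, the LDAP groups and the repository; the DNs, the uid values and the rights attached to each group are constructed, while the user, attribute and group names are the guide's own.

```python
"""The three LDAP-to-repository mapping modes, worked with the guide's example
data: user-to-user, by attribute (NSROLE) and by LDAP group membership.

Added example. The dictionaries below stand in for the LDAP directory, the
LDAP groups and the repository; DNs, uids and group rights are constructed.
"""

# Constructed LDAP directory: DN -> attributes (multi-valued, as in LDAP).
JOHN = "cn=John Smith,ou=Ontario,ou=North America,o=example"
MARY = "cn=Mary Jones,ou=Ontario,ou=North America,o=example"
STEVE = "cn=Steve Adams,ou=South America,o=example"

LDAP_ENTRIES = {
    JOHN: {"cn": ["John Smith"], "uid": ["jsmith"], "NSROLE": ["Group 1", "Group 22"]},
    MARY: {"cn": ["Mary Jones"], "uid": ["mjones"], "NSROLE": []},
    STEVE: {"cn": ["Steve Adams"], "uid": ["sadams"], "NSROLE": ["Group 22"]},
}

# Constructed LDAP groups: group name -> member DNs (as in the guide's figure).
LDAP_GROUPS = {
    "Group 11": [JOHN, MARY],
    "Group 2": [JOHN, STEVE],
}

# Constructed repository: user instances per external user, and group rights.
REPOSITORY_USERS = {
    "John Smith": ["Instance 1", "Instance 2"],
    "Steve Adams": ["Instance 1"],
}
REPOSITORY_GROUP_RIGHTS = {
    "Group 1": {"view reports"},
    "Group 22": {"view reports", "refresh documents"},
    "Group 11": {"view reports", "edit documents"},
    "Group 2": {"schedule documents"},
}


def map_user_to_user(dn):
    """User-to-user mapping: the LDAP cn selects the repository user instances."""
    cn = LDAP_ENTRIES[dn]["cn"][0]
    return list(REPOSITORY_USERS.get(cn, []))


def map_by_attribute(dn, attribute="NSROLE"):
    """Attribute mapping: each value of the attribute names a repository group.
    Values naming no repository group grant nothing."""
    values = LDAP_ENTRIES[dn].get(attribute, [])
    return [g for g in values if g in REPOSITORY_GROUP_RIGHTS]


def map_by_group(dn):
    """Group mapping: the LDAP groups the user belongs to select repository groups."""
    return sorted(g for g, members in LDAP_GROUPS.items()
                  if dn in members and g in REPOSITORY_GROUP_RIGHTS)


def effective_rights(groups):
    """A user inherits the union of the rights of every mapped group."""
    rights = set()
    for g in groups:
        rights |= REPOSITORY_GROUP_RIGHTS[g]
    return rights


if __name__ == "__main__":
    print("user-to-user:", map_user_to_user(JOHN))
    groups = map_by_attribute(JOHN)
    print("attribute   :", groups, sorted(effective_rights(groups)))
    groups = map_by_group(JOHN)
    print("group       :", groups, sorted(effective_rights(groups)))
```

In the attribute and group modes, whoever can write NSROLE or LDAP group membership decides which repository rights a user receives; those directory attributes therefore need the same change control as the repository itself.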
Supervisor
Users stored externally are not visible in Supervisor.
The supervisor and the designer users cannot be externalized. They can be
authenticated externally but must still be administered in the repository.
InfoView
Send To workflow
To limit the scope of LDAP searches in the Send To workflow, not all LDAP users
can be displayed in the drop-down list at the same time. To find an LDAP user,
type the first letters of the user’s name.
Broadcast Agent
Broadcast Agent requires a Broadcast Agent user to execute tasks. This user
must still be declared and authenticated through the repository; you can't
externalize Broadcast Agent users through LDAP.
SSO requirements
SSO requirements for Active Directory depend on the way in which users access
Business Objects: either via a thick client, or over the web. In both scenarios, the
security plug-in obtains the security context for the user from the authentication
provider, and grants the user an active Business Objects session if the user is a
member of a mapped Active Directory group.
To obtain SSO functionality over the web, the system must use Microsoft
components only. Specifically, the user must be running Internet Explorer on a
Windows operating system, and the web server must be IIS.
Security Connector
When you install the BusinessObjects Suite, make sure you select the Security
Connector for LDAP. It is found in the Installer under Administration Products >
Security Connector > LDAP.
Later, in the Advanced LDAP Configuration, you will come to the Mapping page.
Overview
This chapter explains how to configure a third-party security management
system, Netegrity SiteMinder, to work with the BusinessObjects 6.5 suite.
Here’s an overview of the overall security implementation process, and where
you should be now. Optional steps are in red:
Configuring SiteMinder
Before you begin...
Before setting up SiteMinder, Business Objects recommends that you read the
SiteMinder documentation:
• Concepts Guide
• Deployment Guide
• Release Notes
• Installation Guide
• Agent Operations Guide
NOTE
This guide includes information about SiteMinder that is current at the time of
writing. Check the SiteMinder documentation to verify that the information is still
up to date.
Supported platforms
Make sure your platform and operating system are supported for use with both
BusinessObjects 6.5 and SiteMinder 5.5. You can do this by checking the PAR:
1. Go to www.techsupport.businessobjects.com.
2. Log into the site.
3. Select Enterprise 6 > PAR > BI Platform 6.
You must use WebAgent version 5 QMR6 HF 007.
(Figure: example SiteMinder topology. Users connect over the network to the primary node, which hosts the Business Objects server, the SiteMinder Web Agent and the web server. A secondary node hosts the SiteMinder Policy Server, and an LDAP server is also on the network.)
Note that the LDAP server can be located on any machine in the network. In
order for users to be logged into Business Objects products using SiteMinder's
SSO feature, their Business Objects user names must correspond to their LDAP
user names.
If you are using SiteMinder with SSO authentication, you must use an LDAP user
directory. Make sure you declare an LDAP server when you create the Business
Objects agent in SiteMinder.
You set the mode on the Authentication Mode page of the Business Objects
Security Configuration Tool.
The following table shows the parameters you need to set in either case.
Configuring the Web Agent for use with BusinessObjects in 3-tier mode
To be able to install and use 3-tier deployments of BusinessObjects with
Netegrity SiteMinder’s SSO feature, you must do one of the following:
• In your Policy Server, create an unprotected realm under your principal realm,
which contains as Resource Filter the distribution folder (wijsp/distribution or
wiasp/distribution).
• Enable persistent cookies (PersistentCookies=yes)
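The SSO flow described earlier (the Agent redirecting unauthenticated calls for credential checks, then passing authenticated calls on with a ticket) and the unprotected distribution realm just described, modelled as an added Python example. It is not SiteMinder code: the realm names, the resource filters, the session cookie name and the ticket values are assumptions made for the example.

```python
"""Simplified model of a SiteMinder-style Web Agent: match the request path to
the most specific realm, and require a session ticket only for protected ones.

Added example, not SiteMinder code. Realm names, resource filters, the
session cookie name and the ticket values are assumptions for the example.
"""
import posixpath
from dataclasses import dataclass
from urllib.parse import unquote


@dataclass(frozen=True)
class Realm:
    name: str
    resource_filter: str  # normalised path prefix, no trailing slash
    protected: bool


# Constructed policy: the protected principal realm for a JSP deployment and
# the unprotected realm for the distribution folder that 3-tier mode needs.
REALMS = (
    Realm("BO Agent-realm", "/wijsp", protected=True),
    Realm("BO distribution", "/wijsp/distribution", protected=False),
)


def normalise(path):
    """Decode %xx escapes and collapse '.', '..' and repeated slashes, so a
    request cannot select the unprotected realm with a raw prefix match and
    then climb out of it."""
    return posixpath.normpath("/" + unquote(path).lstrip("/"))


def under(path, prefix):
    """True when path is prefix itself or lies below it."""
    return path == prefix or path.startswith(prefix + "/")


def match_realm(path, realms=REALMS):
    """The most specific matching resource filter (longest prefix) wins."""
    path = normalise(path)
    hits = [r for r in realms if under(path, r.resource_filter)]
    return max(hits, key=lambda r: len(r.resource_filter), default=None)


def agent_decision(path, cookies, valid_tickets=frozenset(), realms=REALMS):
    """Return ('allow' | 'redirect', realm name).

    'redirect' sends the user to the security server for credential checks;
    'allow' passes the request on to the web server."""
    realm = match_realm(path, realms)
    if realm is None:
        return "allow", None          # not covered by any realm
    if not realm.protected:
        return "allow", realm.name    # e.g. the applet distribution folder
    if cookies.get("SMSESSION") in valid_tickets:
        return "allow", realm.name    # the ticket identifies an authenticated session
    return "redirect", realm.name


if __name__ == "__main__":
    tickets = frozenset({"ticket-123"})   # constructed: tickets the server issued
    for path, cookies in (
        ("/wijsp/distribution/applet.jar", {}),
        ("/wijsp/report.jsp", {}),
        ("/wijsp/report.jsp", {"SMSESSION": "ticket-123"}),
        ("/wijsp/distribution/%2e%2e/report.jsp", {}),
    ):
        print(path, "->", agent_decision(path, cookies, tickets))
```

Because the distribution realm is unprotected, anything under wijsp/distribution is served to any client that can reach the web server, so that folder should contain only the applet distribution files. The model also decodes and normalises the path before matching: a request for wijsp/distribution/../report.jsp must resolve to the protected realm, not to the unprotected one that merely prefixes the raw string.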
3. Give the agent type a name, such as BO Agent, and define the following
actions:
- Search (use identifier 222)
- SearchGroup (identifier 223)
- SearchUsers (identifier 224)
4. When you finish entering the information, click OK.
The Administration Console reappears.
Creating the agent
To create the agent:
1. On the System tab, right-click Agents, and then select Create Agent.
The Agent Properties dialog box appears.
2. Give the agent a name, such as boagent, and enter the following:
- IP address or host name of the machine (usually the same as for the Web
Agent)
- Shared secret
3. Click OK.
The Administration Console reappears.
Creating responses for the agent
Responses are actions the BO Agent performs. You must create the following
three responses for the BO Agent:
• Search
• SearchGroup
• SearchUsers
For example, the Attribute Setup tab for the SearchUsers response would
look like this:
4. When you have finished defining the three responses, click OK.
5. Close the Response Properties dialog box.
The Administration Console reappears.
Creating a realm
You must now create a realm, and then add rules to it.
To create a realm:
1. On the Domains tab, right-click Realms, and then select Create Realm.
The Realm Properties dialog box appears.
2. Give the realm a name, such as BO Agent-realm.
3. Enter the required information in the various tabs. In the Advanced tab, in the
Directory Mapping area, make sure you select a user directory.
4. When you finish entering the information on the three tabs, click OK.
The Administration Console reappears.
5. In the Domains tab, right-click the name of the realm, and then select Create
Rule under Realm.
The Rule Properties dialog box appears.
6. Add rules for the three BO Agent actions:
Overview
This chapter describes how to use the Security Configuration Tool.
Here’s an overview of the overall security implementation process, and where
you should be now. Optional steps are in red:
The Security Configuration Tool can be used from any node which has a valid
repository key file. Although you can modify your configuration at any time, the
changes will not take effect until the cluster is restarted from the Administration
Console.
The Authentication and Authorization Source page appears. The procedures you
now follow depend on the authentication mode you selected:
• If you selected Business Objects authentication, go directly to Setting the
source for standard modes on page 129.
• If you selected Windows authentication, read If you chose Windows
authentication on page 124, and then go to Setting the source for standard
modes on page 129.
• If you selected Basic authentication, read If you chose Basic authentication
on page 126, and then go to Setting the source for standard modes on
page 129.
• If you selected Single Sign-on, go directly to Setting the source for SSO mode
on page 130.
NOTE
NT accounts refers to both Windows NT and Windows 2000 accounts.
Business Objects supports user and group accounts that are created with
Windows NT or Windows 2000. However, before users can use their NT user
name and password to log on to Business Objects, their NT user account must
be mapped to a new or existing Business Objects account.
Note that this is in addition to the mapping you perform using the Security
Configuration Tool.
Users will now be able to log on to InfoView using their NT account if they use the
following format:
• \\NTDomainName\NTusername
• \\NTMachineName\LocalUserName
Users do not have to specify the NT Domain Name if it is specified in the Default
NT Domain field on the Windows NT tab.
Go to Setting the source for standard modes on page 129.
5. If you selected Bind with the following account, enter the account name and
bind password of your LDAP account in the Account DN and Bind Password
boxes. Read access is sufficient; use a dedicated account with read-only rights to the user and group entries rather than a directory administrator account.
The Bind user name and password are for the LDAP account used to log into
LDAP and query for user attributes and groups.
6. Click Next.
The Mapping page appears.
2. If you want to set LDAP attributes and filter queries, click Advanced, and go
to Customizing LDAP query parameters on page 134.
If you use a standard LDAP schema (users identified by ID or user-to-
repository mapping based on group or LDAP attributes), then you do not need
to set the Advanced LDAP Configuration.
3. Click Next.
The Final Confirmation page appears. Go to Confirming your configuration on
page 139.
When you click Advanced on the Mapping page, the Advanced LDAP
Configuration page appears.
Creating an attribute
Each object in an LDAP directory is defined as a set of attributes, each attribute
having one or more values.
To create a new attribute:
1. Under the Attribute Returned area, click New.
The LDAP Attribute Configuration dialog box appears.
Editing an attribute
To edit an attribute:
1. In the Attribute Returned area, highlight the attribute you want to edit.
2. Click Edit.
The LDAP Attribute Configuration dialog box appears.
3. Make the changes you want. (See Creating an attribute on page 136 for
instructions.)
4. Click OK.
The Advanced LDAP Configuration page reappears.
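The LDAP filter queries referred to under the Mapping page and the Advanced LDAP Configuration, as an added Python example (not from the guide and not the security connector's code). It builds the search filter used to find a user by ID and escapes the value as RFC 4515 requires; a login such as * or jsmith)(uid=* would otherwise change the meaning of the filter. The attribute names, the object class and the sample logins are constructed.

```python
"""Build LDAP search filters for user and group lookups with the assertion
value escaped per RFC 4515, beside the naive version that is open to
filter injection.

Added example. Attribute names, object class and sample logins are
constructed for this illustration.
"""

# RFC 4515 section 3: these characters must be hex-escaped inside a value.
FILTER_ESCAPES = {
    "\\": r"\5c",
    "*": r"\2a",
    "(": r"\28",
    ")": r"\29",
    "\x00": r"\00",
}


def escape_filter_value(value):
    """Escape one assertion value for use inside an LDAP search filter."""
    return "".join(FILTER_ESCAPES.get(ch, ch) for ch in value)


def build_user_filter(login, id_attribute="uid", object_class="person"):
    """Filter matching the user whose id_attribute equals login, and nothing else."""
    return f"(&(objectClass={object_class})({id_attribute}={escape_filter_value(login)}))"


def build_group_filter(member_dn, member_attribute="uniqueMember"):
    """Filter returning the groups that list member_dn as a member. Commas and
    equals signs are legal in a DN; only the RFC 4515 set is escaped."""
    return f"({member_attribute}={escape_filter_value(member_dn)})"


def unsafe_user_filter(login, id_attribute="uid"):
    """The naive version, kept only to show what the escaping prevents:
    a login of '*' matches every person in the base."""
    return f"(&(objectClass=person)({id_attribute}={login}))"


if __name__ == "__main__":
    for login in ("jsmith", "jsmith)(uid=*", "*"):
        print(repr(login))
        print("  unsafe:", unsafe_user_filter(login))
        print("  safe  :", build_user_filter(login))
```

With escaping, a login of * searches for a user literally named "*" and finds nobody; without it, the same filter matches every person under the search base, which is the difference between a failed login and an ambiguous (or wrong) user match.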