510 likes | 591 Views
Information Security and WebFOCUS. Penny J Lester SVP Delivery Services August 22, 2008. Authentication.
E N D
Information Security and WebFOCUS Penny J Lester SVP Delivery Services August 22, 2008
Authentication • “Authentication (from Greek αυθεντικός; real or genuine, from authentes; author) is the act of establishing or confirming something (or someone) as authentic, that is, that claims made by or about the thing are true. “
Authorization • “Authorization (deciding whether to grant access) is a separate concept to authentication (verifying identity), and usually dependent on it.”
www.google.com/a/security • Google surveyed 575 IT professionals
Information Security • A layered approach to authentication and authorization (auth/auth) • Physical • Network • Operating System (OS) • RDBMS • Application
Physical Security • Secure the hardware • Active Reports • Secure the server room • Secure your passwords • Do not share it • Do not write it down
Network Security • Implement a single sign on (SSO) in a Windows network • Update the client odin.cfg
Network Security • Implement a single sign on (SSO) in a Windows network • Update site.wfs
Network Security • Implement a single sign on (SSO) in a Windows network • site.wfs (cont.)
Network Security • Implement a single sign on (SSO) in a Windows network • site.wfs (cont.)
Operating System Security • Five authentication options • OPSYS • PTH • DBMS • LDAP • OFF
Operating System Security • OPSYS • Authentication against OS • Authorization based on OS IDs • Administrators have full access to web console • OS ID impersonated to run reports
Operating System Security • OPSYS – PLester57 is not an Administrator
Operating System Security • OPSYS – Penny is the Administrator
Operating System Security • OPSYS – authenticate ID to OS, not an Administrator
Operating System Security • OPSYS – authenticate ID to OS, not an Administrator
Operating System Security • OPSYS – authenticate ID to OS, is an Administrator
Operating System Security • OPSYS – authenticate ID to OS, is an Administrator
Operating System Security • OPSYS – authenticate ID to OS, is invalid
Operating System Security • OPSYS – authenticate ID to OS, is invalid
Operating System Security • PTH • Authentication against admin.cfg • Authorization • if ID is in admin.cfg can access WebFOCUS Web Console and run reports • if not can only run reports
Operating System Security • PTH – Configured 1 administrator
Operating System Security • PTH – Penny is administrator ID
Operating System Security • PTH – ID “admin” is not administrator
Operating System Security • PTH – ID “Penny” unrestricted access • PTH – ID “admin” restricted access
Operating System Security • DBMS • Authentication against Database vs. the OS • Authorization • if ID is in the DBMS can run reports • if ID is not in the DBMS cannot run reports Note: the ID’s must be set up in the DBMS to use SQL authentication vs. Windows authentication
Operating System Security • DBMS – RDBMS must be up!
Operating System Security • DBMS – Notice no IWA
Operating System Security • DBMS Authentication • Penny • Windows
Operating System Security • DBMS Penny IWA
Operating System Security • DBMS Authentication • SQLUser • SQL Server
Operating System Security • DBMS SQLUser SQL Server
Operating System Security • LDAP • Authentication against LDAP file • Authorization • if ID is in the LDAP file(s) can run reports • if ID is not in the LDAP file(s) cannot run reports
Operating System Security • LDAP
Operating System Security • LDAP – Microsoft Active Directory
Operating System Security • OFF – Danger!! • “badID” can do anything the administrator ID that started the server can do!!
Database Security • DBMS can be used for Authentication
Database Security • Data Adapter – Explicit
Database Security • Data Adapter – Explicit, invalid ID/pwd
Database Security • Data Adapter – Password Passthru
Database Security • Data Adapter – Trusted
Application Security • Managed Reporting Environment
Application Security • Managed Reporting Environment • Authentication
Application Security • Managed Reporting Environment • Authorization
Application Security • Managed Reporting Environment • Analytical User
Application Security • Managed Reporting Environment • Content Manager
Summary • A layered approach to authentication and authorization (auth/auth) • Physical • Network • Operating System (OS) • RDBMS • Application • WebFOCUS hits four out of five!