Configuring Pre-Authentication, External Authentication or External Authorization

Configuring pre-authentication, external authentication, or external authorization requires you to perform the following tasks:

  1. Create a WebFOCUS administrator account whose name matches an account in the external authentication source.
  2. Ensure backup access to WebFOCUS before configuring pre-authentication or external authentication. This is strongly recommended. For external authentication or authorization, this means configuring the superuser. For pre-authentication, this means also enabling the alternate zone.
  3. Configure a trusted connection between the WebFOCUS Client and the WebFOCUS Server.
  4. If you wish to use separate authentication methods for default authentication, alternate authentication, mobile authentication, or portlet authentication, configure the security zones to support your requirements.
  5. For pre-authentication, configure pre-authentication as appropriate for your needs. For external authentication or authorization, configure a security provider on the WebFOCUS Server and then configure the WebFOCUS Client to authenticate to the WebFOCUS Server.
  6. For external authorization, map external groups.

Procedure: How to Create a TIBCO WebFOCUS Administrator Account for External Sources

Because the default WebFOCUS administrator account, admin, generally does not exist in the external source, it cannot be authenticated once pre-authentication or external authentication has been successfully configured. The account that you create will exist in both WebFOCUS and the external source so that you can use it for administrative access to WebFOCUS once you have restarted WebFOCUS in its new authentication configuration.

The user ID of the WebFOCUS administrator account that you create must match an account in the external source, although it does not need to be an administrator in the external source. For example, if you are configuring pre-authentication to a Web Access Management system, the WebFOCUS user name should be identical to the Web Access Management user ID.

If you are configuring external authentication to LDAP, the WebFOCUS user name should be identical to the LDAP user name. If you are configuring pre-authentication to Windows, specify the Windows account without the domain name.

  1. In the Security Center, under Users, click New User.
  2. Type an account name that is identical to the user ID of an account in the external source.
  3. Type a password and the password confirmation.

    Note: WebFOCUS ignores this password when you sign in using pre-authentication or external authentication. However, if you have configured pre-authentication in the default zone, enabled the alternate zone, and left External Security Type blank, this password will be verified if it is supplied during sign in from the alternate zone.

  4. Optionally, type a description and an email address.
  5. In the Create in Group list, click GroupAdmins. Leave the account status as Active.
  6. Click OK to save your changes and exit the New User dialog box.
  7. Close or move away from the Security Center.

You have now created the WebFOCUS account that you will use for administrative access once you have restarted WebFOCUS in the new authentication configuration. You can now proceed to enabling superuser access to WebFOCUS.

Procedure: How to Enable Superuser Access

Superuser access overrides all other security rules. The superuser account can be internally authenticated to WebFOCUS, even if pre-authentication, external authentication, or external authorization is misconfigured or unavailable. You should use the superuser account only if you encounter sign-in problems with the administrator account while configuring authentication. After validating that the configuration has been successful, you should either disable superuser access or protect the superuser password.

  1. In the Administration Console, click the Security tab.
  2. Under the Security Configuration folder, click Advanced.
  3. In the Root User field, type the superuser account name. In the Root Password field, type the superuser password, then click Save.

    Note: Do not specify the WebFOCUS administrator account that you created for use after configuration is complete.

  4. When you receive a message stating that the changes were saved successfully, click OK.
  5. When you receive a message asking you to clear the cache, click OK.
  6. In the Administration Console menu bar, click Clear Cache.
  7. When you receive a message confirming that the cache is cleared, click OK.

You have now enabled superuser access for the named account. If you are configuring pre-authentication, you can enable the alternate zone so that the superuser can sign in, even if pre-authentication is misconfigured.

If you are configuring external authentication, you can test superuser access by signing out and then signing in with the new superuser credentials.

Once you have verified superuser access, you can proceed by configuring a trusted connection between the WebFOCUS Client and the WebFOCUS Server.

Procedure: How to Configure a Reverse Proxy for Apache Tomcat

If you are planning to use a reverse proxy configuration with an Apache Tomcat™ application server, you must configure a setting in the server.xml file to ensure that all URL calls use the address of the web-facing proxy server, instead of the internal server. Otherwise, some features, such as drill downs in Microsoft® Excel® 2007 reports, retrieve information from the internal host machine instead of the proxy.

To modify the Apache Tomcat server.xml file, perform the following steps:

  1. Navigate to the following directory:
    <Tomcat_Home>\conf

    where:

    <Tomcat_Home>

    Is the location on your system where Apache Tomcat is installed.

  2. Open the server.xml file with a text editor.
  3. Search for the Coyote/JK2 AJP 1.3 connector block.
  4. Add the proxyName and proxyPort parameters, as shown in the following example:
    <!-- Define a Coyote/JK2 AJP 1.3 Connector on port 8009 -->
    <Connector port="8009"
        enableLookups="false" redirectPort="8443" debug="0"
        protocol="AJP/1.3" proxyName="WEB-FACING PROXY_SERVER"
        proxyPort="WEB FACING PROXY_PORT" />
  5. For the proxyName parameter value, specify the fully qualified host name of the web-facing proxy server.
  6. For the proxyPort parameter value, specify the port number of the web-facing proxy server.
  7. Save the changes to the server.xml file.
  8. Restart the Apache Tomcat application server.
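
The following check is an added example, not part of the original documentation or of the WebFOCUS or Apache Tomcat code. It parses server.xml text and reports any AJP connector whose proxyName or proxyPort is missing, still holds the placeholder text from step 4, or is not a fully qualified host name or a valid port number. The sample server.xml and the function name check_ajp_proxy_settings are constructed for illustration.

```python
import re
import xml.etree.ElementTree as ET

# Constructed sample: the AJP connector still carries the placeholder
# text from step 4 instead of real values.
SAMPLE_SERVER_XML = """<Server port="8005" shutdown="SHUTDOWN">
  <Service name="Catalina">
    <Connector port="8080" protocol="HTTP/1.1" redirectPort="8443" />
    <Connector port="8009" enableLookups="false" redirectPort="8443"
        protocol="AJP/1.3" proxyName="WEB-FACING PROXY_SERVER"
        proxyPort="WEB FACING PROXY_PORT" />
  </Service>
</Server>"""

# Dotted host name: one or more labels followed by an alphabetic top-level label.
FQDN = re.compile(
    r"^(?=.{1,253}$)([A-Za-z0-9]([A-Za-z0-9-]{0,61}[A-Za-z0-9])?\.)+[A-Za-z]{2,63}$"
)

def check_ajp_proxy_settings(server_xml_text):
    """Return a list of findings for the AJP connectors in server.xml text."""
    root = ET.fromstring(server_xml_text)
    # protocol may be "AJP/1.3" or an AJP protocol handler class name.
    ajp = [c for c in root.iter("Connector")
           if "ajp" in c.get("protocol", "").lower()]
    if not ajp:
        return ["no AJP connector found"]
    findings = []
    for conn in ajp:
        where = "AJP connector on port %s" % conn.get("port", "?")
        name = conn.get("proxyName")
        port = conn.get("proxyPort")
        if name is None:
            findings.append(where + ": proxyName is missing")
        elif not FQDN.match(name):
            findings.append(where + ": proxyName %r is not a fully qualified host name" % name)
        if port is None:
            findings.append(where + ": proxyPort is missing")
        elif not (re.fullmatch(r"[0-9]{1,5}", port) and 1 <= int(port) <= 65535):
            findings.append(where + ": proxyPort %r is not a valid port number" % port)
    return findings

if __name__ == "__main__":
    for line in check_ajp_proxy_settings(SAMPLE_SERVER_XML) or ["ok"]:
        print(line)
```

An empty list means every AJP connector has both values set in a usable form. Run the check before restarting Tomcat in step 8.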