Host Integrator supports authentication and authorization security for access control. Some tasks may require providing user name and password credentials. This security applies within the Host Integrator product and is separate from your host logins.
The following table summarizes differences in behavior for authentication and authorization, depending on product version and its configuration. In order to complete a task, user name and password credentials may be required, and the user must be in the appropriate authorization security profile (User, Developer, or Administrator) as indicated below.
Access Control Security
| Task | Any version with Session Server security enabled | Default in version 7.0.967 or higher | Default in version 7.0.961 only | Version 6.6 or earlier with only admin security enabled | Version 6.6 or earlier default |
| --- | --- | --- | --- | --- | --- |
| Use Administrative Console or Administrative WebStation (connect to Management Server or AADS) | Administrator or Developer* | Administrator or Developer* | Administrator or Developer* | Administrator or Developer* | None |
| Deploy model from Design Tool or command line | Administrator | Administrator | None | Administrator | None |
| Web Builder: Populate model drop-down list | Developer or User | Developer or User | None | Developer or User | None |
| Web Builder: Retrieve model metadata | Developer or User | Developer or User | None | None | None |
| Setup: Join an existing installation (add server for load distribution and failover) | Administrator | Administrator | Administrator | Administrator | None |
| Use LogExport command (or Log Viewer utility in version 6.6 and earlier) | Administrator or Developer* | Administrator or Developer* | None | Administrator or Developer* | None |
| Use Model Variable Management API (com.wrq.vhi.sconfig) | Administrator | Administrator | None | Administrator | None |
| Client application connecting to session server (connector API) | User or Developer | None | None | None | None |
*Developer users have read-only access (cannot make changes to the session server or management server configuration).
Note: The default level of security varies by product version. In version 7.0.961, only Administrative Console access is secure by default. In version 6.6 and earlier, nothing is secure by default. We recommend that you configure appropriate security for your installation environment.
There are three sources that Host Integrator uses for user names and passwords:
- Built-in "admin" User: Beginning in version 7.0, there is always a built-in administrative account with "admin" as the user name.
  - The administrative password is set in the original installation.
  - You can change the administrative password in Administrative Console (Perspective > Management > Servers > right-click Management Cluster > Change Admin Password).
  - The administrative password is securely stored by the management server in encrypted format.
  - The built-in "admin" user is automatically a member of all three authorization profiles (see next section).
- LDAP Directory Server, such as Microsoft Active Directory: In version 7.0 and higher, to configure directory servers in Administrative Console, see http://docs2.attachmate.com/verastream/vhi/7.1/en/topic/com.attachmate.vmc.help.online/directories/vmc_add_remove_directories.xhtml.
- Local Operating System (OS) Groups: If you use this feature in multi-server installation environments (version 7.x Management Server failover as described in KB 7021563), all servers should be configured with the same users, groups, and user members in groups to avoid inconsistent runtime behavior.
Note: When using local OS groups on Linux/UNIX systems, the AADS or Management Server component must be run as root to use a security API for authenticating users (see KB 7021354). Also, on Linux/UNIX, we recommend that you use a supplementary group for each user (to avoid the issue described in KB 7021555).
Beginning in version 7.0, local OS groups are disabled by default (LDAP is recommended instead). To enable local OS group support in Administrative Console, select the Enable OS Groups checkbox in Directories Properties.
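The consistency requirement for local OS groups on multi-server installations can be checked mechanically. The following is an added example, not part of the original article or the product: it compares /etc/group membership across servers and lists users tied to a watched group only by their primary GID, for review against the supplementary-group recommendation. Host names, group names, and file contents are constructed.

```python
def parse_group(text):
    """Parse /etc/group-format text into {group: (gid, set(members))}."""
    groups = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        name, _pw, gid, members = line.split(":", 3)
        groups[name] = (int(gid), {m for m in members.split(",") if m})
    return groups

def parse_passwd(text):
    """Parse /etc/passwd-format text into {user: primary_gid}."""
    users = {}
    for line in text.splitlines():
        fields = line.strip().split(":")
        if len(fields) >= 4 and not fields[0].startswith("#"):
            users[fields[0]] = int(fields[3])
    return users

def audit(servers, watched_groups):
    """servers: {host: (group_text, passwd_text)}. Returns (drift, primary_only)."""
    drift, primary_only = {}, {}
    parsed = {h: (parse_group(g), parse_passwd(p)) for h, (g, p) in servers.items()}
    for grp in watched_groups:
        per_host = {h: (gr[grp][1] if grp in gr else None) for h, (gr, _) in parsed.items()}
        # Drift: group missing on some server, or member lists differ between servers.
        if len({frozenset(m) if m is not None else None for m in per_host.values()}) > 1:
            drift[grp] = {h: (sorted(m) if m is not None else None) for h, m in per_host.items()}
        for h, (gr, pw) in parsed.items():
            if grp in gr:
                gid, members = gr[grp]
                # Users whose only link to the group is their primary GID in passwd.
                only = sorted(u for u, g in pw.items() if g == gid and u not in members)
                if only:
                    primary_only.setdefault(grp, {})[h] = only
    return drift, primary_only

# Constructed sample data for two servers; all names here are hypothetical.
SERVERS = {
    "vhi-a": ("vhiadmin:x:1100:alice\nvhiuser:x:1101:svcapp,bob\n",
              "alice:x:1000:1000::/home/alice:/bin/sh\ncarol:x:1002:1101::/home/carol:/bin/sh\n"),
    "vhi-b": ("vhiadmin:x:1100:alice\nvhiuser:x:1101:svcapp\n",
              "alice:x:1000:1000::/home/alice:/bin/sh\n"),
}

if __name__ == "__main__":
    print(audit(SERVERS, ["vhiadmin", "vhiuser"]))
```

In practice, feed it the output of `getent group` and `getent passwd` collected from each server, and list the groups you have mapped to the User, Developer, and Administrator profiles.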
Adding Groups or Users to Authorization Profiles
After configuring directory servers or local OS groups (as described above), you can add groups or users to authorization profiles. There are three authorization security profiles:
- User: Typically used by client applications (or web service clients) that connect with the session server for host interaction. When using the connector API, user name and password are parameters provided in the connect method call.
- Developer: Same access rights as User, plus ability to run administrative tools in read-only mode.
- Administrator: Can run administrative tools and make configuration changes, including deploying models.
For specific information on tasks allowed for each profile, refer to Access Control Security above.
In version 7.0 and higher, the built-in administrative account (user name "admin") is always an implicit member of the User, Developer, and Administrator authorization profiles. Therefore, the "admin" user is authorized to perform all tasks.
In version 7.0 and higher, to add groups or users to authorization profiles in Administrative Console, see http://docs2.attachmate.com/verastream/vhi/7.1/en/topic/com.attachmate.vmc.help.online/authorization/vmc_authenticating_users.xhtml.
Enabling Security Options
To control which tasks require credentials, enable the appropriate security option(s):
In version 7.0 and higher, Administrative Console security is always enabled.
Session Server Security
Enabling security on the session server expands access control to more functions, including client connections. To enable session server security, follow the steps below:
Version 7.0 and higher:
- Run Administrative Console from the installed shortcut (Attachmate Verastream > Host Integrator > Administrative Console).
- Connect to the management server and log in as "admin" or a user in the Administrator profile.
- If Session Server Explorer is not currently displayed, click Perspectives > Host Integrator > Session Servers.
- In the tree, right-click your server and click Properties.
- In the Server Properties dialog, click General > Security > Enable Security.
In version 7.0, you must separately enable security on the individual session servers.
Cached Credentials in Host Integrator Applications
Your user name and password credentials can be cached to avoid repeated prompting.
To configure Administrative Console to cache the administrative credentials, select the "Remember my credentials" check box. Note: Cached credentials are stored in encrypted format in a local disk file.
In Design Tool and Web Builder, your credentials are remembered as long as the application instance remains running.