Authorization Security in Verastream Host Integrator

  • 7021567
  • 25-Jun-2010
  • 03-Mar-2018

Environment

Verastream Host Integrator

Situation

Verastream Host Integrator (VHI) requires user name and password credentials to perform certain tasks. Host Integrator product security is separate from your host logins. This technical note describes how VHI access control is configured and used.

Resolution

Host Integrator supports authentication and authorization security for access control. Some tasks may require providing user name and password credentials. This security applies within the Host Integrator product and is separate from your host logins.

The following table summarizes differences in behavior for authentication and authorization, depending on product version and its configuration. In order to complete a task, user name and password credentials may be required, and the user must be in the appropriate authorization security profile (User, Developer, or Administrator) as indicated below.

Access Control Security

| Task | Any version with Session Server security enabled | Default in version 7.0.967 or higher | Default in version 7.0.961 only | Version 6.6 or earlier with only admin security enabled | Version 6.6 or earlier default |
|---|---|---|---|---|---|
| Use Administrative Console or Administrative WebStation (connect to Management Server or AADS) | Administrator or Developer* | Administrator or Developer* | Administrator or Developer* | Administrator or Developer* | None |
| Deploy model from Design Tool or command line | Administrator | Administrator | None | Administrator | None |
| Web Builder: Populate model drop-down list | Developer or User | Developer or User | None | Developer or User | None |
| Web Builder: Retrieve model metadata | Developer or User | Developer or User | None | None | None |
| Setup: Join an existing installation (add server for load distribution and failover) | Administrator | Administrator | Administrator | Administrator | None |
| Use LogExport command (or Log Viewer utility in version 6.6 and earlier) | Administrator or Developer* | Administrator or Developer* | None | Administrator or Developer* | None |
| Use Model Variable Management API (com.wrq.vhi.sconfig) | Administrator | Administrator | None | Administrator | None |
| Client application connecting to session server (connector API) | User or Developer | None | None | None | None |

*Developer users have read-only access (cannot make changes to the session server or management server configuration).

Note: The default level of security varies by product version. In version 7.0.961, only Administrative Console access is secure by default. In version 6.6 and earlier, nothing is secure by default. We recommend that you configure appropriate security for your installation environment.

Configuring Authentication

There are three sources that Host Integrator uses for user names and passwords:

  • Built-in "admin" User: Beginning in version 7.0, there is always a built-in administrative account with “admin” as the user name.
    • The administrative password is set in the original installation.
    • You can change the administrative password in Administrative Console (Perspective > Management > Servers > right-click Management Cluster > Change Admin Password).
    • The administrative password is securely stored by the management server in encrypted format.
    • The built-in “admin” user is automatically a member of all three authorization profiles (see next section).
  • LDAP Directory Server, such as Microsoft Active Directory: In version 7.0 and higher, to configure directory servers in Administrative Console, see http://docs2.attachmate.com/verastream/vhi/7.1/en/topic/com.attachmate.vmc.help.online/directories/vmc_add_remove_directories.xhtml.
  • Local Operating System (OS) Groups: If you use this feature in multi-server installation environments (version 7.x Management Server failover as described in KB 7021563), all servers should be configured with the same users, groups, and user members in groups to avoid inconsistent runtime behavior.

Note: When using local OS groups on Linux/UNIX systems, the AADS or Management Server component must be run as root to use a security API for authenticating users (see KB 7021354). Also, on Linux/UNIX, we recommend that you use a supplementary group for each user (to avoid the issue described in KB 7021555).

Beginning in version 7.0, local OS groups are disabled by default (LDAP is recommended instead). To enable local OS group support in Administrative Console, select the Enable OS Groups checkbox in Directories Properties.
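
The consistency requirement for local OS groups in multi-server installations can be checked before relying on failover. The following is an added example, not code from this technical note or from the product: it compares group membership collected from each server and flags users who belong to a group only through their primary GID. The group names (vhiadmin, vhidev), host names and file contents are constructed for illustration.

```python
# Added example (not vendor code). Group names, host names and file contents
# below are constructed; feed real `getent group` / `getent passwd` output
# collected from each server instead.

def parse_group(text):
    """Return {group: (gid, {supplementary members})} from /etc/group-format text."""
    out = {}
    for line in filter(None, map(str.strip, text.splitlines())):
        name, _pw, gid, members = line.split(":", 3)
        out[name] = (int(gid), {m for m in members.split(",") if m})
    return out

def parse_passwd(text):
    """Return {user: primary gid} from /etc/passwd-format text."""
    rows = (l.split(":") for l in map(str.strip, text.splitlines()) if l)
    return {f[0]: int(f[3]) for f in rows}

def audit(servers, profile_groups):
    """servers: {host: (group_text, passwd_text)} -> [(host, issue, group, user)]."""
    findings, seen = [], {}
    for host, (gtext, ptext) in servers.items():
        groups, users = parse_group(gtext), parse_passwd(ptext)
        for g in profile_groups:
            if g not in groups:
                findings.append((host, "group_missing", g, None))
                continue
            gid, members = groups[g]
            seen.setdefault(g, {})[host] = members
            # Membership held only through the primary GID is not a
            # supplementary membership (recommended on Linux/UNIX).
            for user, pgid in sorted(users.items()):
                if pgid == gid and user not in members:
                    findings.append((host, "primary_only", g, user))
    # Every server should list the same members for each profile group.
    for g, per_host in seen.items():
        everyone = set().union(*per_host.values())
        for host, members in per_host.items():
            for user in sorted(everyone - members):
                findings.append((host, "missing_member", g, user))
    return findings

GROUP_A = "vhiadmin:x:1500:alice\nvhidev:x:1501:bob,carol\n"
PASSWD_A = ("alice:x:1001:1001::/h:/bin/sh\nbob:x:1002:1002::/h:/bin/sh\n"
            "carol:x:1003:1003::/h:/bin/sh\ndave:x:1004:1501::/h:/bin/sh\n")
GROUP_B = "vhiadmin:x:1500:alice\nvhidev:x:1501:bob\n"
PASSWD_B = PASSWD_A.replace("dave:x:1004:1501", "dave:x:1004:1004")

if __name__ == "__main__":
    servers = {"vhi-a": (GROUP_A, PASSWD_A), "vhi-b": (GROUP_B, PASSWD_B)}
    for finding in audit(servers, ["vhiadmin", "vhidev"]):
        print(finding)
```

Pass only the groups that you have added to the User, Developer, or Administrator profiles; an empty result means the servers agree.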

Adding Groups or Users to Authorization Profiles

After configuring directory servers or local OS groups (as described above), you can add groups or users to authorization profiles. There are three authorization security profiles:

  • User: Typically used by client applications (or web service clients) that connect with the session server for host interaction. When using the connector API, user name and password are parameters provided in the connect method call.
  • Developer: Same access rights as User, plus ability to run administrative tools in read-only mode.
  • Administrator: Can run administrative tools and make configuration changes, including deploying models.

For specific information on tasks allowed for each profile, refer to Access Control Security above.

In version 7.0 and higher, the built-in administrative account (user name "admin") is always an implicit member of the User, Developer, and Administrator authorization profiles. Therefore, the "admin" user is authorized to perform all tasks.

In version 7.0 and higher, to add groups or users to authorization profiles in Administrative Console, see http://docs2.attachmate.com/verastream/vhi/7.1/en/topic/com.attachmate.vmc.help.online/authorization/vmc_authenticating_users.xhtml.

Enabling Security Options

To control which tasks require credentials, enable the appropriate security option(s):

Administrative Security

In version 7.0 and higher, Administrative Console security is always enabled.

Session Server Security

Enabling security on the session server expands access control to more functions, including client connections. To enable session server security, follow the steps below:

Version 7.0 and higher:

  1. Run Administrative Console from the installed shortcut (Attachmate Verastream > Host Integrator > Administrative Console).
  2. Connect to the management server and log in as “admin” or a user in the Administrator profile.
  3. If Session Server Explorer is not currently displayed, click Perspectives > Host Integrator > Session Servers.
  4. In the tree, right-click your server and click Properties.
  5. In the Server Properties dialog, click General > Security > Enable Security.

Domain Security

In version 7.0, you must separately enable security on the individual session servers.

Cached Credentials in Host Integrator Applications

Your user name and password credentials can be cached to avoid repeated prompting.

To configure Administrative Console to cache the administrative credentials, select the “Remember my credentials” check box. Note: Cached credentials are stored in encrypted format in a local disk file.

In Design Tool and Web Builder, your credentials are remembered as long as the application instance remains running.

Additional Information

Legacy KB ID

This article was originally published as Attachmate Technical Note 10110.