Authentication with Digital Certificates/SSL
 
There are two aspects of authentication for Business Analytics that you can configure for digital certificates: 1) whether Business Analytics accepts certificates for user authentication and 2) what information Business Analytics uses from the certificates to perform authentication.
Certificate authentication in Business Analytics uses Personal Digital Certificates (PDC) from a client. The default authentication process when Business Analytics receives a certificate looks for a user ID in the CN portion of the certificate's subjectDN. This user ID is authenticated against the User Repository.
If the user ID is valid, authentication ends and Business Analytics continues with authorization for the request. If the user ID is not valid, the request is rejected.
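The default flow described above, as an added Java example (not Business Analytics code): it parses the subjectDN with the JDK's LdapName instead of splitting on commas, then checks the CN against a constructed stand-in for the User Repository. The class name, the sample user IDs and DNs, and the rule that a DN with no CN, several CNs or a multi-valued RDN is rejected are assumptions of this example, not documented product behavior.

```java
import java.util.Optional;
import java.util.Set;
import javax.naming.InvalidNameException;
import javax.naming.ldap.LdapName;
import javax.naming.ldap.Rdn;

public class CnUserIdCheck {
    // Constructed stand-in for the User Repository (hypothetical user IDs).
    static final Set<String> USER_REPOSITORY = Set.of("jsmith", "adoe");

    // Returns the single CN value of an RFC 2253 subject DN, or empty when the
    // DN is malformed, has no CN, or names more than one (ambiguous identity).
    static Optional<String> extractUserId(String subjectDn) {
        String cn = null;
        try {
            for (Rdn rdn : new LdapName(subjectDn).getRdns()) {
                if (rdn.size() != 1) return Optional.empty();   // multi-valued RDN
                if (!"CN".equalsIgnoreCase(rdn.getType())) continue;
                if (cn != null || !(rdn.getValue() instanceof String)) {
                    return Optional.empty();                    // repeated or binary CN
                }
                cn = (String) rdn.getValue();                   // value is unescaped
            }
        } catch (InvalidNameException e) {
            return Optional.empty();
        }
        return (cn == null || cn.isBlank()) ? Optional.empty() : Optional.of(cn);
    }

    // Default flow from the text: the CN is the user ID; reject unless it is known.
    static boolean authenticate(String subjectDn) {
        return extractUserId(subjectDn).map(USER_REPOSITORY::contains).orElse(false);
    }

    public static void main(String[] args) {
        String[] constructedDns = {
            "CN=jsmith,OU=Analytics,O=Example Corp,C=US",  // user ID in the repository
            "CN=unknownuser,O=Example Corp,C=US",          // user ID not in the repository
            "CN=jsmith\\,O=Example Corp,OU=Other,C=US",     // escaped comma is part of the CN
            "CN=jsmith,CN=adoe,O=Example Corp",            // two CNs
            "O=Example Corp,C=US"                          // no CN at all
        };
        for (String dn : constructedDns) {
            System.out.printf("%-45s -> %s%n", dn, authenticate(dn) ? "accept" : "reject");
        }
    }
}
```

The third sample is the case a comma-splitting or loosely anchored regex extractor gets wrong: the whole escaped string is the CN, so it must not be treated as the user ID `jsmith`.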
To enable authentication based on digital certificates:
1. Configure the Business Analytics Server to use mutual SSL. See Configure Business Analytics for SSL and Digital Certificates for instructions.
2. Using any text or XML editor, edit the applicationContext-security.xml file in the web-apps-home/presto/WEB-INF/classes directory and:
a. Remove the comment markers from the <import> statement for the applicationContext-security-authn-x509.xml file.
The configuration would look something like this:
<beans>
  <import resource="applicationContext-security-authn-rememberme.xml" />
  <import resource="applicationContext-security-scheduler.xml" />
  <import resource="applicationContext-security-authn-x509.xml" />
  <!--<import resource="applicationContext-security-authn-rsa.xml" /> -->
  ...
</beans>
b. Save your changes to this file.
3. If needed, change the default certificate authentication behavior with one or more of these options:
* Configure Alternate User ID Extraction to change where Business Analytics obtains the user ID.
* Configure Dynamic User Support to enable Business Analytics to accept certificates for user IDs not found in the User Repository.
* Configure Additional Certificate Validation beyond simple user IDs.
4. Enable certificate authentication for the Business Analytics REST API. See Configure the Business Analytics REST API to Use Certificate Authentication for instructions.
5. If needed, enable certificate caching for the Business Analytics Server.
By default, the Business Analytics Server does not cache user certificates. This ensures that any changes to user identification or authorization are detected as soon as possible, but it can impact performance. To turn caching on:
a. Using any text or XML editor, edit the applicationContext-security-authn-x509.xml file in the web-apps-home/presto/WEB-INF/classes directory.
b. Find the x509AutheticationProvider bean.
c. Add <property name="certificateCachingEnabled" value="true" /> to the list of properties for this bean.
d. Save your changes to this file.
6. To apply these changes, restart the Business Analytics Server.
Copyright © 2013-2016 Software AG, Darmstadt, Germany.
