
User Name and Password Authentication Methods

When users start a Spotfire client, they are presented with a login dialog where they select which Spotfire Server to connect to. If that server uses a user name and password based authentication method, the users are also prompted for user name and password.

The user name and password are then sent to Spotfire Server (over the HTTP BASIC protocol). The user name and password authentication methods are sometimes referred to as BASIC authentication methods. The credentials are not encrypted when they are transferred unless the server uses TLS/SSL, and the information can easily be collected by other eavesdropping computers on the network. To use any user name and password authentication method in a safe manner, make sure to also enable TLS/SSL so that the user name and the password are transferred to Spotfire Server over the encrypting HTTPS protocol.

The user name and password can be validated using:

Spotfire database

LDAP Directory (for example Active Directory)

Windows NT Domain (Legacy, use only if you cannot use LDAP)

Custom JAAS

For all methods, entries are created in the Spotfire database. When using an external authentication method, appropriate information is copied to the Spotfire database.

4.6.1 Authentication towards the Spotfire Database

This authentication method requires that the User Directory is configured for Spotfire database. The database will store the names and password hashes of all users, and an administrator will have to create all user accounts in advance. This is the default behavior, and no configuration is needed for this authentication method. This is a configuration that is easy and fast to set up and it is recommended for small sites.

To create a lot of users at once, export the users from an external system and import them into the Spotfire database using the Administration Manager.

4.6.2 Authentication towards LDAP

This authentication method integrates with an existing LDAP directory and delegates the actual authentication responsibility to its configured LDAP servers. The result is that only users with valid accounts in the LDAP directory can log in to Spotfire Server.

This setup is recommended for all larger sites. It can be combined with both Spotfire database User Directory and LDAP User Directory.

It is recommended to combine the LDAP authentication method with an LDAP User Directory mode. However, in some cases, for example where the LDAP directory contains a very large number of users that are not divided into convenient sub-units (contexts), combining the LDAP authentication method with a Spotfire database User Directory will reduce the set of users tracked within Spotfire Server. Only the users that are logging in to Spotfire Server will be included. This makes Spotfire Server's User Directory easier to manage and survey.

When combining it with a Spotfire database User Directory configuration, the users shall be automatically added to the User Directory and consequently the Post-Authentication Filter must be configured in auto-creating mode. When combining it with an LDAP User Directory mode, the default setting of the Post-Authentication Filter, blocking mode, is already correct.

Spotfire Server supports the following LDAP servers:

Microsoft Active Directory

The Directory Server product family (Oracle Directory Server, Sun Java System Directory Server, Sun ONE Directory Server, iPlanet Directory Server, Netscape Directory Server)

The above-mentioned are the tested and supported variants. Other types of LDAP servers may also work with Spotfire Server, but such a custom LDAP configuration may be slightly more advanced to configure.

Note: When Spotfire Server is authenticating towards a Microsoft Active Directory server, it will automatically use the Fast Bind Control (also known as Concurrent Bind Control) option to minimize the consumed resources on the LDAP server.

4.6.3 Configuring SASL Authentication for LDAP

DIGEST-MD5 and GSSAPI are SASL (Simple Authentication and Security Layer) mechanisms. These are used for secure authentication of Spotfire Server when it is connecting to LDAP servers. SASL prevents clear text passwords from being transmitted over the network.

4.6.3.1 DIGEST-MD5

When configuring SASL authentication with DIGEST-MD5 in an Active Directory environment, the distinguished name (DN) does not work for authentication and the userPrincipalName attribute must be used instead. The authentication attribute option should be set to userPrincipalName and the username attribute option should be set to sAMAccountName, which is the default value for an Active Directory LDAP configuration.

When setting up SASL with DIGEST-MD5 in an Active Directory environment, all accounts must use reversible encryption for their passwords. This is typically not the default setting for Active Directory.

4.6.3.2 GSSAPI

These instructions apply for Active Directory LDAP configurations. Spotfire Server does not support GSSAPI for other LDAP alternatives.

The GSSAPI authentication mechanism provides secure authentication even over insecure networks since it uses the Kerberos protocol for authentication. Passwords are not sent in clear text across the network even if using unencrypted HTTP. For information about Kerberos in general, see “Kerberos Authentication” on page 66.

Configure Spotfire Server for GSSAPI Authentication of LDAP

Preparations:

1 Make sure you have a fully working Active Directory LDAP configuration using clear-text password authentication (also known as simple authentication mechanism).

This configuration is created using the Configuration Tool or the Configuration Command Line Tool.

Save this fully working Active Directory LDAP configuration to file.

the LDAP configuration's ID.

2 Make sure that you have a fully working krb5.conf file. The content of the krb5.conf file shall be the same as when setting up Spotfire Server for Kerberos authentication.

See “Configure Kerberos for Java:” on page 70.

Note: Make sure to stop the entire service/Java process before installing the file. It is not sufficient that the restart policy is set to automatic force or automatic on idle. If the krb5.conf file is modified after Spotfire Server has been started, a restart of the Spotfire Server process is required for the modifications to take effect.

Procedure:

1 Stop Spotfire Server, see “Start and Stop Spotfire Server” on page 110.

2 Copy the fully working krb5.conf file to the <inst dir>/jdk/jre/lib/security directory on each Spotfire Server in the cluster.

3 Start the Configuration Tool and provide the Tool Password, see “Configuration Tool” on page 34.

4 Go to the LDAP Configuration Panel.

5 Update the LDAP user name so that it is a proper Kerberos principal name. Usually it is sufficient to add the name of the account's Windows domain written in upper-case letters. Sometimes it is also necessary to include the Windows domain name as well.

Using a name based on a distinguished name (DN) or including a NetBIOS domain name does not work when using GSSAPI. Examples of correct names: "ldapsvc@RESEARCH.EXAMPLE.COM" and "[email protected]@RESEARCH.EXAMPLE.COM".

6 Select the specific LDAP configuration to be GSSAPI enabled and expand the Advanced settings.

7 Set the security-authentication configuration property to GSSAPI.

8 Set the authentication-attribute to sAMAccountName or userPrincipalName (select what works best for your configuration). The default value is empty.

Note: If the krb5.conf file contains more than one Kerberos realm, the authentication-attribute must be set to "userPrincipalName".

9 Add a custom property with the key kerberos.login.context.name and the value SpotfireGSSAPI.

10 Save the configuration to the Spotfire database by clicking Save configuration.

11 Start Spotfire Server, see “Start and Stop Spotfire Server” on page 110.

Procedure steps related to LDAP configurations need to be performed for each LDAP catalogue that shall have GSSAPI enabled. For multiple LDAP configurations, repeat these steps for each configuration.
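As an added example (not from the Spotfire documentation or the product itself), the following standalone Java program performs the kind of Kerberos login and SASL/GSSAPI LDAP bind that the settings above enable. It is useful as a pre-check that krb5.conf, the keytab and the principal name are correct before they are wired into Spotfire Server. The login context name SpotfireGSSAPI is the one given in step 9, while the JAAS file and its contents, the keytab path, the LDAP host and the krb5.conf path are placeholders chosen for this example.

```java
import java.security.PrivilegedExceptionAction;
import java.util.Hashtable;
import javax.naming.Context;
import javax.naming.directory.DirContext;
import javax.naming.directory.InitialDirContext;
import javax.security.auth.Subject;
import javax.security.auth.login.LoginContext;

public class GssapiLdapBindCheck {
    // Placeholder values for this example; replace with your own directory and file locations.
    static final String LDAP_URL   = "ldap://dc1.research.example.com:389";
    static final String KRB5_CONF  = "/etc/krb5.conf";                          // same content as the Spotfire Kerberos setup
    static final String LOGIN_CONF = "/opt/spotfire/checks/gssapi-login.conf";  // hypothetical JAAS file, contents below
    // gssapi-login.conf (hypothetical; keytab path is a placeholder, principal as in step 5):
    //   SpotfireGSSAPI {
    //       com.sun.security.auth.module.Krb5LoginModule required
    //           useKeyTab=true keyTab="/etc/spotfire/ldapsvc.keytab" storeKey=true
    //           doNotPrompt=true principal="ldapsvc@RESEARCH.EXAMPLE.COM";
    //   };

    public static void main(String[] args) throws Exception {
        System.setProperty("java.security.krb5.conf", KRB5_CONF);
        System.setProperty("java.security.auth.login.config", LOGIN_CONF);

        // 1. Obtain a Kerberos ticket for the principal; a wrong realm, keytab or
        //    principal name fails here, before any LDAP traffic is sent.
        LoginContext lc = new LoginContext("SpotfireGSSAPI");   // the context name used in step 9
        lc.login();

        // 2. Bind to the directory with SASL/GSSAPI while running as the authenticated Subject.
        Subject.doAs(lc.getSubject(), (PrivilegedExceptionAction<Void>) () -> {
            Hashtable<String, String> env = new Hashtable<>();
            env.put(Context.INITIAL_CONTEXT_FACTORY, "com.sun.jndi.ldap.LdapCtxFactory");
            env.put(Context.PROVIDER_URL, LDAP_URL);
            env.put(Context.SECURITY_AUTHENTICATION, "GSSAPI");   // the value step 7 sets
            env.put("javax.security.sasl.qop", "auth-conf");      // ask for Kerberos integrity + confidentiality
            DirContext ctx = new InitialDirContext(env);           // throws NamingException if the bind fails
            System.out.println("GSSAPI bind OK as " + lc.getSubject().getPrincipals());
            ctx.close();
            return null;
        });
        lc.logout();
    }
}
```

A failure in lc.login() points at krb5.conf, the keytab or the principal name; a failure in InitialDirContext points at the directory side of the configuration.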

4.6.4 Authentication towards Windows NT Domain (legacy)

With this authentication method, user authentication is delegated to Windows NT domain controllers. To be able to use this method, Spotfire Server must be installed on a machine running Windows and you must have a working Windows NT 4 Server Domain Controller or a Windows Server 2000 (or later) Domain Controller running in Mixed Mode. This is a legacy solution that should only be used if LDAP cannot be used.

Just like the LDAP authentication method, the Windows NT Domain authentication method can be combined with a User Directory in either Windows NT Domain mode or in Spotfire database mode.

When combining this authentication method with a Spotfire database User Directory mode, the Post-Authentication Filter must be configured in auto-creating mode, so that the users will be automatically added to the User Directory. When combining it with a Windows NT Domain User Directory mode, the default blocking Post-Authentication Filter is already correct.

4.6.5 Authentication towards a Custom JAAS Module

All authentication methods described above are implemented as Java Authentication and Authorization Service (JAAS) modules. Spotfire also supports third-party JAAS modules. You may therefore use a custom JAAS module, provided that it validates user name and password authentication and that it uses JAAS’ NameCallback and PasswordCallback objects for collecting the user names and passwords.

When using a custom JAAS module, you must place the jar file in the <installation dir>/tomcat/webapps/spotfire/WEB-INF/lib directory on all Spotfire Servers.

Consult the JAAS Reference Guide for more information about JAAS.
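An added example, not from Spotfire or the JAAS Reference Guide: a minimal LoginModule that meets the two requirements stated above, validating a user name and password and collecting them only through NameCallback and PasswordCallback. The user table, salt and the user "alice" are constructed for this example; a real module would look the user up in a database or directory.

```java
import java.io.IOException;
import java.nio.CharBuffer;
import java.nio.charset.StandardCharsets;
import java.security.*;
import java.util.*;
import javax.security.auth.Subject;
import javax.security.auth.callback.*;
import javax.security.auth.login.*;
import javax.security.auth.spi.LoginModule;
public class TableLoginModule implements LoginModule {
    // Constructed sample store: user name -> SHA-256(salt || password). Not a real backend.
    private static final byte[] SALT = "demo-salt".getBytes(StandardCharsets.UTF_8);
    private static final Map<String, byte[]> USERS =
        Map.of("alice", hash("correct horse battery staple".toCharArray()));
    private CallbackHandler handler;
    private boolean succeeded;
    public void initialize(Subject s, CallbackHandler h, Map<String, ?> shared, Map<String, ?> opts) {
        this.handler = h;   // the caller's handler must serve NameCallback and PasswordCallback
    }
    public boolean login() throws LoginException {
        NameCallback name = new NameCallback("user name: ");
        PasswordCallback pass = new PasswordCallback("password: ", false);
        try {
            handler.handle(new Callback[] { name, pass });
        } catch (IOException | UnsupportedCallbackException e) {
            throw new LoginException("could not collect credentials: " + e.getMessage());
        }
        char[] pw = pass.getPassword();   // a copy; the callback keeps its own until cleared
        if (name.getName() == null || pw == null) throw new FailedLoginException("missing credentials");
        byte[] actual = hash(pw);
        Arrays.fill(pw, '\0');
        pass.clearPassword();             // wipe both copies of the clear-text password
        byte[] expected = USERS.getOrDefault(name.getName(), new byte[32]);  // dummy for unknown users
        succeeded = MessageDigest.isEqual(expected, actual);                  // constant-time compare
        if (!succeeded) throw new FailedLoginException("invalid user name or password");
        return true;
    }
    public boolean commit() { return succeeded; }
    public boolean abort()  { succeeded = false; return true; }
    public boolean logout() { succeeded = false; return true; }
    private static byte[] hash(char[] password) {
        try {
            MessageDigest md = MessageDigest.getInstance("SHA-256");
            md.update(SALT); md.update(StandardCharsets.UTF_8.encode(CharBuffer.wrap(password)));
            return md.digest();
        } catch (NoSuchAlgorithmException e) { throw new IllegalStateException(e); }
    }
}
```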