TIBCO Spotfire Server 3.2.2 - TIBCO Product Documentation

More documents

Recommendations

Info

Authentication and User Directory • Check the box Password never expires. All other boxes should be unchecked (Note: Make sure to uncheck User must change password at next logon). • If you intend to use Kerberos for database authentication (see the section “Database Authentication using Kerberos” on page 91), you must also set Account is trusted for delegation found on the Accounts tab of the Properties dialog. This setting has certain security issues, and therefore you should only set it if you intend to do this. Next, you must create two Service Principal Names needed for the authentication. This requires Microsoft Support Tools. Refer to its documentation for more information about this and other tools included in the package. Note: In a load balanced environment, you need to create two Service Principal Names for each Spotfire Server, and two for the load balancer. You must map all of them to the same service account. Creating Service Principal Names (SPNs) Executing the following commands on one of the Windows Domain Controllers: > setspn -A HTTP/myHost.mydomain[:port] myServiceAccount > setspn -A HTTP/myHost[:port] myServiceAccount Replace the myHost myServiceAccount, and mydomain variables with values appropriate in your environment. Note: If you use port 80, do not specify port number. Example: Setting SPNs for the service account "spotsvc" and the computer spotserver.research.example.com using the HTTP port 8080. > setspn -A HTTP/spotserver.research.example.com:8080 spotsvc > setspn -A HTTP/spotserver:8080 spotsvc This would result in the following two SPNs: • HTTP/spotserver.research.example.com:8080 • HTTP/spotserver:8080 Note: All usernames, hostnames, and domain names are case sensitive. Take special care when running the commands and editing the files below. After you have run these commands, you can verify your setup with the command: > setspn -L myServiceAccount Example: Verifying SPNs for the service account “spotsvc”. > setspn -L spotsvc Registered ServicePrincipalNames for CN=spotsvc,CN=Users,DC=research,DC=example,DC=com: 70 (144) TIBCO Spotfire® Server 3.2.2
Authentication and User Directory HTTP/spotserver:8080 HTTP/spotserver.research.example.com:8080 Create Keytab Files The next step is to create keytab files, which the Spotfire Server(s) will use to authenticate using Kerberos. This is also done with a tool that comes with Microsoft Support Tools, called ktpass.exe. You can run this command on one of your Domain Controllers and then copy the created files to the Spotfire Server(s). Note: In a clustered environment, create one keytab file, and use the long principal name of the load balancer, not one of the Spotfire Servers. Always name the file spotfire.keytab, as shown below. Run the command, including all the text on one line, like this: > ktpass /princ HTTP/myHost.mydomain[:port]@MYDOMAIN /mapuser myServiceAccount /ptype krb5_nt_principal /crypto rc4-hmac-nt /out spotfire.keytab /pass Password Replace the myServiceAccount, myHost appropriate values. mydomain, and Password variables with Example: Generate a keytab file for the Spotfire server spotserver.research.example.com running on port 8080 in the Windows domain RESEARCH.EXAMPLE.COM (note the upper case) with the password Pa55w0rd: > ktpass /princ HTTP/spotserver.research.example.com:8080@RESEARCH.EXAMPLE.COM /mapuser spotsvc /ptype krb5_nt_principal /crypto rc4-hmac-nt /out spotfire.keytab /pass Pa55w0rd Install Keytab Files Once the keytab files are created with the above examples you need to install them on the Spotfire Servers. For each Spotfire Server, the keytab file should be placed in the directory /jdk/jre/lib/security/ Note: This file contains important security information that should not be shared. It is recommended that you use caution when copying the files to the destination servers. If possible, a memory stick or similar should be used to avoid insecure network file copy. You should also limit access to the file once in place. Only the Service and the Administrator accounts on the Spotfire Server need to be able to read and write to it. Also note that if, at any point, you change the password for Spotfire service account, Kerberos will stop working and you will have to re-create the keytab files with the new password. 8.3.1.2 Configure the Spotfire Server(s) to Use Kerberos To enable Kerberos on the Spotfire Server(s) there is one configuration file that needs to be modified. This chapter will outline what changes need to be made to this file. For complete reference of the file, see the section “krb5.conf” on page 137. TIBCO Spotfire® Server 3.2.2 71 (144)
Page 1 and 2:
TIBCO Spotfire ® Server 3.2.2 Inst
Page 3 and 4:
Contents 1 Installation Planning 6
Page 5 and 6:
10 Backup and Restore 128 10.1 Over
Page 7 and 8:
Installation Planning The Web Playe
Page 9 and 10:
Installation Planning If you are ru
Page 11 and 12:
Installation Planning When you set
Page 13 and 14:
Installation Planning Which port nu
Page 15 and 16:
Installation Planning Before you co
Page 17 and 18:
Installing Spotfire Server 3.2 2.2.
Page 19 and 20: Installing Spotfire Server 3.2 The
Page 21 and 22: Installing Spotfire Server 3.2 •
Page 23 and 24: Installing Spotfire Server 3.2 If y
Page 25 and 26: Installing Spotfire Server 3.2 Clic
Page 27 and 28: Installing Spotfire Server 3.2 tha
Page 29 and 30: Installing Spotfire Server 3.2 2.6
Page 31 and 32: Migration from 10.1 3.2 Prerequisit
Page 33 and 34: Migration from 10.1 The values prom
Page 35 and 36: Migration from 10.1 3.7 Log Files I
Page 37 and 38: Upgrade from 3.0 or 3.1 to 3.2 4 Up
Page 39 and 40: Upgrade from 3.0 or 3.1 to 3.2 Belo
Page 41 and 42: Upgrade from 3.0 or 3.1 to 3.2 Data
Page 43 and 44: Upgrade from 3.0 or 3.1 to 3.2 Data
Page 45 and 46: Upgrade from 3.0 or 3.1 to 3.2 Upgr
Page 47 and 48: Configure the System 5 Configure th
Page 49 and 50: Configure the System You can also r
Page 51 and 52: Configure the System Note: This inf
Page 53 and 54: Configure the System 1 In the confi
Page 55 and 56: Configure the System privileges to
Page 57 and 58: Spotfire Administrative Tasks 6.2.3
Page 59 and 60: Load Balancing 7 Load Balancing Thi
Page 61 and 62: Load Balancing # Load the mod_jk mo
Page 63 and 64: Load Balancing # Convert usernames
Page 65 and 66: Authentication and User Directory 8
Page 67 and 68: Authentication and User Directory C
Page 69: Authentication and User Directory 8
Page 73 and 74: Authentication and User Directory F
Page 75 and 76: Authentication and User Directory 8
Page 77 and 78: Authentication and User Directory c
Page 79 and 80: Authentication and User Directory E
Page 81 and 82: Authentication and User Directory U
Page 83 and 84: Authentication and User Directory M
Page 85 and 86: Advanced Procedures Included in the
Page 87 and 88: Advanced Procedures the certificate
Page 89 and 90: Advanced Procedures Comment: There
Page 91 and 92: Advanced Procedures 9.5 Configuring
Page 93 and 94: Advanced Procedures The file krb5.c
Page 95 and 96: Advanced Procedures Add Spotfire Se
Page 97 and 98: Advanced Procedures 1 Open Tools >
Page 99 and 100: Advanced Procedures # Configure SSL
Page 101 and 102: Advanced Procedures 9.11 Preventing
Page 103 and 104: Advanced Procedures sqlplus @DBServ
Page 105 and 106: Advanced Procedures 9.16.2 For Wind
Page 107 and 108: Advanced Procedures • DB2 (DataDi
Page 109 and 110: Advanced Procedures Comment: You wi
Page 111 and 112: Advanced Procedures display-name dr
Page 113 and 114: Advanced Procedures catalog-namepat
Page 115 and 116: Advanced Procedures date-timelitera
Page 117 and 118: Advanced Procedures oracle Oracle
Page 119 and 120: Advanced Procedures Example: Config
Page 121 and 122:
Advanced Procedures 1 Log into TIBC
Page 123 and 124:
Advanced Procedures 9.19.2 Configur
Page 125 and 126:
Advanced Procedures Servers will be
Page 127 and 128:
Advanced Procedures 9 Click Start C
Page 129 and 130:
Backup and Restore • HTTPS (see t
Page 131 and 132:
Technical Reference 11 Technical Re
Page 133 and 134:
Technical Reference 11.1.4 Console
Page 135 and 136:
Technical Reference Jakarta Service
Page 137 and 138:
Technical Reference Note: The v
Page 139 and 140:
Technical Reference page 47 for mor
Page 141 and 142:
Technical Reference Example: jdbc:t
Page 143 and 144:
Uninstall 12 Uninstall 12.1 Server
show all

TIBCO Spotfire Server 3.2.2 - TIBCO Product Documentation

Create successful ePaper yourself

Delete template?

Save as template?