This section helps you set up DB2 OLAP Server to use external authentication in
addition to, or in place of, the DB2 OLAP Server security system. Using external authentication
to manage user logins provides two main benefits:
- The existing corporate structure of user accounts can be employed by Analytic
Services and other OLAP products, reducing administrative overhead.
- Single sign-on between DB2 OLAP Server and other OLAP products is enabled,
eliminating the need for users to log on multiple times with multiple
user names and passwords.
The following workflow describes the steps that are required to implement
external authentication and single sign-on with DB2 OLAP Server:
- Decide which of the supported authentication providers, on which platforms,
to make available in the security realm. See Table 20.
Table 16. Supported authentication providers and platforms
Operating system | Lightweight Directory Access Protocol (LDAP) V3 compatible directories | NT LAN Manager (NTLM) | Microsoft Active Directory 2000 and 2003
Windows 2000 Server and Advanced Server, SP3 or later | X | X | X
Windows 2003 | X | X | X
UNIX | X | X (requires installation of Remote Authentication Module) | X
Note: The tested and supported LDAP servers are iPlanet 5.2, Novell eDirectory 8.7,
IBM Tivoli(R) Directory Server V5.1, and IBM Lotus Domino(R) LDAP 5.x and 6.0.
iPlanet is now known as Sun Open Net Environment (Sun ONE).
- The installation program for DB2 OLAP Server sets the environment variables you
need. To verify the settings for your operating system, see the Security Platform
Reference section of the Analytic Services Technical Reference,
under Java Version Considerations and Setting Environment Variables for Java.
- If you are using an NT LAN Manager provider and Analytic Server runs on
a Windows platform, the account that runs Analytic Server must be a domain
user rather than a local Windows user. Additionally, you must grant
the following user rights to the account that runs Analytic Server:
- Access this computer from the network
- Act as part of the operating system
For instructions on granting the above rights, see the Security Platform
Reference section of the Analytic
Services Technical Reference,
under NT LAN Manager Notes.
- If you are implementing security using an NT LAN Manager provider and
are using a UNIX platform for DB2 OLAP Server, DB2 OLAP Server Administration Services, or both, ensure
that the Remote Authentication Module is installed on a separate Windows 2000
or Windows 2003 server. You can install the Remote Authentication Module
by running the ram\setup.exe file from the DB2 OLAP Server CD. After the
Remote Authentication Module is installed, you must also provide its URL as
a value to the <remote server> element in the security platform
XML configuration file.
- If you are implementing security using an NT LAN Manager provider and
you want to enable authentication of users from multiple Windows domains,
but you do not want to set up trust relationships between those domains, install
the Remote Authentication Module on a separate Windows server. This enables users of
OLAP applications running on one domain to log in to OLAP applications on
other domains. All the domains involved must be running applications that
are configured to use the same Remote Authentication Module instance.
- With the exception of the Remote Authentication Module, all security platform
components are installed by default with DB2 OLAP Server. These include:
- css-2_5_x.dll, a library for enabling NT LAN Manager support.
This file is installed to HYPERION_HOME\common\CSS\2.5.x\bin.
- css-full.xml, a sample configuration file that you can modify
or re-create to represent your authentication needs. This file is installed
to HYPERION_HOME\common\CSS\2.5.x\configuration.
- css-2_5_x.jar, containing the security platform classes. This
file is installed to HYPERION_HOME\common\CSS\2.5.x\lib.
- Create a security platform XML configuration file, as described
in the Security Platform Reference section of the Analytic Services Technical Reference,
under Configuring the Security Platform. The css-full.xml file might be used as an example
to edit, or you can copy and edit sample.xml from the Analytic Services Technical Reference.
- Edit the essbase.cfg configuration file to point to the location
of the XML file mentioned in step 7. This procedure is
described in the Security Platform Reference section of the Analytic Services Technical Reference, under Selecting the Authentication
Module. If Java, the XML file, and the essbase.cfg file
are all configured correctly, then Analytic Server displays the following
message upon startup:
Single Sign-On Initialization Succeeded !
- If you have installed Administration Services, edit the Administration
Services file OlapAdmin.properties to point to the location of
the properly configured XML file mentioned in step 7. OlapAdmin.properties is located
in the eas\server directory of the Administration Services installation. For example:
SECURITY_CONFIGURATION=file://c:/ibm/db2olap/bin/sample.xml
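A small check for this step, added here as an example and not part of the product or its documentation: it reads the SECURITY_CONFIGURATION entry from OlapAdmin.properties, converts the file URL to a local path (accepting both the file://c:/... form shown above and the file:///... form), and confirms the referenced security platform XML file can be read and is well-formed. The properties content and the load_file callback are constructed stand-ins; the script does not know the XML schema and checks only well-formedness.

```python
"""Sanity-check the SECURITY_CONFIGURATION entry of OlapAdmin.properties."""
import re
import xml.etree.ElementTree as ET
from urllib.parse import unquote, urlparse

# Constructed sample of an OlapAdmin.properties file (not a real installation).
SAMPLE_PROPS = """# eas\\server\\OlapAdmin.properties (constructed sample)
SECURITY_CONFIGURATION=file://c:/ibm/db2olap/bin/sample.xml
"""

def parse_properties(text):
    """Minimal Java .properties reader: KEY=VALUE lines, '#'/'!' comments."""
    props = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line[0] in "#!" or "=" not in line:
            continue
        key, value = line.split("=", 1)
        props[key.strip()] = value.strip()
    return props

def file_url_to_path(url):
    """Turn the file URL into a local path; rejects non-file and remote URLs.
    Accepts both file://c:/... (as in the docs) and file:///c:/... forms."""
    parts = urlparse(url)
    if parts.scheme.lower() != "file":
        raise ValueError("SECURITY_CONFIGURATION must be a file:// URL: %r" % url)
    netloc, path = parts.netloc, unquote(parts.path)
    if re.fullmatch(r"[A-Za-z]:", netloc):          # file://c:/dir/file.xml
        return netloc + path
    if netloc not in ("", "localhost"):
        raise ValueError("remote host not allowed in file URL: %r" % url)
    if re.match(r"/[A-Za-z]:/", path):              # file:///c:/dir/file.xml
        return path[1:]
    return path                                      # file:///opt/dir/file.xml

def audit(props_text, load_file):
    """Return a list of findings (empty when the entry looks usable).
    load_file(path) must return the file's text or raise OSError."""
    url = parse_properties(props_text).get("SECURITY_CONFIGURATION")
    if not url:
        return ["SECURITY_CONFIGURATION is missing from OlapAdmin.properties"]
    try:
        path = file_url_to_path(url)
        xml_text = load_file(path)
        ET.fromstring(xml_text)                      # must be well-formed XML
    except ValueError as err:
        return [str(err)]
    except OSError as err:
        return ["cannot read security platform XML: %s" % err]
    except ET.ParseError as err:
        return ["security platform XML is not well-formed: %s" % err]
    return []

if __name__ == "__main__":
    # Stand-in loader: pretend the XML file exists and holds a stub root element.
    print(audit(SAMPLE_PROPS, lambda path: "<css/>"))   # -> []
```

On a real installation, pass a loader such as `lambda p: open(p, encoding="utf-8").read()` so the path from the URL is actually opened.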
- You can now create users whose type is external. These users
can log in to DB2 OLAP Server using the user names and passwords already assigned to
them in the corporate authentication repository. For information about creating
external users with MaxL, see the Security Platform Reference section of the Analytic Services Technical Reference, under MaxL Statements for External User Management. For information about creating
external users with Administration Services, see the Administration Services
Online Help.