Workflow for implementing external authentication

This section helps you set up DB2 OLAP Server to use external authentication in addition to, or in place of, the DB2 OLAP Server security system. Using external authentication to manage user logins provides two main benefits:

The following workflow describes the steps that are required to implement external authentication and single sign-on with DB2 OLAP Server:

  1. Decide which of the supported authentication providers, on which platforms, to make available in the security realm. See Table 20.
    Table 16. Supported authentication providers and platforms

    Operating system                                       | Lightweight Directory Access Protocol (LDAP) V3 compatible directories | NT LAN Manager (NTLM) | Microsoft Active Directory 2000 and 2003
    Windows 2000 Server and Advanced Server, SP3 or later  | X                                                                       | X                     | X
    Windows 2003                                           | X                                                                       | X                     | X
    UNIX                                                   | X                                                                       | X*                    | X

    * Requires installation of Remote Authentication Module

    Note: The tested and supported LDAP servers are iPlanet 5.2, Novell eDirectory 8.7, IBM Tivoli(R) Directory Server V5.1, and IBM Lotus Domino(R) LDAP 5.x and 6.0. iPlanet is now known as Sun Open Net Environment (Sun ONE).
  2. The installation program for DB2 OLAP Server sets the environment variables you need. To verify the settings for your operating system, see the Security Platform Reference section of the Analytic Services Technical Reference, under Java Version Considerations and Setting Environment Variables for Java.
  3. If you are using an NT LAN Manager provider and Analytic Server runs on a Windows platform, the account that runs Analytic Server must be a domain user rather than a local Windows user. Additionally, you must grant the following user rights to the account that runs Analytic Server: For instructions on granting the above rights, see the Security Platform Reference section of the Analytic Services Technical Reference, under NT LAN Manager Notes.
  4. If you are implementing security using an NT LAN Manager provider and are using a UNIX platform for DB2 OLAP Server, DB2 OLAP Server Administration Services, or both, ensure that the Remote Authentication Module is installed on a separate Windows 2000 or Windows 2003 server. You can install the Remote Authentication Module by running the ram\setup.exe file from the DB2 OLAP Server CD. After the Remote Authentication Module is installed, you must also provide its URL as a value to the <remote server> element in the security platform XML configuration file.
  5. If you are implementing security using an NT LAN Manager provider and you want to enable authentication of users from multiple Windows domains, but you do not want to set up trust relationships between those domains, install the Remote Authentication Module on a separate Windows server. This enables users of OLAP applications running on one domain to log in to OLAP applications on other domains. All the domains involved must be running applications that are configured to use the same Remote Authentication Module instance.
  6. With the exception of the Remote Authentication Module, all security platform components are installed by default with DB2 OLAP Server. These include:
  7. Create a security platform XML configuration file, as described in the Security Platform Reference section of the Analytic Services Technical Reference, under Configuring the Security Platform. You can edit the css-full.xml file as a starting point, or copy and edit sample.xml from the Analytic Services Technical Reference.
  8. Edit the essbase.cfg configuration file to point to the location of the XML file mentioned in step 7. This procedure is described in the Security Platform Reference section of the Analytic Services Technical Reference, under Selecting the Authentication Module. If Java, the XML file, and the essbase.cfg file are all configured correctly, then Analytic Server displays the following message upon startup:
    Single Sign-On Initialization Succeeded !
  9. If you have installed Administration Services, edit the Administration Services file OlapAdmin.properties to point to the location of the properly configured XML file mentioned in step 7. OlapAdmin.properties is located in the eas\server directory of the Administration Services installation. For example:
    SECURITY_CONFIGURATION=file://c:/ibm/db2olap/bin/sample.xml
  10. You can now create users whose type is external. These users can log in to DB2 OLAP Server using the user names and passwords already assigned to them in the corporate authentication repository. For information about creating external users with MaxL, see the Security Platform Reference section of the Analytic Services Technical Reference, under MaxL Statements for External User Management. For information about creating external users with Administration Services, see the Administration Services Online Help.
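Because the SECURITY_CONFIGURATION property in step 9 decides which XML file, and therefore which authentication providers, Administration Services trusts, it is worth checking that value before creating external users. The following script is an added example, not part of the DB2 OLAP Server documentation or product: it reads the property from a constructed OlapAdmin.properties snippet, converts the file:// URL (including the Windows form shown above) to a local path, confirms the file exists and is well-formed XML, and flags a configuration file that is group- or world-writable, since anyone who can edit it can redirect logins to a different provider. The XML content used in the demo is a placeholder and does not follow the real security platform schema.

```python
"""Sanity-check the security platform XML referenced by OlapAdmin.properties.

Added example for this workflow; constructed inputs, not the product's own code.
"""
import os
import re
import stat
import tempfile
from urllib.parse import unquote, urlparse
import xml.etree.ElementTree as ET

PROPERTY = "SECURITY_CONFIGURATION"


def read_property(text, name=PROPERTY):
    """Return the value of `name` from Java-style properties text, or None."""
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith(("#", "!")):
            continue  # blank line or comment
        m = re.match(r"([^=:\s]+)\s*[=:]\s*(.*)$", line)
        if m and m.group(1) == name:
            return m.group(2).strip()
    return None


def file_url_to_path(url):
    """Convert file://c:/x/y.xml or file:///opt/x.xml into a local path."""
    parsed = urlparse(url)
    if parsed.scheme != "file":
        raise ValueError(f"expected a file:// URL, got {url!r}")
    # The Windows form file://c:/... parses with the drive letter as netloc.
    if parsed.netloc and re.fullmatch(r"[A-Za-z]:", parsed.netloc):
        return parsed.netloc + unquote(parsed.path)
    return unquote(parsed.path)


def check_security_config(properties_text):
    """Return a list of findings; an empty list means the setting looks sane."""
    value = read_property(properties_text)
    if value is None:
        return [f"{PROPERTY} is not set"]
    try:
        path = file_url_to_path(value)
    except ValueError as err:
        return [str(err)]
    if not os.path.isfile(path):
        return [f"configuration file does not exist: {path}"]

    findings = []
    mode = stat.S_IMODE(os.stat(path).st_mode)
    if mode & (stat.S_IWGRP | stat.S_IWOTH):
        findings.append(f"{path} is group/world writable (mode {oct(mode)}); "
                        "anyone who can edit it can redirect authentication")
    try:
        ET.parse(path)  # only checks well-formedness, not the schema
    except ET.ParseError as err:
        findings.append(f"{path} is not well-formed XML: {err}")
    return findings


def demo():
    """Run the check over constructed cases and return the findings per case."""
    results = {}
    with tempfile.TemporaryDirectory() as tmp:
        good = os.path.join(tmp, "sample.xml")
        with open(good, "w", encoding="utf-8") as fh:
            fh.write("<css><spi/></css>")  # placeholder, not the real schema
        os.chmod(good, 0o600)
        props = f"# constructed OlapAdmin.properties\n{PROPERTY}=file://{good}\n"
        results["good"] = check_security_config(props)

        os.chmod(good, 0o666)  # same file, now world-writable
        results["writable"] = check_security_config(props)

        bad = os.path.join(tmp, "broken.xml")
        with open(bad, "w", encoding="utf-8") as fh:
            fh.write("<css><spi></css>")  # mismatched tags
        os.chmod(bad, 0o600)
        results["malformed"] = check_security_config(f"{PROPERTY}=file://{bad}\n")

        results["missing"] = check_security_config("OTHER=1\n")
    return results


if __name__ == "__main__":
    for case, findings in demo().items():
        print(case, "->", findings or "OK")
```

Run the script as-is to see the four constructed cases; to check a real installation, pass the contents of eas\server\OlapAdmin.properties to check_security_config() instead. The permission check uses POSIX mode bits, so on Windows inspect the file's ACL separately.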