Progress
Version 9
Product Update Bulletin
AdminServer Security Enhancement
Progress Version 9.1D adds functionality that lets administrators tighten security around the AdminServer. This appendix provides information about the following:
AdminServer Security At Install
Progress Version 9.1D includes optional functionality that grants access to the AdminServer based on a user's membership in a group with the privileges needed to perform AdminServer operations.
Checking a user’s group membership consists of the following two processes:
During the Progress Version 9.1D installation, administrators are asked if they want to enable user authorization:
- If the administrator chooses not to use authorization, the AdminServer functionality works as it did in Progress Version 9.1C. That is, there is no group checking and no authorization of users.
- If the administrator chooses to use authorization, the installation prompts for the name of the group or list of groups. The default group is PSCAdmin. The AdminServer then requires authentication and authorization for all operations it performs, including startup and shutdown.
NOTE: When you install the AdminServer, by default it is started using a default account called LocalSystem. The AdminServer Authorization dialog box also has a username and password option that, if selected, changes the LocalSystem account to a specific username and password.

Groups are set up in the operating system, outside of the Progress environment; however, an administrator using Progress Version 9.1D can also set up groups in a minimal fashion (locally only) during the Progress install. It is up to the administrator to determine who belongs in which group. If, after the Progress installation, a user attempts to perform an operation and does not belong to a group with that privilege, the user is informed that they are not authorized to perform that operation and is referred to the system administrator for assistance.
NOTE: Determining group membership is up to the administrator and is based on a variety of factors that differ from company to company, such as company policy, operating system, version number, procedures, etc.

Option To Require Authorization On the Command Line
If the administrator accepts the default installation and does not choose to use authorization, authorization can still be selected when starting up the AdminServer. The new AdminServer command-line option for authorization is AdminGroup (-admingroup), which has the following syntax:
For the AdminGroup startup parameter, at least one group must be specified. If multiple groups are listed, they are separated with a colon. The AdminServer will not start unless at least one of the listed groups exists. To perform AdminServer functions, the user must have a valid account in one of the groups.
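The -admingroup behaviour just described (colon-separated list, at least one group must exist for startup, and a user must belong to one of the groups to perform an operation) can be modelled in a few lines. The following is an added example, not Progress code; the OS group database, user names and memberships are constructed sample data, and the rendering of the GroupInfo string follows the layout given later in this bulletin's logging section.

```python
# Added example (not Progress code): a model of the -admingroup startup check
# and the per-operation group authorization described in this section.
# Group names, users and memberships below are constructed sample data;
# the real AdminServer resolves groups through the operating system.
from dataclasses import dataclass
from typing import Dict, List, Set, Tuple


def parse_admingroup(value: str) -> List[str]:
    """Split the -admingroup value on ':' (the separator the bulletin specifies).

    Empty entries are dropped; an empty result is rejected because the
    AdminServer requires at least one group.
    """
    groups = [g.strip() for g in (value or "").split(":") if g.strip()]
    if not groups:
        raise ValueError("-admingroup requires at least one group")
    return groups


@dataclass(frozen=True)
class GroupCheck:
    available: List[str]
    unavailable: List[str]

    def can_start(self) -> bool:
        # Startup is allowed only if at least one listed group exists.
        return len(self.available) >= 1

    def group_info(self) -> str:
        # Renders the GroupInfo log field layout from the bulletin:
        # "group,group...;{unavailablegroup,unavailablegroup...}"
        return ",".join(self.available) + ";{" + ",".join(self.unavailable) + "}"


def check_groups(groups: List[str], os_groups: Set[str]) -> GroupCheck:
    """Split the configured groups into those the OS knows and those it does not."""
    available = [g for g in groups if g in os_groups]
    unavailable = [g for g in groups if g not in os_groups]
    return GroupCheck(available, unavailable)


def authorize(user: str, admin_groups: List[str],
              membership: Dict[str, Set[str]]) -> Tuple[bool, List[str]]:
    """Authorize a user for an AdminServer operation.

    Returns (True, [matched_group]) on success, mirroring the single GroupName
    a success log entry carries, or (False, admin_groups) on failure,
    mirroring the GroupNames listed in a failure entry.
    """
    user_groups = membership.get(user, set())
    for g in admin_groups:
        if g in user_groups:
            return True, [g]
    return False, list(admin_groups)


# Constructed sample data standing in for the operating system's group database.
OS_GROUPS = {"PSCAdmin", "Administrators", "Users"}
MEMBERSHIP = {
    "alice": {"PSCAdmin", "Users"},
    "bob": {"Users"},
}

if __name__ == "__main__":
    groups = parse_admingroup("PSCAdmin:DBAdmins")   # DBAdmins does not exist here
    check = check_groups(groups, OS_GROUPS)
    print("GroupInfo:", check.group_info(), "| can start:", check.can_start())
    for user in ("alice", "bob"):
        ok, detail = authorize(user, check.available, MEMBERSHIP)
        print(user, "authorized" if ok else "NOT authorized", detail)
```

Note that authorization is evaluated only against the groups that actually exist: a misspelled group in the list costs nothing at startup as long as one valid group remains, but nobody can be authorized through it, which is exactly the case the GroupInfo field is meant to make visible.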
The following lists the user group authorization platform support:
AdminServer Logging Enhancement
The AdminServer includes logging entries specifically related to user authentication and authorization. The log lists both successful and failed operations in the following format:
The fields in a security entry specify:
- date — The existing Logging tool will automatically insert the current date using the existing AdminServer log format.
- level — The possible levels are 1 through 5, in compliance with the existing AdminServer log conventions. The security entry will use only the following levels:
- "security" — This is a text constant that Progress specifies in order to simplify log file scanning, so that an automated parser can easily identify security events.
- UserName — This field contains the user account being authenticated to the AdminServer. This field might indicate "no-user" if the authentication and/or authorization operation failed before the authentication portion could take place. On Windows systems only, the UserName might be in the form [domain\]UserName, where domain is the result of an account lookup operation when the user has not specified a fully qualified user account.
- UserSuppliedPwd — This field indicates which of the three following possible conditions applies to the password being validated for the user account:
- GroupInfo — This field contains group authorization information. When the AdminServer initializes, it validates that at least one group is accessible before allowing startup. In this instance, the field contains the list of available groups and unavailable groups; unavailable groups are designated by enclosing braces. The format is "group,group...;{unavailablegroup,unavailablegroup...}". On Windows only, the list of available groups might have the Windows domain prefixed in square brackets to indicate where the group name lookup operation found the entry.
When a security entry is made for an authentication or authorization operation, it can contain:
- No Group Checking — This indicates that the AdminServer started without the -admingroup option and no group authorization took place.
- GroupName — This indicates that a single group name was successfully authorized for the user with a success message logged.
- GroupNames — This indicates the group names that the user failed to be authorized in when the failure message was logged.
- Text — This field contains one of the messages that further explains the success or failure. The possible text messages follow:
- User is not authenticated.
- User is authenticated and authorized.
- User is not authorized.
- Failed to find the admingroup(s).
- Failed to find the admingroup, not a valid group list.
- Failed to find the admingroup, please provide a valid group list.
- User password is not valid.
- System generated password has expired.
- Error, system generated password is not valid, user and host are valid.
- Valid group list.
The default behavior for logging is that both success and failure events will be logged.
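Because every security entry carries the literal "security" constant and one of the message texts listed above, a log scanner can pick these entries out and classify them without understanding the rest of the AdminServer log. The following is an added example, not Progress code: the bulletin names the fields and messages but this page does not reproduce the exact line layout, so the layout used here ("[date] [level] security|UserName|UserSuppliedPwd|GroupInfo|Text"), the UserSuppliedPwd values and the sample lines are constructed assumptions. The block also models the -DLogLevelSecurity switch described in the next paragraph.

```python
# Added example (not Progress code): scanning AdminServer log output for the
# security entries described in this section. The line layout
# "[date] [level] security|UserName|UserSuppliedPwd|GroupInfo|Text" and the
# sample lines are constructed assumptions; the field names and message texts
# are the ones the bulletin lists.
import re
from collections import Counter
from typing import Dict, List, Optional

SUCCESS_MESSAGES = {
    "User is authenticated and authorized.",
    "Valid group list.",
}
FAILURE_MESSAGES = {
    "User is not authenticated.",
    "User is not authorized.",
    "Failed to find the admingroup(s).",
    "Failed to find the admingroup, not a valid group list.",
    "Failed to find the admingroup, please provide a valid group list.",
    "User password is not valid.",
    "System generated password has expired.",
    "Error, system generated password is not valid, user and host are valid.",
}

# The literal "security" constant is what lets a parser pick these lines out.
SECURITY_LINE = re.compile(r"^\[(?P<date>[^\]]+)\] \[(?P<level>\d)\] security\|(?P<rest>.*)$")


def parse_security_entry(line: str) -> Optional[Dict[str, str]]:
    """Return the parsed fields of a security entry, or None for any other line."""
    m = SECURITY_LINE.match(line.rstrip("\n"))
    if not m:
        return None
    parts = m.group("rest").split("|", 3)
    if len(parts) != 4:
        return None   # malformed entry: do not guess at field positions
    user, pwd, groupinfo, text = parts
    if text in SUCCESS_MESSAGES:
        outcome = "success"
    elif text in FAILURE_MESSAGES:
        outcome = "failure"
    else:
        outcome = "unknown"   # unlisted message text: surface it rather than drop it
    return {"date": m.group("date"), "level": m.group("level"), "user": user,
            "pwd": pwd, "groupinfo": groupinfo, "text": text, "outcome": outcome}


def should_log(log_level_security: int, outcome: str) -> bool:
    """Model the -DLogLevelSecurity switch: 2 drops successes, 3 logs both.

    Only the values 2 and 3 are described in the bulletin; treating any value
    of 3 or higher as "log successes too" is an assumption of this example.
    """
    if outcome == "success":
        return log_level_security >= 3
    return True


def failures_per_user(lines: List[str]) -> Dict[str, int]:
    """Count failed authentication/authorization entries by user."""
    counts: Counter = Counter()
    for line in lines:
        entry = parse_security_entry(line)
        if entry and entry["outcome"] == "failure":
            counts[entry["user"]] += 1
    return dict(counts)


# Constructed sample log; "no-user" follows the bulletin's convention for a
# failure that occurred before authentication could take place.
SAMPLE_LOG = """\
[03/12/04 09:15:02] [3] security|alice|supplied|PSCAdmin|User is authenticated and authorized.
[03/12/04 09:15:40] [3] security|bob|supplied|PSCAdmin|User is not authorized.
[03/12/04 09:16:10] [3] security|no-user|none|No Group Checking|User is not authenticated.
[03/12/04 09:16:11] [2] AdminServer started
[03/12/04 09:17:00] [3] security|bob|supplied|PSCAdmin|User password is not valid.
""".splitlines()

if __name__ == "__main__":
    for entry in filter(None, map(parse_security_entry, SAMPLE_LOG)):
        print(entry["outcome"].upper(), entry["user"], "-", entry["text"])
    print("failures per user:", failures_per_user(SAMPLE_LOG))
```

Matching the message text against a fixed set, with an explicit "unknown" bucket, keeps a new or truncated message from being silently miscounted as a success; repeated failures for one account or for "no-user" are the entries worth alerting on.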
There is an AdminServer command-line option for JVMARGS called DLogLevelSecurity that, when set, determines the type of logging that the AdminServer log file captures. The syntax for JVMARGS is as follows:
Setting -DLogLevelSecurity=2 stops successful logins from being logged. Setting -DLogLevelSecurity=3 logs failures and successes.

Option To Require a Valid Username and Password
In Progress Version 9.1D, a user can require that when users start servers managed by the AdminServer (AppServer, SonicMQ, and WebSpeed), the ubroker.properties file must provide a valid username and password. This enhanced authentication for starting the AppServer, WebSpeed, and SonicMQ Adapter uses the ubroker.properties file hierarchy to find usernames and passwords. A new Progress Explorer password field (which Progress recommends as the preferred method for updating the ubroker.properties file) can be set to supply the username's password. The new command-line option that tells the AppServer, WebSpeed, and SonicMQ to require a username and password from the ubroker.properties file is Require Username (-requireusername). Progress Version 9.1D still provides the manual password generator if you do not use the Progress Explorer. The user runs <install-dir>\bin\genpassword. This gives the user an obfuscated password that the user can enter into the Progress Explorer. Alternately, but not recommended, the user can cut and paste this password into the ubroker.properties file. The Require Username syntax is as follows:
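The point of the "file hierarchy" remark is that a broker's credentials may be set on its own section or inherited from a parent section, and that with Require Username in force a broker whose lookup comes up empty must not start. The following is an added example, not Progress code: it resolves a property by walking the dotted section names upward and applies a fail-closed check. The section names, the key names "username" and "password", and the obfuscated password value are constructed placeholders; the real property names are not given on this page.

```python
# Added example (not Progress code): resolving a broker's credentials through
# the ubroker.properties section hierarchy and applying a -requireusername
# style fail-closed check. Section names, the key names "username"/"password"
# and the password value are constructed placeholders.
import configparser
from typing import Optional, Tuple

# Constructed sample file: asbroker1 inherits its username from [UBroker] and
# sets its own (placeholder) obfuscated password; asbroker2 sets no password.
SAMPLE_UBROKER_PROPERTIES = """\
[UBroker]
username=svc_broker

[UBroker.AS]

[UBroker.AS.asbroker1]
password=OBFUSCATED_PASSWORD_PLACEHOLDER

[UBroker.AS.asbroker2]
"""


def load_properties(text: str) -> configparser.ConfigParser:
    """Parse [Section] / key=value text without % interpolation."""
    cfg = configparser.ConfigParser(interpolation=None)
    cfg.read_string(text)
    return cfg


def lookup(cfg: configparser.ConfigParser, section: str, key: str) -> Optional[str]:
    """Walk from the broker's own section up its dotted parents; first hit wins."""
    parts = section.split(".")
    while parts:
        name = ".".join(parts)
        if cfg.has_section(name) and cfg.has_option(name, key):
            return cfg.get(name, key)
        parts.pop()
    return None


def can_start(cfg: configparser.ConfigParser, section: str,
              require_username: bool) -> Tuple[bool, str]:
    """Refuse to start a broker when credentials are required but incomplete."""
    user = lookup(cfg, section, "username")
    password = lookup(cfg, section, "password")
    if not require_username:
        return True, "credentials not required"
    if not user:
        return False, f"-requireusername set but no username found for {section}"
    if not password:
        return False, f"-requireusername set but no password found for {section}"
    return True, f"starting {section} as {user}"


if __name__ == "__main__":
    cfg = load_properties(SAMPLE_UBROKER_PROPERTIES)
    for broker in ("UBroker.AS.asbroker1", "UBroker.AS.asbroker2"):
        print(broker, can_start(cfg, broker, require_username=True))
```

The check is deliberately fail-closed: a broker that would have started silently under the old behaviour is refused once Require Username is set and either value is missing anywhere in its section chain.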
Copyright © 2004 Progress Software Corporation www.progress.com Voice: (781) 280-4000 Fax: (781) 280-4095