Progress
Version 9
Product Update Bulletin


AdminServer Security Enhancement

Progress Version 9.1D adds functionality that lets administrators tighten security around the AdminServer. This appendix provides information about the following:

AdminServer Security At Install

Progress Version 9.1D has optional functionality that allows access to the AdminServer based on a user’s membership in a group that has the appropriate privileges to perform AdminServer operations.

Checking a user’s group membership consists of the following two processes:

During the Progress Version 9.1D installation, administrators are asked if they want to enable user authorization:

NOTE: When you install the AdminServer, by default it is started using a default account called LocalSystem. The AdminServer Authorization dialog box also has a username and password option that, if selected, changes the account from LocalSystem to a specific username and password.

Groups are set up in the operating system, outside of the Progress environment; however, an administrator using Progress Version 9.1D can also set up groups in a minimal fashion (locally only) during the Progress install. It is up to the administrator to determine who belongs in which particular group. If, after the Progress installation, a user attempts to perform an operation and does not belong to a group with that privilege, the user is informed that they are not authorized to perform that operation and is referred to the system administrator for assistance.

NOTE: Determining group membership is up to the administrator and is based on a variety of factors that differ from company to company, such as company policy, operating system, version number, procedures, etc.

Option To Require Authorization On the Command Line

If the administrator accepts the default installation and does not choose to use authorization, authorization can optionally be selected when starting up the AdminServer. The new command-line option for authorization with the AdminServer, AdminGroup (-admingroup), has the following syntax:

SYNTAX
-admingroup group[:group...] 

For the AdminGroup startup parameter, there must be a minimum of one group. If multiple groups are listed, they are separated with a colon. The AdminServer will not start unless a minimum of one group exists. To perform AdminServer functions, the user has to be a valid account in one of the groups.
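
An added example, not Progress code: a pre-flight check for a -admingroup value on a UNIX host before it is passed to the AdminServer. It assumes groups are resolved through the OS group database (Python's grp and pwd modules), counts a user's primary group as membership, and reads "a minimum of one group exists" as at least one listed group being present; the group and user names in the sample are constructed.

```python
import grp
import pwd

# Constructed sample group database (hypothetical names) for offline runs.
SAMPLE_GROUPS = {"pscadmin": {"alice"}, "operators": {"bob", "carol"}}


def parse_admingroup(value):
    """Split a -admingroup value (group[:group...]) into group names."""
    groups = [g.strip() for g in value.split(":")]
    if any(not g for g in groups):
        raise ValueError("-admingroup needs at least one group and no empty entries")
    return groups


def os_group_members(name):
    """Members of an OS group, or None if the group does not exist."""
    try:
        entry = grp.getgrnam(name)
    except KeyError:
        return None
    members = set(entry.gr_mem)
    # gr_mem omits users whose *primary* group this is, so add them from passwd.
    members.update(p.pw_name for p in pwd.getpwall() if p.pw_gid == entry.gr_gid)
    return members


def preflight(value, user, lookup=os_group_members):
    """Report which listed groups exist and which of them contain `user`."""
    found = {g: lookup(g) for g in parse_admingroup(value)}
    existing = [g for g, m in found.items() if m is not None]
    granting = [g for g in existing if user in found[g]]
    return {
        "existing": existing,
        "missing": [g for g, m in found.items() if m is None],
        "granting": granting,
        # Assumed reading of the page: startup needs one listed group to exist.
        "server_can_start": bool(existing),
        "user_authorized": bool(granting),
    }


if __name__ == "__main__":
    # Offline run against the constructed sample; drop the lookup argument
    # to query the real group database on the host.
    print(preflight("pscadmin:operators:ghost", "bob", SAMPLE_GROUPS.get))
```

A non-empty "missing" list is worth resolving before startup: a misspelled group name silently narrows who is authorized.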

The following lists the user group authorization platform support:

AdminServer Logging Enhancement

The AdminServer includes logging entries specifically related to user authentication and authorization. The log lists both successful and failed operations in the following format:

SYNTAX
[date][level]["security"] UserName:UserSuppliedPwd:GroupInfo:Text 

The fields in a security entry specify:

The default behavior for logging is that both success and failure events will be logged.

The AdminServer has a JVMARGS command-line option called DLogLevelSecurity that, when set, determines the type of logging that the AdminServer log file captures. The syntax for JVMARGS is as follows:

SYNTAX
JVMARGS="$JVMARGS -DLogLevelSecurity={2|3}" 

Setting -DLogLevelSecurity=2 stops successful logins from being logged.

Setting -DLogLevelSecurity=3 logs failures and successes.

Option To Require a Valid Username and Password

In Progress Version 9.1D, a user can require that, when users start servers of the AdminServer (AppServer, SonicMQ, and WebSpeed), the ubroker.properties file must provide a valid username and password. This enhanced authentication for starting the AppServer, WebSpeed, and SonicMQ Adapter uses the ubroker.properties file hierarchy to find usernames and passwords. A new Progress Explorer password field (which Progress recommends as the preferred method for updating the ubroker.properties file) can be set to supply the username’s password.

The new command-line option that tells the AppServer, WebSpeed, and SonicMQ to require a username and password from the ubroker.properties file is Require Username (-requireusername). Progress Version 9.1D still uses the manual password field generator if you do not use the Progress Explorer. The user runs <install-dir>\bin\genpassword. This gives the user an obfuscated password that the user can enter into the Progress Explorer. Alternatively, but not recommended, the user can cut and paste this password into the ubroker.properties file.

The Require Username syntax is as follows:

SYNTAX
-requireusername 


Copyright © 2004 Progress Software Corporation