You can take actions to ensure that your installation is
secure, customize your security settings, and set up user access controls.
You can also ensure that you know about any security limitations that
you might encounter with this application.
Enabling security during
the install process
If you are installing only the Document
Studio or Launcher applications, no steps are required for enabling
security during installation. If you are installing the remote services
on an application server, you must complete steps to secure your server.
- If you are using WebSphere® Application Server as
your application server, several security settings, such as administrative
security and application security, must be enabled when deploying Rational® Publishing Engine web
applications. For more information, see Manually deploying the Remote services application
on WebSphere Application Server.
- If you are using Apache Tomcat as your application server, no
required security settings must be set, although you can choose to
set up the SSL configuration. For more information, see the SSL Configuration
How-To information for version 6.0 or version 7.0 on the Apache Tomcat website.
- To learn more about how user names and passwords are stored,
see the documentation for your application server.
To prevent clickjacking, the X-Frame-Options
header in the Remote services application is set to DENY by
default. For more information about clickjacking and this setting,
see the topic for WebSphere Application Server or Apache Tomcat.
After you deploy
the Remote services application, you can choose whether to enter a
secure or nonsecure URL to the remote document generation component
in the client applications. The secure URL is included in the documentation
in this information center. For more information, see Remote services URLs. If you choose
to set up nonsecure document generation, any users can view the generated
output documents, even if they do not have access to the data in the
data source.
Enabling secure communication
between multiple applications
No additional configuration
is required when you are running multiple applications on one server,
because there is no direct communication between Rational Publishing Engine and
the data source you are using. Data source schema and data are used
from the data source in Rational Publishing Engine,
but there is no alteration of the data in Rational Publishing Engine that
requires communication back to the data source.
Ports, protocols, and
services
You can set up a proxy connection.
HTTPS
transport port of the administrative console for the application server:
- The default port for WebSphere Application Server is 9043.
- The default port for Apache Tomcat is 8080.
HTTP transport port of the application server:
- The default port for WebSphere Application Server is 9080.
- The default port for Apache Tomcat is 8080,
unless you are using a port where the SSL is configured, and then
the port number is usually 8443.
Customizing your
security settings
User names and passwords for the web applications
are not created automatically. Rational Publishing Engine requires
user names and passwords for connecting to the remote services, but
not for using the Document Studio and Launcher client applications
on your computer.
Data sources might require separate authentication
for Rational Publishing Engine to
access the data inside them. Verify the security of the data source
and do not use untrusted data sources with Rational Publishing Engine.
If your data source requires authentication, user names and passwords
for data sources can be stored on the Rational Publishing Engine remote
server, in document specification files, or in template files.
Passwords
are encrypted in Rational Publishing Engine.
When passwords are stored in template files and on the remote server,
the characters are masked with bullets. When passwords are stored
in document specification files, the characters are masked with bullets
as they are being typed and are switched to asterisks after you move
the cursor away from the value. If you open a document specification
in a browser or XML editor, the password is encoded.
Templates
or document specifications can be shared by either storing them in
the Central Management component or by sending them through a method
outside of Rational Publishing Engine.
Before sharing a template or document specification, you must decide
whether to keep or remove the user name and password from the files.
In most situations, removing the user name and password from the file
is recommended. Even if the password cannot be identified because
it is encrypted, other users can still generate documents that might
include data that those users are not otherwise permitted to see.
Setting up user roles
and access
Rational Publishing Engine has
roles for administrators and users of the remote services components,
including Remote document generation, Central management system, Monitor &
Control, and Report scheduling. An overview of the user roles is available
in Configuring the Remote services application.
You can then set up the
user roles and provide access to your users on your
WebSphere Application Server or
Apache Tomcat application server.
Provide individual users with their own user name and password instead
of sharing user names with a group of people. Individual user credentials
ensure that users can access only the reports that contain data that
they have permission to view.
Security limitations
- Nonsecure document generation: If you do not choose secure
document generation, any user can view the generated output.
- Unsuccessful login attempts: Apache Tomcat does not lock
out users after multiple unsuccessful attempts to log in.
- Sharing templates and document specifications: If credentials
are not removed from shared templates and document specifications,
users can generate documents on data that they might not otherwise
have permission to access.
- Data source security: Data is secured by the application
that stores it. Rational Publishing Engine does
not secure data.