Focal Point
[SOLVED] Need help passing MR credentials to reporting server

This topic can be found at:
https://forums.informationbuilders.com/eve/forums/a/tpc/f/7971057331/m/8341073103

October 02, 2008, 06:05 PM
ShawnS
I am testing 767 on Windows 2003 server(s) using LDAP on both the reporting and web servers. I'm trying to find a way to eliminate the additional log-in the reporting server is asking for. When users log into MRE they are prompted for their MR credentials, and then when they execute a procedure they are prompted again. I think I'm getting warm by looking into the WF_COOKIE but the documentation is lacking. Is there a way to pass my MR credentials behind the scenes to the reporting server instead of it asking for them?

Currently, I'm running 7.14 and the reporting server (on Unix mainframe) is set up as PTH. We were able to get away with this because developers using Dev Studio couldn't see the data servers. In 767 they can, regardless of me removing their data server access via the MR administration way.

So, I turned on the security, but now I get an extra prompt.

Thanks,



wf 767 running on w2k3 srvr
October 06, 2008, 10:24 AM
Francis Mariani
I'm no security expert, but I suspect you need to tweak some security setting somewhere...

Meanwhile, here's how I work with MRE and reporting server logins.

Along with other stuff, the following is in my site profile (C:\ibi\client53\wfc\etc\site.wfs, accessible from WF Administration Console > Configuration > Custom Settings):

<IFDEF> WORPUSER
  <SENDVAR>
    UID=&WORPUSER
    UPASS=&WORPPASS
    IBIC_user=&WORPUSER
  <ENDSENDVAR>
<ELSE>
  <IFDEF> IBIMR_user
    <SENDVAR>
      UID=&IBIMR_user
      IBIC_user=&IBIMR_user
      WORPUSER=&IBIMR_user
      IBIMR_user=&IBIMR_user
      UPASS=&IBIMR_pass
    <ENDSENDVAR>
  <ELSE>
    <SENDVAR>
      UID=UNKNOWN
      IBIC_user=UNKNOWN
      UPASS=UNKNOWN
    <ENDSENDVAR>
  <ENDIF>
<ENDIF>

This means:

If the user logged in via B.I. Dashboard:
    pass the Dashboard User Id and Password to WebFOCUS variables &UID and &UPASS,
    copy the Dashboard User ID to the reporting server User Id (IBIC_user)
else
    If the user logged in via MRE:
        pass the MRE User Id and Password to WebFOCUS variables &UID and &UPASS,
        pass the MRE User Id to WebFOCUS variable &IBIMR_user
        copy the MRE User ID to the reporting server User Id (&IBIC_user)
        copy the MRE User ID to the Dashboard User Id (&WORPUSER)
    else
        set the WebFOCUS variables &UID and &UPASS to "UNKNOWN"
        set the reporting server User Id to "UNKNOWN"

I inherited some of these settings and am not sure if they're all required. Also, we only have MRE security so I'm not sure of the ramifications of that. You may have to add the following to pass the MRE password to the reporting server:

IBIC_pass=&IBIMR_pass

I've only chimed in because no one else has since last Thursday and I apologize if none of this helps.


Francis


Give me code, or give me retirement. In FOCUS since 1991

Production: WF 7.7.05M, Dev Studio, BID, MRE, WebSphere, DB2 / Test: WF 8.1.05M, App Studio, BI Portal, Report Caster, jQuery, HighCharts, Apache Tomcat, MS SQL Server
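
The site.wfs fragment in the post above, walked branch by branch to show which condition sends which variable and where a password value is forwarded. This is an added example, not part of the original post or of WebFOCUS; audit() is a hypothetical helper, it handles only the tags visible in the post, and treating any source variable whose name ends in "pass" as a password is an assumption.

```python
import re

# Constructed sample: the site.wfs fragment quoted in the post above.
SITE_WFS = """<IFDEF> WORPUSER
<SENDVAR>
UID=&WORPUSER
UPASS=&WORPPASS
IBIC_user=&WORPUSER
<ENDSENDVAR>
<ELSE>
<IFDEF> IBIMR_user
<SENDVAR>
UID=&IBIMR_user
IBIC_user=&IBIMR_user
WORPUSER=&IBIMR_user
IBIMR_user=&IBIMR_user
UPASS=&IBIMR_pass
<ENDSENDVAR>
<ELSE>
<SENDVAR>
UID=UNKNOWN
IBIC_user=UNKNOWN
UPASS=UNKNOWN
<ENDSENDVAR>
<ENDIF>
<ENDIF>"""

def audit(text):
    """Return (condition, name, value, note) for every SENDVAR assignment."""
    conds, sending, rows = [], False, []
    for line in map(str.strip, text.splitlines()):
        if m := re.match(r"<IFDEF>\s*(\w+)", line):
            conds.append(m.group(1))         # branch taken when the variable is defined
        elif line == "<ELSE>":
            conds[-1] = "!" + conds[-1]      # same variable, not defined
        elif line == "<ENDIF>":
            conds.pop()
        elif line in ("<SENDVAR>", "<ENDSENDVAR>"):
            sending = line == "<SENDVAR>"
        elif sending and "=" in line:
            name, value = line.split("=", 1)
            # Assumed heuristic: a source variable ending in "pass" carries a password.
            note = ("password" if re.search(r"&\w*pass\b", value, re.I)
                    else "" if value.startswith("&") else "literal")
            rows.append((" and ".join(conds), name, value, note))
    return rows

if __name__ == "__main__":
    print(*audit(SITE_WFS), sep="\n")
```

Rows noted "password" are the branches where a login password is copied into a variable that is sent on with the request; rows noted "literal" are the fallback identity used when neither login variable is defined.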
October 06, 2008, 06:13 PM
ShawnS
Thanks Francis,
But no dice. It is close because now when I'm challenged by the reporting server it has my user ID already in the text box. It's the IBIC_pass that seems to not be responding to: IBIC_pass=&IBIMR_pass

In the meantime I hacked up some of the mr_login.htm files to pass the credentials to both the reporting server and the web server. This works but I have to do it for the BID login as well. Not to mention IBI suggests staying with the JSP pages for added security. I'm trying to adjust those now.

All this work to try to keep local department developers out of the data servers in Dev Studio, only to find that is impossible. I'll post this to a new thread once I cool off.

Much thanks for looking into this.


wf 767 running on w2k3 srvr
October 07, 2008, 09:05 AM
GinnyJakes
Shawn,

I don't know if this will help or if your reporting server is on Unix or not, but you could put a default server logon in the WebFOCUS client in the Remote Servers profile and then restrict access to Data Servers with group directory permissions by business unit. We have just a few MRE users and everyone else is Data Servers in different business units and that is how we organize stuff.

If you would like more detailed information, I'd be happy to share it.


Ginny
---------------------------------
Prod: WF 7.7.01 Dev: WF 7.6.9-11
Admin, MRE,self-service; adapters: Teradata, DB2, Oracle, SQL Server, Essbase, ESRI, FlexEnable, Google
October 07, 2008, 12:07 PM
ShawnS
Ginny - I was with you until "restrict access to Data Servers with group directory permissions". Is this Unix's flavor of Active Directory, whereby you determine group A has access to ibi\apps\baseapp and group B has access to ibi\apps\ibisamp?

In our shop we have about 100+ basic MRE users and 10 developers using Dev Studio. It's these developers whose access to the data servers I want to remove while in Dev Studio. However, if they don't have access to ibisamp (using Active Directory) then they couldn't run a standard report in MRE utilizing the CAR syn... correct?

If I'm off on any of the above points let me know.

Thanks


wf 767 running on w2k3 srvr
October 07, 2008, 12:16 PM
GinnyJakes
Unix has 3 levels of permissions on a file/directory: owner, group, and world. Usually we give permissions of rw-rw-r so that world has read privileges and cannot write.

You are correct in that if you didn't give world read access to ibisamp, then they couldn't use CAR.

I think I've muddied the waters for you and for that I apologize but your signature noted Unix on z/OS.

I don't do active directory.


Ginny
---------------------------------
Prod: WF 7.7.01 Dev: WF 7.6.9-11
Admin, MRE,self-service; adapters: Teradata, DB2, Oracle, SQL Server, Essbase, ESRI, FlexEnable, Google
October 08, 2008, 07:56 AM
CLH
Our reporting server is also running with security LDAP. You can have the MRE authenticate against the reporting server by changing the MR security settings in the WebFOCUS administrative console. There is information about the various options within the help on the console. We use external directory WFRS, though you may want to use something else based on your web server security. What WFRS does is pass the credentials they logged on to the client (MRE) with and authenticate them against the reporting server, which is running in LDAP security mode.


Webfocus 8.0.7 on Windows
October 08, 2008, 08:49 AM
Pete
Does this help?


IBIMR_action EQ "MR_SIGNON"
httpsession=_ibpass
CopyWFVarToSessionVar(IBIMR_pass,httpsession)


IBIC_user=&IBIMR_user
wfvar=IBIC_pass
httpsession=_ibpass
CopySessionVarToWFVar(httpsession,wfvar)

IBIWF_language(pass)
IBIMR_fex(pass)
IBIMR_domain(pass)
MR_FULL_FEXNAME(pass)


D: WF 7.6.2 P. : WF 7.6.2 on W2003
------------------------------------------------------------------
I see myself as an intelligent, sensitive human, with the soul of a clown which forces me to blow it at the most important moments.

-Jim Morrison-

October 08, 2008, 01:32 PM
dhagen
You should consider changing your MR Security settings to External Directory of WFRS. That way your MRE will authenticate directly to the reporting server, thus avoiding multiple logons.


"There is no limit to what you can achieve ... if you don’t care who gets the credit." Roger Abbott
October 09, 2008, 02:13 PM
ShawnS
SOLVED!
using WFRS for MR security...

Thanks for all your help.


wf 767 running on w2k3 srvr