We are in a process of moving from 7.6 to 8. In WF 7 we used to make direct call from Brower to the group view in WebFOCUS server using this url

/ibi_apps/bid?WORP_REQUEST_TYPE=WORP_GBV_VERIFY&groupName=grouphref&WORP_USER=xxx&WORP_PASS=xxx&WORP_MPV=aaa_gbv

It is not working in WF8. I looked at the event log of the server and saw this error

java.lang.Exception: ERROR - Request 'WORP_GBV_VERIFY' is unsupported.

Any help regarding this issue will really be appreciated.

This message has been edited. Last edited by: <Kathryn Henning>,

We use public dashboards and the call string did change from 7.6 to 8. We use:

http://servername/ibi_apps/bid/aa_mpv

Hi F-One,

It looks like a case has been opened to handle this issue. Please share with us what the final resolution is so that others can benefit as well.

Thanks and regards,

Kathryn

This the response I got from IBI

"There was an issue reviewed by the Product Division as follows:
WF8ashboard:Unable pass in URL Username/Password

Passing credentials on the url is seen as a security vulnerability, as web servers typically log url information.

User's will now be required to pass credentials.
I believe starting the Reporting Server unsecured is not an option."

That may not work for us because we have WF reports and dashboards with our existing web portals which already have AD login screen of its own and we are not going to ask user to login again on WF server with same credentials. I am pretty sure they might have thought about that before putting that kind of restriction in WF 8 security model.

I am open for any suggestions.

If you already have AD set up for other web sites, then you should be able to easily set up Single Sign-On (SSO) using IWA or LDAP.

Are your WebFOCUS IDs the same as your AD IDs? If so it's simple. If not then you can probably run the Reporting server trusted and pass the AD id from your other login pages.

Cheers

Stu

We have same WebFocus IDs as AD IDs. Can you send me some steps on how to setup SSO in WF8.

I will really appreciate that.

Amin

Amin,

Unfortunately you are probably have to read the Security Manual for Version 8 (specifically Chapter 7. Authentication), but a quick overview for a SSO deployment on Windows

1. Set IIS to use Windows Authentication
2. Change Tomcat to not do Authentication - add tomcatAuthentication="false" to your AJP connector
After these two steps you should be see the REMOTE_USER populated with your AD id in the WebFOCUS Client admin Console - under Diagnostics -> HTTP Request Info
3. Make sure that your Reporting Server is configured for LDAP/AD (or OPSYS if on Windows) and you can log in with your AD id.
4. Change the WF client security to WFRS via Admin Console
5. Restart tomcat and see whether you can log in with AD id.
If you get this far then you can alter the securitysettings.xml to turn of the login form and pass REMOTE_USER as the login ID. Once this works the next step is to change the connection from WebFOCUS client to Reporting Server to be trusted nad you should no longer be prompted for credentials against the Reporting Server.

Do this on a WebFOCUS install that is not using IIS is a little more complicated but you just need to identify what header your SSO is setting if it is not REMOTE_USER.

Feel free to ask any specific questions you may have. All environments have their own "weird" points that makes security a non-trivial task.

Cheers

Stu