In this article:
Step 1. Preparing Domain Environment
Step 3. Setting Up Integrated Domain Authentication
Step 4. Saving Credentials for DBMS Connection
To set up integrated domain authentication with built-in authorization on the Apache2 web server in Linux OS, follow the steps given below. Combined use of integrated domain authentication and built-in authorization is supported only with the PostgreSQL DBMS.
IMPORTANT. Built-in authorization is set up once during primary system setup.
Foresight Analytics Platform gets information about domain security subjects from the domain directory service or the global catalog, which must be set up in the computer network. Interaction with the directory service is executed via the LDAP/LDAPS protocol.
If the directory service of the current domain (the global catalog of the current network) is based on Active Directory, and Foresight Analytics Platform works in Windows OS, no advanced settings are needed to connect to this service.
If the directory service is located on a Linux OS server, or it is required to connect to a directory service in a network other than the current one (Linux or Windows OS server), execute the following operations depending on the operating system in use:
In Linux OS, install the necessary packages depending on the Linux OS distribution:
Debian-based distributions:
sudo apt install libldap-2.4-2 libsasl2-modules-gssapi-mit
RedHat-based distributions:
sudo yum install openldap openldap-clients
ALT Linux:
sudo apt-get install openldap-common
In Windows OS, download and run the OpenSSL installer. The default installation folder for OpenSSL is C:\Program Files\OpenSSL-Win64.
Add the path to the bin folder, C:\Program Files\OpenSSL-Win64\bin, to the PATH system variable.
Preparing domain environment also includes:
Installation and setup of Kerberos on the PostgreSQL DBMS server. Make sure that domain information is added to the /etc/krb5.conf file. For details see the Kerberos documentation.
Creating keytab files and setting up the HTTP service. Keytab files are used to authenticate users without entering a password in Astra Linux Directory (ALD) in Linux OS or Active Directory (AD) in Windows OS. A keytab file stores the names of Kerberos principals and the corresponding encrypted keys derived from the Kerberos passwords.
NOTE. If user properties are changed, the keytab file should be recreated.
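The keytab for the HTTP service is the secret the web server authenticates with, so it is worth checking what it actually contains before pointing Apache at it: that the HTTP/<host> principal for the BI server is present, that only current key versions are in it (a stale kvno after the account's properties changed is the situation the note above is about), and that no deprecated encryption types were kept. The following script is an added example, not part of the Foresight documentation; it parses the MIT keytab on-disk format (version 0x0502) directly so it runs without Kerberos tools installed. The sample keytab is constructed inline, and the host name bi.corp.example and realm CORP.EXAMPLE are assumptions.

```python
# Added example (not part of the Foresight documentation): inspect an MIT
# Kerberos keytab in the v2 (0x0502) on-disk format and check that it carries
# the HTTP service principal Apache will load, with one current key version and
# no deprecated encryption types.  The sample keytab is built inline; the host
# name bi.corp.example and realm CORP.EXAMPLE are assumptions.
import struct

ENCTYPE_NAMES = {1: "des-cbc-crc", 3: "des-cbc-md5", 23: "arcfour-hmac",
                 17: "aes128-cts-hmac-sha1-96", 18: "aes256-cts-hmac-sha1-96"}
WEAK_ENCTYPES = {1, 3, 23}   # DES and RC4 are deprecated and must not stay in a keytab


def _counted(data, pos):
    """Read a counted_octet_string: big-endian uint16 length, then the bytes."""
    (n,) = struct.unpack_from(">H", data, pos)
    return data[pos + 2:pos + 2 + n], pos + 2 + n


def parse_keytab(data):
    """Return a list of {principal, enctype, kvno, timestamp} for each live entry."""
    if data[:2] != b"\x05\x02":
        raise ValueError("not a version-2 MIT keytab")
    entries, pos = [], 2
    while pos < len(data):
        (size,) = struct.unpack_from(">i", data, pos)
        pos += 4
        if size < 0:                 # a negative size marks a deleted slot to skip
            pos += -size
            continue
        end = pos + size
        (ncomp,) = struct.unpack_from(">H", data, pos)
        pos += 2
        realm, pos = _counted(data, pos)
        comps = []
        for _ in range(ncomp):
            comp, pos = _counted(data, pos)
            comps.append(comp.decode())
        _name_type, timestamp, vno8 = struct.unpack_from(">IIB", data, pos)
        pos += 9
        enctype, klen = struct.unpack_from(">HH", data, pos)
        pos += 4 + klen              # the key material itself is not needed here
        kvno = vno8
        if end - pos >= 4:           # optional 32-bit kvno overrides the 8-bit field
            (kvno,) = struct.unpack_from(">I", data, pos)
        pos = end
        entries.append({"principal": "/".join(comps) + "@" + realm.decode(),
                        "enctype": enctype, "kvno": kvno, "timestamp": timestamp})
    return entries


def check_http_principal(entries, fqdn, realm):
    """List reasons the keytab would not work, or would be weak, as Apache's
    GssapiCredStore keytab: principal absent, weak enctype, mixed key versions."""
    wanted = f"HTTP/{fqdn}@{realm}"
    mine = [e for e in entries if e["principal"] == wanted]
    problems = []
    if not mine:
        problems.append(f"missing {wanted}")
    for e in mine:
        if e["enctype"] in WEAK_ENCTYPES:
            problems.append(f"weak enctype {ENCTYPE_NAMES.get(e['enctype'], e['enctype'])}")
    if len({e["kvno"] for e in mine}) > 1:
        problems.append("mixed kvno: stale keys present, recreate the keytab")
    return problems


# --- constructed sample data (not from a real domain) -----------------------
def _packed(s):
    b = s.encode()
    return struct.pack(">H", len(b)) + b


def build_keytab(specs):
    """Build keytab bytes from (principal, enctype, kvno, key) tuples."""
    out = b"\x05\x02"
    for principal, enctype, kvno, key in specs:
        name, realm = principal.split("@")
        comps = name.split("/")
        body = struct.pack(">H", len(comps)) + _packed(realm)
        for c in comps:
            body += _packed(c)
        body += struct.pack(">IIB", 1, 1700000000, kvno & 0xFF)  # NT-PRINCIPAL, time, vno8
        body += struct.pack(">HH", enctype, len(key)) + key + struct.pack(">I", kvno)
        out += struct.pack(">i", len(body)) + body
    return out


if __name__ == "__main__":
    stale = build_keytab([("HTTP/bi.corp.example@CORP.EXAMPLE", 18, 3, b"\x11" * 32),
                          ("HTTP/bi.corp.example@CORP.EXAMPLE", 23, 2, b"\x22" * 16)])
    for e in parse_keytab(stale):
        print(e["principal"], ENCTYPE_NAMES[e["enctype"]], "kvno", e["kvno"])
    print(check_http_principal(parse_keytab(stale), "bi.corp.example", "CORP.EXAMPLE"))
```

On a real host, read the file named in GssapiCredStore keytab: with `open(path, "rb").read()` and pass it to parse_keytab; the principal check uses the same FQDN that will be put into the Metabases.xml and ServerName settings later in this procedure, since a keytab for a different host name is the usual reason for a "no credentials" failure in the Apache error log.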
When installing the BI server, the configuration files of the Apache2 instance are located by default in the folder:
/etc/apache2-fp10.x in Debian-based distributions.
/etc/httpd-fp10.x in RedHat-based distributions.
/etc/httpd2-fp10.x in ALT Linux.
To set up the BI server:
Install necessary packages depending on Linux OS version:
Debian-based distributions:
sudo apt install libsasl2-modules-gssapi-mit libapache2-mod-auth-gssapi
RedHat-based distributions:
sudo yum install cyrus-sasl-gssapi mod_session mod_auth_gssapi
ALT Linux:
sudo apt-get install apache2-mod_auth_gssapi libsasl2-plugin-gssapi
Copy the configuration files of the Apache2 web server to the Apache2 instance with the BI server:
Debian-based distributions:
cp /etc/apache2/mods-available/auth_gssapi.load /etc/apache2-fp10.x/mods-available/
cp /etc/apache2/mods-available/session.load /etc/apache2-fp10.x/mods-available/
cp /etc/apache2/mods-available/session_cookie.load /etc/apache2-fp10.x/mods-available/
RedHat-based distributions:
cp /etc/httpd/conf.modules.d/01-session.conf /etc/httpd-fp10.x/conf.modules.d/
cp /etc/httpd/conf.modules.d/10-auth_gssapi.conf /etc/httpd-fp10.x/conf.modules.d/
ALT Linux:
cp /etc/httpd2/conf/mods-available/auth_gssapi.load /etc/httpd2-fp10.x/conf/mods-available/
cp /etc/httpd2/conf/mods-available/session.load /etc/httpd2-fp10.x/conf/mods-available/
cp /etc/httpd2/conf/mods-available/session_cookie.load /etc/httpd2-fp10.x/conf/mods-available/
Enable the missing Apache2 modules in Debian-based distributions and in ALT Linux:
a2enmod-fp10.x auth_gssapi
a2enmod-fp10.x authz_user
a2enmod-fp10.x authn_core
a2enmod-fp10.x headers
a2enmod-fp10.x session
a2enmod-fp10.x session_cookie
a2enmod-fp10.x rewrite
a2enmod-fp10.x setenvif
Enable the mod_request.so module in RedHat-based distributions: uncomment the following line in the /etc/httpd-fp10.x/conf.modules.d/00-base.conf file:
LoadModule request_module modules/mod_request.so
Change the configuration file of the BI server, fp10.x-biserver.conf, located in the folder:
/etc/apache2-fp10.x/mods-available in Debian-based distributions.
/etc/httpd-fp10.x/conf.d in RedHat-based distributions.
/etc/httpd2-fp10.x/conf/mods-available in ALT Linux.
Change the file contents to the following:
# Foresight Analytics Platform
LoadModule axis2_module "/opt/foresight/fp10.x-biserver/bin/libmod_axis2_2_4.so"
Axis2RepoPath "/opt/foresight/fp10.x-biserver/bin"
Axis2LogFile "/opt/foresight/fp10.x-biserver/var/log/axis2.log"
Axis2LogLevel info
Axis2ServiceURLPrefix services
<Location /FPBI_App_v10.x/axis2>
    SetHandler axis2_module
    Require valid-user
    AuthType GSSAPI
    GssapiAllowedMech krb5
    GssapiCredStore keytab:<path to keytab file for HTTP service>
    GssapiDelegCcacheDir /opt/foresight/fp10.x-biserver/var/cache
    GssapiUseSessions On
    <IfModule mod_session.c>
        Session On
    </IfModule>
    <IfModule mod_session_cookie.c>
        SessionCookieName gssapi_session path=/;httponly;secure;
    </IfModule>
</Location>
The file contains the paths to the main files of the BI server, which are located in the /opt/foresight/fp10.x-biserver folder by default.
After executing these operations the BI server is set up.
In Active Directory one can use unlimited (unconstrained) or limited (constrained) delegation:
To use unlimited delegation, select the Trust This User for Delegation to Any Service (Kerberos only) radio button on the Delegation tab in user properties.
To use limited delegation:
Select the Trust This User for Delegation to Specified Services Only > Use Any Authentication Protocol radio button on the Delegation tab in user properties.
Edit the <Location> section of the BI server configuration file fp10.x-biserver.conf: enable the GssapiUseS4U2Proxy option and specify the additional parameters:
    GssapiUseS4U2Proxy On
    GssapiCredStore client_keytab:<path to keytab file for HTTP service>
    GssapiCredStore ccache:FILE:/opt/foresight/fp10.x-biserver/var/cache/krb5ccache
Astra Linux Directory uses unlimited delegation.
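The <Location> block above is where the security of the whole setup is decided: Require valid-user is what keeps the axis2 handler from being reachable anonymously, GssapiAllowedMech krb5 pins authentication to Kerberos, the session cookie must carry httponly and secure, and when limited delegation is turned on the client_keytab: and ccache: credential stores must both be present. The following checker is an added example, not Foresight's code; it reads the <Location> block of fp10.x-biserver.conf and reports deviations from the configuration shown in the two steps above. The keytab path /etc/apache2-fp10.x/http.keytab in the constructed samples is an assumption.

```python
# Added example (not part of the Foresight documentation): audit the <Location>
# block of fp10.x-biserver.conf for the security-relevant directives, using the
# base configuration and the limited-delegation parameters shown on this page
# as the rule set.  The keytab path in the sample is an assumption.
import re


def parse_location(conf):
    """Return (directive, value) pairs inside the first <Location> block;
    <IfModule> wrappers, blank lines and comments are skipped."""
    m = re.search(r"<Location[^>]*>(.*?)</Location>", conf, re.S | re.I)
    if not m:
        raise ValueError("no <Location> block found")
    pairs = []
    for line in m.group(1).splitlines():
        line = line.strip()
        if not line or line[0] in "#<":
            continue
        parts = line.split(None, 1)
        pairs.append((parts[0].lower(), parts[1].strip() if len(parts) > 1 else ""))
    return pairs


def audit_location(conf):
    """Return a list of findings; an empty list means the block matches the
    hardened configuration from the setup steps."""
    pairs = parse_location(conf)

    def values(name):
        return [v for k, v in pairs if k == name]

    def first(name):
        return (values(name) or [""])[0]

    findings = []
    if first("authtype").upper() != "GSSAPI":
        findings.append("AuthType is not GSSAPI")
    if "valid-user" not in values("require"):
        findings.append("Require valid-user missing: the axis2 handler is reachable without login")
    if first("gssapiallowedmech").lower() != "krb5":
        findings.append("GssapiAllowedMech not pinned to krb5")
    stores = values("gssapicredstore")
    if not any(s.startswith("keytab:") and "<" not in s for s in stores):
        findings.append("GssapiCredStore keytab: missing or still the <path ...> placeholder")
    if first("gssapiusesessions").lower() == "on":
        if first("session").lower() != "on":
            findings.append("GssapiUseSessions On but Session is not On")
        cookie = first("sessioncookiename").lower()
        for flag in ("httponly", "secure"):
            if flag not in cookie:
                findings.append(f"session cookie lacks the {flag} flag")
    if first("gssapiuses4u2proxy").lower() == "on":
        for prefix in ("client_keytab:", "ccache:"):
            if not any(s.startswith(prefix) for s in stores):
                findings.append(f"GssapiUseS4U2Proxy On without GssapiCredStore {prefix}")
    return findings


# Constructed samples: the page's block with limited delegation added, then a
# version with typical mistakes left in.
HARDENED = """
<Location /FPBI_App_v10.x/axis2>
  SetHandler axis2_module
  Require valid-user
  AuthType GSSAPI
  GssapiAllowedMech krb5
  GssapiCredStore keytab:/etc/apache2-fp10.x/http.keytab
  GssapiDelegCcacheDir /opt/foresight/fp10.x-biserver/var/cache
  GssapiUseSessions On
  GssapiUseS4U2Proxy On
  GssapiCredStore client_keytab:/etc/apache2-fp10.x/http.keytab
  GssapiCredStore ccache:FILE:/opt/foresight/fp10.x-biserver/var/cache/krb5ccache
  <IfModule mod_session.c>
    Session On
  </IfModule>
  <IfModule mod_session_cookie.c>
    SessionCookieName gssapi_session path=/;httponly;secure;
  </IfModule>
</Location>
"""

WEAK = """
<Location /FPBI_App_v10.x/axis2>
  SetHandler axis2_module
  AuthType GSSAPI
  GssapiCredStore keytab:<path to keytab file for HTTP service>
  GssapiUseSessions On
  GssapiUseS4U2Proxy On
  Session On
  SessionCookieName gssapi_session path=/;httponly;
</Location>
"""

if __name__ == "__main__":
    print("hardened:", audit_location(HARDENED) or "no findings")
    for finding in audit_location(WEAK):
        print("weak:", finding)
```

Run it against the real file with `audit_location(open(path).read())` after the copy-and-edit step and again after enabling limited delegation; the second run is the one that usually catches a forgotten client_keytab: store. The check only covers what this page configures, so a clean result says the block matches the documented setup, not that the rest of the Apache instance is hardened.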
To set up integrated domain authentication:
Set up two repository connections in the Metabases.xml file:
The repository connection parameters for the administrator must have the Authentication attribute set to 1.
The repository connection parameters for domain users must have the Authentication attribute set to 2.
Example of the Metabases.xml file:
<PP>
    <Metabases>
        <REPOSITORY_ID Name="WAREHOUSE" Authentication="1" Driver="POSTGRES" Package="STANDARDSECURITYPACKAGE">
            <LogonData DATABASE="DATABASE_NAME" SERVER="SERVER_DATABASE" CASESENSITIVE="true"/>
        </REPOSITORY_ID>
        <REPOSITORY_ID_INT_DOMAIN Name="WAREHOUSE_INT_DOMAIN" Authentication="2" Driver="POSTGRES" Package="STANDARDSECURITYPACKAGE">
            <LogonData DATABASE="DATABASE_NAME" SERVER="SERVER_DATABASE" CASESENSITIVE="true"/>
        </REPOSITORY_ID_INT_DOMAIN>
    </Metabases>
</PP>
Specify the full domain DNS name of the server:
In the SERVER parameter in the /opt/foresight/fp10.x-biserver/etc/Metabases.xml file.
In the serviceUrl and baseUrl parameters in the /opt/foresight/fp10.x-webserver/r/config/config.json file.
In the PP_SOM variable in the /etc/opt/foresight/fp10.x-webserver/envvars file.
For Apache2 web server specify the ServerName parameter inside the <VirtualHost> tag in the file:
/etc/apache2-fp10.x-web/sites-available/webserver.conf in Debian-based distributions.
/etc/httpd-fp10.x-web/conf.d/00-virtualhost.conf in RedHat-based distributions.
/etc/httpd2-fp10.x-web/conf/sites-available/000-default.conf in ALT Linux.
Set the mapping between directory service attributes and security subject attributes in Foresight Analytics Platform, and specify the user credentials used to connect to the directory service, in the settings.xml file. If required, connect additional controllers for domains or subdomains.
Restart the BI server and the web application back end.
Add domain users and/or groups; they will be displayed in the security manager.
After executing these operations, integrated domain authorization is set up.
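Two things in the Metabases.xml step are easy to get wrong and only fail later, at Kerberos time: the SERVER value must be the full domain DNS name (a short host name or an IP literal will not match the service principal the ticket is issued for), and the pair of connections must be exactly one administrator entry (Authentication="1") and one domain-user entry (Authentication="2"), both on the POSTGRES driver since the combined mode works only with PostgreSQL. The following validator is an added example, not Foresight's code; it reads the file with the standard library XML parser and reports these problems. The host name bi-db.corp.example in the constructed samples is an assumption.

```python
# Added example (not part of the Foresight documentation): validate the two
# repository connections in Metabases.xml and their SERVER names against the
# rules given in the setup steps.  Host name bi-db.corp.example is an assumption.
import ipaddress
import xml.etree.ElementTree as ET


def is_fqdn(host):
    """True for a full domain DNS name; False for an empty value, localhost,
    a bare short name or an IP literal."""
    host = (host or "").strip().rstrip(".")
    if not host or host.lower() == "localhost" or "." not in host:
        return False
    try:
        ipaddress.ip_address(host)   # parses as an address: not a DNS name
        return False
    except ValueError:
        return True


def audit_metabases(xml_text):
    """Return a list of findings for the <Metabases> section; empty means OK."""
    root = ET.fromstring(xml_text)
    metabases = root.find("Metabases")
    if metabases is None:
        return ["no <Metabases> element"]
    findings, seen = [], {}
    for repo in metabases:
        seen.setdefault(repo.get("Authentication"), []).append(repo.tag)
        if repo.get("Driver") != "POSTGRES":
            findings.append(f"{repo.tag}: Driver={repo.get('Driver')!r}; domain authentication "
                            "with built-in authorization works only with PostgreSQL")
        logon = repo.find("LogonData")
        server = logon.get("SERVER") if logon is not None else None
        if not is_fqdn(server):
            findings.append(f"{repo.tag}: SERVER={server!r} is not a full domain DNS name")
    if "1" not in seen:
        findings.append('no administrator connection (Authentication="1")')
    if "2" not in seen:
        findings.append('no domain-user connection (Authentication="2")')
    return findings


# Constructed samples: a correct file, then one with an IP literal, a short
# host name and a non-PostgreSQL driver.
GOOD = """<PP>
  <Metabases>
    <REPOSITORY_ID Name="WAREHOUSE" Authentication="1" Driver="POSTGRES" Package="STANDARDSECURITYPACKAGE">
      <LogonData DATABASE="warehouse" SERVER="bi-db.corp.example" CASESENSITIVE="true"/>
    </REPOSITORY_ID>
    <REPOSITORY_ID_INT_DOMAIN Name="WAREHOUSE_INT_DOMAIN" Authentication="2" Driver="POSTGRES" Package="STANDARDSECURITYPACKAGE">
      <LogonData DATABASE="warehouse" SERVER="bi-db.corp.example" CASESENSITIVE="true"/>
    </REPOSITORY_ID_INT_DOMAIN>
  </Metabases>
</PP>"""

BAD = """<PP>
  <Metabases>
    <REPOSITORY_ID Name="WAREHOUSE" Authentication="1" Driver="POSTGRES" Package="STANDARDSECURITYPACKAGE">
      <LogonData DATABASE="warehouse" SERVER="10.0.0.5" CASESENSITIVE="true"/>
    </REPOSITORY_ID>
    <REPOSITORY_ID_INT_DOMAIN Name="WAREHOUSE_INT_DOMAIN" Authentication="2" Driver="ORACLE" Package="STANDARDSECURITYPACKAGE">
      <LogonData DATABASE="warehouse" SERVER="bi-db" CASESENSITIVE="true"/>
    </REPOSITORY_ID_INT_DOMAIN>
  </Metabases>
</PP>"""

if __name__ == "__main__":
    print("good:", audit_metabases(GOOD) or "no findings")
    for finding in audit_metabases(BAD):
        print("bad:", finding)
```

To check the deployed file, call `audit_metabases(open("/opt/foresight/fp10.x-biserver/etc/Metabases.xml").read())`; the same is_fqdn test applies to the serviceUrl/baseUrl host in config.json, the PP_SOM variable and the Apache ServerName, which all have to name the same host as the HTTP/ principal in the keytab.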
When built-in authorization is used, the DBMS connection is established using the credentials of a technological account. Make sure that a user whose credentials will be used as the technological account is created in the security manager.
To save the technological account credentials, use the PP.Util utility with the save_creds parameter and specify the DBOWNER keyword:
In Linux OS:
./PP.Util_start.sh /save_creds metabase_id login [password] DBOWNER
In Windows OS:
PP.Util.exe /save_creds metabase_id login [password] DBOWNER
After the command is executed:
In Linux OS, the credentials are saved to the Metabases.xml file, in the Credentials section corresponding to the repository identifier.
In Windows OS, the credentials are saved to the registry key [HKLM\SOFTWARE\Foresight\Foresight Analytics Platform\10.0\Metabases\<repository identifier>\Credentials\Item0] and to the Metabases.xml file, if it is used.
To apply settings from the Metabases.xml file in the web application, restart the BI server.
To use built-in authorization, in the security manager select the Use Built-in Authorization checkbox on the Access Control tab in the Policies Editor section.
To set up the browser, allow delegation of credentials to the server and to the permitted hosts or the local network, for example:
In Google Chrome, add the AuthNegotiateDelegateAllowlist string parameter in the registry key [HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Google\Chrome] and specify the list of servers to which the browser may delegate user credentials.
In Mozilla Firefox, set the value http://,https:// for the parameters network.negotiate-auth.delegation-uri and network.negotiate-auth.trusted-uris. Note that this value matches every host over those schemes; listing only the BI server's address restricts delegation to it. The parameters are listed at:
about:config
To log in to the system, click the Login button in the login dialog box.
After executing the operations, domain user authorization is performed by Foresight Analytics Platform. Communication with the DBMS and the repository connection use the saved technological account credentials.