The service user of the security subsystem ensures:
System login.
Correct operation of auditing and user locking.
Use of an application role when working with the DBMS.
Use of password hashing.
NOTE. Creating a service user is required for a repository created on one of the following DBMS: PostgreSQL, Oracle, or Microsoft SQL Server.
To create a service user of the security subsystem in Linux OS:
IMPORTANT. The database server supports only a single service user account. If the database server contains several repositories, create a service user with identical credentials for each repository.
After executing the operations, the service user of the security subsystem is created on the database server and saved on the computer with the installed BI server according to the selected method.
TIP. It is recommended to disable the mandatory periodic password change policy for the service user account in the DBMS.
To change the password of an existing service user of the security subsystem, use the script for your DBMS:
PostgreSQL:
ALTER ROLE "SERVICE_USER_NAME" WITH PASSWORD 'NEW_PASSWORD';
Oracle:
ALTER USER SERVICE_USER_NAME IDENTIFIED BY 'NEW_PASSWORD';
Microsoft SQL Server:
ALTER LOGIN SERVICE_USER_NAME WITH PASSWORD = 'NEW_PASSWORD';
Where:
SERVICE_USER_NAME. Service user name.
NEW_PASSWORD. New password of a service user.
To create service user credentials, start the PP.Util utility located in the BI server installation folder: /opt/foresight/fp10.x-biserver/bin.
NOTE. When service user credentials are created, the AnalyticsPlatform feature is requested. Study the methods for specifying the LSFORCEHOST or LSHOST system variable before executing PP.Util_start.sh.
To start the application, use the PP.Util_start.sh script with the following parameters:
sudo ./PP.Util_start.sh /create_audit_user metabase_id login password audit_login audit_password db_login db_password
Where:
metabase_id. Repository identifier. Mandatory parameter.
NOTE. The repository with the specified identifier should be in the repositories list. If a custom schema is specified in repository connection settings, service user credentials will be created for it.
login. Owner name for the ADMIN schema for repository connection. Mandatory parameter.
password. Owner password for the ADMIN schema for repository connection. Mandatory parameter.
audit_login. Name of created service user. Mandatory parameter.
NOTE. The P4AUDIT service user name is reserved by the system and cannot be used.
audit_password. Password of created service user. Mandatory parameter.
db_login. Name of the database user who has privileges to create DBMS users. Optional parameter. If the user name is not specified, it will be requested in interactive mode.
db_password. Password of the database user who has privileges to create DBMS users. Optional parameter. If the password is not specified, it will be requested in interactive mode.
After executing the operations, service user credentials are created on the database server.
To save the created service user credentials on the computer with the installed BI server, start the PP.Util utility located in the BI server installation folder: /opt/foresight/fp10.x-biserver/bin. To start the application, use the PP.Util_start.sh script with the following parameters:
sudo ./PP.Util_start.sh /save_audit_creds /ALG enc_alg realm|/DC login password
Where:
enc_alg. Encryption algorithm, which is used to encrypt user credentials:
gos. Default value. Encryption with the GOST 28147-89 algorithm is used.
pro. Encryption with Data Protection API (DPAPI) in Windows is used. This encryption type is unavailable in Linux OS.
sim. Credentials are saved unencrypted.
IMPORTANT. To ensure security during production operation of Foresight Analytics Platform, use the gos or pro value.
The enc_alg parameter is optional. If it is not set, the default value is used.
scope. Method for saving credentials:
hkcu. Only for me. Credentials are stored in the registry key of the current user, [HKEY_CURRENT_USER\SOFTWARE\Foresight\Foresight Analytics Platform\10.0\Audit\Credentials\Item0], and are available only to the current computer user.
hklm. Anyone who uses this computer. Credentials are stored in the local computer registry, [HKEY_LOCAL_MACHINE\SOFTWARE\Foresight\Foresight Analytics Platform\10.0\Audit\Credentials\Item0], and are available to anyone who uses this computer.
file. Default value. To the settings.xml file.
In Windows OS, credentials will be stored in the settings.xml file located at %PROGRAMDATA%\Foresight\Foresight Analytics Platform.
NOTE. The ProgramData folder is hidden in the operating system by default.
If the file already exists in the specified folder, it is overwritten. If there is no such file, it is created.
The scope parameter is optional and is used only in Windows OS. If it is not set, the default value is used.
In Linux OS, credentials can be stored only in the settings.xml file located at: /opt/foresight/fp10.x-biserver/etc.
realm|/DC. Credentials scope of the service user. Select one of the methods:
realm. If the repositories list contains more than one repository and service user credentials should differ for each of them, set an identifier of the form SERVER_DATABASE|TYPE for the database server specified in the connection settings of the specific repository, where:
SERVER_DATABASE. IP address or alias of the registered database server.
NOTE. When setting up the repository connection on each client computer or on the computer with the installed BI server, the IP address or server alias must match the server specified in the SERVER_DATABASE parameter.
TYPE. Type of driver in use. Available values: POSTGRES, MSSQL, ORCL.
For example: "127.0.0.1|POSTGRES".
NOTE. To avoid syntax errors, enclose the value in quotation marks.
/DC. If the repositories list contains one or more repositories and service user credentials should be the same for all of them, use this parameter without specifying additional settings.
Mandatory parameter.
login. Name of existing service user. Mandatory parameter, it is case sensitive.
password. Password of existing service user. Optional parameter, it is case sensitive. If the password is not specified, it will be requested in interactive mode.
IMPORTANT. A service user can be locked on an attempt to log in to the repository if the credentials saved using the PP.Util utility do not match the credentials specified when the user was created. To unlock the service user, contact the DBMS administrator.
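As an added example (not part of the Foresight documentation or of PP.Util itself), the two steps above wrapped in a POSIX shell script that checks the reserved service user name and the SERVER_DATABASE|TYPE realm identifier before calling PP.Util_start.sh; the default install path, the PPUTIL_DIR override, and the choice of the realm method with gos encryption are assumptions made here.

```shell
#!/bin/sh
# Added helper script, not part of Foresight Analytics Platform or PP.Util. It wraps the
# two PP.Util calls described on this page. PPUTIL_DIR is a hypothetical override of
# the documented install path.
PPUTIL_DIR="${PPUTIL_DIR:-/opt/foresight/fp10.x-biserver/bin}"

# The page reserves the P4AUDIT name; this check also rejects it in any letter case
# (a conservative choice made here) and rejects an empty name.
check_audit_login() {
  case "$(printf '%s' "$1" | tr '[:lower:]' '[:upper:]')" in
    ''|P4AUDIT) return 1 ;;
    *) return 0 ;;
  esac
}

# Build the SERVER_DATABASE|TYPE realm identifier; TYPE must be POSTGRES, MSSQL or ORCL.
build_realm() {
  [ -n "$1" ] || return 1
  case "$2" in
    POSTGRES|MSSQL|ORCL) printf '%s|%s\n' "$1" "$2" ;;
    *) return 1 ;;
  esac
}

# Step 1: create the service user on the database server. The mandatory arguments are
# passed as documented; db_login and db_password are left out so PP.Util asks for them
# interactively instead of exposing them in shell history and the process list.
create_audit_user() {
  metabase_id="$1"; login="$2"; password="$3"; audit_login="$4"; audit_password="$5"
  check_audit_login "$audit_login" || { echo "invalid or reserved audit_login" >&2; return 1; }
  sudo "$PPUTIL_DIR/PP.Util_start.sh" /create_audit_user \
    "$metabase_id" "$login" "$password" "$audit_login" "$audit_password"
}

# Step 2: save the credentials for one repository's database server, encrypted with the
# gos algorithm. The realm is passed as a quoted variable so the shell does not treat
# '|' as a pipe; the password is omitted so PP.Util prompts for it.
save_audit_creds() {
  realm="$(build_realm "$1" "$2")" || { echo "bad realm: $1|$2" >&2; return 1; }
  sudo "$PPUTIL_DIR/PP.Util_start.sh" /save_audit_creds /ALG gos "$realm" "$3"
}

# Usage: ./audit_user.sh metabase_id admin_login admin_password audit_login audit_password server TYPE
if [ "$#" -eq 7 ]; then
  create_audit_user "$1" "$2" "$3" "$4" "$5" && save_audit_creds "$6" "$7" "$4"
fi
```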
See also:
Creating and Managing Metadata Repositories | Linux Repository Manager