Setting Up Authentication on State Server

To improve security during the use of state server based on Redis or Memcached, set up user authentication:

1. Set up configuration file on state server.

2. Encrypt users credentials in Foresight Analytics Platform.

NOTE. Setting up authentication on state server is available for Redis 6.0.0 or later and for Memcached 1.5.15 or later.

Setting Up Configuration File on State Server

To authenticate users on state server, edit the configuration file:

• redis.conf. When a state server based on Redis is used.

• memcached.conf. When a state server based on Memcached is used.

Redis

In the redis.conf file add credentials for the administrator and the user who logs in to the system:

user default on <encrypted administrator password> ~* &* +@all
user <user name> on <encrypted user password> ~FP_* resetchannels -@all +setex +info +del +incr +get +set +expire

TIP. It is recommended to use the "default" administrator name.

For details see the Redis documentation:

• Password encryption.

• Saving user credentials.

Memcached

In the memcached.conf file set the -Y parameter that is the path to the memcached.pwd file, which contains user credentials in the format: <user name>:<password>.

NOTE. After credentials are entered, in the memcached.pwd file press the ENTER key to go to the next line.

The example of the memcached.pwd file:

user_name:password

The example of the memcached.conf file in Linux OS:

-Y /etc/memcached.pwd

NOTE. To specify user credentials, one can use only the -Y parameter; authentication via SASL is not supported.

User Credentials Encryption in Foresight Analytics Platform

To provide interaction between BI servers cluster and state server, encrypt user credentials in Foresight Analytics Platform:

1. Start the PP.Util utility located in the folder with installed Foresight Analytics Platform with the following parameter:

PP.Util /encrypt_creds <user name> <password>

Use PP.Util_start.sh to execute the command in Linux OS, and PP.Util.exe to execute the command in Windows OS instead of PP.Util.

2. Copy the obtained encrypted user credentials and insert them as values of the Crs and Crsa parameters of the Credentials subsection in the settings.xml file or in the registry.

The example of the settings.xml file:

<Configuration>
 <Root>
   <Key Name="PP">
     <BIS>
       <Key Name="System">
         <Session KeyIncr="0" Statable="Yes" />
         <StateServer Host="state-server.sample.com" Port="6379" Type="Redis">
           <Credentials Crsa="ALIHJDOCHDGAGOAEJJBPAPDGBHBLDEHKDIFLAGEMDHOEMMKC://gos" Crs="U2FsdGVkX1+JUMi2hGBLY1oDJkJ9tJza8v0ZXXVOyQRxG+CezITE/4tNHMHB9qBPfNSk+5Ke0aHlOdnW5X0lGLzzG/ISf06FpkqRjYInxCvzBS6r9UpamDQYMZz0p+RuQnhf/76QwX7w1bAapLkbEhhzlhipksXtOjjaFZNP4ZoVlPd+iZLmivtjqzEHSgM/pf3K3aec+LF8Xk1KB9R9dX4OynBf7i0eLTBN4rg76m7JuVZn9UYW5ReBWjcfngPU3kdQH/+UjnQpAhEYOj6WGRSiRl13K28uQ/9Vhjy+zFQRylErDr1rPGsttST4rQsBsyQlZTV/elN61IqAMLRslh0qOB38J04YvgfkJKUuc3rveIOpIWVTc5fwendODnTyQ+v9wKBwW7GHwjxqkrsX4CGsDLeGRYbggrg0u9hkayky9T8cGE0sorXKNU7pMo45qhKyvQM1ymfYI4aSH3qdCarauI+i5+aw1UifsgON9wQyhpp4BCBCK"/>
         </StateServer>
       </Key>
     </BIS>
   </Key>
 </Root>
</Configuration>

3. Restart state server and BI servers cluster.

After executing the operations, user credentials for connection to state server are encrypted.