{"id":1229,"date":"2008-09-23T03:45:49","date_gmt":"2008-09-23T08:45:49","guid":{"rendered":"http:\/\/www.mrc-productivity.com\/docs\/?page_id=1229"},"modified":"2023-08-11T15:05:06","modified_gmt":"2023-08-11T20:05:06","slug":"implementing-security","status":"publish","type":"ht_kb","link":"https:\/\/www.mrc-productivity.com\/docs\/knowledge-base\/implementing-security","title":{"rendered":"Implementing Security"},"content":{"rendered":"\n<p class=\"wp-block-ht-blocks-messages wp-block-hb-message wp-block-hb-message--withicon is-style-info\"><em>Click <a rel=\"noreferrer noopener\" href=\"https:\/\/www.mrc-productivity.com\/legacy\/security\/implementing-security\" target=\"_blank\">here<\/a> to access the legacy version of this documentation.<\/em><\/p>\n\n\n\n<h3 class=\"wp-block-heading\" id=\"overview\">Overview<\/h3>\n\n\n\n<p>For some users, the need to implement sign-on security in front of their applications is relatively low. However, at some point in time, you may need to activate m-Power&#8217;s built in security, formally referred to as Dictionary Security. Enabling Dictionary Security allows you to do the following:<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Validate end-users against their database user profile, a database table, Active Directory, or Single Sign On (SSO).<\/li>\n\n\n\n<li>Implement a menuing system that shows end-users only applications they have access to.<\/li>\n\n\n\n<li>Utilize m-Power&#8217;s <a href=\"\/docs\/knowledge-base\/row-level-security\" data-type=\"URL\">Row Level Security<\/a> (Limiting which rows of data a user can see at runtime)<\/li>\n\n\n\n<li>Capture the username for auditing purposes, conditional visibility, and more.<\/li>\n\n\n\n<li>Create a fully customizable sign on page.<\/li>\n<\/ul>\n\n\n\n<p>Each time an application is run, m-Power will check to see if security exists. If it does, the user will be brought to a sign-on page. 
If no security exists, the user will be taken directly to their application.<\/p>\n\n\n\n<h3 class=\"wp-block-heading\" id=\"Implement\">Enabling Security for a Data Dictionary<\/h3>\n\n\n\n<p>To implement your security, you will need to first click &#8220;Admin&#8221; in the header bar. Under &#8220;Menu and Security,&#8221; click &#8220;Toggle Security.&#8221;<\/p>\n\n\n\n<figure class=\"wp-block-image size-large\"><img decoding=\"async\" src=\"https:\/\/mrc-productivity.com\/docs\/vue-images\/security.jpg\" alt=\"\"\/><figcaption class=\"wp-element-caption\">Figure 1: Dictionary Security &#8211; Enabled vs Disabled<\/figcaption><\/figure>\n\n\n\n<p>That\u2019s it! Once the security is enabled (as shown in the left image above), all users will now have to sign-on when they wish to access applications within this Data Dictionary.<\/p>\n\n\n\n<p class=\"wp-block-ht-blocks-messages wp-block-hb-message wp-block-hb-message--withicon is-style-alert\"><strong>Note<\/strong>: When attempting to enable Dictionary Security for the first time, the Apache Tomcat Manager will prompt you with a security message, as shown in Figure 2. This will require valid credentials. For more information on these credentials, see <a href=\"https:\/\/www.mrc-productivity.com\/docs\/knowledge-base\/modifying-default-tomcat-user\">here<\/a>.<\/p>\n\n\n\n<figure class=\"wp-block-image size-large\"><img decoding=\"async\" src=\"\/docs\/vue-images\/security2.jpg\" alt=\"\"\/><figcaption class=\"wp-element-caption\">Figure 2: The security message prompted by Apache Tomcat<\/figcaption><\/figure>\n\n\n\n<h3 class=\"wp-block-heading\" id=\"Config\">Configuring your Security Options<\/h3>\n\n\n\n<p>Once Dictionary Security is enabled, there are various settings to configure. To begin, click <strong>Admin<\/strong> -&gt; <strong>MENU &amp; SECURITY <\/strong>-&gt; <strong>Edit Security Settings<\/strong>. 
A popup window will open like in the screenshot below:<\/p>\n\n\n\n<figure class=\"wp-block-image\"><img decoding=\"async\" src=\"\/docs\/vue-images\/security3.jpg\" alt=\"\"\/><figcaption class=\"wp-element-caption\">Figure 3. The Edit Security Settings window<\/figcaption><\/figure>\n\n\n\n<p>There are two tabs on the lefthand side of this window, Signon Properties and Opt Out Applications. <\/p>\n\n\n\n<p>The <strong>Validation Type <\/strong>property, the very first property inside the Signon Properties tab, must be configured as this will tell m-Power which security authentication method will be used within this Data Dictionary. The necessary configuration required for each of these different validation types will be explained in the next section. <\/p>\n\n\n\n<figure class=\"wp-block-image size-large\"><img decoding=\"async\" src=\"\/docs\/vue-images\/security4.jpg\" alt=\"\"\/><figcaption class=\"wp-element-caption\">Figure 4. The Validation Type property, shown with the available validation options.<\/figcaption><\/figure>\n\n\n\n<h4 class=\"wp-block-heading\" id=\"validate-by-system-profile-on-remote-server\"> Validate by system profile on remote server<\/h4>\n\n\n\n<p> <span style=\"font-size: revert; color: initial;\">This option is for securing against iSeries user profiles. <\/span> Configuration is as follows:<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li><strong>Validation Type:<\/strong> Validate by system profile on remote server\n<ul class=\"wp-block-list\">\n<li><strong>Data Source<\/strong>: This option is useful if you need to point your security credentials at a secondary database that is configured in the mrc Spring Context file.<\/li>\n\n\n\n<li><strong>Validate by Table<\/strong>: This option is not used.<\/li>\n\n\n\n<li><strong>Max Signon Attempts<\/strong>: Controls the number of times a user can guess wrong. 
Once this number has been reached, they will be redirected to the URL listed in the &#8220;Signon Fail Redirect&#8221; parameter.<\/li>\n\n\n\n<li><strong>Signon Screen<\/strong>: If you wish to use your own customized signon screen, rather than the one provided to you with m-Power, please change this parameter.<\/li>\n\n\n\n<li><strong>After Signoff\/Signon Redirect<\/strong>: Once your user clicks the signoff button or signs on (from the DICTIONARY.Login) page, they will be automatically redirected to the URLs listed here.<\/li>\n\n\n\n<li><strong>Signon Fail Redirect<\/strong>: Once your user has exceeded the tries to sign in as defined in the Max Signon Attempts value, they will be redirected to the URL listed here. <\/li>\n<\/ul>\n<\/li>\n<\/ul>\n\n\n\n<h4 class=\"wp-block-heading\" id=\"validate-by-database-user\">Validate by database user<\/h4>\n\n\n\n<p>This option is for non-iSeries databases to secure against users set up on the database. Configuration is as follows:<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li><strong>Validation Type<\/strong>: Validate by database user<ul><li><strong>Data Source<\/strong>: This option is useful if you need to point your security credentials at a secondary database that is configured in the mrc Spring Context file.<\/li><\/ul>\n<ul class=\"wp-block-list\">\n<li><strong>Validate by Table<\/strong>: This option is not used.<\/li>\n\n\n\n<li><strong>Max Signon Attempts<\/strong>: Controls the number of times a user can guess wrong. 
Once this number has been reached, they will be redirected to the URL listed in the &#8220;Signon Fail Redirect&#8221; parameter.<\/li>\n\n\n\n<li><strong>Signon Screen<\/strong>: If you wish to use your own customized signon screen, rather than the one provided to you with m-Power, please change this parameter.<\/li>\n\n\n\n<li><strong>After Signoff\/Signon Redirect<\/strong>: Once your user clicks the signoff button or signs on (from the DICTIONARY.Login page), they will be automatically redirected to the URLs listed here.<\/li>\n\n\n\n<li><strong>Signon Fail Redirect<\/strong>: Once your user has exceeded the number of sign-in attempts defined in the Max Signon Attempts value, they will be redirected to the URL listed here. <\/li>\n<\/ul>\n<\/li>\n<\/ul>\n\n\n\n<h4 class=\"wp-block-heading\" id=\"validate-by-database-table\">Validate by database table<\/h4>\n\n\n\n<p>This option allows you to validate end-user sign-on against a database table. Configuration is as follows:<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li><strong>Validation Type: <\/strong>Validate by database table\n<ul class=\"wp-block-list\">\n<li><strong>Data Source:<\/strong> This option is required. Select the data source where your security table lives.<\/li>\n\n\n\n<li><strong>Validate by Table:<\/strong> This option allows you to specify the schema &amp; table to validate against, the column names for the user and password, and also what encryption your password field uses.\n<ul class=\"wp-block-list\">\n<li><strong>Note<\/strong>: To allow m-Power to use an encrypted password field, add encryption_type=&quot;XXX&quot; to your validateby_table tag in text mode, where XXX is the type of encryption used. 
Valid encryption types are:\n<ul class=\"wp-block-list\">\n<li>MD2<\/li>\n\n\n\n<li>MD5<\/li>\n\n\n\n<li>SHA-1<\/li>\n\n\n\n<li>SHA-256<\/li>\n\n\n\n<li>SHA-384<\/li>\n<\/ul>\n<\/li>\n\n\n\n<li>To use m-Power to encrypt your database values, see&nbsp;<a href=\"https:\/\/www.mrc-productivity.com\/techblog\/?p=9441\" target=\"_blank\" rel=\"noreferrer noopener\">this here<\/a>.<\/li>\n<\/ul>\n<\/li>\n\n\n\n<li><strong>Max Signon Attempts<\/strong>: Controls the number of times a user can guess wrong. Once this number has been reached, they will be redirected to the URL listed in the &#8220;Signon Fail Redirect&#8221; parameter.<\/li>\n\n\n\n<li><strong>Signon Screen<\/strong>: If you wish to use your own customized signon screen, rather than the one provided to you with m-Power, please change this parameter.<\/li>\n\n\n\n<li><strong>After Signoff\/Signon Redirect<\/strong>: Once your user clicks the signoff button or signs on (from the DICTIONARY.Login) page, they will be automatically redirected to the URLs listed here.<\/li>\n\n\n\n<li><strong>Signon Fail Redirect<\/strong>: Once your user has exceeded the tries to sign in as defined in the Max Signon Attempts value, they will be redirected to the URL listed here. <\/li>\n<\/ul>\n<\/li>\n<\/ul>\n\n\n\n<h4 class=\"wp-block-heading\" id=\"validate-by-active-directory\">Validate by Active Directory<\/h4>\n\n\n\n<p>This option is for securing your applications against an Active Directory account. Configuration is as follows:<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li><strong>Validation Type<\/strong>: Validate by Active Directory <\/li>\n\n\n\n<li> <strong>Data Source<\/strong>: This option is not used.<\/li>\n\n\n\n<li><strong>Validate by Table<\/strong>: This option is not used.<\/li>\n\n\n\n<li><strong>Max Signon Attempts<\/strong>: Controls the number of times a user can guess wrong. 
Once this number has been reached, they will be redirected to the URL listed in the &#8220;Signon Fail Redirect&#8221; parameter.<\/li>\n\n\n\n<li><strong>Signon Screen<\/strong>: If you wish to use your own customized signon screen, rather than the one provided to you with m-Power, please change this parameter.<\/li>\n\n\n\n<li><strong>After Signoff\/Signon Redirect<\/strong>: Once your user clicks the signoff button or signs on (from the DICTIONARY.Login page), they will be automatically redirected to the URLs listed here.<\/li>\n\n\n\n<li><strong>Signon Fail Redirect<\/strong>: Once your user has exceeded the number of sign-in attempts defined in the Max Signon Attempts value, they will be redirected to the URL listed here. <\/li>\n\n\n\n<li><strong>Active Directory URL<\/strong>: Required. Enter the URL of your Active Directory server, formatted like the following example: <\/li>\n<\/ul>\n\n\n<div class=\"wp-block-image\">\n<figure class=\"aligncenter size-full\"><img decoding=\"async\" src=\"\/docs\/vue-images\/security6.jpg\" alt=\"LDAP Configuration\" class=\"wp-image-11790\"\/><\/figure>\n<\/div>\n\n\n<div class=\"wp-block-group\"><div class=\"wp-block-group__inner-container is-layout-flow wp-block-group-is-layout-flow\">\n<div class=\"wp-block-columns is-layout-flex wp-container-core-columns-is-layout-9d6595d7 wp-block-columns-is-layout-flex\">\n<div class=\"wp-block-column is-layout-flow wp-block-column-is-layout-flow\" style=\"flex-basis:100%\">\n<ul class=\"wp-block-list\">\n<li><code><strong>ldap:\/\/XX.XX.XXX.XXX:389;domain=mrc.test;search_base=DC=mrc,DC=test<\/strong><\/code>\n<ol class=\"wp-block-list\">\n<li>Replace <code>XX.XX.XXX.XXX<\/code> with your Active Directory server address.<\/li>\n\n\n\n<li>Replace <code>mrc.test<\/code> with your Active Directory domain.<\/li>\n\n\n\n<li>Add the necessary domain component values (DC=) to the <code>search_base<\/code> parameter. 
You may add as many domain component values as necessary for your system (separated by commas).<\/li>\n\n\n\n<li>Save your changes when done and restart Tomcat.<\/li>\n<\/ol>\n<\/li>\n<\/ul>\n<\/div>\n<\/div>\n<\/div><\/div>\n\n\n\n<h4 class=\"wp-block-heading\" id=\"validate-by-single-sign-on\">Validate by Single Sign On<\/h4>\n\n\n\n<p>This option is for utilizing an existing non-m-Power sign-on with your applications. Configuration is as follows:<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li><strong>Validation Type<\/strong>: Validate by Single Sign On\n<ul class=\"wp-block-list\">\n<li><strong>Data Source<\/strong>: This option is not used.<\/li>\n\n\n\n<li><strong>Validate by Table<\/strong>: This option is not used.<\/li>\n\n\n\n<li><strong>Max Signon Attempts<\/strong>: Controls the number of times a user can guess wrong. Once this number has been reached, they will be redirected to the URL listed in the &#8220;Signon Fail Redirect&#8221; parameter.<\/li>\n\n\n\n<li><strong>Signon Screen<\/strong>: If you wish to use your own customized signon screen, rather than the one provided to you with m-Power, please change this parameter.<\/li>\n\n\n\n<li><strong>After Signoff\/Signon Redirect<\/strong>: Once your user clicks the signoff button or signs on (from the DICTIONARY.Login page), they will be automatically redirected to the URLs listed here.<\/li>\n\n\n\n<li><strong>Signon Fail Redirect<\/strong>: Once your user has exceeded the number of sign-in attempts defined in the Max Signon Attempts value, they will be redirected to the URL listed here. <\/li>\n<\/ul>\n<\/li>\n<\/ul>\n\n\n\n<p class=\"wp-block-ht-blocks-messages wp-block-hb-message wp-block-hb-message--withicon is-style-info\"><strong>Note<\/strong>: In order to configure Single Sign On, there are a few additional steps that are required. 
Please visit <a href=\"\/docs\/knowledge-base\/adding-sso-via-saml-to-m-power-applications\" data-type=\"URL\" data-id=\"\/docs\/knowledge-base\/adding-sso-via-saml-to-m-power-applications\" target=\"_blank\" rel=\"noreferrer noopener\">this<\/a> page to see those additional steps.<\/p>\n\n\n\n<h4 class=\"wp-block-heading\" id=\"opt-out-applications\">Opt Out Applications<\/h4>\n\n\n\n<p>Click this tab if you wish to designate any applications within this data dictionary that should not be secured. If an application is listed here, users will not be required to sign on when accessing these pages.<\/p>\n\n\n\n<h3 class=\"wp-block-heading\" id=\"Signon\">mrc Sign-on Screen<\/h3>\n\n\n\n<p>The sign-on screen that is presented to the user is fully editable. To edit this page, click <strong>Admin<\/strong> -&gt; <strong>MENU &amp; SECURITY<\/strong> -&gt; <strong>Edit sign on screen HTML<\/strong>. A split window pane allows you to customize your sign-on screen via a text editor on the left, and preview the live output on the right.<\/p>\n\n\n\n<figure class=\"wp-block-image size-large\"><img decoding=\"async\" src=\"https:\/\/mrc-productivity.com\/docs\/vue-images\/security5.jpg\" alt=\"\"\/><figcaption class=\"wp-element-caption\">Figure 5: Editing the sign on screen page (mrcSignon2.html)<\/figcaption><\/figure>\n\n\n\n<p>To preview your changes before saving, press <strong>Preview<\/strong>. When you have finished your changes, make sure to click the <strong>Save<\/strong> button.<\/p>\n\n\n\n<p class=\"wp-block-ht-blocks-messages wp-block-hb-message wp-block-hb-message--withicon is-style-info\"><strong>Note:<\/strong> You will notice that rather than calling the standard header and stylesheet, the Sign-on Screen uses embedded headers, footers, and styles. 
This allows you to modify your Sign-on screen to look and feel much different than your regular applications.<\/p>\n\n\n\n<p class=\"wp-block-ht-blocks-messages wp-block-hb-message wp-block-hb-message--withicon is-style-info\"><strong>Note:<\/strong> Changes will not take effect until the next time Tomcat is restarted.<\/p>\n\n\n\n<h3 class=\"wp-block-heading\" id=\"Other\">Other Important Things to Remember<\/h3>\n\n\n\n<p>Once a user logs in, they will not have to sign in again until:<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li>They close their browser<\/li>\n\n\n\n<li>Tomcat is restarted<\/li>\n\n\n\n<li>They have exceeded their timeout value<\/li>\n\n\n\n<li>Tomcat is loaded (often because a developer compiles or saves changes in m-Painter)<\/li>\n<\/ul>\n\n\n\n<p>Particularly because of the last point listed above, mrc <strong><em>strongly<\/em><\/strong> recommends moving development and production into two separate environments. Not only will this provide a much more stable environment for your end users, it will give your developers peace of mind knowing that they are not changing applications that are currently in use. More information regarding this topic can be found <a href=\"https:\/\/www.mrc-productivity.com\/techblog\/?p=1037\">here<\/a>.<\/p>\n\n\n\n<p>Also, any changes made to mrcSignon2.xml or mrcSignon2.html after they have been loaded into Tomcat&#8217;s memory will require Tomcat to be restarted before those changes will go into effect.<\/p>\n","protected":false},"excerpt":{"rendered":"<p>Overview For some users, the need to implement sign-on security in front of their applications is relatively low. However, at some point in time, you may need to activate m-Power&#8217;s built in security, formally referred to as Dictionary Security. 
Enabling Dictionary Security allows you to do the following: Each time&#8230;<\/p>\n","protected":false},"author":1,"comment_status":"closed","ping_status":"closed","template":"","format":"standard","meta":{"footnotes":""},"ht-kb-category":[257],"ht-kb-tag":[],"class_list":["post-1229","ht_kb","type-ht_kb","status-publish","format-standard","hentry","ht_kb_category-security"],"_links":{"self":[{"href":"https:\/\/www.mrc-productivity.com\/docs\/wp-json\/wp\/v2\/ht-kb\/1229","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/www.mrc-productivity.com\/docs\/wp-json\/wp\/v2\/ht-kb"}],"about":[{"href":"https:\/\/www.mrc-productivity.com\/docs\/wp-json\/wp\/v2\/types\/ht_kb"}],"author":[{"embeddable":true,"href":"https:\/\/www.mrc-productivity.com\/docs\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/www.mrc-productivity.com\/docs\/wp-json\/wp\/v2\/comments?post=1229"}],"version-history":[{"count":91,"href":"https:\/\/www.mrc-productivity.com\/docs\/wp-json\/wp\/v2\/ht-kb\/1229\/revisions"}],"predecessor-version":[{"id":13161,"href":"https:\/\/www.mrc-productivity.com\/docs\/wp-json\/wp\/v2\/ht-kb\/1229\/revisions\/13161"}],"wp:attachment":[{"href":"https:\/\/www.mrc-productivity.com\/docs\/wp-json\/wp\/v2\/media?parent=1229"}],"wp:term":[{"taxonomy":"ht_kb_category","embeddable":true,"href":"https:\/\/www.mrc-productivity.com\/docs\/wp-json\/wp\/v2\/ht-kb-category?post=1229"},{"taxonomy":"ht_kb_tag","embeddable":true,"href":"https:\/\/www.mrc-productivity.com\/docs\/wp-json\/wp\/v2\/ht-kb-tag?post=1229"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}