By default, Host Integrator security is disabled. When security is enabled, an administrative login is required for Host Integrator administrative tools. You can also configure security on servers or domains, which forces an encrypted channel with clients (connectors) and requires userID and password parameters in connection method calls.
Host Integrator security includes authentication, access control, and encryption.
VHI_FIPS = 1. After this variable is set, all SSL Telnet connections will use the FIPS 140-2 Crypto Libraries.
Authentication Authorization and Directory Services (AADS) provides access control and authentication. When you install Host Integrator, authentication is disabled, so you do not need a password to access the Administrative WebStation or any Host Integrator servers or domains.
Using the Administrative WebStation:
The first time system administrators run the Administrative WebStation, they should add themselves to the Host Integrator Administrator profile, enable security, and then save their configuration. Doing this enables access control for the currently selected directory server and the servers and domains associated with it.
See Configuring Host Integrator Security for instructions on how to set up security between the Host Integrator server and other Host Integrator components.
The Host Integrator provides three different security profiles:

| Profile | Access |
|---|---|
| User | Users can load Host Integrator models, create and attach to sessions, and interact with the host system. Client application user IDs are typically assigned this profile. Members of the User profile cannot log on to the Administrative WebStation to view or configure Host Integrator servers and domains, and cannot deploy models. |
| Developer | Developers can do everything users can do, as well as log on to the Administrative WebStation in view mode. In view mode you can see server configurations and status information, but you cannot make configuration changes. Developers of client applications are typically assigned to this profile. |
| Administrator | Administrators (those logging on with an Administrator profile) can create and attach to sessions, interact with the host system, and access the Administrative WebStation in configure mode. In configure mode you can view and configure servers, domains, and security. |

The type of access allowed on the server is determined by the security profile the user ID belongs to. This access control is separate from and in addition to the access control provided by the host. There are scenarios in which host user IDs and passwords are sufficient for controlling access; in these cases you may decide not to enable authentication on your servers and domains.
When security is enabled on the Administrative WebStation, access to servers and domains to view or modify configurations is controlled. This setting also limits access to the Session Monitor and Log Viewer. Security on the Administrative WebStation does not, however, control access to domains and servers by data objects and client programs. This access control is established when security is enabled on individual domains and servers. When security is enabled on a domain, security is enabled on all servers in that domain. You can also configure security on individual servers that do not belong to a domain.
When security is disabled on the Administrative WebStation, security on all Host Integrator servers and domains associated with the currently selected directory server is also disabled. If you then re-enable security, security is not re-enabled on your domains and servers.
Enabling security on a Host Integrator Server or domain also secures the channel between the server or domain and the clients that connect to it. When security is enabled, a server or domain forces encryption over SSL with every client that connects to it.
Federal Information Processing Standards (FIPS) are guidelines established by the United States government to standardize computer systems. To use FIPS 140-2 validated TLS version 1 encryption for SSL support in a Windows environment, you must first define an environment variable, VHI_FIPS = 1. After this variable is set, all SSL support will use the FIPS 140-2 Crypto Libraries.
When security is disabled on a server or domain, the channel between it and its clients is encrypted only if the clients use the RequireSecureConnection API call. RequireSecureConnection is a state flag. Once it is set, all communication between the client and server is encrypted, regardless of the authentication setting on the server. This scenario is appropriate for environments in which it is not necessary to have access control to the Host Integrator server, but you still want to encrypt information such as host user IDs and passwords. For more information about working with Host Integrator APIs, see Connectors and APIs available from the online help or Start menu.
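The following is an added example, not Host Integrator code or part of the product documentation: a small Python model of the rules described above (security cascades down when it is disabled on the Administrative WebStation but does not cascade back on re-enable, and a channel is encrypted only if server security is on or the client sets RequireSecureConnection). The class names, server names, and finding labels are constructed for illustration.

```python
from dataclasses import dataclass, field

@dataclass
class Server:
    name: str
    domain: str = ""        # "" = server that does not belong to a domain
    security: bool = False  # security enabled on this server

@dataclass
class DirectoryServer:
    """Constructed model: one directory server and what is associated with it."""
    servers: list = field(default_factory=list)
    webstation_security: bool = False

    def enable_domain(self, domain):
        # Enabling security on a domain enables it on all servers in the domain.
        for s in self.servers:
            if s.domain == domain:
                s.security = True

    def set_webstation_security(self, enabled):
        self.webstation_security = enabled
        if not enabled:
            # Disabling here also disables security on every associated server.
            for s in self.servers:
                s.security = False
        # Re-enabling does NOT cascade back to domains and servers.

def channel_encrypted(server, require_secure_connection):
    # Security on forces SSL; otherwise only the client flag encrypts.
    return server.security or require_secure_connection

def audit(directory, clients):
    """clients: (client, server_name, uses RequireSecureConnection) tuples."""
    by_name = {s.name: s for s in directory.servers}
    findings = []
    if directory.webstation_security:
        findings += [("no-client-access-control", s.name)
                     for s in directory.servers if not s.security]
    findings += [("unencrypted-channel", f"{c}->{n}")
                 for c, n, rsc in clients
                 if not channel_encrypted(by_name[n], rsc)]
    return findings

def demo():
    d = DirectoryServer([Server("vhi-a", "dom1"), Server("vhi-b")])
    d.set_webstation_security(True)
    d.enable_domain("dom1")
    d.servers[1].security = True
    d.set_webstation_security(False)   # cascades down to both servers
    d.set_webstation_security(True)    # does not cascade back
    return audit(d, [("app1", "vhi-a", False), ("app2", "vhi-b", True)])
```

After the disable and re-enable cycle, both servers are reported as lacking client access control, and only the client that does not set RequireSecureConnection is reported as using an unencrypted channel.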
The Administrative WebStation can be accessed from any browser that has network access to it. To secure the connection between the Administrative WebStation and a browser running on another machine, you should enable HTTPS on your Web server. See the documentation for your Web server for instructions on enabling SSL.