Enabling Java Naming and Directory Interface (JNDI) Security

Enabling JNDI security, also called restricted access, provides access control for data sources. With JNDI restricted access, read-only access is provided to data sources.

This chapter includes the following sections:

Additional Buildomatic Configuration for JNDI Security Installation Upgrade
Create Read-only Users
WebSphere Installation for Enabling JNDI Security
WebLogic Installation for JNDI Security
Enabling JNDI Security post Installing JasperReports Server

Additional Buildomatic Configuration for JNDI Security Installation Upgrade

The default_master.properties file handles the configuration for the JNDI security installation upgrade.

To configure the default_master.properties file for the JNDI security installation upgrade:

Edit the default_master.properties file to configure settings specific to your database and application server.

Look for the line Disable Edit/Delete access to jasperserver and jasperserverAudit JNDI connections and uncomment the settings listed in Sample Values for the default_master.properties File for JNDI Restricted Access Installation.

For example, to uncomment #jndi.restrictedAccess=true, change it to jndi.restrictedAccess=true.

Sample Values for the default_master.properties File for JNDI Restricted Access Installation lists the settings that you need to uncomment with sample values for each supported database.

Sample Values for the default_master.properties File for JNDI Restricted Access Installation

Database: PostgreSQL
Sample Property Values:

    # jndi.restrictedAccess=true
    # analytics.dbUsername=jasperuser
    # analytics.dbPassword=password
    # auditAnalytics.dbUsername=jasperuser
    # auditAnalytics.dbPassword=password

Database: MySQL
Sample Property Values:

    # jndi.restrictedAccess=true
    # analytics.dbUsername=jasperuser
    # analytics.dbPassword=password
    # auditAnalytics.dbUsername=jasperuser
    # auditAnalytics.dbPassword=password

Database: Oracle
Sample Property Values:

    # jndi.restrictedAccess=true
    # analytics.dbUsername=jasperuser
    # analytics.dbPassword=password
    # auditAnalytics.dbUsername=jasperuser
    # auditAnalytics.dbPassword=password

Database: DB2
Sample Property Values:

    # jndi.restrictedAccess=true
    # analytics.dbUsername=jasperuser
    # analytics.dbPassword=password
    # auditAnalytics.dbUsername=jasperuser
    # auditAnalytics.dbPassword=password

Database: SQL Server
Sample Property Values:

    # jndi.restrictedAccess=true
    # analytics.dbUsername=jasperuser
    # analytics.dbPassword=Pass@123
    # auditAnalytics.dbUsername=jasperuser
    # auditAnalytics.dbPassword=Pass@123

The password for SQL Server must be a combination of a special character, a number, an uppercase character, and a lowercase character.

Once the database is created, you must create read-only users. For details, refer to Create Read-only Users.

Each sample_conf/<dbType>_master.properties file contains the properties and appropriate sample values.

You can enable JNDI restricted access while deploying JasperReports Server on Tomcat, JBoss EAP, or WildFly. For details, refer to the JasperReports® Server Security Guide.

Create Read-only Users

The following table lists the database and the respective steps to create read-only users:

Database: PostgreSQL

Create user:

    -- User name and password match the analytics.dbUsername and
    -- analytics.dbPassword sample values; the grants below target this user.
    CREATE USER jasperuser WITH PASSWORD 'password';

Assign read-only permissions:

    GRANT CONNECT ON DATABASE jasperserver TO jasperuser;
    GRANT USAGE ON SCHEMA public TO jasperuser;
    GRANT SELECT ON ALL TABLES IN SCHEMA public TO jasperuser;

The above steps are for the jasperserver database. If you use a split installation, follow the same steps for the jsaudit database too.

Database: MySQL

Create user:

    CREATE USER 'jasperuser' IDENTIFIED BY 'password';

Assign read-only permissions:

    -- *.* applies the grant to every database on the server
    GRANT SELECT ON *.* TO 'jasperuser';

Or

    -- GRANT ... IDENTIFIED BY is rejected by MySQL 8.0 and later;
    -- on those versions use the CREATE USER statement above.
    GRANT SELECT, SHOW VIEW ON *.* TO 'jasperuser' IDENTIFIED BY 'password';

Database: Oracle

Create user:

    CREATE USER jasperuser IDENTIFIED BY password;

Assign read-only permissions:

    GRANT CREATE SESSION TO jasperuser;
    GRANT READ ANY TABLE TO jasperuser;

Database: DB2

Create user:

    sudo useradd jasperuser
    sudo passwd jasperuser    # enter the password as 'password' when prompted

Assign read-only permissions:

Log in using db2inst1/password, then run:

    # Connect to the database
    db2 connect to JSPRSRVR user db2inst1 using password

    # Create the 'readonly' role if it does not exist
    db2 "create role readonly"

    # Retrieve the list of table names in the 'JSPRSRVR' schema and save them to a file
    db2 -x "SELECT tabname FROM syscat.tables WHERE tabschema = 'JSPRSRVR'" > table_list.txt

    # Grant 'SELECT' privilege for each table to the 'readonly' role
    while IFS= read -r table; do
        db2 "grant select on JSPRSRVR.$table to role readonly"
    done < table_list.txt

    # Grant the 'readonly' role to the 'jasperuser' user
    db2 "grant role readonly to user jasperuser"

    # Clean up - remove the temporary file
    rm table_list.txt

Database: SQL Server

Create user:

    CREATE LOGIN jasperuser WITH PASSWORD = 'Pass@123';
    CREATE USER jasperuser FOR LOGIN jasperuser;

Assign read-only permissions:

    ALTER ROLE db_datareader ADD MEMBER jasperuser;

WebSphere Installation for Enabling JNDI Security

    Procedure
  1. Deploy the VM on the WebSphere application server.

  2. Log in to the WebSphere console at https://<ip_address>:9043/ibm/console using the credentials wasadmin and wasadmin.

  3. Navigate to Resources > JDBC > Data Sources > Add New JNDI Data Sources. For details, refer to Configuring a JDBC Provider in WebSphere.

    Figure 1: Add New JNDI Data Sources

  4. Restart the WebSphere server.

  5. Navigate to Applications > Application Types > WebSphere Enterprise Application > Select your application (for example, jasperserver-pro_war) > Stop > Start.

    Figure 2: Restart WebSphere Server

  6. Log in to JasperReports Server and check the connection to all JNDI data sources.

  7. Set hibernate.properties=true.

    cd IBM/WebSphere/AppServer/profiles/AppSrv01/installedApps/na2devjaspf607Node01Cell/jasperserver-pro_war.ear/jasperserver-pro.war/WEB-INF/classes/
    vim hibernate.properties

  8. Set metadata.hibernate.jndi.restrictedAccess.enabled=true.

  9. Restart the application server again and go to JasperReports Server. The test connection should fail for jasperserver and jasperserverAudit data sources.

WebLogic Installation for JNDI Security

    Procedure
  1. Deploy the VM on the WebLogic application server.

  2. Log in to the WebLogic console at http://host:port/console using the credentials weblogic and just4eng.

  3. If the console is not accessible, start WebLogic by using the following commands:

    sudo chmod -R 777 Oracle

    cd /opt/Oracle/Middleware/Oracle_Home/domains/jasper_domain/bin

    sudo ./startWebLogic.sh

  4. Navigate to Domain Structure > Services > Data Sources > Add AuditAnalyticsDataBase and JasperServerSystemDataBase. For details, refer to Procedure for Installing the WAR File for WebLogic.

    Figure 3: Add New JNDI Data Sources

  5. Redeploy the WAR file.

  6. Navigate to Deployment.

  7. Select the jasperserver-pro file and click Update.

    Figure 4: Redeploy WAR file

  8. Log in to JasperReports Server and check the connection to all JNDI data sources.

  9. Set metadata.hibernate.jndi.restrictedAccess.enabled=true.

  10. Update the hibernate.properties file in the jasperserver-pro.war file.

  11. Redeploy the jasperserver-pro.war file.

  12. Go to JasperReports Server. The test connection should fail for jasperserver and jasperserverAudit data sources.

Enabling JNDI Security post Installing JasperReports Server

    Procedure
  1. Follow the steps in Create Read-only Users to create read-only users.

  2. Update the <jasperreports server>/WEB-INF/hibernate.properties file and set metadata.hibernate.jndi.restrictedAccess.enabled=true.

  3. Edit the <jasperreports server>/META-INF/context.xml file.

    Based on the values used in Step 1, change the username and password for the following two resources:

    • jdbc/jasperserverSystemAnalytics

    • jdbc/jasperserverAuditAnalytics

  4. Complete the changes and restart the application server.

  5. Create a JNDI data source by using either of the following two connections:

    • jdbc/jasperserver

    • jdbc/jasperserverAudit

    The following message is displayed: "If your JNDI Data Connection has Edit/Delete access disabled, jasperserver and jasperserverAudit cannot be used for creating a new data source. Please select another JNDI connection."

  6. Create a JNDI data source by using either of the following two connections:

    • jdbc/jasperserverSystemAnalytics

    • jdbc/jasperserverAuditAnalytics

    You should be able to create a data source using these connections.
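
The following audit script is an added example, not part of the original documentation. It checks the results of steps 2 and 3 of this procedure on the text of hibernate.properties and context.xml; it assumes Tomcat-style <Resource> elements with name and username attributes, and the account name jasperdb in the sample input is constructed.

```python
import xml.etree.ElementTree as ET

FLAG = "metadata.hibernate.jndi.restrictedAccess.enabled"
REPOSITORY = ("jdbc/jasperserver", "jdbc/jasperserverAudit")
ANALYTICS = ("jdbc/jasperserverSystemAnalytics", "jdbc/jasperserverAuditAnalytics")

def active_properties(text):
    """Return the uncommented key=value pairs of a .properties file."""
    props = {}
    for line in text.splitlines():
        line = line.strip()
        if line and line[0] not in "#!" and "=" in line:
            key, _, value = line.partition("=")
            props[key.strip()] = value.strip()
    return props

def audit(hibernate_text, context_xml):
    """List deviations from the procedure; an empty list means none found."""
    findings = []
    if active_properties(hibernate_text).get(FLAG, "").lower() != "true":
        findings.append(f"{FLAG} is not active and true")
    # Assumption: Tomcat-style <Resource name=... username=...> elements.
    users = {r.get("name"): r.get("username")
             for r in ET.fromstring(context_xml).iter("Resource")}
    repo_accounts = {users[n] for n in REPOSITORY if users.get(n)}
    for name in ANALYTICS:
        if not users.get(name):
            findings.append(f"{name} is missing or has no username")
        elif users[name] in repo_accounts:
            findings.append(f"{name} still uses repository account {users[name]}")
    return findings

# Constructed sample input: the flag is still commented out, and one analytics
# resource still uses the (hypothetical) read-write account "jasperdb".
BEFORE_HIBERNATE = "# metadata.hibernate.jndi.restrictedAccess.enabled=true\n"
BEFORE_CONTEXT = """<Context>
  <Resource name="jdbc/jasperserver" username="jasperdb" password="x"/>
  <Resource name="jdbc/jasperserverAudit" username="jasperdb" password="x"/>
  <Resource name="jdbc/jasperserverSystemAnalytics" username="jasperuser" password="x"/>
  <Resource name="jdbc/jasperserverAuditAnalytics" username="jasperdb" password="x"/>
</Context>"""
AFTER_HIBERNATE = "metadata.hibernate.jndi.restrictedAccess.enabled=true\n"
AFTER_CONTEXT = BEFORE_CONTEXT.replace(
    'AuditAnalytics" username="jasperdb"', 'AuditAnalytics" username="jasperuser"')

if __name__ == "__main__":
    for label, h, c in (("before", BEFORE_HIBERNATE, BEFORE_CONTEXT),
                        ("after", AFTER_HIBERNATE, AFTER_CONTEXT)):
        print(label, audit(h, c) or "no findings")
```

The script only compares configuration text; whether jasperuser is actually limited to SELECT still has to be confirmed in the database.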