Tagged with security - Visokio Forums
http://forums.visokio.com/discussions/tagged/security/feed.rss
Mon, 30 Oct 17 14:31:12 -0400 (en-CA)

Security: Authentication on Omniscope Web Server? http://forums.visokio.com/discussion/2801/security-authentication-on-omniscope-web-servers Thu, 25 Dec 2014 01:24:36 -0500 stavro 2801@/discussions
How can I create an authentication page which will be shown when we click the mobile web server page? Also, not all users should have access to all reports. Can you explain it in detail?
Security: Connecting via Proxy Server requiring Authentication. http://forums.visokio.com/discussion/1606/security-connecting-via-proxy-server-requiring-authentication. Mon, 18 Jun 2012 12:59:28 -0400 antonio 1606@/discussions
"HTTP/1.0 407 Proxy Authentication Required"

When you need to open a file on a remote server through a Proxy server that requires authentication, then you have to provide Omniscope with the Proxy server authentication credentials. To do this select
Settings > Advanced > Default Proxy Authentication
and insert username and password. These credentials will be valid for the whole Omniscope session.

Note that proxy server authentication is different from remote server authentication. If the remote server requires authentication then you will receive the following message:

Unauthorised (HTTP error 401)

To resolve this, depending on the dialog, tick "Requires authentication" and insert the username and password.
Security: Server SSL Error-handshake alert:unrecognized_name http://forums.visokio.com/discussion/2614/security-server-ssl-error-handshake-alertunrecognized_name Fri, 27 Jun 2014 05:30:44 -0400 Veaceslav 2614@/discussions
  • Security: SSL Certificate Error - Use your trusted certificate
  • HTTPS Certificate Error
  • Security: The server you are connecting to does not have a valid certificate
  • SSL Error - handshake alert: unrecognized_name

  • Server SSL Error - handshake alert: unrecognized_name


    You may get this SSL error if the server you are trying to access has not been properly configured.

    For security reasons the SNI extension has been enabled by default in Java 7. However, if you trust the server you are trying to connect to, you may want to disable the SNI extension.

    jsse.enableSNIExtension is a java system property. Server Name Indication (SNI) is a TLS extension, defined in RFC 4366. It enables TLS connections to virtual servers, in which multiple servers for different network names are hosted at a single underlying network address.

    Some very old SSL/TLS vendors may not be able to handle SSL/TLS extensions. In this case, set this property to false to disable the SNI extension.

    To disable the SNI extension you need to do the following:

    1. Open 'installconfig.properties' file located at {YOUR_OMNISCOPE_INSTALLATION_PATH}

    {YOUR_OMNISCOPE_INSTALLATION_PATH} - this is where Omniscope is installed on your machine (e.g. C:\Users\slavvi\AppData\Local\Visokio Omniscope app)

    2. Edit the file to add this line:
    ADDITIONAL_JVM_ARGS=-Djsse.enableSNIExtension=false

    3. Restart Omniscope

    Note: After setting this property, you may get the following error if the server you want to access does not have a certificate issued by a certified authority:
    The server you are connecting to does not have a valid certificate from an authorised authority
    To resolve this error please read the following post:
    http://forums.visokio.com/discussion/2613/security-the-server-you-are-connecting-to-does-not-have-a-valid-certificate
    However, you will be unable to execute step 2 outlined in that forum post unless you disable the SNI extension while executing that command. Here is how that command may look:
    java -Djsse.enableSNIExtension=false InstallCert server-storing-my-iok-files.com:443


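What the jsse.enableSNIExtension switch actually changes on the wire, as an added example that is not part of the post or of Omniscope: the code builds a minimal TLS 1.2 ClientHello with and without the server_name extension (RFC 6066), parses the extension back out, and decodes the alert record a misconfigured virtual host answers with (unrecognized_name, alert code 112; Java 7 treats even the warning-level form of that alert as fatal, which is the failure the post describes). The host name is a placeholder taken from the post; nothing here talks to a network.

```python
import os
import struct

# Added example, not Omniscope code: builds and parses a minimal TLS 1.2 ClientHello
# with or without the server_name (SNI) extension, and decodes a TLS alert record.

EXT_SERVER_NAME = 0x0000
ALERT_DESCRIPTIONS = {40: "handshake_failure", 42: "bad_certificate",
                      48: "unknown_ca", 112: "unrecognized_name"}


def _sni_extension(host):
    """server_name extension: ServerNameList of one host_name entry."""
    name = host.encode("idna")
    server_name = struct.pack("!BH", 0, len(name)) + name        # name_type host_name(0)
    server_name_list = struct.pack("!H", len(server_name)) + server_name
    return struct.pack("!HH", EXT_SERVER_NAME, len(server_name_list)) + server_name_list


def build_client_hello(server_name=None, random_bytes=None):
    """Return a ClientHello record; with server_name=None no extensions block is sent,
    which is what -Djsse.enableSNIExtension=false produces for a Java 7 client."""
    random_bytes = random_bytes or os.urandom(32)
    body = b"\x03\x03" + random_bytes                             # client_version, random
    body += b"\x00"                                               # empty session_id
    suites = b"\xc0\x2f\x00\x2f"                                  # ECDHE-RSA-AES128-GCM-SHA256, RSA-AES128-SHA
    body += struct.pack("!H", len(suites)) + suites
    body += b"\x01\x00"                                           # one compression method: null
    if server_name is not None:
        ext = _sni_extension(server_name)
        body += struct.pack("!H", len(ext)) + ext
    handshake = b"\x01" + len(body).to_bytes(3, "big")            # HandshakeType client_hello(1)
    handshake += body
    return b"\x16\x03\x03" + struct.pack("!H", len(handshake)) + handshake


def parse_client_hello(record):
    """Return {'sni': [names], 'extensions': [types]} for a ClientHello record."""
    ctype, _major, _minor, rlen = struct.unpack("!BBBH", record[:5])
    if ctype != 0x16:
        raise ValueError("not a handshake record")
    hs = record[5:5 + rlen]
    if hs[0] != 0x01:
        raise ValueError("not a ClientHello")
    body = hs[4:4 + int.from_bytes(hs[1:4], "big")]
    pos = 2 + 32                                                  # skip version and random
    pos += 1 + body[pos]                                          # session_id
    pos += 2 + struct.unpack("!H", body[pos:pos + 2])[0]          # cipher_suites
    pos += 1 + body[pos]                                          # compression_methods
    result = {"sni": [], "extensions": []}
    if pos >= len(body):
        return result                                             # no extensions block at all
    ext_len = struct.unpack("!H", body[pos:pos + 2])[0]
    pos += 2
    end = pos + ext_len
    while pos < end:
        etype, elen = struct.unpack("!HH", body[pos:pos + 4])
        pos += 4
        data = body[pos:pos + elen]
        pos += elen
        result["extensions"].append(etype)
        if etype == EXT_SERVER_NAME:
            list_len = struct.unpack("!H", data[:2])[0]
            q = 2
            while q < 2 + list_len:
                ntype, nlen = struct.unpack("!BH", data[q:q + 3])
                q += 3
                if ntype == 0:
                    result["sni"].append(data[q:q + nlen].decode("idna"))
                q += nlen
    return result


def parse_alert(record):
    """Decode a TLS alert record into (level, description)."""
    ctype, _major, _minor, rlen = struct.unpack("!BBBH", record[:5])
    if ctype != 0x15 or rlen != 2:
        raise ValueError("not an alert record")
    level, desc = record[5], record[6]
    return ({1: "warning", 2: "fatal"}.get(level, "unknown"),
            ALERT_DESCRIPTIONS.get(desc, str(desc)))


if __name__ == "__main__":
    host = "server-storing-my-iok-files.com"                      # placeholder from the post
    print("with SNI:   ", parse_client_hello(build_client_hello(host)))
    print("without SNI:", parse_client_hello(build_client_hello()))
    # constructed alert record: warning-level unrecognized_name (what a vhost name mismatch returns)
    print("alert:      ", parse_alert(bytes.fromhex("15030300020170")))
```

To see the same thing against a live server, `openssl s_client -connect host:443 -servername host` reports the alert as it arrives; if it shows `warning:unrecognized name`, the server's virtual-host name does not match the name you are connecting with, and fixing that (or connecting by the name the server expects) is preferable to switching SNI off for every connection the JVM makes.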
    Security: Server you are connecting to does not have a valid certificate? http://forums.visokio.com/discussion/2613/security-server-you-are-connecting-to-does-not-have-a-valid-certificates Thu, 26 Jun 2014 08:07:06 -0400 Veaceslav 2613@/discussions

  • Server SSL error - The server you are connecting to does not have a valid certificate from an authorised authority


    Here is what you need to do to enable Omniscope to access the URL you have (e.g. "https://server-storing-my-iok-files.com/"):

    1. Download InstallCert.zip archive and unzip it (it contains two java class files: InstallCert$SavingTrustManager.class, InstallCert.class), put both of them in a folder (e.g. c:\your_path\)

    2. Open command prompt (cmd.exe) and change current dir to the folder containing the class files from step 1 (e.g. cd c:\your_path\) then execute this command:
    • java InstallCert server-storing-my-iok-files.com:443

      Note: if you don't have java installed, use the java executable located at:

      - {YOUR_OMNISCOPE_INSTALLATION_PATH}\x86\bin\java (if you have a 32 bit OS)
      - {YOUR_OMNISCOPE_INSTALLATION_PATH}\x64\bin\java (if you have a 64 bit OS)

      {YOUR_OMNISCOPE_INSTALLATION_PATH} - this is where Omniscope is installed on your machine (e.g. C:\Users\slavvi\AppData\Local\Visokio Omniscope app)

      (to check whether you have a 32-bit or 64-bit OS: open Control Panel -> System and check 'System type:')
      The command may look like this: "{YOUR_OMNISCOPE_INSTALLATION_PATH}\x64\bin\java" InstallCert server-storing-my-iok-files.com:443

      If you get the SSL error - handshake alert: unrecognized_name while executing this command please read this post: handshake alert: unrecognized_name

    3. You will be asked 'Enter certificate to add to trusted keystore or 'q' to quit: [1]', press 1 then press ENTER
    Note: After executing step 3, this message will be displayed in the console:
    Added certificate to keystore 'jssecacerts' using alias 'server-storing-my-iok-files.com-1'
    which means that this particular certificate will be trusted by java applications if 'jssecacerts' keystore is provided

    Notice that 'jssecacerts' file has been created in the folder you executed the command (e.g. c:\your_path\)

    4. Open 'installconfig.properties' file located at {YOUR_OMNISCOPE_INSTALLATION_PATH}

    5. Edit the file to add this line:
    ADDITIONAL_JVM_ARGS=-Djavax.net.ssl.trustStore="c:\your_path\jssecacerts"

    6. Restart Omniscope

    Note 1: You will get this error if you miss step 5 or the path to 'jssecacerts' is wrong:
    java.lang.RuntimeException: Unexpected error: java.security.InvalidAlgorithmParameterException: the trustAnchors parameter must be non-empty

    Note 2: If -Djavax.net.ssl.trustStore="c:\your_path\jssecacerts" points to a directory instead of a file, or to a non-existent path, all SSL connections will fail (regardless of whether the certificates have been authorised by the most trusted authorities, SSL connections will NOT work at all) and the same error will be displayed:
    java.lang.RuntimeException: Unexpected error: java.security.InvalidAlgorithmParameterException: the trustAnchors parameter must be non-empty

    Note 3: Only one path can be set in -Djavax.net.ssl.trustStore="c:\your_path\jssecacerts". If you need more than one trust store, you need to merge them into a single file and set that file in the javax.net.ssl.trustStore property. If this is the case, the simplest solution is to use steps 1-3 above for each individual URL. Each entry will be appended to the same jssecacerts file.

    Security: Mobile Web Server user permissions http://forums.visokio.com/discussion/2388/security-mobile-web-server-user-permissions Mon, 28 Oct 2013 15:04:16 -0400 antonio 2388@/discussions
    To enable this feature, just create a folder.xml configuration file and put it into your sharing folder (or subfolder).
    You can start by using the folder.xml.default file, present in the mobile sharing folder, as a template.

    Remember, the settings present in the folder.xml file will override the default anonymous/folder permissions, and the default user credentials and permissions. As a note for system administrators, folder.xml works like an Apache .htaccess file.

    Here follow the main aspects you need to know to configure the folder.xml file properly:

    Permissions


    These are permissions you can set on a folder or per user basis:
    • listDirectory : allow users to list existing files and subfolders
    • downloadFile : allow users to download the IOK files
    • viewInMobile : allow users to launch the Omniscope Mobile app for the existing IOK files
    • fileManagement : allow users to upload IOK files, rename and delete resources, create new folders in the folder
    • getStatic : allow users to get/access static resources from the folder, and to customise default styles (e.g. logo, icons, css files)
    • viewServerState : allow users to view the server state through a monitoring page

    N.B. A missing permission in the configuration is equivalent to deny

    User Credentials


    To specify user credentials you need to provide:
    • username : in clear text
    • password : the MD5 hash of the password, as a hex string. As a reference you can use this link to generate the hash.


    folder.xml file structure


    • Anonymous section
      The <anonymous> element describes the unauthenticated permissions, and is also used as default values for per-user permissions.
      Unauthenticated public access will be given these permissions. Any false/missing permissions will require authentication.
    • Users section
      The <user> element describes the credentials and the permissions per user, and is made by the following elements/attributes:
      • Enabled : whether or not the user is enabled.
      • Credentials : the user username and password
      • Permissions: the user permissions that will override the anonymous ones



    folder.xml example


    <?xml version="1.0" encoding="UTF-8"?>
    <mobilefolder>
      <anonymous>
        <permissions listDirectory="true" downloadFile="false" viewInMobile="true" fileManagement="false" getStatic="false" viewServerState="false"/>
      </anonymous>
      <users>
        <user enabled="true">
          <credentials>
            <credentials username="antonio" password="9aeb94180027a7081352cba05e6a3782" />
          </credentials>
          <permissions>
            <permissions listDirectory="true" downloadFile="true" viewInMobile="true" fileManagement="true" getStatic="true" viewServerState="true" />
          </permissions>
        </user>
        <user enabled="true">
          <credentials>
            <credentials username="guest" password="4aeb93180027a708186hy4505e6a6465" />
          </credentials>
          <permissions>
            <permissions listDirectory="true" viewInMobile="true" getStatic="true" />
          </permissions>
        </user>
      </users>
    </mobilefolder>


    Common use cases:


    • Anonymous access not allowed, Admin user full permissions, Guest users browse and play IOK files
      <?xml version="1.0" encoding="UTF-8"?>
      <mobilefolder>
        <anonymous>
          <permissions listDirectory="false" downloadFile="false" viewInMobile="false" fileManagement="false" getStatic="false" viewServerState="false"/>
        </anonymous>
        <users>
          <user enabled="true">
            <credentials>
              <credentials username="admin" password="9aeb94180027a7081352cba05e6a3782" />
            </credentials>
            <permissions>
              <permissions listDirectory="true" downloadFile="true" viewInMobile="true" fileManagement="true" getStatic="true" viewServerState="true" />
            </permissions>
          </user>
          <user enabled="true">
            <credentials>
              <credentials username="guest" password="4aeb93180027a708186hy4505e6a6465" />
            </credentials>
            <permissions>
              <permissions listDirectory="true" viewInMobile="true" getStatic="true" />
            </permissions>
          </user>
        </users>
      </mobilefolder>

    • Anonymous can browse folders, no Admin user, Guest users browse and play IOK files
      <?xml version="1.0" encoding="UTF-8"?>
      <mobilefolder>
        <anonymous>
          <permissions listDirectory="true" getStatic="true" />
        </anonymous>
        <users>
          <user enabled="true">
            <credentials>
              <credentials username="guest" password="4aeb93180027a708186hy4505e6a6465" />
            </credentials>
            <permissions>
              <permissions listDirectory="true" viewInMobile="true" getStatic="true" />
            </permissions>
          </user>
        </users>
      </mobilefolder>


    Security: Group Permissions http://forums.visokio.com/discussion/2572/security-group-permissions Tue, 27 May 2014 07:02:09 -0400 Veaceslav 2572@/discussions

    Mobile Web Server Authentication

    Group Permissions

    Mobile Server authentication has been redesigned to include LDAP/Active Directory (AD) authentication and Single-Sign-On (SPNEGO) mechanisms.

    Each server request goes through a security check first and if it is authorized, the request is processed and a proper response is sent back to the client.

    Authorization permissions may be added to anonymous users and authentication groups. Permissions cannot be added for each individual user. To make sure a user has specific permissions you need to create a group with those permissions and add the user to that group.

    Omniscope Mobile web server allows you to configure per folder authorization/permissioning configuration.

    To enable this feature, just create a folder.xml configuration file and put it into your sharing folder (or subfolder).
    You can start by using the folder.xml.default file, present in the mobile sharing folder, as a template.

    Remember, the settings present in the folder.xml file will override the default anonymous/folder permissions, and the default authentication groups and permissions. As a note for system administrators, folder.xml works like an Apache .htaccess file.

    Editing tip for folder.xml
    Instead of manually editing the folder.xml file we suggest you copy an existing folder.xml into the correct folder and then use Omniscope Mobile Web Server UI main toolbar (Settings > Edit folder.xml configuration...) to edit the folder.xml.

    Permissions

    Here follow the main aspects you need to know to configure the folder.xml file properly.

    These are permissions you can set on a folder or per group basis:
    • listDirectory : allow users to list existing files and subfolders
    • downloadFile : allow users to download the IOK files
    • viewInMobile : allow users to launch the Omniscope Mobile app for the existing IOK files
    • fileManagement : allow users to upload IOK files, rename and delete resources, create new folders in the folder and save. Also used to control if mobile is in "Viewer" mode.
    • getStatic : allow users to get/access static resources from the folder, and to customise default styles (e.g. logo, icons, css files)
    • viewServerState : allow users to view the server state through a monitoring page
    • exportData : allow users to export a view's data as a CSV file.

    N.B. A missing permission in the configuration is equivalent to deny

    folder.xml file structure


    • Anonymous section
      The <anonymous> element describes the unauthenticated permissions, and is also used as default values for per-group permissions.
      Unauthenticated public access will be given these permissions. Any false/missing permissions will require authentication.
    • Groups section
      The <group> element describes the authentication group and its permissions, and is made up of the following elements/attributes:
      • Enabled : whether or not the group is enabled. Disabled groups are not considered during authentication
        Note: If the enabled attribute is missing the group will be enabled by default. A group is disabled only if the enabled attribute is present and is set to false
      • Name: specifies the group name e.g. Data Analysts, Guests, Administrators, Employees, etc
      • Permissions: the group permissions that will override the anonymous ones
      • Mechanisms: a list of authentication mechanisms to be used when authenticating users for this group e.g. LDAP Query, List Of Users, SPNEGO (Single-Sign-On)
        • ListOfUsers: defining a list of users, e.g. :
          <listOfUsers>
            <users>
              <credentials username="test" password="098f6b627b4f6" />
              <credentials username="visokio" password="72261efef7c41" />
            </users>
          </listOfUsers>

          The credentials element has two attributes: username and password (the MD5 hash of the password).
          To generate password MD5s, visit this link

        • ldapQuery: LDAP Query mechanism enables Omniscope Server to query an LDAP/AD server to validate user credentials
          Attributes:
          • distinguishedName: LDAP group distinguished name E.g. CN=Users,DC=example,DC=com
          • url: A full URL pointing to your LDAP/AD server
            Example 1: 'LDAP://ldapserver.example.com:389'
            where LDAP is protocol name, ldapserver.example.com is the LDAP/AD server and 389 is the default port for LDAP protocol
            Example 2: 'LDAPS://ldapserver.example.com:636' where LDAPS is LDAP over SSL protocol,
            ldapserver.example.com is the LDAP/AD server and 636 is the default port for LDAPS protocol
          • ignoreSslIssues: false most of the time. Set true only if your LDAP/AD server has not been configured to use a trusted certificate and you are using LDAPS protocol
          • securityAuthentication: Security authentication type supported by your LDAP/AD server. By default, LDAP/AD server uses a simple security type. However, you should contact your administrator to check whether you need to use a different type (CRAM-MD5, or DIGEST-MD5, or none)
          • principalNameFormat: can have only one of the following values:
            1. {Name} : the user's simple name will be used to authenticate, e.g. 'username' and 'password' will be used
            2. DOMAIN\{Name}: the user's simple name will be prefixed with the DOMAIN name automatically, e.g. 'EXAMPLE.COM\username' and 'password' will be used to authenticate the user
            3. {Name}@DOMAIN: the user's simple name will have the DOMAIN name appended automatically, e.g. 'username@EXAMPLE.COM' and 'password' will be used to authenticate the user

          • principalDomain: must be set only if 'principalNameFormat' contains a domain name, otherwise it will be disregarded. e.g. 'EXAMPLE.COM'

        • spnegoMechanism: a Single-Sign-On authentication mechanism e.g.:
          <spnegoMechanism>
            <userNames>
              <userName userName="johnsmith" />
              <userName userName="johndoe" />
            </userNames>
          </spnegoMechanism>

          spnegoMechanism element has a list of user names to be verified once users authenticate successfully on LDAP/AD server and are assigned group permissions (roles).
          WARNING: spnegoMechanism will be disregarded during authentication if SPNEGO global settings are not set in config.xml




    folder.xml example


    <?xml version="1.0" encoding="UTF-8"?>
    <mobilefolder>
      <anonymous>
        <permissions listDirectory="false" downloadFile="false" viewInMobile="false"
                     fileManagement="false" getStatic="false" viewServerState="false"
                     exportData="false" />
      </anonymous>
      <groups>
        <group enabled="true" name="Data Analysts">
          <permissions>
            <permissions listDirectory="true" downloadFile="true" viewInMobile="true"
                         fileManagement="false" getStatic="false" viewServerState="false"
                         exportData="false" />
          </permissions>
          <mechanisms>
            <spnegoMechanism>
              <userNames>
                <userName userName="john" />
              </userNames>
            </spnegoMechanism>
            <ldapQuery
                distinguishedName="CN=Users,DC=example,DC=com"
                url="ldap://ldapserver.example.com:389"
                ignoreSslIssues="false"
                securityAuthentication="simple"
                principalNameFormat="{Name}@DOMAIN"
                principalDomain="example.com">
            </ldapQuery>
            <listOfUsers>
              <users>
                <credentials username="Tester" password="f5d1277e04873b9" />
              </users>
            </listOfUsers>
          </mechanisms>
        </group>
      </groups>
    </mobilefolder>


    Common use cases:


    • Anonymous access not allowed, Admin user full permissions, Guest users browse and play IOK files

      <?xml version="1.0" encoding="UTF-8"?>
      <mobilefolder>
        <anonymous>
          <permissions listDirectory="false" downloadFile="false" viewInMobile="false"
                       fileManagement="false" getStatic="false" viewServerState="false"
                       exportData="false" />
        </anonymous>
        <groups>
          <group enabled="true" name="Administrators">
            <permissions>
              <permissions listDirectory="true" downloadFile="true" viewInMobile="true"
                           fileManagement="true" getStatic="true" viewServerState="true"
                           exportData="true" />
            </permissions>
            <mechanisms>
              <listOfUsers>
                <users>
                  <credentials username="admin" password="5d141e04873b9" />
                </users>
              </listOfUsers>
            </mechanisms>
          </group>
          <group enabled="true" name="Guests">
            <permissions>
              <permissions listDirectory="true" viewInMobile="true"
                           getStatic="true" />
            </permissions>
            <mechanisms>
              <listOfUsers>
                <users>
                  <credentials username="guest" password="f5d1ee04873b9" />
                  <credentials username="visitor" password="43ffge14197e45" />
                </users>
              </listOfUsers>
            </mechanisms>
          </group>
        </groups>
      </mobilefolder>

    • Anonymous access not allowed, admin users authenticating with their LDAP accounts, employees browse and play IOK files and authenticate with their LDAP accounts, a new employee user authenticating with List Of Users mechanism if an LDAP account is not yet available and a user authenticating with a Single-Sign-On (SPNEGO) mechanism

      <?xml version="1.0" encoding="UTF-8"?>
      <mobilefolder>
        <anonymous>
          <permissions listDirectory="false" downloadFile="false" viewInMobile="false"
                       fileManagement="false" getStatic="false" viewServerState="false"
                       exportData="false" />
        </anonymous>
        <groups>
          <group enabled="true" name="Administrators">
            <permissions>
              <permissions listDirectory="true" downloadFile="true" viewInMobile="true"
                           fileManagement="true" getStatic="true" viewServerState="true"
                           exportData="true" />
            </permissions>
            <mechanisms>
              <ldapQuery
                  distinguishedName="CN=Administrators,DC=example,DC=com"
                  url="ldap://ldapserver.example.com:389"
                  ignoreSslIssues="false"
                  securityAuthentication="simple"
                  principalNameFormat="{Name}@DOMAIN"
                  principalDomain="example.com">
              </ldapQuery>
            </mechanisms>
          </group>
          <group enabled="true" name="Employee">
            <permissions>
              <permissions listDirectory="true" downloadFile="true" viewInMobile="true"
                           fileManagement="false" getStatic="true" viewServerState="false"
                           exportData="false" />
            </permissions>
            <mechanisms>
              <spnegoMechanism>
                <userNames>
                  <!-- User 'john' with password 'SomePassword' is defined on the
                       LDAP server and logged in on the client machine to test SPNEGO -->
                  <userName userName="john" />
                </userNames>
              </spnegoMechanism>
              <ldapQuery
                  distinguishedName="CN=Users,DC=example,DC=com"
                  url="ldap://ldapserver.example.com:389"
                  ignoreSslIssues="false"
                  securityAuthentication="simple"
                  principalNameFormat="{Name}@DOMAIN"
                  principalDomain="example.com">
              </ldapQuery>
              <listOfUsers>
                <users>
                  <credentials username="NewEmployee" password="d1274e417e04" />
                </users>
              </listOfUsers>
            </mechanisms>
          </group>
        </groups>
      </mobilefolder>

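The per-user folder.xml post and the group-permissions post above describe the same evaluation rules: the anonymous permissions are the public defaults, a missing permission is deny, and each user or group overrides the anonymous values for the principals it covers. The following is an added example, not Omniscope's own code, that applies those rules to a folder.xml in either format and lists what a reviewer would flag (anonymous users granted download, management, state or export rights; an ldapQuery doing a simple bind over plain ldap:// or with ignoreSslIssues on; malformed or shared password hashes). It assumes that a permission absent from a user or group falls back to the anonymous value. The sample XML is constructed; its hash is the MD5 of "test". Because the stored hashes are unsalted MD5, anyone who can read the file can recover weak passwords offline, which crack_md5 shows.

```python
import hashlib
import xml.etree.ElementTree as ET

# Added example, not Omniscope code. Evaluates a Mobile Web Server folder.xml as the
# posts describe it: <anonymous> permissions are the public defaults, an attribute missing
# there is deny, and each legacy <user> or newer <group> overrides those defaults.
# Assumption: a permission absent from a user/group falls back to the anonymous value.

PERMISSIONS = ("listDirectory", "downloadFile", "viewInMobile", "fileManagement",
               "getStatic", "viewServerState", "exportData")
RISKY_FOR_ANONYMOUS = ("downloadFile", "fileManagement", "viewServerState", "exportData")


def md5_password(plaintext):
    """What the password attribute holds: an unsalted MD5 hex digest of the password."""
    return hashlib.md5(plaintext.encode("utf-8")).hexdigest()


def crack_md5(digest, wordlist):
    """The flip side of unsalted MD5: anyone who can read folder.xml can try a wordlist."""
    return next((w for w in wordlist if md5_password(w) == digest.lower()), None)


def _is_true(value):
    return value is not None and value.strip().lower() == "true"


def _perm_attrs(elem):
    """Attributes of the <permissions .../> node under elem. In the user and group
    sections it is wrapped in a second <permissions> element; {} when there is none."""
    node = elem.find("permissions")
    if node is not None and node.find("permissions") is not None:
        node = node.find("permissions")
    return dict(node.attrib) if node is not None else {}


def effective_permissions(xml_text):
    """Map principal name -> {permission: bool}; key 'anonymous' is unauthenticated access."""
    root = ET.fromstring(xml_text)
    anon_elem = root.find("anonymous")
    anon_attrs = _perm_attrs(anon_elem) if anon_elem is not None else {}
    anon = {p: _is_true(anon_attrs.get(p)) for p in PERMISSIONS}      # missing == deny
    effective = {"anonymous": anon}
    principals = []
    for user in root.iterfind("users/user"):                           # legacy per-user format
        cred = user.find("credentials/credentials")
        principals.append((cred.get("username") if cred is not None else "<no credentials>", user))
    for group in root.iterfind("groups/group"):                        # group format
        principals.append((group.get("name", "<unnamed>"), group))
    for name, elem in principals:
        if elem.get("enabled") is not None and not _is_true(elem.get("enabled")):
            effective[name] = {p: False for p in PERMISSIONS}          # disabled: cannot authenticate
            continue
        own = _perm_attrs(elem)
        effective[name] = {p: _is_true(own[p]) if p in own else anon[p] for p in PERMISSIONS}
    return effective


def audit(xml_text):
    """Findings a reviewer would raise against the file; an empty list means nothing flagged."""
    root = ET.fromstring(xml_text)
    findings = []
    anon = effective_permissions(xml_text)["anonymous"]
    findings += [f"anonymous users get {p}" for p in RISKY_FOR_ANONYMOUS if anon[p]]
    for q in root.iter("ldapQuery"):
        url = q.get("url", "")
        if url.lower().startswith("ldap://") and q.get("securityAuthentication", "simple").lower() == "simple":
            findings.append(f"{url}: simple bind over plain ldap:// sends passwords in clear; use ldaps://")
        if _is_true(q.get("ignoreSslIssues")):
            findings.append(f"{url}: ignoreSslIssues=true disables certificate validation")
    seen = {}
    for cred in root.iter("credentials"):
        user = cred.get("username")
        if user is None:                                               # wrapper element in the legacy format
            continue
        digest = (cred.get("password") or "").lower()
        if len(digest) != 32 or any(c not in "0123456789abcdef" for c in digest):
            findings.append(f"{user}: password is not a 32-hex-digit MD5 digest")
        elif digest in seen:
            findings.append(f"{user} shares a password hash with {seen[digest]}")
        else:
            seen[digest] = user
    return findings


# Constructed sample in the group format (not a real deployment); the hash is md5("test").
SAMPLE_FOLDER_XML = """<?xml version="1.0" encoding="UTF-8"?>
<mobilefolder>
  <anonymous>
    <permissions listDirectory="true" getStatic="true" exportData="true"/>
  </anonymous>
  <groups>
    <group name="Administrators">
      <permissions><permissions listDirectory="true" downloadFile="true" viewInMobile="true"
        fileManagement="true" getStatic="true" viewServerState="true" exportData="true"/></permissions>
      <mechanisms><ldapQuery distinguishedName="CN=Administrators,DC=example,DC=com"
        url="ldap://ldapserver.example.com:389" ignoreSslIssues="false"
        securityAuthentication="simple" principalNameFormat="{Name}@DOMAIN"
        principalDomain="example.com"/></mechanisms>
    </group>
    <group enabled="false" name="Guests">
      <permissions><permissions viewInMobile="true"/></permissions>
      <mechanisms><listOfUsers><users>
        <credentials username="guest" password="098f6bcd4621d373cade4e832627b4f6"/>
        <credentials username="visitor" password="098f6bcd4621d373cade4e832627b4f6"/>
      </users></listOfUsers></mechanisms>
    </group>
  </groups>
</mobilefolder>
"""

if __name__ == "__main__":
    for name, perms in effective_permissions(SAMPLE_FOLDER_XML).items():
        print(name, sorted(p for p, ok in perms.items() if ok))
    for finding in audit(SAMPLE_FOLDER_XML):
        print("WARNING:", finding)
    print("guest password:", crack_md5("098f6bcd4621d373cade4e832627b4f6", ["password", "guest", "test"]))
```

Run it against each folder.xml in the sharing tree before saving; the "anonymous users get ..." findings matter most, because anything granted to anonymous is reachable with no authentication at all, whatever the groups say.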
    Security: List Of Users authentication http://forums.visokio.com/discussion/2569/security-list-of-users-authentication Mon, 26 May 2014 06:12:43 -0400 Veaceslav 2569@/discussions

    Mobile Web Server Authentication

    List Of Users authentication mechanism

    Besides the Single-Sign-On (SPNEGO) and LDAP Query mechanisms, which authenticate users that are stored and managed on other servers like LDAP, Omniscope Mobile server may be configured to validate Omniscope users by manually adding custom users on the server. Those users are stored in Omniscope Server configuration files (config.xml, folder.xml).

    Configuration steps


    1. Open Edit Default folder configuration dialog (Visokio Omniscope Server window -> Mobile Web Server section -> Config button -> Permissions section -> Default folder configuration -> Edit)
    2. Make sure to properly edit anonymous permissions first (actions that are allowed for anonymous users will not use authentication).
    3. Add a new group (or edit an existing group)
      - Note: Disabled groups are not considered during authentication

    4. Edit group permissions
    5. For group mechanisms click the Add button and select List of users.
    6. Add users.


    Legacy Omniscope users


    List Of Users authentication mechanism is a replacement for the legacy Omniscope users. Old configuration files are converted automatically.

    Users are grouped automatically based on their permissions and whether users are enabled or disabled.

    E.g.
    Legacy users:

    • User 1 with permissions A, enabled
    • User 2 with permissions B, enabled
    • User 3 with permissions A, enabled
    • User 4 with permissions A, disabled
    • User 5 with permissions A, enabled

    Are automatically converted to:
    • Group 1 with permissions A, enabled having User 1, User 3, User 5
    • Group 2 with permissions A, disabled having User 4
    • Group 3 with permissions B, enabled having User 2

    Security: Single-Sign-On (SPNEGO) Configuration http://forums.visokio.com/discussion/2566/security-single-sign-on-spnego-configuration Fri, 23 May 2014 10:32:45 -0400 Veaceslav 2566@/discussions

    Mobile Web Server Authentication

    Single-Sign-On (SPNEGO) Mechanism

    SPNEGO (Single-Sign-On) mechanism allows users to authenticate automatically with their LDAP/Active Directory (AD) account without asking them for credentials. Having a proper setup, authorized users never type their credentials in any dialog or form. Unauthorized users, however, are either prompted for credentials or are denied server access.
    • Users are stored and managed by an LDAP/AD server
    • Omniscope Mobile server is configured to ask the LDAP/AD server to validate user tokens

    Configuration

    At least three machines are involved in a Single-Sign-On setup:

    1. LDAP/AD server (e.g. computer name ldapserver)
    2. A machine running Omniscope server (e.g. computer name omniscopeserver)
    3. A client machine having a browser installed (Chrome, Firefox, Internet Explorer, etc) (e.g. computer name browserA)

    Note: Single-sign-on does not work when the client (browser) runs on the same machine as Omniscope server (or LDAP/AD)

    • The machines must be on the same intranet network,
    • on the same domain (e.g. example.com),
    • DNS properly setup such that they all can nslookup each other by name (e.g. nslookup omniscopeserver finds the machine running omniscope server)

    1. LDAP/AD machine - Windows Server OS (2003, 2008, 2012, etc)
      • Create a dedicated LDAP user on the domain, e.g. omniscopeuser@example.com with password YourPassword (choose a stronger password), make sure the password never expires
      • In command prompt execute:
        setspn -A HTTP/omniscopeserver.example.com omniscopeuser

        where example.com is your network domain
        omniscopeserver is the name of the machine running Omniscope server
        omniscopeuser is user logon name of the dedicated LDAP user
        HTTP/omniscopeserver.example.com must not have been mapped to another user before. If it has, you need to remove that mapping first:
        setspn -D HTTP/omniscopeserver.example.com otheruser

      • In command prompt, execute the second command (make sure to use capital letters exactly as shown in the command):
        ktpass -princ HTTP/omniscopeserver.example.com@EXAMPLE.COM -pass YourPassword -mapuser omniscopeuser@EXAMPLE.COM -out omniscopeuser.HTTP.keytab -crypto RC4-HMAC-NT -kvno 0
        • where example.com is your network domain
        • HTTP/omniscopeserver.example.com - Kerberos service principal name for SPNEGO
        • omniscopeuser - the dedicated SPNEGO user that has been created on the LDAP server
        • YourPassword - password of the dedicated SPNEGO user
        • RC4-HMAC-NT - cryptosystem to use when sending SPNEGO tickets
        • kvno - Key version number
      Obviously, LDAP/AD needs to have regular users defined, at least the users that are about to use Omniscope. For the purpose of this tutorial we will consider that there is a user clientA@example.com with password ClientPassword

    2. Omniscope server machine

      • Start Omniscope server
      • On Mobile Web Server service section click Config, scroll down to Default folder configuration and click Edit
      • Edit SPNEGO global settings, for principal name type:
        HTTP/omniscopeserver.example.com
        and edit the password for that LDAP account ('YourPassword')
      • Click OK to close editing SPNEGO global settings
      • Either create a new group with new permissions, or edit an existing group
      • Add a new authentication mechanism and choose SPNEGO mechanism
      • Make sure you add all user names for the users that will be allowed to authenticate automatically (e.g. clientA, no domain needs to be included in the name)
      • Click OK to close each dialog and click Save and apply to save the configuration
      • Omniscope server does not need to be restarted manually

    3. Client Machine - The browser has to be configured to use Single-Sign-On and trust omniscopeserver machine

      • For Internet Explorer

        • Open Internet Options
        • In the Security tab select Local intranet and click the Sites button - make sure all check boxes are selected:
          • Automatically detect intranet network,
          • Include all local intranet sites not listed in other zones,
          • Include all sites that bypass the proxy server,
          • Include all network paths


          Then click Advanced button and add the name of the omniscopeserver or the full name (with domain) as it is going to be used to access the omniscope server from the browser
          Note: The browser cannot use Single-Sign-On when accessing the omniscopeserver by IP instead of name, and the name has to be added to the zone
        • Click Close then OK to close the Local intranet dialogs
        • Click Custom Level... button, scroll down to User Authentication and select Automatic logon with current user name and password then click OK to close the dialog
        • In the Advanced tab of the Internet Options dialog scroll down to Security section and make sure Enable Integrated Windows Authentication option is selected. (It should be selected by default)
        • Click OK to close Internet Options dialog
        • Restart Internet Explorer
        • Test it: open http://omniscopeserver you should be able to use omniscope server if you have the right permissions (group permissions that you set up on Omniscope server)

      • Google Chrome
        • Google's Chrome browser shares the same configuration as Internet Explorer. Once the trusted URL is added in Internet Explorer, Chrome works with SPNEGO. Chrome does not have a configuration mechanism.

      • Mozilla Firefox
        • In the address bar type:
          about:config
          and search for trusted. The required key is a comma-separated parameter named network.negotiate-auth.trusted-uris - edit it to include 'omniscopeserver' as well.


    ]]>
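
    The guide above ends with "Test it: open http://omniscopeserver". The following is an added pre-flight check for the server side of that test; it is example code, not Visokio's or the forum poster's. It assumes the server answers an unauthenticated request with HTTP 401 and a WWW-Authenticate: Negotiate challenge (the standard SPNEGO handshake; the post does not document Omniscope's exact headers), and it flags the IP-literal case called out in the note, since browsers will not attempt Negotiate/Kerberos for an IP address. The default URL http://omniscopeserver/ is the host name used throughout the post.

```python
"""Pre-flight check for browser single sign-on (SPNEGO/Kerberos) against an
Omniscope server. Added example, not Visokio code. Assumption: the server answers
an unauthenticated GET with 401 and a WWW-Authenticate: Negotiate challenge."""
import ipaddress
import re
from http.client import HTTPConnection, HTTPSConnection
from urllib.parse import urlsplit

# A challenge scheme is a token at the start of the header value or directly
# after a comma; "key=value" parameters and base64 blobs never match this.
_SCHEME = re.compile(r"(?:^|,)\s*([A-Za-z][A-Za-z0-9._-]*)(?=\s|,|$)")


def host_is_ip_literal(url):
    """True when the URL names the server by IP address. Browsers do not try
    Negotiate/Kerberos for an IP literal, so SSO only works with the host name
    that was added to the intranet zone / trusted-uris."""
    host = urlsplit(url).hostname or ""
    try:
        ipaddress.ip_address(host)
    except ValueError:
        return False
    return True


def auth_schemes(headers):
    """Lower-cased schemes offered in WWW-Authenticate headers. `headers` is a
    list of (name, value) pairs as returned by HTTPResponse.getheaders(); the
    header may repeat or carry a comma-joined list of challenges."""
    schemes = set()
    for name, value in headers:
        if name.lower() == "www-authenticate":
            schemes.update(s.lower() for s in _SCHEME.findall(value))
    return schemes


def sso_readiness(url, status, headers):
    """Return a list of findings; an empty list means the server side looks ready."""
    findings = []
    if host_is_ip_literal(url):
        findings.append("URL uses an IP literal; use the server name that was added to "
                        "the browser's intranet zone / trusted URIs")
    if status != 401:
        findings.append("expected a 401 challenge for an unauthenticated request, got %d" % status)
    schemes = auth_schemes(headers)
    if "negotiate" not in schemes:
        findings.append("server does not offer Negotiate (offered: %s); check the "
                        "Kerberos/SSO settings on the server"
                        % (", ".join(sorted(schemes)) or "none"))
    return findings


def probe(url, timeout=5):
    """Send one unauthenticated GET and return (status, headers)."""
    parts = urlsplit(url)
    cls = HTTPSConnection if parts.scheme == "https" else HTTPConnection
    conn = cls(parts.hostname, parts.port, timeout=timeout)
    try:
        conn.request("GET", parts.path or "/")
        resp = conn.getresponse()
        return resp.status, resp.getheaders()
    finally:
        conn.close()


if __name__ == "__main__":
    import sys
    target = sys.argv[1] if len(sys.argv) > 1 else "http://omniscopeserver/"
    status, headers = probe(target)
    for line in sso_readiness(target, status, headers) or ["server-side SSO prerequisites look OK"]:
        print(line)
```

    Run it from a client machine with the same URL you will type into the browser; it only confirms that the server issues a Negotiate challenge for that name, so a clean result with a failing browser points at the client-side zone or trusted-uris settings, or at the SPN and group permissions on the server.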
    Security: Heartbleed bug CVE-2014-0160? http://forums.visokio.com/discussion/2521/security-heartbleed-bug-cve-2014-0160s Tue, 15 Apr 2014 13:54:37 -0400 donald 2521@/discussions
    http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-0160

    Visokio Omniscope
    We do not believe that Omniscope is affected by this vulnerability.

    Omniscope is written in Java and we have not received any reports that Java is affected by this vulnerability.

    We have tested Omniscope mobile server with external Heartbleed checkers and no vulnerability was reported.

    However, if you are presenting content hosted on Omniscope mobile server via a front end proxy or load balancer such as Apache or Nginx you should check the version of OpenSSL used on those products and take appropriate action. You are advised to do your own security and penetration testing.

    The main Visokio website, KnowledgeBase and Forums are using a version of OpenSSL that is NOT affected by this vulnerability.

    Downloads from our website are delivered through a third party content delivery network through http: and are not affected by this vulnerability.

    Our activation server is not affected by this vulnerability.

    Our alpha and staging test sites for our Omniscope mobile Alpha partners are not affected by this vulnerability.
    ]]>
    Security: Web Server SSL configuration http://forums.visokio.com/discussion/2358/security-web-server-ssl-configuration Mon, 30 Sep 2013 08:53:33 -0400 antonio 2358@/discussions keystore.jks.default).

    If you want to use your own fully validated SSL certificate, you need to configure the path and the password of the keystore file containing the certificate.

    To generate keys and certificates, follow one of these two guides:
    Generate a Self Signed Certificate using Java Keytool
    Generate a Trusted Certificate]]>
    Security: Overview of Omniscope file-based security options http://forums.visokio.com/discussion/2228/security-overview-of-omniscope-file-based-security-options- Thu, 04 Jul 2013 14:31:20 -0400 tjbate 2228@/discussions
    It is good practice to always time-limit IOK files containing important data. If the files fall into the wrong hands, even if they are unlocked and otherwise unsecured, the proprietary Omniscope encryption and compression should hold the unauthorised users off the data for a few days until the IOK file 'times out', at which point no one can gain access to the data, no matter how much hacking they employ (assuming you use the Omniscope option to set the files to confirm the date/time independently from an Internet source outside the machine running the file. If you don't use this option, time-limiting can be defeated by changing the system clock on the machine running the file).

    The best security is multiple, independent, layered security spanning both network/identity based, and file-based security. Omniscope permits file level security options to be added on top of network-based security to achieve multi-level security you can tailor. Omniscope file security options are outlined here:

    http://www.visokio.com/file-security

    Running analytics and reporting projects on instantly-available virtual, cloud-based, high-RAM machines makes a lot of sense, but many are reluctant to do this because they fear that their data in the cloud can be stolen. If you use an SQL database as the source in the cloud, this is much more likely than if you use a set of Omniscope IOK files as the source, provided you fully employ the range of layered independent security options Omniscope supports.]]>
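
    The post above contrasts confirming the date/time from an outside source with trusting the local system clock. The following is an added example, not Omniscope's own mechanism (the post does not describe its format), showing why that distinction matters and what an outside-source check needs: the time source signs the reader's fresh nonce together with its clock, so an old genuine answer cannot be replayed and the reader fails closed when no valid answer is available. The HMAC key and the in-process "authority" are stand-ins for a remote service; the check is still evaluated by whoever holds the file, which is why the post pairs it with network and identity controls.

```python
"""Expiry check for a time-limited file that does not rely on the local clock.
Added example illustrating the post's reasoning, not Omniscope code. The trusted
time source is simulated in-process with an HMAC key (constructed for the demo)."""
import hashlib
import hmac
import secrets
import time

AUTHORITY_KEY = b"example-key-not-for-production"  # stand-in for the remote signer's key


def authority_sign_time(nonce, now):
    """What the trusted time source returns: the caller's nonce bound to the
    authority's current time (seconds since the epoch), authenticated with HMAC.
    Binding the nonce is what stops an old, genuine token from being replayed."""
    payload = ("%s|%d" % (nonce, now)).encode()
    mac = hmac.new(AUTHORITY_KEY, payload, hashlib.sha256).hexdigest()
    return {"nonce": nonce, "time": int(now), "mac": mac}


def verified_time(token, expected_nonce):
    """Return the attested time, or None if the token is missing, malformed,
    forged, or was issued for a different nonce (replay)."""
    try:
        payload = ("%s|%d" % (token["nonce"], token["time"])).encode()
        expected = hmac.new(AUTHORITY_KEY, payload, hashlib.sha256).hexdigest()
        genuine = hmac.compare_digest(expected, token["mac"])
        same_nonce = hmac.compare_digest(str(token["nonce"]), str(expected_nonce))
    except (KeyError, TypeError, ValueError):
        return None
    if not (genuine and same_nonce):
        return None
    return int(token["time"])


def may_open(expires_at, token, nonce, require_trusted_time=True, local_clock=time.time):
    """Decide whether the file may still be opened.

    require_trusted_time=True is the "confirm the date/time from an outside
    source" mode: no valid token means no access (fail closed). With it False the
    check falls back to the machine's own clock, which anyone holding the file
    can set back."""
    now = verified_time(token, nonce)
    if now is None:
        if require_trusted_time:
            return False
        now = int(local_clock())
    return now < expires_at


if __name__ == "__main__":
    expires_at = int(time.time()) + 3600        # file is good for another hour
    nonce = secrets.token_hex(16)               # fresh and unpredictable per check
    token = authority_sign_time(nonce, time.time())
    print("fresh token     :", may_open(expires_at, token, nonce))
    print("replayed token  :", may_open(expires_at, token, secrets.token_hex(16)))
    token["time"] -= 7200                        # attacker edits the attested time
    print("tampered token  :", may_open(expires_at, token, nonce))
    print("no time source  :", may_open(expires_at, None, nonce))
    # Local-clock mode on an already expired file: setting the clock back wins.
    print("clock set back  :", may_open(expires_at - 7200, None, nonce, False,
                                        lambda: expires_at - 9000))
```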
    Deployment: WebStart - security issue? http://forums.visokio.com/discussion/1930/deployment-webstart-security-issues Thu, 29 Nov 2012 17:56:26 -0500 walsh 1930@/discussions
    Unsigned application requesting unrestricted access to system
    Unsigned resource: http://downloads.visokio.com/omni27...

    I don't pretend to understand the detailed message, but it contains the lines:

    <security>
    <all-permissions/>
    </security>

    which looks like the sort of thing that would give our IT Risk people a major problem. Is there really a requirement for "*all* permissions" on my machine?

    Edit 3rd Dec: I've spoken with some support people here and, although they weren't able to help directly, they mentioned that the "Unsigned" parts of the error message (newly highlighted above) may cause a problem with our systems here.

    Edit 5th Dec: Fwiw, the aforementioned "update of our desktop software" contained the following: Upgrade JRE to the new version 6u33]]>
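
    The question above turns on two things a risk review would want to see for a Web Start launch: the permission level the JNLP requests (`<security><all-permissions/></security>` is the "unrestricted access" the dialog warns about) and whether the referenced jars carry a signature. The following is an added example that checks both, not Visokio's code; the JNLP and jars in it are constructed fixtures with a placeholder codebase rather than the truncated URL in the post, and presence of a signature is not the same as verifying it, which needs jarsigner or the Java security APIs.

```python
"""Review a Java Web Start launch descriptor: report the permission level it
requests and whether each referenced jar carries a signature block.
Added example, not Visokio code; SAMPLE_JNLP and the jars are constructed."""
import io
import xml.etree.ElementTree as ET
import zipfile
from urllib.parse import urljoin

SAMPLE_JNLP = """<?xml version="1.0" encoding="utf-8"?>
<jnlp spec="1.0+" codebase="http://downloads.example.test/app" href="app.jnlp">
  <information><title>Example</title><vendor>Example</vendor></information>
  <security><all-permissions/></security>
  <resources>
    <j2se version="1.6+"/>
    <jar href="app.jar" main="true"/>
    <jar href="lib/extra.jar"/>
  </resources>
  <application-desc main-class="Main"/>
</jnlp>
"""


def jnlp_permissions(jnlp_xml):
    """'sandbox' (no <security>), 'all-permissions', or 'j2ee-application-client-permissions'."""
    root = ET.fromstring(jnlp_xml)
    sec = root.find("security")
    if sec is None:
        return "sandbox"
    for level in ("all-permissions", "j2ee-application-client-permissions"):
        if sec.find(level) is not None:
            return level
    return "sandbox"


def jnlp_jars(jnlp_xml):
    """Absolute URLs of every <jar> resource, resolved against the codebase."""
    root = ET.fromstring(jnlp_xml)
    codebase = root.get("codebase", "")
    base = codebase.rstrip("/") + "/" if codebase else ""
    return [urljoin(base, jar.get("href", "")) for jar in root.iter("jar")]


def jar_is_signed(jar_bytes):
    """A signed jar has META-INF/<NAME>.SF paired with a signature block
    META-INF/<NAME>.RSA, .DSA or .EC. Presence only; nothing is validated."""
    with zipfile.ZipFile(io.BytesIO(jar_bytes)) as zf:
        names = [n.upper() for n in zf.namelist() if n.upper().startswith("META-INF/")]
    sf = {n[:-3] for n in names if n.endswith(".SF")}
    blocks = {n.rsplit(".", 1)[0] for n in names if n.rsplit(".", 1)[-1] in ("RSA", "DSA", "EC")}
    return bool(sf & blocks)


def review(jnlp_xml, load_jar):
    """load_jar(url) -> bytes. Returns {'permissions': ..., 'jars': {url: signed}}."""
    return {
        "permissions": jnlp_permissions(jnlp_xml),
        "jars": {url: jar_is_signed(load_jar(url)) for url in jnlp_jars(jnlp_xml)},
    }


def make_jar(entry_names):
    """Build an in-memory jar with the given (empty) entries; fixture only."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name in entry_names:
            zf.writestr(name, b"")
    return buf.getvalue()


if __name__ == "__main__":
    fixtures = {
        "http://downloads.example.test/app/app.jar":
            make_jar(["META-INF/MANIFEST.MF", "META-INF/SIGNER.SF", "META-INF/SIGNER.RSA", "Main.class"]),
        "http://downloads.example.test/app/lib/extra.jar":
            make_jar(["META-INF/MANIFEST.MF", "x/Y.class"]),
    }
    result = review(SAMPLE_JNLP, fixtures.__getitem__)
    print("requests:", result["permissions"])
    for url, signed in result["jars"].items():
        print("signed  " if signed else "UNSIGNED", url)
```

    For a real descriptor, pass a loader that fetches each URL (for example with urllib) in place of the fixture dictionary; an all-permissions request backed by any unsigned jar is exactly the combination the dialog in the post refuses to run silently.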
    Security: How to share reports via Internet? http://forums.visokio.com/discussion/1209/security-how-to-share-reports-via-internets Fri, 13 Jan 2012 06:48:16 -0500 Kefsid 1209@/discussions
    Is it possible?]]>
    Security: Time limiting files? http://forums.visokio.com/discussion/717/security-time-limiting-filess Wed, 20 Apr 2011 12:27:20 -0400 Paul 717@/discussions
    Security: Domain locking from Desktop? http://forums.visokio.com/discussion/1058/security-domain-locking-from-desktops Thu, 20 Oct 2011 09:40:37 -0400 Kiddo29 1058@/discussions
    Quick one. I wanted to domain lock an IOK file, but in version 2.6 I can't seem to find an option for it. On your website it says for 2.5 to go to Save As and tick the box which says domain lock, but there isn't one in 2.6.

    Could you direct me to where this option is in 2.6 please?

    Thanks]]>
    Security: Owner-locked option is greyed out in Desktop version 2.6? http://forums.visokio.com/discussion/818/security-owner-locked-option-is-greyed-out-in-desktop-version-2.6s Tue, 14 Jun 2011 11:00:08 -0400 elitem 818@/discussions
    I go to File -> File Security -> and there's an option to Password Protect the file, or Owner-lock. The latter is greyed out.

    How can I lock the file?
    Thanks
    ]]>