Security

This topic provides information for configuring FME Server security. The instructions are written based on using the Web Admin Interface.

You must have the following prerequisites in place to use FME Server security:

FME Server Web Service Security Concepts

All web services, including the Web Connection (also known as the SOAP Service), support HTTP basic authentication and SSL.

Default Authentication and Authorization Provider

When security is enabled, the default authentication and authorization provider gives full integration with FME Server.

By default, all user and security information is stored in the FME Server repository database.

The FME Server security architecture is fully extensible and you can change it to other available authentication and authorization providers.

Client Identifier

Every web service has a client identifier that identifies the FME Server client calling context. For added security, you can also change the following property in the Web Service properties file:

SECURITY_CLIENT_ID

Property Files

Web service property files are generally found in the following location:

<TomcatDir>/webapps/<ServletName>/WEB-INF/conf/propertiesFile.properties

FME Server Client Security

All FME applications and components that access FME Server support providing user credentials such as username and password for authentication.

All clients also provide a client ID that’s used for authorization. Administrators can manage Resources using the Web Admin Interface.

FME Server Security Management

When security is enabled for FME Server, a Security tab shows on the Web Admin Interface. The Security web page is where administrators define permissions. The following hierarchy is in place:

Users

The Users page lets you create user accounts that you can then assign to Roles.

  1. Click the Users tab to open the Users Account web page. Click the Add New User button to open the New User Account dialog, shown next.
  2. Enter the Name for the new user as you want it to show on the web page and then enter the user’s Full Name in the appropriate field.
  3. Enter this user’s Password and then enter it again in the Confirm Password field.
  4. From the Available Roles list, select the role this user is assigned to and then click Add to add this available role to the Assigned Roles list.
  5. When you’re satisfied this information is correct, click OK. You’ll notice that the User Accounts list shows your new user was added as you indicated.

Roles

The Roles web page lets you create roles that can have Users assigned to them. You can also assign Roles to Resources.

  1. On the User Roles web page, click Add New Role to open the New Role dialog, shown next.
  2. Enter the Name for the new role.
  3. From the Available Users list, click your choice for users you’ll assign to this role and then click Add to add the available users to the Role Membership list.
  4. When you’re satisfied with your choices, click OK. You’ll notice on the User Roles web page that your new role was added as you assigned it.

Resources

The Resources web page lists all resources that access FME Server. Assigning a Role to a specific Resource means that all Users who belong to that Role have permission to access that Resource.

  1. On the Resources web page, scroll down to the bottom and click Add Resource to open the New Resource dialog, shown next.
  2. Enter the name for the new resource, then enter how you’d like it to show on the web page.
  3. Enter the appropriate Client ID. The Client ID must match the Client ID you defined in your application.
  4. Open the Category list and choose the correct category for this new resource.
  5. From the Available Roles list, click your choice and then click Add to add this available role to the Assigned Roles list.
  6. When you’re satisfied with your choices, click OK. On the Resources web page, you can see that your new resource was added to the category you assigned.

FME Server Role-based Transformations

During a transformation, Role information is also passed on to the FME Engines through the Transformation Manager as a published parameter. This means that it’s possible to create workspaces that do different things based on the User’s Role.

By default, the published parameter name is FME_SECURITY_ROLES, which is a space-separated list. You can change this name in the FME Server configuration file. The value of the FME_SECURITY_ROLES published parameter contains role information that can be fetched easily with the FME ParameterFetcher transformer in Workbench.

Enabling FME Server Security

The FME Server installer provides the option to enable or disable security. When you installed FME Server you were presented with an enable security prompt. If you clicked Yes, then FME Server is set up to support security.

When security is enabled, the Web User Interface and the Web Administrator User Interface have login and logout capabilities. Also, a Security tab shows on the Web Admin Interface, which is used to administer security.

There are several levels of security you can use on FME Server:

Manually Enabling FME Server Security

To manually enable FME Server security, set the ENABLE_SECURITY option to true in the following configuration files:

Enabling FME Server SSL Support

There are two steps required to enable SSL support.

Modifying Service URLs to use HTTPS

To enable SSL for a service, open the FME Server Web Admin Interface, click the Services tab and select the desired service in the table as shown below:

Then click the Configure button to bring up the Service Definition dialog as shown below:

In the dialog's URL field change http to https and modify the port number if required. Typically SSL is configured on either port 8443 or 443.

Enabling SSL on the Application Server

Instructions for setting up SSL vary by application server. The following example provides steps for setting up SSL for Apache Tomcat 6, using self-signed certificates.

For development and testing purposes, self-signed certificates are supported. For production use, it’s recommended you use SSL certificates from a verified SSL Certificate Authority.

For any https (SSL) page, a certificate is absolutely necessary. First, you’ll learn how to generate a keystore that contains a certificate chain using the keytool command from the Java Development Kit (JDK). Therefore, you must have the JDK installed to use the keytool command.

To set up SSL for Apache Tomcat 6 using self-signed certificates, follow these steps:

  1. Open the command prompt.
  2. Type the following command:

     keytool -genkey -alias tomcat -keyalg RSA

     If your path is not set to the Java bin directory, please go there and then type the appropriate command.

  3. Next you’re prompted for a keystore password. Type changeit. You can give the keystore password a different value, however, if you do you’ll have to make some changes later.
  4. Enter the required details, shown next:
  5. Next you’re asked to provide the alias password, which must be the same as the keystore password (see step 3).
  6. A keystore is generated in the following location: <drive>:\Documents and Settings\<username>\.keystore where in this example <drive> is C: and <username> is hnguyen.
  7. Copy the .keystore file and paste it somewhere in the Tomcat directory, and then provide the path. Don’t forget to change this path. In server.xml the keystore file value is the full path.
  8. Now, add the following code into the <TomcatDir>\webapps\conf\server.xml file, below the <Service name="Catalina"> element (note that Tomcat attribute names are case-sensitive, so maxThreads must be written exactly as shown):

     <Connector protocol="org.apache.coyote.http11.Http11Protocol"
                port="443" minSpareThreads="5" maxSpareThreads="75"
                enableLookups="true" disableUploadTimeout="true"
                acceptCount="100" maxThreads="200"
                scheme="https" secure="true" SSLEnabled="true"
                keystoreFile="C:\Program Files\Apache Software Foundation\Tomcat 6.0\conf\.keystore"
                keystorePass="changeit"
                clientAuth="false" sslProtocol="TLS" />

     Note: You may need to change the path for keystoreFile depending on your Tomcat installation.

  9. In the Apache Tomcat’s server.xml file change the Listener className line (found at the beginning of the file) to how it’s written below:

     <Listener className="org.apache.catalina.core.AprLifecycleListener" SSLEngine='off' />

  10. Your configuration is complete so save the server.xml file.
  11. Restart your Tomcat application.
  12. Open a browser and navigate to https://localhost. This should show you the same Tomcat home page, but in a secured format.
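As an added check (not part of Safe Software's documentation), the following Python script parses a server.xml fragment like the one above and reports the connector settings a reviewer would look at: the scheme/secure/SSLEnabled flags agreeing, the keystore password still at keytool's default, and attribute names that Tomcat silently ignores because of a case mismatch. The sample document, the KNOWN_ATTRS set and the finding messages are constructed for this example.

```python
import xml.etree.ElementTree as ET

# Connector attributes used on this page. Tomcat matches attribute names
# case-sensitively, so a misspelling such as "maxthreads" is silently ignored.
KNOWN_ATTRS = {
    "protocol", "port", "minSpareThreads", "maxSpareThreads", "enableLookups",
    "disableUploadTimeout", "acceptCount", "maxThreads", "scheme", "secure",
    "SSLEnabled", "keystoreFile", "keystorePass", "clientAuth", "sslProtocol",
}

def check_ssl_connectors(server_xml: str) -> list:
    """Return findings for every HTTPS connector in a server.xml document."""
    findings = []
    for conn in ET.fromstring(server_xml).iter("Connector"):
        a = conn.attrib
        if a.get("SSLEnabled") != "true" and a.get("scheme") != "https":
            continue  # plain HTTP connector, not in scope
        port = a.get("port", "?")
        # scheme, secure and SSLEnabled must agree; otherwise Tomcat builds
        # redirects and request.isSecure() answers for the wrong scheme.
        for flag, expected in (("scheme", "https"), ("secure", "true"), ("SSLEnabled", "true")):
            if a.get(flag) != expected:
                findings.append(f"port {port}: {flag} should be {expected!r}")
        if a.get("sslProtocol", "TLS") != "TLS":
            findings.append(f"port {port}: sslProtocol should be TLS")
        if not a.get("keystoreFile"):
            findings.append(f"port {port}: keystoreFile is not set")
        if a.get("keystorePass") == "changeit":
            findings.append(f"port {port}: keystorePass is the keytool default 'changeit'")
        for name in a:  # document order, so findings are deterministic
            if name not in KNOWN_ATTRS:
                hint = next((k for k in KNOWN_ATTRS if k.lower() == name.lower()), None)
                suffix = f"; did you mean {hint!r}?" if hint else ""
                findings.append(f"port {port}: unknown attribute {name!r} is ignored{suffix}")
    return findings

# Constructed sample: the page's connector with a misspelled attribute and the
# default keystore password left in place.
SAMPLE_SERVER_XML = """<Server><Service name="Catalina">
  <Connector port="8080" protocol="HTTP/1.1" />
  <Connector protocol="org.apache.coyote.http11.Http11Protocol"
             port="443" acceptCount="100" maxthreads="200"
             scheme="https" secure="true" SSLEnabled="true"
             keystoreFile="C:/Tomcat 6.0/conf/.keystore" keystorePass="changeit"
             clientAuth="false" sslProtocol="TLS" />
</Service></Server>"""

if __name__ == "__main__":
    for finding in check_ssl_connectors(SAMPLE_SERVER_XML):
        print(finding)
```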

Advanced FME Server Security Configurations

The information in this section covers more advanced security configuration topics.

Deploying an FME Server Site with Secured and Unsecured Web Services

You can configure FME Server so that some web services require user credentials and others do not. For example, you may want to allow open access to the Data Download service, but restrict access to the Data Streaming service. This capability is possible because each web service contains a trusted user account that you can change in the service’s properties file.

If the trusted user account is granted access to FME Server, then users do not need to provide user credentials.

To enable a trusted user account for one of your services and, therefore, allow unauthenticated users access to FME Server, follow these steps:

  1. Access the Web Admin Interface, click the Security tab and then the Users Accounts tab.
  2. Create a user account that will be used as a trusted account.
  3. Click the User Roles tab and decide on an existing role or create a new one that is to be assigned to the desired service.
  4. Assign the role determined in Step 3 to the desired service. Click the Resources tab and locate the service in the Services section of the table. Select the service by clicking on its entry and click the Configure button to bring up the configuration panel. In the Assigned Roles table select the role in the left column, click Add then OK.
  5. Make the trusted user account created in step 2 a member of the role determined in step 3. Click the User Roles tab and locate the role in the table. Select the role by clicking on its entry and click the Configure button to bring up the configuration panel. In the User Membership table select the trusted user in the left column, click Add then OK.
  6. Add the trusted user account to the service’s properties file. Each FME Server service has a properties file associated with it, found here:

     <WebAppDir>/<serviceName>/WEB-INF/conf/propertiesFile.properties

     For example, if you are using Apache Tomcat as your application server and want to provide unsecured access to the Data Download service, the properties file may be found in a path like this:

     C:/Program Files/Apache Software Foundation/Tomcat6.0/webapps/fmedatadownload/WEB-INF/conf/propertiesFile.properties

     There are two properties in the file that you need to change:

  7. Redeploy the service whose properties you just changed. Either restart your servlet engine or redeploy the specific servlet for the service.

Using the FME Token Service

The FME Token Service is a new service that enables users to be authenticated in order to fully use the FME REST API. It is recommended that users apply a similar level of security to any service involving tokens as they would with HTTP basic authentication, for example by using HTTPS/SSL.

Creating a token

A token can be created by using the web form found at http://<host>:<port>/fmetoken/

Upon authenticating the username and password, a token will be created that is valid for the specified duration.

An alternative method is to send a POST request to http://<host>:<port>/fmetoken/generate with the same parameters.

Using a token

A token that has been created can be used by sending it as a parameter in an HTTP request. For example:

http://localhost/fmerest/repositories.html?token=<token>
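As an added example (not code from Safe Software or the FME REST API), the following Python helpers build the /fmetoken/generate POST and a token-bearing REST URL while refusing plain HTTP unless the caller opts in, and mask the token before a URL is written to a log. The form field names user, password, expiration and timeunit, the host names and the sample token are assumptions; the page only says the POST takes the same parameters as the web form.

```python
from urllib.parse import parse_qsl, urlencode, urlsplit, urlunsplit

def _require_https(url: str, allow_http: bool) -> None:
    """Refuse to put a password or token on the wire over plain HTTP unless the caller opts in."""
    scheme = urlsplit(url).scheme.lower()
    if scheme != "https" and not (allow_http and scheme == "http"):
        raise ValueError(f"refusing to send a credential over '{scheme}'; use https")

def build_generate_request(base_url, user, password, expiration=1, timeunit="hour", allow_http=False):
    """Return (url, form_body) for a POST to <base>/fmetoken/generate.
    The field names user, password, expiration and timeunit are assumed here;
    the documentation only says the POST takes the same parameters as the web form."""
    _require_https(base_url, allow_http)
    url = base_url.rstrip("/") + "/fmetoken/generate"
    body = urlencode({"user": user, "password": password,
                      "expiration": expiration, "timeunit": timeunit})
    return url, body

def build_rest_url(base_url, path, token, allow_http=False):
    """Append token=<token> to a REST call, e.g. /fmerest/repositories.html?token=..."""
    _require_https(base_url, allow_http)
    return base_url.rstrip("/") + "/" + path.lstrip("/") + "?" + urlencode({"token": token})

def redact_token(url: str) -> str:
    """Mask the token value before logging a URL; query strings otherwise land
    verbatim in access logs, proxies and browser history."""
    parts = urlsplit(url)
    query = [(k, "REDACTED" if k == "token" else v)
             for k, v in parse_qsl(parts.query, keep_blank_values=True)]
    return urlunsplit(parts._replace(query=urlencode(query)))

if __name__ == "__main__":
    # Constructed values: host, user and token are placeholders.
    print(build_generate_request("https://fme.example:8443", "alice", "secret"))
    print(redact_token(build_rest_url("https://fme.example", "fmerest/repositories.html", "abc123")))
```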

Safe Software Inc. www.safe.com