Server Security

About #

This section is about restricting access to Xtract Universal/Board Connector’s built in web server to predefined users or user groups.
By setting access restrictions on the web server you ensure that only dedicated users can execute extractions.

There are two types of users and user groups, access can be restricted to.

• Windows AD users (Kerberos authentication)
• custom users (Basic authentication)

When access to the web server is restricted, Windows AD credentials or credentials of a custom user must be submitted when running an extraction.

Note: Submitting credentials for Basic Authentication is not supported by the SAP Data Reader of the Board Server (as of version 11.3).
Securing web access to extractions can be accomplished by using network level security methods e.g., firewalls.

Prerequisite: Activating TLS encryption #

Both types of access restrictions require accessing the web server through an https connection. This requires installation of an X.509 certificate. If the certificate is not listed in the Windows certificate store, install the X.509 certificate.

1. Navigate to the menu bar and select Server > Settings. Switch to the Web Server tab.
2. Depending on what type of user you want to restrict access to, select HTTPS - Restricted to AD users with Designer read access or HTTPS - Restricted to custom users with Designer read access.
3. Click the [Select X.509 certificate] button. The “Edit certificate location” window opens.
4. Select the X.509 certificate created for your machine under Local Machine > Personal.
5. Confirm with [OK]. The window closes.
6. Optional: Change the port number of the HTTPS port.

Restrict access to Windows AD users (Kerberos authentication) #

1. Assign a Windows service account under which the Xtract Universal/Board Connector service runs. See Running a service under a Windows service account.
2. Activate TLS encryption as outlined in Prerequisite: Activating TLS encryption.
3. Navigate to the menu bar and select Server > Settings. In the Web Server tab select HTTPS - Restricted to AD users with Designer read access.
4. Switch to the Configuration Server tab.
5. Add the custom users or groups that are allowed to execute an extraction to Access Management.
6. Assign at least Read permission to the Windows AD users.
7. Close all windows with [OK]
8. Restart the server when prompted.

Result: An extraction can only be executed, if the Windows AD credentials of the caller are passed on to the web server and the caller has at least Read access to the Designer.

Note: This type of authentication uses Kerberos authentication via SPNEGO. NTLM is not supported.

Restrict access to custom users (Basic authentication) #

1. Activate TLS encryption as outlined in the section Prerequisite: Activating TLS encryption.
2. Navigate to the menu bar and select Server > Settings. In the Web Server tab select HTTPS - Restricted to custom users with Designer read access
3. Switch to the Configuration Server tab.
4. Add the Windows AD users or groups that are allowed to execute an extraction to Access Management.
5. Assign at least Read permission to the custom users.
6. Close all Windows with [OK]
7. Restart the server when prompted.

Result: An extraction can only be executed, if the custom credentials of the caller are passed on to the web server and the caller has at least Read access to the Designer.

Running a service under a Windows service account #

When restricting access to Windows AD users, the Board Connector service must run under a dedicated service account. The procedure to run the Board Connector service under a Windows service account is the same as Running the Xtract Universal Service under a Windows Service Account.

---

Related Links

• User Management
• Access Management
• SPNEGO