<html>
<head>
<base href="https://docs.jboss.org/author">
<link rel="stylesheet" href="/author/s/en/2172/19/5/_/styles/combined.css?spaceKey=TEIID&forWysiwyg=true" type="text/css">
</head>
<body style="background: white;" bgcolor="white" class="email-body">
<div id="pageContent">
<div id="notificationFormat">
<div class="wiki-content">
<div class="email">
<h2><a href="https://docs.jboss.org/author/display/TEIID/Security+Guide">Security Guide</a></h2>
<h4>Page <b>edited</b> by <a href="https://docs.jboss.org/author/display/~shawkins">Steven Hawkins</a>
</h4>
<div id="versionComment">
<b>Comment:</b>
adding note about encrypting files<br />
</div>
<br/>
<h4>Changes (1)</h4>
<div id="page-diffs">
<table class="diff" cellpadding="0" cellspacing="0">
<tr><td class="diff-snipped" >...<br></td></tr>
<tr><td class="diff-unchanged" > <br>Encrypting remote source access is the responsibility for the resource adapter and library/driver used to access the source system. <br></td></tr>
<tr><td class="diff-added-lines" style="background-color: #dfd;"> <br>h3. Temporary Data <br> <br>Teiid temporary data which can be stored on the file system as configured by the BufferManager may optionally be encrypted. Set the {{buffer-service-encrypt-files}} property to true on the Teiid subsystem to use 128-bit AES to encrypt any files written by the BufferManager. A new symmetric key will be generated for each start of the Teiid system on each server. A performance hit will be seen for processing that is memory intensive such that data typically spills to disk. This setting does not affect how VDBs (either the artifact or an exploded form) or log files are written to disk. <br></td></tr>
</table>
</div> <h4>Full Content</h4>
<div class="notificationGreySide">
<p>The Teiid system provides a range of built-in and extensible security features to enable secure data access. This introduction provides a high-level guide to security concerns. The rest of the guide provides specifics on configuring clients, the Teiid server, and the application server.</p>
<h1><a name="SecurityGuide-Authentication"></a>Authentication</h1>
<h3><a name="SecurityGuide-ClientAuthentication"></a>Client Authentication</h3>
<p>JDBC/ODBC/Web Service clients may use simple passwords to authenticate a user.</p>
<p>Typically a user name is required, however user names may be considered optional if the identity of the user can be discerned by the password credential alone. In any case it is up to the configured security domain to determine whether a user can be authenticated. If you need authentication, the administrator must configure <a href="/author/display/TEIID/LoginModules" title="LoginModules">LoginModules</a> for Teiid.</p>
<div class='panelMacro'><table class='noteMacro'><colgroup><col width='24'><col></colgroup><tr><td valign='top'><img src="/author/images/icons/emoticons/warning.gif" width="16" height="16" align="absmiddle" alt="" border="0"></td><td>By default, access to Teiid is NOT secure. The default <a href="/author/display/TEIID/LoginModules" title="LoginModules">LoginModules</a> are only backed by file based authentication, which has a well known user name and password. We <b>DO NOT</b> recommend leaving the default security profile as defined when you are exposing sensitive data.</td></tr></table></div>
<p>Teiid JDBC/ODBC also supports <a href="/author/display/TEIID/Kerberos+support+through+GSSAPI" title="Kerberos support through GSSAPI">Kerberos</a> authentication with additional configuration.</p>
<p>Auto-generated web services, such as <a href="/author/display/TEIID/OData+Support" title="OData Support">OData</a>, for consuming Teiid typically support HTTPBasic authentication, which in turn should utilize <a href="#SecurityGuide-PassthroughAuthentication">Pass-through Authentication</a>.</p>
<h3><a name="SecurityGuide-SourceAuthentication"></a>Source Authentication</h3>
<p>Source authentication is generally determined by the capabilities of JCA resource adapters used to connect to external resources. Consult the AS JCA documentation for the capabilities of source pooling and supplied resource adapters for more information. Typically a single username/password credential is supported, such as when creating <a href="/author/display/TEIID/JDBC+Data+Sources" title="JDBC Data Sources">JDBC Data Sources</a>. In more advanced usage scenarios the <a href="/author/display/TEIID/Data+Source+Security" title="Data Source Security">source</a> and/or translator may be configured or customized to use an <a href="/author/display/TEIID/Statement+Extensions" title="Statement Extensions">execution payload</a>, the Teiid subject, or even the calling application subject via <a href="#SecurityGuide-PassthroughAuthentication">Pass-through Authentication</a>. See also <a href="/author/display/TEIID/Developing+JEE+Connectors" title="Developing JEE Connectors">Developing JEE Connectors</a> and <a href="/author/display/TEIID/Translator+Development" title="Translator Development">Translator Development</a></p>
<h3><a name="SecurityGuide-Pass%5CthroughAuthentication"></a>Pass-through Authentication</h3>
<p>If your client application (web application or Web service) resides in the same JBoss AS instance as Teiid and the client application uses a security domain, then you can configure Teiid to use the same security domain and not force the user to re-authenticate. In pass-through mode Teiid looks for an authenticated subject in the calling thread context and uses it for sessioning and authorization. To configure Teiid for pass-through authentication, change the Teiid security-domain name in the embedded "transport" section to the same name as your application's security domain name. This change can be made via the CLI or in the "standalone-teiid.xml" file if running in standalone mode. The security domain must be a JAAS based LoginModule and your client application MUST obtain its Teiid connection using a <a href="/author/display/TEIID/JBoss+AS+DataSource#JBossASDataSource-LocalJDBCConnection">Local Connection</a> with the <em>PassthroughAuthentication</em>=true connection flag set.</p>
<h1><a name="SecurityGuide-Authorization"></a>Authorization</h1>
<p>Authorization covers both administrative activities and data roles. A data role is a collection of permissions (also referred to as entitlements) and a collection of entitled principals or groups. With the deployment of a VDB the deployer can choose which principals and groups have which data roles. Check out <a href="/author/display/TEIID/Data+Roles" title="Data Roles">Reference Guide Data Roles</a> chapter for more information. Any source level authorization decisions are up to the source systems being integrated.</p>
<h1><a name="SecurityGuide-Encryption"></a>Encryption</h1>
<h3><a name="SecurityGuide-TeiidTransports"></a>Teiid Transports</h3>
<p>Teiid provides built-in support for JDBC/ODBC over <a href="/author/display/TEIID/Teiid+Server+SSL" title="Teiid Server SSL">SSL</a>. JDBC defaults to just sensitive message encryption (login mode), while ODBC (the pg transport) defaults to just clear text passwords if using simple username/password authentication.</p>
<p>The AS instance must be configured for SSL as well so that Any web services consuming Teiid may use SSL.</p>
<h3><a name="SecurityGuide-Configuration"></a>Configuration</h3>
<p>Passwords in configuration files are by default stored in plain text. If you need these values to be encrypted, please see <a href="http://community.jboss.org/wiki/maskingpasswordsinjbossasxmlconfiguration" class="external-link" rel="nofollow">encrypting passwords</a> for instructions on encryption facilities provided by the container.</p>
<h3><a name="SecurityGuide-SourceAccess"></a>Source Access</h3>
<p>Encrypting remote source access is the responsibility for the resource adapter and library/driver used to access the source system.</p>
<h3><a name="SecurityGuide-TemporaryData"></a>Temporary Data</h3>
<p>Teiid temporary data which can be stored on the file system as configured by the BufferManager may optionally be encrypted. Set the <tt>buffer-service-encrypt-files</tt> property to true on the Teiid subsystem to use 128-bit AES to encrypt any files written by the BufferManager. A new symmetric key will be generated for each start of the Teiid system on each server. A performance hit will be seen for processing that is memory intensive such that data typically spills to disk. This setting does not affect how VDBs (either the artifact or an exploded form) or log files are written to disk.</p>
</div>
<div id="commentsSection" class="wiki-content pageSection">
<div style="float: right;" class="grey">
<a href="https://docs.jboss.org/author/users/removespacenotification.action?spaceKey=TEIID">Stop watching space</a>
<span style="padding: 0px 5px;">|</span>
<a href="https://docs.jboss.org/author/users/editmyemailsettings.action">Change email notification preferences</a>
</div>
<a href="https://docs.jboss.org/author/display/TEIID/Security+Guide">View Online</a>
|
<a href="https://docs.jboss.org/author/pages/diffpagesbyversion.action?pageId=67240172&revisedVersion=6&originalVersion=5">View Changes</a>
|
<a href="https://docs.jboss.org/author/display/TEIID/Security+Guide?showComments=true&showCommentArea=true#addcomment">Add Comment</a>
</div>
</div>
</div>
</div>
</div>
</body>
</html>