Security considerations for IBM Rational Publishing Engine

You can take actions to ensure that your installation is secure, customize your security settings, and set up user access controls. You can also ensure that you know about any security limitations that you might encounter with this application.

Enabling security during the install process

If you are installing only the Document Studio or Launcher applications, no steps are required for enabling security during installation. If you are installing the remote services on an application server, you must complete steps to secure your server.
  • If you are using WebSphere® Application Server as your application server, several security settings, such as administrative security and application security, must be enabled when deploying Rational® Publishing Engine web applications. For more information, see Manually deploying the Remote services application on WebSphere Application Server.
    Warning: If you installed a WebSphere Application Server interim fix for PM44303 or a fix pack that contains PM44303, a potential security exposure exists with some versions of WebSphere Application Server. You must install a fix that is specific to your version of WebSphere Application Server and your operating system. For more information, see the Potential security exposure from IBM WebSphere Application Server impacts Rational Publishing Engine technote.
  • If you are using Apache Tomcat as your application server, no required security settings must be set, although you can choose to set up the SSL configuration. For more information, see the SSL Configuration How-To information for version 6.0 or version 7.0 on the Apache Tomcat website.
  • To learn more about how user names and passwords are stored, see the documentation for your application server.

After you deploy the Remote services application, you can choose whether to enter a secure or nonsecure URL for the remote document generation component in the client applications. The secure URL is included in the documentation in this information center. For more information, see Remote services URLs. If you choose nonsecure document generation, any user can view the generated output documents, even users who do not have access to the data in the data source.

Enabling secure communication between multiple applications

No additional configuration is required when you are running multiple applications on one server, because there is no direct communication between Rational Publishing Engine and the data source you are using. Rational Publishing Engine reads schema and data from the data source, but it does not alter that data, so no communication back to the data source is required.

Ports, protocols, and services

You can set up a proxy connection.

HTTPS transport port of the administrative console for the application server:
  • The default port for WebSphere Application Server is 9043.
  • The default port for Apache Tomcat is 8080.
HTTP transport port of the application server:
  • The default port for WebSphere Application Server is 9080.
  • The default port for Apache Tomcat is 8080, unless SSL is configured, in which case the port number is usually 8443.
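As an added illustration that is not part of the IBM documentation or the product, the following Tomcat 6/7 conf/server.xml fragment shows the plain HTTP connector on port 8080 beside an HTTPS connector on the usual SSL port 8443; the keystore file name and password are placeholders that you must replace with your own.

```xml
<!-- Constructed excerpt of conf/server.xml (Tomcat 6/7); not IBM's shipped file. -->
<Service name="Catalina">

  <!-- Nonsecure setting: plain HTTP on 8080. Requests and generated output
       cross the network unencrypted, so limit this connector to testing.
       redirectPort only takes effect when a web application declares a
       CONFIDENTIAL transport guarantee in its web.xml. -->
  <Connector port="8080" protocol="HTTP/1.1"
             connectionTimeout="20000"
             redirectPort="8443" />

  <!-- Secure setting: HTTPS on 8443 using the JSSE connector attributes.
       keystoreFile and keystorePass are placeholders; keep the real password
       out of world-readable files. -->
  <Connector port="8443" protocol="org.apache.coyote.http11.Http11NioProtocol"
             SSLEnabled="true" scheme="https" secure="true"
             sslProtocol="TLS" clientAuth="false"
             keystoreFile="${catalina.base}/conf/rpe-keystore.jks"
             keystorePass="REPLACE_WITH_KEYSTORE_PASSWORD"
             maxThreads="150" />

  <Engine name="Catalina" defaultHost="localhost">
    <Host name="localhost" appBase="webapps" unpackWARs="true" autoDeploy="true" />
  </Engine>
</Service>
```

After restarting Tomcat, enter the https://host:8443/... form of the Remote services URL in the client applications so that document generation uses the secure connector.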

Customizing your security settings

User names and passwords for the web applications are not created automatically. Rational Publishing Engine requires user names and passwords for connecting to the remote services, but not for using the Document Studio and Launcher client applications on your computer.

Data sources might require separate authentication for Rational Publishing Engine to access the data inside them. Verify the security of the data source and do not use untrusted data sources with Rational Publishing Engine. If your data source requires authentication, user names and passwords for data sources can be stored on the Rational Publishing Engine remote server, in document specification files, or in template files.

Passwords are encrypted in Rational Publishing Engine. When passwords are stored in template files and on the remote server, the characters are masked with bullets. When passwords are stored in document specification files, the characters are masked with bullets as they are being typed and are switched to asterisks after you move the cursor away from the value.

Templates or document specifications can be shared by either storing them in the Central Management component or by sending them through a method outside of Rational Publishing Engine. Before sharing a template or document specification, you must decide whether to keep or remove the user name and password from the files. In most situations, removing the user name and password from the file is recommended. Even if the password cannot be identified because it is encrypted, other users can still generate documents that might include data that those users are not otherwise permitted to see.

For more information about removing credentials from templates and document specifications, see Saving a document specification.

Setting up user roles and access

Rational Publishing Engine has roles for administrators and users of the remote services components, including Remote document generation, Central management system, Monitor & Control, and Report scheduling. An overview of the user roles is available in Configuring the Remote services application.

You can then set up the user roles and provide access to your users on your WebSphere Application Server or Apache Tomcat application server. Provide individual users with their own user name and password instead of sharing user names with a group of people. Individual user credentials ensure that users can access only the reports that contain data that they have permission to view.

Privacy policy considerations

This software offering does not use cookies or other technologies to collect personally identifiable information. For more information about cookies, see the Documentation notices for IBM Rational Publishing Engine.

Security limitations

  • Nonsecure document generation: If you do not choose secure document generation, any user can view the generated output.
  • Unsuccessful login attempts: Apache Tomcat does not lock out users after multiple unsuccessful attempts to log in.
  • Sharing templates and document specifications: If credentials are not removed from shared templates and document specifications, users can generate documents on data that they might not otherwise have permission to access.
  • Data source security: Data is secured by the application that stores it. Rational Publishing Engine does not secure data.
