How to restrict repository access to a client

Anuradha88
Anuradha88 Member
edited August 7, 2013 in Documentum #1

Hi All,

I need some information about restricting repository access to a client application. Suppose I use DA and Webtop to access a particular repository, and I want to restrict the DA's access to that repository. How can I prevent DA or any other application from accessing the repository?

Thanks & Regards,

Anuradha

Answers

  • PanfilovAB
    PanfilovAB Member
    edited August 3, 2013 #3

    You have two options:

    1. approved_clients_only flag in dm_docbase_config - read the Fundamentals Guide and the Administration and Configuration Guide about Privileged DFC
    2. application_access_control in dm_server_config - read Fundamentals Guide about Application access control tokens
  • Anuradha88
    Anuradha88 Member
    edited August 3, 2013 #4

    Thanks a lot. I will go through mentioned manuals.

  • Anuradha88
    Anuradha88 Member
    edited August 6, 2013 #5

    Hi,

    I have gone through these manuals. By setting the mentioned flags, how can we restrict a client application from accessing the repository? I didn't find any information about this in the manuals. In the manuals there are AAC (Application Access Control) tokens, using which we can restrict access. I have created this token, but I don't know how to use it to restrict access, or where to use the application id generated in the token. If you know about this, please reply.

    Regards,

    Anuradha    

  • PanfilovAB
    PanfilovAB Member
    edited August 6, 2013 #6


              I have gone through these manuals. By setting mentioned flags, how can we restrict a client application from accessing repository. I didn't find any information about this in manuals.

    The application (i.e. dfc) reads the available tokens from the dfc.tokenstorage.dir directory (dfc.tokenstorage.enable should be set to true) during the connection phase and sends the token to the server; if application_access_control is set to true and the target user is not a superuser, CS rejects authentication unless the received token is valid.


    Example:

    generating token:


    ]$ dmtkgen -username dmadmin -password secret -base dwh_rt -scope docbase
    Connecting to server for docbase dwh_rt
    Generating token
    Token generated successfully
    Disconnecting from docbase
    Writing token to file dwh_rt.tkn
    Successfully wrote token to file dwh_rt.tkn
    Token generation completed

    ]$ cat dwh_rt.tkn
    <token>
    <docbase>dwh_rt</docbase>
    <user></user>
    <scope>docbase</scope>
    <timeout></timeout>
    <appidhash>DA39A3EE5E6B4B0D3255BFEF95601890AFD80709</appidhash>
    <machineonly></machineonly>
    <tokendata>DM_TOKEN=AAAAAQAAAOQAAAACAAAAmFIApKZT4dgmAAAAOGR3aF9ydAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGR3aF9ydAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGRvY3U2N2RldjAxLnNpbmVyYS5yZW1vdGUAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAenNNeWhtaVN3a01teWRUa1Z4czN0aWpMcFBYc09ScmdHNFBZSkZpcDZYVmVXb3l4ckF5Ujl3PT0=</tokendata>
    </token>

    Checking that unprivileged user is able to connect:


    ]$ iapi
    Please enter a docbase name (docubase): dwh_rt
    Please enter a user (dmadmin): user1
    Please enter password for user1:

            EMC Documentum iapi - Interactive API interface
            (c) Copyright EMC Corp., 1992 - 2011
            All rights reserved.
            Client Library Release 6.7.1000.0027

    Connecting to Server using docbase dwh_rt
    [DM_SESSION_I_SESSION_START]info:  "Session 0101d92080065747 started for user user1."

    Connected to Documentum Server running Release 6.7.1150.0241HF  Linux.Oracle
    Session id is s0
    API>

    Enabling AAC:


    ]$ iapi
    Please enter a docbase name (docubase): dwh_rt
    Please enter a user (dmadmin):
    Please enter password for dmadmin:

            EMC Documentum iapi - Interactive API interface
            (c) Copyright EMC Corp., 1992 - 2011
            All rights reserved.
            Client Library Release 6.7.1000.0027

    Connecting to Server using docbase dwh_rt
    [DM_SESSION_I_SESSION_START]info:  "Session 0101d920800656ee started for user dmadmin."

    Connected to Documentum Server running Release 6.7.1150.0241HF  Linux.Oracle
    Session id is s0
    API> retrieve,c,dm_server_config
    ...
    3d01d92080000102
    API> set,c,l,application_access_control
    SET> T
    ...
    OK
    API> save,c,l
    ...
    OK
    API> reinit,c,
    ...
    OK
    API> Bye

    Now unprivileged user can't connect to repository:


    ]$ iapi
    Please enter a docbase name (docubase): dwh_rt
    Please enter a user (dmadmin): user1
    Please enter password for user1:

            EMC Documentum iapi - Interactive API interface
            (c) Copyright EMC Corp., 1992 - 2011
            All rights reserved.
            Client Library Release 6.7.1000.0027

    Connecting to Server using docbase dwh_rt
    [DM_SESSION_E_AUTH_FAIL]error:  "Authentication failed for user user1 with docbase dwh_rt."

    Could not connect

    Copying the token to dfc.tokenstorage.dir and checking again:


    ]$ cp dwh_rt.tkn /u01/documentum/dwh/shared/apptoken/
    ]$ iapi
    Please enter a docbase name (docubase): dwh_rt
    Please enter a user (dmadmin): user1
    Please enter password for user1:

            EMC Documentum iapi - Interactive API interface
            (c) Copyright EMC Corp., 1992 - 2011
            All rights reserved.
            Client Library Release 6.7.1000.0027

    Connecting to Server using docbase dwh_rt
    [DM_SESSION_I_SESSION_START]info:  "Session 0101d9208006574e started for user user1."

    Connected to Documentum Server running Release 6.7.1150.0241HF  Linux.Oracle
    Session id is s0
    API>
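A preflight check I would run on a .tkn file before copying it into dfc.tokenstorage.dir, as an added example that is not part of the original thread and not Documentum's own tooling. It parses only the XML envelope dmtkgen writes (the fields visible in the dwh_rt.tkn above) and leaves the opaque DM_TOKEN payload alone. One thing worth noticing in the quoted token: its appidhash, DA39A3EE5E6B4B0D3255BFEF95601890AFD80709, is the SHA-1 of the empty string, which is consistent with no application id having been supplied when the token was generated, and consistent with iapi (an arbitrary client) connecting successfully once the file is in place. Since the asker's goal is to restrict specific applications, the check treats an unbound token as an error. The sample token embedded below is constructed from the thread's output with tokendata shortened; expected_appidhash is compared as a string only, with no assumption about how dmtkgen derives it from the application id.

```python
"""Preflight checks for a Documentum AAC token envelope (added example)."""
import hashlib
import shutil
import xml.etree.ElementTree as ET
from pathlib import Path

# SHA-1 of the empty byte string.  The <appidhash> of the dwh_rt.tkn quoted in
# the thread equals this value, i.e. no application id is bound to that token.
SHA1_EMPTY = hashlib.sha1(b"").hexdigest().upper()

# Constructed sample modelled on the thread's dwh_rt.tkn (tokendata shortened).
SAMPLE_TOKEN = """<token>
<docbase>dwh_rt</docbase>
<user></user>
<scope>docbase</scope>
<timeout></timeout>
<appidhash>DA39A3EE5E6B4B0D3255BFEF95601890AFD80709</appidhash>
<machineonly></machineonly>
<tokendata>DM_TOKEN=AAAAAQAAAOQAAAACAAAAmFIApKZT4dgm...</tokendata>
</token>
"""


def _field(root, name):
    """Text of a direct child element, '' if absent or empty (<user></user>)."""
    el = root.find(name)
    return (el.text or "").strip() if el is not None else ""


def check_token(xml_text, expected_docbase, expected_appidhash=None):
    """Inspect a token envelope.

    Returns (errors, notes).  errors: the token should not be deployed.
    notes: restriction fields the envelope leaves empty; confirm that is intended.
    expected_appidhash: the <appidhash> you expect for the one application this
    token is for (e.g. copied from a token you generated for that application).
    """
    root = ET.fromstring(xml_text)
    if root.tag != "token":
        return ["root element is <%s>, not <token>" % root.tag], []
    errors, notes = [], []

    docbase = _field(root, "docbase")
    if docbase != expected_docbase:
        errors.append("docbase is %r, expected %r" % (docbase, expected_docbase))

    appidhash = _field(root, "appidhash").upper()
    if appidhash == SHA1_EMPTY:
        errors.append("appidhash is SHA-1 of the empty string: "
                      "token is not bound to any application id")
    elif expected_appidhash and appidhash != expected_appidhash.upper():
        errors.append("appidhash %s does not match the expected application" % appidhash)

    if not _field(root, "tokendata").startswith("DM_TOKEN="):
        errors.append("tokendata does not start with DM_TOKEN=")

    # Empty fields mean the envelope records no such restriction.
    for name, what in (("user", "user"), ("timeout", "expiry"), ("machineonly", "machine")):
        if not _field(root, name):
            notes.append("%s is empty: no %s restriction recorded in the envelope" % (name, what))
    return errors, notes


def deploy_token(tkn_path, tokenstorage_dir, expected_docbase, expected_appidhash=None):
    """Copy the .tkn into dfc.tokenstorage.dir only if check_token finds no errors.

    tokenstorage_dir is whatever dfc.tokenstorage.dir points at in dfc.properties
    (the thread's is /u01/documentum/dwh/shared/apptoken/; this is an assumption
    about your deployment, pass your own path).  Returns the destination Path.
    """
    src = Path(tkn_path)
    errors, notes = check_token(src.read_text(), expected_docbase, expected_appidhash)
    if errors:
        raise ValueError("refusing to deploy %s: %s" % (src.name, "; ".join(errors)))
    for n in notes:
        print("note:", n)
    dest = Path(tokenstorage_dir) / src.name
    shutil.copy2(src, dest)
    return dest


if __name__ == "__main__":
    errs, nts = check_token(SAMPLE_TOKEN, "dwh_rt")
    for line in errs:
        print("error:", line)
    for line in nts:
        print("note:", line)
```

Run against the thread's token, the script reports the unbound appidhash as an error and the empty user, timeout and machineonly fields as notes; a token generated for one application, checked with that application's appidhash, passes and can be copied into the token directory with deploy_token.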
  • Anuradha88
    Anuradha88 Member
    edited August 6, 2013 #7

    Hi,

    Thanks for the reply. But using your solution we can only restrict access for non-superusers. I want to restrict access for a client application like DA or Webtop, i.e. so that using these applications we cannot access the repository.

    Regards,

    Anuradha

  • PanfilovAB
    PanfilovAB Member
    edited August 6, 2013 #8

    So, what is the problem with privileged clients?

  • Anuradha88
    Anuradha88 Member
    edited August 6, 2013 #9

    Actually I am using a desktop application, 'Q-Transfer Lite', which accesses the repository. If I want to restrict this application from accessing the repository, how can I do that?

  • PanfilovAB
    PanfilovAB Member
    edited August 6, 2013 #10 Answer ✓

    1. You should define all your dfc clients (including JMS, the server's iapi, idql, etc.) and mark them as approved (in DA: Administration -> Client Rights Management -> Privileged Clients). It will be a challenge because by default dfc does not generate human-readable identifiers.

    2. Set the approved_clients_only flag in dm_docbase_config to true.

  • Anuradha88
    Anuradha88 Member
    edited August 7, 2013 #11

    Thanks a lot