Security Options
Top  |
|
System Configuration |
Content |
||||||||||||||||||||||||
|
Security Options |
|
|
| Option | Description | ||||||||||||||
| Max Logon Attempts | Indicates the maximum number of times a user can incorrectly enter a password before the account is disabled. | ||||||||||||||
| Max logon attempts before cooldown |
Indicates the number of times a user can incorrectly enter a password before their account begins to require a longer wait time between successive attempts (cooldown period). Each failed attempt extends the wait time up to the "Max cooldown time" or until the "Max Logon Attempts" is reached. Cooldown time gets reset if forgot password is used. Cooldown time is reset if user is enabled by a system administrator on the user list page. This number should be less than the "Max Logon Attempts" in order to activate this feature. Ecample of a user account that has entered the cooldown period as seen from the User List page:
|
||||||||||||||
| Max cooldown time | Indicates the maximum cooldown time in seconds. | ||||||||||||||
| Log Successful Logons | Determines if a log is generated each time a user successfully logs in. Log entries are generated in the Tracelog table. | ||||||||||||||
| Log Logon Failures | Determines if a log is generated each time a user fails a login attempt. Log entries are generated in the Tracelog table. | ||||||||||||||
| Disable Legacy Session Tracking | Determines if an audit record is generated for every successful logon attempt. This is disabled by default. | ||||||||||||||
| Password Expiry Warning | Determines the number of days before a password expires that a user is notified of the pending password expiry. | ||||||||||||||
| Password Expiry Days | Used to determine the new expiry date of a password after is has been reset by the system. An absolute expiry date for a password can be set in user maintenance. | ||||||||||||||
| Disable User on Password Expiry | Determines if the user is disabled when the password expires. | ||||||||||||||
| Case Sensitive Passwords | Determines if User and Custodian passwords are case-sensitive:
|
||||||||||||||
| Default Password | Determines the default password when a new user is created by copying another or when using a template. If this value is not populated, LabVantage will assign a random password for the administrator to alter after the new account has been saved. The value you enter here is not checked against your password validation rules. Make sure any value you enter for this default will conform to your password complexity rules or new accounts created by a template or through a copy will generate an error thus blocking the creation of such accounts. | ||||||||||||||
| Disable Electronic Signature | Determines if all ESig dialogs configured and called from
buttons on the advancedtoolbar Element are globally disabled. This overrides
all button configurations, i.e., ESig dialogs will not be shown even if
a button is configured with ESig required. In the OOB configuration, the
default is set to "No" (meaning "do not disable").
The following ESig configurations are not affected by this property:
|
Automation Options |
|
|
Poll and Scheduling Options |
These options configure the pollers that are created on the LAM to poll the ToDo List. For an overview of the automation system, see Concepts of Actions → Action Processing.
| Option | Description | ||||||
| ToDoList Poll Interval | Time interval (in seconds) that an automation engine will poll the ToDo List to process awaiting Event Triggers (Actions or other events awaiting execution). This setting defines the maximum delay after adding a todolist entry and a dormant automation server waking up. This should be on the order of 1-10s, depending on the responsiveness of the automation engine required. | ||||||
| ToDoList Processors | Number of threads per server that can simultaneously process Actions from the ToDo List. For example, a LabVantage installation with a load balancer in front of two LIMS serves will run a total of 20 threads when this number is set to 10. Setting this value too low may result in poor performance and scalability. The default is 10. Entries on the ToDoList are NOT guaranteed to get executed (i.e. complete) in the order in which they were added in a multi-threaded or multi-server environment. To address this, "ToDoList Groups" are available. | ||||||
| ToDoList Buffer | Time interval in milli-seconds. When processing a backlog of todolist entries, this slight delay allows for threads to get synchronized before grabbing more entries to process. Setting this value >0 reduces the number of singleton 'next entry' requests. If set to zero, the perpetual poller will fetch the next todolist immediately after the last one completes. This may lead to a spike in todolist selects. Setting this to non-zero introduces a dampening affect to allow multiple threads to complete before fetching the next number of waiting items. | ||||||
| ToDoList Logging | Yes or No. Yes enables database-level logging in the todolistlog table. Note that log entries here are only retained for 14 days. These logs can only be viewed using a query (or report) against the database. | ||||||
| Task Poll Interval | Time interval (in seconds) that the Task table (in the database) is polled. At poll time, the Task is transferred from the Task table to the ToDo List. The default is 60 seconds. If you are not using scheduled Tasks, you should set this interval to zero.
Tasks are pre-scheduled up to the next Task Poll Interval. For example, if you schedule a Task to occur every minute, you can set the Task Poll Interval to poll every 5 minutes. At poll time, 5 Tasks are transferred to the ToDoList. One Task will be due immediately, while the remaining four Tasks will be due one minute apart. In this case, you would set the ToDoList Poll Interval to 60 seconds. |
||||||
| Schedule Poll Interval | Time interval (in seconds) that the Event Scheduler and the Task Executor poll (query) the SchedulePlanItem table to determine if any Events must be generated or any Tasks are scheduled to be run (see Polling in the Scheduler). Set this to zero if you are not using the Scheduler. | ||||||
| Timeout Poll Interval | Time interval (in seconds) that LabVantage
checks to see if the current user should be logged off. The default is 60
seconds.
|
||||||
| Default Scheduler Execute Ahead | Default period ahead of the Schedule Date that Scheduled Tasks are executed. In general, this is explicitly defined in a Schedule Plan (see Scheduler Principles). |
Server Ping Options |
These options determine how long an active LabVantage server is registered in the Admin database based on monitoring conducted by the LabVantage Automation Manager. For an overview of the automation system, see Concepts of Actions → Action Processing.
| Option | Description |
| Sever Ping Interval | Each LabVantage server will update the Admin database to indicate that it is still alive once during each "Server Ping Interval" (specified in seconds). |
| Server Latency | Any LabVantage server that has not pinged the Admin database during the "Server Latency" period (in seconds) will be removed from the Admin database. This should be set to approximately three times the "Server Ping Interval". |
| Poll Server Commands | Frequency with which servers in a cluster check to see if there are any notifications or cache reset commands sent from other servers. |
Housekeeping Settings |
These options determine when unwanted or unnecessary data are removed.
| Option | Description |
| WebPage History Retention Time | Time period (in days) LabVantage retains the history of Web pages accessed by a user. Set to zero to disable. |
| Bulletin Retention Time | Time perios (in days) LabVantage retains a copy of Bulletins stored in the database. Set to zero to disable. Reducing this may improve system performance. |
| Connection Log Retention Time | Time period (in days) LabVantage retains the Connection Log of all connections made to the LabVantage server. Set to zero to disable. |
| Department Assignment History Retention Time | Time period (in days) LabVantage retains the Department Assignment History. Set to zero to disable. |
User Options |
|
|
Logon Options |
| Option | Description |
| Default Language | The default language for all users of the system. This option can be overridden at the user level. |
Business Objects Options |
These are global (system-wide) defaults for connecting to Business Objects (BO). User (user-specific) overrides can be defined at the user level (see User Profile in Users and Roles).
| Option | Description | ||||||||
| BO URL | URL for accessing BO Web Services. | ||||||||
| BO CMS Name | Name of the CMS process. | ||||||||
| BO Username | Current user's username to access the Business Objects server. | ||||||||
| BO Password | Current user's password to access the Business Objects server. | ||||||||
| BO Authentication Type | Defines how the BO CMC server authenticates a user. Possible
values:
|
||||||||
| BO Root Folder Name | Name of the Business Objects root folder. | ||||||||
| BO Connection Timeout (Seconds) | Connection timeout (in seconds) for closing idle connections
to the Report Server.
|
||||||||
| BO Crystal Date Format | Date format to use for BO Crystal Reports (defaults to MM/dd/yyyy H:m:ss a). | ||||||||
| BO Desktop Date Format | Date format to use for BO Desktop Reports (defaults to MM-dd-yyyy H:m:s). | ||||||||
| BO Webi Date Format | Date format to use for BO WebI Reports (defaults to MM-dd-yyyy H:m:s). | ||||||||
| Test Connection | Establishes a connection to the BO server and tests the
BO-LabVantage connection and configuration. If successful, displays a message
such as:
Here is an example of what an unsuccessful test might yield:
|
Animation Options |
These enable/disable the user interface animations:
| Property | Description |
| Enable Menu Animations | Yes/No enables/disables the specified animations. |
| Enable Fade-in & Fade-out Animations | |
| Enable Resize-in & Resize-out Animations |
Notification Options |
These specify default notification formats:
| Property | Description |
| Notifications Format | Default format (Email or Bulletin) used by the SendBulletin Action to send notifications. |
Logging and Stats Options |
|
|
Logging Overview |
|
|
Log Generation Options are defined in the LABVANTAGE_HOME\applications\APPLICATION_HOME\labvantagelogging.props file. LabVantage provides a Log Generation Interface that lets you choose these options and thereby determine how this file is populated. LabVantage outputs messages to these logs according to the chosen options:
| Log | Contents | Location |
| LabVantage Log | All messages (can be filtered to log only specific types of messages). | LABVANTAGE_HOME\applications\APPLICATION_HOME\logs\labvantage.log |
| Error Log | Errors (also logged in the LabVantage Log). | LABVANTAGE_HOME\applications\APPLICATION_HOME\labvantage_errors.log |
| Startup Log | LabVantage Startup information (also logged in the LabVantage Log). | LABVANTAGE_HOME\applications\APPLICATION_HOME\labvantage_startup.log |
| Security Violations Log | All security violations generated by the RejectRequest filter (also logged in the LabVantage Log). | LABVANTAGE_HOME\applications\APPLICATION_HOME\labvantage_securityviolations.log |
| Statistics/Thread Log | Statistical information concerning various LabVantage operations. | There is no log file for this. Statistics are displayed in System Admin → Monitoring → Performance Statistics. |
Access the Log Generation Interface interface through System Admin → Configuration → System Configuration → Logging and Stats Options. The options below are provided for generating logs. Each can be enabled/disabled.
Choose a Logging Type |
| Option | Description | |||
| Custom Logging Configuration | If you are familiar with log4j, choosing "Custom" lets you write your own logging file by editing the labvantagelogging.props file and managing it yourself. | |||
| Managed Logging Configuration | If you are not familiar with log4j, choosing "Managed" provides an interface to define logging options. Your choices are used to automatically populate the labvantagelogging.props file. If you choose this option, make certain you backup any custom logging files that have been created. | |||
| Separate these databases into their own logs | When enabled, logging is directed to a log for a specific database. Provide a Comma-separated list of databases. Each listed database will have its own logs.
Log files are labelled Labvantage.[databaseid].log. STARTUP log entries will be duplicated into these database-specific logs. |
LabVantage uses the following log file format:
%-23d %-5p [#%X{threadid}] %-30X{logcontext} : %m%n
| NOTE: | The Log File Viewer provides a convenient method of downloading LabVantage log files, as well as a set of tools to parse and analyze the logs. |
| NOTE: | The Log File Viewer relies on the log file format shown above. If custom logging changes this format, the Log File Viewer may not work (including Snapshotting). |
Diagnostic Logging |
| Option | Description |
| Create Diagnostic Log for: |
Create a Log file for a specific class of entry-point. Choose the entry-point class in the dropdown. This creates the log file labvantage.diag.log (or labvantage.[databaseid].diag.log). This logs entire thread durations, but filters by specified classes of entry-points (according to the selection in the dropdown). For example, if you are working on an enhancement to RESTful WebServices, you can enable a diagnostic log that specifically logs threads that are initiated by a RESTful web-service call (and everything down-steam).
Selecting "For User" allows logging for a specific User. When selected a dropdown is provided where you can select a User.
To help read a diagnostic log a physical break is added when switching between diagnostic modes. |
Log Options |
|
| LabVantage Log |
Filter levels for the LabVantage Log:
| Level | Items Logged | Comments |
| Error | Error messages only. | Minimizes logging when LabVantage is idle. |
| Info | Information messages only. | Minimizes logging when LabVantage is idle. |
| Debug | Debug messages only. | Causes log file to rapidly increase in size. |
| All | All of the above. |
| NOTE: |
Action properties are truncated at 2000 characters in the property block of the Labvantage Log (below) unless the level is set to "Debug". INFO [#325] ACTIONSERVICE:++++++++++ Processing Action AddSDI for [database|(system)123456] |
Log file generation methods:
| Method | Description |
| Rolling | Grows to the specified Maximum Size ("Max Size"), then rolls over into the specified number of Backup files ("Backups"). |
| Daily (or date-based) | Rolls over into backup files based on the specified "Date Pattern". |
| Continuous | Grows unchecked... unless "Reset file on startup" is set, and a restart occurs. |
| Error Log |
Log file generation methods:
| Method | Description |
| Rolling | Grows to the specified Maximum Size ("Max Size"), then rolls over into the specified number of Backup files ("Backups"). |
| Daily (or date-based) | Rolls over into backup files based on the specified "Date Pattern". |
| Continuous | Grows unchecked... unless "Reset file on startup" is set, and a restart occurs. |
| Startup Log |
Startup files are recreated each time LabVantage is started. You can retain the specified number of "Backups" (each is dated).
| Method | Description |
| Enable | Generates the startup log, which contains all startup messages output by LABVANTAGE. See Logging Overview for file locations. |
| Backups | Number of dated backup files to be retained. |
| Security Violations Log |
These options are available for logging security violations.
| Method | Description |
| Enable | Generates the security violations log, which contains all violations generated by the RejectRequest filter. See Logging Overview for file locations. |
| Log SQL Snippets | Enabling this allows the RejectRequest filter to log potential SQL snippets found in requests. This is helpful for finding embedded SQL or SQL snippets that may require obfuscation or special handling. |
| Statistics/Thread Log |
This offers options to enable gathering of statistics and thread logs at the respective debug level.
| Option | Description |
| Enable | Enabling this displays statistics System Admin →
Monitoring → Performance Statistics.
After changing this setting, you must restart the Application Server in order for the change to take effect. |
| Log Trace | Enabling this provides additional entries at the trace level. |
| Snapshot Folder |
You must set this before using the Log File Viewer.
| Option | Description |
| Snapshot Folder | Specify a snapshot folder if you wish to use the Log File Viewer. In a clustered environment, ALL nodes in the cluster should point to the same folder. In a non-clustered environment, consider setting this value to APPLICATION_HOME/snapshots. |
Additional Logging Information |
| • | Log files contain the ConnectionId against most messages at the Info and Error level (and where possible for other logging levels). This is truncated to show only the last 13 (unique) digits to facilitate tracing a user request. |
| • | The logger name display reflects where the logging originated. |
| • | Web component logging (servlets and tags) is in the LabVantage Log to facilitate tracing a user request. |
LabVantage Logging API |
The sapphire.util.Logger class is the standard (public) Java API for LabVantage Logging.
| When working in... | This is available... |
| Java classes |
In Java code, the "logger" variable in sapphire.util.Logger is available and exposed throughout the LabVantage APIs as a variable in the code. For example, in BaseAction, there is a database object available to provide database access the database. Similarly, there is also a logger object available, e.g., logger.info( "some information" ); // Logs some information or logger.error( "found an error", e ); // Prints the error stack trace in the LabVantage Log Note that if you pass an exception into logger.stackTrace, it will go to the LabVantage Log rather than system.out. |
| JSPs | In Java scriptlets within the <sapphire:page> tag (JSPs), the logger variable is explicitly exposed within the tag. |
In addition to these implicit (available and exposed) logger objects, sapphire.util.Logger also contains static methods. In cases where the implicit logger object is not exposed, you can use these (or create your own instance of the Logger class).
|
Configuration Transfer Options |
|
|
These apply to the Configuration Transfer Tools:
| Property | Description | ||||||||
| Checksum processing | Controls how checksum information in files is handled:
|
||||||||
| Import processing | Controls how the import of files is logged:
|
||||||||
| Default export directory | Default export directory when exporting data. | ||||||||
| Default import directory | Default import directory when importing data. |
API Options |
|
|
Custom Business Rules (SDC Rules) |
This specifies the package that contains custom SDC Rules. See CreatingSDCRules for details regarding package registration.
Custom SQL Register |
SQLRegister is a security measure to help prevent execution of SQL passed from the client. If you have implemented a custom SQL register class, you must specify the full Java class name here (including the package).
To register the SQL, write a custom SQL register class that extends sapphire.ext.BaseSQLRegister. An example is shown below.
|
/** *Example custom SQLRegister */ public class MySQLRegister extends BaseSQLRegister { public String getSQLStatement( int sqlCode ) { switch ( sqlCode ) { case 30000: return "select sampletypeid from s_product where producttype=?"; case 30001: return "some other sqls"; } return ""; } } |
After the SQL has been registered, you can write a class such as in the example below, which is an Ajax class that handles any Ajax request that passes sqlcode as a request parameter:
|
/** * Example Ajax Request class to retrieve dataset by sqlcode */ public class MyAjaxDataSetBySqlCode extends BaseAjaxRequest { @Override public void processRequest( HttpServletRequest request, HttpServletResponse response, ServletContext servletContext ) throws ServletException { String sqlcode = request.getParameter( "sqlcode" ); AjaxResponse ajaxResponse = new AjaxResponse( request, response ); try { QueryProcessor queryProcessor = getQueryProcessor(); DataSet ds = queryProcessor.getSqlDataSet( sqlcode ); //call overloaded method with bind variables if needed ajaxResponse.addCallbackArgument( "dataset", ds ); ajaxResponse.print(); } catch ( Exception e ){ ajaxResponse.setError( e.getMessage() ); logError( e.getMessage(), e ); } } } |
ExecSQL Action |
If you choose to use this, check Make the ExecSQL action available in my configuration.
Action Locking Options |
| Option | Description |
| Do you want Actions to automatically lock data? | Determines data locking behavior of Actions using RSets. |
Server-Side Actions that modify SDIs and/or Data Sets have the "applylock" property, which can lock the data in an RSet record while the Action is processing:
| Do you want Actions to automatically lock data? | Data Locking Behavior During Processing | ||||||
| Yes |
|
||||||
| No (default) |
|
The table below identifies Server-Side Actions that modify SDIs and/or Data Sets and support locking while the Action is processing. "Primary" indicates that the Action locks the SDIs, i.e., the Action returns data in the "primary" result set. If you require more information concerning the "primary" result set, see the sdi tag descriptions and examples.
| Server-Side Action | Data Locked | Server-Side Action | Data Locked |
| AddChargeListItem | primary (Charge List) | EditDataItem | Data Set |
| AddDataItem | primary | EditDataSet | Data Set |
| AddDataSet | primary | EditPriceListItem | primary (Price List) |
| EditSDI | primary | ||
| AddPriceListItem | primary (Price List) | EditSDIAddress | primary |
| AddSDIAddress | primary | EditSDIDetail | primary |
| AddSDIAttachment | primary | EnterDataItem | Data Set |
| AddSDIDetail | primary | EnterDataSet | Data Set |
| AddSDISpec | primary | ReleaseDataItem | all Data Sets |
| ReleaseDataSet | all Data Sets | ||
| AddSDIWorkitem | primary | RemoveSDISpec | all Data Sets |
| ApplyDataItemLimits | all Data Sets | ResetDataSet | all Data Sets |
| ApplyDataSetLimits | all Data Sets | SetDataItemDate | Data Set |
| CopyDataSet | primary | SetDataItemNumber | Data Set |
| DeleteChargeListItem | primary (Charge List) | SetDataItemString | Data Set |
| DeleteDataItem | all Data Sets | SetDataSetDate | Data Set |
| DeleteDataItemLimit | all Data Sets | SetDataSetNumber | Data Set |
| DeleteDataSet | all Data Sets | SetDataSetString | Data Set |
| DeletePriceListItem | primary (Price List) | SetSDIDate | primary |
| DeleteSDI | primary | SetSDINumber | primary |
| DeleteSDIAddress | primary | SetSDIString | primary |
| DeleteSDIDetail | primary | SetSDIWIIComplete | primary |
| EditChargeListItem | primary (Charge List) | UnReleaseDataItem | all Data Sets |
| EditDataApproval | Data Set | UnReleaseDataSet | all Data Sets |
Miscellaneous Options |
|
|
Application Settings |
| Property | Description |
| Web Application Base URL | URI of LabVantage Web application in use, in the format http://HOSTNAME:PORT/WEBAPP. |
Mail Settings |
| Property | Description |
| Mail Server (SMTP Host Name) | Name of your SMTP (mail) server. You need this in order to use the LabVantage "SendMail" Action and other email-related features. |
| Email 'From' Address | When mailing notifications of security violations, this is the source address specified on the email. |
| Security Email Address | Destination address when mailing notifications of security violations. |
| Additional Mail Server Connection Properties | This can be used to interface with SMTP servers that require
more properties such as a portid or TLS-encrypted connections.
Here are some examples: mail.smtp.port=465 mail.smtp.starttls.enable=true mail.smtp.ssl.enable=true mail.smtp.socketFactory.class=javax.net.ssl.SSLSocketFactory |
| Mail Server User Name | Username for your SMTP server. |
| Mail Server Password | Password for your SMTP server. |
RSet and SQL Control |
These options let you choose how LabVantage uses RSets (locked Result Sets) to query for SDIs and apply the appropriate security privileges.
| Option | Description | |||||||||||||||
| Max rows per RSET query | Sets global (system-wide) limits on retrieved
SDIs. This sets the maximum number of rows (records) that can be retrieved
as the result of a single query. The default is unlimited. If the maximum
is exceeded, a LabVantage Exception is generated.
This affects the number of rows only in an RSet, and does not apply to queries in general. |
|||||||||||||||
| Allow quotes in parameters |
To deal with this, LabVantage provides a global, system-wide setting to allow or prevent using single quotes as part of data. This setting works only with an Oracle DBMS. MS SQL Server does not support global setting because it does not support the session-specific variables that exist in Oracle packages. The default is to prevent use of single quotes, which is the behavior of LabVantage DM0206 (V3.4) and onward. You can allow single quotes by adding a row to the SysConfig table, which is activated by the startup routine and active for the session:
In the Query Maintenance page, there is also an argument-level setting. This works with both Oracle and MS SQL Server DBMS, but it applies only to arguments in Query SDIs. This changes the allowquotes flag in the table containing the argument (reportparam.allowquotesflag). |
|||||||||||||||
| RSET logging level | Determines how the RSetLog table logs all
activity regarding RSets:
In the RSetLogLevel column, a row is inserted at the beginning of RSet activity, then updated at the end. This happens in an autonomous transaction (Oracle); therefore, if RSet creation fails, activity information is still logged (a status column indicates such a case). |
|||||||||||||||
| Embed security within RSet queries | Determines whether security-related SQL is
added directly to a query WHERE clause (Yes), or security is applied after
to the results of the initial query (No). These values correspond to on/off
in the SysConfig.RSetEmbedSecurity column. Note that adding security-related SQL to a WHERE clause may affect query performance. |
|||||||||||||||
| SQL Statement Timeout | This sets the number of seconds SQL statements
can run before a statement timeout error is generated. OOB, the default
is set to 300 seconds. However, shorter timeouts may be required to achieve
better protection for specific implementations.
This setting is implemented in the sapphire.util.DBUtil class, which is used by all LabVantage database APIs to execute SQL statements (database object provided to Actions, QueryProcessor, SDIProcessor). It is also implemented in Adhoc Query Hibernate database calls. |
|||||||||||||||
| SQL Obfuscation | Determines whether SQL or SQL snippets sent to/from a browser client are obfuscated. |
Stability Data Definitions |
| Option | Description |
| Protocol Product SDC | Used only with Stability, this is the KeyId of the SDC used for the Protocol Product. |
| Study Product Column | Used only with Stability, this is the KeyId of the column used for the Study Product. |
Translations |
| Option | Description |
| Auto fill temporary translation table | If set, the TransMasterTemp table is populated with text where no translation was found. |
| Show Translations | If set, all text that are translated server-side or client-side will be tagged. |
File Management |
| Option | Description |
| Maximum Upload File Size | If set, this is the maximum size (in Mb) of files that can be uploaded. If not provided, this defaults to the servlet definition in the web application. With dealing with Attachment uploads, this can be overridden by the Attachment Policy. |
| Maximum Download File Size | If set, this is the maximum size (in Mb) of files that can be downloaded. If not provided, file size is not restricted by this property. |
| Maximum Data File Size | If set, this is the maximum size (in Mb) of files that can be uploaded as an example data file in Data File Definition maintenance. If not provided, this defaults to 1 Mb. If a value of less than zero is provided, this defaults to "Maximum Upload File Size". |
