Restrict access to the LEM reports application

This topic documents how to secure the LEM reports application so that only authorized users can access it.

Understand your options for securing LEM reports

Older versions of LEM (pre 6.2) allow unrestricted access to the LEM database by the reports application installed on a Windows computer. No credentials were required for the access.

Starting with LEM version 6.2.0, the LEM Reports application requires a username and password to allow the LEM Reports application to access the database.

As with all versions of LEM, there is one additional level of security for the Reports application, but the same holds true for the SSH connection or the Console connection (web-based or air-based). You only need to run the restrictreports command (or restrictconsole or restrictssh commands) to create a whitelist of computer hostnames or IP addresses that can run reports and access the database (or the console or SSH, if using that parameter).

  • Access can be restricted to specific computers.
  • Access can be restricted by port number. The Reports application communicates over port 9001, using TLS or no encryption. Console access only on port 8443/443 when the LEM is activated, but port 8080/80 is available during evaluation period or if togglehttp command used to re-enable the port 8080/80. SSH access is allowed on port 22 or 32022, but support can assist you with forcing only one port. LEM versions prior to 6.3.1 only had port 32022 available for SSH.
  • The LEM reports application can be configured to require a user name and password.

To encrypt communication between the LEM reports application and the LEM database, see Enable transport layer security (TLS) in the LEM reports application.

Restrict access to LEM reports to specific computers

  1. Open the CMC command line. See Log in to the LEM CMC command line interface for steps.

  2. At the cmc> prompt, type service.

  3. At the cmc::service> prompt, type restrictreports.

  4. When prompted, press the Enter key.

  5. Enter the IP addresses of the computers you want to allow to run the LEM reports application, separated by spaces.

    Ensure that the list you provide is complete. Your entry will override any previous entries.

  6. To confirm your entry, type y.

  7. To return to the cmc> prompt, type exit.

  8. To log out of the CMC command line, type exit.

Remove all LEM reports access restrictions

  1. Open the CMC command line. See Log in to the LEM CMC command line interface for steps.

  2. At the cmc> prompt, type service.

  3. At the cmc::service> prompt, type unrestrictreports.

  4. When prompted, press the Enter key.

    Removing LEM reports restrictions will make the LEM database accessible to any computer on your network that is running the LEM reports application.

  5. To return to the cmc> prompt, type exit, and then press Enter.
  6. To log out of the CMC command line, type exit, and then press Enter.