Restrict access to the SEM reports application

This topic documents how to secure the SEM reports application so that only authorized users can access it.

Understand your options for securing SEM reports

Older versions of SEM (pre 6.2) allowed the reports application installed on a Windows computer unrestricted access to the SEM database. No credentials were required for the access.

Starting with SEM version 6.2.0, the SEM Reports application requires a username and password to access the database.

All versions of SEM provide one additional level of security for the Reports application, and the same applies to the SSH connection and the Console connection (web-based or AIR-based). You only need to run the restrictreports command (or the restrictconsole or restrictssh command) to create a whitelist of computer hostnames or IP addresses that can run reports and access the database (or access the console or SSH, depending on the command you run).

  • Access can be restricted to specific computers.
  • Access can be restricted by port number. The Reports application communicates over port 9001, using TLS or no encryption. Console access is available only on port 8443/443 when SEM is activated, but port 8080/80 is available during the evaluation period or if the togglehttp command is used to re-enable port 8080/80. SSH access is allowed on port 22 or 32022, but support can assist you with forcing only one port. SEM versions prior to 6.3.1 only had port 32022 available for SSH.
  • The SEM reports application can be configured to require a user name and password.

To encrypt communication between the SEM reports application and the SEM database, see Enable transport layer security (TLS) in the SEM reports application.

Restrict access to SEM reports to specific computers

  1. Open the CMC command line. See Log in to the SEM CMC command line interface for steps.

  2. At the cmc> prompt, type service.

  3. At the cmc::service> prompt, type restrictreports.

  4. When prompted, press the Enter key.

  5. Enter the IP addresses of the computers you want to allow to run the SEM reports application, separated by spaces.

    Ensure that the list you provide is complete. Your entry will override any previous entries.

  6. To confirm your entry, type y.

  7. To return to the cmc> prompt, type exit.

  8. To log out of the CMC command line, type exit.
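
Because the entry in step 5 overrides any previous entries, it helps to build the complete list before opening the CMC. The following is an added example, not part of the SEM product or its documentation: `build_allowlist` is a hypothetical helper, the addresses are constructed samples, and it assumes you keep your own record of the previous entry and that each entry is a single IP address.

```python
import ipaddress


def build_allowlist(current, additions=(), removals=()):
    """Return (line, dropped) for the restrictreports prompt in step 5.

    current   -- addresses recorded from the previous restrictreports run
    additions -- addresses to start allowing
    removals  -- addresses to stop allowing
    """
    def parse(values):
        parsed = []
        for raw in values:
            try:
                # ip_address() rejects CIDR ranges, hostnames and stray text
                parsed.append(ipaddress.ip_address(raw.strip()))
            except ValueError:
                raise ValueError(f"not a single IP address: {raw!r}") from None
        return parsed

    keep, gone = parse(current), set(parse(removals))
    unknown = gone - set(keep)
    if unknown:
        # A removal that is not in the record suggests the record is stale
        raise ValueError(f"not in the current list: {sorted(map(str, unknown))}")
    merged = []
    for addr in keep + parse(additions):
        if addr not in gone and addr not in merged:  # de-duplicate, keep order
            merged.append(addr)
    if not merged:
        raise ValueError("resulting list is empty; refusing to build an empty entry")
    # Anything recorded before but missing now loses access once you confirm
    dropped = [str(a) for a in keep if a not in merged]
    return " ".join(str(a) for a in merged), dropped


if __name__ == "__main__":
    # Constructed sample: addresses from the 192.0.2.0/24 documentation range
    previous = ["192.0.2.10", "192.0.2.11", "192.0.2.12"]
    line, dropped = build_allowlist(
        previous, additions=["192.0.2.20", "192.0.2.10"], removals=["192.0.2.12"]
    )
    print("Enter at the prompt:", line)
    print("No longer allowed:  ", ", ".join(dropped) or "none")
```

Review the "no longer allowed" output before typing y in step 6, and save the resulting line as the record for the next change.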

Remove all SEM reports access restrictions

  1. Open the CMC command line. See Log in to the SEM CMC command line interface for steps.

  2. At the cmc> prompt, type service.

  3. At the cmc::service> prompt, type unrestrictreports.

  4. When prompted, press the Enter key.

    Removing SEM reports restrictions will make the SEM database accessible to any computer on your network that is running the SEM reports application.

  5. To return to the cmc> prompt, type exit, and then press Enter.
  6. To log out of the CMC command line, type exit, and then press Enter.