Configuring Internal Authentication
Internal authentication allows the server software to run without root privileges. However, all client connections then share the same disk access: every user who connects to the server software has the same disk-access security, so one user can delete another user's file. If this is a concern, use the unix2 authentication method instead. This method does not restrict client connections because it uses the UNIX passwd file for authentication. See the topic Configuring unix2 Authentication for more information.
Warning: Do not use internal authentication when running the daemon/service as root/SYSTEM. Doing so is the same as giving root/SYSTEM access to your server to any user that connects.
Configuring Internal Authentication on UNIX
- Create a group for users who will connect to the server software. We recommend naming this group statistics.
- A member of this group must install the server software. This user will be the owner of the server software daemon.
- Another member of this group (different from the daemon owner and typically the user who maintains the server software users) creates a statisticsusers file in the config directory in the server software installation directory. This file should have read/write access for the user who created it. It should have read access for the users group. No other users should be able to access it. If you don't create this file manually, it is automatically created the first time you run the statisticsuser command line tool (see the next step). The command line tool sets the appropriate permissions.
- In the config directory, use the statisticsuser command line tool to add users. As the user who created the statisticsusers file, type statisticsuser <username> to create a regular user (e.g., statisticsuser jdoe). Use the -a option to create an admin user (e.g., statisticsuser -a jdoe). The statisticsuser command line tool prompts you for a password. An end user enters the user name and password to connect to the server software. Be sure to distribute the user name and passwords appropriately. To delete a user, use the -d option (e.g., statisticsuser -d jdoe).
- Logged in as the owner of the server software daemon, open the configuration file (e.g., statisticsd.conf) in a text editor.
- Find the userauth element and change the value parameter from unix to internal.
- Logged in as the owner of the server software daemon, start the server.
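The following is an added example, not part of the product or its documentation: a POSIX shell audit that checks the statisticsusers file for the permissions described in the steps above and confirms that the daemon owner is not root. The function names are illustrative, and checking that the file's group is the group created in the first step is an assumption about how that read access is granted.

```shell
#!/bin/sh
# Added example, not part of the product: audits the UNIX setup described above.
# Function names are illustrative; pass your own paths and names.

# audit_statisticsusers FILE GROUP
# Expects owner rw-, group r--, others --- and (assumption) group ownership GROUP.
audit_statisticsusers() {
    file=$1 want_group=$2 rc=0
    [ -f "$file" ] || { echo "MISSING: $file"; return 1; }

    # ls -ld is POSIX: field 1 is the mode string, field 4 the group.
    # substr() drops a trailing ACL or SELinux marker such as "+" or ".".
    info=$(ls -ld -- "$file" | awk '{print substr($1, 1, 10), $4}')
    mode=${info% *} group=${info#* }

    owner_bits=$(printf '%s' "$mode" | cut -c2-4)
    group_bits=$(printf '%s' "$mode" | cut -c5-7)
    other_bits=$(printf '%s' "$mode" | cut -c8-10)

    [ "$owner_bits" = "rw-" ] || { echo "OWNER: want rw-, found $owner_bits"; rc=1; }
    [ "$group_bits" = "r--" ] || { echo "GROUP: want r--, found $group_bits"; rc=1; }
    [ "$other_bits" = "---" ] || { echo "OTHER: want ---, found $other_bits"; rc=1; }
    [ "$group" = "$want_group" ] || { echo "GROUP NAME: want $want_group, found $group"; rc=1; }
    return "$rc"
}

# audit_daemon_owner USER
# Fails if USER is unknown or has uid 0 (the case the warning forbids).
audit_daemon_owner() {
    uid=$(id -u "$1" 2>/dev/null) || { echo "UNKNOWN USER: $1"; return 1; }
    if [ "$uid" -eq 0 ]; then
        echo "ROOT: $1 has uid 0; every connecting client would act as root"
        return 1
    fi
    return 0
}

# Usage: sh audit.sh FILE GROUP DAEMON_USER
if [ "$#" -eq 3 ]; then
    status=0
    audit_statisticsusers "$1" "$2" || status=1
    audit_daemon_owner "$3" || status=1
    exit "$status"
fi
```

Run it with the path to the statisticsusers file, the group name, and the daemon owner; it exits non-zero and prints one line per finding if anything deviates.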
Configuring Internal Authentication on Windows
- Edit the IBM SPSS Statistics Server entry to run as a specific user:
  - Open the Windows Services Panel and double click the entry for IBM® SPSS® Statistics NN.m, where NN is the major version number and m is the minor version number.
  - Click the Log On tab.
  - Under Log on as, select This account.
  - Enter the domain\username and password of the user that will own the server process. This user will need the Logon as a service privilege.
- The same user must create a statisticsusers file in the config directory in the server software installation directory. This file should have read/write access for the user who created it. No other users should have write access. If you don't create this file manually, it is automatically created the first time you run the statisticsuser command line tool (see the next step).
- In the config directory, use the statisticsuser command line tool to add users. As the user who created the statisticsusers file, type statisticsuser <username> to create a regular user (e.g., statisticsuser jdoe). Use the -a option to create an admin user (e.g., statisticsuser -a jdoe). The statisticsuser command line tool prompts you for a password. An end user enters the user name and password to connect to the server software. Be sure to distribute the user name and passwords appropriately. To delete a user, use the -d option (e.g., statisticsuser -d jdoe).
- Logged in as the owner of the server software daemon, open the configuration file (e.g., statisticsd.conf) in a text editor.
- Find the userauth element and change the value parameter from win32 to internal.
- Go to the Windows Services Panel and start the service.