Title: MOVE14: Migrating Your 4GL Authentication System to OpenEdge 10.1A and Beyond
MOVE-14: Migrating Your 4GL Authentication System to OpenEdge 10.1A and Beyond
Michael Jacobs
Development Architect
Agenda
- Why Migrate Your User Authentication
- OpenEdge Security Systems
- OpenEdge 10.1A User-id Management
- Migrating to 10.1A User-id Management
This presentation includes annotations with additional complementary information.
Why Migrate Your User Authentication
What user authentication challenges can I face?
- Compliance with security standards and government regulations
- Integration with different authentication systems
- Single sign-on
- Auditing
Why Migrate Your User Authentication
Does this apply to my application?
- It does if you or your customer does business with or in:
  - US medical services ( HIPAA )
  - Credit card processing ( Visa CISP )
  - International finance ( Basel II, SOX )
  - International computing practices ( ISO 17799 )
  - Business in California, USA ( SB 1386 )
  - US and EU governments ( FEA standard )
  - People's private data ( Gramm-Leach-Bliley )
  - The British legal system ( BIP 0008-1 )
  - Business in the EU ( EU Data Protection Directive )
Why Migrate Your User Authentication
What technologies may my application have to support?
- Strong user authentication systems
  - Strong password-based systems
  - Hardware tokens
  - Smart cards ( digital certificates )
  - Microsoft workstation single sign-on
- A single source of user authentication
- Federated user identities between partners
Why Migrate Your User Authentication
What do I need to change in my application?
- Configurable user authentication systems
  - Configure which one to use at the production site
  - Quickly extend support to new systems
  - No application code changes required
- Use the OpenEdge 10.1A security services
  - OpenEdge auditing core service
  - OpenEdge database run-time security
Why Migrate Your User Authentication
What value do the OpenEdge 10.1A security features provide?
- OpenEdge auditing core service
  - Secure auditing of ABL, SQL and database utility activity
  - User login/logout events and login-sessions
  - Faster database record auditing than triggers
- OpenEdge run-time permission checking
  - Database table and field permissions
  - No, you do NOT need to use the _User table for this
OpenEdge 10.0 Database Compile-time Security
[Diagram: the ABL application authenticates its DB connection against the _User table (here as root); the connection user-id is checked against the CAN-* table and field permissions when the code is compiled, so a FIND Customer is authorized by the database's own table/field access control.]
OpenEdge 10.0 Application Run-time Security
[Diagram: the DB connection uses a single _User account (root) that bypasses the database's table/field permissions. Login.p runs doLogin("fred") against the application's own user-account tables, and ViewCustomer.p authorizes with an application-level CAN-DO check on fred before FIND Customer. Authentication and authorization are done entirely by the application; the database only sees root.]
OpenEdge 10.1A Security Features
[Diagram: the application login (doLogin("fred") in Login.p, the CAN-DO check in ViewCustomer.p) and application privileges stay as they are, but the ABL run-time can now also authorize FIND Customer against the database's table/field permissions for the session user-id, so the database authenticates and authorizes the same user the application logged in.]
OpenEdge 10.1A Identity Management
What is new in Release 10.1A
- User identity access token
  - CLIENT-PRINCIPAL handle
  - Synchronizes the OpenEdge and application user-ids
- Domain registries
- SECURITY-POLICY:SET-CLIENT( )
- SET-DB-CLIENT( )
  - Equivalent to SETUSERID()
- Database-hosted ABL client security options
  - Progress session user-id
  - Synchronizes the OpenEdge DB connection user-ids
User Identity Access Token
Proof of an authenticated user's information, including the domain that authenticated them, the roles or privileges they hold, and miscellaneous user context.
Example token attributes:
    USER-ID                  Fred
    DOMAIN-NAME              App-accounts
    SESSION-ID               AB25DH398E23
    ROLES                    user,admin
    LOGIN-STATE              LOGIN
    STATE-DETAIL             Logged in
    DOMAIN-TYPE              ABL Procedure
    LOGIN-HOST               NBFFlintstone.NET
    CLIENT-TTY               OpenClient
    <User-defined-property>  UI.advanced = YES
    . . .
CLIENT-PRINCIPAL Operations
What can a CLIENT-PRINCIPAL do for you?
- Automatic user login auditing
  - SEAL( ) - successful login
  - LOGOUT( ) - logout
  - AUTHENTICATION-FAILED( ) - failed login
- Login-sessions
  - Login session-id context
- Synchronize the application user login
  - With the Progress session and DB connection
  - Between multiple Progress sessions
    - AppServer agents
    - Load-balanced AppServers
    - WebSpeed agents
OpenEdge 10.1A Identity Management
[Diagram: the ABL run-time holds a Domain Registry and a session user-id carried by a CLIENT-PRINCIPAL; each OpenEdge database holds its own registry (its System Domain) and trust configuration. With the registries synchronized, setting the session user-id also sets the DB connection user-id, which is then used for authentication, run-time authorization of access to Customer, and as the user-id written to the audit data. A second variant of the diagram crosses out the connection path: the DB connection stays at its _User login (root) and the session user-id is only audited.]
Use-case Assumptions: Case 1
- Existing client-server application
  - Uses application security (tables)
  - Connects to the DB using a single _User account
  - Not using OpenEdge table/field permissions
- Short-term migration goals
  - Use the OpenEdge auditing core service
- Medium-term goals
  - Use run-time OpenEdge database security
  - OpenEdge RA-compliant application
OpenEdge 10.1A Security Configuration
[Diagram: the database-hosted client security options "Audit session user-id" and "Synchronize Registries" decide whether the session user-id is written to the audit data and whether it is propagated to the DB connection user-id used for authentication and authorization of Customer access.]
Migrate Existing Application
Step 1: Enable 10.1A Security Features
- Enable the OpenEdge database 10.1A features
  - Security without OpenEdge Auditing:
        proutil db -C updateschema
  - Security with OpenEdge Auditing:
        vi AuditAreas.st
        prostrct add db AuditAreas.st
        proutil db -C enableauditing
  - Data Administration utility: Admin -> Security -> Edit Auditing Privileges
Migrate Existing Application
Step 2: Set Client Security Auditing Options
Admin -> Database Options:
- Audit session user-id
- Synchronize Registries
- ABL run-time permission checking
Migrate Existing Application
Step 3: Define Session-global Variables
- Define global session current-user storage
    DEFINE NEW GLOBAL SHARED VARIABLE g_hCP AS HANDLE.
- Define the global default authentication domain
    DEFINE NEW GLOBAL SHARED VARIABLE g_cDefDomName AS CHARACTER.
    DEFINE NEW GLOBAL SHARED VARIABLE g_cDefDomType AS CHARACTER.
    DEFINE NEW GLOBAL SHARED VARIABLE g_cDefDomDesc AS CHARACTER.
    DEFINE NEW GLOBAL SHARED VARIABLE g_cDomToken   AS CHARACTER.
    ASSIGN g_cDefDomName = "OpenEdge"
           g_cDefDomType = "ABLApplication"
           g_cDefDomDesc = "Application user accounts".
    /* Domain access code, checked by REGISTER-DOMAIN( ) and SEAL( ) */
    ASSIGN g_cDomToken = BASE64-ENCODE(GENERATE-PBE-KEY(g_cDefDomType)).
OpenEdge 10.1A Application Initialization
[Diagram: Startup.p connects the database, loads the domain registries and fixes the DB connection user-id with SETUSERID(). A connection set with SETUSERID() locks out synchronization: the session user-id can still be audited, but it is no longer propagated to the connection, which keeps root and its CAN-* permissions.]
Migrate Existing Application
Step 4: Modify Application Startup Code
- Lock the database connection user-id
  (remove this once run-time permission checking is used)
    SETUSERID( "root", "pwd", "DICTDB" ).
- Load the Progress session Domain Registry
  (a domain cannot be used until the registry is locked)
    SECURITY-POLICY:REGISTER-DOMAIN( "OpenEdge", g_cDomToken ) NO-ERROR.
    SECURITY-POLICY:LOCK-REGISTRY() NO-ERROR.
OpenEdge 10.1A User Login / Logout
[Diagram: Login.p authenticates fred against the application's UserAccount table and sets the session user-id to fred while the DB connection remains root (SETUSERID() path crossed out); Logout.p clears it again. Both the login and the logout are written to the audit data under the session user-id.]
Migrate Existing Application
Step 5: Modify Application User Login Code
- Create a CLIENT-PRINCIPAL object
    CREATE CLIENT-PRINCIPAL g_hCP.
    /* Required user account information */
    g_hCP:USER-ID     = "fred".
    g_hCP:DOMAIN-NAME = g_cDefDomName.
    g_hCP:SESSION-ID  = SUBSTRING(BASE64-ENCODE(GENERATE-UUID), 1, 22).
    /* Optional user account information */
    g_hCP:DOMAIN-TYPE        = g_cDefDomType.
    g_hCP:DOMAIN-DESCRIPTION = g_cDefDomDesc.
Migrate Existing Application
Step 6: Modify User Login Completion Code
- On successful login, start the user login-session
  (the CLIENT-PRINCIPAL's access token is now read-only)
    g_hCP:SEAL( g_cDomToken ).
- On failed login, invalidate the user login object
  (the CLIENT-PRINCIPAL's access token is now invalid)
    g_hCP:AUTHENTICATION-FAILED( "Invalid Password" ).
Migrate Existing Application
Step 7: Modify Successful Login Code
- Set the Progress session's user-id
    lStatus = SECURITY-POLICY:SET-CLIENT( g_hCP ) NO-ERROR.
    IF ( NOT lStatus ) THEN DO:
        ...
    END.
Migrate Existing Application
Step 8: Modify Logout Code
- Log out the CLIENT-PRINCIPAL and clean up
    g_hCP:LOGOUT().                                     /* invalidates the CLIENT-PRINCIPAL */
    lStatus = SECURITY-POLICY:SET-CLIENT( ? ) NO-ERROR. /* clears the session user-id */
    DELETE OBJECT g_hCP.
    g_hCP = ?.
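The whole client-server flow of Steps 3 to 8 in one procedure file, as an added example rather than code from the presentation. It assumes the session-global variables from Step 3 and that the startup procedure has already registered the "OpenEdge" domain with g_cDomToken and locked the registry (Step 4); checkPassword is a hypothetical stand-in for the application's own UserAccount lookup, and loginmgr.p, dropPrincipal, doLogin and doLogout are names chosen here. One caveat the slides do not spell out: SEAL( ) and the registry both check the domain access code, so a production access code should be a secret, not a value derived from the public domain-type string as in the Step 3 ASSIGN.

```abl
/* loginmgr.p - added example, not the presentation's own code.
   Assumes the g_* globals from Step 3 and a locked domain registry (Step 4). */

DEFINE SHARED VARIABLE g_hCP         AS HANDLE.
DEFINE SHARED VARIABLE g_cDefDomName AS CHARACTER.
DEFINE SHARED VARIABLE g_cDefDomType AS CHARACTER.
DEFINE SHARED VARIABLE g_cDefDomDesc AS CHARACTER.
DEFINE SHARED VARIABLE g_cDomToken   AS CHARACTER.

/* Hypothetical stand-in for the application's own UserAccount lookup. */
FUNCTION checkPassword RETURNS LOGICAL
    ( pcUser AS CHARACTER, pcPwd AS CHARACTER ):
    RETURN ( pcUser = "fred" AND pcPwd = "demo" ).
END FUNCTION.

/* Release the current login object, whatever state it is in. */
PROCEDURE dropPrincipal:
    IF VALID-HANDLE(g_hCP) THEN
        DELETE OBJECT g_hCP.
    g_hCP = ?.
END PROCEDURE.

/* Steps 5-7:  RUN doLogin ("fred", "demo", OUTPUT lOk). */
PROCEDURE doLogin:
    DEFINE INPUT  PARAMETER pcUserId   AS CHARACTER NO-UNDO.
    DEFINE INPUT  PARAMETER pcPassword AS CHARACTER NO-UNDO.
    DEFINE OUTPUT PARAMETER plOk       AS LOGICAL   NO-UNDO INITIAL FALSE.

    /* Never re-use a token left over from an earlier attempt. */
    RUN dropPrincipal.

    /* Step 5: unsealed access token describing who is logging in. */
    CREATE CLIENT-PRINCIPAL g_hCP.
    ASSIGN
        g_hCP:USER-ID            = pcUserId
        g_hCP:DOMAIN-NAME        = g_cDefDomName
        g_hCP:SESSION-ID         = SUBSTRING(BASE64-ENCODE(GENERATE-UUID), 1, 22)
        g_hCP:DOMAIN-TYPE        = g_cDefDomType
        g_hCP:DOMAIN-DESCRIPTION = g_cDefDomDesc.

    /* Step 6: the application decides; a failure is recorded on the
       token (and so audited) before the token is discarded. */
    IF NOT checkPassword(pcUserId, pcPassword) THEN DO:
        g_hCP:AUTHENTICATION-FAILED("Invalid password").
        RUN dropPrincipal.
        RETURN.
    END.

    /* SEAL succeeds only with the access code the domain was registered
       with; afterwards the token attributes are read-only. */
    g_hCP:SEAL(g_cDomToken).

    /* Step 7: session user-id (and, with Synchronize Registries on and no
       SETUSERID() at startup, also the DB connection user-id). */
    plOk = SECURITY-POLICY:SET-CLIENT(g_hCP) NO-ERROR.
    IF NOT plOk THEN DO:
        MESSAGE "SET-CLIENT failed:" ERROR-STATUS:GET-MESSAGE(1)
            VIEW-AS ALERT-BOX ERROR.
        g_hCP:LOGOUT().
        RUN dropPrincipal.
    END.
    /* Variant for a database with no _User accounts (see Manually
       Controlling Database User-id):
       plOk = SET-DB-CLIENT(g_hCP, "DICTDB") NO-ERROR.  */
END PROCEDURE.

/* Step 8:  RUN doLogout. */
PROCEDURE doLogout:
    IF VALID-HANDLE(g_hCP) THEN
        g_hCP:LOGOUT().                       /* audited; token now invalid */
    SECURITY-POLICY:SET-CLIENT(?) NO-ERROR.   /* clear the session user-id */
    RUN dropPrincipal.
END PROCEDURE.
```

Run it persistently from the startup procedure and call RUN doLogin / RUN doLogout IN that handle from Login.p and Logout.p. Clearing the session user-id with SET-CLIENT(?) before deleting the object matters: a deleted handle leaves the session user-id set to whoever was logged in last.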
Manually Controlling Database User-id
- Locks the DB connection user-id, so SECURITY-POLICY:SET-CLIENT() no longer synchronizes it
- Equivalent to SETUSERID()
- Use when no _User accounts exist in the database
    lStatus = SET-DB-CLIENT( g_hCP, "DICTDB" ) NO-ERROR.
    IF ( NOT lStatus ) THEN DO:
        ...
    END.
Use-case Assumptions: Case 2
- Existing stateless AppServer application
  - Uses application security
  - Connects to the DB using a single _User account
  - Not using OpenEdge table/field permissions
- Short-term migration goals
  - Use the OpenEdge auditing core service
- Medium-term goals
  - Use run-time OpenEdge database security
User-id Management in a Stateless AppServer
[Diagram: a client with connection id CJB762B is routed by the AppServer broker to any of several ABL agents, each running its own session. The SERVER-CONNECTION-ID (CJB762B) is the key under which the User-Context (the access token) is stored, so whichever agent receives a request can find and restore the client's identity.]
Stateless AppServer Migration
Additional migration steps
- Startup procedure
  - Connect to the User-Context
  - Add two fields for access-token storage
    - Login-session-id ( CHAR, primary, unique )
    - Access-token ( RAW )
  - Empty the User-Context of access tokens
- Connect / login procedure
  - After CLIENT-PRINCIPAL:SEAL()
  - Store the CLIENT-PRINCIPAL's access token
Additional migration steps, continued
- Activation procedure
  - Restore the CLIENT-PRINCIPAL from the User-Context's access token
    ( if the SERVER-CONNECTION-ID changes )
- Disconnect / logout procedure
  - After CLIENT-PRINCIPAL:LOGOUT()
  - Delete the access token from the User-Context
Stateless AppServer Migration
Caching CLIENT-PRINCIPAL Objects
- Storing the CLIENT-PRINCIPAL access token
    CREATE ctx.
    ASSIGN ctx.Id    = SESSION:SERVER-CONNECTION-ID
           ctx.Token = g_hCP:EXPORT-PRINCIPAL( ).
- Restoring the CLIENT-PRINCIPAL access token
    FIND ctx WHERE ctx.Id = SESSION:SERVER-CONNECTION-ID.
    DELETE OBJECT g_hCP.
    CREATE CLIENT-PRINCIPAL g_hCP.
    g_hCP:IMPORT-PRINCIPAL( ctx.Token ).
    /* SECURITY-POLICY:SET-CLIENT( g_hCP ). */
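The store / restore / delete steps above as a complete agent-side procedure, added here as an example and not taken from the presentation. It assumes the User-Context table ctx with fields Id (CHARACTER, unique) and Token (RAW) described on the previous slide, the g_hCP and g_cDomToken globals from Step 3, and a domain registry loaded and locked by the agent startup procedure; ctxmgr.p and the procedure names are chosen here, and the VALIDATE-SEAL( ) method is assumed to be available in your release. What it adds to the slide's fragments is the handling a practitioner needs on a shared agent: the previous client's identity is dropped before a new one is looked up, the stored bytes are checked (import, seal, LOGIN-STATE) before SET-CLIENT, and a client with no stored token is refused rather than inheriting whatever identity the agent last held.

```abl
/* ctxmgr.p - added example, not the presentation's own code.
   Assumes the User-Context table ctx (Id CHARACTER unique, Token RAW),
   the g_hCP / g_cDomToken globals from Step 3, and a registry that the
   agent startup procedure has already loaded and locked. */

DEFINE SHARED VARIABLE g_hCP       AS HANDLE.
DEFINE SHARED VARIABLE g_cDomToken AS CHARACTER.

/* Connection id that the current g_hCP was restored for on this agent. */
DEFINE VARIABLE cLastConn AS CHARACTER NO-UNDO.

/* Forget the session identity held by this agent. */
PROCEDURE dropPrincipal:
    SECURITY-POLICY:SET-CLIENT(?) NO-ERROR.
    IF VALID-HANDLE(g_hCP) THEN
        DELETE OBJECT g_hCP.
    ASSIGN g_hCP     = ?
           cLastConn = "".
END PROCEDURE.

/* Connect procedure, after the login procedure has SEALed g_hCP. */
PROCEDURE storeContext:
    IF NOT VALID-HANDLE(g_hCP) OR g_hCP:LOGIN-STATE <> "LOGIN" THEN
        RETURN ERROR "No logged-in CLIENT-PRINCIPAL to store".
    FIND ctx WHERE ctx.Id = SESSION:SERVER-CONNECTION-ID
        EXCLUSIVE-LOCK NO-ERROR.
    IF NOT AVAILABLE ctx THEN DO:
        CREATE ctx.
        ctx.Id = SESSION:SERVER-CONNECTION-ID.
    END.
    ctx.Token = g_hCP:EXPORT-PRINCIPAL().   /* sealed token as opaque RAW */
    RELEASE ctx.
    cLastConn = SESSION:SERVER-CONNECTION-ID.
END PROCEDURE.

/* Activate procedure: the broker may hand this request to any agent. */
PROCEDURE restoreContext:
    DEFINE VARIABLE lOk AS LOGICAL NO-UNDO.

    /* Same client as the previous request on this agent: keep g_hCP. */
    IF VALID-HANDLE(g_hCP) AND cLastConn = SESSION:SERVER-CONNECTION-ID THEN
        RETURN.

    /* Otherwise the previous client's identity must not leak into this
       request, whether or not a token is found below. */
    RUN dropPrincipal.

    FIND ctx WHERE ctx.Id = SESSION:SERVER-CONNECTION-ID NO-LOCK NO-ERROR.
    IF NOT AVAILABLE ctx THEN
        RETURN ERROR "Client has not logged in".

    CREATE CLIENT-PRINCIPAL g_hCP.
    /* Three checks before trusting the stored bytes: they import, the
       seal matches this domain's access code, and the login is still
       active (not logged out, failed or expired). */
    IF NOT g_hCP:IMPORT-PRINCIPAL(ctx.Token)
       OR NOT g_hCP:VALIDATE-SEAL(g_cDomToken)
       OR g_hCP:LOGIN-STATE <> "LOGIN" THEN DO:
        RUN dropPrincipal.
        RETURN ERROR "Stored login token is not valid".
    END.

    lOk = SECURITY-POLICY:SET-CLIENT(g_hCP) NO-ERROR.
    IF NOT lOk THEN DO:
        RUN dropPrincipal.
        RETURN ERROR "SET-CLIENT rejected the stored token".
    END.
    cLastConn = SESSION:SERVER-CONNECTION-ID.
END PROCEDURE.

/* Disconnect procedure, after the logout procedure's LOGOUT(). */
PROCEDURE removeContext:
    FIND ctx WHERE ctx.Id = SESSION:SERVER-CONNECTION-ID
        EXCLUSIVE-LOCK NO-ERROR.
    IF AVAILABLE ctx THEN
        DELETE ctx.
    RUN dropPrincipal.
END PROCEDURE.
```

For the state-free (OpenEdge RA) case the same procedures apply with the CLIENT-PRINCIPAL:SESSION-ID passed by the client as the ctx.Id key instead of SESSION:SERVER-CONNECTION-ID, called from the Login/Logout and per-request procedures rather than Connect/Activate/Disconnect.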
Use-case Assumptions: Case 3
- Existing OpenEdge Reference Architecture (state-free) application
  - Uses application security
  - Connects to the DB using a single _User account
  - Not using OpenEdge table/field permissions
- Short-term migration goals
  - Use the OpenEdge auditing core service
- Medium-term goals
  - Use run-time OpenEdge database security
User-id Management in an OpenEdge RA AppServer
[Diagram: as in the stateless case, the client's requests are routed by the AppServer broker to any ABL agent, but there is no server connection; the client passes a login session-id (3KU60N5TXL) with every request, and that SESSION-ID is the key under which the User-Context access token is stored and restored.]
State-free AppServer
Additional migration steps
- No Connect or Disconnect procedures
  - Substitute Login and Logout procedures
- No SESSION:SERVER-CONNECTION-ID
  - Substitute CLIENT-PRINCIPAL:SESSION-ID
  - Pass the SESSION-ID to all remote procedures
Primary User Authentication APIs
    LoginClient ( INPUT  cUserid         AS CHARACTER,
                  INPUT  rAuthToken      AS RAW,
                  INPUT  cDomain         AS CHARACTER,
                  INPUT  cSecondaryId    AS CHARACTER,
                  INPUT  rSecondaryToken AS RAW,
                  OUTPUT cSessionid      AS CHARACTER ).
    LogoutClient ( INPUT cSessionid AS CHARACTER ).
    AnyProcedure ( ..., INPUT cSessionid AS CHARACTER ).
For More Information, go to:
- Implementing the OpenEdge Reference Architecture, 8: Context Management
- OpenEdge Principals white papers
In Summary
- Extensible user authentication provides the necessary functionality
- Synchronizing the application's user-id with OpenEdge brings benefits such as the core services
- OpenEdge 10.1A gives you the tools to begin your application's migration now
Questions?
Thank you for your time