Title: DEV-09: User Authentication in an OpenEdge
DEV-09: User Authentication in an OpenEdge 10.1 Distributed Computing Environment
- Michael Jacobs
- Development Architect
Agenda
- User authentication drivers
- Authentication basics
- What's in OpenEdge 10.1A
- Distributed authentication
- Using OpenEdge 10.1A
- What's next?
Under Development
- This talk includes information about potential future products and/or product enhancements.
- What I am going to say reflects our current thinking, but the information contained herein is preliminary and subject to change. Any future products we ultimately deliver may be materially different from what is described here.
Agenda
- User authentication drivers
- Authentication basics
- What's in OpenEdge 10.1A
- Distributed authentication
- Using OpenEdge 10.1A
- What's next?
User Authentication Drivers
- Hackers, Crackers, Rage, and Corruption
- Government regulations
- Sarbanes-Oxley (SOX)
- CFR Part 11
- HIPAA
- Customer security policy requirements
- Migration to n-tier application architecture
- OpenEdge Reference Architecture
- Service Oriented Architecture
Distributed User Authentication Challenges
- Prevent identity theft
- Login credentials
- Login session
- Multiple authentication systems
- Existing customer systems
- Future authentication systems
- Multiple service interface support
- Deployment time configuration
Agenda
- User authentication drivers
- Authentication basics
- What's in OpenEdge 10.1A
- Distributed authentication
- Using OpenEdge 10.1A
- What's next?
Application Security Fundamentals
[Diagram: application security rests on authentication, authorization and auditing]
Balancing Authentication Costs
[Diagram: product side (technology, development, support) balanced against customer side (liability, data, support)]
Authentication Manager Architecture
[Diagram: Authentication Manager with Process Control sitting between OpenEdge and the application/end user]
Authentication Process Control
[Diagram: Client, AppServer Agent, Authentication Manager, Process Control]
Single User Account Systems
[Diagram only]
True Single Sign-On
[Diagram only]
What's in a Principal
[Diagram: authentication system data, user account data, user account restrictions, application defined data]
Agenda
- User authentication drivers
- Authentication basics
- What's in OpenEdge 10.1A
- Distributed authentication
- Using OpenEdge 10.1A
- What's next?
OpenEdge 10.1A Presents!
- CLIENT-PRINCIPAL 4GL Object
- Trusted Authentication System Registry (TASR)
- Database controlled authentication options
- Language extensions that use CLIENT-PRINCIPAL objects
- Optional run-time OpenEdge database permission checking
4GL CLIENT-PRINCIPAL Object
- Represents a single user's login session
- Shares a single user authentication
  - Between application servers
  - Between application server agents
- Supersedes the SETUSERID() function
- Sets the current user-id for
  - The 4GL application
  - An OpenEdge database connection's permissions
- Triggers OpenEdge auditing record creation
Trusted Authentication System Registry (TASR)
- Used to validate a CLIENT-PRINCIPAL
  - OpenEdge client to AppServer Agent
  - 4GL client to OpenEdge database
- Supports multiple domains
  - Uses the domain's key for validation
- Configurable via the OpenEdge database options table
- Loaded from the OpenEdge database Domain Registry table
4GL Language Extensions
- SECURITY-MANAGER object
- SET-CLIENT() method
- LOAD-DOMAINS() method
- UUID function
- SETDBCLIENT() function
- HEXBINARY-ENCODE() function
Release 10.1 Authentication Components
[Diagram: a 4GL client, AppServer or WebSpeed agent runs the 4GL application (client login session, Authentication Manager, Service Interface) above the 4GL core (SECURITY-POLICY, application TASR, domain configuration); authentication options, the principal, application domains and database domains pass between the two layers]
Agenda
- User authentication issues
- Authentication basics
- What's in OpenEdge 10.1A
- Distributed authentication
- Using OpenEdge 10.1A
- What's next?
Benefits of the State-Free AppServer
[Diagram only, two slides]
Problem with User Authentication in a State-Free AppServer
[Diagram: client against state-free AppServer agents, two slides]
What's a Login-Token?
[Diagram: a login-token carrying the seal 24VGWYY872ACE]
User Authentication in a State-Free Distributed System
[Diagram: client and distributed system]
State-Free User Context Management
[Diagram: client and state-free user context, two slides]
Agenda
- User authentication drivers
- Authentication basics
- Distributed authentication
- What's in OpenEdge 10.1A
- Using OpenEdge 10.1A
- What's next?
Configuring Single CLIENT-PRINCIPAL Context Mode
[Diagram: the Data Administration Utility configures the application TASR held by SECURITY-POLICY in the 4GL core; the 4GL application with its Authentication Manager and Service Interface sits above]
Configuring the SECURITY-POLICY TASR
- Configure TASR domains
  - Domain name: LDAP
  - Domain key: the domain's secret key
- Configure databases to use the application's TASR
- Load the application TASR at run-time from the database that holds the domain registry:
  SECURITY-POLICY:LOAD-DOMAINS("tasrdb").
User Login: Creating the CLIENT-PRINCIPAL
[Diagram: login credentials enter the 4GL application's Authentication Manager through the Service Interface; the 4GL core holds SECURITY-POLICY and the application TASR]
Creating the CLIENT-PRINCIPAL in the Authentication Manager
- Create a CLIENT-PRINCIPAL object
  DEFINE VARIABLE hCP AS HANDLE NO-UNDO.
  CREATE CLIENT-PRINCIPAL hCP.
- Set required attributes
  ASSIGN
    hCP:USER-ID     = "DDuck"
    hCP:LOGIN-TOKEN = BASE64-ENCODE(UUID)
    hCP:DOMAIN      = "LDAP".
- Define optional client account attributes
  hCP:ROLES = "Accountant".
Creating the CLIENT-PRINCIPAL (cont.)
- Define optional application properties (name, value)
  hCP:SET-PROPERTY("SalesOrder", "CRU").
  hCP:SET-PROPERTY("CustInfo", "R").
- Commit the user authentication: seal on success, or record the failure
  hCP:SEAL("Domain key").             /* successful login */
  hCP:AUTHENTICATION-FAILED().        /* or, when the credentials were rejected */
- Read-only access to attributes and properties after the seal
  DEFINE VARIABLE prop AS CHARACTER NO-UNDO.
  prop = hCP:GET-PROPERTY("CustInfo").
Audit Record Generated
Sealing a CLIENT-PRINCIPAL Object
hCP:SEAL("Domain key").
[Diagram: the seal is an HMAC keyed with the domain key]
User Login: Sharing CLIENT-PRINCIPAL Objects
[Diagram: the 4GL application keeps a principal context beside its Authentication Manager and Service Interface; the 4GL core holds SECURITY-POLICY and the application TASR]
Sharing User Login Context
- Define CLIENT-PRINCIPAL storage
  DEFINE TEMP-TABLE PrincipalContext NO-UNDO
    FIELD tokenid AS CHARACTER
    FIELD token   AS RAW
    INDEX tokenidIdx IS PRIMARY tokenid.
- Export the user's access token, keyed by the login-token
  CREATE PrincipalContext.
  ASSIGN
    PrincipalContext.token   = hCP:EXPORT-PRINCIPAL()
    PrincipalContext.tokenid = hCP:LOGIN-TOKEN.
  RELEASE PrincipalContext.
Running a Remote Procedure: Recovering the CLIENT-PRINCIPAL
[Diagram: the principal is recovered from the principal context in the 4GL application and passed through the Authentication Manager and Service Interface; the 4GL core holds SECURITY-POLICY and the application TASR]
Running a Remote Procedure: Setting the CLIENT-PRINCIPAL
[Diagram: the recovered principal is handed to the 4GL core, which holds SECURITY-POLICY and the application TASR]
Retrieving the User Login Context and Setting the User Identity
- Import the user's access token (the login-token value "AXy12" is the slide's sample)
  FIND PrincipalContext WHERE PrincipalContext.tokenid = "AXy12".
  CREATE CLIENT-PRINCIPAL hCP.
  hCP:IMPORT-PRINCIPAL(PrincipalContext.token).
- Set a single application user identity
  SECURITY-POLICY:SET-CLIENT(hCP).
Audit Record Generated
Validating a CLIENT-PRINCIPAL Object
[Diagram: the TASR supplies the domain key used to recompute the HMAC and check it against the object's seal 24VGWYY872ACE]
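The seal of slide 36 and the TASR validation of slide 42, together with the export/import of slides 38 and 41, as an added Python model (not the deck's 4GL code and not OpenEdge's actual seal format): the CLIENT-PRINCIPAL is a dict, the TASR maps domain name to domain key, and the seal is an HMAC-SHA256 over the canonicalized attributes. The field names, the placeholder key and the JSON layout are assumptions made for the example.

```python
import base64
import hashlib
import hmac
import json
import secrets

# Constructed TASR: domain name -> domain key. Placeholder key, not a real one.
TASR = {"LDAP": b"placeholder-ldap-domain-key"}

def canonical(principal: dict) -> bytes:
    """Serialize every attribute except the seal in a fixed order, so sealer and validator HMAC the same bytes."""
    body = {k: v for k, v in principal.items() if k != "seal"}
    return json.dumps(body, sort_keys=True, separators=(",", ":")).encode()

def seal(principal: dict, domain_key: bytes) -> dict:
    """Model of hCP:SEAL(domain-key): attach an HMAC-SHA256 over the attributes."""
    sealed = dict(principal)
    sealed["seal"] = hmac.new(domain_key, canonical(principal), hashlib.sha256).hexdigest()
    return sealed

def validate(principal: dict, tasr: dict) -> bool:
    """Model of the TASR check: look up the domain's key, recompute the seal, compare in constant time."""
    key = tasr.get(principal.get("domain"))
    if key is None or "seal" not in principal:
        return False  # unknown domain or unsealed object is never trusted
    expected = hmac.new(key, canonical(principal), hashlib.sha256).hexdigest()
    return hmac.compare_digest(expected, principal["seal"])

def login(user_id: str, domain: str, roles: str, properties: dict, tasr: dict) -> dict:
    """Build and seal a principal as slides 34-35 do, with a random login-token."""
    cp = {"user_id": user_id, "domain": domain, "roles": roles, "properties": properties,
          "login_token": base64.b64encode(secrets.token_bytes(16)).decode()}
    return seal(cp, tasr[domain])

def export_principal(principal: dict) -> bytes:
    """Model of EXPORT-PRINCIPAL(): the sealed object as opaque bytes for the context store."""
    return json.dumps(principal, sort_keys=True).encode()

def import_principal(raw: bytes, tasr: dict) -> dict:
    """Model of IMPORT-PRINCIPAL followed by SET-CLIENT: refuse a principal whose seal fails."""
    cp = json.loads(raw)
    if not validate(cp, tasr):
        raise PermissionError("CLIENT-PRINCIPAL seal validation failed")
    return cp
```

Any tier that holds the domain key can mint seals, which is why the deck keeps the TASR in the trusted 4GL core rather than on the client.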
Logging Out: Deleting CLIENT-PRINCIPAL Objects
[Diagram: the principal is removed from the principal context in the 4GL application; Authentication Manager and Service Interface above a 4GL core holding SECURITY-POLICY and the application TASR]
Logging out CLIENT-PRINCIPAL Objects and Deletion
- Import the user's access token and remove it from the context store
  FIND PrincipalContext WHERE PrincipalContext.tokenid = "AXy12".
  CREATE CLIENT-PRINCIPAL hCP.
  hCP:IMPORT-PRINCIPAL(PrincipalContext.token).
  DELETE PrincipalContext.
- Log out the client and delete the object
  hCP:LOGOUT().
  DELETE OBJECT hCP.
Audit Record Generated
Agenda
- User authentication drivers
- Authentication basics
- Distributed authentication
- What's in OpenEdge 10.1A
- Using OpenEdge 10.1A
- What's next?
Authentication Manager Architecture
[Diagram, repeated from the basics section: Authentication Manager with Process Control sitting between OpenEdge and the application/end user]
Future Support: More Core Business Services
[Diagram: an OpenEdge Authentication Service exposing Login() and Logout() through Process Control to plug-ins: an OpenEdge plug-in (_user), an LDAP plug-in, and a 4GL plug-in (4GL procedures); a User Context Subsystem backs an OpenEdge User Context Service]
Future Support: More Application Authorization
[Diagram: the 4GL application calls 4GL ACL functions (CanAccess()) and 4GL login functions (Login()) through the Service Interface with a principal; user role support and access control lists; the 4GL core gains an OpenEdge Authentication Subsystem and an Authorization Subsystem beside SECURITY-POLICY]
In Summary
- Secure user authentication is necessary in today's world
- Distributed user authentication presents many challenges
- OpenEdge 10 is providing the answer
Questions?
Thank you for your time!