513: Barbarians at the Gate
Roy Ellis, ellis@progress.com
Agenda
§ What is the OpenEdge Authentication Gateway
§ Installing and configuring the OpenEdge Authentication Server
§ Configuring and Enabling the Database for the OpenEdge Authentication Gateway
§ Additional Steps
§ The Login Process
And now, for something completely different…
Barbarians at the Gate
OpenEdge Authentication Gateway is a set of features that ensure trusted identity management. The right users get the right access to the right information.
What are the features?
§ The OpenEdge Authentication Server
§ Database enabled to enforce use of OpenEdge Authentication Server
§ OpenEdge Client-Principal creation and verification
§ Client-Server key verification
§ Tools to help configure and debug
Security before OpenEdge Authentication Gateway
ABL and SQL database security handled by the clients
ABL & SQL Client
// Directly connects to the db
// Code-enforced authentication
// Code-enforced authorization
Rogue ABL & SQL Clients
// I'm in the database, awesome!
Installing and configuring the OpenEdge Authentication Server
Install the OpenEdge Authentication Gateway Server
[Diagram: ABL Clients and SQL Clients, Application Server, OpenEdge Authentication Gateway Server (STS), OpenEdge Database]
OpenEdge Authentication Server
§ The OpenEdge Authentication Gateway Server is a PASOE application
• So you manage and configure much of the server like any PASOE instance
• If you purchase a PASOE production license you can get an OE Auth Gateway license
§ Installation
• Install on a separate machine or with the database
§ Start and verify that the Authentication Server is working
• Test with the 'stsclientutil' tool
– stsclientutil -url https://hostname:port -nohostverify -cmd ping
– stsclientutil -url https://hostname:port -nohostverify -cmd authenticate -user test -password test
Connect to a 3rd Party authentication service
[Diagram: ABL Clients and SQL Clients, Application Server, OpenEdge Authentication Gateway Server (STS) backed by a 3rd Party service, OpenEdge Database]
OpenEdge Authentication Server - continued
§ Configure OpenEdge Authentication Server to use your 3rd party authentication product
• LDAP
• Active Directory
• Operating System
• Users file (default set up for quick validation)
§ How?
• Configure sts.properties
• Configure domains in the domains.json
• Create an encrypted keystore with domains access code
Configuring and enabling the database for the OpenEdge Authentication Server
Configure your database to use OpenEdge Authentication Gateway Server
[Diagram: ABL Clients and SQL Clients, Application Server, OpenEdge Authentication Gateway Server (STS) backed by a 3rd Party service, OpenEdge Database]
Configure the OpenEdge Database
§ Test the connection from the database machine to the OpenEdge Authentication Server
• stsclientutil -url https://hostname:port -nohostverify -cmd ping
• stsclientutil -url https://hostname:port -nohostverify -cmd authenticate -user user@domain -password password
§ Add a security domain
• Add at least 2 security administrators in the security domain
• Including one that matches your LDAP, Active Directory, or Operating System
§ Add domains that match the domains in your OpenEdge Authentication Server domains.json
§ Enter the access code for the domain that matches the domains keystore in your OpenEdge Authentication Server
Configure the OpenEdge Database - continued
§ Add the OpenEdge Authentication Server URL to the database
• stsurlutil update -url https://hostname:port -ssl -nohostverify -db database -dbparameters
§ Enable the database to use the OpenEdge Authentication Gateway
• proutil database -C enableauthgateway
§ Start the database
• proserve dbname -nohostverify -S -H
§ Verify you can log into the database
• mpro dbname -U user@domain -P password
Additional steps
Create a Server Key and install Client Keys
[Diagram: ABL Clients and SQL Clients, Application Server, OpenEdge Authentication Gateway Server (STS) over HTTPS, backed by a 3rd Party service, OpenEdge Database]
More Security Features
§ Create a web server certificate with valid hostname
• Now you can stop using -nohostverify
§ Create a client-server key set for the OpenEdge Authentication Server
§ Server key
• stskeyutil create -url https://hostname:port
– Enter password
– Enter access-code
• Modify sts.properties
– Enable server key
– Set path and file name
– Enter access-code
• Restart OpenEdge Authentication Server
More Security Features - continued
§ Install the client key on the database machine
• Copy the server key to the database machine
• Install the client key from the server key
– stskeyutil install -url https://hostname:port -file serverkeyname
– Enter password when prompted
§ Test the OpenEdge Authentication Server connection using stsclientutil
§ Delete the server key from the client/database machine
§ Copy the new web certificate to the database machine
§ Restart your database
§ Follow the steps above to add the client key to all client installs
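The database-side checklist from "Configure the OpenEdge Database" and "More Security Features", as an added dry-run shell script; this is not from the slides or from Progress. It assumes a placeholder gateway URL, database name and security administrator login, that the sts*, proutil, proserve and mpro tools are on PATH from the OpenEdge install, and it models with a HOSTVERIFY switch the moment a certificate with a valid hostname lets you drop -nohostverify.

```shell
#!/bin/sh
# Added example, not from the slides: dry-run checklist for the gateway setup commands.
# Placeholders: gateway URL, database name, security administrator (user@domain).
STS_URL="${STS_URL:-https://sts.example.com:8443}"
DBNAME="${DBNAME:-mydb}"
ADMIN="${ADMIN:-secadmin@corp}"
DRY_RUN="${DRY_RUN:-1}"        # 1 = print each command, 0 = execute it
HOSTVERIFY="${HOSTVERIFY:-0}"  # 0 until the web server certificate has a valid hostname

# Emit -nohostverify only while certificate hostname checking is still disabled.
hostverify_flag() {
  [ "$HOSTVERIFY" = "1" ] || printf '%s' '-nohostverify'
}

# Print the command line (dry run) or execute it.
run() {
  if [ "$DRY_RUN" = "1" ]; then printf '%s\n' "$*"; else "$@"; fi
}

# Configure the OpenEdge Database: reachability and credential check from the db host.
# The password lands on the command line, as on the slides; fine for a quick check only.
sts_ping() { run stsclientutil -url "$STS_URL" $(hostverify_flag) -cmd ping; }
sts_authenticate() {
  run stsclientutil -url "$STS_URL" $(hostverify_flag) -cmd authenticate -user "$ADMIN" -password "$1"
}

# Register the gateway URL in the database, enable the gateway, start, and log in.
db_register_url() { run stsurlutil update -url "$STS_URL" -ssl $(hostverify_flag) -db "$DBNAME"; }
db_enable_gateway() { run proutil "$DBNAME" -C enableauthgateway; }
db_start() { run proserve "$DBNAME" $(hostverify_flag) -S "$1" -H "$2"; }  # $1 port, $2 host
db_login() { run mpro "$DBNAME" -U "$ADMIN" -P "$1"; }

# More Security Features: install the client key from the server key copied to this host.
db_install_key() { run stskeyutil install -url "$STS_URL" -file "$1"; }

# Once the certificate carries a valid hostname, every command generated from here on
# drops -nohostverify; that is the state to run in permanently.
enable_hostverify() { HOSTVERIFY=1; }

# Dry-run walkthrough: prints the commands in the order the slides give them.
sts_ping
sts_authenticate 'changeme'
db_register_url
db_enable_gateway
db_start 20000 dbhost.example.com
enable_hostverify
sts_ping
```

Set DRY_RUN=0 to execute the same sequence on a real database host; leave HOSTVERIFY=1 after the certificate step so no later command silently re-enables -nohostverify.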
Limit database access through connection roles
[Diagram: ABL Clients and SQL Clients, Application Server, OpenEdge Authentication Gateway Server (STS) over HTTPS, backed by a 3rd Party service, OpenEdge Database]
Even more security features
§ Add connection role authorization to database
§ Enable
• stsconnroleutil enable -db dbname -U user@domain -P password
– Now only user@domain can connect to the database
§ Add another user
• stsconnroleutil grantuser -grantee anotheruser@domain -db dbname -U user@domain -P password
§ Add a list of users
• stsconnroleutil grantuser -file addusers.list -db dbname -U user@domain -P password
Even more security features - continued
§ Add policies
• Using 4GL code refine policies even further
§ Add events
• Fire events using 4GL code
§ Invoke -processid
• Use current login user
• mpro -db dbname -OSUser -domain
The login process
The OpenEdge Authentication Gateway Process
[Diagram sequence, eight slides: ABL Clients and SQL Clients, Application Server, OpenEdge Authentication Gateway Server (STS) over HTTPS, backed by a 3rd Party service, OpenEdge Database. The client authenticates through the STS, which returns a client-principal (CP); the CP is passed from the Application Server to the database on _db.connect and verified there.]
Summary
OpenEdge Authentication Gateway
§ Allows you to use industry standard authentication products
• Separation of duties
– Someone else handles users and passwords
• It's their job to be thinking about securing the users and passwords
§ Takes creating and validating client principals out of the ABL
§ Gives database administrators the ability to manage user authorization
§ Auditing via Events
§ Detailed Authorization
§ Never have to write authentication code again!
Slides: 35