DB-19: OpenEdge ® Authentication Without the _User Table Stephen Ferguson Progress Software


Page 1

DB-19: OpenEdge® Authentication Without the _User Table

Stephen Ferguson, Progress Software

Page 2

© 2007 Progress Software Corporation. DB-19: OpenEdge Authentication Without The _User Table

Agenda

Authentication in OpenEdge
The authentication process
Identity Management with the OpenEdge AppServer™
Configuration and deployment setup

Page 3

Why User Authentication?

What are the user authentication challenges I can face?

Compliance with security standards and government regulations
Integrate with different authentication systems
OpenEdge Auditing

Page 4

OpenEdge Authentication Advantages

1. Configurable user authentication systems
• Configure which to use at the production site
• Quickly extend support to new systems
• Support multiple authentication systems

2. Use OpenEdge 10.1+ security services
• OpenEdge auditing core service
• OpenEdge database run-time security

Page 5

What's the Value-Add?

What value is provided by OpenEdge 10.1+ security features?

OpenEdge run-time permission checking
• Database table and field permissions
• The ABL does not need to use the _User table

OpenEdge auditing core service
• Secure ABL, SQL, and database utility auditing
• User login/logout and login-sessions
• Faster database record auditing than triggers

Page 6

ABL Database Table and Field Permissions

Order-dependent, comma-separated list of account names
Table and field permissions are stored in the database

Permission Examples

Table permissions:
  _Can-Create   *
  _Can-Read     Steve
  _Can-Write    !Steve,*
  _Can-Delete   Admin

Field permissions:
  _Can-Read     !Group1,!Group2,*
  _Can-Write    *
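As an added example (not from the presentation), here is a small evaluator for the order-dependent _Can-* lists shown above. It assumes left-to-right, first-match evaluation with a leading "!" as deny and "*" as match-all; TABLE_PERMISSIONS and FIELD_PERMISSIONS carry the slide's example values, with the table column mapping assumed from the flattened layout.

```python
# Added example, not part of the presentation. Assumed semantics of an OpenEdge
# _Can-* list: entries are checked left to right, "!" denies, "*" matches any
# account, and the first entry that matches decides. An empty list is treated
# here as deny-all; confirm that against your OpenEdge version's rule for blank
# permission fields before relying on it.

def evaluate(perm_list: str, user_id: str):
    """Return (allowed, deciding_entry) for user_id against a _Can-* list."""
    for raw in perm_list.split(","):
        entry = raw.strip()
        if not entry:
            continue
        deny = entry.startswith("!")
        name = entry[1:] if deny else entry
        if name == "*" or name == user_id:
            return (not deny, entry)       # first match wins, so order matters
    return (False, None)                   # nothing matched: access denied

def can_access(perm_list: str, user_id: str) -> bool:
    return evaluate(perm_list, user_id)[0]

# The slide's permission examples as constructed sample data (column mapping assumed).
TABLE_PERMISSIONS = {"_Can-Create": "*", "_Can-Read": "Steve",
                     "_Can-Write": "!Steve,*", "_Can-Delete": "Admin"}
FIELD_PERMISSIONS = {"_Can-Read": "!Group1,!Group2,*", "_Can-Write": "*"}

def allowed_operations(perms: dict, user_id: str) -> list:
    """Sorted names of the _Can-* permissions that user_id holds."""
    return sorted(p for p, lst in perms.items() if can_access(lst, user_id))

if __name__ == "__main__":
    for who in ("Steve", "Admin", "Joshua"):
        print(who, allowed_operations(TABLE_PERMISSIONS, who))
    # "!Steve,*" denies Steve; "*,!Steve" lets "*" match first and allows him
    print(evaluate("!Steve,*", "Steve"), evaluate("*,!Steve", "Steve"))
```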

Page 7

Agenda

Authentication in OpenEdge
The authentication process
Identity Management with the OpenEdge AppServer™
Configuration and deployment setup

Page 8

The OpenEdge User Identity Challenge

Prior to OpenEdge 10.1A

The _User table was the only trusted user-id source
Almost no ABL applications use the _User table
• No way for an ABL application to tell OpenEdge that it is a trusted authentication source
• No way for OpenEdge to validate that a user-id came from a trusted ABL application source
• Solution: allow ABL applications to become a trusted source of user authentication

Page 9

Authentication and Authorization Process

[Diagram: Authentication and Authorization Process. Components shown: Client with Login Credentials; AppServer Agent containing the Authentication Manager and the Authorization Manager; the Client-Principal produced by the Authentication Manager; Authentication Systems with their User Accounts, reached through Authenticate, Account Check and Get Account Data exchanges; Access Control Data and Process Control used by the Authorization Manager to guard Application Resources.]

Page 10

OpenEdge Authentication Strategies

What are my choices?

OpenEdge Authentication with _User
• Can still connect to the OpenEdge database using -U -P
• Authenticate and set the user-id for a database connection with SETUSERID()

OpenEdge Authentication without _User
• Custom application design and implementation

Page 11

OpenEdge Authentication

Use OpenEdge CLIENT-PRINCIPAL identity extensions
• Use existing ABL authentication modules
• User login-logout and session information
• Single sign-on between ABL products
• Requires:
  • Code additions
  • Conditional configuration and deployment setup

Page 12

Introduced in OpenEdge 10.1A

User identity access token
• CLIENT-PRINCIPAL object

Domain Registries
• Identify trusted user authentication systems
• Used to validate the CLIENT-PRINCIPAL object
• User defined or loaded from the database

OpenEdge session user-id
• Synchronizes OpenEdge DB connection user-ids

Page 13

The CLIENT-PRINCIPAL Object

CLIENT-PRINCIPAL
  Domain:        Application
  User-ID:       Joshua
  Login-token:   BW3G1&2G1836D872
  Login-date:    6/12/07 08:15:33.12
  Login-expires: 6/12/07 19:30.00.00
  State:         Login
  Roles:         Manager
  App-data:      Company=ABC Corp ...
  Seal:          AC63Galx98wBwuuw2

Callouts on the diagram: Authentication System Data; User Account Information; Application Defined Data; Data Integrity Seal; Login-Session ID; User Account Restrictions

Page 14

ABL CLIENT-PRINCIPAL Object

Created and managed by the ABL application
Represents a single user login session
Sets the current user-id for
• The ABL application and all database connections
• An individual OpenEdge database connection
The CLIENT-PRINCIPAL's user-id can be used for run-time permission checking

Page 15

Load Authentication Systems

Modify Application Startup Code - Example

/* Register the trusted domain under its key, then lock the registry */
SECURITY-POLICY:REGISTER-DOMAIN( "Application", cDomToken ) NO-ERROR.
SECURITY-POLICY:LOCK-REGISTRATION() NO-ERROR.

Loads the OpenEdge session Domain Registry
• Cannot use a domain until the registry is locked
• Can only be loaded once per session

Page 16

Load Authentication Systems

Example: load from application tables

/* Register every trusted domain held in the application's own table */
FOR EACH Trusted-Auth-Domain NO-LOCK:
    SECURITY-POLICY:REGISTER-DOMAIN
        (Trusted-Auth-Domain.cDomainName,
         Trusted-Auth-Domain.cDomainKey,
         Trusted-Auth-Domain.cDomainDescr,
         Trusted-Auth-Domain.cDomainType) NO-ERROR.
END.
/* Lock the registry: no domain can be used (or added) before this point */
SECURITY-POLICY:LOCK-REGISTRATION() NO-ERROR.

Page 17

Load Authentication Systems

Modify Application Startup Code

/* Load the session Domain Registry from the database in one operation */
SECURITY-POLICY:LOAD-DOMAINS ("Dictdb") NO-ERROR.

Configure Authentication Systems and Domains in Data Admin
• _sec-authentication-system
• _sec-authentication-domain

Loads the session Domain Registry
• Can only be loaded once per session
• Single operation, more secure

Page 18

Creating a CLIENT-PRINCIPAL

Application User Login Code

CREATE CLIENT-PRINCIPAL hCP.
/* Required user account information */
hCP:DOMAIN-TYPE        = cDefDomType.
hCP:DOMAIN-DESCRIPTION = cDefDomDesc.
hCP:DOMAIN-NAME        = cDefDomainName.
hCP:USER-ID            = cUserid.
hCP:SESSION-ID         = SUBSTRING(BASE64-ENCODE(GENERATE-UUID), 1, 22).
/* Optional user account information */
...

Page 19

Completing the Login

User Login Completion Code

On successful login, start the user login-session
• The CLIENT-PRINCIPAL's access-token becomes read-only

hCP:SEAL( cDomainToken ).

On failed login, invalidate the user login object
• The CLIENT-PRINCIPAL's access-token is invalid
• Logged to the audit files when auditing is enabled

hCP:AUTHENTICATION-FAILED( "Invalid Password" ).

Page 20

Setting the Session User-id

Success Login Code

Set the OpenEdge session's user-id
• All connected databases

SECURITY-POLICY:SET-CLIENT( hCP ) NO-ERROR.

Set the session user-id for a single database
• Equivalent to SETUSERID()

SECURITY-POLICY:SET-DB-CLIENT( hCP, "dbname" ) NO-ERROR.

Page 21

Logging Out

Log out the CLIENT-PRINCIPAL and clean up

/* Invalidate the CLIENT-PRINCIPAL */
hCP:LOGOUT().
/* Clear the session user-id */
SECURITY-POLICY:SET-CLIENT( ? ) NO-ERROR.
DELETE OBJECT hCP.
hCP = ?.

Page 22

Agenda

Authentication in OpenEdge
The authentication process
Identity Management with the OpenEdge AppServer™
Configuration and deployment setup

Page 23

Context Management Basics

Target environment is a client to a stateless or state-free AppServer
• Each interaction is independent

Maintain context between related interactions
Store context between client requests in a shared data store
• All AppServer sessions can read and write it
• The context is held on the server

Page 24

Asserting the Trusted User Identity (who)

Managing context - re-establishing identity

[Diagram: participants are the Client, the Application Server, and the Context Sub-system (Processes, Context Data). Flow shown: Login Credentials -> Create CLIENT-PRINCIPAL -> EXPORT into context -> Session-id returned to the client; later request carrying the Session-id -> Retrieve CLIENT-PRINCIPAL -> IMPORT -> Reset User identity; Logout request carrying the Session-id -> Retrieve CLIENT-PRINCIPAL -> IMPORT -> hCP:LOGOUT -> Purge; Application Server Shutdown -> Purge.]

Page 25

Pushing Identity into Context

Store in context using hCP:SESSION-ID

IF NOT lOk THEN /* invalid or new user */
DO:
    /* Assign values */
    ASSIGN hCP:USER-ID     = pcUser
           hCP:DOMAIN-NAME = cDomainName
           hCP:SESSION-ID  = SUBSTRING(BASE64-ENCODE(GENERATE-UUID), 1, 22).
    /* SEAL the principal */
    lOk = hCP:SEAL(gcDomainKey).
    /* EXPORT the principal into the shared context store */
    ctx.rawCP = hCP:EXPORT-PRINCIPAL().
END.
/* Now reset to the current user identity */
lOk = SECURITY-POLICY:SET-CLIENT(hCP).

Page 26

Re-asserting Identity from Context

Store in context using hCP:SESSION-ID

/* Re-assert identity - from context if possible */
CREATE CLIENT-PRINCIPAL hCP NO-ERROR.
/* IMPORT principal */
lOk = hCP:IMPORT-PRINCIPAL(ctx.rawCP) NO-ERROR.
/* Validate: only a principal in the LOGIN state may become the session user */
IF lOk AND (hCP:LOGIN-STATE <> "LOGIN":U) THEN
DO:
    /* an invalid client-principal was imported; treat it as no identity */
    lOk = FALSE.
END.
/* Set client; lOk reports whether the principal was accepted */
lOk = SECURITY-POLICY:SET-CLIENT(hCP).
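To make the trust chain of slides 12 to 27 concrete (register and lock the Domain Registry, SEAL a CLIENT-PRINCIPAL with the domain key, EXPORT it to context, IMPORT and validate it before SET-CLIENT, LOGOUT), here is an added Python model that is not OpenEdge's own code. It assumes the seal is an HMAC-SHA256 over the account fields keyed by the registered domain key; the class and method names mirror the ABL ones but are the model's own.

```python
import base64, hashlib, hmac, json, uuid
from datetime import datetime, timedelta, timezone

# Added model, not OpenEdge's own code: seal = HMAC-SHA256 over the account
# fields, keyed by the domain key held in the locked Domain Registry.

class DomainRegistry:             # models SECURITY-POLICY:REGISTER-DOMAIN / LOCK-REGISTRATION
    def __init__(self):
        self._keys, self.locked = {}, False
    def register_domain(self, name, key):
        if self.locked:           # the registry can only be loaded once per session
            raise RuntimeError("registry already locked")
        self._keys[name.lower()] = key
    def lock_registration(self):
        self.locked = True
    def key_for(self, name):
        if not self.locked:       # a domain cannot be used until the registry is locked
            raise RuntimeError("registry not locked")
        return self._keys.get(name.lower())

class ClientPrincipal:
    def __init__(self, user_id, domain, roles="", hours=8):
        self.user_id, self.domain, self.roles = user_id, domain, roles
        # SESSION-ID as on the slides: first 22 characters of base64(uuid)
        self.session_id = base64.b64encode(uuid.uuid4().bytes).decode()[:22]
        self.login_expires = (datetime.now(timezone.utc) + timedelta(hours=hours)).isoformat()
        self.login_state, self.seal_hex = "UNSEALED", None
    def _payload(self):           # every field the seal protects
        return json.dumps([self.user_id, self.domain, self.roles,
                           self.session_id, self.login_expires]).encode()
    def seal(self, domain_key):   # hCP:SEAL(cDomainToken): the token becomes read-only
        self.seal_hex = hmac.new(domain_key, self._payload(), hashlib.sha256).hexdigest()
        self.login_state = "LOGIN"
        return True
    def authentication_failed(self, reason):   # hCP:AUTHENTICATION-FAILED("...")
        self.login_state, self.seal_hex, self.failure_reason = "FAILED", None, reason
    def logout(self):             # hCP:LOGOUT(): the token can no longer be re-asserted
        self.login_state, self.seal_hex = "LOGOUT", None
    def export_principal(self):   # hCP:EXPORT-PRINCIPAL(): raw form kept in context
        return json.dumps(vars(self))
    @classmethod
    def import_principal(cls, raw, registry):  # hCP:IMPORT-PRINCIPAL(ctx.rawCP)
        cp = cls.__new__(cls)
        vars(cp).update(json.loads(raw))
        key = registry.key_for(cp.domain)
        if key is None or cp.seal_hex is None:   # unknown domain or never sealed
            return None
        expected = hmac.new(key, cp._payload(), hashlib.sha256).hexdigest()
        if not hmac.compare_digest(expected.encode(), str(cp.seal_hex).encode()):
            return None           # fields were altered after sealing
        if datetime.fromisoformat(cp.login_expires) < datetime.now(timezone.utc):
            cp.login_state = "EXPIRED"
        return cp

def set_client(cp):               # SECURITY-POLICY:SET-CLIENT(hCP): accepts LOGIN state only
    return cp is not None and cp.login_state == "LOGIN"
```

A copy exported before logout() still verifies under this model, which is why slide 27 also deletes the context entry keyed by SESSION-ID instead of relying on the token state alone.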

Page 27

Clean-up - Logging out the User

Log out at the true end of the session
Only do a logout when the user really changes
• Not with each Application Server roundtrip!

IF VALID-HANDLE(hCP) THEN
DO:
    /* Log out */
    IF hCP:LOGIN-STATE = "LOGIN":U THEN hCP:LOGOUT() NO-ERROR.
    /* also delete context using hCP:SESSION-ID */
    /* Clear the session */
    SECURITY-POLICY:SET-CLIENT( ? ) NO-ERROR.
    DELETE OBJECT hCP NO-ERROR.
    hCP = ?.
END.

Page 28

Primary User Authentication APIs

LoginClient ( INPUT  cUserid    AS CHAR,
              INPUT  rAuthToken AS RAW,
              [….,]
              OUTPUT cSessionId AS CHAR ).

AnyProcedure ( […,]
               INPUT cSessionId AS CHAR ).

LogoutClient ( INPUT cSessionId AS CHAR ).

Page 29

Managing CLIENT-PRINCIPAL Context

Faster to import the CLIENT-PRINCIPAL from context than to re-create and re-seal it
Be explicit about
• Login (SEAL)
• Logout

Page 30

Agenda

Authentication in OpenEdge
The authentication process
Identity Management with the OpenEdge AppServer™
Configuration and deployment setup

Page 31

Enabling an Existing Application

Steps to enable 10.1+ authentication features

1. Enable OpenEdge database 10.1+ features
• For migrated databases: proutil dbname -C updateschema
2. Set database options
3. Create authentication system domains and domain types

Page 32

Setting Database Options

Data Admin → Admin → Database Options
• Synchronize Registries
• ABL run-time permission checking

Page 33

Authentication System Domains and Types

Data Admin → Admin → Security → Authentication System Maintenance

Page 34

In Summary

Define your own trusted authentication systems
No longer tied to _User
Extensible user authentication provides core functionality
OpenEdge 10.1+ gives you the tools to migrate now

Page 35

For More Information, go to…

PSDN
• Implementing the OpenEdge Reference Architecture: 8: Context Management
• OpenEdge Principals

Progress eLearning Community:
• What's New In OpenEdge 10.1: Auditing

Documentation:
• Core Business Services

Page 36

Relevant Exchange Sessions

DB-8: Jump Starting Your OpenEdge Auditing Solution
DB-14: OpenEdge run-time database security revealed
ARCH-4: A Stateful Application in a Stateless World

Page 37

Questions?

Page 38

Thank you for your time
