dev-09: user authentication in an openedge™ 10.1 distributed computing environment michael jacobs...

DEV-09:User Authentication in an OpenEdge™ 10.1 Distributed Computing Environment

Michael JacobsDevelopment Architect

2 DEV-09: User Authentication in OpenEdge 10.1 © 2005 Progress Software Corporation

Agenda

User authentication drivers Authentication basics What’s in OpenEdge 10.1A Distributed authentication Using OpenEdge 10.1A What’s next?


D I S C L A I M E R

Under Development

This talk includes information about potential future products and/or product enhancements.

What I am going to say reflects our current thinking, but the information contained herein is preliminary and subject to change. Any future products we ultimately deliver may be materially different from what is described here.

D I S C L A I M E R


Agenda



User Authentication Drivers

Hackers, Crackers, Rage, and Corruption Government regulations

– Sarbanes-Oxley (SOX)– CFR Part 11– HIPAA

Customer security policy requirements Migration to n-tier application architecture

– OpenEdge Reference Architecture– Service Oriented Architecture


Distributed User Authentication Challenges

Prevent identity theft– Login credentials

– Login session Multiple authentication systems

– Existing customer systems

– Future authentication systems Multiple service interface support Deployment time configuration



Agenda


Application Security Fundamentals

AUTHENTICATION

AU

TH

OR

IZA

TIO

NA

UD

ITIN

G

AU

DIT

ING

APPLICATIONSECURITY


Balancing Authentication Costs

$ Technology

$ Development

$ Support

$ Liability

$ Data

$ Support

Customer

Product


Au

then

tica

tio

nP

lug

-in

Su

bsy

stem

Authentication Manager Architecture

AuthenticationManager

ProcessControl

LDAPLDAPLDAPPlug-in

4GLPlug-in

4GLProcedures

4GLProcedures

ProgressPlug-in _user_user

API

User ContextSubsystem

Au

dit

ing

OpenEdge

AP/End user


ProcessControl

ProcessControl

Authentication Process Control

Principal

AuthenticationSystem


UserAccounts

UserAccounts

Authenticate



UserAccounts

UserAccounts



User AccountsUser Accounts

Account Check

Get Account Data

Application ResourcesApplication ResourcesAccessControl

Data

AccessControl

Data

AuthorizationManager


LoginCredentials

LoginCredentials

AppServer Agent

Client



Single User Account Systems



UserAccounts

UserAccounts












True Single Sign-On



UserAccounts

UserAccounts









TrustedDomainsTrusted

DomainsTrusted

DomainsTrusted

Domains

DomainAccess Key


What’s in a Principal

PRINCIPALDomain: LDAPState: LoginUser-ID: DDuckLogin-token: BW3G1&2G1836D872Login-date: 3/12/05 08:15:33.12Login-expires: 3/12/05 19:30.00.00Roles: AccountantApp-data: Company=Acme ...

AuthenticationSystem Data

User Account Data

User Account Restrictions

Application Defined Data



Agenda


OpenEdge 10.1A Presents!

CLIENT-PRINCIPAL 4GL Object Trusted Authentication System Registry

(TASR) Database controlled authentication options Language extensions that use CLIENT-

PRINCIPAL objects Optional run-time OpenEdge database

permission checking


4GL CLIENT-PRINCIPAL Object

Represents a single user’s login session Share a single user authentication

– Between application servers

– Between application server agents Supersedes the SETUSERID() function Set the current user-id for:

– The 4GL Application

– A OpenEdge database connection [ & permissions] Triggers OpenEdge auditing record creation


Trusted Authentication System Registry (TASR)

Used to validate CLIENT-PRINCIPAL– OpenEdge client to AppServer Agent– 4GL Client to OpenEdge database

Supports multiple domains Uses domain’s key for validation Configurable via OpenEdge database

options table Loaded from OpenEdge database Domain

Registry table


4GL Language Extensions

SECURITY-MANAGER object– SET-CLIENT() method

– LOAD-DOMAINS() method UUID function SETDBCLIENT() function HEXBINARY-ENCODE() function


Release 10.1 Authentication Components

DB Options

OpenEdgeDatabase

Domain Registry

4GL Client, AppServer,WebSpeed Agent

4GL Core


Principal

SECURITY-POLICY

ApplicationTASR

4GL Application

ServiceInterface

DatabaseTASR

Database Connection

Client Login Session

Application Domains

Database Domains

Authentication Options

Domain Configuration


User authentication issues Authentication basics What’s in OpenEdge 10.1A Distributed authentication Using OpenEdge 10.1A What’s next?

Agenda

Sample Image:

Please replace it

(Insert, Picture, …)


ClientClientClientClient

Benefits of the State-Free AppServer

AppServerAppServer

Agent

Agent

Agent

AppServerAppServer

Agent

Agent

Agent

ClientClient


ClientClientClientClient

Benefits of the State-Free AppServer

AppServerAppServer

Agent

Agent

Agent

AppServerAppServer

Agent

Agent

Agent

ClientClient

ClientClient

AdapterAdapter

SOA


AppServerAppServer

Agent

Agent



ServiceInterface

ServiceInterface

Problem with User Authentication in a State-Free AppServer

ClientClient

LoginLogin

PrincipalPrincipal




AppServerAppServer

Agent

Agent



ServiceInterface

ServiceInterface

Problem with User Authentication in a State-Free AppServer

ClientClient ProcA

?

PrincipalPrincipal


What’s a Login-Token


Seal: 24VGWYY872ACE

Login Token


AppServerAppServer

Agent

Agent



ServiceInterface

ServiceInterface

User Authentication in a State-Free Distributed System

ClientClient

Login

Principal ContextPrincipal Context

Principal

Principal




AppServerAppServer

Agent

Agent



ServiceInterface

ServiceInterface


Principal

State-Free User Context Management

ClientClientProcA


AppServerAppServer

Agent

Agent



ServiceInterface

ServiceInterface


Principal

State-Free User Context Management

ClientClient

ProcB


User authentication drivers Authentication basics Distributed authentication What’s in OpenEdge 10.1A Using OpenEdge 10.1A What’s next?

Agenda

Sample Image:

Please replace it

(Insert, Picture, …)


DB Options

OpenEdgeDatabase

Domain Registry

Configuring Single CLIENT-PRINCIPAL Context Mode

Data Administration

Utility

4GL Core


SECURITY-POLICY

ApplicationTASR

4GL Application

ServiceInterface

DatabaseTASR

Database Connection


Configuring the SECURITY-POLICY TASR

SECURITY-POLICY:LOAD-DOMAINS(“tasrdb”).

3.Load application TASR at run-time

1.Configure TASR domainsa. Domain name: LDAP

b. Domain key: “Domain key”

2. Configure databases to use application’s TASR


CLIENT-PRINCIPAL

4GL Core


SECURITY-POLICY

ApplicationTASR

4GL Application

ServiceInterface

User Login: Creating the CLIENT-PRINCIPAL

Principal


LoginCredentials

LoginCredentials

DB Permissions

OpenEdgeDatabase

Data TablesDatabase

TASR

Database Connection


Creating the CLIENT-PRINCIPAL in the Authentication Manager

1.Create a CLIENT-PRINCIPAL object

CREATE CLIENT-PRINCIPAL hCP.

2.Set required attributeshCP:USER-ID = “DDuck”.hCP:LOGIN-TOKEN = BASE64-ENCODE(UUID).hCP:DOMAIN = “LDAP”.

hCP:ROLES = “Accountant”.

3.Define optional client account attributes


Creating the CLIENT-PRINCIPAL (cont)4.Define optional application properties

hCP:SET-PROPERTY(“SalesOrder=CRU”).hCP:SET-PROPERTY(“CustInfo=R”).

hCP:SEAL(“Domain key”).

5.Commit the user authentication *

* Audit Record Generated

hCP:AUTHENTICATION-FAILED.

prop = hCP:GET-PROPERTY(“CustInfo”).

6.Read-only access to attributes and properties


Sealing a CLIENT-PRINCIPAL Object


(HMAC)

Seal: 24VGWYY872ACE

Domain AccessKey

hCP:SEAL(“Domain key”).


CLIENT-PRINCIPAL

4GL Core


SECURITY-POLICY

ApplicationTASR

4GL Application

ServiceInterface

User Login:Sharing CLIENT-PRINCIPLAL Objects


Principal

Principal

DatabaseTASR

Database Connection DB Permissions

OpenEdgeDatabase

Data Tables


Sharing User Login Context

CREATE PrincipalContext.token = hCP:EXPORT-PRINCIPAL.tokenid = hCP:LoginToken.RELEASE PrincipalContext.

Define CLIENT-PRINCIPAL storageDEFINE TEMP-TABLE PrincipalContext FIELD tokenid AS CHARACTER FIELD token AS RAW INDEX tokenidIdx IS PRIMARY tokenid.

Export the user’s access token


CLIENT-PRINCIPAL

4GL Core


4GL Application

ServiceInterface

Running a Remote Procedure:Recovering the CLIENT-PRINCIPAL

Principal ContextPrincipal ContextPrincipal

Principal

SECURITY-POLICY

ApplicationTASR

DatabaseTASR


OpenEdgeDatabase

Data Tables


CLIENT-PRINCIPAL

4GL Core


4GL Application

ServiceInterface

Running a Remote Procedure:Setting the CLIENT-PRINCIPAL


Principal

Principal

SECURITY-POLICY

ApplicationTASR

DatabaseTASR


OpenEdgeDatabase

Data Tables


Retrieving the User Login Context and Setting the User Identity

1. Import the user’s access tokenFIND PrincipalContext WHERE tokenid = “AXy12…”hCP:IMPORT(token).

SECURITY-POLICY:SET-CLIENT(hCP).

2.Setting a single application user identity *



Validating a CLIENT-PRINCIPAL Object


(HMAC)

Seal: 24VGWYY872ACE

TASR

== T/F

Domain AccessKey


CLIENT-PRINCIPAL

4GL Core


4GL Application

ServiceInterface

Logging Out:Deleting CLIENT-PRINCIPLAL Objects


Principal

SECURITY-POLICY

ApplicationTASR

DatabaseTASR


OpenEdgeDatabase

Data Tables


Logging out CLIENT-PRINCIPAL Objects and Deletion

hCP:LOGOUT(hCP).

2.Logout a client *


1. Import the user’s access tokenFIND PrincipalContext WHERE tokenid = “AXy12…”hCP:IMPORT(token).DELETE PrincipalContext.


User authentication drivers Authentication basics Distributed authentication What’s in OpenEdge 10.1A Using OpenEdge 10.1A What’s next?

Agenda


Au

then

tica

tio

nP

lug

-in

Su

bsy

stem

Authentication Manager Architecture


ProcessControl

LDAPLDAPLDAPPlug-in

4GLPlug-in

4GLProcedures

4GLProcedures

ProgressPlug-in _user_user

API


Au

dit

ing

OpenEdge

AP/End user


Au

then

tica

tio

nP

lug

-in

Su

bsy

stem

Future Support:More Core Business Services

OpenEdgeAuthentication

Service

ProcessControl

LDAPLDAPLDAPPlug-in

4GLPlug-in

4GLProcedures

4GLProcedures

OpenEdgePlug-in _user_user

API


Au

dit

ing

OpenEdge UserContext Service

Login()Logout()

OpenEdge


Future Support:More Application Authorization

User Roles

OpenEdgeDatabase

Access Control Lists

4GL Core

SECURITY-POLICY

4GL Application

ServiceInterface

AuthorizationSubsystem

CanAccess(…).

OpenEdgeAuthentication

Subsystem

Login (…).

Principal User Role Support

Access Control Lists

4GL ACLFunctions

4GL Login Functions


In Summary

Secure user authentication is necessary in today’s world

Distributed user authentication presents many challenges

OpenEdge 10 is providing the answer


Questions?


Thank you for your time!

dev-09: user authentication in an openedge™ 10.1 distributed computing environment michael jacobs...

Documents

single user authentication

gl application

current userid

current thinking

setuserid functionset