MOVE-14: Migrating Your 4GL Authentication System to OpenEdge® 10.1A and Beyond
Michael Jacobs, Development Architect
© 2006 Progress Software Corporation. MOVE-14: Migrating Your Authentication System to OpenEdge 10.1A and Beyond

Agenda
(This presentation includes annotations with additional complementary information.)
1. Why Migrate Your User Authentication
2. OpenEdge Security Systems
3. OpenEdge 10.1A User-id Management
4. Migrating to 10.1A User-id Management
Why Migrate Your User Authentication
What are the user authentication challenges I can face?
• Compliance with security standards & government regulations
• Integration with different authentication systems
• Single sign-on
• Auditing
Why Migrate Your User Authentication
Does this apply to my application? It does if you or your customer does business with:
• US medical services (HIPAA)
• Credit card processing (CISP)
• International finance (Basel II & SOX)
• International computing practices (ISO 17799)
• Business in California, USA (SB 1386)
• US & EU governments (FEA standard)
• People's private data (Gramm-Leach-Bliley)
• British legal system (BIP 0008-1)
• Business in the EU (EU Data Protection Directive)
Why Migrate Your User Authentication
What technologies may my application have to support?
• Strong user authentication systems
  – Strong password-based systems
  – Hardware tokens
  – Smart cards (digital certificates)
• Microsoft workstation single sign-on
• Single source of user authentication
• Federated user identities between partners
Why Migrate Your User Authentication
What do I need to change in my application?
1. Configurable user authentication systems
  – Configure which one to use at the production site
  – Quickly extend support to new systems
  – No application code changes required
2. Use OpenEdge 10.1A security services
  – OpenEdge auditing core service
  – OpenEdge database run-time security
Why Migrate Your User Authentication
What value is provided by OpenEdge 10.1A security features?
• OpenEdge auditing core service
  – Secure ABL, SQL & database utility auditing
  – User login/logout and login-sessions
  – Faster database record auditing than triggers
• OpenEdge run-time permission checking
  – Database table & field permissions
• No, you DO NOT need to use the _User table
OpenEdge 10.0 Database Compile-time Security
[Diagram: ABL application -> ABL run-time -> OpenEdge database. CONNECT db -U root authenticates the connection against the _User table accounts; the connection user-id ("root") is then checked against the table & field CAN-* permissions when FIND Customer ... is compiled. Components shown: _User table accounts (authentication), connection user-id, table & field CAN-* permissions (access control).]
OpenEdge 10.0 Application Run-time Security
[Diagram: the database is connected with a single _User account ("root", CAN-* permissions), which bypasses database authorization. The application performs its own authentication (Login.p: RUN doLogin("fred")) against application user-account tables, and its own authorization (ViewCustomer.p: IF CAN-DO("fred") ... FIND Customer ...) against application user-privilege tables.]
OpenEdge 10.1A Security Features
[Diagram: the same application as on the previous slide with two 10.1A services added. The OpenEdge run-time access-control service checks table & field permissions at run time, and the OpenEdge auditing service records audit data for the DB connection, the session and the application. A connection that fails run-time authorization is disconnected ("DISCONNECT!").]
OpenEdge 10.1A Identity Management
What is new in Release 10.1A
• User Identity Access Token: the CLIENT-PRINCIPAL handle
• Synchronize the OpenEdge and application user-id
  – Domain registries
  – SECURITY-POLICY:SET-CLIENT( )
  – SET-DB-CLIENT( ), equivalent to SETUSERID( )
  – Database-hosted ABL client security options
• Progress session user-id: synchronizes the OpenEdge DB connection user-ids
User Identity Access Token
"Proof of an authenticated user's information, including the domain that authenticated them, the roles or privileges they hold, and miscellaneous user-context."

Property                  Example value
USER-ID                   Fred
DOMAIN-NAME               App-accounts
SESSION-ID                AB25DH398E23...
ROLES                     user,admin
LOGIN-STATE               LOGIN
STATE-DETAIL              Logged in
DOMAIN-TYPE               ABL Procedure
LOGIN-HOST                NBFFlintstone
CLIENT-TTY                .NETOpenClient
. . .
<User-defined-property>   UI.advanced=YES
CLIENT-PRINCIPAL Operations
What can a CLIENT-PRINCIPAL do for you?
• Automatic user login auditing
  – SEAL( ) [successful login]
  – LOGOUT( ) [logout]
  – AUTHENTICATION-FAILED( ) [failed login]
  – Login-sessions [login session-id context]
• Synchronize the application user login
  – With the Progress session and DB connection
  – Between multiple Progress sessions: AppServer agents, load-balanced AppServers, WebSpeed agents
OpenEdge 10.1A Identity Management
[Diagram: the ABL session now carries a session user-id and a domain registry, and each OpenEdge database carries a matching domain registry and trust configuration alongside its _User accounts and audit data. The application authenticates the user, builds a CLIENT-PRINCIPAL and sets the session user-id; the session user-id sets the DB connection user-id, and the auditing service records the session user-id. In this picture the database connection is still made as "root".]
OpenEdge 10.1A Identity Management
[Diagram: the same components as on the previous slide, but the link from the session user-id to the DB connection user-id is crossed out (X); the connection user-id stays "root".]
Use-case Assumptions: Case 1
Existing client-server application
• Uses application security (tables)
• Connects to the DB using a single _User account
• Not using OpenEdge table & field permissions
Short-term migration goals
• Use the OpenEdge auditing core service
Medium-term goals
• Use run-time OpenEdge database security
• OpenEdge RA compliant application
OpenEdge 10.1A Security Configuration
[Diagram: the Case 1 configuration. The session and database domain registries are kept in step ("Synchronize Registries"), and the auditing service records the session user-id ("Audit session user-id").]
Migrate Existing Application
Step 1: Enable 10.1A Security Features
Enable the OpenEdge database 10.1A features:
• Security without OpenEdge Auditing:
  proutil db -C updateschema
• Security with OpenEdge Auditing:
  vi AuditAreas.st
  prostrct add db AuditAreas.st
  proutil db -C enableauditing ...
• Then, in the Data Administration utility: Admin -> Security -> Edit Auditing Privileges
Migrate Existing Application
Step 2: Set Client Security & Auditing Options
In the Data Administration utility, Admin -> Database Options, set:
• Audit session user-id
• Synchronize Registries
• ABL run-time permission checking
Migrate Existing Application
Step 3: Define Session-global Variables
Define global session current-user storage:
DEF NEW GLOBAL SHARED VAR g_hCP AS HANDLE.
Define the global default authentication domain:
DEF NEW GLOBAL SHARED VAR g_cDefDomName AS CHAR.
DEF NEW GLOBAL SHARED VAR g_cDefDomType AS CHAR.
DEF NEW GLOBAL SHARED VAR g_cDefDomDesc AS CHAR.
DEF NEW GLOBAL SHARED VAR g_cDomToken AS CHAR.
ASSIGN g_cDefDomName = "OpenEdge"
       g_cDefDomType = "ABLApplication"
       g_cDefDomDesc = "Application user accounts".
ASSIGN g_cDomToken = BASE64-ENCODE(GENERATE-PBE-KEY(g_cDefDomType)).
Note that g_cDomToken is the domain access code used to SEAL( ) every CLIENT-PRINCIPAL, so it is effectively a shared secret: deriving it from a fixed, guessable string such as the domain type keeps the slides simple, but any code that knows that string can seal a token for any user-id. A production application should derive it from a secret that is not visible in the source.
OpenEdge 10.1A Application Initialization
[Diagram: Startup.p connects the database, calls SETUSERID( ... ) so the connection user-id is fixed as "root" with CAN-* permissions, and loads the registries. SETUSERID( ) locks out the session-to-connection user-id synchronization (X).]
Migrate Existing Application
SECURITY-POLICY:REGISTER-DOMAIN( “OpenEdge”,
g_cDomToken ) NO-ERROR.
SECURITY-POLICY:LOCK-REGISTRY() NO-ERROR.
Load Progress session Domain Registry• Cannot use domain until locked
Step 4: Modify Application Startup Code
SETUSERID ( “root”, pwd, “DICTDB” ).
Lock database connection user-id• Remove for run-time permission checking
© 2006 Progress Software Corporation26MOVE-14: Migrating Your Authentication System to OpenEdge 10.1A and Beyond
OpenEdge 10.1A User Login & Logout
[Diagram: Login.p logs "fred" in and Logout.p logs out. The session user-id becomes "fred" and is audited as such, while the DB connection user-id stays "root : CAN-*" because SETUSERID( ) locked it (X).]
Migrate Existing Application
Step 5: Modify Application User Login Code
Create a CLIENT-PRINCIPAL object:
CREATE CLIENT-PRINCIPAL g_hCP.
/* Required user account information */
g_hCP:USER-ID = "fred".
g_hCP:DOMAIN-NAME = g_cDefDomName.
g_hCP:SESSION-ID = SUBSTRING(BASE64-ENCODE(GENERATE-UUID), 1, 22).
/* Optional user account information */
g_hCP:DOMAIN-TYPE = g_cDefDomType.
g_hCP:DOMAIN-DESCRIPTION = g_cDefDomDesc.
Migrate Existing Application
Step 6: Modify User Login Completion Code
On successful login, start the user login-session (the CLIENT-PRINCIPAL's access-token is now read-only):
g_hCP:SEAL( g_cDomToken ).
On failed login, invalidate the user login object (the CLIENT-PRINCIPAL's access-token is now invalid):
g_hCP:AUTHENTICATION-FAILED( "Invalid Password" ).
Migrate Existing Application
Step 7: Modify Successful Login Code
Set the Progress session's user-id:
DEF VAR lStatus AS LOGICAL NO-UNDO.
lStatus = SECURITY-POLICY:SET-CLIENT( g_hCP ) NO-ERROR.
IF ( NOT lStatus ) THEN DO:
    ...
END.
Migrate Existing Application
Step 8: Modify Logout Code
Log out the CLIENT-PRINCIPAL and clean up:
g_hCP:LOGOUT().                                      /* invalidates the CLIENT-PRINCIPAL */
lStatus = SECURITY-POLICY:SET-CLIENT( ? ) NO-ERROR.  /* clears the session user-id */
DELETE OBJECT g_hCP.
g_hCP = ?.
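The following is an added worked example, not code from the presentation, that puts Steps 3 through 8 together in one procedure file for the Case 1 client-server application. The AuthenticateUser function and the "fred"/"secret" credentials are hypothetical stand-ins for the application's own user tables; the globals, domain values, methods and SET-CLIENT calls are the ones named in the steps above.

```abl
/* login-flow.p: added example (not the presentation's code).
   Assumptions: AuthenticateUser is a hypothetical stand-in for the
   application's credential check; "fred"/"secret" is a constructed sample. */

DEFINE NEW GLOBAL SHARED VARIABLE g_hCP         AS HANDLE    NO-UNDO.
DEFINE NEW GLOBAL SHARED VARIABLE g_cDefDomName AS CHARACTER NO-UNDO.
DEFINE NEW GLOBAL SHARED VARIABLE g_cDefDomType AS CHARACTER NO-UNDO.
DEFINE NEW GLOBAL SHARED VARIABLE g_cDefDomDesc AS CHARACTER NO-UNDO.
DEFINE NEW GLOBAL SHARED VARIABLE g_cDomToken   AS CHARACTER NO-UNDO.

DEFINE VARIABLE lOK AS LOGICAL NO-UNDO.

/* Step 3: default domain and its access code (the key used to SEAL) */
ASSIGN g_cDefDomName = "OpenEdge"
       g_cDefDomType = "ABLApplication"
       g_cDefDomDesc = "Application user accounts"
       g_cDomToken   = BASE64-ENCODE(GENERATE-PBE-KEY(g_cDefDomType)).

/* Step 4: register the domain and lock the session registry; a
   CLIENT-PRINCIPAL cannot be sealed for a domain until this is done. */
SECURITY-POLICY:REGISTER-DOMAIN(g_cDefDomName, g_cDomToken) NO-ERROR.
SECURITY-POLICY:LOCK-REGISTRY() NO-ERROR.

/* Hypothetical credential check; the real one reads the application's
   user-account tables. */
FUNCTION AuthenticateUser RETURNS LOGICAL
    (INPUT pcUser AS CHARACTER, INPUT pcPwd AS CHARACTER):
    RETURN (pcUser = "fred" AND pcPwd = "secret").
END FUNCTION.

/* Step 8: end the login-session and clear the session user-id */
PROCEDURE doLogout:
    IF NOT VALID-HANDLE(g_hCP) THEN RETURN.
    g_hCP:LOGOUT().                           /* audited logout        */
    SECURITY-POLICY:SET-CLIENT(?) NO-ERROR.   /* clear session user-id */
    DELETE OBJECT g_hCP.
    g_hCP = ?.
END PROCEDURE.

/* Steps 5 to 7: create, then seal or fail, then install the CLIENT-PRINCIPAL */
PROCEDURE doLogin:
    DEFINE INPUT  PARAMETER pcUser AS CHARACTER NO-UNDO.
    DEFINE INPUT  PARAMETER pcPwd  AS CHARACTER NO-UNDO.
    DEFINE OUTPUT PARAMETER plOK   AS LOGICAL   NO-UNDO.

    plOK = FALSE.
    IF VALID-HANDLE(g_hCP) THEN RUN doLogout.   /* one login per session */

    CREATE CLIENT-PRINCIPAL g_hCP.
    ASSIGN g_hCP:USER-ID            = pcUser
           g_hCP:DOMAIN-NAME        = g_cDefDomName
           g_hCP:SESSION-ID         = SUBSTRING(BASE64-ENCODE(GENERATE-UUID), 1, 22)
           g_hCP:DOMAIN-TYPE        = g_cDefDomType
           g_hCP:DOMAIN-DESCRIPTION = g_cDefDomDesc.

    IF NOT AuthenticateUser(pcUser, pcPwd) THEN DO:
        /* audited as a failed login; the token is now invalid */
        g_hCP:AUTHENTICATION-FAILED("Invalid Password").
        DELETE OBJECT g_hCP.
        g_hCP = ?.
        RETURN.
    END.

    /* audited as a successful login; the token is now read-only */
    g_hCP:SEAL(g_cDomToken).

    /* make the Progress session user-id "fred"; the DB connection user-id
       follows unless Startup.p fixed it with SETUSERID() */
    lOK = SECURITY-POLICY:SET-CLIENT(g_hCP) NO-ERROR.
    IF NOT lOK THEN DO:
        MESSAGE "SET-CLIENT failed:" ERROR-STATUS:GET-MESSAGE(1).
        RUN doLogout.
        RETURN.
    END.
    plOK = TRUE.
END PROCEDURE.

/* Usage: RUN doLogin("fred", "secret", OUTPUT lOK). ... RUN doLogout. */
```

The failure path matters for auditing: AUTHENTICATION-FAILED( ) is what produces the failed-login audit record, so it must be called before the handle is deleted, and a second doLogin while a session is still active goes through doLogout first so that every login-session also gets its logout record.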
Manually Controlling Database User-id
SET-DB-CLIENT( ) sets a database connection's user-id directly from a sealed CLIENT-PRINCIPAL:
• Equivalent to SETUSERID( ): it locks that connection out of SECURITY-POLICY:SET-CLIENT( ) synchronization
• Use when no _User accounts exist
lStatus = SET-DB-CLIENT( g_hCP, "DICTDB" ) NO-ERROR.
IF ( NOT lStatus ) THEN DO:
    ...
END.
Use-case Assumptions: Case 2
Existing stateless AppServer™ application
• Uses application security
• Connects to the DB using a single _User account
• Not using OpenEdge table & field permissions
Short-term migration goals
• Use the OpenEdge auditing core service
Medium-term goals
• Use run-time OpenEdge database security
User-id Management in a Stateless AppServer
[Diagram: a client's requests are dispatched by the AppServer broker to different ABL agents. Every agent serving that client sees the same SESSION:SERVER-CONNECTION-ID (CJB762B...) and uses it as the key into the client's User-Context.]
Stateless AppServer Migration
Additional migration steps
• Startup procedure
  – Connect to the User-Context
  – Add two fields for access-token storage: Login-session-id (CHAR, primary, unique) and Access-token (RAW)
  – Empty the User-Context of access-tokens
• Connect [login] procedure
  – After CLIENT-PRINCIPAL:SEAL( ), store the CLIENT-PRINCIPAL's access-token
Stateless AppServer Migration
Additional migration steps (cont.)
• Activation procedure
  – Restore the CLIENT-PRINCIPAL from the User-Context's access-token (if the SERVER-CONNECTION-ID changes)
• Disconnect [logout] procedure
  – After CLIENT-PRINCIPAL:LOGOUT( ), delete the access-token from the User-Context
Stateless AppServer Migration
Caching CLIENT-PRINCIPAL Objects
Storing the CLIENT-PRINCIPAL access-token:
CREATE ctx.
ASSIGN ctx.Id    = SESSION:SERVER-CONNECTION-ID
       ctx.Token = g_hCP:EXPORT-PRINCIPAL ( ).
Restoring the CLIENT-PRINCIPAL access-token:
FIND ctx WHERE ctx.Id = SESSION:SERVER-CONNECTION-ID.
DELETE OBJECT g_hCP.
CREATE CLIENT-PRINCIPAL g_hCP.
g_hCP:IMPORT-PRINCIPAL ( ctx.Token ).
/* SECURITY-POLICY:SET-CLIENT (g_hCP). */
Use-case Assumptions: Case 3
Existing OpenEdge Reference Architecture (state-free) application
• Uses application security
• Connects to the DB using a single _User account
• Not using OpenEdge table & field permissions
Short-term migration goals
• Use the OpenEdge auditing core service
Medium-term goals
• Use run-time OpenEdge database security
User-id Management in an OpenEdge RA AppServer
[Diagram: in the state-free model there is no server connection to key on. The client passes the CLIENT-PRINCIPAL SESSION-ID (3KU60N5TXL) on every request, and whichever agent receives the request uses it as the key into the User-Context.]
State-free AppServer
Additional migration steps
• No Connect or Disconnect procedures: substitute Login and Logout procedures
• No SESSION:SERVER-CONNECTION-ID: substitute CLIENT-PRINCIPAL:SESSION-ID, and pass the SESSION-ID to all remote procedures
Primary User Authentication APIs
LoginClient ( INPUT  cUserid         AS CHAR,
              INPUT  rAuthToken      AS RAW,
              INPUT  cDomain         AS CHAR,
              INPUT  cSecondaryId    AS CHAR,
              INPUT  rSecondaryToken AS RAW,
              OUTPUT cSessionid      AS CHAR ).
LogoutClient ( INPUT cSessionid AS CHAR ).
AnyProcedure ( ..., INPUT cSessionid AS CHAR ).
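An added worked example, not code from the presentation, of the three-procedure API above for the Case 3 state-free AppServer. It also covers the Case 2 store-and-restore of the sealed access-token: the technique is the same, only the key changes from SESSION:SERVER-CONNECTION-ID to the CLIENT-PRINCIPAL SESSION-ID that the client passes on every call. Everything named here is an assumption: a hypothetical User-Context table UserCtx with fields SessionId (CHARACTER, unique index) and AccessToken (RAW); an agent startup procedure that has already registered and locked the "OpenEdge" domain with access code g_cDomToken (Steps 3 and 4); and an AuthenticateUser stand-in for the application's own credential check.

```abl
/* authsvc.p: added example (not the presentation's code).
   Assumptions: hypothetical table UserCtx (SessionId CHARACTER unique,
   AccessToken RAW); the domain in g_cDomToken is registered and locked
   on every agent; AuthenticateUser is a constructed stand-in. */

DEFINE NEW GLOBAL SHARED VARIABLE g_cDomToken AS CHARACTER NO-UNDO.

/* Constructed stand-in: the RAW auth token carries the password text. */
FUNCTION AuthenticateUser RETURNS LOGICAL
    (INPUT pcUser AS CHARACTER, INPUT prToken AS RAW):
    RETURN (pcUser = "fred" AND GET-STRING(prToken, 1) = "secret").
END FUNCTION.

/* Rebuild the CLIENT-PRINCIPAL from the token stored at login and make it
   the session user-id. A state-free request can reach any agent, so every
   remote procedure starts here. Returns ? when the session-id is unknown,
   the seal does not validate, or the login-session is no longer active. */
FUNCTION RestorePrincipal RETURNS HANDLE (INPUT pcSessionId AS CHARACTER):
    DEFINE VARIABLE hCP AS HANDLE  NO-UNDO.
    DEFINE VARIABLE lOK AS LOGICAL NO-UNDO.

    FIND UserCtx WHERE UserCtx.SessionId = pcSessionId NO-LOCK NO-ERROR.
    IF NOT AVAILABLE UserCtx THEN RETURN ?.

    CREATE CLIENT-PRINCIPAL hCP.
    /* IMPORT-PRINCIPAL rejects a token whose seal was tampered with;
       SET-CLIENT rejects one whose domain is not in this agent's registry */
    lOK = hCP:IMPORT-PRINCIPAL(UserCtx.AccessToken) NO-ERROR.
    IF lOK AND hCP:LOGIN-STATE = "LOGIN" THEN
        lOK = SECURITY-POLICY:SET-CLIENT(hCP) NO-ERROR.
    IF NOT lOK THEN DO:
        DELETE OBJECT hCP.
        RETURN ?.
    END.
    RETURN hCP.
END FUNCTION.

PROCEDURE LoginClient:
    DEFINE INPUT  PARAMETER cUserid         AS CHARACTER NO-UNDO.
    DEFINE INPUT  PARAMETER rAuthToken      AS RAW       NO-UNDO.
    DEFINE INPUT  PARAMETER cDomain         AS CHARACTER NO-UNDO.
    DEFINE INPUT  PARAMETER cSecondaryId    AS CHARACTER NO-UNDO.
    DEFINE INPUT  PARAMETER rSecondaryToken AS RAW       NO-UNDO.
    DEFINE OUTPUT PARAMETER cSessionid      AS CHARACTER NO-UNDO.
    DEFINE VARIABLE hCP AS HANDLE NO-UNDO.

    CREATE CLIENT-PRINCIPAL hCP.
    ASSIGN hCP:USER-ID     = cUserid
           hCP:DOMAIN-NAME = cDomain
           hCP:SESSION-ID  = SUBSTRING(BASE64-ENCODE(GENERATE-UUID), 1, 22).

    IF NOT AuthenticateUser(cUserid, rAuthToken) THEN DO:
        hCP:AUTHENTICATION-FAILED("Invalid Password").   /* audited */
        DELETE OBJECT hCP.
        cSessionid = ?.
        RETURN ERROR "Authentication failed".
    END.

    hCP:SEAL(g_cDomToken).                                /* audited */
    DO TRANSACTION:   /* persist the sealed token for the other agents */
        CREATE UserCtx.
        ASSIGN UserCtx.SessionId   = hCP:SESSION-ID
               UserCtx.AccessToken = hCP:EXPORT-PRINCIPAL().
    END.
    cSessionid = hCP:SESSION-ID.
    DELETE OBJECT hCP.   /* nothing survives the request on this agent */
END PROCEDURE.

PROCEDURE LogoutClient:
    DEFINE INPUT PARAMETER cSessionid AS CHARACTER NO-UNDO.
    DEFINE VARIABLE hCP AS HANDLE NO-UNDO.

    hCP = RestorePrincipal(cSessionid).
    IF VALID-HANDLE(hCP) THEN DO:
        hCP:LOGOUT().                                     /* audited */
        DELETE OBJECT hCP.
    END.
    SECURITY-POLICY:SET-CLIENT(?) NO-ERROR.
    DO TRANSACTION:   /* a deleted token cannot be replayed later */
        FIND UserCtx WHERE UserCtx.SessionId = cSessionid
            EXCLUSIVE-LOCK NO-ERROR.
        IF AVAILABLE UserCtx THEN DELETE UserCtx.
    END.
END PROCEDURE.

/* AnyProcedure: restore the identity before touching data, drop it after */
PROCEDURE ViewCustomer:
    DEFINE INPUT PARAMETER cSessionid AS CHARACTER NO-UNDO.
    DEFINE VARIABLE hCP AS HANDLE NO-UNDO.

    hCP = RestorePrincipal(cSessionid).
    IF NOT VALID-HANDLE(hCP) THEN RETURN ERROR "Not logged in".
    FIND FIRST Customer NO-LOCK NO-ERROR.   /* audited under the restored user-id */
    SECURITY-POLICY:SET-CLIENT(?) NO-ERROR.
    DELETE OBJECT hCP.
END PROCEDURE.
```

Two points a reviewer would check: the stored token is only as trustworthy as the seal, so IMPORT-PRINCIPAL's result is tested rather than ignored, and the session user-id is cleared with SET-CLIENT(?) at the end of every request so that an agent never carries one client's identity into the next client's call.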
For More Information, go to...
• PSDN: Implementing the OpenEdge Reference Architecture, 8: Context Management
• OpenEdge Principals
• White-papers
In Summary
• Extensible user authentication provides the necessary functionality
• Synchronizing the application's user-id with OpenEdge brings benefits such as the core services
• OpenEdge 10.1A gives you the tools to begin your application's migration now
Questions?
Thank you for your time