MOVE-14: Migrating Your 4GL Authentication System to OpenEdge® 10.1A and Beyond. Michael Jacobs, Development Architect


TRANSCRIPT


© 2006 Progress Software Corporation

Agenda

This presentation includes annotations with additional complementary information

1. Why Migrate Your User Authentication
2. OpenEdge Security Systems
3. OpenEdge 10.1A User-id Management
4. Migrating to 10.1A User-id Management


Why Migrate Your User Authentication

Compliance with Security standards & Government regulations

Integrate with different authentication systems

Single Sign-On

Auditing

What are the user authentication challenges I can face?


Why Migrate Your User Authentication

If you or your customer does business with:
• US medical services (HIPAA)
• Credit card processing (CISP)
• International financial services (Basel II & SOX)
• International computing practices (ISO 17799)
• Business in California, USA (SB 1386)
• US & EU governments (FEA standard)
• People's private data (Gramm-Leach-Bliley)
• The British legal system (BIP 0008-1)
• Business in the EU (EU Data Protection Directive)

Does this apply to my application?


Why Migrate Your User Authentication

Strong user authentication systems
• Strong password-based systems
• Hardware tokens
• Smart cards (digital certificates)

Microsoft workstation single sign-on

Single source of user authentication

Federated user identities between partners

What technologies may my application have to support?


Why Migrate Your User Authentication

1. Configurable user authentication systems
• Configure which to use at the production site
• Quickly extend support to new systems
• No application code changes required

2. Use OpenEdge 10.1A security services
• OpenEdge auditing core service
• OpenEdge database run-time security

What do I need to change in my application?


Why Migrate Your User Authentication

OpenEdge auditing core service
• Secure ABL, SQL, & database utility auditing
• User login/logout and login-sessions
• Faster database record auditing than triggers

OpenEdge run-time permission checking
• Database table & field permissions

No, you DO NOT need to use the _User table

What value is provided by OpenEdge 10.1A security features?


OpenEdge 10.0 Database Compile-time Security

[Diagram: ABL application and ABL run-time on the left, OpenEdge database on the right. The application connects with CONNECT db -U root; the database's _User authentication system checks "root" against the _User table accounts and that becomes the connection user-id. FIND Customer … is authorized against the _User table's CAN-* table and field permissions (table & field access control).]


OpenEdge 10.0 Application Run-time Security

[Diagram: the application still connects as "root", a user account holding CAN-* privileges, so database authorization is bypassed. Login.p runs doLogin("fred") against the application's own user accounts (application authentication); ViewCustomer.p then does IF CAN-DO("fred") FIND Customer … against application user privileges (application authorization).]


OpenEdge 10.1A Security Features

[Diagram: the same application with the OpenEdge 10.1A features added: OpenEdge run-time access control on the database connection and the OpenEdge auditing service writing audit data. The connection is still "root" with CAN-* privileges while Login.p runs doLogin("fred") and ViewCustomer.p checks CAN-DO("fred"); the slide flags the mismatch between the application user and the connection user with "DISCONNECT!".]


OpenEdge 10.1A Identity Management

What is new in Release 10.1A:

User identity access token
• CLIENT-PRINCIPAL handle

Synchronize OpenEdge and application user-id
• Domain registries
• SECURITY-POLICY:SET-CLIENT( )
• SET-DB-CLIENT( ), equivalent to SETUSERID()
• Database-hosted ABL client security options

Progress session user-id
• Synchronizes OpenEdge DB connection user-ids


User Identity Access Token

CLIENT-PRINCIPAL attributes, with the slide's example values:

USER-ID: Fred
DOMAIN-NAME: App-accounts
SESSION-ID: AB25DH398E23…
ROLES: user,admin
LOGIN-STATE: LOGIN
STATE-DETAIL: Logged in
DOMAIN-TYPE: ABL Procedure
LOGIN-HOST: NBFFlintstone
CLIENT-TTY: .NETOpenClient
. . .
<User-defined-property>: UI.advanced=YES

"Proof of an authenticated user's information, including the domain that authenticated them, the roles or privileges they hold, and miscellaneous user-context."


CLIENT-PRINCIPAL Operations

Automatic user login auditing
• SEAL( ) [successful login]
• LOGOUT( ) [logout]
• AUTHENTICATION-FAILED( ) [failed login]
• Login-sessions [login session-id context]

Synchronize application user login
• With the Progress session and DB connection
• Between multiple Progress sessions: AppServer agents, load-balanced AppServers, WebSpeed agents

What can a CLIENT-PRINCIPAL do for you?


OpenEdge 10.1A Identity Management

[Diagram: OpenEdge 10.1A identity management. The ABL session holds a domain registry and a session user-id; the OpenEdge database holds its own domain registry (system + domain trust configuration), user accounts, privileges and permissions, and audit data. A CLIENT-PRINCIPAL carries the authenticated user; the session user-id sets the connection user-id and the audit session user-id. In this slide all three user-ids still read "root".]


OpenEdge 10.1A Identity Management

[Diagram: the same picture without a CLIENT-PRINCIPAL. The link from the session user-id to the connection and audit user-ids is crossed out (X), and all three remain "root".]


Use-case Assumptions: Case 1

Existing client-server application
• Uses application security (tables)
• Connects to the DB using a single _User account
• Not using OpenEdge table & field permissions

Short-term migration goals
• Use the OpenEdge auditing core service

Medium-term goals
• Use run-time OpenEdge database security
• OpenEdge RA (Reference Architecture) compliant application


OpenEdge 10.1A Security Configuration

[Diagram: 10.1A security configuration. The database's domain registry is synchronized with the session's ("Synchronize Registries"), and the connection user-id is recorded as the audit session user-id ("Audit session user-id").]


Migrate Existing Application

Step 1: Enable 10.1A Security Features

Enable OpenEdge database 10.1A features
• Security without OpenEdge Auditing:
    proutil db -C updateschema
• Security with OpenEdge Auditing:
    vi AuditAreas.st
    prostrct add db AuditAreas.st
    proutil db -C enableauditing …
• Data Administration utility: Admin > Security > Edit Auditing Privileges


Migrate Existing Application

Step 2: Set Client Security & Auditing Options

Admin > Database Options:
• Audit session user-id
• Synchronize registries
• ABL run-time permission checking


Migrate Existing Application

Step 3: Define Session-global Variables

Define global session current-user storage:
    DEF NEW GLOBAL SHARED VAR g_hCP AS HANDLE.

Define the global default authentication domain:
    DEF NEW GLOBAL SHARED VAR g_cDefDomName AS CHAR.
    DEF NEW GLOBAL SHARED VAR g_cDefDomType AS CHAR.
    DEF NEW GLOBAL SHARED VAR g_cDefDomDesc AS CHAR.
    DEF NEW GLOBAL SHARED VAR g_cDomToken AS CHAR.
    ASSIGN g_cDefDomName = "OpenEdge"
           g_cDefDomType = "ABLApplication"
           g_cDefDomDesc = "Application user accounts".
    /* domain access code */
    ASSIGN g_cDomToken = BASE64-ENCODE(GENERATE-PBE-KEY(g_cDefDomType)).

Caveat: g_cDomToken is the domain access code that SEAL( ) is checked against and that the database's domain registry must hold for the same domain. Anyone who knows it can seal a CLIENT-PRINCIPAL for any user of the domain, so deriving it from the well-known domain type string, as above, is for illustration only; in production use a secret that cannot be recovered from the source code.


OpenEdge 10.1A Application Initialization

[Diagram: application initialization. Startup.p connects the database and calls SETUSERID( … ) as "root : CAN-*", then loads the domain registries. Note on the slide: SETUSERID() locks the connection user-id out of synchronization with the session user-id (shown as an X on that link).]


Migrate Existing Application

Step 4: Modify Application Startup Code

Load the Progress session domain registry (the domain cannot be used until the registry is locked):
    SECURITY-POLICY:REGISTER-DOMAIN( "OpenEdge", g_cDomToken ) NO-ERROR.
    SECURITY-POLICY:LOCK-REGISTRY() NO-ERROR.

Lock the database connection user-id (remove this for run-time permission checking):
    SETUSERID ( "root", pwd, "DICTDB" ).


OpenEdge 10.1A User Login & Logout

[Diagram: user login and logout. Login.p authenticates "fred" and Logout.p logs out; the session user-id is "fred" while the database connection stays "root : CAN-*", its link to the session user-id crossed out (X) because SETUSERID locked it.]


Step 5: Modify Application User Login Code

Create a CLIENT-PRINCIPAL object:
    CREATE CLIENT-PRINCIPAL g_hCP.
    /* Required user account information */
    g_hCP:USER-ID = "fred".
    g_hCP:DOMAIN-NAME = g_cDefDomName.
    g_hCP:SESSION-ID = SUBSTRING(BASE64-ENCODE(GENERATE-UUID), 1, 22).
    /* Optional user account information */
    g_hCP:DOMAIN-TYPE = g_cDefDomType.
    g_hCP:DOMAIN-DESCRIPTION = g_cDefDomDesc.


Migrate Existing Application

Step 6: Modify User Login Completion Code

On successful login, start the user login-session (the CLIENT-PRINCIPAL's access-token is now read-only):
    g_hCP:SEAL( g_cDomToken ).

On failed login, invalidate the user login object (the CLIENT-PRINCIPAL's access-token is invalid):
    g_hCP:AUTHENTICATION-FAILED( "Invalid Password" ).


Migrate Existing Application

Step 7: Modify Successful Login Code

Set the Progress session's user-id:
    DEF VAR lStatus AS LOGICAL NO-UNDO.
    lStatus = SECURITY-POLICY:SET-CLIENT( g_hCP ) NO-ERROR.
    IF ( NOT lStatus ) THEN DO:
        ...
    END.


Migrate Existing Application

Step 8: Modify Logout Code

Logout the CLIENT-PRINCIPAL and clean up:
    g_hCP:LOGOUT().                                        /* invalidates the CLIENT-PRINCIPAL */
    lStatus = SECURITY-POLICY:SET-CLIENT( ? ) NO-ERROR.    /* clears the session user-id */
    DELETE OBJECT g_hCP.
    g_hCP = ?.
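Steps 3 to 8 carried through as one compilable procedure, added here as an example and not code from the presentation. It keeps the presentation's global names; everything else is an assumption: the domain access code is read from an APP_DOMAIN_SECRET environment variable (and the _User password from APP_DB_PASSWORD) instead of being derived from a constant, and the application's own account table is modelled by the temp-table ttAppUser holding PBE-derived password keys so the block runs without a database.

```abl
/* login-demo.p: added example (not from the presentation) covering Steps 3-8.
   Assumptions: APP_DOMAIN_SECRET / APP_DB_PASSWORD environment variables,
   and ttAppUser standing in for the application's user table. */

DEFINE NEW GLOBAL SHARED VARIABLE g_hCP         AS HANDLE    NO-UNDO.
DEFINE NEW GLOBAL SHARED VARIABLE g_cDefDomName AS CHARACTER NO-UNDO.
DEFINE NEW GLOBAL SHARED VARIABLE g_cDefDomType AS CHARACTER NO-UNDO.
DEFINE NEW GLOBAL SHARED VARIABLE g_cDefDomDesc AS CHARACTER NO-UNDO.
DEFINE NEW GLOBAL SHARED VARIABLE g_cDomToken   AS CHARACTER NO-UNDO.

DEFINE TEMP-TABLE ttAppUser NO-UNDO      /* stands in for the application's user table */
    FIELD UserName AS CHARACTER
    FIELD Salt     AS RAW
    FIELD PwdKey   AS RAW                /* GENERATE-PBE-KEY(password, Salt); the password itself is never stored */
    INDEX ixUser IS PRIMARY UNIQUE UserName.

DEFINE VARIABLE lOK AS LOGICAL NO-UNDO.

FUNCTION addAppUser RETURNS LOGICAL (pcUser AS CHARACTER, pcPwd AS CHARACTER):
    CREATE ttAppUser.
    ASSIGN ttAppUser.UserName = pcUser
           ttAppUser.Salt     = GENERATE-PBE-SALT
           ttAppUser.PwdKey   = GENERATE-PBE-KEY(pcPwd, ttAppUser.Salt).
    RETURN TRUE.
END FUNCTION.

/* Steps 3 and 4: session globals, session domain registry, locked connection user-id. */
PROCEDURE initSecurity:
    DEFINE VARIABLE cSecret AS CHARACTER NO-UNDO.

    /* The access code is what SEAL() is checked against: whoever holds it can
       mint a sealed principal for any user of the domain. Keep it out of source
       and register the same value in each database's domain registry. */
    cSecret = OS-GETENV("APP_DOMAIN_SECRET").
    IF cSecret = ? OR cSecret = "" THEN
        RETURN ERROR "APP_DOMAIN_SECRET is not set".

    ASSIGN g_cDefDomName = "OpenEdge"
           g_cDefDomType = "ABLApplication"
           g_cDefDomDesc = "Application user accounts"
           g_cDomToken   = BASE64-ENCODE(GENERATE-PBE-KEY(cSecret)).

    SECURITY-POLICY:REGISTER-DOMAIN(g_cDefDomName, g_cDomToken) NO-ERROR.
    SECURITY-POLICY:LOCK-REGISTRY() NO-ERROR.     /* the domain is unusable until the registry is locked */

    /* Case 1 short term: keep the connection as the single _User account. This locks
       the connection user-id out of session synchronization; drop it when you move
       to run-time permission checking. */
    IF NUM-DBS > 0 THEN
        lOK = SETUSERID("root", OS-GETENV("APP_DB_PASSWORD"), LDBNAME(1)).
END PROCEDURE.

/* Steps 5, 6 and 7: build the principal, seal it or fail it, set the session user-id. */
PROCEDURE loginUser:
    DEFINE INPUT  PARAMETER pcUser AS CHARACTER NO-UNDO.
    DEFINE INPUT  PARAMETER pcPwd  AS CHARACTER NO-UNDO.
    DEFINE OUTPUT PARAMETER plOK   AS LOGICAL   NO-UNDO.

    IF VALID-HANDLE(g_hCP) THEN RUN logoutUser.   /* never leave a stale identity in the session */

    CREATE CLIENT-PRINCIPAL g_hCP.
    ASSIGN g_hCP:USER-ID            = pcUser
           g_hCP:DOMAIN-NAME        = g_cDefDomName
           g_hCP:SESSION-ID         = SUBSTRING(BASE64-ENCODE(GENERATE-UUID), 1, 22)
           g_hCP:DOMAIN-TYPE        = g_cDefDomType
           g_hCP:DOMAIN-DESCRIPTION = g_cDefDomDesc.

    FIND ttAppUser WHERE ttAppUser.UserName = pcUser NO-ERROR.
    IF AVAILABLE ttAppUser
       AND GENERATE-PBE-KEY(pcPwd, ttAppUser.Salt) = ttAppUser.PwdKey THEN DO:
        g_hCP:SEAL(g_cDomToken).                            /* audited as a successful login */
        plOK = SECURITY-POLICY:SET-CLIENT(g_hCP) NO-ERROR.  /* session user-id = fred */
        IF plOK <> TRUE THEN RUN logoutUser.
    END.
    ELSE DO:
        /* Same message for unknown user and wrong password; it is audited, not shown. */
        g_hCP:AUTHENTICATION-FAILED("Invalid user-id or password").
        DELETE OBJECT g_hCP.
        g_hCP = ?.
    END.
END PROCEDURE.

/* Step 8: audited logout, cleared session user-id, no dangling handle. */
PROCEDURE logoutUser:
    IF NOT VALID-HANDLE(g_hCP) THEN RETURN.
    g_hCP:LOGOUT().
    SECURITY-POLICY:SET-CLIENT(?) NO-ERROR.
    DELETE OBJECT g_hCP.
    g_hCP = ?.
END PROCEDURE.

/* Constructed demonstration run. */
RUN initSecurity.
lOK = addAppUser("fred", "correct horse battery").
RUN loginUser ("fred", "wrong password", OUTPUT lOK).          /* audited failed login; g_hCP = ? */
MESSAGE "bad password accepted?" lOK.
RUN loginUser ("fred", "correct horse battery", OUTPUT lOK).
MESSAGE "login ok?" lOK "state:" (IF lOK THEN g_hCP:LOGIN-STATE ELSE "none").
RUN logoutUser.
```

Run it from a session whose database domain registry already holds the "OpenEdge" domain with the same access code, or with no database connected to see only the session-side behaviour. The two loginUser calls produce one failed-login and one successful-login audit event once auditing is enabled per Step 1.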


Manually Controlling Database User-id

SET-DB-CLIENT( ) sets one database connection's user-id from a CLIENT-PRINCIPAL:
• Equivalent to SETUSERID()
• Locks that connection out of SECURITY-POLICY:SET-CLIENT() synchronization
• Use when no _User accounts exist

    lStatus = SET-DB-CLIENT( g_hCP, "DICTDB" ) NO-ERROR.
    IF ( NOT lStatus ) THEN DO: … END.


Use-case Assumptions: Case 2

Existing stateless AppServer™ application
• Uses application security
• Connects to the DB using a single _User account
• Not using OpenEdge table & field permissions

Short-term migration goals
• Use the OpenEdge auditing core service

Medium-term goals
• Use run-time OpenEdge database security


User-id Management in a Stateless AppServer

[Diagram: a client connects through an AppServer broker to a pool of ABL agents, each running its own session. The client's SERVER-CONNECTION-ID (CJB762B…) is the key into a User-Context store shared by all the agents.]


Stateless AppServer Migration

Additional migration steps

Startup procedure:
• Connect to the User-Context store
  – Add two fields for access-token storage: Login-session-id (CHAR, primary, unique) and Access-token (RAW)
• Empty the User-Context of access-tokens

Connect [login] procedure:
• After CLIENT-PRINCIPAL:SEAL(), store the CLIENT-PRINCIPAL's access-token


Stateless AppServer Migration

Additional migration steps (cont.)

Activation procedure:
• Restore the CLIENT-PRINCIPAL from the User-Context's access-token (if the SERVER-CONNECTION-ID changes)

Disconnect [logout] procedure:
• After CLIENT-PRINCIPAL:LOGOUT(), delete the access-token from the User-Context


Stateless AppServer Migration

Caching CLIENT-PRINCIPAL Objects

Storing the CLIENT-PRINCIPAL access-token:
    CREATE ctx.
    ASSIGN ctx.Id    = SESSION:SERVER-CONNECTION-ID
           ctx.Token = g_hCP:EXPORT-PRINCIPAL ( ).

Restoring the CLIENT-PRINCIPAL access-token:
    FIND ctx WHERE ctx.Id = SESSION:SERVER-CONNECTION-ID.
    IF VALID-HANDLE(g_hCP) THEN DELETE OBJECT g_hCP.
    CREATE CLIENT-PRINCIPAL g_hCP.
    g_hCP:IMPORT-PRINCIPAL ( ctx.Token ).
    /* SECURITY-POLICY:SET-CLIENT (g_hCP). */


Use-case Assumptions: Case 3

Existing OpenEdge Reference Architecture (state-free) application
• Uses application security
• Connects to the DB using a single _User account
• Not using OpenEdge table & field permissions

Short-term migration goals
• Use the OpenEdge auditing core service

Medium-term goals
• Use run-time OpenEdge database security


User-id Management in an OpenEdge RA AppServer

[Diagram: the same broker and agent-pool topology for an OpenEdge RA (state-free) AppServer. Here the User-Context is keyed by the CLIENT-PRINCIPAL SESSION-ID (3KU60N5TXL), which the client passes with every request.]


State-free AppServer

Additional migration steps

No Connect or Disconnect procedures
• Substitute Login and Logout procedures

No SESSION:SERVER-CONNECTION-ID
• Substitute CLIENT-PRINCIPAL:SESSION-ID
• Pass the SESSION-ID to all remote procedures


Primary User Authentication APIs

    LoginClient ( INPUT  cUserid         AS CHAR,
                  INPUT  rAuthToken      AS RAW,
                  INPUT  cDomain         AS CHAR,
                  INPUT  cSecondaryId    AS CHAR,
                  INPUT  rSecondaryToken AS RAW,
                  OUTPUT cSessionid      AS CHAR ).

    LogoutClient ( INPUT cSessionid AS CHAR ).

    AnyProcedure ( …, INPUT cSessionid AS CHAR ).
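The access-token caching that the stateless (Case 2) and state-free (Case 3) slides describe, written out as one runnable procedure. This is an added example, not code from the presentation: the User-Context table is modelled by the temp-table ttCtx so it runs without a database, the 15-minute idle timeout and the demo domain access code are assumptions, and the key is a parameter so the same three procedures serve a Case 2 caller (SESSION:SERVER-CONNECTION-ID) and a Case 3 caller (CLIENT-PRINCIPAL:SESSION-ID).

```abl
/* ctx-demo.p: added example (not from the presentation) for Cases 2 and 3.
   Assumptions: ttCtx stands in for the User-Context table; giIdleSecs and the
   "demo-only-access-code" are made up for the demonstration. */

DEFINE NEW GLOBAL SHARED VARIABLE g_hCP       AS HANDLE    NO-UNDO.
DEFINE NEW GLOBAL SHARED VARIABLE g_cDomToken AS CHARACTER NO-UNDO.

DEFINE TEMP-TABLE ttCtx NO-UNDO
    FIELD Id       AS CHARACTER   /* SESSION:SERVER-CONNECTION-ID (Case 2) or CLIENT-PRINCIPAL:SESSION-ID (Case 3) */
    FIELD Token    AS RAW         /* EXPORT-PRINCIPAL() output: the sealed access-token */
    FIELD LastUsed AS DATETIME
    INDEX ixId IS PRIMARY UNIQUE Id.

DEFINE VARIABLE giIdleSecs AS INTEGER   NO-UNDO INITIAL 900.   /* assumed idle timeout */
DEFINE VARIABLE cKey       AS CHARACTER NO-UNDO.
DEFINE VARIABLE lOK        AS LOGICAL   NO-UNDO.

/* Connect / LoginClient, after SEAL(): park the access-token under the key. */
PROCEDURE storeContext:
    DEFINE INPUT PARAMETER pcKey AS CHARACTER NO-UNDO.
    FIND ttCtx WHERE ttCtx.Id = pcKey NO-ERROR.
    IF NOT AVAILABLE ttCtx THEN DO:
        CREATE ttCtx.
        ttCtx.Id = pcKey.
    END.
    ASSIGN ttCtx.Token    = g_hCP:EXPORT-PRINCIPAL()
           ttCtx.LastUsed = NOW.
END PROCEDURE.

/* Activate (Case 2) / every request (Case 3): rebuild the principal from the token. */
PROCEDURE restoreContext:
    DEFINE INPUT  PARAMETER pcKey AS CHARACTER NO-UNDO.
    DEFINE OUTPUT PARAMETER plOK  AS LOGICAL   NO-UNDO.
    DEFINE VARIABLE hCP AS HANDLE NO-UNDO.

    FIND ttCtx WHERE ttCtx.Id = pcKey NO-ERROR.
    IF NOT AVAILABLE ttCtx THEN RETURN.               /* unknown key, or already logged out */
    IF INTERVAL(NOW, ttCtx.LastUsed, "seconds") > giIdleSecs THEN DO:
        DELETE ttCtx.                                 /* idle too long: force a fresh login */
        RETURN.
    END.

    CREATE CLIENT-PRINCIPAL hCP.
    IF NOT hCP:IMPORT-PRINCIPAL(ttCtx.Token) OR hCP:LOGIN-STATE <> "LOGIN" THEN DO:
        DELETE OBJECT hCP.                            /* unreadable token, or not a live login */
        RETURN.
    END.
    IF VALID-HANDLE(g_hCP) THEN DELETE OBJECT g_hCP.  /* whatever this agent had before */
    ASSIGN g_hCP          = hCP
           ttCtx.LastUsed = NOW.
    SECURITY-POLICY:SET-CLIENT(g_hCP) NO-ERROR.       /* session user-id (connection too, unless SETUSERID locked it) */
    plOK = TRUE.
END PROCEDURE.

/* Disconnect / LogoutClient, after LOGOUT(): the key must stop working. */
PROCEDURE clearContext:
    DEFINE INPUT PARAMETER pcKey AS CHARACTER NO-UNDO.
    FIND ttCtx WHERE ttCtx.Id = pcKey NO-ERROR.
    IF AVAILABLE ttCtx THEN DELETE ttCtx.
END PROCEDURE.

/* Constructed demonstration; the registry setup belongs in the startup procedure. */
g_cDomToken = BASE64-ENCODE(GENERATE-PBE-KEY("demo-only-access-code")).
SECURITY-POLICY:REGISTER-DOMAIN("OpenEdge", g_cDomToken) NO-ERROR.
SECURITY-POLICY:LOCK-REGISTRY() NO-ERROR.

CREATE CLIENT-PRINCIPAL g_hCP.                        /* login: the application has already verified the password */
ASSIGN g_hCP:USER-ID     = "fred"
       g_hCP:DOMAIN-NAME = "OpenEdge"
       g_hCP:SESSION-ID  = SUBSTRING(BASE64-ENCODE(GENERATE-UUID), 1, 22).
g_hCP:SEAL(g_cDomToken).
cKey = g_hCP:SESSION-ID.                              /* Case 3 key; Case 2 would use SESSION:SERVER-CONNECTION-ID */
RUN storeContext (cKey).

DELETE OBJECT g_hCP.                                  /* the next request lands on another agent */
g_hCP = ?.
RUN restoreContext (cKey, OUTPUT lOK).
MESSAGE "restored:" lOK (IF lOK THEN g_hCP:USER-ID ELSE "").

g_hCP:LOGOUT().                                       /* logout */
RUN clearContext (cKey).
RUN restoreContext (cKey, OUTPUT lOK).                /* FALSE: the key no longer maps to a token */
MESSAGE "after logout restored:" lOK.
DELETE OBJECT g_hCP.
```

In Case 3 the session-id the client sends back is a bearer credential: whoever presents it gets fred's principal, so carry it only over a protected transport and keep the idle timeout, which caps the exposure window if it leaks. Deleting the row on logout, rather than only calling LOGOUT(), is what makes a replayed session-id fail.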


For More Information, go to…

PSDN: Implementing the OpenEdge Reference Architecture, 8: Context Management

OpenEdge Principals white-papers


In Summary

Extensible user authentication provides necessary functionality

Synchronizing the application’s user-id with OpenEdge can bring benefits such as core services

OpenEdge 10.1A gives you the tools to begin your application’s migration now


Questions?


Thank you for your time