1 DEV-09: User Authentication in an OpenEdge™ 10.1 Distributed Computing Environment. Michael Jacobs, Development Architect.

2 © 2005 Progress Software Corporation. DEV-09: User Authentication in OpenEdge 10.1
Agenda
- User authentication drivers
- Authentication basics
- What's in OpenEdge 10.1A
- Distributed authentication
- Using OpenEdge 10.1A
- What's next?

3 Disclaimer: Under Development
- This talk includes information about potential future products and/or product enhancements.
- What I am going to say reflects our current thinking, but the information contained herein is preliminary and subject to change. Any future products we ultimately deliver may be materially different from what is described here.

4 Agenda (section divider; same items as slide 2)

5 User Authentication Drivers
- Hackers, crackers, rage, and corruption
- Government regulations
  - Sarbanes-Oxley (SOX)
  - 21 CFR Part 11
  - HIPAA
- Customer security policy requirements
- Migration to n-tier application architecture
  - OpenEdge Reference Architecture
  - Service Oriented Architecture

6 Distributed User Authentication Challenges
- Prevent identity theft
  - Of login credentials
  - Of the login session
- Multiple authentication systems
  - Existing customer systems
  - Future authentication systems
- Multiple service interface support
- Deployment-time configuration

7 Agenda (section divider; same items as slide 2)

8 Application Security Fundamentals (diagram): three components, Authentication, Authorization and Auditing, under the heading Application Security.

9 Balancing Authentication Costs (diagram of a balance). Labels, grouped as they appear: Product side: $ Technology, $ Development, $ Support. Customer side: $ Liability, $ Data, $ Support.

10 Authentication Manager Architecture (diagram). Labels: Authentication Manager containing Process Control, an Authentication Plug-in Subsystem (LDAP plug-in to LDAP, 4GL plug-in to 4GL procedures, Progress plug-in to the _user API), a User Context Subsystem, and Auditing; OpenEdge AP/end user.

11 Process Control Authentication (diagram). Labels: Client, Login Credentials, AppServer Agent, Authentication Manager, Process Control (Authenticate, Account Check, Get Account Data, each against an Authentication System with User Accounts), Principal, Authorization Manager, Access Control Data, Application Resources.

12 Single User Account Systems (diagram): one Authentication Manager in front of one Authentication System with its User Accounts.

13 True Single Sign-On (diagram). Labels: Authentication System with User Accounts; two Authentication Manager / Authorization Manager pairs; Trusted Domains; Domain Access Key.

14 What's in a Principal
PRINCIPAL
  Domain: LDAP
  State: Login
  User-ID: DDuck
  Login-token: BW3G1&2G1836D872
  Login-date: 3/12/05 08:15:33.12
  Login-expires: 3/12/05 19:30:00.00
  Roles: Accountant
  App-data: Company=Acme...
Field groups called out on the slide: Authentication System Data, User Account Data, User Account Restrictions, Application Defined Data.

15 Agenda (section divider; same items as slide 2)

16 OpenEdge 10.1A Presents!
- CLIENT-PRINCIPAL 4GL object
- Trusted Authentication System Registry (TASR)
- Database-controlled authentication options
- Language extensions that use CLIENT-PRINCIPAL objects
- Optional run-time OpenEdge database permission checking

17 4GL CLIENT-PRINCIPAL Object
- Represents a single user's login session
- Shares a single user authentication
  - Between application servers
  - Between application server agents
- Supersedes the SETUSERID() function
- Sets the current user-id for:
  - The 4GL application
  - An OpenEdge database connection [and permissions]
- Triggers OpenEdge auditing record creation

18 Trusted Authentication System Registry (TASR)
- Used to validate a CLIENT-PRINCIPAL
  - OpenEdge client to AppServer agent
  - 4GL client to OpenEdge database
- Supports multiple domains
- Uses the domain's key for validation
- Configurable via the OpenEdge database options table
- Loaded from the OpenEdge database Domain Registry table

19 4GL Language Extensions
- SECURITY-POLICY object
  - SET-CLIENT() method
  - LOAD-DOMAINS() method
- UUID function
- SETDBCLIENT() function
- HEXBINARY-ENCODE() function

20 Release 10.1 Authentication Components (diagram). Labels: 4GL Client, AppServer, WebSpeed Agent containing the 4GL Core (Authentication Manager, Principal, SECURITY-POLICY, Application TASR), the 4GL Application, the Service Interface, and a Database Connection with its Database TASR; OpenEdge Database with DB Options and Domain Registry; Client Login Session; Application Domains; Database Domains; Authentication Options; Domain Configuration.

21 Agenda (section divider; same items as slide 2)

22 Client Benefits of the State-Free AppServer (diagram): a Client in front of two AppServer Agents.

23 Client Benefits of the State-Free AppServer (diagram, continued). Labels: Client, two AppServer Agents, Adapter, SOA.

24 Problem with User Authentication in a State-Free AppServer (diagram). Labels: Client, Login, Service Interface, AppServer Agent, Authentication Manager, Authentication System, Principal.

25 Problem with User Authentication in a State-Free AppServer (diagram, continued). Labels: Client, ProcA, Service Interface, AppServer Agent, Authentication Manager, Principal, and a question mark where the Principal should be: the agent that runs the later ProcA call does not hold the Principal created at login.

26 What's a Login-Token
PRINCIPAL
  Domain: LDAP
  State: Login
  User-ID: DDuck
  Login-token: BW3G1&2G1836D872   <- Login Token
  Login-date: 3/12/05 08:15:33.12
  Login-expires: 3/12/05 19:30:00.00
  Roles: Accountant
  App-data: Company=Acme...
  Seal: 24VGWYY872ACE

27 User Authentication in a State-Free Distributed System (diagram). Labels: Client, Login, Service Interface, AppServer Agent, Authentication Manager, Authentication System, Principal, Principal Context.

28 State-Free User Context Management (diagram). Labels: Client, ProcA, Service Interface, AppServer Agent, Authentication Manager, Principal Context, Principal.

29 State-Free User Context Management (diagram, continued). Labels: Client, ProcB, Service Interface, AppServer Agent, Authentication Manager, Principal Context, Principal.

30 Agenda (section divider; same items as slide 2, with Distributed authentication listed before What's in OpenEdge 10.1A)

31 Configuring Single CLIENT-PRINCIPAL Context Mode (diagram). Labels: Data Administration Utility; OpenEdge Database with DB Options and Domain Registry; 4GL Core (Authentication Manager, SECURITY-POLICY, Application TASR); 4GL Application; Service Interface; Database Connection with Database TASR.

32 Configuring the SECURITY-POLICY TASR
1. Configure TASR domains
   a. Domain name: LDAP
   b. Domain key: "Domain key"
2. Configure databases to use the application's TASR
3. Load the application TASR at run-time
       SECURITY-POLICY:LOAD-DOMAINS("tasrdb").

33 User Login: Creating the CLIENT-PRINCIPAL (diagram). Labels: Login Credentials, Authentication System, Principal, CLIENT-PRINCIPAL, 4GL Core (Authentication Manager, SECURITY-POLICY, Application TASR), 4GL Application, Service Interface, Database Connection with Database TASR, OpenEdge Database (DB Permissions, Data Tables).

34 Creating the CLIENT-PRINCIPAL in the Authentication Manager
1. Create a CLIENT-PRINCIPAL object
       DEFINE VARIABLE hCP AS HANDLE NO-UNDO.
       CREATE CLIENT-PRINCIPAL hCP.
2. Set required attributes
       hCP:USER-ID     = "DDuck".
       hCP:LOGIN-TOKEN = BASE64-ENCODE(UUID).   /* random, unique per login session */
       hCP:DOMAIN      = "LDAP".
       hCP:ROLES       = "Accountant".
3. Define optional client account attributes

35 Creating the CLIENT-PRINCIPAL (cont.)
4. Define optional application properties
       hCP:SET-PROPERTY("SalesOrder=CRU").
       hCP:SET-PROPERTY("CustInfo=R").
5. Commit the user authentication (audit record generated)
       hCP:SEAL("Domain key").          /* credentials accepted: seal with the domain's key */
       hCP:AUTHENTICATION-FAILED().     /* credentials rejected: record the failed login  */
6. Read-only access to attributes and properties from then on
       prop = hCP:GET-PROPERTY("CustInfo").

36 Sealing a CLIENT-PRINCIPAL Object (diagram)
The PRINCIPAL fields of slide 26 (Domain: LDAP, State: Login, User-ID: DDuck, Login-token: BW3G1&2G1836D872, Login-date: 3/12/05 08:15:33.12, Login-expires: 3/12/05 19:30:00.00, Roles: Accountant, App-data: Company=Acme...) are fed through an HMAC keyed with the Domain Access Key, and the result is stored in the Seal field (Seal: 24VGWYY872ACE).
       hCP:SEAL("Domain key").

37 User Login: Sharing CLIENT-PRINCIPAL Objects (diagram). Labels: CLIENT-PRINCIPAL, 4GL Core (Authentication Manager, SECURITY-POLICY, Application TASR), 4GL Application, Service Interface, Principal Context, Principal, Database Connection with Database TASR, OpenEdge Database (DB Permissions, Data Tables).

38 Sharing User Login Context
- Define CLIENT-PRINCIPAL storage
       DEFINE TEMP-TABLE PrincipalContext NO-UNDO
           FIELD tokenid AS CHARACTER
           FIELD token   AS RAW
           INDEX tokenidIdx IS PRIMARY UNIQUE tokenid.
- Export the user's access token, keyed by its login token
       CREATE PrincipalContext.
       ASSIGN PrincipalContext.tokenid = hCP:LOGIN-TOKEN
              PrincipalContext.token   = hCP:EXPORT-PRINCIPAL().
       RELEASE PrincipalContext.

39 Running a Remote Procedure: Recovering the CLIENT-PRINCIPAL (diagram). Labels: CLIENT-PRINCIPAL, 4GL Core (Authentication Manager, SECURITY-POLICY, Application TASR), 4GL Application, Service Interface, Principal Context, Principal, Database Connection with Database TASR, OpenEdge Database (DB Permissions, Data Tables).

40 Running a Remote Procedure: Setting the CLIENT-PRINCIPAL (diagram). Same labels as slide 39.

41 Retrieving the User Login Context and Setting the User Identity
1. Import the user's access token
       FIND PrincipalContext WHERE PrincipalContext.tokenid = "AXy12…" NO-ERROR.
       IF NOT AVAILABLE PrincipalContext THEN
           RETURN ERROR "unknown login token".
       CREATE CLIENT-PRINCIPAL hCP.
       hCP:IMPORT-PRINCIPAL(PrincipalContext.token).
2. Set a single application user identity (audit record generated); the TASR check of slide 42 decides whether the sealed principal is accepted
       IF NOT SECURITY-POLICY:SET-CLIENT(hCP) THEN
           RETURN ERROR "CLIENT-PRINCIPAL rejected by the TASR".

42 Validating a CLIENT-PRINCIPAL Object (diagram)
The receiving side recomputes the HMAC over the PRINCIPAL fields (Domain: LDAP, State: Login, User-ID: DDuck, Login-token: BW3G1&2G1836D872, Login-date: 3/12/05 08:15:33.12, Login-expires: 3/12/05 19:30:00.00, Roles: Accountant, App-data: Company=Acme...) using the Domain Access Key held in the TASR and compares it with the Seal (24VGWYY872ACE); the TASR check yields TRUE or FALSE.

43 Logging Out: Deleting CLIENT-PRINCIPAL Objects (diagram). Labels: CLIENT-PRINCIPAL, 4GL Core (Authentication Manager, SECURITY-POLICY, Application TASR), 4GL Application, Service Interface, Principal Context, Principal, Database Connection with Database TASR, OpenEdge Database (DB Permissions, Data Tables).

44 Logging out CLIENT-PRINCIPAL Objects and Deletion
1. Import the user's access token
       FIND PrincipalContext WHERE PrincipalContext.tokenid = "AXy12…" NO-ERROR.
       CREATE CLIENT-PRINCIPAL hCP.
       hCP:IMPORT-PRINCIPAL(PrincipalContext.token).
2. Log the client out (audit record generated), then delete the stored context so the login token cannot be replayed
       hCP:LOGOUT().
       DELETE PrincipalContext.
       DELETE OBJECT hCP.
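The seal, share and validate flow of slides 34 to 44 (sealing on slide 36, the TASR check on slide 42, the PrincipalContext store of slides 38, 41 and 44), as an added example written for this page in Python rather than OpenEdge ABL; it is not Progress code. The field names follow the slides; HMAC-SHA256 as the seal, JSON as the serialisation, the in-memory TASR dictionary and context store, the sample domain keys and the function names are all assumptions. It shows what the diagrams assert: a principal recovered by login token on another agent validates against the domain key, while an edited field, an unknown domain or an expired login fails the TASR check, and logout removes the context.

```python
"""Added example, not OpenEdge code: models the seal / share / validate flow of the
CLIENT-PRINCIPAL slides in Python. Serialisation, HMAC-SHA256, the in-memory
registry and store, and all sample keys and values are constructed assumptions."""
import base64
import hashlib
import hmac
import json
import secrets
from dataclasses import asdict, dataclass, field, replace
from datetime import datetime, timedelta, timezone

# Trusted Authentication System Registry (TASR): domain name -> domain access key.
# Constructed sample keys; OpenEdge loads these from the database domain registry.
TASR = {
    "LDAP": b"constructed-ldap-domain-access-key",
    "OpenEdge": b"constructed-openedge-domain-access-key",
}


@dataclass
class Principal:
    domain: str
    user_id: str
    login_token: str      # random per-login id; also the key into the context store
    login_date: str       # ISO-8601, UTC
    login_expires: str    # ISO-8601, UTC
    roles: list
    app_data: dict = field(default_factory=dict)
    seal: str = ""        # hex HMAC over every field above


def _canonical(p: Principal) -> bytes:
    """Bytes covered by the seal: every field except the seal itself, in a fixed order."""
    d = asdict(p)
    d.pop("seal")
    return json.dumps(d, sort_keys=True, separators=(",", ":")).encode()


def login(domain: str, user_id: str, roles: list, app_data: dict, now: datetime,
          ttl: timedelta = timedelta(hours=11)) -> Principal:
    """Authentication-manager side, run only after the domain's authentication
    system accepted the credentials (not modelled). Seals with the domain key."""
    token = base64.b64encode(secrets.token_bytes(16)).decode()
    p = Principal(domain, user_id, token, now.isoformat(), (now + ttl).isoformat(),
                  list(roles), dict(app_data))
    return replace(p, seal=hmac.new(TASR[domain], _canonical(p), hashlib.sha256).hexdigest())


def validate(p: Principal, now: datetime) -> bool:
    """Receiving side (AppServer agent or database): the TASR check, TRUE or FALSE.
    Rejects an unknown domain, any altered field, a seal made with another key,
    and a login presented after Login-expires. Constant-time MAC compare."""
    key = TASR.get(p.domain)
    if key is None:
        return False
    expected = hmac.new(key, _canonical(p), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, p.seal):
        return False
    return now < datetime.fromisoformat(p.login_expires)


class PrincipalContext:
    """State-free context store: login token -> exported principal, so whichever
    agent receives the token can recover the same sealed principal."""

    def __init__(self):
        self._store = {}

    def export(self, p: Principal) -> str:
        self._store[p.login_token] = json.dumps(asdict(p)).encode()
        return p.login_token

    def import_(self, token_id: str):
        raw = self._store.get(token_id)
        return Principal(**json.loads(raw)) if raw else None

    def logout(self, token_id: str) -> None:
        self._store.pop(token_id, None)


def run_flow(now: datetime = datetime(2005, 3, 12, 8, 15, 33, tzinfo=timezone.utc)) -> dict:
    """Login on one agent, ProcA on another, then the rejection cases and logout."""
    ctx = PrincipalContext()
    token_id = ctx.export(login("LDAP", "DDuck", ["Accountant"], {"Company": "Acme"}, now))

    p = ctx.import_(token_id)                       # ProcA: recover by login token
    results = {"procA_valid": validate(p, now)}
    # Roles edited after sealing: the recomputed HMAC no longer matches the seal
    results["tampered_valid"] = validate(replace(p, roles=["Administrator"]), now)
    # Domain not in the TASR: there is no trusted key to check against
    results["unknown_domain_valid"] = validate(replace(p, domain="Rogue"), now)
    # Correct seal, but presented after Login-expires
    results["expired_valid"] = validate(p, now + timedelta(hours=12))

    ctx.logout(token_id)                            # logout removes the context
    results["after_logout"] = ctx.import_(token_id)  # a later ProcB gets nothing
    return results
```

Two points the slides leave implicit and the code makes explicit: the seal covers every field, so roles and expiry cannot be edited by whoever holds the context store, and the verifier never trusts the domain named inside the principal beyond using it to pick a key from the registry it already holds. Expiry is a separate check after the MAC, because a valid seal over a stale login is still a replay.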

45 Agenda (section divider; same items as slide 2, with Distributed authentication listed before What's in OpenEdge 10.1A)

46 Authentication Manager Architecture (diagram repeated from slide 10)

47 Future Support: More Core Business Services (diagram). Labels: OpenEdge Authentication Service containing Process Control, an Authentication Plug-in Subsystem (LDAP plug-in to LDAP, 4GL plug-in to 4GL procedures, OpenEdge plug-in to the _user API), a User Context Subsystem, and Auditing; OpenEdge User Context Service with Login() and Logout(); OpenEdge.

48 Future Support: More Application Authorization (diagram). Labels: OpenEdge Database with User Roles and Access Control Lists; 4GL Core with SECURITY-POLICY; 4GL Application; Service Interface; Authorization Subsystem with CanAccess(...), User Role Support, Access Control Lists and 4GL ACL functions; OpenEdge Authentication Subsystem with Login(...), Principal and 4GL Login functions.

49 In Summary
- Secure user authentication is necessary in today's world
- Distributed user authentication presents many challenges
- OpenEdge 10 is providing the answer

50 Questions?

51 Thank you for your time!
