DEV-09: User Authentication in an OpenEdge™ 10.1 Distributed Computing Environment
Michael Jacobs, Development Architect
Agenda
• User authentication drivers
• Authentication basics
• What's in OpenEdge 10.1A
• Distributed authentication
• Using OpenEdge 10.1A
• What's next?
DEV-09: User Authentication in OpenEdge 10.1
Under Development (DISCLAIMER)
• This talk includes information about potential future products and/or product enhancements.
• What I am going to say reflects our current thinking, but the information contained herein is preliminary and subject to change. Any future products we ultimately deliver may be materially different from what is described here.
User Authentication Drivers
• Hackers, crackers, rage, and corruption
• Government regulations
  • Sarbanes-Oxley (SOX)
  • CFR Part 11
  • HIPAA
• Customer security policy requirements
• Migration to n-tier application architecture
  • OpenEdge Reference Architecture
  • Service Oriented Architecture
Distributed User Authentication Challenges
• Prevent identity theft
  • Login credentials
  • Login session
• Multiple authentication systems
  • Existing customer systems
  • Future authentication systems
• Multiple service interface support
• Deployment-time configuration
Application Security Fundamentals [diagram: application security rests on three pillars, authentication, authorization and auditing]
Balancing Authentication Costs [diagram: a scale weighing the product's costs (technology, development, support) against the customer's costs (liability, data, support)]
Authentication Manager Architecture [diagram: the Authentication Manager exposes an API and Process Control; its Authentication Plug-in Subsystem holds a Progress plug-in (backed by _user), an LDAP plug-in (backed by LDAP) and a 4GL plug-in (backed by 4GL procedures); a User Context Subsystem and Auditing sit alongside; the OpenEdge AP/end user enters through the API]
Authentication Process Control [diagram: the client sends login credentials to the AppServer agent; the Authentication Manager's Process Control authenticates against the authentication system, checks the account and gets account data from the user accounts, producing a Principal; the Authorization Manager combines the Principal with access control data to guard application resources]
Single User Account Systems [diagram: several Authentication Managers all authenticate against one authentication system and one set of user accounts]
True Single Sign-On [diagram: Authentication Managers in trusted domains share a domain access key; one authentication system holds the user accounts, and each domain's Authorization Manager authorizes with the shared principal]
What's in a Principal
PRINCIPAL (sample values from the slide):
• Authentication system data: Domain: LDAP; State: Login
• User account data: User-ID: DDuck; Login-token: BW3G1&2G1836D872; Login-date: 3/12/05 08:15:33.12
• User account restrictions: Login-expires: 3/12/05 19:30.00.00; Roles: Accountant
• Application-defined data: App-data: Company=Acme ...
OpenEdge 10.1A Presents!
• CLIENT-PRINCIPAL 4GL object
• Trusted Authentication System Registry (TASR)
• Database-controlled authentication options
• Language extensions that use CLIENT-PRINCIPAL objects
• Optional run-time OpenEdge database permission checking
4GL CLIENT-PRINCIPAL Object
• Represents a single user's login session
• Shares a single user authentication
  • Between application servers
  • Between application server agents
• Supersedes the SETUSERID() function
• Sets the current user-id for:
  • The 4GL application
  • An OpenEdge database connection [& permissions]
• Triggers OpenEdge auditing record creation
Trusted Authentication System Registry (TASR)
• Used to validate a CLIENT-PRINCIPAL
  • OpenEdge client to AppServer agent
  • 4GL client to OpenEdge database
• Supports multiple domains
  • Uses the domain's key for validation
• Configurable via the OpenEdge database options table
• Loaded from the OpenEdge database Domain Registry table
4GL Language Extensions
• SECURITY-MANAGER object
  • SET-CLIENT() method
  • LOAD-DOMAINS() method
• UUID function
• SETDBCLIENT() function
• HEXBINARY-ENCODE() function
Release 10.1 Authentication Components [diagram: a 4GL client, AppServer or WebSpeed agent hosts the 4GL application (client login session, service interface, Authentication Manager with authentication options, application domains and the Principal) on top of the 4GL core (SECURITY-POLICY, application TASR, domain configuration); the database connection links it to the OpenEdge database, which holds its own database TASR, DB options and Domain Registry (database domains)]
Agenda
• User authentication issues
• Authentication basics
• What's in OpenEdge 10.1A
• Distributed authentication
• Using OpenEdge 10.1A
• What's next?
Benefits of the State-Free AppServer [diagram: several clients are spread across the agents of two AppServers; any agent can serve any client]
Benefits of the State-Free AppServer [diagram: as before, with an SOA adapter also routing clients onto the agents]
Problem with User Authentication in a State-Free AppServer [diagram: the client logs in through one agent's service interface; that agent's Authentication Manager authenticates against the authentication system and creates the Principal, which exists only in that agent]
Problem with User Authentication in a State-Free AppServer [diagram: the client's next request (ProcA) lands on a different agent, whose Authentication Manager has no Principal for the user (?)]
What's a Login-Token
PRINCIPAL carried as a login token (sample values from the slide):
• Domain: LDAP; State: Login
• User-ID: DDuck; Login-token: BW3G1&2G1836D872; Login-date: 3/12/05 08:15:33.12
• Login-expires: 3/12/05 19:30.00.00; Roles: Accountant
• App-data: Company=Acme ...
• Seal: 24VGWYY872ACE
User Authentication in a State-Free Distributed System [diagram: after login the Principal is stored in a shared Principal Context, and the client carries the Principal (login token) so a second agent's Authentication Manager can recover it]
State-Free User Context Management [diagram: the client's request for ProcA arrives at an agent together with the Principal; that agent's Authentication Manager retrieves the user context from the shared Principal Context]
State-Free User Context Management [diagram: the same recovery for ProcB on another agent]
Agenda
• User authentication drivers
• Authentication basics
• Distributed authentication
• What's in OpenEdge 10.1A
• Using OpenEdge 10.1A
• What's next?
Configuring Single CLIENT-PRINCIPAL Context Mode [diagram: the Data Administration utility maintains the OpenEdge database's DB options and Domain Registry (the database TASR); over the database connection the 4GL application's Authentication Manager and the 4GL core's SECURITY-POLICY application TASR are configured from it]
Configuring the SECURITY-POLICY TASR
• Configure TASR domains
  • Domain name: LDAP
  • Domain key: "Domain key"
• Configure databases to use the application's TASR
• Load the application TASR at run-time:
    SECURITY-POLICY:LOAD-DOMAINS("tasrdb").
User Login: Creating the CLIENT-PRINCIPAL [diagram: login credentials arrive at the service interface; the Authentication Manager authenticates against the authentication system and creates the CLIENT-PRINCIPAL (Principal), which the 4GL core's SECURITY-POLICY and application TASR seal; the database connection uses it for DB permissions on the data tables]
Creating the CLIENT-PRINCIPAL in the Authentication Manager
Create a CLIENT-PRINCIPAL object:
    DEFINE VARIABLE hCP AS HANDLE NO-UNDO.
    CREATE CLIENT-PRINCIPAL hCP.
Set required attributes:
    hCP:USER-ID     = "DDuck".
    hCP:LOGIN-TOKEN = BASE64-ENCODE(UUID).   /* UUID: new 4GL function, see Language Extensions */
    hCP:DOMAIN      = "LDAP".
Define optional client account attributes:
    hCP:ROLES = "Accountant".
Creating the CLIENT-PRINCIPAL (cont.)
Define optional application properties:
    hCP:SET-PROPERTY("SalesOrder=CRU").
    hCP:SET-PROPERTY("CustInfo=R").
Commit the user authentication (* audit record generated):
    hCP:SEAL("Domain key").         /* credentials accepted: seal with the domain key */
    hCP:AUTHENTICATION-FAILED().    /* or, if the credentials were rejected */
Read-only access to attributes and properties:
    DEFINE VARIABLE prop AS CHARACTER NO-UNDO.
    prop = hCP:GET-PROPERTY("CustInfo").
Sealing a CLIENT-PRINCIPAL Object [diagram: hCP:SEAL("Domain key") takes the domain access key and computes an HMAC over the PRINCIPAL fields (Domain: LDAP; State: Login; User-ID: DDuck; Login-token: BW3G1&2G1836D872; Login-date: 3/12/05 08:15:33.12; Login-expires: 3/12/05 19:30.00.00; Roles: Accountant; App-data: Company=Acme ...), storing the result as the Seal: 24VGWYY872ACE]
User Login: Sharing CLIENT-PRINCIPAL Objects [diagram: the sealed CLIENT-PRINCIPAL is exported into the Principal Context, a copy is returned to the client through the service interface, and the database connection uses it for DB permissions on the data tables]
Sharing User Login Context
• Define CLIENT-PRINCIPAL storage:
    DEFINE TEMP-TABLE PrincipalContext NO-UNDO
        FIELD tokenid AS CHARACTER
        FIELD token   AS RAW
        INDEX tokenidIdx IS PRIMARY tokenid.
• Export the user's access token:
    CREATE PrincipalContext.
    ASSIGN
        PrincipalContext.token   = hCP:EXPORT-PRINCIPAL()
        PrincipalContext.tokenid = hCP:LOGIN-TOKEN.
    RELEASE PrincipalContext.
Running a Remote Procedure: Recovering the CLIENT-PRINCIPAL [diagram: the request carries the Principal through the service interface; the Authentication Manager finds the matching entry in the Principal Context and imports it into a CLIENT-PRINCIPAL]
Running a Remote Procedure: Setting the CLIENT-PRINCIPAL [diagram: the recovered CLIENT-PRINCIPAL is checked by the 4GL core's SECURITY-POLICY against the application TASR and set as the user identity for the 4GL application and for the database connection (DB permissions on the data tables)]
Retrieving the User Login Context and Setting the User Identity
Import the user's access token:
    FIND PrincipalContext WHERE tokenid = "AXy12…".
    CREATE CLIENT-PRINCIPAL hCP.
    hCP:IMPORT(token).
Set a single application user identity (* audit record generated):
    SECURITY-POLICY:SET-CLIENT(hCP).
Validating a CLIENT-PRINCIPAL Object [diagram: the TASR supplies the domain access key for the principal's Domain (LDAP); the HMAC is recomputed over the PRINCIPAL fields (State: Login; User-ID: DDuck; Login-token: BW3G1&2G1836D872; Login-date: 3/12/05 08:15:33.12; Login-expires: 3/12/05 19:30.00.00; Roles: Accountant; App-data: Company=Acme ...) and compared (==) with the Seal: 24VGWYY872ACE, yielding T/F]
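As an added illustration (Python, not OpenEdge code from this deck), the seal-and-validate step that the Sealing and Validating slides describe: the Authentication Manager computes an HMAC over the principal's fields with the domain access key, and a receiving agent recomputes it from its own TASR copy of that key, so any altered field, forged seal, unknown domain or expired login is rejected. The JSON canonical form, SHA-256, the placeholder key and the TASR dictionary are assumptions for the example; the slides do not show OpenEdge's own encoding.

```python
import hashlib
import hmac
import json
from datetime import datetime

# Constructed stand-in for the Trusted Authentication System Registry (TASR):
# domain name -> domain access key. The key is a placeholder, not a real secret.
TASR = {"LDAP": b"placeholder-domain-key"}

# Principal fields with the slides' sample values (dates rewritten in ISO form
# so they parse; the login token is the slide's sample, not a generated value).
PRINCIPAL = {
    "Domain": "LDAP", "State": "Login", "User-ID": "DDuck",
    "Login-token": "BW3G1&2G1836D872",
    "Login-date": "2005-03-12 08:15:33", "Login-expires": "2005-03-12 19:30:00",
    "Roles": "Accountant", "App-data": "Company=Acme",
}

def _canonical(principal: dict) -> bytes:
    """Serialize every field except Seal in a fixed order (assumed encoding)."""
    body = {k: v for k, v in principal.items() if k != "Seal"}
    return json.dumps(body, sort_keys=True, separators=(",", ":")).encode()

def seal(principal: dict, domain_key: bytes) -> dict:
    """Model of hCP:SEAL(): bind the fields to the domain key with an HMAC."""
    sealed = {k: v for k, v in principal.items() if k != "Seal"}
    sealed["Seal"] = hmac.new(domain_key, _canonical(sealed), hashlib.sha256).hexdigest()
    return sealed

def validate(principal: dict, tasr: dict, now: str) -> bool:
    """TASR check on the receiving agent: recompute the seal with the domain's key."""
    key = tasr.get(principal.get("Domain"))
    if key is None:                        # domain not trusted by this agent
        return False
    expected = hmac.new(key, _canonical(principal), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, principal.get("Seal", "")):
        return False                       # altered field or forged seal
    expires = datetime.strptime(principal["Login-expires"], "%Y-%m-%d %H:%M:%S")
    return datetime.strptime(now, "%Y-%m-%d %H:%M:%S") < expires  # login not expired

if __name__ == "__main__":
    cp = seal(PRINCIPAL, TASR["LDAP"])
    print("valid:", validate(cp, TASR, "2005-03-12 10:00:00"))
    cp["Roles"] = "Administrator"          # tamper with a field after sealing
    print("tampered valid:", validate(cp, TASR, "2005-03-12 10:00:00"))
```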
Logging Out: Deleting CLIENT-PRINCIPAL Objects [diagram: the Authentication Manager removes the user's entry from the Principal Context and logs the Principal out; the 4GL core's SECURITY-POLICY/application TASR, the database connection and the DB permissions on the data tables no longer carry the identity]
Logging Out: CLIENT-PRINCIPAL Objects and Deletion
Import the user's access token and drop the stored context:
    FIND PrincipalContext WHERE tokenid = "AXy12…".
    CREATE CLIENT-PRINCIPAL hCP.
    hCP:IMPORT(token).
    DELETE PrincipalContext.
Log out the client (* audit record generated):
    hCP:LOGOUT().
Agenda
• User authentication drivers
• Authentication basics
• Distributed authentication
• What's in OpenEdge 10.1A
• Using OpenEdge 10.1A
• What's next?
Future Support: More Core Business Services [diagram: the Authentication Plug-in Subsystem becomes an OpenEdge Authentication Service with Login() and Logout(), and the User Context Subsystem becomes an OpenEdge User Context Service; the OpenEdge plug-in (_user), LDAP plug-in and 4GL plug-in (4GL procedures) remain behind them, with the API, Auditing and Process Control unchanged]
Future Support: More Application Authorization [diagram: the OpenEdge database stores user roles and access control lists; the 4GL application gains 4GL login functions (Login(…)) and 4GL ACL functions (CanAccess(…)) that act on the Principal; in the 4GL core an Authorization Subsystem (user role support, access control lists) sits beside the OpenEdge Authentication Subsystem and SECURITY-POLICY]
In Summary
• Secure user authentication is necessary in today's world
• Distributed user authentication presents many challenges
• OpenEdge 10 is providing the answer
Questions?