DEV-09: User Authentication in an OpenEdge - PowerPoint PPT Presentation

About This Presentation
Title:

DEV-09: User Authentication in an OpenEdge

Description:

DEV-09: User Authentication in an OpenEdge 10.1 Distributed Computing Environment Michael Jacobs Development Architect – PowerPoint PPT presentation

Number of Views:203
Avg rating:3.0/5.0
Slides: 53
Provided by: Michael3621
Category:

less

Transcript and Presenter's Notes

Title: DEV-09: User Authentication in an OpenEdge


1
DEV-09User Authentication in an OpenEdge 10.1
Distributed Computing Environment
  • Michael Jacobs
  • Development Architect

2
Agenda
  • User authentication drivers
  • Authentication basics
  • Whats in OpenEdge 10.1A
  • Distributed authentication
  • Using OpenEdge 10.1A
  • Whats next?

3
Under Development
  • This talk includes information about potential
    future products and/or product enhancements.
  • What I am going to say reflects our current
    thinking, but the information contained herein is
    preliminary and subject to change. Any future
    products we ultimately deliver may be materially
    different from what is described here.

4
Agenda
  • User authentication drivers
  • Authentication basics
  • Whats in OpenEdge 10.1A
  • Distributed authentication
  • Using OpenEdge 10.1A
  • Whats next?

5
User Authentication Drivers
  • Hackers, Crackers, Rage, and Corruption
  • Government regulations
  • Sarbanes-Oxley (SOX)
  • CFR Part 11
  • HIPAA
  • Customer security policy requirements
  • Migration to n-tier application architecture
  • OpenEdge Reference Architecture
  • Service Oriented Architecture

6
Distributed User Authentication Challenges
  • Prevent identity theft
  • Login credentials
  • Login session
  • Multiple authentication systems
  • Existing customer systems
  • Future authentication systems
  • Multiple service interface support
  • Deployment time configuration

7
Agenda
  • User authentication drivers
  • Authentication basics
  • Whats in OpenEdge 10.1A
  • Distributed authentication
  • Using OpenEdge 10.1A
  • Whats next?

8
Application Security Fundamentals
AUTHENTICATION
APPLICATIONSECURITY
AUTHORIZATION
AUDITING
9
Balancing Authentication Costs
Technology Development Support
Liability Data Support
Product
Customer
10
Authentication Manager Architecture
AuthenticationManager
ProcessControl
OpenEdge
AP/End user
11
Authentication Process Control
Client
AppServer Agent
AuthenticationManager
ProcessControl
12
Single User Account Systems
13
True Single Sign-On
14
Whats in a Principal
AuthenticationSystem Data
User Account Data
User Account Restrictions
Application Defined Data
15
Agenda
  • User authentication drivers
  • Authentication basics
  • Whats in OpenEdge 10.1A
  • Distributed authentication
  • Using OpenEdge 10.1A
  • Whats next?

16
OpenEdge 10.1A Presents!
  • CLIENT-PRINCIPAL 4GL Object
  • Trusted Authentication System Registry (TASR)
  • Database controlled authentication options
  • Language extensions that use CLIENT-PRINCIPAL
    objects
  • Optional run-time OpenEdge database permission
    checking

17
4GL CLIENT-PRINCIPAL Object
  • Represents a single users login session
  • Share a single user authentication
  • Between application servers
  • Between application server agents
  • Supersedes the SETUSERID() function
  • Set the current user-id for
  • The 4GL Application
  • A OpenEdge database connection permissions
  • Triggers OpenEdge auditing record creation

18
Trusted Authentication System Registry (TASR)
  • Used to validate CLIENT-PRINCIPAL
  • OpenEdge client to AppServer Agent
  • 4GL Client to OpenEdge database
  • Supports multiple domains
  • Uses domains key for validation
  • Configurable via OpenEdge database options table
  • Loaded from OpenEdge database Domain Registry
    table

19
4GL Language Extensions
  • SECURITY-MANAGER object
  • SET-CLIENT() method
  • LOAD-DOMAINS() method
  • UUID function
  • SETDBCLIENT() function
  • HEXBINARY-ENCODE() function

20
Release 10.1 Authentication Components
4GL Client, AppServer,WebSpeed Agent
4GL Application
Client Login Session
AuthenticationManager
ServiceInterface
Authentication Options
Principal
Application Domains
Database Domains
4GL Core
SECURITY-POLICY
ApplicationTASR
Domain Configuration
21
Agenda
Sample Image Please replace it (Insert,
Picture, )
  • User authentication issues
  • Authentication basics
  • Whats in OpenEdge 10.1A
  • Distributed authentication
  • Using OpenEdge 10.1A
  • Whats next?

22
Benefits of the State-Free AppServer
23
Benefits of the State-Free AppServer
24
Problem with User Authentication in a State-Free
AppServer
Client
25
Problem with User Authentication in a State-Free
AppServer
Client
26
Whats a Login-Token
Seal 24VGWYY872ACE
27
User Authentication in a State-Free Distributed
System
Client
28
State-Free User Context Management
Client
29
State-Free User Context Management
Client
30
Agenda
Sample Image Please replace it (Insert,
Picture, )
  • User authentication drivers
  • Authentication basics
  • Distributed authentication
  • Whats in OpenEdge 10.1A
  • Using OpenEdge 10.1A
  • Whats next?

31
Configuring Single CLIENT-PRINCIPAL Context Mode
Data AdministrationUtility
4GL Application
AuthenticationManager
ServiceInterface
4GL Core
SECURITY-POLICY
ApplicationTASR
32
Configuring the SECURITY-POLICY TASR
  • Configure TASR domains
  • Domain name LDAP
  • Domain key Domain key
  1. Configure databases to use applications TASR
  1. Load application TASR at run-time

SECURITY-POLICYLOAD-DOMAINS(tasrdb).
33
User Login Creating the CLIENT-PRINCIPAL
LoginCredentials
4GL Application
AuthenticationManager
ServiceInterface
4GL Core
SECURITY-POLICY
ApplicationTASR
34
Creating the CLIENT-PRINCIPAL in the
Authentication Manager
  1. Create a CLIENT-PRINCIPAL object

CREATE CLIENT-PRINCIPAL hCP.
  1. Set required attributes

hCPUSER-ID DDuck.hCPLOGIN-TOKEN
BASE64-ENCODE(UUID).hCPDOMAIN LDAP.
  1. Define optional client account attributes

hCPROLES Accountant.
35
Creating the CLIENT-PRINCIPAL (cont)
  1. Define optional application properties

hCPSET-PROPERTY(SalesOrderCRU).hCPSET-PROPER
TY(CustInfoR).
  1. Commit the user authentication

hCPSEAL(Domain key).
hCPAUTHENTICATION-FAILED.
  1. Read-only access to attributes and properties

prop hCPGET-PROPERTY(CustInfo).
Audit Record Generated
36
Sealing a CLIENT-PRINCIPAL Object
hCPSEAL(Domain key).
(HMAC)
37
User LoginSharing CLIENT-PRINCIPLAL Objects
4GL Application
Principal Context
AuthenticationManager
ServiceInterface
4GL Core
SECURITY-POLICY
ApplicationTASR
38
Sharing User Login Context
  • Define CLIENT-PRINCIPAL storage

DEFINE TEMP-TABLE PrincipalContext FIELD
tokenid AS CHARACTER FIELD token AS RAW
INDEX tokenidIdx IS PRIMARY tokenid.
  • Export the users access token

CREATE PrincipalContext.token
hCPEXPORT-PRINCIPAL.tokenid
hCPLoginToken.RELEASE PrincipalContext.
39
Running a Remote ProcedureRecovering the
CLIENT-PRINCIPAL
Principal Context
4GL Application
Principal
AuthenticationManager
ServiceInterface
Principal
4GL Core
SECURITY-POLICY
ApplicationTASR
40
Running a Remote ProcedureSetting the
CLIENT-PRINCIPAL
4GL Application
Principal Context
AuthenticationManager
ServiceInterface
Principal
Principal
4GL Core
SECURITY-POLICY
ApplicationTASR
41
Retrieving the User Login Context and Setting the
User Identity
  1. Import the users access token

FIND PrincipalContext WHERE tokenid
AXy12hCPIMPORT(token).
  1. Setting a single application user identity

SECURITY-POLICYSET-CLIENT(hCP).
Audit Record Generated
42
Validating a CLIENT-PRINCIPAL Object
TASR
(HMAC)

Seal 24VGWYY872ACE
43
Logging OutDeleting CLIENT-PRINCIPLAL Objects
Principal Context
4GL Application
AuthenticationManager
ServiceInterface
Principal
4GL Core
SECURITY-POLICY
ApplicationTASR
44
Logging out CLIENT-PRINCIPAL Objects and Deletion
  1. Import the users access token

FIND PrincipalContext WHERE tokenid
AXy12hCPIMPORT(token).DELETE
PrincipalContext.
  1. Logout a client

hCPLOGOUT(hCP).
Audit Record Generated
45
Agenda
  • User authentication drivers
  • Authentication basics
  • Distributed authentication
  • Whats in OpenEdge 10.1A
  • Using OpenEdge 10.1A
  • Whats next?

46
Authentication Manager Architecture
AuthenticationManager
ProcessControl
OpenEdge
AP/End user
47
Future SupportMore Core Business Services
OpenEdgeAuthenticationService
Login()Logout()
ProcessControl
OpenEdgePlug-in
_user
LDAP
LDAPPlug-in
4GLPlug-in
4GLProcedures
User ContextSubsystem
OpenEdge
OpenEdge UserContext Service

48
Future SupportMore Application Authorization
4GL Application
4GL ACLFunctions
4GL Login Functions
ServiceInterface
Principal
User Role Support
CanAccess().
Login ().
Access Control Lists
4GL Core
OpenEdgeAuthenticationSubsystem
SECURITY-POLICY
AuthorizationSubsystem
49
In Summary
  • Secure user authentication is necessary in
    todays world
  • Distributed user authentication presents many
    challenges
  • OpenEdge 10 is providing the answer

50
Questions?
51
Thank you for your time!
52
(No Transcript)
Write a Comment
User Comments (0)
About PowerShow.com