DEV-09: User Authentication in an OpenEdge™ 10.1 Distributed Computing Environment
Michael Jacobs, Development Architect
2 DEV-09: User Authentication in OpenEdge 10.1 © 2005 Progress Software Corporation
Agenda
User authentication drivers
Authentication basics
What’s in OpenEdge 10.1A
Distributed authentication
Using OpenEdge 10.1A
What’s next?
Disclaimer: Under Development
This talk includes information about potential future products and/or product enhancements.
What I am going to say reflects our current thinking, but the information contained herein is preliminary and subject to change. Any future products we ultimately deliver may be materially different from what is described here.
User Authentication Drivers
Hackers, crackers, rage, and corruption
Government regulations
   – Sarbanes-Oxley (SOX)
   – CFR Part 11
   – HIPAA
Customer security policy requirements
Migration to n-tier application architecture
   – OpenEdge Reference Architecture
   – Service Oriented Architecture
Distributed User Authentication Challenges
Prevent identity theft
   – Login credentials
   – Login session
Multiple authentication systems
   – Existing customer systems
   – Future authentication systems
Multiple service interface support
Deployment time configuration
Application Security Fundamentals (diagram: Authentication, Authorization and Auditing as the components of Application Security)
Balancing Authentication Costs (diagram: Product costs and Customer costs to be balanced, labelled $ Technology, $ Development, $ Support, $ Liability, $ Data, $ Support)
Authentication Manager Architecture (diagram: the Authentication Manager holds Process Control, an API, a User Context Subsystem and Auditing; its Authentication Plug-in Subsystem holds LDAP plug-ins, a 4GL plug-in backed by 4GL procedures and a Progress plug-in backed by the _user table; the OpenEdge AP/End user sits outside)
Authentication Process Control (diagram: a Client sends Login Credentials to an AppServer Agent; Process Control in the Authentication Manager runs Authenticate, Account Check and Get Account Data against one of several Authentication Systems and their User Accounts and produces a Principal; the Authorization Manager applies Access Control Data to Application Resources)
Single User Account Systems (diagram: many Authentication Managers sharing one Authentication System and its User Accounts)
True Single Sign-On (diagram: Authentication Managers and Authorization Managers across Trusted Domains, an Authentication System with its User Accounts, and a Domain Access Key)
What’s in a Principal
PRINCIPAL
   Domain: LDAP
   State: Login
   User-ID: DDuck
   Login-token: BW3G1&2G1836D872
   Login-date: 3/12/05 08:15:33.12
   Login-expires: 3/12/05 19:30.00.00
   Roles: Accountant
   App-data: Company=Acme ...
Field groups called out on the slide: Authentication System Data, User Account Data, User Account Restrictions, Application Defined Data
OpenEdge 10.1A Presents!
CLIENT-PRINCIPAL 4GL object
Trusted Authentication System Registry (TASR)
Database controlled authentication options
Language extensions that use CLIENT-PRINCIPAL objects
Optional run-time OpenEdge database permission checking
4GL CLIENT-PRINCIPAL Object
Represents a single user’s login session
Shares a single user authentication
   – Between application servers
   – Between application server agents
Supersedes the SETUSERID() function
Sets the current user-id for:
   – The 4GL application
   – An OpenEdge database connection [& permissions]
Triggers OpenEdge auditing record creation
Trusted Authentication System Registry (TASR)
Used to validate a CLIENT-PRINCIPAL
   – OpenEdge client to AppServer Agent
   – 4GL client to OpenEdge database
Supports multiple domains
Uses the domain’s key for validation
Configurable via the OpenEdge database options table
Loaded from the OpenEdge database Domain Registry table
4GL Language Extensions
SECURITY-MANAGER object
   – SET-CLIENT() method
   – LOAD-DOMAINS() method
UUID function
SETDBCLIENT() function
HEXBINARY-ENCODE() function
Release 10.1 Authentication Components (diagram: OpenEdge Database with DB Options and Domain Registry, fed by Authentication Options, Domain Configuration and Database Domains; 4GL Client, AppServer or WebSpeed Agent whose 4GL Core holds the Authentication Manager, Principal, SECURITY-POLICY and Application TASR; 4GL Application with Service Interface, Client Login Session and Application Domains; Database Connection with Database TASR)
Benefits of the State-Free AppServer (diagram: many Clients spread across several AppServers, each running several Agents; a second panel adds SOA Clients reaching the AppServers through Adapters)
Problem with User Authentication in a State-Free AppServer (diagram: a Client’s Login goes through the Service Interface to the Authentication Manager on one Agent, which authenticates against the Authentication System and keeps the Principal; in the second panel the Client’s call to ProcA reaches an Agent that holds no Principal for it, marked "?")
What’s a Login-Token
PRINCIPAL (Domain, State, User-ID, Login-token, Login-date, Login-expires, Roles, App-data, as listed under "What’s in a Principal")
Seal: 24VGWYY872ACE
The principal together with its Seal is labelled the Login Token.
User Authentication in a State-Free Distributed System (diagram: the Client’s Login goes through the Service Interface to an Agent’s Authentication Manager and the Authentication System; the resulting Principal is stored in a Principal Context shared by the Agents)
State-Free User Context Management (diagram: the Client’s calls to ProcA and then ProcB land on different Agents, each of which recovers the Principal from the shared Principal Context)
Configuring Single CLIENT-PRINCIPAL Context Mode (diagram: the Data Administration Utility maintains DB Options and the Domain Registry in the OpenEdge Database; 4GL Core with Authentication Manager, SECURITY-POLICY and Application TASR; 4GL Application with Service Interface; Database Connection with Database TASR)
Configuring the SECURITY-POLICY TASR
1. Configure TASR domains
   a. Domain name: LDAP
   b. Domain key: "Domain key"
2. Configure databases to use the application’s TASR
3. Load the application TASR at run-time
   SECURITY-POLICY:LOAD-DOMAINS("tasrdb").
User Login: Creating the CLIENT-PRINCIPAL (diagram: Login Credentials reach the 4GL Application’s Service Interface; the 4GL Core’s Authentication Manager checks them against the Authentication System and creates the Principal as a CLIENT-PRINCIPAL, governed by SECURITY-POLICY and the Application TASR; the Database Connection carries the Database TASR and DB Permissions to the OpenEdge Database Data Tables)
Creating the CLIENT-PRINCIPAL in the Authentication Manager
1. Create a CLIENT-PRINCIPAL object
   CREATE CLIENT-PRINCIPAL hCP.
2. Set required attributes
   hCP:USER-ID     = "DDuck".
   hCP:LOGIN-TOKEN = BASE64-ENCODE(UUID).
   hCP:DOMAIN      = "LDAP".
3. Define optional client account attributes
   hCP:ROLES = "Accountant".
Creating the CLIENT-PRINCIPAL (cont.)
4. Define optional application properties
   hCP:SET-PROPERTY("SalesOrder=CRU").
   hCP:SET-PROPERTY("CustInfo=R").
5. Commit the user authentication *
   hCP:SEAL("Domain key").        /* on success: seal with the domain key */
   hCP:AUTHENTICATION-FAILED.     /* on failure: record the failed login */
   * Audit Record Generated
6. Read-only access to attributes and properties
   prop = hCP:GET-PROPERTY("CustInfo").
Sealing a CLIENT-PRINCIPAL Object
PRINCIPAL (Domain, State, User-ID, Login-token, Login-date, Login-expires, Roles, App-data, as listed under "What’s in a Principal")
Seal: 24VGWYY872ACE, an HMAC computed over the principal’s fields with the Domain Access Key
hCP:SEAL("Domain key").
User Login: Sharing CLIENT-PRINCIPAL Objects (diagram: 4GL Core with Authentication Manager, SECURITY-POLICY and Application TASR; the CLIENT-PRINCIPAL is placed in a Principal Context; 4GL Application with Service Interface; Database Connection with Database TASR and DB Permissions to the OpenEdge Database Data Tables)
Sharing User Login Context
Define CLIENT-PRINCIPAL storage
   DEFINE TEMP-TABLE PrincipalContext
       FIELD tokenid AS CHARACTER
       FIELD token   AS RAW
       INDEX tokenidIdx IS PRIMARY tokenid.
Export the user’s access token
   CREATE PrincipalContext.
   token   = hCP:EXPORT-PRINCIPAL.
   tokenid = hCP:LOGIN-TOKEN.
   RELEASE PrincipalContext.
Running a Remote Procedure: Recovering the CLIENT-PRINCIPAL (diagram: the same components as the previous slide; the Principal is read back from the Principal Context into the 4GL Core)
Running a Remote Procedure: Setting the CLIENT-PRINCIPAL (diagram: the same components; SECURITY-POLICY sets the recovered CLIENT-PRINCIPAL for the 4GL Application and the Database Connection, where the Database TASR and DB Permissions apply)
Retrieving the User Login Context and Setting the User Identity
1. Import the user’s access token
   FIND PrincipalContext WHERE tokenid = "AXy12…".
   hCP:IMPORT(token).
2. Set a single application user identity *
   SECURITY-POLICY:SET-CLIENT(hCP).
   * Audit Record Generated
Validating a CLIENT-PRINCIPAL Object
PRINCIPAL (Domain, State, User-ID, Login-token, Login-date, Login-expires, Roles, App-data, as listed under "What’s in a Principal")
Seal: 24VGWYY872ACE
The HMAC over the principal’s fields is recomputed with the Domain Access Key that the TASR holds for the principal’s domain and compared with the Seal: equal is TRUE, anything else is FALSE.
Logging Out: Deleting CLIENT-PRINCIPAL Objects (diagram: the same components as the previous slides; the Principal is removed from the Principal Context)
Logging out CLIENT-PRINCIPAL Objects and Deletion
1. Import the user’s access token
   FIND PrincipalContext WHERE tokenid = "AXy12…".
   hCP:IMPORT(token).
   DELETE PrincipalContext.
2. Logout a client *
   hCP:LOGOUT(hCP).
   * Audit Record Generated
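The slides from "Creating the CLIENT-PRINCIPAL" through "Logging out CLIENT-PRINCIPAL Objects" describe one mechanism: a principal is sealed with an HMAC under its domain’s access key, exported into a context table keyed by login token, recovered by whichever agent receives the next call, validated against the TASR before the user identity is set, and finally deleted at logout. The Python below is an added model of that mechanism written for this transcript; it is not OpenEdge code and not from the deck. The HMAC-SHA256 seal, the in-memory TASR dictionary, the PrincipalContext class, the 11-hour lifetime and every sample value are constructed assumptions, and the function names only echo the 4GL methods they stand in for (SEAL, EXPORT-PRINCIPAL, IMPORT, SET-CLIENT, LOGOUT).

```python
import hashlib
import hmac
import json
import secrets
from dataclasses import asdict, dataclass, field
from datetime import datetime, timedelta, timezone
from typing import Dict, Optional

# Trusted Authentication System Registry: domain name -> domain access key.
# The deck loads it from a database table; this one is constructed.
TASR: Dict[str, bytes] = {"LDAP": b"constructed-ldap-domain-access-key"}

@dataclass
class Principal:
    domain: str
    user_id: str
    login_token: str
    roles: str
    login_date: str
    login_expires: str
    state: str = "Login"
    properties: Dict[str, str] = field(default_factory=dict)
    seal: str = ""

    def sealed_fields(self) -> dict:
        # Everything the seal covers; the seal itself is excluded.
        d = asdict(self)
        d.pop("seal")
        return d

def _mac(fields: dict, key: bytes) -> str:
    # Canonical serialisation so sealer and validator MAC identical bytes.
    data = json.dumps(fields, sort_keys=True, separators=(",", ":")).encode()
    return hmac.new(key, data, hashlib.sha256).hexdigest()

def seal(p: Principal, domain_key: bytes) -> None:
    # hCP:SEAL("Domain key"): commit the login by MACing the fields.
    p.seal = _mac(p.sealed_fields(), domain_key)

def validate(p: Principal, registry: Dict[str, bytes] = TASR,
             now: Optional[datetime] = None) -> bool:
    # The "TASR == T/F" check: recompute the HMAC with the registry's key for
    # the domain. Unknown domain, bad seal or expired login all give False.
    key = registry.get(p.domain)
    if key is None or not p.seal:
        return False
    if not hmac.compare_digest(p.seal, _mac(p.sealed_fields(), key)):
        return False
    return datetime.fromisoformat(p.login_expires) > (now or datetime.now(timezone.utc))

def export_principal(p: Principal) -> bytes:
    # hCP:EXPORT-PRINCIPAL: serialise the sealed principal for storage.
    return json.dumps(asdict(p)).encode()

class PrincipalContext:
    """Stand-in for the PrincipalContext TEMP-TABLE: exported token by tokenid."""
    def __init__(self) -> None:
        self.rows: Dict[str, bytes] = {}

    def create(self, p: Principal) -> str:
        self.rows[p.login_token] = export_principal(p)
        return p.login_token

    def find(self, tokenid: str) -> Optional[Principal]:
        # hCP:IMPORT(token): rebuild the object; validating it is a separate step.
        raw = self.rows.get(tokenid)
        return Principal(**json.loads(raw)) if raw else None

    def delete(self, tokenid: str) -> None:
        self.rows.pop(tokenid, None)

def login(ctx: PrincipalContext, user_id: str, roles: str,
          domain: str = "LDAP", ttl_hours: float = 11.0) -> str:
    # Authentication Manager side: build, seal and publish the principal.
    now = datetime.now(timezone.utc)
    p = Principal(domain=domain, user_id=user_id,
                  login_token=secrets.token_urlsafe(16), roles=roles,
                  login_date=now.isoformat(),
                  login_expires=(now + timedelta(hours=ttl_hours)).isoformat())
    p.properties["CustInfo"] = "R"  # hCP:SET-PROPERTY("CustInfo=R")
    seal(p, TASR[domain])
    return ctx.create(p)

def run_remote_procedure(ctx: PrincipalContext, tokenid: str,
                         now: Optional[datetime] = None) -> Optional[str]:
    # A state-free agent recovers the principal by token id and sets the user
    # identity (SECURITY-POLICY:SET-CLIENT) only if the seal validates.
    p = ctx.find(tokenid)
    if p is None or not validate(p, now=now):
        return None
    return p.user_id

def logout(ctx: PrincipalContext, tokenid: str) -> bool:
    # hCP:LOGOUT plus DELETE PrincipalContext: the token stops working.
    if ctx.find(tokenid) is None:
        return False
    ctx.delete(tokenid)
    return True
```

Calling `login` and then `run_remote_procedure` with the returned token id returns the user id; a stored row whose roles are edited without re-sealing, a token past its expiry, a principal sealed under a domain the registry does not know, and a token that has been logged out all come back as None before any identity is set. That is the property the state-free design relies on: an agent that has never seen the client trusts the seal, not its own memory. Note the canonical JSON in `_mac`; sealer and validator must MAC byte-identical input, so field order is fixed by `sort_keys`.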
Authentication Manager Architecture (diagram repeated from the Authentication basics section: Authentication Manager with Process Control, API, User Context Subsystem and Auditing; Authentication Plug-in Subsystem with LDAP plug-ins, a 4GL plug-in backed by 4GL procedures and a Progress plug-in backed by _user; OpenEdge AP/End user)
Future Support: More Core Business Services (diagram: the Authentication Manager becomes an OpenEdge Authentication Service with Process Control, the Authentication Plug-in Subsystem (LDAP, 4GL and OpenEdge plug-ins, the last backed by _user), an API, Auditing, and an OpenEdge User Context Service exposing Login() and Logout())
Future Support: More Application Authorization (diagram: OpenEdge Database holding User Roles and Access Control Lists; 4GL Core with SECURITY-POLICY, an Authorization Subsystem offering CanAccess(...) and 4GL ACL Functions, and an OpenEdge Authentication Subsystem offering Login(...) and 4GL Login Functions with Principal User Role Support; 4GL Application with Service Interface)
In Summary
Secure user authentication is necessary in today’s world
Distributed user authentication presents many challenges
OpenEdge 10 is providing the answer
Questions?
Thank you for your time!