OpenEdge Authentication Gateway Guide
Enhanced OpenEdge Database Connection Security

The OpenEdge Database includes support for enhanced client connection security beginning in the OpenEdge 11.6.2 release, built from a network of interdependent OpenEdge product security features. This enhanced database connection security puts the Database Administrator (DBA) in control of which OpenEdge clients may establish and use connections to access the server’s data. With this new level of connection security the DBA is able to:
* Have broader access to user accounts and authentication services
* Share user authentication processes across multiple OpenEdge databases
* Use Role-Based Access to control the per-user ability to connect to the database server and/or change the user of that connection
* Selectively control which OpenEdge installations on the network may use its authentication service to establish connections
* Use additional audit trail events to track both successful and unsuccessful database connections, with additional information about who, what, and from where the connection request originated
The enhanced database connection security provides server-side control over essential authentication, authorization, and auditing security processes. Because the database server now controls those security processes, there is a higher degree of confidence in who may establish and be permitted (or not) to use a connection and access the database data. Once an OpenEdge database server is configured to use enhanced connection security, all database clients are required to delegate ALL connection-related user authentication, authorization, and connection auditing to the database server, and the database server then also employs an additional level of security in its network connections.
The OpenEdge database attains this enhanced level of connection security through its close relationship with its ABL clients (and, as a future roadmap item, OpenEdge SQL clients) and the use of a network authentication service that may be shared by all OpenEdge databases and their clients.
An OpenEdge database server optionally delegates its user authentication process to an OpenEdge Authentication Gateway that bridges the gap between OpenEdge and [strong] user authentication products such as Lightweight Directory Access Protocol (LDAP), Active Directory (AD), and others. The OpenEdge Authentication Gateway employs the same Domain architecture used in all OpenEdge version 11 releases in order to produce native OpenEdge security tokens, ABL Client-Principals. The native OpenEdge security tokens are used in the database server’s connection authorization as well as by the ABL application. Support for ABL client Single Sign-On (SSO) when changing an existing connection’s user identity continues to use the same Domain configuration found in all OpenEdge 11 releases.
An OpenEdge database server can now directly execute connection authorization using Role-Based Access Controls (RBAC) in the same fashion as it does with auditing. A new OpenEdge database connection role has been added that gives the DBA direct per-user control over which authenticated users (via a sealed Client-Principal identity) are permitted to establish a connection, or to take control of an existing connection. This authorization process is based on the same native OpenEdge security tokens used in all OpenEdge 11 releases. So while the OpenEdge database server optionally employs an OpenEdge Authentication Gateway for all new user authentication, it can also accept sealed Client-Principal tokens from Progress Application Server (PAS) for OpenEdge servers.
The enhanced OpenEdge database connection security also increases the amount of database connection-related information available in the audit trail. It adds the ability to explicitly track failed connection requests and provides an enhanced level of detail, including who, where, and what originated the database server connection request.
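The two preceding paragraphs describe a flow of sealed identity token, server-side connection-role check, and audit of both outcomes. The following is an added illustrative model of that flow, not OpenEdge code: the token layout, the HMAC seal, the `db_connect` role name and the shared key are all constructed assumptions, not the real Client-Principal format or any OpenEdge API.

```python
import hmac
import hashlib
import json

# Constructed shared secret standing in for the Domain access code the
# gateway and database server would share; not a real OpenEdge value.
GATEWAY_KEY = b"constructed-shared-domain-key"
CONNECT_ROLE = "db_connect"   # hypothetical name for the connection role


def seal_client_principal(user_id, domain, roles, key=GATEWAY_KEY):
    """Model of the Authentication Gateway issuing a sealed token after it
    has authenticated the user against its backing store (e.g. LDAP/AD)."""
    cp = {"user": user_id, "domain": domain, "roles": sorted(roles),
          "issued": 1700000000}          # fixed constructed timestamp
    body = json.dumps(cp, sort_keys=True).encode()
    seal = hmac.new(key, body, hashlib.sha256).hexdigest()
    return {"body": body, "seal": seal}


def verify_seal(token, key=GATEWAY_KEY):
    """Model of the database server checking the seal before trusting any
    identity claim inside the token (constant-time comparison)."""
    expected = hmac.new(key, token["body"], hashlib.sha256).hexdigest()
    return hmac.compare_digest(expected, token["seal"])


def authorize_connection(token, client_host, audit_log):
    """Model of server-side connection authorization plus auditing: every
    attempt, successful or not, is recorded with who, what and from where."""
    event = {"what": "db-connect", "where": client_host, "who": None}
    if not verify_seal(token):
        # Unsealed/tampered token: identity claims are never read.
        event.update(outcome="denied", reason="bad-seal")
        audit_log.append(event)
        return False
    cp = json.loads(token["body"])
    event["who"] = f"{cp['user']}@{cp['domain']}"
    if CONNECT_ROLE not in cp["roles"]:
        event.update(outcome="denied", reason="missing-connect-role")
        audit_log.append(event)
        return False
    event.update(outcome="success", reason=None)
    audit_log.append(event)
    return True
```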