
Configuring user authentication for Web server logins

As an administrator, you can set preferences in OpenEdge Management that enable users to choose an authentication type for Web server logins. You can configure these preferences in the Authentication Configuration page, and the configuration information is stored in the fathom.properties file.
To configure user authentication:
1. In the OpenEdge Management console, click the Options icon.
The Options page appears.
2. Click Authorized Users to open the security home page and then select the Authentication Configuration tab.
The Authentication Configuration page appears.
3. To allow OpenEdge Management to use its built-in authentication mechanism (property-file based authentication), select Use OpenEdge Management Internal Authentication.
4. To allow OpenEdge Management to use OEAG based authentication, select Use OpenEdge Authentication Gateway Authentication.
If you select OEAG based authentication, you must provide the Authentication gateway URL and at least one domain with its access code.
Provide the required information in the following fields:
* Authentication gateway URL — The URL that OpenEdge Management uses to connect to the OEAG server to authenticate users during a connection.
You must provide valid HTTPS URLs; HTTP URLs are not allowed. When providing the URL, ensure that it does not point directly to localhost (127.0.0.1). Instead, you can use the DNS name with which OpenEdge Management connects to the OEAG server.
* Disable SSL host verification — Selecting the check box turns off host verification for an SSL connection to the OEAG server.
Though disabling host name verification is considered unsafe, you can disable it for testing purposes where the OEAG server is not set up with a valid server certificate. However, it is always recommended to enable host name verification once the server certificate is set up.
To secure authentication requests from OpenEdge Management, the OEAG server certificate must be installed in the $DLC/certs directory using certutil. For information about creating and deploying an OEAG server certificate, see OpenEdge Getting Started: OpenEdge Authentication Gateway Guide.
* Client authentication header name — (Optional) The HTTP authentication header name for the OEAG server.
The default name x-oests-token in this field matches the default value in the OEAG server, and is used when the server requires a client key to perform authentication. You can change it only if the OEAG server is configured to accept a different token name.
* Enabled SSL protocols — The SSL protocols that are to be enabled. The default protocol is TLSv1.2.
It is recommended to use protocol versions at least as secure as TLSv1.2 to maintain the highest level of security, unless the OEAG server is configured to use a less secure protocol.
* Enabled SSL cipher suites — The SSL cipher suites that are to be enabled.
* Role prefix — The prefix provided to the user roles by the OEAG server. This allows OpenEdge Management to work with the OEAG server that is configured to use other authentication mechanisms such as LDAP.
OpenEdge Management removes the prefix from any role returned from the OEAG server in order to match the role against the internally defined roles. For example, if the OEAG server returns a role ROLE_PSCAdmin with a prefix ROLE_, OpenEdge Management ignores the prefix and considers the role name as PSCAdmin.
5. Provide the domains and their access codes in the Domain configuration grid as described in Validating authentication tokens.
When modifying the domain configuration, it is recommended to disable HTTP and access the web interface through an HTTPS connection with a signed server certificate. This avoids exposing the domain names and domain access codes as clear text when sent across a network.
6. Click Submit.
After submitting the changes made to the authentication mechanism, you must restart the Web server for the changes to take effect. Your current login session expires when you restart the Web server, so log into the management console again.
Note: If you lock yourself out, edit the fathom.properties file to restore the default login mechanism and restart fathom using fathom -stop/fathom -start.
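The constraints in this procedure can be checked against proposed values before you click Submit. The following Python sketch is an added example, not Progress code: the function and parameter names are hypothetical, the values are passed as arguments rather than read from fathom.properties (this page does not list its key names), and it assumes the protocol field uses Java-style names such as TLSv1.2.

```python
import ipaddress
from urllib.parse import urlsplit

# Protocol names weaker than the page's TLSv1.2 default (assumed Java-style names).
WEAK_PROTOCOLS = {"SSLv2", "SSLv2Hello", "SSLv3", "TLSv1", "TLSv1.1"}


def is_loopback(host):
    """True for localhost names and any loopback IP literal."""
    if host.lower().rstrip(".") in ("localhost", "localhost.localdomain"):
        return True
    try:
        return ipaddress.ip_address(host).is_loopback
    except ValueError:
        return False  # a DNS name, not an IP literal


def check_gateway_settings(url, disable_host_verification, protocols, domains):
    """Return a list of findings; an empty list means the values pass."""
    findings = []
    parts = urlsplit(url)
    if parts.scheme.lower() != "https":
        findings.append("gateway URL must use HTTPS")
    if not parts.hostname:
        findings.append("gateway URL has no host")
    elif is_loopback(parts.hostname):
        findings.append("gateway URL points at localhost; use the DNS name")
    if disable_host_verification:
        findings.append("SSL host verification is disabled (testing only)")
    weak = sorted(set(protocols) & WEAK_PROTOCOLS)
    if weak:
        findings.append("protocols weaker than TLSv1.2 enabled: " + ", ".join(weak))
    if not any(name and code for name, code in domains):
        findings.append("at least one domain with an access code is required")
    return findings


def strip_role_prefix(role, prefix):
    """Drop the configured role prefix before matching internal roles."""
    return role[len(prefix):] if prefix and role.startswith(prefix) else role


if __name__ == "__main__":
    # Constructed sample values, not taken from a real installation.
    for finding in check_gateway_settings(
        "http://127.0.0.1:8443/", True, ["TLSv1.2", "TLSv1"], []
    ):
        print("FAIL:", finding)
    print(strip_role_prefix("ROLE_PSCAdmin", "ROLE_"))
```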
* Validating authentication tokens