Administration Guide
 
Configuring multiple domains
Configuring for multi-domain support begins with the following steps:
1. Design the OpenEdge domain name space to be used by the ABL application, and assign a Domain Access Code (DAC) to each domain name.
2. Build a CSV text file containing one domain name and its clear-text DAC per line, separated by a comma. Because the DACs are in clear text at this point, restrict who can read this file and remove it once the keystore in Step 3 has been generated. For example:
domain-name,clear-text-DAC
3. Use the gendomreg utility to create an encrypted Java keystore file from the CSV file. For example:
oe-install-dir/bin/gendomreg domreg.csv domreg.keystore
4. Copy the encrypted Java keystore file to the .../conf directory of each PAS for OpenEdge instance that hosts the application.
5. Configure the OEClientPrincipalFilter bean in the oeablSecurity.properties file as follows:
a. Set the OEClientPrincipalFilter.key property to a blank value.
b. Set the OEClientPrincipalFilter.registryFile property and set its value to the file name of the Java keystore that you created in Step 3. For example:
OEClientPrincipalFilter.registryFile=domreg.keystore
c. Set the OEClientPrincipalFilter.domain property to a default domain that has minimal access rights to your ABL application. This is the domain a user account falls back to when none of its roles designates a domain.
d. Optionally configure authz, accntinfo, roles, and other properties.
The next step is to design the role name pattern that will be used to designate an OpenEdge domain. Ideally the name pattern has a unique prefix that distinguishes it from all other role names. The name pattern may also employ a suffix to help establish uniqueness. See Obtaining a domain name from a role name for more information about designing a role name pattern.
Note: Since the OEClientPrincipalFilter bean uses Java RegEx functionality, create a role name pattern that is easy for Java RegEx to parse.
When you have established a role name pattern, construct the Java RegEx pattern that will distinguish a domain-designating role from the ordinary roles granted to a user account. For example, with OED: as the prefix, so that a domain role has the form OED:domain-name:
Table 13. Spring users.properties accounts

Role Name     | Spring Security Role Name | Java RegEx Match Pattern
ROLE_OED:acme | ROLE_OED:acme             | ROLE_OED:(.*)

Table 14. Spring LDAP groupOfUniqueNames object

Role Name   | Spring Security Role Name | Java RegEx Match Pattern
cn=OED:acme | ROLE_OED:ACME             | ROLE_OED:(.*)
The Spring LDAP Authentication Provider prefixes ROLE_ to any LDAP group name it uses as a user account role, and it converts the LDAP group name to upper case.
Finally, set the OEClientPrincipalFilter bean's domainRoleFilter property to the value of the Java RegEx match pattern.
Note: If your Java RegEx match pattern contains a backslash ( \ ), you may be required to escape it with a second backslash ( \\ ) in the properties file so that a single backslash reaches the regular expression.
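The following program, added here as an illustration and not code from the OpenEdge product or this guide, walks through the properties from Step 5 and the role name pattern above together: it loads the OEClientPrincipalFilter settings from a constructed properties fragment, applies the domainRoleFilter pattern to the roles Spring Security would present for a users.properties account, for an LDAP account (ROLE_ prefix added, group name upper-cased) and for an account with no domain role, and shows the backslash escaping the note describes. The default domain name guest, the role lists, and the extra example.strictFilter property are assumptions made for the example. The example matches each role as a whole with Matcher.matches(); whether OEClientPrincipalFilter itself matches whole roles or searches within them is not stated on this page.

```java
import java.io.IOException;
import java.io.StringReader;
import java.util.List;
import java.util.Optional;
import java.util.Properties;
import java.util.regex.Matcher;
import java.util.regex.Pattern;

public class DomainRoleFilterDemo {

    // Constructed stand-in for the relevant lines of oeablSecurity.properties.
    // example.strictFilter is not an OpenEdge property; it is here only to show
    // that "\\w" in a properties file becomes "\w" after loading.
    private static final String PROPS =
        "OEClientPrincipalFilter.key=\n" +
        "OEClientPrincipalFilter.registryFile=domreg.keystore\n" +
        "OEClientPrincipalFilter.domain=guest\n" +
        "OEClientPrincipalFilter.domainRoleFilter=ROLE_OED:(.*)\n" +
        "example.strictFilter=ROLE_OED:(\\\\w+)\n";

    /** Domain named by the first role that matches the pattern as a whole, or empty if none does. */
    static Optional<String> domainFromRoles(Pattern domainRoleFilter, List<String> roles) {
        for (String role : roles) {
            Matcher m = domainRoleFilter.matcher(role);
            // matches() requires the whole role to fit the pattern; a find() would also
            // accept a role such as "XROLE_OED:acme", which is not a domain role.
            if (m.matches()) {
                return Optional.of(m.group(1));
            }
        }
        return Optional.empty();
    }

    /** Domain for a user: the one designated by a matching role, else the configured default. */
    static String resolveDomain(Properties cfg, List<String> roles) {
        Pattern p = Pattern.compile(cfg.getProperty("OEClientPrincipalFilter.domainRoleFilter"));
        return domainFromRoles(p, roles).orElse(cfg.getProperty("OEClientPrincipalFilter.domain"));
    }

    public static void main(String[] args) throws IOException {
        Properties cfg = new Properties();
        cfg.load(new StringReader(PROPS));

        // Constructed role lists, as Spring Security would present them.
        List<String> fromUsersProperties = List.of("ROLE_PSCUser", "ROLE_OED:acme");
        List<String> fromLdap = List.of("ROLE_PSCUSER", "ROLE_OED:ACME"); // LDAP: prefixed and upper-cased
        List<String> noDomainRole = List.of("ROLE_PSCUser");

        System.out.println("users.properties account -> " + resolveDomain(cfg, fromUsersProperties));
        System.out.println("LDAP account             -> " + resolveDomain(cfg, fromLdap));
        System.out.println("no domain role           -> " + resolveDomain(cfg, noDomainRole));

        // Escaping: the loaded value is the regex ROLE_OED:(\w+), not ROLE_OED:(\\w+).
        Pattern strict = Pattern.compile(cfg.getProperty("example.strictFilter"));
        System.out.println("loaded strict pattern    -> " + strict.pattern());
        System.out.println("strict accepts 'acme/..' -> "
            + domainFromRoles(strict, List.of("ROLE_OED:acme/..")).isPresent());
    }
}
```

Running it shows the users.properties account resolving to acme, the LDAP account to ACME, and the account without a domain role to the default guest. Two points follow from this. First, the name extracted for the LDAP account is the upper-cased form, so the domain name you register in the CSV from Step 2 has to be the form your authentication provider actually produces. Second, (.*) accepts anything after the prefix; the stricter (\w+) pattern, written as (\\w+) in the properties file, rejects a role such as ROLE_OED:acme/.. that contains characters a domain name should never carry, which is a cheap check to add when role names come from a directory you do not fully control.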