[Progress Communities] [Progress OpenEdge ABL] Forum Post: Client-server database security (allowing remote database servers to accept connections fro


dbeavon

Guest
Can someone please point me to whitepapers about how Progress recommends that *remote* ABL clients be authenticated and authorized to access an OE database? Most of the database connectivity I've seen has been from local, "shared-memory" applications that use the blank user and password. In the case of blank users and passwords, the security is typically implemented in the application layer (i.e. in the AppServer logic), and no remote connections are allowed to the OE database itself.

I like doing custom security in the application layer, but now that we are moving the application layer to another server (a remote PASOE server) there needs to be some database security too. The PASOE database connections will need a way to be authenticated to the database. That type of database authentication should allow PASOE applications to connect from certain production servers (possibly with a shared account), but the authentication should definitely *disallow* connections from unauthorized clients (e.g. developer workstations should be prevented from connecting to a production OE database). Moreover, we'd like our local, "shared-memory" connections to continue to work as they do today with the blank user and password, but we don't want this loose level of security in the case that a remote connection is made to the database.

I suspect there is a normal progression where an older OE database (that has blank user IDs) needs to begin serving *remote* ABL applications as well. What are the steps that are needed to support that? I was considering the use of IP filtering so that only an approved list of remote servers would be able to connect. That would be somewhat analogous to the way that any local process is trusted if it connects with a blank user. I should probably know all this by now given how long I've worked with OE databases, but it seems like the OE RDBMS allows developers to easily defer security concerns.

I would be very grateful if someone could point me in the right direction. Again, the scope of the problem is to find a way to allow certain PASOE servers to connect remotely, and disallow any other remote connections. I originally thought IP filtering might be a good approach, but I'm not finding a lot of Google hits for that (at least not in the context of the OE RDBMS). So I'm guessing that is a non-standard approach and that there might be some better options. Any help would be appreciated.

Thanks,
David

PS. Here are two distinct authentication models that I've started investigating but haven't gotten very far with either of them yet. I'm looking for some initial direction from the community, especially from someone who has already visited this topic in the context of PASOE.

Legacy ("_user") authentication and authorization: OpenEdge 11.7 Documentation

OE Authentication Gateway: https://www.pugchallenge.eu/docs/de...t-the-gate-oeauthgateway.pdf?sfvrsn=917659f_2
