To configure a web application to use the OpenEdge Authentication Gateway, set the following properties in the PAS for OpenEdge web application's instance_name/webapps/Web_app_name/WEB-INF/oeablSecurity.properties file:

  1. http.all.authmanager=sts

    Enables the use of an STS AuthenticationProvider.

  2. sts.UserDetails.stsURL=https://oeag-dns-name:oeag-port-number

    Specifies the URL for the Authentication Gateway connection.

  3. (Optional) sts.UserDetails.noHostVerify=true

    Turns off TLS host verification (the equivalent of the -nohostverify option). Use this only on servers used for application development and testing: without host verification the web application cannot tell a genuine Authentication Gateway from a server presenting some other certificate.

  4. (Optional) sts.AuthProvider.userDomain=sts-configured-domain-name

    Specifies a fixed OpenEdge domain name that is appended to the client's user-id before authenticating with the Authentication Gateway's STS.

  5. (Optional) sts.UserDetails.stsKeystore=client-key_pathname

    Specifies the directory where the STS AuthenticationProvider looks for the Authentication Gateway's client key file. The STS AuthenticationProvider searches the oeablSecurity.properties files for a sts.UserDetails.stsKeystore value in the following order and uses the first value it finds:

    1. $CATALINA_BASE/webapps/web-app-name/WEB-INF/
    2. $CATALINA_BASE/ablapps/abl-app-name/conf/
    3. $CATALINA_BASE/conf/
    4. $CATALINA_HOME/conf/

    If the path to the client key file is not specified in any of those oeablSecurity.properties files, the value of the STSKEYSTORE multi-session Agent process environment variable is used. If STSKEYSTORE is also not set, the default client key file in openedge_install_dir/keys is used.

  6. (Optional) sts.UserDetails.sniHost=virtual-hostname

    Use this property when the OpenEdge Authentication Gateway server is configured with multiple virtual hosts that are bound to a single IP address. Specify the hostname that you want your web application to connect to. During the TLS handshake the web application then requests the certificate of that virtual host (via SNI) instead of the certificate of the host named in sts.UserDetails.stsURL.
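The following Python script is an added example, not Progress code: it reproduces the documented lookup order for sts.UserDetails.stsKeystore (four oeablSecurity.properties locations, then the STSKEYSTORE environment variable, then the install-directory default) and audits a web application's own properties for a missing sts authmanager, a non-HTTPS STS URL, and a leftover development-only noHostVerify=true. The file contents, paths, hostnames and key file names are constructed samples, so it runs offline.

```python
import re

# Constructed sample of a web application's WEB-INF/oeablSecurity.properties.
SAMPLE_WEBAPP = """\
http.all.authmanager=sts
sts.UserDetails.stsURL=https://oeag.example.test:8443
sts.UserDetails.noHostVerify=true
"""
SAMPLE_INSTANCE_CONF = "sts.UserDetails.stsKeystore=/pas/inst1/conf/oeag-client.key\n"  # constructed


def parse_properties(text: str) -> dict:
    """Minimal Java .properties reader: key=value or key:value, '#'/'!' comment lines."""
    props = {}
    for line in text.splitlines():
        m = re.match(r"([^#!=:\s][^=:\s]*)\s*[=:]\s*(.*)$", line.strip())
        if m:
            props[m.group(1)] = m.group(2).strip()
    return props


def keystore_search_paths(catalina_base: str, catalina_home: str, web_app: str, abl_app: str) -> list:
    """Documented lookup order for sts.UserDetails.stsKeystore, most specific first."""
    return [
        f"{catalina_base}/webapps/{web_app}/WEB-INF/oeablSecurity.properties",
        f"{catalina_base}/ablapps/{abl_app}/conf/oeablSecurity.properties",
        f"{catalina_base}/conf/oeablSecurity.properties",
        f"{catalina_home}/conf/oeablSecurity.properties",
    ]


def resolve_sts_keystore(files: dict, paths: list, env: dict, install_dir: str) -> str:
    """First stsKeystore value along `paths`, else $STSKEYSTORE, else the install default.

    `files` maps a properties path to its contents; a path absent from it means no such file.
    """
    for path in paths:
        if path in files:
            value = parse_properties(files[path]).get("sts.UserDetails.stsKeystore")
            if value:
                return value
    return env.get("STSKEYSTORE") or f"{install_dir}/keys"  # default client key directory


def audit_web_app(props: dict) -> list:
    """Findings a reviewer would raise on a web app's OEAG settings before go-live."""
    findings = []
    if props.get("http.all.authmanager") != "sts":
        findings.append("http.all.authmanager is not 'sts': the Authentication Gateway is not in use")
    if not props.get("sts.UserDetails.stsURL", "").startswith("https://"):
        findings.append("sts.UserDetails.stsURL is missing or not https")
    if props.get("sts.UserDetails.noHostVerify", "").lower() == "true":
        findings.append("sts.UserDetails.noHostVerify=true: TLS host verification is off (dev/test only)")
    return findings
```

Run audit_web_app over every web application's properties in an instance before it leaves the development stage; a clean result is an empty list.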

Next, edit the web application's URL access control file, instance_name/webapps/Web_app_name/WEB-INF/oeablSecurity.csv. If your URL access controls are role-based (i.e., a user must be assigned a particular role to gain access), you must change the hasRole(...) field to include one of the role names inserted into a client principal issued by the Authentication Gateway's STS.

Note: If the web application's URL access controls use hasRole(...) and the client principal issued by the Authentication Gateway's STS does not include a role attribute, access to some of the application's URLs will be rejected.

Finally, you can optionally specify any advanced STS AuthenticationProvider properties, which include, but are not limited to:

  • Customized TLS connection attributes
  • A customized HTTP header name that is used to pass client-key authorization to an STS
  • A customized HTTP User-Agent header value that identifies the client to an STS

Detailed descriptions of these advanced properties can be found in the instance_name/conf/oeablSecurity.properties.README file.