OpenEdge 12.3 includes an optional Key Distribution application for the OpenEdge Authentication Gateway that provides remote STS client key management for client OpenEdge installations. If you configure your OpenEdge Authentication Gateway to use an STS server key, each remote OpenEdge installation must generate a corresponding STS client key. The STS client key generation must happen on the client system, and requires the client system to have access to the STS server key. With earlier versions of the OpenEdge Authentication Gateway, this was done through a shared file on a remote drive, or by manually copying the STS server key to the client machine. This was a manual process that could leave the STS server key on disk.

OpenEdge 12.3 offers an STS client key management service that runs on the OpenEdge Authentication Gateway through the Key Distribution application. After you install this service on the OpenEdge Authentication Gateway server using the Key Distribution application, you can generate the STS client key on the client machine by specifying the URL of the OpenEdge Authentication Gateway server and providing the proper credentials. You can do this through the stskeyutil utility, or through the STSKey plugin for the OpenEdge AdminServer.

For more information about configuring an STS server key and STS client key for OpenEdge Authentication Gateway, see STS server key configuration.

The STS client key management service allows system administrators to efficiently manage OpenEdge installations that require an STS client key to access the OpenEdge Authentication Gateway. This service helps administrators avoid the risks of manually creating STS client keys for each OpenEdge installation, and makes it easier to configure remote client machines to use OpenEdge Authentication Gateway.

The STS client key management service is provided by a web application that is packaged as keydist.war. The keydist.war application runs on the OpenEdge Authentication Gateway server, and can only be deployed to an OpenEdge Authentication Gateway server instance. You cannot deploy the keydist.war application to a regular PAS for OpenEdge instance. The keydist.war application is distributed in the $DLC/servers/pasoe/extras directory.

The keydist.war application can be deployed to the OpenEdge Authentication Gateway server using the TCMAN deploy command:
proenv>oeauthserver/bin/tcman deploy %DLC%/servers/pasoe/extras/keydist.war