This topic describes the steps to configure an OpenEdge database to communicate with the STS.

Domain configuration

Prior to enabling your database to use the Authentication Gateway, you must have domains defined and loaded in the database that match the domains defined in the STS. If all your domains are currently defined in your database, you can dump them with dump_domains.p, as described in Data export utility, and import them into your STS. Conversely, you can load domain definitions into your database with the dictionary procedure prodict/load_d.p.
Warning: You must add domains to the database before you enable the database to use the Authentication Gateway, so that you are not locked out.
Once the domains in the Authentication Gateway STS server and the database agree, re-generate an STS Server key if you changed domain information in the STS. See STS server key configuration.

Load URL of Authentication Gateway STS server

The database must know the URL of the Authentication Gateway STS server. Load the URL of the STS into the database with the STS URL Utility, as shown:
stsurlutil update -url url -db dbname [db-options]
Specify the new URL for the Authentication Gateway to insert into the database configuration using the format: https://<host>[port][/sts-application-name]

For more details on the stsurlutil, see STS URL Utility (stsurlutil).

Connection roles

If you are using roles, you must enable the database and then grant users roles using the STS Connection Role utility.

To enable connection roles, use the following command:
stsconnroleutil enable -db dbname
To grant a user connection roles, use the following command:
stsconnroleutil grantuser -user username -can { yes | no } -db dbname

For details on stsconnroleutil, see STS Connection Role Utility (stsconnroleutil).

Enable the database to use the Authentication Gateway

Once you have added domains and the STS URL to your database, you can enable it to use the Authentication Gateway. Use the following command:
proutil dbname -C enableauthgateway
For more details on the proutil command, see PROUTIL ENABLEAUTHGATEWAY qualifier.

You can disable the use of the Authentication Gateway at any time with PROUTIL DISABLEAUTHGATEWAY. However, PROUTIL DISABLEAUTHGATEWAY deletes the STS URL from the database, so once you disable use of the Authentication Gateway in your database, you must re-configure the STS URL prior to running PROUTIL ENABLEAUTHGATEWAY. For more information, see PROUTIL DISABLEAUTHGATEWAY qualifier.
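
The ordering constraints above (domains loaded first, then the STS URL, then optional connection roles, then enablement) can be encoded in a dry-run wrapper so the enable step is never reached with a prerequisite missing. This is an added example, not code from the OpenEdge documentation; the function names, the STS_PLAN_RUN variable, the database name sampledb and the URL are assumptions, and the https check is a local sanity test, not stsurlutil's own validation.

```shell
#!/bin/sh
# Added example: plan (and optionally run) the enablement steps in page order.
# sampledb and https://sts.example.com/sts are constructed sample values.

# Echo the command unless STS_PLAN_RUN=1, so the default is a dry run.
run() {
    if [ "${STS_PLAN_RUN:-0}" = "1" ]; then "$@"; else echo "$*"; fi
}

# Local sanity check only: require the https:// scheme and a non-empty host,
# following the documented shape https://<host>[port][/sts-application-name].
validate_sts_url() {
    case "$1" in
        *" "*|https://|https:///*) return 1 ;;
        https://*) return 0 ;;
        *) return 1 ;;
    esac
}

# plan_enable DB URL DOMAINS_LOADED [USE_ROLES]
# DOMAINS_LOADED is the operator's explicit confirmation ("yes") that the
# database domains already match the STS; enabling without them risks lockout.
plan_enable() {
    db=$1; url=$2; domains_loaded=$3; use_roles=${4:-no}
    if [ "$domains_loaded" != "yes" ]; then
        echo "refusing: load matching domains before enabling" >&2
        return 2
    fi
    if ! validate_sts_url "$url"; then
        echo "refusing: STS URL must look like https://<host>..." >&2
        return 3
    fi
    # The URL must be (re)loaded before every enable, because
    # PROUTIL DISABLEAUTHGATEWAY deletes it from the database.
    run stsurlutil update -url "$url" -db "$db" || return 4
    if [ "$use_roles" = "yes" ]; then
        run stsconnroleutil enable -db "$db" || return 4
    fi
    run proutil "$db" -C enableauthgateway || return 4
}

# Dry run with the constructed sample values: prints three commands.
plan_enable sampledb "https://sts.example.com/sts" yes yes
```

Set STS_PLAN_RUN=1 only after reviewing the printed plan; granting users connection roles with stsconnroleutil grantuser is left as a separate, per-user step.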

Note: OpenSSL 3.1.x provides improved security for STS-enabled databases, which causes a backward compatibility issue between OpenEdge 12.8 and earlier releases. To fix the backward compatibility issue, ensure both the STS client and STS server have the same OpenEdge version installed. For more information, see Changes with OpenSSL 3.1.x in OpenEdge.