OpenEdge administrators who use STS client keys can manage them with the STS client key management service that OpenEdge 12.3 adds to the OpenEdge Authentication Gateway server. STS client keys add security measures, such as site isolation, to OpenEdge installations.

To configure remote STS client key management for OpenEdge installations using syskeyutil:
  1. Deploy the Key Distribution application to the OpenEdge Authentication Gateway server that is configured with an STS server key, for example:
    proenv>oeauthserver/bin/tcman deploy %DLC%/servers/pasoe/extras/keydist.war 

    For more information about using an STS server key, see STS server key configuration.

  2. On each OpenEdge Installation that uses the OpenEdge Authentication Gateway server, run the stskeyutil command to generate a corresponding STS client key, for example:
    proenv>stskeyutil install -url https://hostname:port -keystorepath $DLC/keys [-nohostverify] -keydist -onlyifmodified

This command specifies the -keydist option, which enables Key Distribution: stskeyutil remotely accesses the STS server key on the OpenEdge Authentication Gateway server at the requested URL (-url) instead of reading a local copy. It stores the encrypted STS client key in the client machine's $DLC/keys directory, as specified with the -keystorepath option. The -onlyifmodified option makes the OpenEdge client access the STS server key and update the STS client key only if the STS server key is newer than the existing STS client key.

The optional -nohostverify switch disables host name verification of the gateway's TLS certificate, so the client can no longer distinguish the genuine OpenEdge Authentication Gateway server from a host impersonating it. Use it only for development and testing, never in production. For more information about supported options for the stskeyutil install command, see stskeyutil install utility.
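The following wrapper is an added example and is not code from the OpenEdge documentation or from Progress. It runs the step 2 command on a client and enforces the two caveats above: the gateway URL must be https, and -nohostverify is refused on a production client. It assumes the stskeyutil binary is on PATH (or named by a hypothetical STSKEYUTIL variable) and that a hypothetical DRY_RUN=1 setting prints the argument list instead of executing it, which is how the example can be checked without a gateway.

```shell
#!/bin/sh
# Added example, not code from the OpenEdge documentation or from Progress.
# Wraps "stskeyutil install ... -keydist -onlyifmodified" so a rollout
# script cannot reach the gateway over plain HTTP or carry -nohostverify
# onto a production client.
# Assumptions: STSKEYUTIL names the stskeyutil binary (default: on PATH);
# DRY_RUN=1 prints the argument list instead of executing it.

# Usage: install_client_key URL KEYSTORE_DIR ENV [nohostverify]
#   URL          gateway URL; must start with https://
#   KEYSTORE_DIR directory that receives the encrypted client key ($DLC/keys)
#   ENV          "production" or "dev"
#   nohostverify pass the literal word "nohostverify" to add the switch
install_client_key() {
  url=$1; keystore=$2; env=$3; hostverify_opt=${4:-}

  # A plain-HTTP URL would hand the key material to anyone on the path.
  case "$url" in
    https://*) ;;
    *) echo "refusing gateway URL that is not https: $url" >&2; return 1 ;;
  esac

  # -nohostverify is a development-only switch; block it in production.
  if [ "$hostverify_opt" = "nohostverify" ] && [ "$env" = "production" ]; then
    echo "refusing -nohostverify on a production client" >&2
    return 1
  fi

  # Build the argument list from the procedure above.
  set -- install -url "$url" -keystorepath "$keystore" -keydist -onlyifmodified
  if [ "$hostverify_opt" = "nohostverify" ]; then
    set -- "$@" -nohostverify
  fi

  if [ "${DRY_RUN:-0}" = 1 ]; then
    printf '%s\n' "$*"
    return 0
  fi
  "${STSKEYUTIL:-stskeyutil}" "$@"
}
```

Run it from proenv on each client, for example `install_client_key https://hostname:port "$DLC/keys" production`. Because the wrapper never takes a -filename argument, it cannot be used with a locally copied STS server key; the Key Distribution application on the gateway is the only source of key material.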

Before the STS client key management service was added to OpenEdge, administrators had to run the stskeyutil command against a copy of the STS server key that was hosted on each client's OpenEdge installation, with a command such as the following:
proenv>stskeyutil install -url https://hostname:port -keystorepath $DLC/keys -filename path-to-shared-drive/oests-server.ecp

The STS server key had to be available to the client machine and was specified with the -filename option. After generating the STS client key, the administrator had to remove the STS server key from the client machine manually. This had to be done on every OpenEdge installation site.

With the STS client key management service, OpenEdge client machines do not need a local copy of the STS server key to generate an STS client key. The stskeyutil command generates the STS client key from information obtained from the OpenEdge Authentication Gateway server through the Key Distribution application.