Users connecting from a DataServer application need to provide their foreign data source credentials to make a connection.

You can make secure connections to a foreign database in the following ways:

  • Wait for the Data Administration tool to prompt you for your data source user ID and password.
  • Provide the -U and -P parameters during OpenEdge client startup.
  • Add the user ID and password to the Connection Parameters field of your logical database; they are picked up and processed with the foreign data source connection.

The OpenEdge DataServer for MS SQL Server supports encoding user credentials. Use the genpassword utility to securely encode user credentials for foreign databases by specifying an encoding prefix, for example ae2h1. For more information, see genpassword and Encoding prefix.

Note:
  • The default prefix for encoding login credentials is ae2h1.
  • When creating user credentials, it is recommended to avoid using any encoding prefixes supported by the genpassword utility. For example, ae2h1 should not be used as either a username or password.

Alternatively, you can use the ENCRYPT-AUDIT-MAC-KEY() method to encode a password for a database connection. For example, the following ABL code demonstrates how OpenEdge applications can use ENCRYPT-AUDIT-MAC-KEY() to securely encode user credentials for foreign databases by specifying the ae2h1 encoding prefix:

DEFINE INPUT PARAMETER cUserID AS CHARACTER NO-UNDO.
DEFINE INPUT PARAMETER cPasswd AS CHARACTER NO-UNDO.

CONNECT <schema-holder> -1 NO-ERROR.

/* self service */
CONNECT <dsn> -ld <logical-database> -dt MSS
    VALUE( " -U " + cUserID + " -P " +
           AUDIT-POLICY:ENCRYPT-AUDIT-MAC-KEY(cPasswd, "ae2h1")) NO-ERROR.

/* client/server */
CONNECT <dsn> -ld <logical-database> -dt MSS
    VALUE( " -U " + cUserID + " -P " +
           AUDIT-POLICY:ENCRYPT-AUDIT-MAC-KEY(cPasswd, "ae2h1"))
    -H <host> -S <port> NO-ERROR.

In this example code, cUserID and cPasswd represent credentials entered by a user to authenticate and establish identity for the database connection. The encoded password is passed as the value of the -P (Password) connection parameter. These credentials are encoded internally on behalf of the application, ensuring that clear text is neither visible to the application nor transmitted over the connection. This security policy is enabled by default.

You can still choose to store credentials in clear text within the dictionary. However, if you encode the credentials as shown in the example, they remain encoded while stored in the schema holder and are automatically decoded by the DataServer when authentication is required for the foreign data source connection.
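
Because clear-text storage remains possible, it helps to check which stored connection-parameter strings still carry an unencoded -P value. The following Python sketch is an added example, not part of the OpenEdge documentation or tooling; the function names and sample entries are hypothetical, and it assumes an encoded value begins with its encoding prefix (only ae2h1 is named on this page).

```python
import shlex

# Only ae2h1 (the default prefix) is named on the page; add any other
# prefixes your genpassword version supports.
ENCODING_PREFIXES = ("ae2h1",)

def audit_connection_params(params):
    """Classify the -P value in one connection-parameter string.

    Returns {"user": ..., "password": status}; status is "encoded",
    "clear-text", "missing-value", or None when no -P is present.
    The password itself is never returned, so results are safe to log.
    Assumption: an encoded value starts with one of ENCODING_PREFIXES.
    """
    tokens = shlex.split(params)  # honours quoted values containing spaces
    result = {"user": None, "password": None}
    i = 0
    while i < len(tokens):
        flag = tokens[i]
        value = tokens[i + 1] if i + 1 < len(tokens) else None
        # Exact match: parameter names are case-sensitive (-p is not -P).
        if flag == "-U" and value is not None:
            result["user"] = value
            i += 2
        elif flag == "-P":
            if value is None:
                result["password"] = "missing-value"
            elif value.startswith(ENCODING_PREFIXES):
                result["password"] = "encoded"
            else:
                result["password"] = "clear-text"
            i += 2
        else:
            i += 1
    return result

def clear_text_entries(entries):
    """Names of entries whose -P value is not encoded."""
    return sorted(n for n, p in entries.items()
                  if audit_connection_params(p)["password"] == "clear-text")

# Constructed sample entries; the encoded value is a placeholder, not real
# genpassword output.
SAMPLE = {
    "sales_mss": "-U dsuser -P ae2h1PLACEHOLDER -H dbhost -S 5000",
    "hr_mss": '-U hruser -P "Spring 2024!" -H dbhost -S 5000',
    "batch": "-p start.p -U batch",
}
```

A clear-text password that happens to begin with ae2h1 would be reported as encoded by this check, which is one practical reason to follow the note above about keeping encoding prefixes out of usernames and passwords.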

For more information on setting an encoded password value, see ENCRYPT-AUDIT-MAC-KEY( ) method.

The following table outlines encoding compatibility and connection behavior between different OpenEdge client and server version combinations:

| Client version     | Server version     | Encoding compatibility | Connection behavior   |
|--------------------|--------------------|------------------------|-----------------------|
| 12.2.18 or earlier | 12.2.18 or earlier | Supported              | Connects successfully |
| 12.2.19 or later   | 12.2.18 or earlier | Not supported          | Fails to connect      |
| 12.2.18 or earlier | 12.2.19 or later   | Not supported          | Fails to connect      |
| 12.2.19 or later   | 12.2.19 or later   | Supported              | Connects successfully |

Note:
  • Encoding requires that both the OpenEdge client and server are on compatible versions. For example, connecting an OpenEdge 12.2.19 or later client to a 12.2.18 or earlier server may fail due to lack of support for newer encoding mechanisms in older server versions.
  • Compatibility is maintained between 12.2.19 and later versions.