To continue improving its security support, OpenEdge 12.2 adds the following features:

Safe User ID

This release introduces the Safe User ID feature, which is provided for ABL applications that access multi-tenant databases through Progress Application Server (PAS) for OpenEdge application servers. The Safe User ID feature helps maintain the synchronization between the database's current user identity and the client for whom the tenant data is being accessed, thereby preventing the tenant's data from becoming available to a user of a different tenant.

A safe user is an identity that has no tenant data access but has the required access privileges to shared data. Ideally, the safe user should be a placeholder identity that is defined in the user account store that is used by the PAS for OpenEdge instance in which the ABL application executes.

This feature provides a safeguard against exposing incorrect tenant data when processing a client request. It enables a mechanism that resets the database connection to this safe user identity when processing each request on the application server. This forces the application to set the connection to a valid tenant user identity for a client request that requires access to tenant data in the database.

To support this feature, OpenEdge provides the following new functionality:

  • The ability to enable the Safe User ID feature on an OpenEdge database instance that is configured for multi-tenancy.

    When the Database Administrator enables this feature, the administrator selects a policy that determines when the safe user identity is set on the connection to the database. The policy corresponds to the execution of either the Activation or Deactivation event policies in the ABL application, which are invoked in response to a client request.

  • Two new methods for the SECURITY-POLICY system handle are described in the ABL Reference:
    • GET-SAFE-USER()—Returns the handle to a copy of the sealed client-principal object that represents the safe user identity for the specified multi-tenant database connection.
    • SET-SAFE-USER()—Sets a multi-tenant database connection's current user identity to the stored safe user identity for the database.
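
The reset behavior described above can be modeled outside OpenEdge. The following Python sketch is an added example, not ABL and not Progress code: it shows how a connection reused across requests exposes the previous tenant's rows when a request forgets to set its identity, and how resetting to the safe user at activation or deactivation turns that mistake into an access failure. The class names, policy labels, users, and rows are all constructed for illustration.

```python
# Toy model of the Safe User ID reset; names and data are constructed, not OpenEdge APIs.
SAFE_USER = "safe-placeholder"   # placeholder identity: shared data only
TENANT_ROWS = {"acme": ["acme-invoice-1"], "globex": ["globex-invoice-7"]}
USER_TENANT = {"alice@acme": "acme", "bob@globex": "globex"}


class DbConnection:
    """Database connection that an app-server session reuses across requests."""

    def __init__(self):
        self.current_user = SAFE_USER

    def read_tenant_rows(self):
        tenant = USER_TENANT.get(self.current_user)
        if tenant is None:  # the safe user has no tenant data access
            raise PermissionError("current identity has no tenant data access")
        return TENANT_ROWS[tenant]


class Session:
    def __init__(self, safe_user_enabled, policy="activate"):
        self.conn = DbConnection()
        self.safe_user_enabled = safe_user_enabled
        self.policy = policy  # "activate" or "deactivate" (hypothetical labels)

    def handle(self, client, sets_identity=True):
        """Process one client request; sets_identity=False models an application bug."""
        if self.safe_user_enabled and self.policy == "activate":
            self.conn.current_user = SAFE_USER  # reset before the request runs
        try:
            if sets_identity:
                self.conn.current_user = client
            return self.conn.read_tenant_rows()
        finally:
            if self.safe_user_enabled and self.policy == "deactivate":
                self.conn.current_user = SAFE_USER  # reset after the request ends


def buggy_followup(safe_user_enabled, policy="activate"):
    """Serve alice, then serve bob on the same session without setting his identity."""
    session = Session(safe_user_enabled, policy)
    session.handle("alice@acme")
    try:
        return session.handle("bob@globex", sets_identity=False)
    except PermissionError:
        return "denied"
```

With the feature off, `buggy_followup(False)` returns the first tenant's rows to the second client; with either policy enabled, the same call returns `"denied"`.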

For complete information, see Overview of Safe User ID in Learn about Identity Management.

TDE support for new passphrase recoverable Database Master Key algorithms

At Transparent Data Encryption (TDE) enablement, you can now choose either of two new passphrase recoverable Database Master Key (DMK) key derivation algorithms that offer different key sizes for data security:
  • Advanced Encryption Standard (AES) 128-bit DMK key generation
  • Advanced Encryption Standard (AES) 256-bit DMK key generation

The previous algorithm choice of a passphrase recoverable DMK is deprecated, but you can still use it during a TDE keystore recovery operation. The new selections are not backward compatible.

The TDE keystore recovery process still requires that you use exactly the same recoverable passphrase and DMK passphrase key algorithm, whether you choose the original or one of the newer algorithm versions.

For more information, see Execute the ENABLE ENCRYPTION command in Learn About Security and Auditing.

Improved hashing algorithm for TDE keystore passphrases

To increase passphrase protection, OpenEdge databases use an enhanced hashing algorithm for Transparent Data Encryption (TDE) keystore passphrases. In OpenEdge 12.2, newly enabled databases automatically use the new algorithm, and updates to the user or admin passphrase automatically change the algorithm to the enhanced version.

For more information, see Modify passphrases in Learn About Security and Auditing.

Relaxed length restriction for DataServer

Starting with this release, the length restrictions for usernames and passwords are relaxed in the DataServer for Microsoft SQL Server and the DataServer for Oracle to improve security. For Microsoft SQL Server, the allowed length for user ID and password is 32 and 128 characters, respectively. For Oracle, the allowed length for user ID and password is 30 characters each.

For more information, see Authorization and authentication in OpenEdge Data Management: DataServer for Microsoft SQL Server and Authorization and Authentication for connecting a schema holder in Use the Oracle Data Server.