SECURITY-POLICY system handle

A handle to security policy settings and operations for the current ABL session. These settings and operations support session data cryptography, creating a session registry for trusted security domains, and user authentication and validation.

Syntax

SECURITY-POLICY [ :attribute | :method]

attribute

An attribute of the SECURITY-POLICY handle.

method

A method of the SECURITY-POLICY handle.

Attributes

Methods

Notes

• The LOAD-DOMAINS( ) method loads and locks a trusted domain registry for the session from the local domain registry of a single connected OpenEdge RDBMS. This type of registry supports domains for multi-tenant databases and is the most secure way to create a trusted domain registry for the session.
• The REGISTER-DOMAIN( ) and LOCK-REGISTRATION( ) methods allow you to build and lock an application-defined trusted domain registry for the session. This type of registry requires the non-secure exposure of critical domain information as the domain registry is being built, and is therefore less secure than using the LOAD-DOMAINS( ) method. It also does not support domains for multi-tenant databases.
• The SET-CLIENT( ) method can authenticate (or validate) and set the user identity for a security token represented by a client-principal object using a session trusted domain registry that you have previously loaded. This single method can set the user identity for both the session and existing database connections, depending on the user's domain definition and the design of your application authentication model. (Setting a database connection identity, alone, does not set the session identity.) The method can also set an audit-able session identity. The GET-CLIENT( ) method retrieves the client-principal object previously used to set the current session identity using the SET-CLIENT( ) method. For more information on managing identity, domains, and domain registries, see Learn about Identity Management.
• The following attributes set initial encryption values for use by the GENERATE-PBE-KEY function:
  • ENCRYPTION-SALT attribute
  • PBE-HASH-ALGORITHM attribute
  • PBE-KEY-ROUNDS attribute
• The following attributes allow you to set defaults for the ENCRYPT function and the DECRYPT function:
  • SYMMETRIC-ENCRYPTION-ALGORITHM attribute
  • SYMMETRIC-ENCRYPTION-AAD attribute
  • SYMMETRIC-ENCRYPTION-IV attribute
  • SYMMETRIC-ENCRYPTION-KEY attribute
  • SYMMETRIC-SUPPORT attribute
• The XCODE-SESSION-KEY attribute contains the encryption key used by the COMPILE statement for the current session. This must be the same value used by the XCODE utility.
• The ENCODE-DOMAIN-ACCESS-CODE( ) method allows you to create an encrypted value suitable for storing as the domain access code in the OpenEdge database's domain records. Use the VALIDATE-DOMAIN-ACCESS-CODE( ) method to verify that the encrypted value matches the cleartext value.
• The SET-SAFE-USER( ) method sets a multi-tenant database connection's current user identity to the stored safe user identity for the database. The GET-SAFE-USER( ) method returns the handle to a copy of the sealed client-principal object that represents the safe user identity for the specified database connection. Both methods are only applicable to a Progress Application Server (PAS) for OpenEdge application server.
• The following attributes allow you to set defaults for the GENERATE-PASSWORD-HASH function:
  • PASSWORD-HASH-ALGORITHM attribute
  • PASSWORD-HASH-ROUNDS attribute
  • PASSWORD-HASH-SALT attribute
• The ENCODE-PASSWORD( ) method encodes a specified character expression (typically a password) and returns it as a character value with an Encoding prefix. Use the VALIDATE-PASSWORD( ) method to verify that the cleartext password matches the encoded value.

See also

Client-principal object handle, DECRYPT function, ENCRYPT function, GENERATE-PASSWORD-HASH function, GENERATE-PBE-KEY function, GENERATE-PBE-SALT function, GENERATE-SALT function, GENERATE-RANDOM-KEY function, MESSAGE-DIGEST function