To configure a web application to use the OpenEdge Authentication Gateway, set the following properties in the PAS for OpenEdge web application's instance_name/webapps/Web_app_name/WEB-INF/oeablSecurity.properties file:

  1. Enable the use of an STS AuthenticationProvider by setting the http.all.authmanager property to sts:
    http.all.authmanager=sts
  2. Specify the URL for the Authentication Gateway connection by setting the sts.UserDetails.stsURL property:
    sts.UserDetails.stsURL=https://oeag-dns-name:oeag-port-number
  3. (Optional) Turn off host verification by enabling the -nohostverify option:
    sts.UserDetails.noHostVerify=true
    Note: -nohostverify is only for servers used for application development and testing.
  4. (Optional) Specify a fixed OpenEdge domain name that is appended to the client's user ID before authenticating with the Authentication Gateway's STS.
    sts.AuthProvider.userDomain=sts-configured-domain-name
  5. (Optional) Specify the directory where the STS AuthenticationProvider looks for the Authentication Gateway's client key file:
    sts.UserDetails.stsKeystore=client-key_pathname
    The STS AuthenticationProvider searches oeablSecurity.properties files for a specified sts.UserDetails.stsKeystore value in the following order and uses the first value it finds:
    1. $CATALINA_BASE/webapps/web-app-name/WEB-INF/
    2. $CATALINA_BASE/ablapps/abl-app-name/conf/
    3. $CATALINA_BASE/conf/
    4. $CATALINA_HOME/conf/

    If the path to the client key file is not specified in any of those oeablSecurity.properties files, the value of the STSKEYSTORE multi-session Agent process environment variable is used. If STSKEYSTORE is not set either, the default client key file in openedge_install_dir/keys is used.

  6. (Optional) Use the sniHost property when the OpenEdge Authentication Gateway server is configured with multiple virtual hosts that are bound to a single IP address. Specify the hostname that you want your web application to connect to.
    sts.UserDetails.sniHost=virtual-hostname
    During the TLS handshake, the web application requests the TLS certificate of that virtual host instead of the certificate of the host named in the server URL (sts.UserDetails.stsURL).
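The lookup order in step 5 and the host-verification caveat in step 3, as an added example that is not part of the OpenEdge documentation: a small Python helper that resolves sts.UserDetails.stsKeystore in the documented precedence (the four oeablSecurity.properties files, then the STSKEYSTORE environment variable, then the install default) and flags settings a reviewer should question before deployment. The instance name oepas1, the oeag.example.test URL, the key file paths and the /dlc/keys default are constructed placeholders.

```python
import tempfile
from pathlib import Path
KEYSTORE_KEY = "sts.UserDetails.stsKeystore"
PROPS_FILE = "oeablSecurity.properties"

def load_properties(path):
    """Parse a Java-style .properties file into a dict; a missing file yields an empty dict."""
    props = {}
    for line in (Path(path).read_text(encoding="utf-8").splitlines() if Path(path).is_file() else []):
        key, sep, value = line.strip().partition("=")
        if sep and not key.startswith(("#", "!")):  # skip comment lines and lines without '='
            props[key.strip()] = value.strip()
    return props

def resolve_sts_keystore(catalina_base, catalina_home, web_app, abl_app, env, default_keys_dir):
    """Return (source, value): first properties file in documented order, else STSKEYSTORE, else default."""
    search_dirs = [
        Path(catalina_base) / "webapps" / web_app / "WEB-INF",  # 1. web application
        Path(catalina_base) / "ablapps" / abl_app / "conf",     # 2. ABL application
        Path(catalina_base) / "conf",                           # 3. PAS instance
        Path(catalina_home) / "conf",                           # 4. PAS installation
    ]
    for d in search_dirs:
        value = load_properties(d / PROPS_FILE).get(KEYSTORE_KEY)
        if value:
            return str(d / PROPS_FILE), value
    if env.get("STSKEYSTORE"):
        return "STSKEYSTORE", env["STSKEYSTORE"]
    return "default", str(default_keys_dir)  # openedge_install_dir/keys on a real install

def audit_sts_properties(props):
    """Flag settings a reviewer should question before the web application reaches production."""
    findings = []
    if props.get("http.all.authmanager") != "sts":
        findings.append("http.all.authmanager is not sts: STS AuthenticationProvider not enabled")
    if not props.get("sts.UserDetails.stsURL", "").startswith("https://"):
        findings.append("sts.UserDetails.stsURL is missing or not an https:// URL")
    if props.get("sts.UserDetails.noHostVerify", "").lower() == "true":
        findings.append("sts.UserDetails.noHostVerify=true turns off host verification (dev/test only)")
    return findings

def demo():
    # Constructed instance layout (hypothetical names): the keystore is set only at the ABL app level.
    base = Path(tempfile.mkdtemp())
    web_inf, abl_conf = base / "webapps/oepas1/WEB-INF", base / "ablapps/oepas1/conf"
    for d in (web_inf, abl_conf):
        d.mkdir(parents=True)
    (web_inf / PROPS_FILE).write_text("http.all.authmanager=sts\n"
        "sts.UserDetails.stsURL=https://oeag.example.test:8443\nsts.UserDetails.noHostVerify=true\n")
    (abl_conf / PROPS_FILE).write_text(KEYSTORE_KEY + "=/opt/oeag/keys/client.key\n")
    source, value = resolve_sts_keystore(base, base, "oepas1", "oepas1", {"STSKEYSTORE": "/ignored"}, "/dlc/keys")
    return source, value, audit_sts_properties(load_properties(web_inf / PROPS_FILE))
```

Running demo() shows the ABL-level properties file winning over the STSKEYSTORE variable, and the audit reporting only the noHostVerify setting.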

Next, edit the web application's URL access control file, instance_name/webapps/Web_app_name/WEB-INF/oeablSecurity.csv. If your URL access controls are role-based (for example, when a user must be assigned a particular role to gain access), you must change the hasRole(...) field to include one of the role names inserted into a client principal issued by the Authentication Gateway's STS.

Note: If the web application's URL access controls use hasRole(...) and the client principal issued by the Authentication Gateway's STS does not include a role attribute, access to some of the application's URLs will be rejected.

Finally, optionally specify any advanced STS AuthenticationProvider properties, which include, but are not limited to:

  • Customized TLS connection attributes
  • A customized HTTP header name that is used to pass client-key authorization to an STS
  • A customized HTTP User-agent header value that identifies the client to an STS

Detailed descriptions of these advanced properties can be found in the instance_name/conf/oeablSecurity.properties.README file.