Configure user authentication for web server logins
- Last Updated: February 11, 2026
- OpenEdge
- Version 13.0
As an administrator, you can set preferences in OpenEdge Management that enable users to choose an authentication type for web server logins. You can configure these preferences in the Authentication Configuration page, and the configuration information is stored in the fathom.properties file.
To configure user authentication:
- In the OpenEdge Management console, click the Options icon.
The Options page appears.
- Click Authorized Users to open the security home page and then select the Authentication Configuration tab.
The Authentication Configuration page appears.
- To allow OpenEdge Management to use its built-in authentication mechanism (property-file based authentication), select Use OpenEdge Management Internal Authentication.
- To allow OpenEdge Management to use OpenEdge Authentication Gateway based authentication, select Use OpenEdge Authentication Gateway Authentication.
If you select OpenEdge Authentication Gateway based authentication, you must provide the Authentication gateway URL and at least one domain and its access code. Provide the required information in the following fields:
- Authentication gateway URL—The URL which OpenEdge Management uses to connect to the OpenEdge Authentication Gateway server to authenticate users during a connection.
You must provide valid HTTPS URLs; HTTP URLs are not allowed. When providing the URL, ensure that it does not point directly to localhost (127.0.0.1). Instead, you can use the DNS name with which OpenEdge Management connects to the OpenEdge Authentication Gateway server.
- Disable SSL host verification—Selecting the check box turns off host verification for a TLS connection to the OpenEdge Authentication Gateway server.
Though disabling host name verification is considered unsafe, you can disable it for testing purposes where the OpenEdge Authentication Gateway server is not set up with a valid server certificate. However, it is always recommended to enable host name verification once the server certificate is set up.
To secure authentication requests from OpenEdge Management, the OpenEdge Authentication Gateway server certificate must be installed in the $DLC/certs directory using certutil. For information about creating and deploying an OpenEdge Authentication Gateway server certificate, see Learn about the OpenEdge Authentication Gateway.
- Client authentication header name—(Optional) The HTTP authentication header name for the OpenEdge Authentication Gateway server.
The default name x-oests-token in this field matches the default value in the OpenEdge Authentication Gateway server, and is used when the server requires a client key to perform authentication. Change it only if the OpenEdge Authentication Gateway server is configured to accept a different token name.
- SNI hostname—Specify the hostname that you want the OpenEdge Authentication Gateway Authentication for OpenEdge Management to connect to. Use this parameter if the OpenEdge Authentication Gateway server implements Server Name Indication (SNI) and is configured with multiple hosts that are bound to a single IP. If you use the SNI hostname parameter, the OpenEdge Authentication Gateway Authentication sends the hostname during the TLS handshake, enabling the OpenEdge Authentication Gateway server to return the correct TLS certificate to the OpenEdge Authentication Gateway Authentication for OpenEdge Management.
Note: The OpenEdge Authentication Gateway Authentication for OpenEdge Management will not be established if the SNI hostname parameter does not match the hostname included in the certificate.
- Enabled SSL protocols—The TLS protocols that are to be enabled. The default protocols are TLSv1.2 and TLSv1.3.
It is recommended to use protocol versions at least as secure as TLSv1.2 to maintain the highest level of security, unless the OpenEdge Authentication Gateway server is configured to use a less secure protocol.
- Enabled SSL cipher suites—The TLS cipher suites that are to be enabled.
- Role prefix—The prefix provided to the user roles by the OpenEdge Authentication Gateway server. This allows OpenEdge Management to work with the OpenEdge Authentication Gateway server that is configured to use other authentication mechanisms such as LDAP.
OpenEdge Management removes the prefix from any role returned from the OpenEdge Authentication Gateway server in order to match the role against the internally defined roles. For example, if the OpenEdge Authentication Gateway server returns a role ROLE_PSCAdmin with a prefix ROLE_, OpenEdge Management ignores the prefix and considers the role name as PSCAdmin.
- Provide the domains and their access codes in the Domain configuration grid as described in Validate authentication tokens.
When modifying the domain configuration, it is recommended to disable HTTP and access the web interface through an HTTPS connection with a signed server certificate. This avoids exposing the domain names and domain access codes as clear text when sent across a network.
- Click Submit.
After submitting the changes made to the authentication mechanism, you must restart the Web server for the changes to take effect. Your current login session expires when you restart the Web server, so log in to the management console again.
Note: If you lock yourself out, edit the fathom.properties file to restore the default login mechanism and restart fathom using fathom -stop/fathom -start.
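
A pre-flight check for the Authentication Gateway settings described in the steps above, as an added example that is not part of the OpenEdge documentation or product code. The dictionary keys and function names are hypothetical (they are not fathom.properties keys), the sample values are constructed, and the loopback test goes slightly beyond the page by also rejecting ::1 and the rest of 127.0.0.0/8.

```python
import ipaddress
from urllib.parse import urlsplit

ACCEPTED_PROTOCOLS = {"TLSv1.2", "TLSv1.3"}  # the page's defaults; anything else is flagged


def is_loopback(host):
    """True for localhost names and loopback IP literals such as 127.0.0.1."""
    if host.lower().rstrip(".") == "localhost":
        return True
    try:
        return ipaddress.ip_address(host).is_loopback
    except ValueError:
        return False  # a DNS name, not an IP literal


def check_gateway_settings(s):
    """Return a list of findings for one set of gateway settings (empty = clean)."""
    findings = []
    url = urlsplit(s.get("gateway_url", ""))
    if url.scheme.lower() != "https":
        findings.append("gateway URL must be HTTPS")
    host = url.hostname or ""
    if not host:
        findings.append("gateway URL has no host")
    elif is_loopback(host):
        findings.append("gateway URL points at localhost; use the DNS name")
    if s.get("disable_host_verification"):
        findings.append("SSL host verification is disabled (testing only)")
    weak = sorted(set(s.get("protocols", [])) - ACCEPTED_PROTOCOLS)
    if weak:
        findings.append("protocols other than TLSv1.2/TLSv1.3 enabled: " + ", ".join(weak))
    if not s.get("domains"):
        findings.append("at least one domain and access code is required")
    return findings


def strip_role_prefix(role, prefix):
    """Drop the configured role prefix before matching internal role names."""
    return role[len(prefix):] if prefix and role.startswith(prefix) else role


# Constructed sample settings (hypothetical key names, not fathom.properties keys).
SAMPLE = {"gateway_url": "http://127.0.0.1:8443/", "disable_host_verification": True,
          "protocols": ["TLSv1.1", "TLSv1.2"], "domains": []}

if __name__ == "__main__":
    for finding in check_gateway_settings(SAMPLE):
        print("FINDING:", finding)
```
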