The specific steps to configure an OpenEdge security domain depend on the OpenEdge product you are setting up. Those steps are contextual to the architecture of each product, where security domain information is stored, and how that information is consumed by the clients of those products.

For information about the names that you can assign to OpenEdge security domains, see Defining the name of a domain.

PAS for OpenEdge

The domain access codes for a PAS for OpenEdge instance exist within a single Java keystore that is generated by the gendomreg utility. This keystore file is created from a CSV file that contains a list of each authorized domain name and its corresponding domain access code.

Note that when you install PAS for OpenEdge, ABLDomainRegistry.keystore is located by default in the myInstance/conf directory. This file contains encrypted values for the blank domain and its corresponding blank domain access code.

To configure a security domain for PAS for OpenEdge:

  1. Create a domain registry CSV file that lists each OpenEdge security domain name and its associated domain access code in clear-text. Each security domain name and its access code are separated by a comma. For example:
    acme1.com,123456
    acme2.com,654321
    acme3.com,098765
  2. Start the Proenv command shell.
  3. In the Proenv command shell, run the gendomreg utility to create an encrypted Java keystore file from the CSV file. For example, the following command creates the keystore file ABLDomainRegistry.keystore.
    $DLC/bin/gendomreg ABLDomainRegistry.csv ABLDomainRegistry.keystore
  4. Copy the keystore file into the conf directory of each PAS for OpenEdge instance in your environment.
Note: The keystore file is initially distributed with the default blank domain and blank domain access code. You can either remove the default blank domain, and thereby disable it, or retain it and change its domain access code. The following examples show the corresponding .csv file entries (disregard the single quotes, which only delimit the beginning and end of a .csv file line):
    default domain and access code: ','
    default domain and a non-blank access code: ',abcde2'

The remaining domain configuration properties are located in the ABL web application’s oeablSecurity.properties file.

OpenEdge Authentication Gateway

For OpenEdge Authentication Gateway, the security domain configuration comprises two files that are stored in the webapps/ROOT/WEB-INF/config directory of an Authentication Gateway server instance:

  • domains.json—A simple JSON-formatted text file that you modify to specify the domain configuration.
  • domains.keystore—Domain access codes for the OpenEdge Authentication Gateway are stored separately as a Java keystore. You create the keystore using the OpenEdge gendomreg command.
Tip: Use a JSON GUI editor to simplify adding and configuring domain configurations.

To configure a security domain for OpenEdge Authentication Gateway:

  1. Make the following updates to the domains.json file:
    • Add the OpenEdge security domain names that you want to include.
    • For each security domain you add, specify the corresponding authentication type and provider.

      For more information, see OpenEdge Authentication Gateway Tutorial.

    • Enable the domain.
    • Configure the authentication processes that the domain will support.
    • Optionally, add to the configuration any ABL classes you have written to tailor the CLIENT-PRINCIPAL token provisioning and auditing steps.
  2. Create a domain registry CSV file that lists each OpenEdge security domain name and its associated domain access code in clear-text. Each security domain name and its access code are separated by a comma. For example:
    acme1.com,123456
    acme2.com,654321
    acme3.com,098765
  3. Start the Proenv command shell.
  4. In the Proenv command shell, run the gendomreg utility to create an encrypted Java keystore file from the CSV file. For example, the following command creates the keystore file domains.keystore.
    $DLC/bin/gendomreg domainsks.csv domains.keystore
  5. Copy the keystore file into the directory in which the domains.json file is located.

    For more information, see OpenEdge Authentication Gateway Tutorial.
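
Both the PAS for OpenEdge and the Authentication Gateway procedures above pass a clear-text CSV of access codes to gendomreg. The following added example, which is not part of the OpenEdge documentation or tooling, checks that CSV before the keystore is built. The function names and the policy they enforce (two fields per line, no duplicate domains, no blank access codes, owner-only file permissions) are assumptions; only the gendomreg command line comes from this page.

```shell
#!/bin/sh
# Added example: pre-flight checks on a domain registry CSV before gendomreg.
# lint_domain_csv, build_keystore and the policy they enforce are assumptions
# made for illustration; only the gendomreg command line comes from the page.

lint_domain_csv() {
    # $1 = CSV of "domain,access-code" lines. Prints findings; returns 0 if clean.
    csv=$1; rc=0
    [ -r "$csv" ] || { echo "cannot read $csv"; return 1; }
    awk -F',' '
        { sub(/\r$/, "") }    # tolerate CRLF line endings
        NF != 2    { printf "line %d: expected exactly domain,code\n", NR; bad = 1; next }
        seen[$1]++ { printf "line %d: duplicate domain \"%s\"\n", NR, $1; bad = 1 }
        $2 == ""   { printf "line %d: domain \"%s\" has a blank access code\n", NR, $1; bad = 1 }
        END        { exit bad + 0 }
    ' "$csv" || rc=1
    # The CSV holds clear-text access codes: require owner-only permissions.
    perms=$(ls -ld "$csv" | cut -c5-10)
    [ "$perms" = "------" ] || { echo "$csv is open to group/other ($perms)"; rc=1; }
    return "$rc"
}

build_keystore() {
    # $1 = CSV, $2 = keystore to create. Runs gendomreg only on a clean CSV.
    lint_domain_csv "$1" || return 1
    # umask 077 so the generated keystore is not group/world readable.
    ( umask 077 && "$DLC/bin/gendomreg" "$1" "$2" ) || return 1
    echo "created $2; now delete or lock away the clear-text file $1"
}

# Stand-alone use: sh script.sh ABLDomainRegistry.csv ABLDomainRegistry.keystore
if [ "$#" -eq 2 ]; then build_keystore "$1" "$2"; fi
```

A retained default blank domain entry such as `,abcde2` passes the check, while the shipped `,` entry is reported because its access code is blank.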

OpenEdge Database

For OpenEdge Database, you define and configure security domains in each OpenEdge Database instance. You then enable or disable each security domain for run-time use. A security domain for use with OpenEdge Database is:

  • Configured with an authentication system that has access to valid user accounts and supports user authentication
  • Authentication-enabled if the domain is enabled for run-time use

OpenEdge Database provides a default domain registry that is stored within two database tables. One table identifies the configured security domain names, and also domain-to-tenant relationships if the database is enabled for multi-tenancy. The second table contains the domain access codes. This arrangement allows OpenEdge Database to access its security domains for authenticating the identities assigned to OpenEdge database connections. These database connections are typically created for the following:

  • Database clients, such as ABL applications and database utilities
  • AVM
  • OpenEdge SQL Server

You configure OpenEdge-supported security domains in an OpenEdge RDBMS using database administration tools, including the:

  • Database Administration Console in OpenEdge Management
  • Data Administration utility in the OpenEdge program group on Windows
  • Admin menu of the character-mode Data Dictionary

For more information, see Domain Maintenance option.