BUSINESS SOFTWARE
Reference manual – Integrated database authentication
Installation and configuration
This document is intended for Agresso Business World Consultants and customer Super Users,
and thus assumes in-depth knowledge of existing Agresso functionality.
Every effort has been made to supply complete and accurate information; however, the information
in this document is subject to change without notice. UNIT4 R&D AS assumes no responsibility
for any errors that may occur in the documentation. Please contact your local Agresso Customer
Support centre if you have any questions.
Microsoft Excel, Microsoft Project, Windows and Microsoft SQL Server are either
registered trademarks or trademarks of Microsoft Corporation in the United States and/or other
countries. All other brand names, product names and company logos are trademarks or registered
trademarks of their respective owners.
This document contains information proprietary to and considered a trade secret of UNIT4 R&D
AS. It is expressly agreed that it shall not be reproduced in whole or in part, disclosed, divulged,
or otherwise made available to any third party either directly or indirectly. Reproduction of this
documentation for any purposes is prohibited without the prior express written authorization of
UNIT4 R&D AS, Oslo, Norway. All rights reserved.
AGRESSO Business Software © 1987-2013
UNIT4 R&D AS, Gjerdrums vei 4, 0401 Oslo, Norway.
Table of contents
Introduction 1
Using application role 2
Database support and requirements 3
Configuration 4
Using Agresso Management Console 5
Introduction 5
Using AMC 7
Options – SQL Server 9
Options – Oracle 11
Add users 13
General configuration options 14
Integrated database authentication - Introduction 1
Introduction
Purpose
The main purpose of this document is to explain how administrators of Smart Client
deployment can install and configure integrated database authentication for Smart Client
users, where the Smart Client is deployed with the Central Configuration Server (Centrally
Configured Client).
Prerequisites
As a reader, you should be familiar with
database security mechanisms,
Agresso Smart Client deployment techniques, and the
Agresso Management Console (AMC).
To install integrated database authentication you need system administrator permissions on
the database.
Using application role
Logging on to the database
By enabling integrated database authentication when connecting to the database, the Smart
Client will no longer store the database credentials. Instead, the currently logged on
windows user will be authenticated by the database using NTS (Windows NT native
authentication).
When the user is identified – and accepted – the required database connection credentials
are never transmitted over the network, and not stored on disk or in memory on the client’s
machine.
Auditing
After a successful connect, every database operation is performed in the name of the actual
Windows domain user. The unique Smart Client user can always be traced in the database
log (audit log).
Stored procedures
The Smart Client interacts with stored procedures in the database. These are the only items
in the database the domain users can get access to.
The interaction forms a handshake which transfers an encrypted application role password
to the Smart Client. This is then processed by the Smart Client and used to elevate the
permissions needed for the Smart Client to operate on the database.
The application role password
The application role password is a static password and shared by all Smart Client users. It
is generated from Agresso Management Console, and can – and shall – be regenerated at
regular intervals. The password is never shown or exposed in clear text.
No general user access
Note that the users granted access may connect to the database from any database client
tool. Their privileges, however, are restricted to execution of the security procedures.
To get general database access rights, they must connect via the Smart Client. Only the
Smart Client can elevate the user rights.
Database support and requirements
Security procedures
The integrated security mechanism requires that the stored procedures are installed in the
database, in order to perform the handshake which securely hands the Smart Client the
application role password.
The basic logic is illustrated below.
[Figure: handshake flow between the Smart Client and the Agresso database: Try to connect → Check user (Unknown → Error) → Encrypted password → Process password → Coded string → Check input (OK) → Access granted to the Windows Domain user]
Database systems
The handshake sequence is the same for both Oracle and MS SQL Server, but the setting of
the application role is a bit different.
SQL Server: CLR (Common Language Runtime) must be enabled on the SQL Server.
You use AMC to activate this setting – as an initial step.
Oracle: For Oracle, the security procedures depend on an interface called dbms_crypto
(bundled with the database). This interface must be granted for usage, which requires an
initial step of configuration in the AMC before the procedures are installed.
Using Windows Active Directory
The Smart Client’s database drivers are not concerned with authentication. Using
integrated database authentication, this is a responsibility shared between the database
(SQL Server or Oracle) and users found in Active Directory, as illustrated below:
Configuration
Set user permissions using AMC
The database permissions given to an Active Directory user (or group) are the permission to
connect to the database, plus execute permissions for the two stored procedures used by the
Smart Client to perform the handshake.
SQL Server: On SQL Server, an AD group (or individual users) can be set up with access
rights to the Agresso database. This means that if a user is removed from an AD group, the
database permissions are removed directly.
Oracle: On Oracle, an AD group can be selected, but only the individual members of the
group will be added as users, not the group itself. Therefore, if a Windows user is removed
from an AD group with access, this will not affect the user’s access rights to the Oracle
database. The user must also be removed manually from Oracle – using AMC.
Note that this restriction does not apply to Oracle Enterprise Edition, which allows adding
access to groups.
Traffic encryption
Even if the application role password is transported encrypted to the Smart Client, we
recommend that traffic encryption is enabled on all communication between the Smart
Client and the Database Server. For high security environments it is a prerequisite to
activate traffic encryption.
Encryption will be valid for all clients and for whole sessions.
SQL Server: Activation of SSL on SQL Server will force the database to generate an SSL
certificate which is automatically accepted by the Smart Client.
Oracle: For Oracle, the client is forced to initiate encryption of the traffic. A seed of 10-70
random characters is used to achieve the required strength.
Note the following:
SQL Server: Traffic encryption can easily be turned on using the Agresso Management
Console, but we strongly recommend that a certificate is requested from a trusted
authority, and that traffic encryption is configured as recommended by the latest Microsoft
guidelines.
Oracle: Traffic encryption has to be configured manually. Please contact your local Unit4
technical services if you need consultancy on the subject.
Activation of traffic encryption for Oracle may require licenses beyond the Standard
edition!
Using Agresso Management Console
Introduction
Prerequisites
The installation instructions in the coming sections assume that the following is in place:
Agresso Business World is installed on a server, with the purpose of serving other
network workstations with the Smart Client through Central Configuration Server
functionality.
Agresso Management Console is up and running, and Backoffice Datasource is
configured for the installation described above.
A Centrally Configured Client is configured and ready to use.
Run as administrator
For some of the database operations needed for deployment of the security model and
objects, it is required that the AMC runs with system administrator permissions.
SQL Server: You can log in as sa to run the setup and manage users.
Oracle: Since it’s not possible to log in with sys as SYSDBA on Oracle from AMC, you
will need to create a special user (amcadmin), with sufficient permissions, for the
installation procedures.
Initial preparations – Oracle only
Before you can use AMC and the Integrated Security node, you need to create a special
Oracle user (amcadmin), with the required privileges for installation and setup.
Create administrator – example: The SQL below creates the user amcadmin with
required privileges. You must be logged in as SYS with role SYSDBA to run the script!
-- Run as SYS with the SYSDBA role. Any existing amcadmin user is dropped first.
DROP USER amcadmin CASCADE;
CREATE USER amcadmin IDENTIFIED BY "MySecretPassword";
-- Session privileges
GRANT ALTER SESSION TO amcadmin WITH ADMIN OPTION;
GRANT CREATE SESSION TO amcadmin WITH ADMIN OPTION;
-- Catalog access
GRANT SELECT_CATALOG_ROLE TO amcadmin;
GRANT EXECUTE_CATALOG_ROLE TO amcadmin;
-- Objects the security procedures depend on (dbms_crypto and the session views);
-- WITH GRANT OPTION lets amcadmin pass them on when the procedures are installed
GRANT EXECUTE ON sys.dbms_crypto TO amcadmin WITH GRANT OPTION;
GRANT SELECT ON sys.v_$session TO amcadmin WITH GRANT OPTION;
GRANT SELECT ON sys.v_$session_connect_info TO amcadmin WITH GRANT OPTION;
-- Views and tables
GRANT DROP ANY VIEW TO amcadmin WITH ADMIN OPTION;
GRANT CREATE ANY VIEW TO amcadmin WITH ADMIN OPTION;
GRANT DROP ANY TABLE TO amcadmin WITH ADMIN OPTION;
GRANT CREATE ANY TABLE TO amcadmin WITH ADMIN OPTION;
GRANT INSERT ANY TABLE TO amcadmin WITH ADMIN OPTION;
GRANT SELECT ANY TABLE TO amcadmin WITH ADMIN OPTION;
GRANT UPDATE ANY TABLE TO amcadmin WITH ADMIN OPTION;
GRANT ALTER ANY TABLE TO amcadmin WITH ADMIN OPTION;
GRANT DELETE ANY TABLE TO amcadmin WITH ADMIN OPTION;
-- Procedures (the handshake security procedures)
GRANT CREATE PROCEDURE TO amcadmin WITH ADMIN OPTION;
GRANT CREATE ANY PROCEDURE TO amcadmin WITH ADMIN OPTION;
GRANT EXECUTE ANY PROCEDURE TO amcadmin WITH ADMIN OPTION;
GRANT ALTER ANY PROCEDURE TO amcadmin WITH ADMIN OPTION;
GRANT DROP ANY PROCEDURE TO amcadmin WITH ADMIN OPTION;
GRANT GRANT ANY OBJECT PRIVILEGE TO amcadmin WITH ADMIN OPTION;
-- Roles and users (the application role and the externally identified AD users)
GRANT CREATE ROLE TO amcadmin WITH ADMIN OPTION;
GRANT ALTER ANY ROLE TO amcadmin WITH ADMIN OPTION;
GRANT DROP ANY ROLE TO amcadmin WITH ADMIN OPTION;
GRANT GRANT ANY ROLE TO amcadmin WITH ADMIN OPTION;
GRANT CREATE USER TO amcadmin WITH ADMIN OPTION;
GRANT ALTER USER TO amcadmin WITH ADMIN OPTION;
GRANT DROP USER TO amcadmin WITH ADMIN OPTION;
-- Indexes and triggers
GRANT ALTER ANY INDEX TO amcadmin WITH ADMIN OPTION;
GRANT CREATE ANY INDEX TO amcadmin WITH ADMIN OPTION;
GRANT DROP ANY INDEX TO amcadmin WITH ADMIN OPTION;
GRANT DROP ANY TRIGGER TO amcadmin WITH ADMIN OPTION;
GRANT CREATE ANY TRIGGER TO amcadmin WITH ADMIN OPTION;
GRANT ALTER ANY TRIGGER TO amcadmin WITH ADMIN OPTION;
Using AMC
Integrated Security node
Installation and maintenance is done via the Centrally Configured Client’s Integrated
Security node in AMC.
You need to authenticate as a database user having the sufficient permissions to deploy the
security model.
Before integrated authentication is enabled, you will get something like the following:
Prepare (setup)
You use the Setup button to enable integrated security, activate encryption, regenerate the
application role password and manage users which are allowed to logon to the database.
The result of each individual operation (log) will be displayed in a separate window. The
result is as follows:
SQL Server: Enables CLR.
Oracle: Prepares the database schema to allow use of the dbms_crypto interface within the
current database.
Enable
To enable integrated database authentication for the selected Centrally Configured Client,
you simply check the Enabled checkbox.
This will remove the database credentials stored in the CCC’s agresso32.ini file, making
the Centrally Configured Client use the Integrated Database Authentication solution when
connecting to the database.
Options – SQL Server
Example screen
The example below shows the Integrated Security page having integrated security enabled:
Activate SSL – enable data encryption
Traffic encryption can easily be turned on using the AMC, but we strongly recommend that
a certificate is requested from a trusted authority, and that traffic encryption is configured
as recommended by the latest Microsoft guidelines.
Check the SSL Encryption checkbox. If you are using the default ODBC driver, you may
get this warning:
Use correct ODBC Driver
When activating SSL, you must make sure that both the centrally configured client and
all local Smart Client machines use MS SQL Server Native Client 10.0 as the
ODBC driver.
Install driver on central client: For the centrally configured client, you simply select the
driver from AMC (ODBC Driver above).
Install driver on local machines: For local client installation, you will need the
installation package sqlncli.msi. Make sure that sqlncli.msi is distributed to, and
installed on, all Smart client machines.
Double security
When you activate SSL, the following happens:
1. agresso32.ini will be updated as shown below:
2. In asyssetup, DBC_FORCE_SSL will be set to true.
Note: Unless the contents of agresso32.ini and asyssetup are synchronised, access to the
database will be blocked!
Options – Oracle
Example screen
The example below shows the upper part of the Integrated Security page having integrated
security enabled:
OS Authentication prefix
You can use a prefix for database users that are identified externally. By default, AMC uses
the Oracle default value, OPS$.
Note: The OS Authentication prefix has to be set to the same value as used in the database.
Check this with the command: show parameter os_authent_prefix;
Activate Network Data Encryption
Note: Traffic encryption has to be configured manually for Oracle. The steps shown below
will only configure the Smart Client sqlnet.ora file. The example shows both encryption
and integrated database authentication sections.
Please contact your local Unit4 technical services if you need consultancy on the subject.
You activate data encryption by checking the checkbox for this purpose.
Result: As a result, the file sqlnet.ora will be written to the file share as shown below:
Note: The sqlnet.ora which is created by AMC could be different from the Database Server
sqlnet.ora. If so you might have to manually change the Smart Client sqlnet.ora to reflect
the correct settings as used in the Database Server sqlnet.ora and listener.ora.
Note: Unless the contents of sqlnet.ora and asyssetup (DBC_FORCE_SSL) are
synchronized, access to the database will be blocked!
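The client sqlnet.ora written by AMC and the server's sqlnet.ora must agree, as the notes above state. The Python below is an added example, not part of the UNIT4 manual or of AMC: it parses two constructed sqlnet.ora samples and applies Oracle's documented ENCRYPTION_CLIENT/ENCRYPTION_SERVER negotiation rules to predict whether a connection will be blocked, and checks the client-side NTS setting and the 10-70 character seed the manual describes (assumed here to be the SQLNET.CRYPTO_SEED parameter).

```python
import re

# Constructed sample files (not from the manual); the parameter names are Oracle's own,
# the values are made up for the demonstration.
CLIENT_SQLNET_ORA = """
SQLNET.AUTHENTICATION_SERVICES = (NTS)
SQLNET.ENCRYPTION_CLIENT = REQUIRED
SQLNET.ENCRYPTION_TYPES_CLIENT = (AES256)
SQLNET.CRYPTO_SEED = 'k3j8fhq2p9zx1c0vb7nm'
"""
SERVER_SQLNET_ORA = """
# server side left at REJECTED: the client's REQUIRED makes every connect fail
SQLNET.ENCRYPTION_SERVER = REJECTED
"""

def parse_sqlnet(text):
    """Return {PARAM: value} for 'NAME = value' lines; '#' comments and blanks are skipped."""
    params = {}
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        m = re.match(r"([A-Za-z0-9_.]+)\s*=\s*(.+)", line)
        if m:
            params[m.group(1).upper()] = m.group(2).strip().strip("'\"")
    return params

def encryption_outcome(client_level, server_level):
    """Oracle's negotiation matrix for ENCRYPTION_CLIENT vs ENCRYPTION_SERVER:
    'fail' (connection refused), 'off' (clear text) or 'on' (encrypted)."""
    c, s = client_level.upper(), server_level.upper()
    if {c, s} == {"REJECTED", "REQUIRED"}:
        return "fail"
    if "REJECTED" in (c, s) or (c == "ACCEPTED" and s == "ACCEPTED"):
        return "off"
    return "on"

def check_client(params):
    """Problems with the Smart Client side settings the manual calls for."""
    problems = []
    if "NTS" not in params.get("SQLNET.AUTHENTICATION_SERVICES", "").upper():
        problems.append("NTS (Windows native) authentication not enabled")
    # Oracle's default for ENCRYPTION_CLIENT is ACCEPTED, i.e. encryption is not forced
    if params.get("SQLNET.ENCRYPTION_CLIENT", "ACCEPTED").upper() != "REQUIRED":
        problems.append("client does not require encryption")
    if not 10 <= len(params.get("SQLNET.CRYPTO_SEED", "")) <= 70:
        problems.append("SQLNET.CRYPTO_SEED must be 10-70 characters")
    return problems
```

Run check_client on the client file and encryption_outcome on the two ENCRYPTION levels before rolling the share out; a "fail" result is exactly the blocked-access case the note warns about.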
Add users
Add users
To get users from Active Directory and into the database, you use the User Access node:
Procedure
Do as follows:
1. Click the Add... action.
A dialog will allow you to select users and groups from Active Directory.
2. Make your selection and click OK.
All selected users are listed in AMC and granted access (by default).
Note for Oracle: You need Oracle Enterprise edition to be able to add and grant access
to groups of users. For non-Oracle Enterprise, AMC will extract the users from a
selected group and add them as individual users.
3. You can right click in a selection of users and get access to some adjustment
commands:
Deny will disable access for the selected users/groups without removing them. Denied
users/groups can later be allowed access.
Allow will allow users/groups that have been denied.
Remove is used to completely remove the selected users/groups.
General configuration options
Regenerate password
The application role password can be regenerated at any time:
Reset database changes
By unchecking the Enabled checkbox, the integrated authentication will be disabled and
database authentication will be reset to default for the Centrally Configured Client. This
will restore the database credentials in the CCC’s agresso32.ini file.
All the necessary procedures and structures will be left ready to use in the database.
Remove all traces of integrated security
For troubleshooting purposes you may want to remove all traces of the integrated
authentication in the database.
You do this by clicking the Reset button.
Result: This will remove all new structures inserted into the database, with some
exceptions.
The users will not be removed. If required, you should therefore remove the users
before resetting.
Note for Oracle: The new administrator (amcadmin) will not be affected by a reset.