Date post: 24-May-2020
Page 1: Integrated database authentication - Unit4...Integrated database authentication - Using Agresso Management Console 7 Using AMC Integrated Security node Installation and maintenance

BUSINESS SOFTWARE

Reference manual – Integrated database authentication

Installation and configuration


This document is intended for Agresso Business World Consultants and customer Super Users, and thus assumes in-depth knowledge of existing Agresso functionality.

Every effort has been made to supply complete and accurate information; however, the information in this document is subject to change without notice. UNIT4 R&D AS assumes no responsibility for any errors that may occur in the documentation. Please contact your local Agresso Customer Support centre if you have any questions.

Microsoft Excel, Microsoft Project, Windows and Microsoft SQL Server are either registered trademarks or trademarks of Microsoft Corporation in the United States and/or other countries. All other brand names, product names and company logos are trademarks or registered trademarks of their respective owners.

This document contains information proprietary to and considered a trade secret of UNIT4 R&D AS. It is expressly agreed that it shall not be reproduced in whole or in part, disclosed, divulged, or otherwise made available to any third party either directly or indirectly. Reproduction of this documentation for any purposes is prohibited without the prior express written authorization of UNIT4 R&D AS, Oslo, Norway. All rights reserved.

AGRESSO Business Software © 1987-2013
UNIT4 R&D AS, Gjerdrums vei 4, 0401 Oslo, Norway.


Table of contents

Introduction ........ 1
  Using application role ........ 2
  Database support and requirements ........ 3
  Configuration ........ 4
Using Agresso Management Console ........ 5
  Introduction ........ 5
  Using AMC ........ 7
  Options – SQL Server ........ 9
  Options – Oracle ........ 11
  Add users ........ 13
  General configuration options ........ 14


Introduction

Purpose

The main purpose of this document is to explain how administrators of a Smart Client deployment can install and configure integrated database authentication for Smart Client users, where the Smart Client is deployed with the Central Configuration Server (Centrally Configured Client).

Prerequisites

As a reader, you should be familiar with
- database security mechanisms,
- Agresso Smart Client deployment techniques, and
- the Agresso Management Console (AMC).

To install integrated database authentication you need system administrator permissions on the database.


Using application role

Logging on to the database

By enabling integrated database authentication when connecting to the database, the Smart Client will no longer store the database credentials. Instead, the currently logged on Windows user will be authenticated by the database using NTS (Windows NT native authentication).

When the user is identified – and accepted – the required database connection credentials are never transmitted over the network, and are not stored on disk or in memory on the client's machine.

Auditing

After a successful connect, every database operation is performed in the name of the actual Windows domain user. The unique Smart Client user can always be traced in the database log (audit log).

Stored procedures

The Smart Client interacts with stored procedures in the database. These are the only items in the database the domain users can get access to.

The interaction forms a handshake which transfers an encrypted application role password to the Smart Client. This is then processed by the Smart Client and used to elevate the permissions needed for the Smart Client to operate on the database.

The application role password

The application role password is a static password shared by all Smart Client users. It is generated from Agresso Management Console, and can – and shall – be regenerated at regular intervals. The password is never shown or exposed in clear text.

No general user access

Note that the users granted access may connect to the database from any database client tool. Their privileges, however, are restricted to execution of the security procedures.

To get general database access rights, they must connect via the Smart Client. Only the Smart Client can elevate the user rights.


Database support and requirements

Security procedures

The integrated security mechanism requires that the stored procedures are installed in the database, in order to perform the handshake which securely hands the Smart Client the application role password.

The basic logic is illustrated below.

[Figure: handshake between the Smart Client and the Agresso database. Steps shown: Try to connect; Check user (Unknown: Error; OK: Coded string); Check input; Encrypted password; Process password; OK; Access granted to the Windows Domain user.]

Database systems

The handshake sequence is the same for both Oracle and MS SQL Server, but the setting of the application role is a bit different.

SQL Server: CLR (Common Language Runtime) must be enabled on the SQL Server. You use AMC to activate this setting – as an initial step.

Oracle: For Oracle, the security procedures depend on an interface called dbms_crypto (bundled with the database). This interface must be granted for usage, which requires an initial step of configuration in the AMC before the procedures are installed.

Using Windows Active Directory

The Smart Client's database drivers are not concerned with authentication. Using integrated database authentication, this is a responsibility shared between the database (SQL Server or Oracle) and users found in Active Directory, as illustrated below:


Configuration

Set user permissions using AMC

The database permissions given to an Active Directory user (or group) are the permission to connect to the database, plus execute permissions for the two stored procedures used by the Smart Client to perform the handshake.

SQL Server: On SQL Server, an AD group (or individual users) can be set up with access rights to the Agresso database. This means that if a user is removed from an AD group, the database permissions are removed directly.

Oracle: On Oracle, an AD group can be selected, but only the individual members of the group will be added as users, not the group itself. Therefore, if a Windows user is removed from an AD group with access, this will not affect the user's access rights to the Oracle database. The user must also be removed manually from Oracle – using AMC.

Note that this restriction does not apply to Oracle Enterprise Edition, which allows adding access to groups.

Traffic encryption

Even if the application role password is transported encrypted to the Smart Client, we recommend that traffic encryption is enabled on all communication between the Smart Client and the Database Server. For high security environments it is a prerequisite to activate traffic encryption.

Encryption will be valid for all clients and for whole sessions.

SQL Server: Activation of SSL on SQL Server will force the database to generate an SSL certificate which is automatically accepted by the Smart Client.

Oracle: For Oracle, the client is forced to initiate encryption of the traffic. A seed of 10-70 random characters is used to achieve the required strength.

Note the following:

SQL Server: Traffic encryption can easily be turned on using the Agresso Management Console, but we strongly recommend that a certificate is requested from a trusted authority, and that traffic encryption is configured as recommended by the latest Microsoft guidelines.

Oracle: Traffic encryption has to be configured manually. Please contact your local Unit4 technical services if you need consultancy on the subject.

Activation of traffic encryption for Oracle may require licenses beyond the Standard Edition!


Using Agresso Management Console

Introduction

Prerequisites

The installation instructions in the coming sections assume that the following is in place:
- Agresso Business World is installed on a server, with the purpose of serving other network workstations with the Smart Client through Central Configuration Server functionality.
- Agresso Management Console is up and running, and a Backoffice Datasource is configured for the installation described above.
- A Centrally Configured Client is configured and ready to use.

Run as administrator

For some of the database operations needed for deployment of the security model and objects, it is required that the AMC runs with system administrator permissions.

SQL Server: You can log in as sa to run the setup and manage users.

Oracle: Since it's not possible to log in with sys as SYSDBA on Oracle from AMC, you will need to create a special user (amcadmin), with sufficient permissions, for the installation procedures.

Initial preparations – Oracle only

Before you can use AMC and the Integrated Security node, you need to create a special Oracle user (amcadmin), with the required privileges for installation and setup.

Create administrator – example: The SQL below creates the user amcadmin with the required privileges. You must be logged in as SYS with role SYSDBA to run the script!

    DROP USER amcadmin CASCADE;
    CREATE USER amcadmin IDENTIFIED BY "MySecretPassword";
    GRANT ALTER SESSION TO amcadmin WITH ADMIN OPTION;
    GRANT CREATE SESSION TO amcadmin WITH ADMIN OPTION;
    GRANT SELECT_CATALOG_ROLE TO amcadmin;
    GRANT EXECUTE_CATALOG_ROLE TO amcadmin;
    GRANT EXECUTE ON sys.dbms_crypto TO amcadmin WITH GRANT OPTION;
    GRANT SELECT ON sys.v_$session TO amcadmin WITH GRANT OPTION;
    GRANT SELECT ON sys.v_$session_connect_info TO amcadmin WITH GRANT OPTION;
    GRANT DROP ANY VIEW TO amcadmin WITH ADMIN OPTION;
    GRANT CREATE ANY VIEW TO amcadmin WITH ADMIN OPTION;
    GRANT DROP ANY TABLE TO amcadmin WITH ADMIN OPTION;
    GRANT CREATE ANY TABLE TO amcadmin WITH ADMIN OPTION;
    GRANT INSERT ANY TABLE TO amcadmin WITH ADMIN OPTION;
    GRANT SELECT ANY TABLE TO amcadmin WITH ADMIN OPTION;
    GRANT UPDATE ANY TABLE TO amcadmin WITH ADMIN OPTION;
    GRANT ALTER ANY TABLE TO amcadmin WITH ADMIN OPTION;
    GRANT DELETE ANY TABLE TO amcadmin WITH ADMIN OPTION;
    GRANT CREATE PROCEDURE TO amcadmin WITH ADMIN OPTION;
    GRANT CREATE ANY PROCEDURE TO amcadmin WITH ADMIN OPTION;
    GRANT EXECUTE ANY PROCEDURE TO amcadmin WITH ADMIN OPTION;
    GRANT ALTER ANY PROCEDURE TO amcadmin WITH ADMIN OPTION;
    GRANT DROP ANY PROCEDURE TO amcadmin WITH ADMIN OPTION;
    GRANT GRANT ANY OBJECT PRIVILEGE TO amcadmin WITH ADMIN OPTION;
    GRANT CREATE ROLE TO amcadmin WITH ADMIN OPTION;
    GRANT ALTER ANY ROLE TO amcadmin WITH ADMIN OPTION;
    GRANT DROP ANY ROLE TO amcadmin WITH ADMIN OPTION;
    GRANT GRANT ANY ROLE TO amcadmin WITH ADMIN OPTION;
    GRANT CREATE USER TO amcadmin WITH ADMIN OPTION;
    GRANT ALTER USER TO amcadmin WITH ADMIN OPTION;
    GRANT DROP USER TO amcadmin WITH ADMIN OPTION;
    GRANT ALTER ANY INDEX TO amcadmin WITH ADMIN OPTION;
    GRANT CREATE ANY INDEX TO amcadmin WITH ADMIN OPTION;
    GRANT DROP ANY INDEX TO amcadmin WITH ADMIN OPTION;
    GRANT DROP ANY TRIGGER TO amcadmin WITH ADMIN OPTION;
    GRANT CREATE ANY TRIGGER TO amcadmin WITH ADMIN OPTION;
    GRANT ALTER ANY TRIGGER TO amcadmin WITH ADMIN OPTION;
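The script above gives amcadmin a broad set of "ANY" privileges across every schema, most of them WITH ADMIN OPTION, and the Reset operation described later in this manual leaves this account untouched. The following Python script is an added example, not part of the Unit4 manual or of AMC. It parses the two GRANT shapes used above (system privilege or role grants, and object grants), summarises the grants a DBA would review before running the script, and generates the matching REVOKE statements for use once the installation procedures are complete. SAMPLE_SCRIPT is a constructed subset of the grants above; the ACCOUNT_ADMIN set is this example's own choice of which privileges to single out.

```python
"""Privilege review for an Oracle GRANT script.

Added example, not from the Unit4 manual or AMC: parses the two GRANT
shapes used in the amcadmin script (system privilege/role grants and
object grants), flags the grants a reviewer should look at first, and
emits the REVOKE statements that undo them.
"""
import re
from dataclasses import dataclass
from typing import List, Optional

# Constructed sample: a subset of the amcadmin script shown above.
SAMPLE_SCRIPT = """
CREATE USER amcadmin IDENTIFIED BY "MySecretPassword";
GRANT CREATE SESSION TO amcadmin WITH ADMIN OPTION;
GRANT SELECT_CATALOG_ROLE TO amcadmin;
GRANT EXECUTE ON sys.dbms_crypto TO amcadmin WITH GRANT OPTION;
GRANT SELECT ON sys.v_$session TO amcadmin WITH GRANT OPTION;
GRANT SELECT ANY TABLE TO amcadmin WITH ADMIN OPTION;
GRANT GRANT ANY OBJECT PRIVILEGE TO amcadmin WITH ADMIN OPTION;
GRANT CREATE USER TO amcadmin WITH ADMIN OPTION;
"""

# GRANT <priv> ON <schema.object> TO <grantee> [WITH GRANT OPTION];
OBJECT_GRANT = re.compile(
    r"^GRANT\s+(?P<priv>\w+)\s+ON\s+(?P<obj>[\w.$]+)\s+TO\s+(?P<grantee>\w+)"
    r"(?P<opt>\s+WITH\s+GRANT\s+OPTION)?\s*;$", re.IGNORECASE)
# GRANT <system privilege or role> TO <grantee> [WITH ADMIN OPTION];
SYSTEM_GRANT = re.compile(
    r"^GRANT\s+(?P<priv>[\w ]+?)\s+TO\s+(?P<grantee>\w+)"
    r"(?P<opt>\s+WITH\s+ADMIN\s+OPTION)?\s*;$", re.IGNORECASE)

# Example's own selection: privileges that create accounts or hand rights to others.
ACCOUNT_ADMIN = {"CREATE USER", "ALTER USER", "DROP USER",
                 "GRANT ANY ROLE", "GRANT ANY OBJECT PRIVILEGE"}


@dataclass(frozen=True)
class Grant:
    grantee: str
    privilege: str
    target: Optional[str]  # object name for object grants, None for system grants/roles
    delegable: bool        # WITH ADMIN OPTION or WITH GRANT OPTION present

    def describe(self) -> str:
        return self.privilege if self.target is None else f"{self.privilege} ON {self.target}"


def parse_grants(script: str) -> List[Grant]:
    """Return one Grant per GRANT statement; other statements are ignored."""
    grants = []
    for raw in script.splitlines():
        line = raw.strip()
        m = OBJECT_GRANT.match(line)  # object grants first: they also contain ' TO '
        if m:
            grants.append(Grant(m["grantee"].lower(), m["priv"].upper(),
                                m["obj"].lower(), bool(m["opt"])))
            continue
        m = SYSTEM_GRANT.match(line)
        if m:
            grants.append(Grant(m["grantee"].lower(), " ".join(m["priv"].upper().split()),
                                None, bool(m["opt"])))
    return grants


def review(grants: List[Grant]) -> dict:
    """Group grants into the findings a reviewer wants to see before running the script."""
    findings = {"any_privileges": [], "delegable": [], "account_admin": []}
    for g in grants:
        if g.target is None and " ANY " in f" {g.privilege} ":
            findings["any_privileges"].append(g.privilege)  # reaches every schema, not only Agresso's
        if g.delegable:
            findings["delegable"].append(g.describe())       # can be passed on to further accounts
        if g.target is None and g.privilege in ACCOUNT_ADMIN:
            findings["account_admin"].append(g.privilege)
    return findings


def revoke_statements(grants: List[Grant]) -> List[str]:
    """Build the REVOKE statement that undoes each grant (for use after installation)."""
    out = []
    for g in grants:
        if g.target is None:
            out.append(f"REVOKE {g.privilege} FROM {g.grantee};")
        else:
            out.append(f"REVOKE {g.privilege} ON {g.target} FROM {g.grantee};")
    return out


if __name__ == "__main__":
    parsed = parse_grants(SAMPLE_SCRIPT)
    for section, items in review(parsed).items():
        print(f"{section}: {items}")
    print("\n".join(revoke_statements(parsed)))
```

Revoking a privilege from amcadmin does not cascade to any account that amcadmin itself granted it to while holding the ADMIN or GRANT option, so a complete review compares the output with what DBA_SYS_PRIVS and DBA_TAB_PRIVS report for every grantee, not only for amcadmin.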


Using AMC

Integrated Security node

Installation and maintenance is done via the Centrally Configured Client's Integrated Security node in AMC.

You need to authenticate as a database user having sufficient permissions to deploy the security model.

Before integrated authentication is enabled, you will get something like the following:

Prepare (setup)

You use the Setup button to enable integrated security, activate encryption, regenerate the application role password and manage users which are allowed to log on to the database.

The result of each individual operation (log) will be displayed in a separate window. The result is as follows:

SQL Server: Enables CLR.

Oracle: Prepares the database schema to allow use of the dbms_crypto interface within the current database.


Enable

To enable integrated database authentication for the selected Centrally Configured Client, you simply check the Enabled checkbox.

This will remove the database credentials stored in the CCC's agresso32.ini file, making the Centrally Configured Client use the Integrated Database Authentication solution when connecting to the database.


Options – SQL Server

Example screen

The example below shows the Integrated Security page with integrated security enabled:

Activate SSL – enable data encryption

Traffic encryption can easily be turned on using the AMC, but we strongly recommend that a certificate is requested from a trusted authority, and that traffic encryption is configured as recommended by the latest Microsoft guidelines.

Check the SSL Encryption checkbox. If you are using the default ODBC driver, you may get this warning:

Use correct ODBC Driver

When activating SSL, you must make sure that both the centrally configured client and all local Smart Client machines use MS SQL Server Native Client 10.0 as ODBC driver.

Install driver on central client: For the centrally configured client, you simply select the driver from AMC (ODBC Driver above).

Install driver on local machines: For local client installation, you will need the installation package sqlncli.msi. Make sure that sqlncli.msi is distributed to, and installed on, all Smart Client machines.


Double security

When you activate SSL, the following happens:

1. agresso32.ini will be updated as shown below:

2. In asyssetup, DBC_FORCE_SSL will be set to true.

Note: Unless the contents of agresso32.ini and asyssetup are synchronised, access to the database will be blocked!


Options – Oracle

Example screen

The example below shows the upper part of the Integrated Security page with integrated security enabled:

OS Authentication prefix

You can use a prefix for database users that are identified externally. By default, AMC uses the Oracle default value, OPS$.

Note: The OS Authentication prefix has to be set to the same value as used in the database. Check this with the command: show parameter os_authent_prefix;
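Two of the Oracle-specific points in this manual lend themselves to a periodic check: the Configuration section notes that on non-Enterprise Oracle, AMC adds the members of an AD group as individual users, so removing someone from the group does not revoke their database access; and the note above requires the AMC prefix to match the database's os_authent_prefix. The Python script below is an added example, not part of the manual or of AMC. It assumes that the external account name is the prefix followed by the upper-cased DOMAIN\user name, and that the database's list of externally identified users is obtained separately (for instance from DBA_USERS where AUTHENTICATION_TYPE is EXTERNAL). The AD members, database users and SQL*Plus output are constructed inputs.

```python
"""Reconcile AD group membership with an Oracle database's externally
identified users, and verify the os_authent_prefix.

Added example, not part of the Unit4 manual or of AMC. Assumption: an
externally identified Windows user is stored in Oracle as
<os_authent_prefix><DOMAIN\\user> in upper case.
"""

OS_AUTHENT_PREFIX = "OPS$"  # the prefix AMC is configured with (Oracle default)

# Constructed inputs: current AD group members, and the users Oracle reports
# as externally identified (e.g. DBA_USERS where AUTHENTICATION_TYPE = 'EXTERNAL').
AD_GROUP_MEMBERS = ["CORP\\alice", "CORP\\bob"]
DB_EXTERNAL_USERS = ["OPS$CORP\\ALICE", "OPS$CORP\\BOB",
                     "OPS$CORP\\CAROL",        # left the group, still in the database
                     "XOP$CORP\\DAVE"]         # created with a different prefix

# Constructed SQL*Plus output of: show parameter os_authent_prefix
SHOW_PARAMETER_OUTPUT = """
NAME                                 TYPE        VALUE
------------------------------------ ----------- ------------------------------
os_authent_prefix                    string      OPS$
"""


def database_prefix(show_parameter_output: str) -> str:
    """Extract the os_authent_prefix value from 'show parameter' output.

    A NULL prefix shows as a line with only NAME and TYPE, so two fields mean ''.
    """
    for line in show_parameter_output.splitlines():
        fields = line.split()
        if fields and fields[0].lower() == "os_authent_prefix":
            return fields[2] if len(fields) >= 3 else ""
    raise ValueError("os_authent_prefix not found in output")


def check_prefix(amc_prefix: str, show_parameter_output: str) -> bool:
    """True when the AMC prefix equals the prefix the database actually uses."""
    return amc_prefix.upper() == database_prefix(show_parameter_output).upper()


def external_username(domain_user: str, prefix: str = OS_AUTHENT_PREFIX) -> str:
    """Assumed mapping from DOMAIN\\user to the Oracle external account name."""
    return (prefix + domain_user).upper()


def reconcile(ad_members, db_external_users, prefix: str = OS_AUTHENT_PREFIX) -> dict:
    """Compare what AD says against what the database holds.

    stale:        in the database but no longer in the group -> remove via AMC
    missing:      in the group but never added -> add via AMC
    other_prefix: external users not created with the configured prefix
    """
    prefix_u = prefix.upper()
    expected = {external_username(u, prefix) for u in ad_members}
    with_prefix = {u.upper() for u in db_external_users if u.upper().startswith(prefix_u)}
    return {
        "stale": sorted(with_prefix - expected),
        "missing": sorted(expected - with_prefix),
        "other_prefix": sorted(u.upper() for u in db_external_users
                               if not u.upper().startswith(prefix_u)),
    }


if __name__ == "__main__":
    print("prefix matches database:", check_prefix(OS_AUTHENT_PREFIX, SHOW_PARAMETER_OUTPUT))
    for key, users in reconcile(AD_GROUP_MEMBERS, DB_EXTERNAL_USERS).items():
        print(f"{key}: {users}")
```

Run against real data, the "stale" list is the set of accounts that still satisfy the database's "Check user" step even though the AD group no longer contains them; on Oracle Enterprise Edition, where AMC can grant access to the group itself, that list should stay empty.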


Activate Network Data Encryption

Note: Traffic encryption has to be configured manually for Oracle. The steps shown below will only configure the Smart Client sqlnet.ora file. The example shows both the encryption and the integrated database authentication sections.

Please contact your local Unit4 technical services if you need consultancy on the subject.

You activate data encryption by checking the checkbox for this purpose.

Result: As a result, the file sqlnet.ora will be written to the file share as shown below:

Note: The sqlnet.ora which is created by AMC could be different from the Database Server sqlnet.ora. If so, you might have to manually change the Smart Client sqlnet.ora to reflect the correct settings as used in the Database Server sqlnet.ora and listener.ora.

Note: Unless the contents of sqlnet.ora and asyssetup (DBC_FORCE_SSL) are synchronized, access to the database will be blocked!
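The two notes above describe a failure mode that only shows up as a blocked logon: the client sqlnet.ora written by AMC, the server's sqlnet.ora and the DBC_FORCE_SSL flag in asyssetup must agree. The Python script below is an added example, not part of the manual or of AMC, that reads both sqlnet.ora files and reports why a Smart Client session would be refused or would run unencrypted. The parameter names are the standard Oracle Net ones (SQLNET.AUTHENTICATION_SERVICES, SQLNET.ENCRYPTION_CLIENT, SQLNET.ENCRYPTION_SERVER) and the outcome table is Oracle's negotiation matrix for native network encryption; how asyssetup stores DBC_FORCE_SSL is not shown in the manual, so it is modelled here as a plain dict. Both sample files are constructed and deliberately disagree.

```python
"""Consistency check: Smart Client sqlnet.ora vs. server sqlnet.ora vs. the
asyssetup DBC_FORCE_SSL flag.

Added example, not part of the Unit4 manual or of AMC. Oracle Net parameter
names are real; the asyssetup representation is an assumption.
"""

# Constructed sample files. The client (written by AMC to the file share)
# requires encryption, while the server has it switched off.
CLIENT_SQLNET_ORA = """
# client side, written by AMC
SQLNET.AUTHENTICATION_SERVICES = (NTS)
SQLNET.ENCRYPTION_CLIENT = REQUIRED
SQLNET.ENCRYPTION_TYPES_CLIENT = (AES256)
"""
SERVER_SQLNET_ORA = """
SQLNET.AUTHENTICATION_SERVICES = (NTS)
SQLNET.ENCRYPTION_SERVER = REJECTED
"""
ASYSSETUP = {"DBC_FORCE_SSL": "true"}  # assumed representation of the asyssetup value


def parse_sqlnet_ora(text: str) -> dict:
    """Parse KEY = VALUE and KEY = (A, B) lines into {KEY: [values]}; '#' starts a comment."""
    params = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line or "=" not in line:
            continue
        key, value = (part.strip() for part in line.split("=", 1))
        values = [v.strip().upper() for v in value.strip("()").split(",") if v.strip()]
        params[key.upper()] = values
    return params


_LEVELS = ("REJECTED", "ACCEPTED", "REQUESTED", "REQUIRED")


def negotiate_encryption(client_level: str, server_level: str) -> str:
    """Oracle Net negotiation matrix: returns 'ON', 'OFF' or 'FAIL'.

    REQUIRED against REJECTED refuses the connection; REJECTED against anything
    else turns encryption off; ACCEPTED on both sides (the default) is off;
    every other combination turns it on.
    """
    c, s = client_level.upper(), server_level.upper()
    if c not in _LEVELS or s not in _LEVELS:
        raise ValueError(f"unknown encryption level: {client_level!r}/{server_level!r}")
    if {c, s} == {"REJECTED", "REQUIRED"}:
        return "FAIL"
    if "REJECTED" in (c, s) or (c == "ACCEPTED" and s == "ACCEPTED"):
        return "OFF"
    return "ON"


def check_consistency(client_text: str, server_text: str, asyssetup: dict) -> list:
    """Return findings explaining why a Smart Client logon would be blocked or unsafe."""
    client = parse_sqlnet_ora(client_text)
    server = parse_sqlnet_ora(server_text)
    findings = []
    if "NTS" not in client.get("SQLNET.AUTHENTICATION_SERVICES", []):
        findings.append("client sqlnet.ora does not enable NTS; integrated authentication cannot work")
    if "NTS" not in server.get("SQLNET.AUTHENTICATION_SERVICES", []):
        findings.append("server sqlnet.ora does not enable NTS")
    force_ssl = asyssetup.get("DBC_FORCE_SSL", "false").lower() == "true"
    client_level = client.get("SQLNET.ENCRYPTION_CLIENT", ["ACCEPTED"])[0]
    server_level = server.get("SQLNET.ENCRYPTION_SERVER", ["ACCEPTED"])[0]
    outcome = negotiate_encryption(client_level, server_level)
    if outcome == "FAIL":
        findings.append(f"encryption negotiation fails ({client_level} vs {server_level}); connection refused")
    elif force_ssl and outcome != "ON":
        findings.append("DBC_FORCE_SSL is true but the session would not be encrypted")
    elif not force_ssl and client_level == "REQUIRED":
        findings.append("client requires encryption but DBC_FORCE_SSL is false; settings are out of sync")
    return findings


if __name__ == "__main__":
    for finding in check_consistency(CLIENT_SQLNET_ORA, SERVER_SQLNET_ORA, ASYSSETUP):
        print("-", finding)
```

The same check, with the server side set to REQUIRED, returns no findings, which is the state the manual asks for: encryption forced on both ends and the asyssetup flag agreeing with the client file.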


Add users

Add users

To get users from Active Directory and into the database, you use the User Access node:

Procedure

Do as follows:

1. Click the Add... action. A dialog will allow you to select users and groups from Active Directory.

2. Make your selection and click OK. All selected users are listed in AMC and granted access (by default).

   Note for Oracle: You need Oracle Enterprise Edition to be able to add and grant access to groups of users. For non-Enterprise Oracle, AMC will extract the users from a selected group and add them as individual users.

3. You can right-click in a selection of users and get access to some adjustment commands:
   - Deny will disable access for the selected users/groups without removing them. Denied users/groups can later be allowed access.
   - Allow will allow users/groups that have been denied.
   - Remove is used to completely remove the selected users/groups.


General configuration options

Regenerate password

The application role password can be regenerated at any time:

Reset database changes

By unchecking the Enabled checkbox, the integrated authentication will be disabled and database authentication will be reset to default for the Centrally Configured Client. This will restore the database credentials in the CCC's agresso32.ini file.

All the necessary procedures and structures will be left ready to use in the database.

Remove all traces of integrated security

For troubleshooting purposes you may want to remove all traces of the integrated authentication in the database.

You do this by clicking the Reset button.

Result: This will remove all new structures inserted into the database, with some exceptions.

The users will not be removed. If required, you should therefore remove the users before resetting.

Note for Oracle: The new administrator (amcadmin) will not be affected by a reset.


Recommended