SSL Trusted Relationship for Natural

The main goal is to use the Adabas RBAC facility from Natural as the client. Natural is currently not able to pass the user id and password through the Adabas Client (via the lnk_set_uid_pw() function). The SSL Trusted Relationship is intended to overcome this restriction. Neither Natural itself nor any customer application should need to be changed.

The idea behind the SSL Trusted Relationship is that a client presents certificates over an SSL connection, and Adabas validates them. If the client presents certificates and Adabas validates them successfully, Adabas assumes that the client is allowed to access the database without presenting a password. The user id for the RBAC facility in Adabas is taken from the so-called Adabas Session (Adabas ID). The client (Natural) must make sure that the session, in particular the user id, is set up correctly.


Restrictions

The trusted relationship mechanism is restricted to Natural as the client. Adabas trusts an incoming request only if all three of the following conditions are fulfilled:

  1. Client uses ADATCPS (SSL) for the communication with Adabas

  2. Client provides valid certificates that can be validated by Adabas

  3. The client is Natural

The client is responsible for providing the user id that will be authorized by the RBAC facility of Adabas. The user id is taken from the Adabas Session (Adabas ID).

Adabas Operation

Adabas checks the validity of certificates at the connection level. As soon as a client connects via ADATCPS, Adabas checks whether the client presents client certificates. If so, they are validated in any case, regardless of the setting of the SSLVERIFY nucleus parameter. A failed verification is not necessarily an error: if SSLVERIFY is not set, clients need not present certificates, but they must then provide credentials. If SSLVERIFY is set and the client certificate is invalid, the connection is rejected in any case. Adabas can still be accessed in the traditional way in parallel. For a secured database (RBAC), such clients must provide the user id and password (via the Adabas Client Interface) or use user exit 21.

Client Configuration

On the client side, ADATCP must be configured to use SSL and SSL certificates. This is normally done in the $ACLDIR/config/dbmapping.txt file.

Example:

<dbid> = adatcps://<host>:<sslport>?cert_file=<path>/client_cert.pem&key_file=<path>/client_key.pem
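As an added example (not part of the Adabas or Natural product code), the following Python parses dbmapping.txt entries of the form shown above and reports, per database id, whether condition 1 of the trusted relationship can be met at all: the entry must use the adatcps scheme and name both a cert_file and a key_file. The sample entries, hosts and paths are constructed for the example.

```python
# Added example, not Adabas/Natural code: parse dbmapping.txt lines of the form
#   <dbid> = adatcps://<host>:<sslport>?cert_file=...&key_file=...
# and report which mappings are set up for client-certificate SSL.
from urllib.parse import urlsplit, parse_qs

# Constructed sample content; hosts and paths are assumptions, not real configuration.
SAMPLE_DBMAPPING = """\
# database mapping (constructed sample)
12 = adatcps://adahost.example:56220?cert_file=/etc/certs/client_cert.pem&key_file=/etc/certs/client_key.pem
13 = adatcp://adahost.example:56200
14 = adatcps://adahost.example:56220?cert_file=/etc/certs/client_cert.pem
"""


def parse_dbmapping(text):
    """Return {dbid: {"scheme", "host", "port", "cert_file", "key_file"}} for each mapping line."""
    mappings = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        dbid, _, url = line.partition("=")
        parts = urlsplit(url.strip())
        query = parse_qs(parts.query)
        mappings[dbid.strip()] = {
            "scheme": parts.scheme,
            "host": parts.hostname,
            "port": parts.port,
            "cert_file": query.get("cert_file", [None])[0],
            "key_file": query.get("key_file", [None])[0],
        }
    return mappings


def check_trust_ready(mapping):
    """Problems that stop this client mapping from satisfying condition 1
    (ADATCPS with client certificates); an empty list means it is ready."""
    problems = []
    if mapping["scheme"] != "adatcps":
        problems.append("not adatcps: Adabas cannot validate certificates on a plain adatcp connection")
    if not mapping["cert_file"]:
        problems.append("cert_file missing: no client certificate will be presented")
    if not mapping["key_file"]:
        problems.append("key_file missing: the client cannot prove possession of the certificate")
    return problems


if __name__ == "__main__":
    for dbid, mapping in parse_dbmapping(SAMPLE_DBMAPPING).items():
        issues = check_trust_ready(mapping)
        print(dbid, mapping["scheme"], mapping["host"], mapping["port"], issues or "ready for trusted relationship")
```

Running the block lists dbid 12 as ready, dbid 13 as unusable (plain adatcp, no certificate or key) and dbid 14 as missing its key_file; a mapping that is "ready" here still depends on the nucleus side (SSLTRUST, SSLCAFILE) described in the next section.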

Adabas Configuration

The Adabas nucleus must be configured to use SSL and SSL certificates. Server certificates are the minimum requirement: if SSL is to be used, Adabas will not start without them.

To enable Adabas to accept trusted Natural users, the nucleus must be configured with the parameter:

SSLTRUST = NATURAL

Example:

[NUCPARMS]
ADATCP
PORTNUMBER = 0
SSLCAFILE = /etc/certs/ca_chain.pem
SSLCERTFILE = /etc/certs/adabas_cert.pem
SSLKEYFILE = /etc/certs/adabas_key.pem
SSLPORTNUMBER = 56220
SSLTRUST = NATURAL
SSLVERIFY = 0
...
[NUCPARMS-END]

Setting the PORTNUMBER parameter to ‘0’ disables the classic TCP/IP port and only SSL can be used.
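As an added example (not Adabas code), the following Python ties the two server-side sections together: it parses a [NUCPARMS] block like the one above, audits it for the settings the trusted relationship depends on, and models the connection-level decision described under Adabas Operation (validate presented certificates always; reject on an invalid certificate only when SSLVERIFY is set; trust only when ADATCPS, valid certificates and a Natural client coincide; otherwise fall back to credentials). The decision table is a reading of the prose, not the nucleus implementation, and the sample block, paths and the client_is_natural flag are constructed for the example.

```python
# Added example, not Adabas code: parse a [NUCPARMS] block, audit the SSL trust settings and
# model the connection-level outcome the text describes. The decision function is a model
# derived from the prose, not the Adabas implementation; the sample block is constructed.

# Constructed sample mirroring the page's example; paths are placeholders.
SAMPLE_NUCPARMS = """\
[NUCPARMS]
ADATCP
PORTNUMBER = 0
SSLCAFILE = /etc/certs/ca_chain.pem
SSLCERTFILE = /etc/certs/adabas_cert.pem
SSLKEYFILE = /etc/certs/adabas_key.pem
SSLPORTNUMBER = 56220
SSLTRUST = NATURAL
SSLVERIFY = 0
[NUCPARMS-END]
"""


def parse_nucparms(text):
    """Return the KEY = VALUE assignments between [NUCPARMS] and [NUCPARMS-END] as a dict."""
    params = {}
    inside = False
    for raw in text.splitlines():
        line = raw.strip()
        if line == "[NUCPARMS]":
            inside = True
            continue
        if line == "[NUCPARMS-END]":
            break
        if not inside or "=" not in line:
            continue  # bare keywords such as ADATCP carry no value to audit here
        key, value = (s.strip() for s in line.split("=", 1))
        params[key.upper()] = value
    return params


def audit_server_config(params):
    """Findings that matter for accepting trusted Natural users; empty means the block is complete."""
    findings = []
    for key in ("SSLCERTFILE", "SSLKEYFILE"):
        if key not in params:
            findings.append(f"ERROR: {key} missing, Adabas will not start SSL without server certificates")
    if "SSLCAFILE" not in params:
        findings.append("ERROR: SSLCAFILE missing, no CA chain to validate client certificates against")
    if params.get("SSLTRUST", "").upper() != "NATURAL":
        findings.append("ERROR: SSLTRUST is not NATURAL, trusted Natural users are not enabled")
    if params.get("PORTNUMBER") != "0":
        findings.append("NOTE: PORTNUMBER is not 0, the classic unencrypted port stays open alongside SSL")
    return findings


def connection_decision(params, transport, cert_presented, cert_valid, client_is_natural):
    """Model of the outcome for one incoming connection:
    'reject', 'trusted' (no password needed, user id from the Adabas Session) or
    'credentials_required' (user id and password via the Adabas Client Interface, or user exit 21).
    A connection that presents no certificate is treated as 'no certificate', not as 'invalid',
    because the text only defines the outcome for an invalid certificate."""
    ssl_verify = params.get("SSLVERIFY", "0") != "0"
    if transport != "adatcps":
        # Plain ADATCP: nothing to validate, the request is handled the traditional way
        return "credentials_required"
    if cert_presented and not cert_valid:
        # Presented certificates are always validated; a failure only rejects under SSLVERIFY
        return "reject" if ssl_verify else "credentials_required"
    trust_enabled = params.get("SSLTRUST", "").upper() == "NATURAL"
    if cert_presented and cert_valid and trust_enabled and client_is_natural:
        return "trusted"
    return "credentials_required"


if __name__ == "__main__":
    parms = parse_nucparms(SAMPLE_NUCPARMS)
    print("audit:", audit_server_config(parms) or "ok")
    for case in [("adatcps", True, True, True), ("adatcps", True, True, False),
                 ("adatcps", True, False, True), ("adatcp", False, False, True)]:
        print(case, "->", connection_decision(parms, *case))
```

With the sample block the audit is clean, a Natural client with valid certificates is trusted, a non-Natural client with the same certificates still needs credentials, and an invalid certificate only leads to rejection once SSLVERIFY is changed from 0.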