Wednesday, June 16, 2021

OEM Authentication

Catch 22

OEM authentication is explained in the SQL Anywhere Help, but that explanation can only be understood by someone who already understands OEM authentication.

John Yossarian's Explanation

This blog post came in the form of an email from a client who offered to help me set Foxhound up to work for clients who use the OEM Edition of SQL Anywhere.

This explanation from John Yossarian (not his real name) was so clear, concise and helpful that I asked for (and received) permission to publish it here.

Breck

from:    John Yossarian <jy@stark.co.uk>
to:      Breck Carter <breck.carter@gmail.com>
date:    Jun 12, 2021, 4:28 PM
subject: Authenticated OEM SQL Anywhere Connections

The three parts of the authentication business are 
  a) licencing the server engine 
  b) authenticating the database and 
  c) authenticating the connection.
 
When you go into the authentication business SAP give you three keys - the keys are all different but match 
each other and the publishing company & application names (i.e. they won't work with other keys):

- an install key: you use this with dblic.exe -k to create OEM lic files (just like a normal install key) - but 
  we can then redistribute those engines. (this bit isn't your problem of course)

- a database key: this is used once on a database to make it an Authenticated database which will work on 
  the server created with the install key - the setting is persistent. This is done with a SET OPTION command; e.g.

  SET OPTION PUBLIC.DATABASE_AUTHENTICATION='Company=Stark;Application=Winterfell;Signature=XXXXXXXXXX-XXXXXXXXXX'; 

  This step needs SET ANY SECURITY OPTION rights.

- a connection key: This is used by connections to the database. Each connection has a 30 second (or so) grace 
  period to set a temporary Connection_authentication option; e.g.

  SET TEMPORARY OPTION CONNECTION_AUTHENTICATION='Company=Stark;Application=Winterfell;Signature=YYYYYYYYYY-YYYYYYYYYY';

- a non-authenticated connection to an authenticated database running on an OEM engine is allowed to connect 
  but after thirty seconds is strictly read-only.
 
So, if you wanted to support authenticated servers fully, you would need users to supply both the database key 
and the connection key, in the set-up process & then use them as above.
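The sequence John describes, steps (b) and (c) followed by a check, written out as one script you would run from an interactive SQL session against an OEM engine. This is an added example, not code from the original email or from Foxhound; the Signature values are placeholders, the probe table is constructed for the example, and the property names DB_PROPERTY('Authenticated') and CONNECTION_PROPERTY('Authenticated') are assumed to be the ones that report authentication status.

```sql
-- Added example, not from the original post or email.
-- Signature strings are placeholders; the real database and connection keys
-- come from SAP and must match the Company and Application names exactly.

-- Step (b): authenticate the database. Done once; the option is persistent.
-- Requires the SET ANY SECURITY OPTION privilege.
SET OPTION PUBLIC.DATABASE_AUTHENTICATION =
    'Company=Stark;Application=Winterfell;Signature=<DATABASE-KEY-PLACEHOLDER>';

-- Step (c): authenticate THIS connection, inside the ~30 second grace period
-- that starts when the connection is opened. TEMPORARY means it applies to
-- this connection only, so every new connection has to repeat it.
SET TEMPORARY OPTION CONNECTION_AUTHENTICATION =
    'Company=Stark;Application=Winterfell;Signature=<CONNECTION-KEY-PLACEHOLDER>';

-- Check: both should report Yes on an OEM engine once the keys are accepted
-- (assumed property names; verify against the Help for your version).
SELECT DB_PROPERTY('Authenticated')         AS database_authenticated,
       CONNECTION_PROPERTY('Authenticated') AS connection_authenticated;

-- Probe: a write succeeds on an authenticated connection. On a connection
-- that never set CONNECTION_AUTHENTICATION (or set it too late) the same
-- statements raise an error once the grace period has expired, because the
-- connection is read-only from that point on; SELECTs still work.
CREATE TABLE IF NOT EXISTS auth_probe ( probed_at TIMESTAMP );  -- constructed scratch table
INSERT INTO auth_probe ( probed_at ) VALUES ( CURRENT TIMESTAMP );
COMMIT;
SELECT COUNT(*) AS probe_rows FROM auth_probe;
```

The practical consequence for a tool like Foxhound is that the connection key has to be applied by the application immediately after each connect, including every reconnect, since the option is temporary and the grace period is counted per connection; the database key, by contrast, is applied once by someone holding SET ANY SECURITY OPTION.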