ENCRYPT-AUDIT-MAC-KEY( ) method

Encrypts and encodes the specified character expression and returns an encrypted character value that you can store for later use in message authentication code (MAC) operations.
Return type:
Applies to:
ENCRYPT-AUDIT-MAC-KEY ( encrypt-key )

encrypt-key
A character expression containing the key to encrypt. The AVM converts this key to UTF-8 before encrypting it and storing it, which ensures a consistent value regardless of code page settings.

The following code fragment illustrates how to use the ENCRYPT-AUDIT-MAC-KEY( ) method to set a database MAC key value:

    DEFINE VARIABLE cVal AS CHARACTER NO-UNDO.
    DEFINE VARIABLE cKey AS CHARACTER NO-UNDO INITIAL "Open Sesame".
    . . .
    cVal = AUDIT-POLICY:ENCRYPT-AUDIT-MAC-KEY(cKey).
    . . .
    _db-detail._db-mac-key = cVal.

You can also use the ENCRYPT-AUDIT-MAC-KEY( ) method to generate an encrypted value for an OpenEdge password in order to obscure its cleartext value from hacking. For example:

    DEFINE INPUT PARAMETER cUserID AS CHARACTER NO-UNDO.
    DEFINE INPUT PARAMETER cPasswd AS CHARACTER NO-UNDO.

    CONNECT C:\OpenEdge\WRK\db\Sports2000
      VALUE( "-U " + cUserID +
             " -P " + "oech1::" + AUDIT-POLICY:ENCRYPT-AUDIT-MAC-KEY(cPasswd))
      -H dbserver -S 1900 NO-ERROR.

The cUserID and cPasswd parameters pass in a user ID and password that a user might enter in response to a prompt, in this case to authenticate and set the user identity for a connection created for the sports2000 database.

Therefore, cPasswd contains the cleartext value of the password the user has typed. The "oech1::" prefix is an identifier that tells OpenEdge that the value following the "::" is encrypted in a manner that allows it to recover the cleartext value for internal operations, such as validating a user account password. Without the prefix, OpenEdge interprets the string as the cleartext value a user might type directly, and therefore does not attempt to decrypt.

In this example, the encrypted password is passed as the value of the Password (-P) connection parameter. However, OpenEdge understands this encryption format anywhere that it accepts a password—for example, to set the PRIMARY-PASSPHRASE attribute on the client-principal object handle for OpenEdge-performed user authentication.

For more information on using password encryption in ABL, see the documentation on encrypted passwords in OpenEdge Development: Programming Interfaces.
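The prefix rule described above can be checked mechanically. The following Python audit is an added example, not code from the OpenEdge documentation: it reports every Password (-P) value in stored connection-parameter text that lacks the "oech1::" prefix. It assumes parameters are kept one connection per line with "#" comment lines; the function name and the sample text are constructed for illustration.

```python
import re

PREFIX = "oech1::"  # identifier quoted on this page

# A parameter flag followed by a quoted or a bare value. Matching is
# case-sensitive on purpose: lowercase -p is a different parameter.
_PASSWORD = re.compile(r'(?<!\S)-P\s+(?:"([^"]*)"|(\S+))')
_USER = re.compile(r'(?<!\S)-U\s+(?:"([^"]*)"|(\S+))')


def _value(match):
    """Return the captured value whether it was quoted or bare."""
    return match.group(1) if match.group(1) is not None else match.group(2)


def audit_password_params(text):
    """Return (line_no, user, status) for each -P value found in text.

    status is "encoded" when the value carries the oech1:: prefix and
    "cleartext" otherwise. The password value itself is never returned,
    so the findings are safe to log.
    """
    findings = []
    for line_no, line in enumerate(text.splitlines(), start=1):
        if line.lstrip().startswith("#"):  # assumed comment syntax
            continue
        user_match = _USER.search(line)
        user = _value(user_match) if user_match else None
        for match in _PASSWORD.finditer(line):
            encoded = _value(match).startswith(PREFIX)
            findings.append((line_no, user, "encoded" if encoded else "cleartext"))
    return findings


# Constructed sample input; the encoded value is a placeholder.
SAMPLE = """\
# constructed sample, not from the page
-db sports2000 -H dbserver -S 1900 -U alice -P oech1::<encoded-value>
-db sports2000 -H dbserver -S 1900 -U bob -P "Open Sesame"
-db sports2000 -H dbserver -S 1900 -p start.p
"""

if __name__ == "__main__":
    for line_no, user, status in audit_password_params(SAMPLE):
        print(f"line {line_no}: user={user} password={status}")
```

An "encoded" finding only means the value is obscured: as stated above, OpenEdge can recover the cleartext from it, so files holding such values still need restricted access.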
© 2012 Progress Software Corporation and/or its subsidiaries or affiliates.