PRIMARY-PASSPHRASE attribute

Sets the secret passphrase (or password) required to authenticate the user identity asserted through attributes of an unsealed client-principal object (in the INITIAL state). This is the same value that you specify for the Password (-P) connection parameter when you connect to an OpenEdge database with the same user identity.

Note:

This value has no relation to the domain access code used to seal (or validate the identity of a sealed) client-principal object.

Data type:

CHARACTER

Access:

Write-only

Applies to:

Client-principal object handle

The default value is the Unknown value (?).

The value that you set is the cleartext or encrypted value of the password required to authenticate the user account identity specified using the QUALIFIED-USER-ID attribute. For information on setting an encrypted password value, see the ENCRYPT-AUDIT-MAC-KEY( ) method entry in this manual and the documentation on encrypted passwords in OpenEdge Development: Programming Interfaces.

Attempting to read this attribute returns an error message and sets the ERROR attribute to TRUE on the ERROR-STATUS system handle.

ABL also raises ERROR if you attempt to:

Assign the Unknown value (?)

Assign the attribute when the client-principal is sealed and is in the LOGIN, LOGOUT, EXPIRED, or FAILED state (see the LOGIN-STATE attribute entry)

Notes:

OpenEdge uses this value to authenticate a user identity only when you call the SECURITY-POLICY:SET-CLIENT( ) method or the SET-DB-CLIENT function on an unsealed client-principal object, which seals the object and sets the identity in a single, OpenEdge-performed user authentication operation. Use an encrypted value for this attribute especially when you export the unsealed client-principal to a remote authentication service, or to any other ABL session prior to sealing the object. For more information on exporting a client-principal, see the EXPORT-PRINCIPAL( ) method entry in this manual. If your application authenticates the identity, it must also seal the client-principal by calling the SEAL( ) method before using the object to set the identity. However, the SEAL( ) method does not require any setting of this attribute. OpenEdge does not store the setting of this attribute. Once the client-principal object is sealed, OpenEdge removes all trace of the attribute value from the client-principal. There is currently no support for specifying a secondary passphrase value in OpenEdge.

See also:

ENCRYPT-AUDIT-MAC-KEY( ) method, INITIALIZE( ) method