The two authentication options for RED are the following:

Advanced Connect

The Advanced Connect feature provides secure user-based authentication mechanisms for your metadata, source, and target connections in RED. This feature combines session-based authentication with complete control over ODBC connection strings.

Note

Currently, this feature is only available for SQL Server metadata repositories.

Enabling Advanced Connect

Enable the Advanced Connect feature by first logging in to RED using Advanced Connect and supplying a connection string. This sets up the current session of RED with in-memory session credentials, which are required before you can successfully enable Advanced Connect on other connections in RED.
After logging in for the first time using Advanced Connect, ensure that you also set your metadata connection in RED to use Advanced Connect, as this will not be set automatically.

Supported Connection Types

The supported connection types for these features are the following:

  • ODBC
  • Database
  • Extensible Source Connections

Connection Strings

When Advanced Connect is enabled in the connection properties, a new field 'Connection String' becomes visible and must be populated before continuing. When RED establishes any ODBC connection to a connection flagged as Advanced Connect, it uses the connection string provided to make the connection.
This field is stored in the metadata for each connection. It accepts the following RED tokens, which are replaced automatically at runtime so that no credentials need to be stored in the metadata.

  • $DSN$ - replaced at runtime with the ODBC Data Source Name of the connection.
  • $USER$ - replaced at runtime with the Session User Id of the connection.
  • $PASSWORD$ - replaced at runtime with the Session Password of the connection.

 
Additionally, the User and Password fields are relabeled 'Session User Id' and 'Session Password' to indicate that these fields are no longer stored in the metadata.

Session Credentials

When Advanced Connect is enabled in the properties of a connection, the User and Password fields are relabeled 'Session User Id' and 'Session Password' to indicate that these fields will no longer be stored in the metadata.
When these fields are populated and the connection is saved, the values are stored in-memory and are accessible only to this specific session of RED. See the Profiles section for more detail.

Profiles

How it works

For each connection flagged as Advanced Connect, RED maintains an in-memory credential set that includes the username, password, and connection string. This in-memory credential set is what we term the 'Profile' for authentication during the session of RED.
The in-memory profile is session based, so the credentials are specific to the user logged on during that session. The connection string itself, however, is stored in the metadata so that each RED user still uses the same authentication method as other users while in the RED UI.

Saving Profiles to Disk

Profiles can be saved to disk so that users need not enter usernames and passwords into each of their connections whenever they log in to RED.
To save a Profile including session passwords, go to File->Save Profile.
Select a name to save the file as and choose to Include Session Passwords. To ensure that all credentials are stored (as needed for the RED Scheduler service), open each Advanced Connect flagged connection and set the session credentials prior to saving the Profile.

Note

Session passwords are encrypted at rest (in the file on disk) during the save using Windows DPAPI (user-based) encryption. These profile files can therefore only be used and decrypted by the Windows user who saved them. This is an important point when setting up a RED Windows Scheduler using Advanced Connect, as the service user must be the same as the user who created the Profile file from RED.

Note

Only Profile files stored in the Windows user's AppData directory under the sub folders 'WhereScape\RED' will be shown on the RED Login screen.


Tip

The user's AppData location can be found by typing %APPDATA% into the address bar of a Windows browser and pressing enter.

Using Profiles

The following environment variables are created at run-time for scripts associated with Advanced Connect connections. The User, Password and Connection String values are set from the current RED session credentials in the in-memory Profile. WSL_<META|TGT|SRC>_CONSTRING contains the complete connection string with the tokens $DSN$, $USER$ and $PASSWORD$ replaced.

Metadata           | Target            | Source
WSL_META_DSN       | WSL_TGT_DSN       | WSL_SRC_DSN
WSL_META_DSN_ARCH  | WSL_TGT_DSN_ARCH  | WSL_SRC_DSN_ARCH
WSL_META_SERVER    | WSL_TGT_SERVER    | WSL_SRC_SERVER
WSL_META_DBID      | WSL_TGT_DBID      | WSL_SRC_DBID
WSL_META_USER      | WSL_TGT_USER      | WSL_SRC_USER
WSL_META_PWD       | WSL_TGT_PWD       | WSL_SRC_PWD
WSL_META_CONSTRING | WSL_TGT_CONSTRING | WSL_SRC_CONSTRING
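
The following Python sketch is an added example, not WhereScape code. It covers two points from this page: checking that a connection string stored in the metadata relies on the $PASSWORD$ token rather than a literal password (see Connection Strings), and masking the expanded WSL_<META|TGT|SRC>_CONSTRING value before a script writes it to a log. The function names and sample strings are constructed for illustration, and standard ODBC key=value syntax with brace-quoted values is assumed.

```python
import os
import re

SECRET_KEYS = {"pwd", "password"}
# One ODBC attribute: key=value, where the value is either {brace quoted}
# (with }} as an escaped closing brace) or runs up to the next semicolon.
_ATTR = re.compile(r"\s*([^=;]+?)\s*=\s*(\{(?:[^}]|\}\})*\}|[^;]*)\s*(?:;|$)")

def parse_odbc(conn_str):
    """Split an ODBC connection string into (key, value) pairs."""
    return [(m.group(1), m.group(2).strip()) for m in _ATTR.finditer(conn_str)]

def audit_template(template):
    """Return password keys whose stored value is a literal, not $PASSWORD$."""
    return [k for k, v in parse_odbc(template)
            if k.lower() in SECRET_KEYS and v and v.strip("{}") != "$PASSWORD$"]

def redact(conn_str):
    """Rebuild the string with password values masked, for logging.

    Parsing first matters: a naive 'pwd=[^;]*' replace would leak the tail
    of a brace-quoted password that itself contains a semicolon.
    """
    return ";".join(f"{k}={'***' if k.lower() in SECRET_KEYS else v}"
                    for k, v in parse_odbc(conn_str)) + ";"

def connection_for_script(kind, env=os.environ):
    """Read WSL_<kind>_CONSTRING (kind is META, TGT or SRC) inside a script.

    Returns the real string for connecting and a masked copy for logging.
    """
    conn_str = env[f"WSL_{kind}_CONSTRING"]
    return conn_str, redact(conn_str)

# Constructed samples, not taken from a real repository or session.
TEMPLATES = {
    "tokenised": "dsn=$DSN$;uid=$USER$;pwd=$PASSWORD$;database=sql15;",
    "hardcoded": "dsn=$DSN$;uid=red1;pwd=mypass;database=sql15;",
}
SAMPLE_ENV = {"WSL_TGT_CONSTRING": "dsn=sql15;uid=red1;pwd={p;w}}d};database=sql15;"}

if __name__ == "__main__":
    for name, tpl in TEMPLATES.items():
        print(name, audit_template(tpl) or "ok")
    print(connection_for_script("TGT", SAMPLE_ENV)[1])
```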

Using Advanced Connect with Command Line Tools

Dedicated Command Line Interface (RedCli.exe)

For RedCli commands that only perform RED Metadata operations use:
--meta-con-string "<connection string>"
For 'RedCli Deployment' commands, a full Profile file is required, since both Metadata and Target connections need to be established:
--red-profile "<full path to Profile file>"

Note

When using either of the above arguments, both --meta-dsn and --meta-dsn-arch are still required, but the other --meta- arguments become optional since they can be retrieved from the Profile or be hardcoded in the connection string itself.

RED Client Command Line (med.exe)

For med.exe batch commands the connection string can be provided using:
--meta-con-string "<connection string>"
Batch documentation creation example:

med.exe --create-docs --output-dir "C:\temp\my_doco" --meta-dsn "sql15" --meta-dsn-arch "64" 
--meta-user-name "red1" --meta-password "mypass" --meta-con-string 
"dsn=$DSN$;uid=$USER$;pwd=$PASSWORD$;database=sql15;"

Note

When using the --meta-con-string argument, both --meta-dsn and --meta-dsn-arch are still required, but the other --meta- arguments become optional depending on your specific connection string requirements.

Enabling Advanced Connect on Extensible Source Connections

To enable Advanced Connect on an Extensible Source Connection, you need to edit the UI Configuration for the connection. The new fields, shown below, enable the session credentials and connection string fields; enabling either of these fields flags the connection as Advanced Connect. See the section Creating the Example Extensible Source Connection Set for more information.

Note

The Session Credentials fields can be enabled without enabling the Connection String field for Extensible Source Connections. This is because Extensible Source Connections are designed to be flexible, and sometimes the Connection String is not needed or is already covered by another configured field. When enabling the Connection String field, you must also have Session Credentials enabled.

Legacy Connect

Legacy Connect is the default for new connections (for backward compatibility) and is the setting used for existing connections from versions prior to RED 9.0.1.0.
In Legacy Connect mode you can only control the DSN, User ID and Password attributes when connecting via ODBC, which, depending on the vendor's ODBC driver, can limit the authentication methods available in your environment when working with RED. If you are not using Windows or Active Directory authentication, credentials must be stored in the metadata repository, which can be undesirable.
 
 
