DEV Community

Peter + AI
Peter + AI

Posted on

Uniface 10.4: How to Bulletproof Your Apps with Certification (And Why You Must)

#uniface #security #devops #legacycode

Note: This article was created with the assistance of AI based on official Uniface 10.4 documentation to explain core security concepts and provide practical implementation details.

Hello everyone!

In today's IT landscape, security is no longer a "nice-to-have"—it's an absolute necessity. This is especially true for enterprise applications that process sensitive data. If you are working with Uniface 10.4 (specifically 10.4.03 and later), you have a powerful tool at your disposal to ensure the integrity and security of your applications: Application Certification.

In this article, we'll dive deep into this feature, explaining how it works, why it's critical, and—most importantly—how to implement it correctly in your .asn files.

What is Application Certification in Uniface?

Certifying a deployed Uniface application is effectively digitally signing your software binaries. It protects your data privacy by verifying the validity of your application at runtime. This ensures that your database connection settings cannot be misused by unauthorized applications.

The goal is to verify two things:

  1. Integrity: That your application has not been tampered with.
  2. Authorization: That your database connection is used exclusively by your authorized Uniface applications.

Why is this important?

  • Protection against tampering: Once a Uniface application is certified, Uniface validates the integrity of every supported resource file. Any malicious attempt to modify the application files is detected and blocked immediately.
  • Securing sensitive connection data: Your assignment files (.asn) contain critical information such as usernames, passwords, and paths to your databases. By certifying, you bind the database connection to your specific application signature. Unauthorized or tampered applications trying to use your .asn file will be denied access because they lack the matching private key signature.

How does certification work? (Public/Private Key)

The core of certification is a standard cryptographic key pair (RSA 2048-bit).

  1. Generate Key Pair: You create a key pair, e.g., my_private.pem and my_public.pem.
  2. Sign Application: You use the cert.exe utility (introduced in recent 10.4 updates) to sign your application archive (UAR) or resources using the private key.
  3. Configure Database: You explicitly link the public key (my_public.pem) to your database connection in the assignment file.
  4. Runtime Validation: When the application starts, Uniface checks if the running application's signature matches the public key defined in the driver settings. If they don't match, the database connection is refused.

Technical Deep Dive: The Critical .asn Configuration

Many developers understand the concept but stumble on the implementation. The crucial link happens in your assignment file.

The Setup:

You do not just "place" the key; you must reference it in your DBMS connector settings.

Example .asn Snippet:

[DRIVER_SETTINGS]
; Linking the public key to the MSSQL driver
MSS = U1.0, $DBMS_DEF:my_public_key_string

[LOGICALS]
; Ideally, keep the key content out of plain sight or use references if supported

Note: In practice, the public key is often provided as a string or file reference within the driver parameters ($DBMS_DEF) to enforce the check.

Technical Key Limits:

  • Private Keys: Max 4096 characters (PEM format, RSA PKCS#8).
  • Public Keys: Max 1024 characters.

Practical Example: The "Rogue App" Scenario

Imagine you have an HR application connecting to an Oracle database. The .asn file has the connection string ORA:HR_DB|user|password.

  • Scenario A (No Certification): A developer copies your .asn file to their local machine, points it to their own unauthorized Uniface component, and connects. They now have full read/write access to production HR data.
  • Scenario B (With Certification): You sign your official HR app with your Private Key. In the production .asn, you add the Public Key to the Oracle driver settings.
    • When the rogue developer tries to connect using their unsigned component (or a component signed with a different key) and your .asn file, the Uniface driver checks the signature against the public key.
    • Result: Mismatch. The connection is rejected instantly. The stolen credentials are useless without the signed application binary.

Common Pitfalls & Best Practices

  1. Key Management is King: If you lose your private key, you cannot release updates. If it's stolen, the security model is broken. Store my_private.pem in a secure vault and only access it during the build pipeline.
  2. Automate with cert.exe: Do not sign manually. Integrate cert.exe into your CI/CD pipeline to sign builds automatically before deployment.
  3. Performance Check: While the overhead is minimal (RSA validation happens at connection time), always test startup times, especially if your app creates frequent new database connections rather than pooling them.

Conclusion

Application certification in Uniface 10.4 is a critical security mechanism that goes far beyond simple access control. It hardens your application against tampering and effectively binds your database credentials to your specific binary.

If you haven't implemented this yet, put it on your roadmap for the next sprint. It's a low-effort, high-impact security upgrade.

Have you tried setting up cert.exe in your pipelines yet? Let me know your experiences in the comments!

Top comments (0)