compile Insert rti_der_equates
* 09-06-11 rjc added omni_setVolumePassword, der_roleDecrypt

*---
* rtiDerClient Operation Codes
*---
Equ der_openVolume$             To 1  ; * called by OpenMedia
Equ der_openTable$              To 2  ; * called by OpenFile
Equ der_oi2lh_key$              To 3  ; * Convert oikey to lhkey - will encrypt if key is encrypted, or do nothing if key is not encrypted
Equ der_oi2lh_rec$              To 4  ; * Convert oiRecord to lhRecord
                                      ; * - will encrypt any fields flagged for encryption and allowed for this user.
                                      ; * - will fail if some fields are encrypted and user does not have rights to decrypt
                                      ; * - will pass through any fields not marked for encryption
Equ der_lh2oi_key$              To 5  ; * Complement to oi2lh_key
                                      ; * - will decrypt if key is encrypted and user has right to decrypt
                                      ; * - will pass through if key is not encrypted or user not allowed
Equ der_lh2oi_rec$              To 6  ; * Complement to oi2lh_rec
Equ der_closetable$             To 7  ; * called by flush.all
Equ der_closeMedia$             To 8  ; * called by detach_volume
Equ der_oi2lh_field$            To 9  ; * For indexes, encrypt a vm delimited list of values from a column
Equ der_lh2oi_field$            To 10 ; * For indexes, decrypt a vm delimited list of values from a column
Equ der_metaTableEncrypt$       To 11 ; * Create the meta information (blob) for a table. Note, this does not encrypt the rows
Equ der_metaServerEncrypt$      To 12 ; * Initialise a new DERServer
Equ der_metaRoleEncrypt$        To 13 ; * Modify the list of groups assigned to roles such as serveradmin, roleadmin, tableadmin, tableuser
Equ der_metaRoleDecrypt$        To 14 ; * returns the roles assigned to the current user
Equ der_metaTableImport$        To 15 ; * Moving a table? import the table blob encrypted by public key
Equ der_metaTableExport$        To 16 ; * Moving a table? export the table blob encrypted by public key
Equ der_metaEncrypt$            To 17 ; * Encrypting data? you can pass the data and a salt. See media operations
Equ der_metaDecrypt$            To 18 ; * Decrypting data? you can pass the data and a salt. See media operations
Equ der_metaIsTableAdmin$       To 19 ; * Is the current user allowed to administer tables?
Equ der_metaCheckVal$           To 20 ; * Get an example encrypted value for a table
Equ der_metaIsServerAdmin$      To 21 ; *
Equ der_metaIsRoleAdmin$        To 22 ; *
Equ der_metaTableChangeGroups$  To 23 ; * Change the list of groups allowed to use a table
Equ der_metaIsServerConfigured$ To 24 ; * return true$ if server is configured
Equ der_getProtectedFields$     To 25 ; * get the list of fields I can decrypt, based on my groups
Equ der_MetaTableDecrypt$       To 26 ; * get the fields, groups, error flag and keyparts flag for a table
Equ der_oi2lh_keyBlock$         To 27 ; * For indexes, encrypt a vm delimited list of values from a column
Equ der_lh2oi_keyBlock$         To 28 ; * For indexes, decrypt a vm delimited list of values from a column

* SYSPTRS entries
** Volume Fields
Equ der_Volume$     to 1 ; * the literal "VOLUME"
Equ der_BfsType$    to 2 ; * the literal "RTP57E"
Equ der_DataLoc$    to 3 ; * Location of the Rev files
Equ der_ControlLoc$ to 4 ; * see ControlLoc subfields below

** ControlLoc subfields ( vm delimited )
Equ derCtl_serverAddress$      to 1 ; * ipAddress for derServer (optional default to null)
Equ derCtl_serverPort$         to 2 ; * ipPort for derServer (optional default to null)
Equ derCtl_protectedVisiblity$ to 3 ; * optional default to dercfg_showprotected$ ( see below )
Equ derCtl_passworded$         to 4 ; * true to require user to enter a password every time volume is attached ( default to false$)
Equ derCtl_volId$              to 5 ; * optional, default to a guid, system assigned
Equ derCtl_UserPrincipalName$  to 6 ; * UserPrincipalName required by WCF to authenticate kerberos connection to rtiderserver
                                    ; * If you pass in the servername and it is not localhost you probably need principalname too
                                    ; * UserPrincipalName looks like username@domain, where username is the name the service is running as
Equ derCtl_TraceFile$          To 7 ; * put in the full path for a file to log to
Equ derCtl_TraceItems$         To 8 ; * comma-delimited string of trace options - All, Off, Critical, Error, Warning, Information, Verbose, and/or ActivityTracing

* enum for der_protectedVisibility ( hide or show protected fields )
* We can either show or hide the encrypted values a user is not allowed to see. You want to show keys or lookups will fail.
Equ dercfg_hideprotected$ To 0
Equ dercfg_showprotected$ To 1

* positions of groups in the metaServerEncrypt call
Equ derCfg_Role_RoleAdmin$    To 1
Equ derCfg_Role_ServerAdmin$  To 2
Equ derCfg_Role_TableAdmin$   To 3
Equ derCfg_Role_Impersonator$ To 4
Equ derCfg_Role_DataUser$     To 5

* Name of the file the installer creates
Equ dercfg_InstallerLogFile$ To "derServerInstalled.log"

* Media record ( %%DERMEDIA%% )
* MM.DATA.NAME$ = volID , a GUID generated by createMedia
* MM.FOREIGN.ATTR$ contains various encryption related subfields
Equ der_mediaAttrib_users$      To 1 ; * the guid for this volume
Equ der_mediaAttrib_groups$     To 2 ; * the encrypted information, for example users and impersonated groups
Equ der_mediaAttrib_visibility$ to 3 ; * Do I show or hide values you don't have rights for
Equ der_mediaAttrib_passworded$ to 4 ; * Do I need the credentials ( passphrase and IV ) every time I attach the volume?
Equ der_mediaAttrib_checkVal$   to 5 ; * Used to confirm that encryption passphrase and IV are as expected

* OMNISCRIPT calls - Some of the meta functions are implemented as omniscript calls
* start the numbering at 10 to skip over other RTP57 uses of omniscript
Equ der_omniEncryptTable$         To 10 ; * a tool wants to update table encryption info
                                        ; * handle = mediaHandle, name = table*account returns status
Equ der_omniSetImpersonation$     To 11 ; * a tool wants to update user impersonation info for a volume
                                        ; * handle = mediaHandle, name, fmc null, record = users, groups
Equ der_omniPreMove$              To 12 ; * to support copy table. Need to park the encryption information in a common
Equ der_omniPostMove$             To 13 ; * to support copy table. Need to clear the parked encryption information.
Equ der_omniSetPortableParams$    To 14 ; * to support portable volumes, pass in passphrase and IV
Equ der_omniGetCheckVal$          To 15 ; * return a test value for a table - used to determine if two tables are clones
Equ der_omniEncryptExistingTable$ To 16 ; * similar to encrypt table, but can be applied to existing table
                                        ; * (so long as no data found in the table, and encryption is currently null)
Equ der_omniSetVolumePasswords$   To 17 ; * Change the passwords ( passphrase / IV ) on an existing volume. The volume must already be attached
Equ der_omniTableChangeGroups$    To 18 ; * Change the groups allowed to see data on a table
                                        ; * handle = table handle, record = new group information
Equ der_omniTableInfo$            To 19 ; * handle = table handle, record (out) = encryption fields, group information
Equ der_omniVolInfo$              To 20 ; * handle = vol handle, record (out) = true if this is encrypted

* Encryption parameters
* structure of encryption info passed in the openTable
Equ encrypted_positions$  To 1
Equ encrypted_group$      To 2
Equ encrypted_writeerror$ To 3
Equ encrypted_keyparts$   To 4

* Token blob for unencrypted tables
Equ DER_NOT_ENCRYPTED$ To "<>"
Equ DER_ALL_ENCRYPTED$ To "-1"
Equ DER_ALL_GROUPS$    To '*'

* delimiter for extra info added to the table handle
Equ der_handleDelim$ To "~"

Declare Function rti_derClient, rti_derImpersonateGroups
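The ControlLoc subfields above are a vm-delimited string with several optional positions and documented defaults. The following is an added example, not part of rti_der_equates or the OpenInsight product: a small Python parser that splits such a string, applies the defaults the equate comments describe, and rejects unknown TraceItems options. It assumes the Revelation value mark is char(253); the numeric-port check and the sample values are constructed assumptions, not taken from the insert file.

```python
import uuid

# Revelation/OpenInsight @VM (value mark) is char(253); constructed example, not from rti_der_equates
VM = "\xfd"

# ControlLoc subfield positions (1-based in the BASIC+ equates, 0-based here)
(DERCTL_SERVER_ADDRESS, DERCTL_SERVER_PORT, DERCTL_PROTECTED_VISIBILITY, DERCTL_PASSWORDED,
 DERCTL_VOL_ID, DERCTL_UPN, DERCTL_TRACE_FILE, DERCTL_TRACE_ITEMS) = range(8)

DERCFG_HIDEPROTECTED, DERCFG_SHOWPROTECTED = 0, 1
TRACE_OPTIONS = {"All", "Off", "Critical", "Error", "Warning", "Information", "Verbose", "ActivityTracing"}


def parse_control_loc(control_loc: str) -> dict:
    """Split a ControlLoc string on @VM and apply the defaults documented in the equates.

    Raises ValueError on a non-numeric port, an invalid visibility flag, or a trace option
    outside the documented set, so a malformed volume definition fails before any connect.
    """
    parts = control_loc.split(VM)
    parts += [""] * (8 - len(parts))          # absent trailing subfields read as null in BASIC+

    port = parts[DERCTL_SERVER_PORT]
    if port and not port.isdigit():           # assumption: ipPort must be numeric
        raise ValueError(f"derCtl_serverPort must be numeric, got {port!r}")

    visibility = parts[DERCTL_PROTECTED_VISIBILITY]
    if visibility not in ("", "0", "1"):
        raise ValueError(f"derCtl_protectedVisiblity must be 0 or 1, got {visibility!r}")

    trace_items = [t for t in parts[DERCTL_TRACE_ITEMS].split(",") if t]
    unknown = sorted(set(trace_items) - TRACE_OPTIONS)
    if unknown:
        raise ValueError(f"unknown derCtl_TraceItems option(s): {unknown}")

    return {
        "serverAddress": parts[DERCTL_SERVER_ADDRESS] or None,          # optional, default null
        "serverPort": int(port) if port else None,                      # optional, default null
        "protectedVisibility": int(visibility) if visibility else DERCFG_SHOWPROTECTED,
        "passworded": parts[DERCTL_PASSWORDED] not in ("", "0"),        # default false$
        "volId": parts[DERCTL_VOL_ID] or str(uuid.uuid4()),              # system-assigned guid when absent
        "userPrincipalName": parts[DERCTL_UPN] or None,                 # username@domain for Kerberos via WCF
        "traceFile": parts[DERCTL_TRACE_FILE] or None,
        "traceItems": trace_items,
    }


# Constructed sample: remote server, hide protected values, passworded, no volId, a UPN and two trace items
SAMPLE = VM.join(["10.0.0.5", "8090", "0", "1", "", "dersvc@example.local", r"C:\temp\der.log", "Error,Warning"])
```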