Corporate Info  |  News  |  Solutions  |  Products  |  Partners  |  Services  |  Events  |  Download  |  How To Buy
	http://www.oracle.com/technology/documentation/index.html   |   Site Map   |   Search   |   PDF Files   |   Contact   |   Glossary
Tuxedo Doc Home   |   TOP END Domain Gateway   |   Topic List   |   Previous   |   Next   |   Contents

   Using the BEA Tuxedo TOP END Domain Gateway

Clients are authenticated and authorized by BEA TOP END, based on the configuration of the BEA TOP END system. If BEA Tuxedo security is enabled, an additional security check can be done on the BEA Tuxedo node.

If BEA TOP END security is enabled, clients are authenticated at sign-on. The TEDG does not perform client authentication on incoming requests.

The BEA TOP END system performs authorization checks on the client node before a message is sent. If BEA TOP END security is enabled, the client must be granted authorization to access the requested BEA Tuxedo service or queue. The administrator must create ACLs using the BEA TOP END tpsecure(1T) utility for each BEA TOP END user who accesses BEA Tuxedo resources. The BEA TOP END products and functions must match the entries in the DM_LOCAL_SERVICES section of the DMCONFIG file used to map BEA TOP END resources to the BEA Tuxedo system.

The TEDG provides the following levels of access control for incoming requests from the BEA TOP END system:

• In the first level of access control, the DM_LOCAL_SERVICES section of the DMCONFIG file lists the BEA Tuxedo SERVICE entries and QSPACE entries that are to be advertised to the BEA TOP END system.

• In the second level of access control, the domain gateway access control feature can be used to limit access to particular services from specific BEA TOP END nodes (or NI connections).

  The administrator can specify an ACL parameter as part of the DM_LOCAL_SERVICES entry for a specific SERVICE or QSPACE entry. The ACL is specified in the DM_ACCESS_CONTROL section of the DMCONFIG file. Each ACL record contains the names of remote domains allowed to access the service. The remote domains are mapped to BEA TOP END NI instances in the DM_REMOTE_DOMAINS section of the configuration file. Using ACL entries is useful for limiting access to advertised services to specific BEA TOP END nodes.

• In the third level of access control, normal BEA Tuxedo authorization may be performed.

  If a request passes TEDG authorization, normal BEA Tuxedo authorization is performed. If ACL or MANDATORY_ACL is specified in the UBBCONFIG(5) file, then the DOMAINID of the remote domain making the request is used as the BEA Tuxedo user name. If SECURITY=ACL in the UBBCONFIG and there is an entry in the ACL database for this service, the entry must include the DOMAINID of the RDOM; otherwise, the service or enqueue request fails. If SECURITY=MANDATORY_ACL in the UBBCONFIG, there must be an entry in the ACL database for this service, and the entry must include the DOMAINID of the RDOM; otherwise, the service or enqueue request fails.

See Also

• Understanding Security Between the BEA TOP END and BEA Tuxedo Systems