Joining the ATMI Application


	BEA Home \| Events \| Solutions \| Partners \| Products \| Services \| Download \| Developer Center \| WebSUPPORT
	http://www.oracle.com/technology/documentation/index.html \| Site Map \| Search \| PDF Files \| Contact \| Glossary

Tuxedo Documentation \| Using Security in ATMI Applications \| Local Topics \| Previous Topic \| Next Topic \| Contents

In a secure ATMI application, it is necessary to pass security information to the BEA Tuxedo system via a TPINIT buffer for C, or a TPINFDEF-REC record for COBOL. The TPINIT buffer is a special typed buffer used by a client program to pass client identification and authentication information to the system as the client attempts to join the ATMI application. The TPINFDEF-REC record serves the same purpose in a COBOL application.

TPINIT is defined in the atmi.h header file, and TPINFDEF-REC is defined in the COBOL COPY file. They have the following structures.

TPINIT Structure

TPINFDEF-REC Structure

char usrname[MAXTIDENT+2];
char cltname[MAXTIDENT+2];
char passwd[MAXTIDENT+2];
char grpname[MAXTIDENT+2];
long flags;
long datalen;
long data;

Note: MAXTIDENT may contain up to 30 characters.

05 USRNAME PIC X(30).
05 CLTNAME PIC X(30).
05 PASSWD PIC X(30).
05 GRPNAME PIC X(30).
05 NOTIFICATION-FLAG PIC S9(9) COMP-5.
88 TPU-SIG VALUE 1.
88 TPU-DIP VALUE 2.
88 TPU-IGN VALUE 3.
05 ACCESS-FLAG PIC S9(9) COMP-5.
88 TPSA-FASTPATH VALUE 1.
88 TPSA-PROTECTED VALUE 2.
05 DATLEN PIC S9(9) COMP-5.

TPINIT Structure	TPINFDEF-REC Structure
char usrname[MAXTIDENT+2]; char cltname[MAXTIDENT+2]; char passwd[MAXTIDENT+2]; char grpname[MAXTIDENT+2]; long flags; long datalen; long data; Note: MAXTIDENT may contain up to 30 characters.	05 USRNAME PIC X(30). 05 CLTNAME PIC X(30). 05 PASSWD PIC X(30). 05 GRPNAME PIC X(30). 05 NOTIFICATION-FLAG PIC S9(9) COMP-5. 88 TPU-SIG VALUE 1. 88 TPU-DIP VALUE 2. 88 TPU-IGN VALUE 3. 05 ACCESS-FLAG PIC S9(9) COMP-5. 88 TPSA-FASTPATH VALUE 1. 88 TPSA-PROTECTED VALUE 2. 05 DATLEN PIC S9(9) COMP-5.

The fields in the TPINIT buffer/ TPINFDEF-REC record are described in the following table.

Fields in TPINIT Buffer/ TPINFDEF-REC Record

TPINIT Fields

TPINFDEF-REC Fields

Description

usrname

USRNAME

Username.* A null-terminated string of up to 30 characters.

The username represents the caller; writers of client programs might use the same login names used to log in to the host operating system.

cltname

CLTNAME

Client name.* A null-terminated string of up to 30 characters.

The client name represents the client program; writers of client programs might use this field to indicate the job function or role of the user when executing the client program.

passwd

PASSWD

Application password.* A null-terminated string of up to eight characters.

tpinit() or TPINITIALIZE() validates this password by comparing it to the configured application password stored in the TUXCONFIG file.**

grpname

GRPNAME

Group name. A null-terminated string of up to 30 characters. This field is not related to security.

The group name allows a client to be associated with a resource manager group that is defined in the UBBCONFIG file.

flags

NOTIFICATION-FLAG
TPU-SIG

TPU-DIP

TPU-IGN

ACCESS-FLAG

TPSA-FASTPATH

TPSA-PROTECTED

Notification and access flags. This field is not related to security.

The flag settings specify the notification mechanism and system access mode to be used for the client. Selections override (with some exceptions) the values set in the RESOURCES section of the UBBCONFIG file.

datalen

DATALEN

Length of the user-specific data*** that follows.*

To get a size value for this field, writers of client programs written in C can call TPINITNEED with the number of bytes of user-specific data expected to be sent. TPINITNEED is a macro provided in the atmi.h header file.

data

N/A

User-specific data*** of no fixed length.*

tpinit() or TPINITIALIZE() forwards the user-specific data to the authentication server for validation. For default authentication, the authentication server is AUTHSVR.

* This field is required for the USER_AUTH, ACL, and MANDATORY_ACL security levels provided by default authentication and authorization.

** The binary equivalent of the UBBCONFIG file; created using tmloadcf(1).

*** Usually a user password.

TPINIT Fields	TPINFDEF-REC Fields	Description
usrname	USRNAME	Username.* A null-terminated string of up to 30 characters. The username represents the caller; writers of client programs might use the same login names used to log in to the host operating system.
cltname	CLTNAME	Client name.* A null-terminated string of up to 30 characters. The client name represents the client program; writers of client programs might use this field to indicate the job function or role of the user when executing the client program.
passwd	PASSWD	Application password.* A null-terminated string of up to eight characters. tpinit() or TPINITIALIZE() validates this password by comparing it to the configured application password stored in the TUXCONFIG file.**
grpname	GRPNAME	Group name. A null-terminated string of up to 30 characters. This field is not related to security. The group name allows a client to be associated with a resource manager group that is defined in the UBBCONFIG file.
flags	NOTIFICATION-FLAG TPU-SIG TPU-DIP TPU-IGN ACCESS-FLAG TPSA-FASTPATH TPSA-PROTECTED	Notification and access flags. This field is not related to security. The flag settings specify the notification mechanism and system access mode to be used for the client. Selections override (with some exceptions) the values set in the RESOURCES section of the UBBCONFIG file.
datalen	DATALEN	Length of the user-specific data*** that follows.* To get a size value for this field, writers of client programs written in C can call TPINITNEED with the number of bytes of user-specific data expected to be sent. TPINITNEED is a macro provided in the atmi.h header file.
data	N/A	User-specific data*** of no fixed length.* tpinit() or TPINITIALIZE() forwards the user-specific data to the authentication server for validation. For default authentication, the authentication server is AUTHSVR.
* This field is required for the USER_AUTH, ACL, and MANDATORY_ACL security levels provided by default authentication and authorization. The binary equivalent of the UBBCONFIG file; created using tmloadcf(1). * Usually a user password.

The client program calls tpalloc(3c) to allocate a TPINIT buffer. The following sample code prepares to pass eight bytes of application-specific data to tpinit() and enables the client to join an ATMI application.

Allocating a TPINIT Buffer and Joining an ATMI Application

    .
    .
    .
TPINIT *tpinfo;
    .
    .
    .
if ((tpinfo = (TPINIT *)tpalloc("TPINIT",(char *)NULL,
          TPINITNEED(8))) == (TPINIT *)NULL){
          Error Routine
}
    .
    .
    .
tpinit(tpinfo)   /* join an ATMI application */
    .
    .
    .

When a Workstation client calls the tpinit() function or the TPINITIALIZE() routine to join an ATMI application, the following major events occur.

The initiator Workstation client and the target workstation listener (WSL) exchange link-level encryption (LLE) min-max values to be used to set up LLE on the link between the initiator Workstation client and the target WSH. LLE is described in Link-Level Encryption.
The initiator Workstation client and target WSH authenticate one another through the exchange of security tokens. For default authentication, a successful authentication ends with the transfer of client security data from the TPINIT buffer or TPINFDEF-REC record to the target WSH.
After a successful authentication, the initiator Workstation client sends another buffer to the target WSH containing the values of the usrname, cltname, and flags fields, to ensure that the target WSH receives this information for the authenticated Workstation client.

When a native client calls the tpinit() function or the TPINITIALIZE() routine to join an ATMI application, only authentication occurs. In essence, the native client authenticates with itself.

Transferring the Client Security Data

The following figure demonstrate the transfer of data from the TPINIT buffer for a Workstation client. The transfer of data from the TPINFDEF-REC record is similar to what is shown in the figure.

Transferring Data from the TPINIT Buffer for a Workstation Client

Note: The authorization procedure shown in the preceding figure is essentially the same for a native client attempting to join an ATMI application except that no network link or WSH is involved. A native client authenticates with itself.

In the preceding diagram, notice that the information sent to the BEA Tuxedo system differs between default and custom authentication. For default authentication, the values of the cltname, grpname, and flags fields are delivered to the default authentication plug-in at the Workstation client by a means other than through the plug-in interface. However, for custom authentication, writers of client programs can include these values as well as any other values they so choose in the variable length data field.

For a Workstation client and assuming default authentication, the authentication plug-in at the Workstation client uses the passwd/ PASSWD field to encrypt the information when transmitting the information over the network. The encryption algorithm used is 56-bit DES, where DES is an acronym for the Data Encryption Standard. The authentication plug-in at the target WSH uses the application password stored in the TUXCONFIG file to decrypt the information. For a native client, the system simply compares the passwd/ PASSWD field with the application password stored in the TUXCONFIG file.

Note: At the Workstation client, the passwd/ PASSWD field is delivered to the authentication plug-in by a means other than through the authentication plug-in interface. At the WSH, the application password in the TUXCONFIG file is delivered to the authentication plug-in through the authentication plug-in interface during application booting.

After a successful authentication of a Workstation client, the tpinit() function ends with the sending of another buffer to the WSH containing the values of the usrname, cltname, and flags fields, to ensure that the WSH receives this information for the authenticated Workstation client. Similarly, the TPINITIALIZE() routine ends with the sending of another buffer containing the same information. A custom authentication plug-in might not send this information to the WSH during the authentication procedure, and the WSH needs this information for reporting purposes, that is, during an invocation of the tmadmin(1) printclient (pclt) command.

When a Workstation or native client passes the security check, it may initiate service requests and receive replies.

Calling a Service Request Before Joining the ATMI Application

If a client calls a service request (or any ATMI function) before invoking tpinit() or TPINITIALIZE() and assuming the SECURITY configuration for the target ATMI application is not set or is set to NONE, the BEA Tuxedo system automatically invokes tpinit()/ TPINITIALIZE() with a NULL parameter. This behavior has the following consequences:

The TPINIT/ TPINFDEF-REC feature cannot be used.
Default values are used for client naming, unsolicited notification type, and system access mode.
The client cannot be associated with a resource manager group.
An application password cannot be specified.

If a client calls a service request (or any ATMI function) before invoking tpinit() or TPINITIALIZE() and assuming the SECURITY configuration for the target ATMI application is set to APP_PW, USER_AUTH, ACL, or MANDATORY_ACL, the BEA Tuxedo system rejects the service request.