Overview of BEA TOP END Security

Enabling BEA TOP END security means that the BEA TOP END system performs user authentication, user authorization, and node authentication at startup and whenever messages are sent or received. These features cannot be enabled individually. The security realm for a BEA TOP END application is the BEA TOP END system. All nodes in a system must have identical security configurations. When two nodes attempt to connect, the security configuration is checked on both nodes. If security is not configured identically on the two nodes, the connection is refused. When security is enabled, BEA TOP END Node Managers (NM) authenticate each other as part of the connection process.

For the TEDG, BEA TOP END security is enabled by the SECURITY parameter in the DM_LOCAL_DOMAINS section of the DMCONFIG file, and the nm_config file on the BEA TOP END node.

Authentication and Authorization

If BEA TOP END security is enabled, then all clients are authenticated by tp_client_signon(3T) and all subsequent requests for service are checked for authorization. Authentication and authorization work together; they cannot be separated. Authorization is performed on a product and function basis.

Message Protection/Encryption

If BEA TOP END security is enabled, then messages between NIs may be sent in one of the following ways:

Kerberos 4 is used to protect internode messages. The same message protection level is required for all connections within the BEA TOP END system. However, a separate key is created for each connection as part of the connection process. This feature is supplied by the BEA TOP END system; it cannot be replaced by the customer.