Overview of BEA Tuxedo Security


	BEA Home \| Events \| Solutions \| Partners \| Products \| Services \| Download \| Developer Center \| WebSUPPORT
	http://www.oracle.com/technology/documentation/index.html \| Site Map \| Search \| PDF Files \| Contact \| Glossary

Tuxedo Documentation \| Using the BEA Tuxedo TOP END Domain Gateway \| Local Topics \| Previous Topic \| Next Topic \| Contents

A BEA Tuxedo domain may be configured with several levels of security. For details about the various levels of security available for BEA Tuxedo Application-to-Transaction Monitor Interface (ATMI) applications, see UBBCONFIG(5) in the File Formats, Data Descriptions, MIBs, and System Processes Reference.

Authentication/Authorization

You can authenticate a client in either of two ways. You can:

Define an application-wide password (APP_PW)
Specify individual client authentication (USER_AUTH)

The BEA Tuxedo system provides proprietary authentication and authorization services. Authentication is based on a user ID and password for each user. Authorization is based on Access Control Lists (ACLs), which specify the users entitled to access particular resources (services, queues, and events).When a user requests use of a resource, the system searches for an ACL for that resource. If an ACL is found, the system checks it to determine whether the user is authorized to use the resource. The strongest level of security requires explicit authorization (MANDATORY_ACL) for access to any service, queue, or event.

Optional Encryption

Optional encryption can be configured to protect data between nodes. Unlike BEA TOP END encryption, BEA Tuxedo encryption can be enabled without user authentication and authorization.

Public Key Encryption

There are two types of public key encryption used in BEA Tuxedo ATMI applications: message-based encryption and message-based digital signature. Both build on the technology and key management of public/private key encryption algorithms.

Both message-based encryption and message-based digital signatures for application messages are supported between the BEA Tuxedo application and the TEDG but do not apply to messages between the TEDG and BEA TOP END systems.

System Interoperability

The BEA Tuxedo system allows domains to interoperate through domain gateways. Because domains are configured independently, any two domains do not need to have the same security configurations. Gateways provide configuration options that allow administrators to control the level of interoperability between any two domains.

Interdomain Security

Four levels of security are provided by a domain gateway, as specified in the DMCONFIG file:

Gateways can be configured to limit the set of local services made available to remote domains
Access to specific services can be limited to select remote domains
Gateways can be configured to require authentication when attempts are made to connect to remote domains
Links between domains may be encrypted