Configuring Single Sign-on

This topic includes the following sections:

• Single Sign-on with Password Authentication

• Single Sign-on with Password Authentication and the SSL Protocol

• Single Sign-on with the SSL Protocol and Certificate Authentication

 

---

Single Sign-on with Password Authentication

The steps for implementing single sign-on with password authentication are as follows:

1. In the CORBA.connectionpool section of the weblogic.properties file, define the following properties:

   • appaddrlist=//host:port

     where the host and port specify the name and port number of the IIOP Listener/Handler in the BEA Tuxedo domain used with your CORBA application. For more information about the different address formats supported in CORBA applications, see Writing a CORBA Application That Implements Security.

   • username as the name of the WebLogic Server User.

   • userpassword as the password for the WebLogic Server User

   • apppassword as the password of the CORBA application you want to access.

   • securitycontext as Yes. Yes indicates that you want the security context of the WebLogic Server User passed to the BEA Tuxedo domain.

Note: There are other properties in the CORBA.connectionpool section of the weblogic.properties file that are used to set up the connection pool. For more information about setting up CORBA connection pools, see Using WebLogic Enterprise Connectivity in the WebLogic Server online documentation.

2. Use the tpusradd command to define the WebLogic Server User as an authorized user in the BEA Tuxedo domain. The username and password for the WebLogic Server User must appear in the tpusr file exactly as they are defined in the weblogic.properties file.

3. Set -E option of the ISL command to configure the IIOP Listener/Handler to detect and utilize the propagated security context from the WebLogic Server security realm. The -E option of the ISL command requires you to specify a principal name. The principal name is the username as defined in the weblogic.properties file. The ISL command for the IIOP Listener/Handler is defined for the CLOPT parameter in the UBBCONFIG file for the BEA Tuxedo domain.

4. Set the SECURITY parameter in the UBBCONFIG file to USER_AUTH or higher.

 

---

Single Sign-on with Password Authentication and the SSL Protocol

The steps for implementing single sign-on with password authentication and the SSL protocol are as follows:

1. Configure the SSL protocol in the WebLogic Server and the BEA Tuxedo CORBA environments.

   For information about configuring the SSL protocol in the WebLogic Server environment, see Managing Security in the WebLogic Server online documentation.

   For information about configuring the SSL protocol in the CORBA environment, see Single Sign-on.

2. In the CORBA.connectionpool section of the weblogic.properties file define the following properties:

   • appaddrlist=corbalocs://host:port

     where the host and port specify the name and port number of the IIOP Listener/Handler in the BEA Tuxedo domain you want to access. For more information about the different address formats supported in CORBA applications, see Using the Bootstrapping Mechanism.

   • username as the name of the WebLogic Server User.

   • userpassword as the password for the WebLogic Server User.

   • apppassword as the password of the CORBA application you want to access.

   • securitycontext as Yes. Yes indicates that you want the security context of the WebLogic Server User passed to the BEA Tuxedo domain.

   • minencryptionlevel and maxecryptionlevel. These are optional properties. The valid values are 0, 40, 56, and 128. The default is 40 for the minencryptionlevel property. The maxecryptionlevel property defaults to the maximum strength allowed by the license. These two properties are used at the time of the SSL handshake to determine the encryption strength that will be used between the WebLogic Server and BEA Tuxedo CORBA environments.

Note: There are other properties in the CORBA.connectionpool section of the weblogic.properties file that are used to set up CORBA connection pools. For more information about setting up connection pools, see Using WebLogic Enterprise Connectivity in the WebLogic Server online documentation.

3. Use the tpusradd command to define the WebLogic Server User as an authorized user in the BEA Tuxedo domain. The username and password for the WebLogic Server User must appear in the tpusr file exactly as they are defined in the weblogic.properties file.

4. Set -E option of the ISL command to configure the IIOP Listener/Handler to detect and utilize the propagated security context from the WebLogic Server security realm. The -E option of the ISL command requires you to specify a principal name. The principal name is the username as defined in the weblogic.properties file. The ISL command for the IIOP Listener/Handler is defined for the CLOPT parameter in the UBBCONFIG file for the BEA Tuxedo domain.

5. Set the SECURITY parameter in the UBBCONFIG file to USER_AUTH or higher.

 

---

Single Sign-on with the SSL Protocol and Certificate Authentication

The steps for implementing single sign-on with the SSL protocol and certificate authentication are as follows:

1. Configure the SSL protocol in the WebLogic Server and the BEA Tuxedo CORBA environments.

   For information about configuring the SSL protocol in the WebLogic Server environment, see Managing Security in the WebLogic Server online documentation.

   For information about configuring the SSL protocol in the BEA Tuxedo CORBA environment, see Single Sign-on.

2. In the CORBA.connectionpool section of the weblogic.properties file define the following properties:

   • appaddrlist=corbalocs://host:port

     where the host and port specify the name and port number of the IIOP Listener/Handler in the BEA Tuxedo domain you want to access.

   • username as the e-mail address of the subject of the digital certificate.

   • userpassword as the private key of the digital certificate.

   • apppassword as the password of the CORBA application you want to access.

   • securitycontext as Yes. Yes indicates that you want the security context of the WebLogic Server User passed to the BEA Tuxedo domain.

   • minencryptionlevel and maxecrptionlevel. These are optional properties. The valid values are 0, 40, 56, and 128. The default is 40 for the minencryptionlevel property. The maxecryptionlevel property defaults to the maximum strength allowed by the license. These two properties are used at the time of the SSL handshake to determine the encryption strength that will be used between the WebLogic Server and BEA Tuxedo CORBA environments.

   • certificatebasedauth as Yes. Yes indicates that certificate authentication is to be used.

Note: There are other properties in the CORBA.connectionpool section of the weblogic.properties file that are used to set up the CORBA connection pool. For more information about setting up connection pools, see Using WebLogic Enterprise Connectivity in the WebLogic Server online documentation.

3. Use the tpusradd command to define the WebLogic Server User as an authorized user in the BEA Tuxedo domain. The username and password for the WebLogic Server User must appear in the tpusr file exactly as they are defined in the weblogic.properties file.

4. Set -E option of the ISL command to configure the IIOP Listener/Handler to detect and utilize the propagated security context from the WebLogic Server security realm. The -E option of the ISL command requires you to specify a principal name. The principal name is the username as defined in the weblogic.properties file. The ISL command for the IIOP Listener/Handler is defined for the CLOPT parameter in the UBBCONFIG file for the BEA Tuxedo domain.

5. Set the -a option of the ISL command to configure the IIOP Listener/Handler to enable certificate authentication.The ISL command for the IIOP Listener/Handler is defined for the CLOPT parameter in the UBBCONFIG file for the BEA Tuxedo domain.

6. Set the SECURITY parameter in the UBBCONFIG file to USER_AUTH or higher.

Using certificate authentication between the WebLogic Server environment and the BEA Tuxedo CORBA environment implies performing a new SSL handshake to establish a connection from the WebLogic Server environment to a CORBA object in the BEA Tuxedo CORBA environment. In order to support multiple client requests over the same SSL network connection, certificate authentication must be set up as follows:

• Obtain a digital certificate for the WebLogic Enterprise Connectivity process. This digital certificate is presented to the BEA Tuxedo CORBA environment for the purpose of authenticating the identity of the WebLogic Enterprise Connectivity process. Once established, the authenticated connection between the WebLogic Enterprise Connectivity product and the BEA Tuxedo environment remains.

• When a client request is made from the WebLogic Server environment on a CORBA object in the BEA Tuxedo CORBA environment, digital certificates are exchanged between the environments and session keys are generated for both sides of the connection. Because WebLogic Connectivity is part of WebLogic Server, the WebLogic Connectivity process will accept any message from the BEA Tuxedo CORBA environment that has the sessions keys that were created when the SSL connection was established between the environments. The WebLogic Enterprise Connectivity process then forwards the client request using the established SSL connection to the BEA Tuxedo environment.