BEA WebLogic Enterprise Release 5.1

Configuring Link-Level Encryption

 

This topic includes the following sections:

 


Understanding min and max Values

Before you can configure LLE for your WebLogic Enterprise application, you need to be familiar with the LLE notation: (min, max). The defaults for these parameters are:

For example, the default min and max values for the United States and Canada LLE version are (0, 128). If you want to change the defaults, you can do so by assigning new values to min and max in the UBBCONFIG file for your application.

 


Verifying the Installed Version of LLE

Before setting the min and max values for your WebLogic Enterprise application, you need to verify what version of LLE is installed on your machine. You can verify the LLE version installed on a machine by running the tmadmin command in verbose mode as follows:

tmadmin -v

Key lines from the WebLogic Enterprise license file (lic.txt) appear on your computer screen, similar to information in Listing 5-1. The entry 128-bit Encryption Package indicates that the United States and Canada version of LLE is installed.

Listing 5-1 LLE License Information


INFO: BEA Engine, Version 2.4
INFO: Serial: 212889588, Expiration 2000-3-15, Maxusers 10000
INFO: Licensed to: ACME CORPORATION
INFO: 128-bit Encryption Package

WebLogic Enterprise license files are located in the following directories:

Windows NT

%TUXDIR%\udataobj\lic.txt

UNIX

$TUXDIR/udataobj/lic.txt

 


Configuring LLE on WebLogic Enterprise Application Links

To configure LLE in WebLogic Enterprise applications, you need to set the MINENCRYPTBITS and MAXENCRYPTBITS parameters in the UBBCONFIG file for each WebLogic Enterprise application participating in the network connection, as follows:

The possible values for the MINENCRYPTBITS and MAXENCRYPTBITS parameters are 0, 40, and 128. A value of zero means no encryption is used, while 40 and 128 specify the number of significant bits in the encryption key.

Load the configuration file by running tmloadcf. The tmloadcf command parses UBBCONFIG and loads the binary TUXCONFIG file to the location referenced by the TUXCONFIG variable.

 


Configuring LLE on BEA Tuxedo Workstation Client Links

If Workstation clients are included in an application, the system administrator must configure one or more Workstation Listeners (WSLs) to listen for connection requests from Workstation clients. Each WSL uses one or more associated Workstation Handlers (WSHs) to handle the Workstation client workload. Each WSH can manage multiple Workstation clients by multiplexing all requests and replies with a particular Workstation client over a single connection.

As the system administrator, you enable Workstation client access to the application by specifying a WSL server in the SERVERS section of the application's UBBCONFIG file. You need to specify the -z and -Z command-line options for the WSL server if you want to override the defaults for the LLE min and max parameters. You can only use link-level encryption if LLE is installed on both the local machine and the Workstation client.

Note: At the Workstation client end of a network connection, you use environment variables TMINENCRYPTBITS and TMAXENCRYPTBITS to override the defaults for the LLE min and max parameters.

To configure LLE on Workstation client links, complete the following steps:

  1. Ensure that you are working on the application MASTER machine and that the application is inactive.

  2. Open UBBCONFIG with a text editor and add the following lines to the SERVERS section.

    *SERVERS
    WSL SRVGRP="group_name" SRVID=server_number ...
    CLOPT="-A -- -z min -Z max ..."

  3. Load the configuration by running the tmloadcf command. The tmloadcf command parses UBBCONFIG and loads the binary TUXCONFIG file to the location referenced by the TUXCONFIG variable.

When the tmboot command starts the application, it passes the "-A -- -z min -Z max" command-line options to the WSL server. When establishing a network link between a Workstation client and the WSH, the Workstation client and WSL negotiate the key size until they agree on the largest key size supported by both.

 


Configuring LLE on Bridge Links

The WebLogic Enterprise system architecture optimizes network communications by establishing a multiplexed channel among the machines in a multiple-machine application. WebLogic Enterprise application messages flow in both directions over this channel, and the message traffic is managed by a specialized WebLogic Enterprise server known as a Bridge server.

As the system administrator, you place an entry in the NETWORK section of the UBBCONFIG file for each machine in a WebLogic Enterprise application on which a Bridge server resides. You need to specify the MINENCRYPTBITS and MAXENCRYPTBITS optional run-time parameters for the Bridge server if you want to override the defaults for the LLE min and max parameters. Using LLE on Bridge-to-Bridge links is possible only if LLE is installed on the machines where the Bridge servers reside.

To configure LLE on Bridge links, complete the following steps:

  1. Ensure that you are working on the application MASTER machine and that the application is inactive.

  2. Open UBBCONFIG with a text editor and add the following lines to the NETWORK section.

    *NETWORK
    LMID NADDR="bridge_network_address" BRIDGE="bridge_device"
    NLSADDR="listen_network_address"
    MINENCRYPTBITS=min
    MAXENCRYPTBITS=max

    LMID is the logical machine where the Bridge server resides; it has direct access to the network device specified in the BRIDGE parameter.

  3. Load the configuration by running the tmloadcf command. The tmloadcf command parses UBBCONFIG and loads the binary TUXCONFIG file to the location referenced by the TUXCONFIG variable.

When the tmboot command starts the WebLogic Enterprise application, the Bridge server reads the TUXCONFIG file to access various parameters, including MINENCRYPTBITS and MAXENCRYPTBITS. When establishing a network link with a remote Bridge server, the local and remote Bridge servers negotiate the key size until they agree on the largest key size supported by both.

 


Configuring LLE on tlisten Links

The tlisten process is a network-independent listener process that provides connections between nodes of a multiple-machine application, on which administrative utilities such as the tmboot command can run. The system administrator installs tlisten on all machines defined in the NETWORK section of the UBBCONFIG file.

To configure LLE on tlisten links, follow the steps given in the previous topic, Configuring LLE on Bridge Links. If you so desire, you can start a separate instance of tlisten on the local machine by entering the command:

tlisten -l nlsaddr [-z min -Z max]

The nlsaddr value must be the same as that specified for the NLSADDR parameter for this machine in the NETWORK section of the UBBCONFIG file.

 


Configuring LLE on Domain Gateway Links

A domain gateway is a GWTDOMAIN process that relays service requests and service replies between two or more WebLogic Enterprise applications. It provides interoperability through a specially designed transaction processing (TP) protocol that flows over network transport protocols such as TCP/IP.

A domain gateway belongs to a domain gateway group, for which a separate Domains configuration file is required. A domain gateway group consists of a local domain access point (LDOM) and the remote domain access points (RDOMs) with which it communicates. Like the application configuration files, UBBCONFIG and TUXCONFIG, a Domains configuration file is created in text format and then converted to binary format. The text and binary files are referred to as DMCONFIG and BDMCONFIG, respectively. The DMCONFIG and BDMCONFIG files, and the environment variables associated with them, are described on the DMCONFIG(5) reference page in the BEA Tuxedo File Formats and Data Descriptions Reference.

As the system administrator, you must place an entry in the DM_TDOMAIN section of the DMCONFIG file for each local domain access point that will accept requests for local services from remote domain access points. You must also create an entry for each remote domain access point accessible by a defined local domain access point. You need to specify the MINENCRYPTBITS and MAXENCRYPTBITS optional run-time parameters for each domain access point for which you want to override the defaults for the LLE min and max parameters. Domain-to-domain link-level encryption is possible only if LLE is installed on the machines where the domains reside.

To configure LLE on domain gateway links, complete the following steps:

  1. Ensure that you are working on the application MASTER machine and that the application is inactive.

  2. Open DMCONFIG with a text editor and add the following lines to the DM_TDOMAIN section.

    *DM_TDOMAIN
    # Local network addresses
    LDOM NWADDR="local_domain_network_address"
    NWDEVICE="local_domain_device"
    MINENCRYPTBITS=min
    MAXENCRYPTBITS=max
    .
    .
    .

    # Remote network addresses
    RDOM NWADDR="remote_domain_network_address"
    NWDEVICE="remote_domain_device"
    MINENCRYPTBITS=min
    MAXENCRYPTBITS=max
    .
    .
    .

    LDOM is a local domain access point identifier, and RDOM is a remote domain access point identifier.

  3. Load the configuration by running the dmloadcf command. The dmloadcf command parses DMCONFIG and loads the binary BDMCONFIG file to the location referenced by the BDMCONFIG variable.

In the preceding example, when the tmboot command starts the application, each domain gateway reads the BDMCONFIG file to access various parameters, including MINENCRYPTBITS and MAXENCRYPTBITS, and propagates those parameters to its local and remote domains. When the local domain is establishing a network link with a remote domain, the two domains negotiate the key size until they agree on the largest key size supported by both.
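The min/max negotiation described above for Workstation, Bridge, tlisten and domain gateway links, as an added Python example that is not part of the BEA documentation: it parses a constructed DM_TDOMAIN fragment, rejects values other than 0, 40 or 128 and any min above max, and computes the key size two access points would settle on (the largest size inside both ranges, or no link). The layout rule (a line whose first token is not KEY=VALUE starts a new entry) and the (0, 128) fallback for omitted keywords are assumptions made here, and the addresses are placeholders.

```python
import re

VALID_BITS = (0, 40, 128)   # the only sizes LLE accepts; 0 means no encryption

# Constructed DM_TDOMAIN fragment in the layout used on this page; hosts are placeholders.
SAMPLE_DMCONFIG = """\
*DM_TDOMAIN
# Local network addresses
LDOM NWADDR="//local.example.com:9000"
NWDEVICE="/dev/tcp"
MINENCRYPTBITS=40
MAXENCRYPTBITS=128
RDOM NWADDR="//remote.example.com:9000"
NWDEVICE="/dev/tcp"
MINENCRYPTBITS=0
MAXENCRYPTBITS=40
"""

KEYVAL = re.compile(r"^(\w+)=(.*)$")   # one KEY=VALUE token (values without spaces)

def parse_encrypt_bits(text):
    """Return {access_point: (min, max)}; a line whose first token is not
    KEY=VALUE starts a new entry (assumed layout, as in the listing above).
    Entries omitting a keyword keep (0, 128), this page's 128-bit defaults."""
    ranges, current = {}, None
    for line in text.splitlines():
        tokens = line.split()
        if not tokens or tokens[0][0] in "#*":
            continue                      # blank line, comment, or section header
        if not KEYVAL.match(tokens[0]):
            current = tokens.pop(0)       # LDOM / RDOM / LMID identifier
            ranges[current] = [0, 128]
        for tok in tokens:
            key, value = KEYVAL.match(tok).groups()
            if key not in ("MINENCRYPTBITS", "MAXENCRYPTBITS"):
                continue
            bits = int(value)
            if bits not in VALID_BITS:
                raise ValueError(f"{current}: {key}={bits} is not one of {VALID_BITS}")
            ranges[current][key == "MAXENCRYPTBITS"] = bits   # index 0 = min, 1 = max
    for name, (lo, hi) in ranges.items():
        if lo > hi:
            raise ValueError(f"{name}: MINENCRYPTBITS {lo} exceeds MAXENCRYPTBITS {hi}")
    return {name: tuple(r) for name, r in ranges.items()}

def negotiate(local, remote):
    """Largest key size inside both (min, max) ranges; None means the link fails."""
    shared = [b for b in VALID_BITS
              if local[0] <= b <= local[1] and remote[0] <= b <= remote[1]]
    return max(shared) if shared else None
```

With the sample above the local side allows 40 or 128 and the remote side 0 or 40, so the link settles on 40 bits; a local minimum of 128 against the same remote would leave no common size and the link would not be established.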