Table of Contents

Introducing ATMI Security
What Security Means
Security Plug-ins
ATMI Security Capabilities
Operating System (OS) Security
Authentication
Authentication Plug-in Architecture
Understanding Delegated Trust Authentication
Establishing a Session
Getting Authorization and Auditing Tokens
Replacing Client Tokens with Server Tokens
Implementing Custom Authentication
Authorization
Authorization Plug-in Architecture
How the Authorization Plug-in Works
Default Authorization
Custom Authorization
Implementing Custom Authorization
Auditing
Auditing Plug-in Architecture
How the Auditing Plug-in Works
Default Auditing
Custom Auditing
Implementing Custom Auditing
Link-Level Encryption
How LLE Works
Encryption Key Size Negotiation
Determining Min-Max Values
Finding a Common Key Size
Backward Compatibility of LLE
Interoperating with Release 6.5 Oracle Tuxedo Software
Interoperating with Pre-Release 6.5 Oracle Tuxedo Software
WSL/WSH Connection Timeout During Initialization
SSL Encryption
How the SSL Protocol Works
Requirements for Using the SSL Protocol
Encryption Key Size Negotiation
Determining Min-Max Values
Finding a Common Key Size
Backward Compatibility of SSL
WSL/WSH Connection Timeout During Initialization
Supported Cipher Suites
SSL Installation
Public Key Security
PKCS-7 Compliant
Supported Algorithms for Public Key Security
Public Key Algorithms
Digital Signature Algorithms
Symmetric Key Algorithms
Message Digest Algorithms
Message-based Digital Signature
Digital Certificates
Certification Authority
Certificate Repositories
Public-Key Infrastructure
Message-based Encryption
Public Key Implementation
Public Key Initialization
Key Management
Certificate Lookup
Certificate Parsing
Certificate Validation
Proof Material Mapping
Implementing Custom Public Key Security
Default Public Key Implementation
Default Authentication and Authorization
Client Naming
User-Client Names
Application Key
User, Group, and ACL Files
Optional and Mandatory ACLs
Security Interoperability
Interoperating with Pre-Release 7.1 Software
Interoperability for Link-Level Encryption
Interoperability for SSL Encryption
Interoperability for Public Key Security
Security Compatibility
Mixing Default/Custom Authentication and Authorization
Mixing Default/Custom Authentication and Auditing
Compatibility Issues for Public Key Security
Compatibility/Interaction with Data-dependent Routing
Compatibility/Interaction with Threads
Compatibility/Interaction with the EventBroker
Compatibility/Interaction with /Q
Compatibility/Interaction with Transactions
Compatibility/Interaction with Domain Gateways
Compatibility/Interaction with Other Vendors’ Gateways
Denial-of-Service (DoS) Defense
Limited/Restricted Connection Numbers
Setting Up Connection Limitations/Restrictions
UBBCONFIG File
Messages
Message Sanity Check
Message Authentication Code (MAC) Usage
Performance Impact
Setting up Message Authentication Code (MAC) Usage
DMCONFIG File Configuration
MIB Configuration
Password Pair Protection
Administering Security
What Administering Security Means
Security Administration Tasks
Setting the Oracle Tuxedo Registry
Purpose of the Oracle Tuxedo Registry
Registering Plug-ins
Configuring an ATMI Application for Security
Editing the Configuration File
Changing the TM_MIB
Using the Oracle Administration Console
Setting Up the Administration Environment
Administering Operating System (OS) Security
Recommended Practices for OS Security
Administering Authentication
Specifying Principal Names
How System Processes Acquire Credentials
Why System Processes Need Credentials
Example UBBCONFIG Entries for Principal Names
Mandating Interoperability Policy
Establishing an Identity for an Older Client
How the WSH Establishes an Identity for an Older Client
How the Domain Gateway Establishes an Identity for an Older Client
How the Server Establishes an Identity for an Older Client
Summarizing How the CLOPT -t Option Works
Example UBBCONFIG Entries for Interoperability
Establishing a Link Between Domains
Example DMCONFIG Entries for Establishing a Link
Setting ACL Policy
Impersonating the Remote Domain Gateway
Example DMCONFIG Entries for ACL Policy
Setting Credential Policy
Administering Authorization
Administering Link-Level Encryption
Understanding LLE min and max Values
Verifying the Installed LLE Version
How to Configure LLE on Workstation Client Links
How to Configure LLE on Bridge Links
How to Configure LLE on tlisten Links
How to Configure LLE on Domain Gateway Links
Administering SSL Encryption
Understanding SSL min and max Values
Verifying the Installed SSL Version
How to Configure SSL on Workstation Client Links
How to Configure SSL on Bridge Links
How to Configure SSL on tlisten Links
How to Configure SSL on Domain Gateway Links
Development Process for the SSL Protocol
Administering Public Key Security
Recommended Practices for Public Key Security
Assigning Public-Private Key Pairs
Setting Digital Signature Policy
Setting a Postdated Limit for Signature Timestamps
Setting a Predated Limit for Signature Timestamps
Enforcing the Signature Policy for Incoming Messages
How the EventBroker Signature Policy Is Enforced
How the /Q Signature Policy Is Enforced
How the Remote Client Signature Policy Is Enforced
Setting Encryption Policy
Enforcing the Encryption Policy for Incoming Messages
How the EventBroker Encryption Policy Is Enforced
How the /Q Encryption Policy Is Enforced
How the Remote Client Encryption Policy Is Enforced
Initializing Decryption Keys Through the Plug-ins
Failure Reporting and Auditing
Digital Signature Error Handling
Encryption Error Handling
Administering Default Authentication and Authorization
Designating a Security Level
Establishing Security by Editing the Configuration File
Establishing Security by Changing the TM_MIB
Establishing Security by Using the Oracle Administration Console
Configuring the Authentication Server
How to Enable Application Password Security
How to Enable User-Level Authentication Security
Setting Up the UBBCONFIG File
Setting Up the User and Group Files
Converting System Security Data Files to Oracle Tuxedo User and Group Files
Adding, Modifying, or Deleting Users and Groups
Enabling Access Control Security
How to Enable Optional ACL Security
Setting Up the UBBCONFIG File
Setting Up the ACL File
How to Enable Mandatory ACL Security
Setting Up the UBBCONFIG File
Setting Up the ACL File
Using the Kerberos Authentication Plug-in
Kerberos Plug-In
Kerberos Supported Platforms
Kerberos Plug-in Features
Kerberos Plug-In Pre-configuration
Kerberos Plug-In Configuration
Configure the Kerberos Plug-in
Restore Default Plug-in
Configure KAUTHSVR
Configure Tuxedo Native Client
Limitations
See Also
Using the Cert-C PKI Encryption Plug-in
Cert-C PKI Encryption Plug-In
Cert-C PKI Encryption Plug-In Pre-configuration
Cert-C PKI Encryption Plug-In Configuration
Configure Certificate Lookup
Configure Key Management
decPassword
privateKeyDir
Configure Certificate Parsing
Configure Certificate Validation
caCertificateFile
crlFile
Sample Registry Command File
Limitations
See Also
Programming Security
What Programming Security Means
Programming an ATMI Application with Security
Setting Up the Programming Environment
Writing Security Code So Client Programs Can Join the ATMI Application
Getting Security Data
Joining the ATMI Application
Transferring the Client Security Data
Calling a Service Request Before Joining the ATMI Application
Writing Security Code to Protect Data Integrity and Privacy
ATMI Interface for Public Key Security
Recommended Uses of Public Key Security
Sending and Receiving Signed Messages
Writing Code to Send Signed Messages
Step 1: Opening a Key Handle for Digital Signature
Step 2 (Optional): Getting Key Handle Information
Step 3 (Optional): Changing Key Handle Information
Step 4: Allocating a Buffer and Putting a Message in the Buffer
Step 5: Marking the Buffer for Digital Signature
Step 6: Sending the Message
Step 7: Closing the Signer’s Key Handle
How the System Generates a Digital Signature
How a Signed Message Is Received
Verifying Digital Signatures
Verifying and Transmitting an Input Buffer’s Signatures
Replacing an Output Buffer’s Signatures
Sending and Receiving Encrypted Messages
Writing Code to Send Encrypted Messages
Step 1: Opening a Key Handle for Encryption
Step 2 (Optional): Getting Key Handle Information
Step 3 (Optional): Changing Key Handle Information
Step 4: Allocating a Buffer and Putting a Message in the Buffer
Step 5: Marking the Buffer for Encryption
Step 6: Sending the Message
Step 7: Closing the Encryption Key Handle
How the System Encrypts a Message Buffer
Writing Code to Receive Encrypted Messages
Step 1: Opening a Key Handle for Decryption
Step 2 (Optional): Getting Key Handle Information
Step 3 (Optional): Changing Key Handle Information
Step 4: Closing the Decryption Key Handle
How the System Decrypts a Message Buffer
Examining Digital Signature and Encryption Information
What Happens When an Originating Process Calls tpenvelope
What Happens When a Receiving Process Calls tpenvelope
Understanding the Composite Signature Status
Example Code for tpenvelope
Externalizing Typed Message Buffers
How to Create an Externalized Representation
How to Convert an Externalized Representation
Example Code for tpexport and tpimport
Implementing Single Point Security Administration
What Single Point Security Administration Means
Single Point Security Administration Tasks
Setting up LAUTHSVR as the Authentication Server
LAUTHSVR Command Line Interface
Setting Up the LAUTHSVR Configuration File
Syntax Requirements for LAUTHSVR Configuration File
LAUTHSVR Configuration File Keywords
Example LAUTHSVR Configuration File
Example UBBCONFIG Using LAUTHSVR
Using Multiple Network Addresses for High Availability
Example LAUTHSVR Configuration of Multiple Network Addresses
Configuring the Database Search Order
Using tpmigldap to Migrate User Information to WebLogic Server
Assigning New Passwords for the tpusr File
tpmigldap Command Line Options
Adding New Tuxedo User Information
Adding New User Information in tpusr or tpgrp
Adding New User Information Using the WebLogic Administration Console
Setting up GAUTHSVR as the Authentication Server
GAUTHSVR Command Line Interface
Setting Up the GAUTHSVR Configuration File
Syntax Requirements for GAUTHSVR Configuration File
GAUTHSVR Configuration File Keywords
Example GAUTHSVR Configuration File
Example UBBCONFIG Using GAUTHSVR
Using tpmigldif to Migrate User Information
Using tpmigldif Command Line Options
tpusr and tpgrp File Format
Creating a Migration Template
Supported LDAP Server Template Example

Copyright © 1994, 2017, Oracle and/or its affiliates. All rights reserved.