
Chapter 4. Security

In order for any security checking to occur, each domain must have a security mechanism in place. For the TUXEDO domain, this is the Authorization Server. Figure 4-1 shows these elements.

Note: A domain without an operational security mechanism in place accepts all transaction requests by treating userids as "trusted users."

There are four sections in two BEA TUXEDO configuration files in which you specify parameters bearing on security. The two configuration files are DMCONFIG and UBBCONFIG.

Userid and password mapping between domains also bears on security. There are five DMADMIN subcommands which you use to enter userids and passwords, set up mappings, remove mappings, remove userids and passwords, and modify passwords.

Figure 4-1 Connect OSI TP Security Elements

Where You Specify Security Parameters

The configuration sections where security is specified are:

UBBCONFIG File Security Parameters

The *RESOURCES section in this file contains a SECURITY parameter which works in conjunction with the SECURITY parameter in the DMCONFIG file to establish how Connect OSI TP controls access to the local TUXEDO domain. This parameter takes the form:

SECURITY = value

where value is:

NONE
No security is enforced (default)

APP_PW
Remote domain-initiated dmloadcf and dmunloadcf require password authorization through the local application AUTHSVC security process.

USER_AUTH
Same as APP_PW, but additional authorization is required on a per-user basis.

ACL
Same as USER_AUTH, but additional access-control checks are done on service names, queue names, and event names. If no ACL exists for a given name, access is granted.

MANDATORY_ACL
Same as ACL, but if no ACL exists for a given name, access is denied.

In most cases, the UBBCONFIG file has already been configured and you do not need to establish the SECURITY parameter settings, but examining this file enables you to ascertain how Connect OSI TP enforces security.

If this parameter is set to NONE, no security is enforced. If set to APP_PW, the local TUXEDO domain's Authorization Server prompts for the application password. If set to USER_AUTH, ACL, or MANDATORY_ACL, the qualified security is enforced as specified.

DMCONFIG File Security Parameters

Three sections in the DMCONFIG file contain parameters affecting Connect OSI TP control of access to the local TUXEDO domain:

*DM_LOCAL_DOMAINS section

The SECURITY parameter settings in this section work in conjunction with the SECURITY parameter in the *RESOURCES section of the TUXEDO domain's UBBCONFIG file to establish how Connect OSI TP controls access to the TUXEDO local domain. The parameter takes the form:

SECURITY = value

where value is:

NONE
No security is enforced.

APP_PW
No security is enforced.

DM_USER_PW
User password security is enforced.

If this parameter is set to NONE or APP_PW, the Connect OSI TP domain takes no action with regard to security. If this parameter is set to DM_USER_PW, the Connect OSI TP domain enforces security according to the setting in the TUXEDO domain's UBBCONFIG file (refer to "UBBCONFIG File Security Parameters" on page 4-3).
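The two SECURITY parameters only have an effect together, and a misconfiguration in either file silently leaves the domain open. The following script is an added example, not part of the BEA manual: it pulls SECURITY out of a UBBCONFIG *RESOURCES section and a DMCONFIG *DM_LOCAL_DOMAINS section and reports what is actually enforced, using the rules stated in this chapter (NONE or APP_PW in DMCONFIG means the OSI TP domain takes no action; DM_USER_PW defers to the UBBCONFIG value; a missing UBBCONFIG SECURITY defaults to NONE). The configuration fragments are constructed samples, the DMCONFIG default of NONE is an assumption, and the parser reads only the first SECURITY keyword in a section.

```python
"""Effective-security check for Connect OSI TP (added example, not BEA code)."""
import re

# Values this chapter defines for each file.
UBB_LEVELS = ("NONE", "APP_PW", "USER_AUTH", "ACL", "MANDATORY_ACL")
DM_LEVELS = ("NONE", "APP_PW", "DM_USER_PW")

# Accepts "SECURITY value", "SECURITY = value" and "SECURITY=value".
_SECURITY_RE = re.compile(r"\bSECURITY\s*=?\s*([A-Z_]+)")


def section_text(config: str, section: str) -> str:
    """Return the body of one *SECTION from a UBBCONFIG/DMCONFIG-style file."""
    body, inside = [], False
    for line in config.splitlines():
        stripped = line.strip()
        if not stripped or stripped.startswith("#"):
            continue
        if stripped.startswith("*"):            # a new *SECTION header
            inside = stripped.upper() == section.upper()
            continue
        if inside:
            body.append(line)
    return "\n".join(body)


def security_value(config: str, section: str, allowed, default: str) -> str:
    """First SECURITY value in the section, or `default` when none is set."""
    match = _SECURITY_RE.search(section_text(config, section))
    if match is None:
        return default
    value = match.group(1)
    if value not in allowed:
        raise ValueError(f"unknown SECURITY value {value!r} in {section}")
    return value


def effective_security(ubbconfig: str, dmconfig: str) -> dict:
    """Combine both files the way the chapter describes and flag weak combinations."""
    ubb = security_value(ubbconfig, "*RESOURCES", UBB_LEVELS, default="NONE")
    # Assumption: an unset DMCONFIG SECURITY behaves like NONE.
    dm = security_value(dmconfig, "*DM_LOCAL_DOMAINS", DM_LEVELS, default="NONE")
    enforced = ubb if dm == "DM_USER_PW" else "NONE"
    warnings = []
    if dm != "DM_USER_PW":
        warnings.append(f"DMCONFIG SECURITY={dm}: OSI TP domain takes no security action")
    if dm == "DM_USER_PW" and ubb == "NONE":
        warnings.append("DM_USER_PW set but UBBCONFIG SECURITY is NONE; nothing is enforced")
    if enforced == "NONE":
        warnings.append("remote requests are accepted as trusted users")
    return {"ubbconfig": ubb, "dmconfig": dm, "enforced": enforced, "warnings": warnings}


# Constructed sample fragments (not from a real site).
UBBCONFIG_SAMPLE = """\
*RESOURCES
IPCKEY      123456
DOMAINID    tuxdom
MASTER      SITE1
MODEL       SHM
SECURITY    USER_AUTH
"""

DMCONFIG_WEAK = """\
*DM_LOCAL_DOMAINS
tuxdom  GWGRP=GWGRP1  TYPE=OSITP  DOMAINID="tuxdom"  SECURITY=APP_PW
"""

DMCONFIG_STRONG = DMCONFIG_WEAK.replace("APP_PW", "DM_USER_PW")

if __name__ == "__main__":
    for name, dm in (("weak", DMCONFIG_WEAK), ("strong", DMCONFIG_STRONG)):
        report = effective_security(UBBCONFIG_SAMPLE, dm)
        print(name, report["enforced"], *report["warnings"], sep="\n  ")
```

Run it against the real UBBCONFIG and DMCONFIG text after any change to either file; the `enforced` field is the value to compare against what the site intends.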

*DM_LOCAL_SERVICES section

The ACL parameter in this section works in conjunction with the ACL_NAME defined in the *DM_ACCESS_CONTROL section to restrict requests made to the local services by remote domains.

How To Administer Security

After setting up and/or checking the security settings for the TUXEDO domain and the OSI domain, you must relate the security information in both domains to each other. To do this, use the addusr and addumap subcommands provided with the dmadmin command interpreter.

Once the user security information in both domains is mapped, you can perform administration on the affected security files in each domain. To do this, use the delumap, modusr, and delusr subcommands.

The following paragraphs discuss how you enter these commands. Refer to the associated reference pages in Appendix B, "Reference Pages" for detailed information about each subcommand.

Adding a Userid and Password

Use the addusr subcommand to define a TUXEDO local domain's user ID and password to the remote domain's External Security Manager. Enter the following command:

addusr -d local_domain_id -R remote_domain_id -u remote_userid

where:

-d
specifies the name of the local domain.

-R
specifies the name of the remote domain.

-u
specifies the remote user name to be added (the system prompts for the user's password).

Mapping a Userid

Use the addumap subcommand to map a local domain userid to a remote domain userid. The userid must be added before it can be mapped. Enter the following command:

addumap -d local_domain_id -R remote_domain_id -p local_principal_userid -u remote_userid

where:

-d
specifies the name of the local domain.

-R
specifies the name of the remote domain.

-p
specifies the local userid to be mapped.

-u
specifies the remote userid it is mapped to.

Removing a Userid's Mapping

Use the delumap subcommand to remove the mapping for a local domain userid to a remote domain userid. Enter the following command:

delumap -d local_domain_id -R remote_domain_id -p local_principal_userid -u remote_userid

where:

-d
specifies the name of the local domain.

-R
specifies the name of the remote domain.

-p
specifies the local userid whose mapping is removed.

-u
specifies the remote userid of that mapping.

Deleting a Userid and Password

Use the delusr subcommand to remove a local TUXEDO domain's user ID and password from the remote domain's External Security Manager. The mapping for a userid must be removed before the userid can be removed. Enter the following command:

delusr -d local_domain_id -R remote_domain_id -u remote_userid

where:

-d
specifies the name of the local domain.

-R
specifies the name of the remote domain.

-u
specifies the remote user name to be deleted.

Modifying a Password

Use the modusr subcommand to modify a local TUXEDO domain user's password recorded in a remote domain's External Security Manager. Enter the following command:

modusr -d local_domain_id -R remote_domain_id -u remote_userid

where:

-d
specifies the name of the local domain.

-R
specifies the name of the remote domain.

-u
specifies the remote user name whose password is to be modified (the system prompts for the new password).
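The five subcommands above form one procedure with two ordering rules stated in this chapter: a userid must be added (addusr) before it can be mapped (addumap), and its mapping must be removed (delumap) before the userid can be deleted (delusr). The script below is an added example, not BEA code: it takes a planned batch of operations, checks those preconditions before anything is typed into dmadmin, and renders each subcommand line in the form shown above. Nothing is executed; the domain ids and userids are constructed sample values, and the tracker only knows about state seeded into it or created earlier in the same batch.

```python
"""Order check and rendering for dmadmin user-security subcommands (added example)."""
from dataclasses import dataclass


@dataclass(frozen=True)
class Op:
    cmd: str              # addusr | addumap | delumap | delusr | modusr
    local: str            # -d local_domain_id
    remote: str           # -R remote_domain_id
    user: str             # -u remote_userid
    principal: str = ""   # -p local_principal_userid (addumap/delumap only)


def render(op: Op) -> str:
    """Render one subcommand line exactly as the chapter shows it."""
    line = f"{op.cmd} -d {op.local} -R {op.remote}"
    if op.cmd in ("addumap", "delumap"):
        line += f" -p {op.principal}"
    return line + f" -u {op.user}"


def plan(ops, existing_users=(), existing_maps=()):
    """Return rendered lines for `ops`, or raise ValueError at the first step
    that violates the chapter's ordering rules.

    existing_users: (local, remote, user) tuples already known to the remote ESM.
    existing_maps:  (local, remote, user, principal) tuples already mapped.
    """
    users = set(existing_users)
    maps = set(existing_maps)
    lines = []
    for step, op in enumerate(ops, 1):
        ukey = (op.local, op.remote, op.user)
        mkey = ukey + (op.principal,)
        if op.cmd == "addusr":
            if ukey in users:
                raise ValueError(f"step {step}: {op.user} already added")
            users.add(ukey)
        elif op.cmd == "addumap":
            if not op.principal:
                raise ValueError(f"step {step}: addumap needs -p local_principal_userid")
            if ukey not in users:   # "The userid must be added before it can be mapped."
                raise ValueError(f"step {step}: addumap before addusr for {op.user}")
            maps.add(mkey)
        elif op.cmd == "delumap":
            if mkey not in maps:
                raise ValueError(f"step {step}: no mapping {op.principal}->{op.user} to delete")
            maps.remove(mkey)
        elif op.cmd == "delusr":
            if ukey not in users:
                raise ValueError(f"step {step}: {op.user} was never added")
            if any(m[:3] == ukey for m in maps):   # mapping must go first
                raise ValueError(f"step {step}: delusr while a mapping still exists for {op.user}")
            users.remove(ukey)
        elif op.cmd == "modusr":
            if ukey not in users:
                raise ValueError(f"step {step}: modusr for unknown user {op.user}")
        else:
            raise ValueError(f"step {step}: unknown subcommand {op.cmd!r}")
        lines.append(render(op))
    return lines


# Constructed sample batch: full life cycle of one mapped user.
LIFECYCLE = [
    Op("addusr", "tuxdom", "osidom", "rjones"),
    Op("addumap", "tuxdom", "osidom", "rjones", principal="jones"),
    Op("modusr", "tuxdom", "osidom", "rjones"),
    Op("delumap", "tuxdom", "osidom", "rjones", principal="jones"),
    Op("delusr", "tuxdom", "osidom", "rjones"),
]

if __name__ == "__main__":
    print("\n".join(plan(LIFECYCLE)))
```

The rendered lines are what an administrator would paste into the dmadmin command interpreter; password prompts for addusr and modusr are still answered interactively, so the batch carries no secrets.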
