The following sections explain how to implement single point security administration for Tuxedo and WebLogic Server from the Tuxedo point of view:
Note: | Before setting up single point security, be sure you are familiar with the Tuxedo security architecture and requirements. You may also want to coordinate this effort with your WebLogic or LDAP Administrator. |
If you have both Tuxedo and WebLogic Server deployed in your environment, then you have to manage two sets of security information. Single point security administration allows you to leverage the WebLogic Server security to manage your security database by eliminating user and group information from Tuxedo. You can use WebLogic Server as your security database to authenticate Tuxedo users.
Note: | The Tuxedo ACL information will continue to reside in Tuxedo and is not currently integrated with WebLogic Server 7.0. |
Note: | If you are specifying SECURITY=ACL or SECURITY=MANDATORY_ACL in the RESOURCES section of the UBBCONFIG file, then you must continue to maintain tpgrp and tpacl files in Tuxedo. |
The single point security administration feature leverages the enhanced WebLogic Server 7.0 security and its embedded LDAP server to allow single point security administration. You can maintain user security information in the WebLogic Server-embedded LDAP server and use the WebLogic Server Console to administer the security information from a single system. You must modify the UBBCONFIG file to enable single point security.
To set up single point security, you must provide the Tuxedo security information to the WebLogic Server-embedded LDAP server. This includes migrating or setting up the Tuxedo user (UID) and group (GID) information in the WebLogic Server LDAP server so that authentication can be successful. For Tuxedo UID and GID values to be available to WebLogic Server, you must use the tpmigldap utility, modify the tpusr file manually with a text editor, or enter the user information via the WebLogic Administration Console.
Note: | The WebLogic Administration Console may be the method used when adding one or two users after the security database is set up. For efficiency and time management, you may prefer using the tpmigldap utility or the tpusr file as a general rule. |
Single point security administration consists of the following tasks:
http://download.oracle.com/docs/cd/E13222_01/wls/docs81/security.html
LAUTHSVR is a System /T provided server that offers the authentication service while the user security information is located in WebLogic Server. To enable the single security administration feature, you must configure LAUTHSVR as the authentication server. At runtime, LAUTHSVR will retrieve the user information from the WebLogic Server-embedded LDAP and authenticate users. If the authentication is successful, an appkey is returned to the user; otherwise, authentication fails.
Note: | Tuxedo 10 and greater allows you to configure WebLogic authentication using a more general authentication server, GAUTHSVR (which can be used along with LAUTHSVR or replace it). |
Note: | For more GAUTHSVR information, see Setting up GAUTHSVR as the Authentication Server and GAUTHSVR(5) in the BEA Tuxedo File Formats, Data Descriptions, MIBs, and System Processes Reference. |
To define LAUTHSVR as the authentication server, you must define the following parameters in the UBBCONFIG file:
- SECURITY must be set to USER_AUTH, ACL, or MANDATORY_ACL in the RESOURCES section.
- LAUTHSVR must be specified in the SERVERS section.
Note: | If LAUTHSVR cannot find a valid configuration file or the file does not exist, it will log an error message in USERLOG and fail to boot. The default LAUTHSVR configuration file is $TUXDIR/udataobj/tpldap and is provided with the product. |
LAUTHSVR is the LDAP-based authentication server for Tuxedo. It requires a configuration file, which by default is $TUXDIR/udataobj/tpldap. You can create your own LAUTHSVR configuration file or use the default tpldap file that is available with the product.
The command line interface syntax for LAUTHSVR is as follows:
-f full_pathname
Note: | If the -f option is omitted, the default LAUTHSVR configuration file tpldap is used. |
The following example instructs LAUTHSVR to use the default configuration file, tpldap, in the $TUXDIR/udataobj directory.
LAUTHSVR SRVGRP=GROUP1 SRVID=2 CLOPT="-A --"
In the following example, LAUTHSVR uses the myauthsvr.conf configuration file in the /home/tuxedo/bankapp directory.
LAUTHSVR SRVGRP=GROUP1 SRVID=2
CLOPT="-A -- -f /home/tuxedo/bankapp/myauthsvr.conf"
LAUTHSVR supports an input configuration file that contains information such as the bind DN and an unencrypted password for the bind DN. This configuration file is a plain text file that can be edited using any text editor and must be protected by the system using file permissions. By default the configuration file, named tpldap, is located in the $TUXDIR/udataobj directory. You can override this file on the command line for LAUTHSVR. The LAUTHSVR configuration file contains keyword and value pairs as defined in Table 4-1.
Although the default values for the LAUTHSVR configuration file are usually sufficient, a system administrator may choose to configure it with different names. Therefore, you should be aware of the following requirements for the LAUTHSVR configuration file:
- The LAUTHSVR configuration file is a plain text file.
Note: | Before an administrator can set up and use the Tuxedo LDAP-based security authentication server, the administrator must change the LDAP administrator password through the WebLogic Administration Console. |
The following table defines the LAUTHSVR configuration file keywords.
Note: | The only required keyword in the LAUTHSVR configuration file is PASSWORD, which specifies the password for the bind DN. All other keywords are optional. |
FILE_VERSION
LDAP_VERSION
BINDDN
BASE
UID
PASSWORD
LDAP_ADDR: A comma separated list of WebLogic hostnames and ports. The syntax is [//]hostname[:port][,[//]hostname[:port]...]. The default value for port is 7001. If LDAP_ADDR is not specified, LAUTHSVR assumes localhost:7001 is the location to contact the LDAP server. For more information about specifying multiple network addresses, refer to Using Multiple Network Addresses for High Availability.
EXPIRE: A numeric value that represents the number of seconds the cached entry is available in the local process memory. A value other than zero will enable caching. A value of zero specifies no caching. The default is zero. For more information about enabling caching, refer to Using Multiple Network Addresses for High Availability.
SRCH_ORDER: Valid values are LDAP or LOCAL, or both separated by a comma. If you specify LOCAL, the search order will use the tpusr file. The default is LDAP. For more information about database search order, refer to Configuring the Database Search Order.
LOCAL_FILE: The full pathname of the tpusr file to be used if the LOCAL search order is enabled. The default value is $APPDIR/tpusr. For more information about database search order, refer to Configuring the Database Search Order.
WLS_DOMAIN
WLS_REALM
ADM_GROUP
OP_GROUP
TUX_UID_KW
TUX_GID_KW
Listing 4-1 shows an example of a LAUTHSVR configuration file.
#
# Tuxedo LDAP Authentication Server configuration file.
#
# created: Thu May 26 15:36:59 2002
#
FILE_VERSION 1
LDAP_VERSION 3
BINDDN cn=Admin
BASE ou=people,ou=myrealm,dc=mydomain
UID uid
PASSWORD secret
LDAP_ADDR //PLUTO:7001,//Saturn:7001
EXPIRE 0
SRCH_ORDER LDAP
WLS_DOMAIN mydomain
WLS_REALM myrealm
ADM_GROUP Administrators
OP_GROUP Operators
TUX_UID_KW TUXEDO_UID
TUX_GID_KW TUXEDO_GID
# end of file
WARNING: | Because the PASSWORD for the LDAP administrator is in clear text, it is recommended that the system administrator guards this file with correct access permission. |
Listing 4-2 shows an example UBBCONFIG file with SECURITY set to ACL and LAUTHSVR defined.
*RESOURCES
IPCKEY 51002
MASTER site1
MAXACCESSERS 50
MAXSERVERS 20
MAXSERVICES 20
MODEL SHM
LDBAL N
BLOCKTIME 10
SECURITY ACL
AUTHSVC "..AUTHSVC"
*MACHINES
DEFAULT:
APPDIR="/home/tuxedo/application"
TUXCONFIG="/home/tuxedo/application/TUXCONFIG"
TUXDIR="/home/tuxedo/tux81"
Server1 LMID=site1
MAXWSCLIENTS=20
*GROUPS
GROUP1 LMID=site1 GRPNO=1
GROUP2 LMID=site1 GRPNO=2
GROUP3 LMID=site1 GRPNO=3
GROUP4 LMID=site1 GRPNO=4
*SERVERS
DEFAULT:
CLOPT="-A" RESTART=N MAXGEN=5
LAUTHSVR SRVGRP=GROUP1 SRVID=10
CLOPT="-A -- -f /home/tuxedo/application/lauthsvr.conf"
DMADM SRVGRP=GROUP2 SRVID=20
GWADM SRVGRP=GROUP3 SRVID=30
GWTDOMAIN SRVGRP=GROUP3 SRVID=31
Simpserv SRVGRP=GROUP4 SRVID=40
*SERVICES
TOUPPER
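The two UBBCONFIG requirements (a valid SECURITY value in RESOURCES and an authentication server in SERVERS) are simple to state but easy to miss in a large file, and the same two requirements apply whether LAUTHSVR or GAUTHSVR is used. The following Python script is an added example, not part of Tuxedo or this documentation: it splits a UBBCONFIG text into its *SECTIONs, reads SECURITY, finds a LAUTHSVR or GAUTHSVR entry, and checks that any -f option sits after the "--" separator in CLOPT. The embedded sample is constructed, abridged from Listing 4-2; treating a line whose first token contains "=" as a continuation of the previous entry is an assumption of this parser, made to match the listing's layout.

```python
"""Check a UBBCONFIG text for the single point security prerequisites (added example)."""
import shlex
from typing import Dict, List, Optional

AUTH_SERVERS = ("LAUTHSVR", "GAUTHSVR")
VALID_SECURITY = ("USER_AUTH", "ACL", "MANDATORY_ACL")

# Constructed sample, abridged from Listing 4-2 (not a real deployment).
SAMPLE_UBBCONFIG = """\
*RESOURCES
IPCKEY 51002
MASTER site1
MODEL SHM
SECURITY ACL
AUTHSVC "..AUTHSVC"
*MACHINES
DEFAULT:
APPDIR="/home/tuxedo/application"
TUXDIR="/home/tuxedo/tux81"
Server1 LMID=site1
MAXWSCLIENTS=20
*GROUPS
GROUP1 LMID=site1 GRPNO=1
*SERVERS
DEFAULT:
CLOPT="-A" RESTART=N MAXGEN=5
LAUTHSVR SRVGRP=GROUP1 SRVID=10
CLOPT="-A -- -f /home/tuxedo/application/lauthsvr.conf"
Simpserv SRVGRP=GROUP1 SRVID=40
*SERVICES
TOUPPER
"""


def parse_ubbconfig(text: str) -> Dict[str, List[List[str]]]:
    """Split the text into *SECTIONs; each entry is its quote-aware token list.
    Assumption: a line whose first token contains '=' continues the previous
    entry (how the listing above wraps CLOPT onto its own line)."""
    sections: Dict[str, List[List[str]]] = {}
    current: Optional[List[List[str]]] = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line.startswith("*"):
            current = sections.setdefault(line[1:].upper(), [])
            continue
        if current is None:
            raise ValueError(f"text before any *SECTION header: {line!r}")
        tokens = shlex.split(line)
        if "=" in tokens[0] and current:
            current[-1].extend(tokens)
        else:
            current.append(tokens)
    return sections


def resource(sections: Dict[str, List[List[str]]], name: str) -> Optional[str]:
    """Value of a RESOURCES parameter, or None if it is not set."""
    for entry in sections.get("RESOURCES", []):
        if entry[0].upper() == name:
            return entry[1] if len(entry) > 1 else ""
    return None


def server_params(entry: List[str]) -> Dict[str, str]:
    """['LAUTHSVR', 'SRVGRP=GROUP1', 'CLOPT=...'] -> {'NAME': 'LAUTHSVR', 'SRVGRP': 'GROUP1', ...}"""
    params = {"NAME": entry[0]}
    for token in entry[1:]:
        key, _, value = token.partition("=")
        params[key.upper()] = value
    return params


def config_file_option(clopt: str) -> Optional[str]:
    """The -f argument given after the '--' separator, or None. Options before '--'
    (such as -A) are Tuxedo system options; the server's own options follow it."""
    argv = shlex.split(clopt)
    if "--" not in argv:
        return None
    own = argv[argv.index("--") + 1:]
    for i, arg in enumerate(own):
        if arg == "-f" and i + 1 < len(own):
            return own[i + 1]
        if arg.startswith("-f") and len(arg) > 2:  # the -f/path spelling
            return arg[2:]
    return None


def check_single_point_security(text: str) -> Dict[str, List[str]]:
    """Errors block single point security; notes are reminders from the text above."""
    errors: List[str] = []
    notes: List[str] = []
    sections = parse_ubbconfig(text)
    security = resource(sections, "SECURITY")
    if security not in VALID_SECURITY:
        errors.append(f"SECURITY is {security!r}; it must be USER_AUTH, ACL or MANDATORY_ACL")
    servers = [server_params(e) for e in sections.get("SERVERS", []) if e[0] != "DEFAULT:"]
    auth = [s for s in servers if s["NAME"] in AUTH_SERVERS]
    if not auth:
        errors.append("no LAUTHSVR or GAUTHSVR entry in the SERVERS section")
    for s in auth:
        clopt = s.get("CLOPT", "")
        if "-f" in clopt and config_file_option(clopt) is None:
            errors.append(f"{s['NAME']}: the -f option must follow the '--' separator in CLOPT")
    if security in ("ACL", "MANDATORY_ACL"):
        notes.append(f"SECURITY={security}: tpgrp and tpacl files must still be maintained in Tuxedo")
    return {"errors": errors, "notes": notes}


if __name__ == "__main__":
    print(check_single_point_security(SAMPLE_UBBCONFIG))
```

Run it against a real UBBCONFIG by reading the file into check_single_point_security; an empty errors list means both prerequisites are met, and the notes repeat the ACL reminder from the introduction of this section.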
It is possible to configure more than one network address for a WebLogic Server domain. This may be a favorable configuration in order to provide high availability for user authentication. The user security information is replicated to all WebLogic Server-embedded LDAP servers in a WebLogic domain. LAUTHSVR can only connect to one server at a time; however, when a network error occurs, LAUTHSVR will try to connect to the next available address.
To configure multiple network addresses for LAUTHSVR, use the LDAP_ADDR keyword in the LAUTHSVR configuration file. The order in which the hostnames are specified is the order in which LAUTHSVR will try to connect. To use caching during authentication, specify the EXPIRE keyword. The value in this keyword will determine the number of seconds the cached entry is available in the local process memory.
Note: | It is not required to have WebLogic Server available when you boot Tuxedo using tmboot; however, without the availability of at least one WebLogic Server, LAUTHSVR's ability to authenticate users is limited. |
Note: | Without the availability of WebLogic Server, you can boot Tuxedo and authenticate users using SRCH_ORDER LOCAL. In this case, the user authentication is verified against the tpusr file. For more information about search order, refer to Configuring the Database Search Order. |
The following example specifies multiple network addresses in the LDAP_ADDR keyword.
LDAP_ADDR //Pluto:8000,//Saturn,Jupiter
The previous example specifies three WebLogic Server hostnames. The first server runs on Pluto and uses port 8000. The second server runs on Saturn and uses the default port 7001. The third server runs on Jupiter and also uses the default port 7001.
By default the LAUTHSVR authentication server will search for the user information in the WebLogic Server-embedded LDAP server. To enable the use of the tpusr file in the database search, you must specify LOCAL in the SRCH_ORDER keyword. The order in which the comma separated values are defined in the SRCH_ORDER keyword specifies the order in which LAUTHSVR searches for user information. LAUTHSVR will search the LDAP server or the tpusr file or both (according to the order of the values specified).
If there are two or more SRCH_ORDER entries specified in the LAUTHSVR configuration file, only the last entry takes effect. In this case a warning message is logged in USERLOG as well. A warning message also results if you specify a value other than LDAP or LOCAL in the SRCH_ORDER keyword. In this case, the invalid entry is discarded and the default value or a previous valid SRCH_ORDER entry is used.
The following example specifies that LAUTHSVR should search the WebLogic Server-embedded LDAP server first for user information. If the user information is not found in the LDAP server, then LAUTHSVR should look in the tpusr file.
SRCH_ORDER LDAP,LOCAL
The following example specifies that LAUTHSVR should search the tpusr file first for user information. If the user information is not found in the tpusr file, then LAUTHSVR should look in the WebLogic Server-embedded LDAP server for the information.
SRCH_ORDER LOCAL,LDAP
The following example specifies that LAUTHSVR should search the tpusr file only for user information.
SRCH_ORDER LOCAL
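The LDAP_ADDR, EXPIRE and SRCH_ORDER rules described above (default port 7001, localhost:7001 when LDAP_ADDR is absent, last SRCH_ORDER entry wins, invalid values discarded with a warning) are easy to get wrong when a file is edited by hand. The following Python script is an added example and not Oracle's LAUTHSVR code: it parses a tpldap-style file (keyword, whitespace, value; "#" comment lines), resolves LDAP_ADDR into the ordered list of (host, port) pairs LAUTHSVR would try, reports duplicate keywords, and discards a SRCH_ORDER line containing an invalid value so that the previous valid line or the LDAP default stays in effect. The embedded sample file is constructed for the example, and discarding an invalid SRCH_ORDER line as a whole is this script's assumption (the text above does not say whether a partly valid line is kept).

```python
"""Parse and sanity-check a LAUTHSVR tpldap-style configuration file (added example)."""
from typing import Dict, List, Tuple

DEFAULT_PORT = 7001                  # default WebLogic port from the LDAP_ADDR description
VALID_SRCH_ORDER = ("LDAP", "LOCAL")

# Constructed sample (not a real deployment): Listing 4-1 with the multi-address
# LDAP_ADDR example, caching enabled, and a deliberately invalid second SRCH_ORDER line.
SAMPLE_TPLDAP = """\
#
# Tuxedo LDAP Authentication Server configuration file (constructed sample)
#
FILE_VERSION 1
LDAP_VERSION 3
BINDDN cn=Admin
BASE ou=people,ou=myrealm,dc=mydomain
UID uid
PASSWORD secret
LDAP_ADDR //Pluto:8000,//Saturn,Jupiter
EXPIRE 300
SRCH_ORDER LDAP,LOCAL
SRCH_ORDER LDAP,BOGUS
TUX_UID_KW TUXEDO_UID
TUX_GID_KW TUXEDO_GID
# end of file
"""


def parse_tpldap(text: str) -> Tuple[Dict[str, str], List[str]]:
    """Return (keyword -> value, warnings). Blank lines and '#' lines are skipped.
    A repeated keyword is warned about and the last entry wins. A SRCH_ORDER line
    with anything other than LDAP/LOCAL is discarded with a warning (assumption:
    the whole line is dropped), so the previous valid line or the default stays
    in effect. PASSWORD is the only required keyword."""
    cfg: Dict[str, str] = {}
    warnings: List[str] = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(None, 1)
        key = parts[0].upper()
        value = parts[1].strip() if len(parts) == 2 else ""
        if key == "SRCH_ORDER":
            bad = [t for t in value.split(",") if t.strip().upper() not in VALID_SRCH_ORDER]
            if bad:
                warnings.append(f"line {lineno}: invalid SRCH_ORDER value(s) {bad} discarded")
                continue
        if key in cfg:
            warnings.append(f"line {lineno}: duplicate {key}; last entry takes effect")
        cfg[key] = value
    if "PASSWORD" not in cfg:
        raise ValueError("PASSWORD (the bind DN password) is required and is missing")
    return cfg, warnings


def ldap_addresses(cfg: Dict[str, str]) -> List[Tuple[str, int]]:
    """LDAP_ADDR syntax: [//]hostname[:port][,[//]hostname[:port]...]. Port defaults to
    7001; an absent keyword means localhost:7001. List order is the connection order."""
    value = cfg.get("LDAP_ADDR", "").strip()
    if not value:
        return [("localhost", DEFAULT_PORT)]
    addresses = []
    for item in value.split(","):
        item = item.strip()
        if item.startswith("//"):
            item = item[2:]
        host, has_port, port = item.partition(":")
        if not host:
            raise ValueError(f"LDAP_ADDR entry {item!r} has no hostname")
        addresses.append((host, int(port) if has_port else DEFAULT_PORT))
    return addresses


def search_order(cfg: Dict[str, str]) -> List[str]:
    """Where LAUTHSVR looks for the user, in order; the default is LDAP only."""
    return [t.strip().upper() for t in cfg.get("SRCH_ORDER", "LDAP").split(",")]


def cache_seconds(cfg: Dict[str, str]) -> int:
    """EXPIRE: seconds a cached entry lives in process memory; 0 (the default) disables caching."""
    return int(cfg.get("EXPIRE", "0"))


if __name__ == "__main__":
    config, warns = parse_tpldap(SAMPLE_TPLDAP)
    for w in warns:
        print("WARNING:", w)
    print("connect order:", ldap_addresses(config))
    print("search order:", search_order(config))
    print("cache seconds:", cache_seconds(config))
```

Because the file holds the bind DN password in clear text, the script only reads the file it is given and never prints the PASSWORD value; check the file's permissions before handing it to anything that logs its contents.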
You should use the tpmigldap command utility to migrate Tuxedo user and group information to WebLogic Server.
Before migrating the user and group information, the administrator must assign new passwords for each user so the migration can be successful. This step is required because the passwords in the tpusr file are encrypted with one-way encryption; therefore, it is impossible to retrieve the original password from the file.
There are two ways to handle this password situation:
- Modify the tpusr file.
You can modify the tpusr file using a text editor and change the user password for each user in the file. The password field is the second field in the tpusr file. The field delimiter is a colon (:). Each user takes up a line in the tpusr file. For example, the original entries
TuxedoUser1:ADdg0w8nfGMag:6001:601:TPCLTNM,*::
TuxedoUser2:0Yq2s6FjbvuU2:6002:601:TPCLTNM,*::
become, after the clear-text passwords are edited in:
TuxedoUser1:User1Password:6001:601:TPCLTNM,*::
TuxedoUser2:User2Password:6002:601:TPCLTNM,*::
- Use the -f option with the tpmigldap utility to define a default password for all users.
If the -f option is used, then the argument that follows will be used as a substitute for the password field in the tpusr file for every user in the file. The following example command:
tpmigldap -f userpassword -c
will cause "userpassword" to be assigned to every user in the tpusr file. After the migration, all users will have to use "userpassword" as their password in order to join the Tuxedo application.
The following table defines the command line options for the tpmigldap utility. The order of the command line options does not matter.
Note: | The tpmigldap command requires the use of -w or -c so the user or group can be added to the WebLogic Server-embedded LDAP database. |
There are two methods for adding new user and group information to the single security LDAP database:
- Edit the tpusr text file and then specify the updated file when using the migration utility tpmigldap. Refer to Adding New User Information in tpusr or tpgrp.
- Use the WebLogic Administration Console.
Note: | Using the WebLogic Administration Console may not be efficient for adding large numbers of users to the LDAP database. In the case of adding several users, you may want to use the tpmigldap utility. |
To add new user information to the single point security LDAP database:
1. Edit the tpusr file and tpgrp file to add the new user and group information. Be sure to use the same format previously defined in the file. Be sure to use clear text passwords to add to the LDAP database.
2. Run the tpmigldap utility using the -u option to specify the updated tpusr file and the -g option to specify the updated tpgrp file. For example:
tpmigldap -u $APPDIR/tpusr -g $APPDIR/tpgrp
To add new user information to the single point security LDAP database using the WebLogic Administration Console:
1. Navigate to Security > Realms > myrealm, where myrealm represents the LDAP security realm.
2. In the Name field specify the user name.
3. In the Description field specify the Tuxedo UID and GID values as a string in the following syntax:
<TUXEDO UID KEYWORD>=<decimal value>
<TUXEDO GID KEYWORD>=<decimal value>
where by default the TUXEDO UID KEYWORD is TUXEDO_UID and the TUXEDO GID KEYWORD is TUXEDO_GID. For example: TUXEDO_UID=2504 TUXEDO_GID=601.
4. In the Password field, specify the password for the user. Then confirm the password by entering the password again in the Confirm Password field.
GAUTHSVR is a System /T provided server whose usage is similar to LAUTHSVR, but with the following differences:
- GAUTHSVR can access user security information located in a wide variety of LDAP servers (for example, WebLogic, OpenLDAP, Netscape/iPlanet, Microsoft Active Directory, z/OS LDAP, and so on), using LDAP (Lightweight Directory Access Protocol).
Note: | You can also configure WebLogic authentication using LAUTHSVR. GAUTHSVR can be used along with an existing LAUTHSVR or replace it. |
Note: | For more LAUTHSVR information, see Setting up LAUTHSVR as the Authentication Server and LAUTHSVR(5) in the BEA Tuxedo File Formats, Data Descriptions, MIBs, and System Processes Reference. |
- GAUTHSVR syntax does not support multiple network addresses for high availability. For more information, see Using Multiple Network Addresses for High Availability.
- GAUTHSVR does not support user security information stored in a local file. For more information, see Configuring the Database Search Order.
To enable the single security administration feature, GAUTHSVR must be configured as the authentication server. GAUTHSVR authenticates user security information against the LDAP server. When authentication succeeds and SECURITY is set to ACL or MANDATORY_ACL, it returns an appkey.
To configure GAUTHSVR as the authentication server, you must define the following parameters in the UBBCONFIG file:
- SECURITY must be set to USER_AUTH, ACL, or MANDATORY_ACL in the RESOURCES section.
- GAUTHSVR must be specified in the SERVERS section.
Note: | If GAUTHSVR cannot find a valid configuration file or the file does not exist, it will log an error message in USERLOG and fail to boot. The default GAUTHSVR configuration file is $TUXDIR/udataobj/tpgauth and is provided with the product. |
GAUTHSVR is an LDAP-based authentication server for Tuxedo. It requires a configuration file, which by default is $TUXDIR/udataobj/tpgauth.
The command line interface syntax for GAUTHSVR is as follows:
-f config
-o gaconfig.xml
The GAUTHSVR internal configuration file generated from the customer configuration file specified by the -f option. The default value is $APPDIR/gaconfig.xml.
-k gakey.dat
The GAUTHSVR internal key file generated from the configuration file specified by the -f option. The default value is $APPDIR/gakey.dat.
-v
The following example instructs GAUTHSVR to use the default configuration file, tpgauth, in the $TUXDIR/udataobj directory.
GAUTHSVR SRVGRP=GROUP1 SRVID=2 CLOPT="-A --"
In the following example, GAUTHSVR uses the myauthsvr.conf configuration file in the /home/tuxedo/bankapp directory.
GAUTHSVR SRVGRP=GROUP1 SRVID=2
CLOPT="-A -- -f /home/tuxedo/bankapp/myauthsvr.conf"
GAUTHSVR updates the generated XML file if tpgauth is newer than the generated XML and key files. Only changed or newly added tpgauth items are updated in the generated XML file.
Note: | If the XML and key file are not present when GAUTHSVR is booted, GAUTHSVR creates them automatically. |
GAUTHSVR supports an input configuration file that contains information such as the bind DN and an unencrypted password for the bind DN. This configuration file is a plain text file that can be edited using any text editor and must be protected by the system using file permissions. By default the configuration file, named tpgauth, is located in the $TUXDIR/udataobj directory. You can override this file on the command line for GAUTHSVR.
Table 4-3 lists the keyword and value pairs contained in the GAUTHSVR configuration file.
Although the default values for the GAUTHSVR configuration file are usually sufficient, you can choose to configure it with different names. Therefore, you should be aware of the following requirements for the GAUTHSVR configuration file:
- The GAUTHSVR configuration file is a plain text file.
- Each entry has the form "keyword=value".
- Lines beginning with a # sign are treated as comments, and are ignored.
- Principal must have privileges to access the LDAP database (usually the LDAP administrator).
GAUTHSVR keywords are divided into three groups: basic, advanced, and LDAP schema. Table 4-3, Table 4-4, and Table 4-5 define the GAUTHSVR configuration file keywords accordingly.
UserCacheExpire
UserCacheSize
SYSADM
SYSOP
Host
Port
Principal
Credential
RetrieveUIDAndGID
Table 4-7 shows an example GAUTHSVR configuration file for WebLogic Server. Refer to this example when configuring other LDAP servers.
#
# Tuxedo LDAP Authentication Server configuration file.
#
# created: Thu May 26 15:36:59 2002
# end of file
# Tuxedo configuration
UserCacheExpire = 600
UserCacheSize = 16384
SYSADM = sysadm
SYSOP = sysop
# LDAP server configuration
Host = server.bea.com
Port = 7001
Principal = cn=Admin
Credential= weblogic
UserObjectClass = person
UserBaseDN = ou=people,ou=myrealm,dc=examples
UserFromNameFilter = (&(uid=%u)(objectclass=person))
UserUIDAttrName = description
UserGroupAttrNames=wlsMemberOf
RetrieveUIDAndGID = true
UIDAttrValueType = UIDAndGID
WARNING: | Because the PASSWORD for the LDAP administrator is in clear text, it is recommended that the system administrator guards this file with correct access permission. |
Listing 4-4 shows an example UBBCONFIG file with SECURITY set to ACL and GAUTHSVR defined.
# UBBCONFIG
*SERVERS
GAUTHSVR SRVGRP="SYSGRP" SRVID=100
CLOPT="-A -- -f ${APPDIR}/tpgauth"
ENVFILE="${APPDIR}/tpgauth.env"
You can use the tpmigldif command utility to migrate Tuxedo user and group information to LDAP servers in LDAP Data Interchange Format (LDIF). In order to use tpmigldif, you must create a migration template.
Table 4-6 lists the command line options for the tpmigldif utility. The order of the command line options does not matter.
Listing 4-5 shows a tpusr file with five fields separated by a colon:
name:password (encrypted):user id:group id:client name::
user1:EI4xxxjrCc:16668:601:TPCLTNM,client::
user2:EI4xxxjrCc:16669:602:TPCLTNM,client::
Listing 4-6 shows a tpgrp file with three fields separated by a colon:
group1::601:
group2::602:
Before migrating the user and group information, the administrator could assign new passwords for each user so the generated LDIF output contains the correct password for each user. This step is required because the passwords in the tpusr file are encrypted with one-way encryption; therefore, it is impossible to retrieve the original password from the file.
Using a text editor, there are two methods you can use to modify tpusr file passwords:
- Modify the tpusr file password field to change the user password for each user in the file. The password field is the second field in the tpusr file. Each user is entered on a separate line in the tpusr file. See Listing 4-5 for the original tpusr file example.
user1:pwd1:16668:601:TPCLTNM,client::
user2:pwd2:16669:602:TPCLTNM,client::
- Append the clear-text password as an additional tpusr file field at the end of each line.
user1:EI4xxxjrCc:16668:601:TPCLTNM,client::pwd1:
user2:EI4xxxjrCc:16669:602:TPCLTNM,client::pwd2:
The migration template is a text file used by the tpmigldif command utility to translate the tpusr or tpgrp file into an LDIF output file.
Listing 4-7 shows a tpusr-template migration file example. <%n> refers to a tpusr file field, where n starts at 1.
Note: | Use <%gn> for a group field in the tpgrp file for the given user. |
dn: CN=<%1>,CN=Users,DC=tuxdev,DC=bea,dc=com
objectclass: top
objectclass: person
objectclass: organizationalPerson
objectclass: user
cn: <%1>
description: Tuxedo User, TUXEDO_UID=<%3> TUXEDO_GID=<%4>
password: <%7>
Listing 4-8 shows the LDIF output from the tpusr-template.
dn: CN=user1,CN=Users,DC=tuxdev,DC=bea,dc=com
objectclass: top
objectclass: person
objectclass: organizationalPerson
objectclass: user
cn: user1
description: Tuxedo User, TUXEDO_UID=16668 TUXEDO_GID=601
password: pwd1
dn: CN=user2,CN=Users,DC=tuxdev,DC=bea,dc=com
objectclass: top
objectclass: person
objectclass: organizationalPerson
objectclass: user
cn: user2
description: Tuxedo User, TUXEDO_UID=16669 TUXEDO_GID=602
password: pwd2
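The template mechanism in Listings 4-7 and 4-8, the two ways of supplying clear-text passwords to the migration (editing field 2, or appending the password as an extra field, which is why the template reads <%7>), the tpmigldap -f substitution described earlier, and the TUXEDO_UID=/TUXEDO_GID= description syntax used when adding users through the WebLogic Administration Console all operate on the same colon-separated tpusr rows. The following Python script is an added example, not the tpmigldif or tpmigldap utility itself: it expands <%n> and <%gn> placeholders over constructed tpusr and tpgrp rows (looking up the group by GID, tpusr field 4 against tpgrp field 3, an assumption of this example), models the -f substitution, refuses to emit an entry whose referenced field is empty (which is what happens when the clear-text field was never added), and parses the generated description back to confirm that the UID and GID survived the round trip.

```python
"""Expand a tpmigldif-style template over tpusr/tpgrp rows and check the result (added example)."""
import re
from typing import List, Tuple

# Constructed inputs: Listing 4-5's tpusr lines (field 2 is the one-way hash, no
# clear-text password), the same lines with the password appended as field 7,
# Listing 4-6's tpgrp lines and Listing 4-7's tpusr-template.
TPUSR_ORIGINAL = (
    "user1:EI4xxxjrCc:16668:601:TPCLTNM,client::\n"
    "user2:EI4xxxjrCc:16669:602:TPCLTNM,client::\n"
)
TPUSR_APPENDED = (
    "user1:EI4xxxjrCc:16668:601:TPCLTNM,client::pwd1:\n"
    "user2:EI4xxxjrCc:16669:602:TPCLTNM,client::pwd2:\n"
)
TPGRP = "group1::601:\ngroup2::602:\n"
TEMPLATE = (
    "dn: CN=<%1>,CN=Users,DC=tuxdev,DC=bea,dc=com\n"
    "objectclass: top\n"
    "objectclass: person\n"
    "objectclass: organizationalPerson\n"
    "objectclass: user\n"
    "cn: <%1>\n"
    "description: Tuxedo User, TUXEDO_UID=<%3> TUXEDO_GID=<%4>\n"
    "password: <%7>\n"
)
PLACEHOLDER = re.compile(r"<%(g?)(\d+)>")   # <%n> = tpusr field n, <%gn> = tpgrp field n
UID_GID_PAIR = re.compile(r"(\w+)=(\d+)")


def parse_colon_file(text: str) -> List[List[str]]:
    """Split each non-blank, non-comment line on ':'; templates index fields from 1."""
    return [ln.split(":") for ln in text.splitlines() if ln.strip() and not ln.startswith("#")]


def substitute_password(rows: List[List[str]], password: str) -> List[List[str]]:
    """Model tpmigldap -f: replace field 2 (the hash) with one clear-text password for every user."""
    return [[row[0], password] + row[2:] for row in rows]


def expand(template: str, user: List[str], group: List[str]) -> str:
    """Replace <%n> / <%gn> placeholders. An empty referenced field is an error
    (this example's rule; the page does not state the utility's own behaviour)."""
    def replacement(match) -> str:
        source = group if match.group(1) else user
        index = int(match.group(2))
        value = source[index - 1] if index <= len(source) else ""
        if not value:
            raise ValueError(f"{user[0]}: template field <%{match.group(1)}{index}> is empty")
        return value
    return PLACEHOLDER.sub(replacement, template)


def render_ldif(tpusr_text: str, tpgrp_text: str, template: str) -> str:
    """One LDIF entry per tpusr row, entries separated by a blank line. Assumption:
    the user's group row is the tpgrp row whose GID (field 3) equals tpusr field 4."""
    groups = {g[2]: g for g in parse_colon_file(tpgrp_text)}
    users = parse_colon_file(tpusr_text)
    return "\n".join(expand(template, u, groups.get(u[3], [])) for u in users)


def parse_description(description: str, uid_kw: str = "TUXEDO_UID",
                      gid_kw: str = "TUXEDO_GID") -> Tuple[int, int]:
    """Read '<UID KEYWORD>=<decimal> <GID KEYWORD>=<decimal>' back out of a
    description attribute (the console syntax; the keywords are the defaults)."""
    pairs = dict(UID_GID_PAIR.findall(description))
    return int(pairs[uid_kw]), int(pairs[gid_kw])


def check_round_trip(tpusr_text: str, ldif: str) -> bool:
    """Every entry's description must carry the UID and GID of tpusr fields 3 and 4."""
    descriptions = re.findall(r"^description: (.*)$", ldif, re.M)
    users = parse_colon_file(tpusr_text)
    return len(descriptions) == len(users) and all(
        parse_description(d) == (int(u[2]), int(u[3])) for d, u in zip(descriptions, users))


if __name__ == "__main__":
    output = render_ldif(TPUSR_APPENDED, TPGRP, TEMPLATE)
    print(output)
    print("round trip ok:", check_round_trip(TPUSR_APPENDED, output))
```

Running the script on TPUSR_ORIGINAL instead of TPUSR_APPENDED raises a ValueError for user1, which is the failure an administrator sees if the password step before migration is skipped: the hash in field 2 cannot be turned back into a password, so the template has nothing to put in the password attribute.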
Tuxedo provides an example template for supported LDAP servers. The files are listed in Table 4-7 (1).
Active Directory (2)
z/OS LDAP, with RACF backend (3)
(1) All files are available under $TUXDIR/udataobj.
(2) For Active Directory, a user's password cannot be added on creation. For help on how to change or reset it, refer to the Microsoft support documents http://support.microsoft.com/kb/269190, http://support.microsoft.com/kb/263991, etc.
(3) Two things need to be done to activate a z/OS RACF account after migration: i) the z/OS administrator resets the password; and ii) log on with the account to change its password.