BEA Tuxedo Release 7.1


 


   Using BEA Tuxedo Security

Establishing a Link Between Domains

When a domain gateway (GWTDOMAIN) attempts to establish a network link with another domain gateway, the following major events occur.

  1. The initiator domain gateway and the target domain gateway exchange link-level encryption (LLE) min-max values to be used to set up LLE on the link between the gateways. LLE is described in Link-Level Encryption.

  2. The initiator and target domain gateways authenticate one another through the exchange of security tokens, assuming that both gateways are running BEA Tuxedo Release 7.1 or later software.

    If one or both of the domain gateways are running BEA Tuxedo pre-Release 7.1 software, the gateway processes use an older (pre-Release 7.1) authentication protocol when setting up the connection.

As the administrator, you use the following configuration parameter to establish a link between domain gateways running BEA Tuxedo Release 7.1 or later software.

Parameter Name: CONNECTION_PRINCIPAL_NAME in DMCONFIG (TA_DMCONNPRINCIPALNAME in DM_MIB)

Description (DM_LOCAL_DOMAINS section): When this parameter appears in the DM_LOCAL_DOMAINS section of the DMCONFIG file, its value becomes the principal name of the local domain access point when setting up a connection with a remote domain access point.*

    For default authentication plug-ins, if a value is assigned to CONNECTION_PRINCIPAL_NAME for the local domain access point, it must be the same as the value assigned to the DOMAINID parameter for the local domain access point. If these values do not match, the local domain gateway process will not boot, and the system will generate the following userlog(3c) message: ERROR: Unable to acquire credentials.

Setting (DM_LOCAL_DOMAINS section): 1 - 511 characters. If not specified, the principal name defaults to the DOMAINID string for the local domain access point.

Description (DM_REMOTE_DOMAINS section): When this parameter appears in the DM_REMOTE_DOMAINS section of the DMCONFIG file for a particular remote domain access point, its value becomes the principal name of the remote domain access point when setting up a connection with the local domain access point.

    For default authentication plug-ins, if a value is assigned to CONNECTION_PRINCIPAL_NAME for a remote domain access point, it must be the same as the value assigned to the DOMAINID parameter for the remote domain access point. If these values do not match, any attempt to set up a connection between the local domain gateway and the remote domain gateway will fail, and the system will generate the following userlog(3c) message: ERROR: Unable to initialize administration key for domain domain_name.

Setting (DM_REMOTE_DOMAINS section): 1 - 511 characters. If not specified, the principal name defaults to the DOMAINID string for the remote domain access point.

* The local domain access point is also known as the LDOM (pronounced "el dom") or simply local domain. A remote domain access point is also known as an RDOM (pronounced "are dom") or simply remote domain.

The following diagram shows how a link is established between domains using default authentication plug-ins.

Establishing a Link Between Domains Using Default Authentication

Note: The "Credentials" shown in the preceding diagram were acquired by each domain gateway process at application booting using the CONNECTION_PRINCIPAL_NAME identity configured for the local domain access point.

In the preceding diagram, notice that the information exchanged between the initiator and target domain gateways consists of the CONNECTION_PRINCIPAL_NAME strings configured for the domain gateways, as specified in the BDMCONFIG files. Each authentication plug-in uses the password assigned to the remote domain access point (as defined in the DM_PASSWORDS section of the BDMCONFIG file) to encrypt the string before transmitting it over the network, and uses the password assigned to the local domain access point (as defined in the DM_PASSWORDS section of the BDMCONFIG file) to decrypt the received string. The encryption algorithm used is 56-bit DES, where DES is an acronym for the Data Encryption Standard. Note that 56-bit DES is no longer considered a strong cipher, and that this check authenticates a peer only to the extent that the DM_PASSWORDS entries on both sides remain secret; protect the BDMCONFIG files accordingly.

For the encryption/decryption operation to succeed, the assigned password for the remote domain access point in the local BDMCONFIG file must be the same as the assigned password for the local domain access point in the remote BDMCONFIG file. (Similarly, if the domain security level is set to APP_PW, the application passwords in the respective TUXCONFIG files must be identical for the encryption/decryption operation to succeed.) For the authentication process to succeed, the received string must match the CONNECTION_PRINCIPAL_NAME string configured for the sender.

When the domain gateways pass the security checks, the link is established, and the gateways can forward service requests and receive replies over the established link.
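The following Python models the exchange described above so that the two failure modes can be seen side by side. It is an added illustration, not BEA Tuxedo code: the real gateways encrypt the CONNECTION_PRINCIPAL_NAME string with 56-bit DES under the DM_PASSWORDS entries, whereas here the DES step is replaced by a SHA-256-derived XOR keystream (an assumption so the example runs on the Python standard library alone; it is not a secure cipher). The Gateway class, the c01/b01 passwords and the assumption that access point names are spelled the same in both domains' configurations are also constructed for the example. What the model keeps is the logic of the check: each side encrypts its own principal name with the password it holds for the remote access point, decrypts what it receives with the password held for its local access point, and compares the result with the CONNECTION_PRINCIPAL_NAME it has configured for the sender.

```python
"""Model of the default-authentication link handshake (added example, not BEA code).

The DES step is replaced by a SHA-256-derived XOR keystream (assumption; not a
secure cipher). Access point names are assumed to match on both sides.
"""
import hashlib
from dataclasses import dataclass
from typing import Dict, Tuple


@dataclass
class Gateway:
    """Security-relevant slice of one domain's BDMCONFIG (constructed)."""
    ldom: str                           # local access point name, e.g. "c01"
    principal: str                      # CONNECTION_PRINCIPAL_NAME of the LDOM
    local_password: str                 # DM_PASSWORDS entry for the LDOM
    remote_principals: Dict[str, str]   # RDOM name -> CONNECTION_PRINCIPAL_NAME
    remote_passwords: Dict[str, str]    # RDOM name -> DM_PASSWORDS entry


def _keystream(password: str, n: int) -> bytes:
    """Deterministic keystream derived from the password (stand-in for the DES key)."""
    out = b""
    block = 0
    while len(out) < n:
        out += hashlib.sha256(password.encode() + block.to_bytes(4, "big")).digest()
        block += 1
    return out[:n]


def encrypt(plaintext: str, password: str) -> bytes:
    data = plaintext.encode()
    return bytes(a ^ b for a, b in zip(data, _keystream(password, len(data))))


def decrypt(ciphertext: bytes, password: str) -> str:
    data = bytes(a ^ b for a, b in zip(ciphertext, _keystream(password, len(ciphertext))))
    # A wrong password yields garbage; decode leniently so the comparison fails
    # instead of raising.
    return data.decode("utf-8", errors="replace")


def establish_link(initiator: Gateway, target: Gateway) -> Tuple[bool, str]:
    """Run the principal-name exchange in both directions (step 2 above).

    Step 1, the LLE min-max negotiation, is not modelled. Returns (ok, reason).
    """
    for sender, receiver in ((initiator, target), (target, initiator)):
        # Sender encrypts its own principal under the password it has configured
        # for the receiver's access point (its DM_REMOTE_DOMAINS side).
        wire = encrypt(sender.principal, sender.remote_passwords[receiver.ldom])
        # Receiver decrypts under the password for its own access point and
        # compares with the principal it has configured for the sender.
        recovered = decrypt(wire, receiver.local_password)
        expected = receiver.remote_principals[sender.ldom]
        if recovered != expected:
            return False, (f"{receiver.ldom}: principal received from {sender.ldom} "
                           f"does not match configured {expected!r}; link refused")
    return True, "link established; service requests may now be forwarded"


# Constructed configurations mirroring the c01/b01 example further down the page.
CENTRAL = Gateway("c01", "BA.CENTRAL01", "c01-secret",
                  {"b01": "BA.BANK01"}, {"b01": "b01-secret"})
BANK = Gateway("b01", "BA.BANK01", "b01-secret",
               {"c01": "BA.CENTRAL01"}, {"c01": "c01-secret"})

# Same bank, but its DM_PASSWORDS entry for c01 disagrees with c01's own password.
BANK_WRONG_PASSWORD = Gateway("b01", "BA.BANK01", "b01-secret",
                              {"c01": "BA.CENTRAL01"}, {"c01": "typo-secret"})

# Same central, but the CONNECTION_PRINCIPAL_NAME it holds for b01 disagrees with
# the name b01 actually presents.
CENTRAL_WRONG_PRINCIPAL = Gateway("c01", "BA.CENTRAL01", "c01-secret",
                                  {"b01": "BA.BANK99"}, {"b01": "b01-secret"})


def run_scenarios() -> Dict[str, Tuple[bool, str]]:
    return {
        "matching": establish_link(CENTRAL, BANK),
        "password_mismatch": establish_link(CENTRAL, BANK_WRONG_PASSWORD),
        "principal_mismatch": establish_link(CENTRAL_WRONG_PRINCIPAL, BANK),
    }


if __name__ == "__main__":
    for name, (ok, reason) in run_scenarios().items():
        print(f"{name:20s} ok={ok} {reason}")
```

In both failure scenarios the first direction (c01 to b01) succeeds and the second is refused, which is why a one-sided password or principal-name edit shows up only when the reverse check runs; both BDMCONFIG files have to agree.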

Example DMCONFIG Entries for Establishing a Link

In the following example, the configurations shown in the local DMCONFIG file are used when establishing a connection through the local domain access point c01 and the remote domain access point b01.

*DM_LOCAL_DOMAINS
# <LDOM name> <Gateway Group name> <domain type>
# <domain id> [<connection principal name>] [<security>]...
c01 GWGRP=bankg1
    TYPE=TDOMAIN
    DOMAINID="BA.CENTRAL01"
    CONNECTION_PRINCIPAL_NAME="BA.CENTRAL01"
    SECURITY=DM_PW
    .
    .
    .

*DM_REMOTE_DOMAINS
# <RDOM name> <domain type> <domain id>
# [<connection principal name>]...
b01 TYPE=TDOMAIN
    DOMAINID="BA.BANK01"
    CONNECTION_PRINCIPAL_NAME="BA.BANK01"
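As an added check, not part of the BEA documentation or product, the following Python applies the default-authentication rule from the parameter table to DMCONFIG text like the example above: it parses the DM_LOCAL_DOMAINS and DM_REMOTE_DOMAINS sections, falls back to DOMAINID when CONNECTION_PRINCIPAL_NAME is absent, enforces the 1 - 511 character limit, and reports the two mismatch conditions the page says cause the gateway not to boot or the connection to fail. The parser handles only the syntax the example uses; the two embedded configurations are constructed for this example, the second with a deliberate misspelling of the remote principal name.

```python
"""DMCONFIG consistency check for CONNECTION_PRINCIPAL_NAME (added example, not BEA code).

Handles only the subset of DMCONFIG syntax used in the example above: '*SECTION'
headers, entries starting in column 0 with the access point name, indented
continuation lines, KEY=VALUE pairs with optional double quotes, '#' comments,
and single '.' lines (the page's elision marker), which are skipped.
"""
import shlex
from typing import Dict, List, Tuple

Sections = Dict[str, Dict[str, Dict[str, str]]]


def parse_dmconfig(text: str) -> Sections:
    sections: Sections = {}
    section = None
    entry = None
    for raw in text.splitlines():
        stripped = raw.strip()
        if not stripped or stripped.startswith("#") or stripped == ".":
            continue
        if stripped.startswith("*"):
            section = stripped[1:].split()[0]
            sections.setdefault(section, {})
            entry = None
            continue
        if section is None:
            raise ValueError(f"parameter line before any section: {raw!r}")
        tokens = shlex.split(stripped)   # shlex strips the quotes around values
        if not raw[0].isspace():          # column 0: a new access point entry
            entry = sections[section].setdefault(tokens[0], {})
            tokens = tokens[1:]
        if entry is None:
            raise ValueError(f"continuation line with no entry: {raw!r}")
        for tok in tokens:
            key, sep, value = tok.partition("=")
            if not sep:
                raise ValueError(f"expected KEY=VALUE, got {tok!r}")
            entry[key] = value
    return sections


def check_principal_names(sections: Sections) -> Tuple[Dict[str, str], List[str]]:
    """Return (effective principal name per access point, findings).

    Rule for default authentication plug-ins: if CONNECTION_PRINCIPAL_NAME is set
    it must equal DOMAINID; if absent it defaults to DOMAINID; 1-511 characters.
    """
    effective: Dict[str, str] = {}
    findings: List[str] = []
    rules = (
        ("DM_LOCAL_DOMAINS", "ERROR: Unable to acquire credentials (gateway will not boot)"),
        ("DM_REMOTE_DOMAINS", "ERROR: Unable to initialize administration key for domain {ap}"),
    )
    for section, message in rules:
        for ap, params in sections.get(section, {}).items():
            domainid = params.get("DOMAINID")
            if domainid is None:
                findings.append(f"{section} {ap}: DOMAINID missing")
                continue
            name = params.get("CONNECTION_PRINCIPAL_NAME", domainid)
            effective[ap] = name
            if not 1 <= len(name) <= 511:
                findings.append(f"{section} {ap}: CONNECTION_PRINCIPAL_NAME must be 1-511 characters")
            elif name != domainid:
                findings.append(f"{section} {ap}: " + message.format(ap=ap)
                                + f" [CONNECTION_PRINCIPAL_NAME={name!r}, DOMAINID={domainid!r}]")
    return effective, findings


# Constructed DMCONFIG excerpts: the first mirrors the c01/b01 example above,
# the second misspells the remote principal name.
GOOD_DMCONFIG = """
*DM_LOCAL_DOMAINS
c01 GWGRP=bankg1
    TYPE=TDOMAIN
    DOMAINID="BA.CENTRAL01"
    CONNECTION_PRINCIPAL_NAME="BA.CENTRAL01"
    SECURITY=DM_PW

*DM_REMOTE_DOMAINS
b01 TYPE=TDOMAIN
    DOMAINID="BA.BANK01"
    CONNECTION_PRINCIPAL_NAME="BA.BANK01"
"""

BAD_DMCONFIG = GOOD_DMCONFIG.replace('CONNECTION_PRINCIPAL_NAME="BA.BANK01"',
                                     'CONNECTION_PRINCIPAL_NAME="BA.BANK99"')


def audit(text: str) -> Tuple[Dict[str, str], List[str]]:
    return check_principal_names(parse_dmconfig(text))


if __name__ == "__main__":
    for label, cfg in (("good", GOOD_DMCONFIG), ("bad", BAD_DMCONFIG)):
        effective, findings = audit(cfg)
        print(label, effective, findings or "no findings")
```

Running this before booting saves a round trip through the userlog: a local mismatch is reported with the "Unable to acquire credentials" text and a remote one with the "Unable to initialize administration key" text, so the finding can be matched against what the gateway would have logged.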

See Also