BEA Tuxedo Release 7.1

   Using BEA Tuxedo Security

Enabling Access Control Security

Default authorization consists of an access control checking feature that determines which users can execute a service, post an event, or enqueue (or dequeue) a message on an application queue. There are two levels of access control security: optional access control list (ACL) and mandatory access control list (MANDATORY_ACL). Only when users are authenticated to join an application does the access control list become active.

By using an access control list, an administrator can organize users into groups and associate the groups with objects that the member users have permission to access. Access control is done at the group level for the following reasons:

The access control checking feature is based on three files that are created and maintained by the application administrator: the user file tpusr, the group file tpgrp, and the ACL file tpacl.

By parsing the client's application key, which contains information identifying the client as a valid user and valid group member, an entity (such as a service, event, or application queue) can identify the group to which the user belongs; by checking the tpacl file, an entity can determine whether the client's group has access permission.

The application administrator, application operator, and processes or service requests running with the privileges of the application administrator/operator are not subject to ACL permission checking.

If user-level ACL entries are needed, they may be implemented by creating a group for each user, and then mapping the group to the appropriate application entities in the tpacl file.

How to Enable Optional ACL Security

Default authentication offers an optional ACL security level that you invoke by specifying SECURITY ACL in your configuration file. This security level requires that each client provide an application password, a user name, and user-specific data, such as a password, to join the application. If there is no entry in the tpacl file associated with the target application entity, any authenticated user is permitted to access the entity.

This security level enables an administrator to configure access for only those resources that need more security. That is, there is no need to add entries to the tpacl file for services, events, or application queues that are open to everyone. Of course, if there is an entry in the tpacl file associated with the target application entity and a user attempts to access that entity, the user must be a member of a group that is allowed to access that entity; otherwise, permission is denied. Because a missing entry grants access, take care when entering entity names in the tpacl file: a misspelled entity name leaves the real entity open to every authenticated user.

To enable the ACL security level, follow these steps.

  1. Set up the UBBCONFIG file.

  2. Set up the ACL file.

Instructions for these steps are provided in the following two topics.

Setting Up the UBBCONFIG File

  1. Ensure that you are working on the application MASTER machine and that the application is inactive.

  2. Open UBBCONFIG with a text editor and add the following lines to the RESOURCES and SERVERS sections.

    *RESOURCES
    SECURITY ACL
    AUTHSVC "..AUTHSVC"
    .
    .
    .

    *SERVERS
    AUTHSVR SRVGRP="group_name" SRVID=1 RESTART=Y GRACE=600 MAXGEN=2 CLOPT="-A"

    CLOPT="-A" causes tmboot(1) to pass only the default command-line options (invoked by "-A") to AUTHSVR when tmboot starts the application. By default, AUTHSVR uses the client user information in a file named tpusr to authenticate clients that want to join the application. tpusr resides in the directory referenced by the first path name defined in the application's APPDIR variable.

  3. Load the configuration by running tmloadcf(1). The tmloadcf command parses UBBCONFIG and loads the binary TUXCONFIG file to the location referenced by the TUXCONFIG variable.

  4. tmloadcf prompts you for the application password. The password you enter may be up to 30 characters long. It becomes the password for the application and remains in effect until you change it by using the passwd command of tmadmin.

  5. Distribute the application password to authorized users of the application through an off-line means such as telephone or letter.

Setting Up the ACL File

The access control checking feature requires a user file named tpusr, a group file named tpgrp, and an ACL file named tpacl. The ACL file contains mappings of groups to application entities. An entity may be a service, event, or application queue.

The following display is a sample entry in the tpacl file.

As the administrator, you must define the entries in the tpacl file, which is located in the directory referenced by the first path name defined in the application's APPDIR variable. The file is a colon-delimited, flat text file, readable and writable only by the application's administrator.

There are two methods of modifying the ACL entries in the tpacl file: by issuing commands or by changing the values of the appropriate attributes in the ACL_MIB.

Changing ACL Entries through Commands

You can add, modify, or delete ACL entries in the tpacl file at any time by running a BEA Tuxedo command provided for that purpose.

    Run . . .        To . . .
    tpacladd(1)      Add an entry
    tpaclmod(1)      Modify an entry
    tpacldel(1)      Delete an entry

To run any of these commands, follow these steps.

  1. For an inactive application, make sure you are working from the application MASTER machine. For an active application, you may work from any machine in the configuration.

  2. For specific instructions on running a command, see the entry for that command in the BEA Tuxedo Command Reference.

Changing ACL Entries through the ACL_MIB

If you prefer not to use the command-line interface, you can add, modify, or delete ACL entries in tpacl by changing the appropriate attribute values in the T_ACLPERM class in the ACL_MIB(5). This method is more efficient than the command-line interface if you want to add several ACL entries at once, since tpacladd(1) adds only one ACL entry per invocation.

Of course, the easiest way to access the MIB is via the BEA Administration Console.

How to Enable Mandatory ACL Security

Default authentication offers a mandatory ACL security level that you invoke by specifying SECURITY MANDATORY_ACL in your configuration file. This security level requires that each client provide an application password, a user name, and user-specific data, such as a password, to join the application. If there is no entry in the tpacl file associated with the target application entity, the client is not permitted to access the entity. In other words, an entry must exist in the tpacl file for every application entity that a client needs to access. For this reason, this level is called mandatory.

Of course, if there is an entry in the tpacl file associated with the target application entity and a user attempts to access that entity, the user must be a member of a group that is allowed to access that entity; otherwise, permission is denied.
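The decision rules described for the optional ACL level and the mandatory ACL level above, together with the administrator bypass and the requirement that tpacl be readable and writable only by the administrator, are worked through in the following Python script. It is an added example, not BEA code and not the logic of the real AUTHSVR or of the tpacl tools. It assumes a tpacl line layout of ENTITY_NAME:ENTITY_TYPE:GROUP_ID_LIST and an entity type set of SERVICE, ENQ, DEQ and POSTEVENT; the entity names and group ids in the sample are constructed for the example. Real tpacl maintenance goes through tpacladd/tpaclmod/tpacldel or the ACL_MIB.

```python
"""Simulate BEA Tuxedo default-authorization ACL checks over a tpacl file.

Added example, not BEA code. Assumed tpacl layout:
    ENTITY_NAME:ENTITY_TYPE:GROUP_ID_LIST
with comma-separated numeric group ids and entity types
SERVICE, ENQ, DEQ, POSTEVENT (assumption, not taken from the page).
"""
import os
import stat
import tempfile

ENTITY_TYPES = {"SERVICE", "ENQ", "DEQ", "POSTEVENT"}  # assumed set

# Constructed sample tpacl; names and group ids are made up for the example.
SAMPLE_TPACL = """\
# constructed sample; comments and blank lines are skipped by this parser
TOUPPER:SERVICE:1,2
PAYROLL_POST:SERVICE:2
ORDER_Q:ENQ:1
ORDER_Q:DEQ:3
AUDIT_EVT:POSTEVENT:2
"""


def parse_tpacl(text):
    """Return {(entity_name, entity_type): set_of_group_ids}.

    A malformed line raises ValueError so a bad edit fails loudly instead
    of silently opening (ACL) or closing (MANDATORY_ACL) access.
    """
    acl = {}
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        fields = line.split(":")
        if len(fields) != 3:
            raise ValueError(f"tpacl line {lineno}: expected 3 colon-delimited fields")
        name, etype, gids = fields
        if etype not in ENTITY_TYPES:
            raise ValueError(f"tpacl line {lineno}: unknown entity type {etype!r}")
        try:
            groups = {int(g) for g in gids.split(",") if g}
        except ValueError:
            raise ValueError(f"tpacl line {lineno}: non-numeric group id in {gids!r}")
        if not groups:
            raise ValueError(f"tpacl line {lineno}: empty group list")
        key = (name, etype)
        if key in acl:
            raise ValueError(f"tpacl line {lineno}: duplicate entry for {key}")
        acl[key] = groups
    return acl


def check_access(acl, security, entity, etype, user_gid, is_admin=False):
    """Decide whether a member of group user_gid may use entity of type etype.

    security is "ACL" or "MANDATORY_ACL". The administrator/operator, and
    work running with their privileges, bypass ACL checking entirely.
    """
    if is_admin:
        return True
    groups = acl.get((entity, etype))
    if groups is None:
        # No entry: optional ACL opens the entity, mandatory ACL closes it.
        return security == "ACL"
    return user_gid in groups


def tpacl_mode_ok(path):
    """True if the file is readable and writable only by its owner (0600)."""
    return stat.S_IMODE(os.stat(path).st_mode) == 0o600


def write_sample_tpacl(directory):
    """Write the constructed sample to <directory>/tpacl with mode 0600."""
    path = os.path.join(directory, "tpacl")
    fd = os.open(path, os.O_WRONLY | os.O_CREAT | os.O_TRUNC, 0o600)
    with os.fdopen(fd, "w") as fh:
        fh.write(SAMPLE_TPACL)
    os.chmod(path, 0o600)  # undo any umask widening
    return path


if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as d:
        p = write_sample_tpacl(d)
        with open(p) as fh:
            acl = parse_tpacl(fh.read())
        print("tpacl mode ok:", tpacl_mode_ok(p))
        for sec in ("ACL", "MANDATORY_ACL"):
            print(sec, "TOUPPER gid 3:", check_access(acl, sec, "TOUPPER", "SERVICE", 3))
            print(sec, "TOLOWER gid 3:", check_access(acl, sec, "TOLOWER", "SERVICE", 3))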


To enable the MANDATORY_ACL security level, follow these steps.

  1. Set up the UBBCONFIG file.

  2. Set up the ACL file.

Instructions for these steps are provided in the following two topics.

Setting Up the UBBCONFIG File

  1. Ensure that you are working on the application MASTER machine and that the application is inactive.

  2. Open UBBCONFIG with a text editor and add the following lines to the RESOURCES and SERVERS sections.

    *RESOURCES
    SECURITY MANDATORY_ACL
    AUTHSVC "..AUTHSVC"
    .
    .
    .

    *SERVERS
    AUTHSVR SRVGRP="group_name" SRVID=1 RESTART=Y GRACE=600 MAXGEN=2 CLOPT="-A"

    CLOPT="-A" causes tmboot(1) to pass only the default command-line options (invoked by "-A") to AUTHSVR when tmboot starts the application. By default, AUTHSVR uses the client user information in a file named tpusr to authenticate clients that want to join the application. tpusr resides in the directory referenced by the first path name defined in the application's APPDIR variable.

  3. Load the configuration by running tmloadcf(1). The tmloadcf command parses UBBCONFIG and loads the binary TUXCONFIG file to the location referenced by the TUXCONFIG variable.

  4. tmloadcf prompts you for the application password. The password you enter may be up to 30 characters long. It becomes the password for the application and remains in effect until you change it by using the passwd command of tmadmin.

  5. Distribute the application password to authorized users of the application through an off-line means such as telephone or letter.

Setting Up the ACL File

See Setting Up the ACL File.
