Security Interoperability
Application developers and administrators must be aware of certain security issues when configuring applications to interoperate with BEA Tuxedo pre-Release 7.1 (6.5 or earlier) software.
Interoperability, as defined in this discussion, is the ability of the current release of BEA Tuxedo software to communicate over a network with a previous release of BEA Tuxedo software. Specifically, inter-domain interoperability and intra-domain interoperability have the following meanings:
Inter-domain interoperability: Involves one BEA Tuxedo application running BEA Tuxedo Release 7.1 or later software, and another BEA Tuxedo application running BEA Tuxedo pre-Release 7.1 software. See the diagram Inter-Domain Interoperability for clarification.
Intra-domain interoperability: Involves one machine in a multiple-machine BEA Tuxedo application running BEA Tuxedo Release 7.1 or later software, and another machine in the same application running BEA Tuxedo pre-Release 7.1 software. See the diagram Intra-Domain Interoperability for clarification.
Diagram: Inter-Domain Interoperability
Interoperating with Pre-Release 7.1 Software
Interoperating with BEA Tuxedo pre-Release 7.1 software is allowed or disallowed at the authentication security level. Authentication, as implemented by BEA Tuxedo Release 7.1 or later software, allows communicating processes to mutually prove their identities.
By default, interoperability with a machine running BEA Tuxedo pre-Release 7.1 software is not allowed. To change the default, an application administrator can use the CLOPT -t option to allow Workstation Handlers (WSHs), domain gateways (GWTDOMAINs), and servers in the Release 7.1 or later application to interoperate with BEA Tuxedo pre-Release 7.1 software. Mandating Interoperability Policy provides instructions for using the CLOPT -t option as well as the security ramifications for authentication and authorization when using CLOPT -t.
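Because the CLOPT -t option is what relaxes the default deny-by-default policy, an administrator will want to know exactly which *SERVERS entries carry it. The following audit script is an added example, not part of the BEA documentation; it assumes that -t is a generic server option placed before the "--" separator in CLOPT, and the UBBCONFIG fragment it scans is constructed for illustration.

```python
import re
import shlex

# Constructed sample *SERVERS section (not taken from the page). The "-t" placed
# before the "--" separator is the CLOPT switch the text describes: it relaxes the
# default and lets that process interoperate with pre-Release 7.1 software.
SAMPLE_UBBCONFIG = """
*SERVERS
DEFAULT: RESTART=Y MAXGEN=5
simpserv  SRVGRP="GROUP1" SRVID=1  CLOPT="-A"
WSL       SRVGRP="GROUP1" SRVID=2  CLOPT="-A -t -- -n //wshost:2999 -m 2 -M 5"
GWTDOMAIN SRVGRP="DMGRP"  SRVID=3  CLOPT="-A -t"
payserv   SRVGRP="GROUP2" SRVID=4  CLOPT="-A -- -t 30"
*SERVICES
"""

CLOPT_RE = re.compile(r'CLOPT\s*=\s*"([^"]*)"')
SRVID_RE = re.compile(r"SRVID\s*=\s*(\d+)")


def allows_pre71(clopt: str) -> bool:
    """True when the generic part of CLOPT (before any "--") carries -t.

    Assumption: -t is a generic server option, so it only counts before "--";
    a "-t" after "--" is an argument of the server itself. Only the exact
    token "-t" is matched; bundled flags such as "-At" are not recognised."""
    tokens = shlex.split(clopt)
    generic = tokens[: tokens.index("--")] if "--" in tokens else tokens
    return "-t" in generic


def audit_servers(ubbconfig: str) -> dict:
    """Map (server name, SRVID) -> whether that *SERVERS entry allows pre-7.1
    interoperability. A CLOPT set on the DEFAULT: line is not merged in."""
    result = {}
    in_servers = False
    for raw in ubbconfig.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line.startswith("*"):  # section header such as *SERVERS
            in_servers = line.upper() == "*SERVERS"
            continue
        if not in_servers or line.upper().startswith("DEFAULT:"):
            continue
        name = line.split()[0]
        srvid = SRVID_RE.search(line)
        clopt = CLOPT_RE.search(line)
        key = (name, int(srvid.group(1)) if srvid else None)
        result[key] = allows_pre71(clopt.group(1) if clopt else "")
    return result
```

Running audit_servers over a real UBBCONFIG lists every WSL, GWTDOMAIN and application server whose policy has been relaxed, which is the set to review against the authentication and authorization ramifications described in Mandating Interoperability Policy.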
Interoperability for Link-Level Encryption
Whenever a network link is established between machines running BEA Tuxedo software, link-level encryption (LLE) may be used to encrypt data before it is sent over the network link and to decrypt it as it comes off the link. Link-level encryption is possible only if LLE is installed on both the sending and receiving machines.
LLE interoperability with BEA Tuxedo pre-Release 7.1 software is described in Backward Compatibility of LLE.
Interoperability for Public Key Security
The following interoperability rules for public key security apply to a machine running Release 7.1 or later BEA Tuxedo software that is configured to interoperate with a machine running BEA Tuxedo pre-Release 7.1 software. To clarify the rules, each rule has an accompanying example scenario involving a Workstation client running BEA Tuxedo pre-Release 7.1 software.
For inter-domain interoperability, Release 7.1 or later domain gateway (GWTDOMAIN) processes enforce the interoperability rules for public key security.
For intra-domain interoperability, Release 7.1 or later native clients, Workstation Handlers (WSHs), or server processes communicating with the local bridge process enforce the interoperability rules for public key security, as shown in the following diagram. A bridge process operates only as a conduit; it does not decrypt message buffer content or verify digital signatures.
Diagram: Enforcing Intra-Domain Interoperability Rules for Public Key Security
Note: Typically, a Release 7.1 or later WSH does not verify digital signatures. But when routing a digitally signed message buffer to a process running BEA Tuxedo pre-Release 7.1 software, the WSH verifies any digital signatures before removing them.
Copyright © 2000 BEA Systems, Inc. All rights reserved.