BEA Tuxedo Release 7.1

   Using the BEA Tuxedo TOP END Domain Gateway

How BEA Tuxedo to BEA TOP END Security Works

Clients are authenticated and authorized by the BEA Tuxedo system on the basis of how the local domain is configured in the UBBCONFIG(5) file. If BEA TOP END security is enabled, an additional security check can be done on the BEA TOP END node.

BEA Tuxedo-side Security

Clients are authenticated by the BEA Tuxedo system in the same way as any other BEA Tuxedo client, via user ID and password. Clients are authorized through a standard BEA Tuxedo authorization scheme characterized by the following:

If the BEA Tuxedo-side security is successful, the TEDG prepares to send the message to the BEA TOP END system. At this point, BEA TOP END security takes over.

BEA TOP END-side Security

If BEA TOP END security is enabled, the TEDG inserts a user ID into all messages passed to the BEA TOP END system. To enqueue requests, the TEDG provides both a user ID and password in each message. The password is protected using the current BEA TOP END algorithm used by RTQ.

The TEDG uses a single set of credentials for all messages passed to the BEA TOP END system:

The password is stored in the BDMCONFIG file in an encrypted format. The administrator defines a matching user ID and password in the BEA TOP END security database using the BEA TOP END tpsecure(1T) utility.

If BEA TOP END security is enabled, BEA TOP END message passing requires that messages carry the user ID of the client. Because the user ID is not reauthenticated by the BEA TOP END system, a password is not required; the user ID is provided purely for information. For queuing, the BEA TOP END system requires that both the user ID and password be passed along with the service request. The BEA TOP END system uses these credentials to authenticate the client while processing the queued service request.

The BEA TOP END system does not perform any additional access control checking for message passing requests. However, queued requests are authorized by the BEA TOP END system when they are retrieved by RTQ and the service request is processed. Because all messages from the TEDG are submitted using the TEDG TOP END user ID (which is equal to the local domain DOMAINID), this TEDG user ID must be authorized to perform the requested service. The administrator must create ACLs for the TEDG user ID using the BEA TOP END tpsecure(1T) utility.
