BEA Tuxedo Release 8.0

Using the BEA Tuxedo Domains Component


How to Create a Domains Access Control List (ACL)

To create a domain ACL, you must specify the name of the domain ACL and a list of the remote domains that are part of the list (the Domain Import VIEW List) in the DM_ACCESS_CONTROL section of the DMCONFIG file. The following table describes these two fields.

Domain ACL Field: Domain ACL name

Description: The name of this ACL. A valid name consists of a string of 1-30 characters, inclusive. It must be printable and it may not include a colon, a pound sign, or a newline character.

Example: ACLGRP1

Domain ACL Field: Remote Domain list

Description: The list of remote domains that are granted access in this access control list. A valid value in this field is a set of one or more comma-separated remote domain names.

Examples: REMDOM1,REMDOM2,REMDOM3


 

Using Standard BEA Tuxedo Access Control Lists with Imported Remote Services

A remote service imported from a remote domain is viewed simply as a service within a BEA Tuxedo domain. The standard BEA Tuxedo ACL mechanism can then be used to restrict access to this service by particular groups of users.

For information on using BEA Tuxedo access control lists, refer to the following entries in the BEA Tuxedo Command Reference: tpacladd(1), tpaclmod(1), tpacldel(1), tpusradd(1), tpusrmod(1), tpusrdel(1), tpgrpadd(1), tpgrpmod(1), and tpgrpdel(1).

Setting the ACL Policy for a Remote Domain

As the administrator, you can use the following configuration parameters to set and control the access control list (ACL) policy for remote domains running BEA Tuxedo release 7.1 or later software.

Parameter Name: ACL_POLICY in DMCONFIG (TA_DMACLPOLICY in DM_MIB)

Description: May appear in the DM_REMOTE_DOMAINS section of the DMCONFIG file for each remote domain access point. Its value for a particular remote domain access point determines whether or not the local domain gateway modifies the identity of service requests received from the remote domain.*

Setting: LOCAL or GLOBAL. Default is LOCAL.

LOCAL means that the local domain modifies the identity of service requests received from this remote domain to the principal name specified in the LOCAL_PRINCIPAL_NAME parameter for this remote domain. GLOBAL means that the local domain uses any credential it might receive from the remote domain on inbound service requests. If no credential is received from the remote domain, the service request is forwarded to the service without credentials (which will usually fail).

Note: This parameter controls whether or not the local domain accepts a credential from a remote domain. A parameter related to this one is CREDENTIAL_POLICY, which controls whether or not a local domain sends credentials to the remote domain.

Parameter Name: LOCAL_PRINCIPAL_NAME in DMCONFIG (TA_DMLOCALPRINCIPALNAME in DM_MIB)

Description: May appear in the DM_REMOTE_DOMAINS section of the DMCONFIG file for each remote domain access point. If the ACL_POLICY parameter is set (or defaulted) to LOCAL for a particular remote domain access point, the local domain gateway modifies the identity of service requests received from the remote domain to the principal name specified in LOCAL_PRINCIPAL_NAME.

Setting: 1-511 characters. If not specified, the principal name defaults to the DOMAINID string for the remote domain access point.

* A remote domain access point is also known as an RDOM (pronounced "are dom") or simply remote domain.

For more information about ACL Policy, refer to Chapter 2, "Administering Security," in Using Security in ATMI Applications.

Setting the Credential Policy for a Remote Domain

As the administrator, you can use the following configuration parameters to set and control the credential policy for remote domains running BEA Tuxedo release 8.0 or later software.

Parameter Name: CREDENTIAL_POLICY in DMCONFIG (TA_DMCREDENTIALPOLICY in DM_MIB)

Description: May appear in the DM_REMOTE_DOMAINS section of the DMCONFIG file for each remote domain access point. Its value for a particular remote domain access point determines whether or not the local domain gateway modifies the identity of service requests received from the remote domain.*

Setting: LOCAL or GLOBAL. Default is LOCAL.

If the policy is LOCAL, the domain does not attach the credentials of the user that originated a request to the invocation sent to the remote domain.

If the policy is GLOBAL, the domain attaches the credentials of the user that originated a request to the invocation sent to the remote domain.

Note: This parameter controls whether or not user credentials are sent to a remote domain. A parameter related to this one is ACL_POLICY, which controls whether or not incoming credentials are accepted by a domain.

* A remote domain access point is also known as an RDOM (pronounced "are dom") or simply remote domain.

For more information about Credential Policy, refer to Chapter 2, "Administering Security," in Using Security in ATMI Applications.
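The following DMCONFIG fragment is an added example, not taken from the BEA documentation, that pulls together the DM_ACCESS_CONTROL entry described at the top of this page and the ACL_POLICY, LOCAL_PRINCIPAL_NAME and CREDENTIAL_POLICY settings described in the two tables above. The domain names, network addresses, service names and principal names are constructed; the ACLIST, ACL and SECURITY keywords and the DM_LOCAL_DOMAINS, DM_TDOMAIN and DM_LOCAL_SERVICES sections are not described on this page and are assumed from dmconfig(5).

```text
# Added example (not BEA's own configuration). Names and addresses are
# constructed; ACLIST, ACL, SECURITY and the DM_LOCAL_DOMAINS, DM_TDOMAIN
# and DM_LOCAL_SERVICES sections are assumed from dmconfig(5), not from
# this page.

*DM_LOCAL_DOMAINS
LOCALDOM        GWGRP=GWGRP1
                TYPE=TDOMAIN
                DOMAINID="LocalDomain"
                SECURITY=DM_PW

*DM_REMOTE_DOMAINS
# ACL_POLICY=LOCAL (the default): every request arriving from REMDOM1 runs
# as the fixed principal "remdom1_guest", whatever credential the remote
# side sends. CREDENTIAL_POLICY=LOCAL: no local user identity is forwarded.
REMDOM1         TYPE=TDOMAIN
                DOMAINID="RemoteDomain1"
                ACL_POLICY=LOCAL
                LOCAL_PRINCIPAL_NAME="remdom1_guest"
                CREDENTIAL_POLICY=LOCAL

# ACL_POLICY=GLOBAL: the credential carried on an inbound request is used
# as received; a request with no credential is forwarded without one and
# usually fails. CREDENTIAL_POLICY=GLOBAL: the originating user's
# credential is attached to calls made into REMDOM2.
REMDOM2         TYPE=TDOMAIN
                DOMAINID="RemoteDomain2"
                ACL_POLICY=GLOBAL
                CREDENTIAL_POLICY=GLOBAL

# REMDOM3 sets neither parameter, so ACL_POLICY defaults to LOCAL and its
# inbound requests run as the DOMAINID string "RemoteDomain3".
REMDOM3         TYPE=TDOMAIN
                DOMAINID="RemoteDomain3"

*DM_TDOMAIN
LOCALDOM        NWADDR="//localhost:9001"
REMDOM1         NWADDR="//remote1.example:9001"
REMDOM2         NWADDR="//remote2.example:9001"
REMDOM3         NWADDR="//remote3.example:9001"

*DM_ACCESS_CONTROL
# Domain ACL name (1-30 printable characters, no ':' '#' or newline)
# followed by the comma-separated remote domains it admits.
ACLGRP1         ACLIST="REMDOM1,REMDOM2,REMDOM3"
PARTNERS_ONLY   ACLIST="REMDOM1"

*DM_LOCAL_SERVICES
# Services exported to remote domains; ACL names the domain ACL whose
# members may call each one.
ACCT_BALANCE    ACL=ACLGRP1
ACCT_TRANSFER   ACL=PARTNERS_ONLY
```

With this configuration, a call to ACCT_TRANSFER from REMDOM2 or REMDOM3 is rejected by the domain ACL, and a call accepted from REMDOM1 is then subject to the standard BEA Tuxedo ACLs as principal remdom1_guest.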
