BEA Tuxedo Release 8.0: Using Security in ATMI Applications


How to Enable User-Level Authentication Security

Default authentication offers a user-level authentication security level that you invoke by specifying SECURITY USER_AUTH in your configuration file. At this security level, in addition to the application password, each client must provide a valid username and user-specific data, such as a password, to join the ATMI application. The per-user password must match the password stored for that user/client-name combination in a file named tpusr. The check of the per-user password against the password and user/client name in tpusr is carried out by the authentication service AUTHSVC, which is provided by the authentication server AUTHSVR.

To enable the USER_AUTH security level, follow these steps.

  1. Set up the UBBCONFIG file.

  2. Set up the user and group files.

Instructions for these steps are provided in the following two topics.

Setting Up the UBBCONFIG File

  1. Ensure that you are working on the ATMI application MASTER machine and that the ATMI application is inactive.

  2. Open UBBCONFIG with a text editor and add the following lines to the RESOURCES and SERVERS sections:
    *RESOURCES
    SECURITY USER_AUTH
    AUTHSVC AUTHSVC
    .
    .
    .
    *SERVERS
    AUTHSVR SRVGRP="group_name" SRVID=1 RESTART=Y GRACE=600 MAXGEN=2 CLOPT="-A"

    CLOPT="-A" causes tmboot(1) to pass only the default command-line options (invoked by "-A") to AUTHSVR when tmboot starts the ATMI application. By default, AUTHSVR uses the client user information in a file named tpusr to authenticate clients that want to join the ATMI application. tpusr resides in the directory referenced by the first pathname defined in the ATMI application's APPDIR variable.

  3. Load the configuration by running tmloadcf(1). The tmloadcf command parses UBBCONFIG and loads the binary TUXCONFIG file to the location referenced by the TUXCONFIG variable.

  4. The system prompts you for a password. The password you enter may be up to 30 characters long. It becomes the password for the ATMI application and remains in effect until you change it by using the passwd command of tmadmin.

  5. Distribute the application password to authorized users of the ATMI application through an offline means such as telephone or letter.
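The UBBCONFIG settings above can be sanity-checked before running tmloadcf. The following script is an added example, not part of the BEA documentation or the Tuxedo product: it reads a UBBCONFIG text file and confirms that the RESOURCES section sets SECURITY USER_AUTH and names an AUTHSVC, and that the SERVERS section defines an AUTHSVR entry booted with CLOPT="-A". The sample configuration it writes is constructed for the demonstration (the group name and the second SECURITY value are placeholders), and the check is a plain text scan, not a replacement for tmloadcf's own parsing.

```shell
#!/bin/sh
# Added example: static check that a UBBCONFIG file enables USER_AUTH.

# Return 0 when the file has, in *RESOURCES, "SECURITY USER_AUTH" and an
# "AUTHSVC <name>" line, and in *SERVERS an AUTHSVR entry with CLOPT="-A".
# $1: path to the UBBCONFIG text file.
ubb_user_auth_check() {
    awk '
        $1 ~ /^\*/          { section = $1; next }   # section header, e.g. *RESOURCES
        $1 ~ /^#/           { next }                 # comment line
        section == "*RESOURCES" && $1 == "SECURITY" && $2 == "USER_AUTH" { sec = 1 }
        section == "*RESOURCES" && $1 == "AUTHSVC"  && $2 != ""          { svc = 1 }
        section == "*SERVERS"   && $1 == "AUTHSVR"  && /CLOPT="-A"/      { srv = 1 }
        END {
            if (!sec) print "RESOURCES: SECURITY USER_AUTH not set"
            if (!svc) print "RESOURCES: AUTHSVC not set"
            if (!srv) print "SERVERS: no AUTHSVR entry with CLOPT=\"-A\""
            exit (sec && svc && srv) ? 0 : 1
        }
    ' "$1"
}

# Write a constructed UBBCONFIG fragment for demonstration.
# $1: output path; $2: value for the SECURITY parameter (e.g. USER_AUTH).
write_sample_ubb() {
    cat > "$1" <<EOF
*RESOURCES
SECURITY    $2
AUTHSVC     AUTHSVC
*SERVERS
# "APPGRP" is a placeholder group name for this sample only.
AUTHSVR SRVGRP="APPGRP" SRVID=1 RESTART=Y GRACE=600 MAXGEN=2 CLOPT="-A"
EOF
}

# Usage: sh ubbcheck.sh /path/to/UBBCONFIG
if [ -n "${1:-}" ]; then
    ubb_user_auth_check "$1" && echo "USER_AUTH configuration present in $1"
fi
```

Run it against the real UBBCONFIG before loading; a non-zero exit with a printed reason means one of the three settings from the procedure above is missing.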

Setting Up the User and Group Files

AUTHSVR and the access control checking feature available with the default authorization system require a user file named tpusr, which contains a list of client users allowed to join the ATMI application. tpusr is maintained by the application administrator using the tpusradd(1), tpusrdel(1), and tpusrmod(1) commands. The AUTHSVR server takes as input the client user information stored in the tpusr file; it uses this information to authenticate clients that want to join the ATMI application.

The following display is a sample entry in the tpusr file.

AUTHSVR and the access control checking feature also require a group file named tpgrp, which contains a list of groups associated with the client users allowed to join the ATMI application; tpgrp is maintained by the application administrator using the tpgrpadd(1), tpgrpdel(1), and tpgrpmod(1) commands.

AUTHSVC assigns an authenticated client user an application key, which contains a user identifier and associated group identifier for the USER_AUTH, ACL, or MANDATORY_ACL security level. (See Application Key for more information about application keys.)

The following display is a sample entry in the tpgrp file.

As the administrator, you must define the lists of users and groups in the tpusr and tpgrp files, both of which are located in the directory referenced by the first path name defined in the ATMI application's APPDIR variable. The files are colon-delimited, flat text files, and must be readable and writable only by the application's administrator.
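Because tpusr holds the per-user authentication data, its ownership and mode are worth verifying as part of routine administration. The following script is an added example, not BEA's own tooling: it locates tpusr and tpgrp in the first path of APPDIR and confirms that both exist, are owned by the invoking administrator, and are mode 600 (readable and writable only by the owner). It uses ls -ldn so the owner is compared by numeric uid, which avoids name-lookup differences between hosts; the temporary directory and empty files in the test are constructed stand-ins for a real APPDIR.

```shell
#!/bin/sh
# Added example: verify ownership and permissions of tpusr and tpgrp.

# Return 0 when both files exist in the first APPDIR path, are owned by the
# current user, and have mode -rw------- (600); otherwise print why and return 1.
# $1: APPDIR value (may be colon-separated; only the first path is used).
acl_file_check() {
    first="${1%%:*}"
    admin_uid="$(id -u)"
    for f in tpusr tpgrp; do
        path="$first/$f"
        if [ ! -f "$path" ]; then
            echo "missing file: $path"
            return 1
        fi
        # ls -ldn: mode is field 1, numeric owner uid is field 3.
        set -- $(ls -ldn "$path")
        mode="$1"
        owner="$3"
        case "$mode" in
            -rw-------*) ;;            # 600, possibly with an ACL/SELinux suffix
            *) echo "bad mode $mode on $path (expected 600)"; return 1 ;;
        esac
        if [ "$owner" != "$admin_uid" ]; then
            echo "bad owner uid $owner on $path (expected $admin_uid)"
            return 1
        fi
    done
    return 0
}

# Usage: with APPDIR set, run: sh aclcheck.sh
if [ -n "${APPDIR:-}" ]; then
    acl_file_check "$APPDIR" && echo "tpusr and tpgrp permissions look correct"
fi
```

A failed check typically means the files were created or copied by a different account, or a conversion or edit left them world-readable; fix with chmod 600 and the administrator's ownership before booting the application.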

Converting System Security Data Files to BEA Tuxedo User and Group Files

You may already have files containing lists of users and groups on your host system. You can use them as the user and group files for your ATMI application, but only after converting them to the format required by the BEA Tuxedo system. To convert your files, run the tpaclcvt(1) command, as shown in the following sample procedure. The sample procedure is written for a UNIX host machine.

  1. Ensure that you are working on the ATMI application MASTER machine and that the ATMI application is inactive.

  2. To convert the /etc/passwd file into the format needed by the BEA Tuxedo system, enter the following command.
    tpaclcvt -u /etc/passwd

    This command creates the tpusr file and stores the converted data in it. If the tpusr file already exists, tpaclcvt adds the converted data to the file, but it does not add duplicate user information to the file.

Note: For systems on which a shadow password file is used, you are prompted to enter a password for each user in the file.

  3. To convert the /etc/group file into the format needed by the BEA Tuxedo system, enter the following command.
    tpaclcvt -g /etc/group

    This command creates the tpgrp file and stores the converted data in it. If the tpgrp file already exists, tpaclcvt adds the converted data to the file, but it does not add duplicate group information to the file.

Adding, Modifying, or Deleting Users and Groups

The BEA Tuxedo system requires that you maintain a list of your application users in a file named tpusr, and a list of groups, in a file named tpgrp. There are two methods of modifying the entries in these files: by issuing commands or by changing the values of the appropriate attributes in the ACL_MIB.

Changing Entries for Users and Groups Through Commands

You can add, modify, or delete entries in the tpusr and tpgrp files at any time by running one of the following commands.

Run . . .       To . . .    An Entry in This File
tpusradd(1)     Add         tpusr
tpusrmod(1)     Modify      tpusr
tpusrdel(1)     Delete      tpusr
tpgrpadd(1)     Add         tpgrp
tpgrpmod(1)     Modify      tpgrp
tpgrpdel(1)     Delete      tpgrp

To run any of these commands, follow these steps.

  1. For an inactive ATMI application, make sure you are working from the application MASTER machine. For an active ATMI application, you may work from any machine in the configuration.

  2. For specific instructions on running a command, see the entry for that command in the BEA Tuxedo Command Reference.

Changing Entries for Users and Groups Through the ACL_MIB

If you prefer not to use the command-line interface, you can add, modify, or delete user entries in tpusr by changing the appropriate attribute values in the T_ACLPRINCIPAL class in the ACL_MIB(5). This method is more efficient than the command-line interface if you want to add several user entries simultaneously, since tpusradd(1) allows you to add only one user at a time.

Similarly, you can add, modify, or delete group entries in tpgrp by changing the appropriate attribute values in the T_ACLGROUP class in the ACL_MIB(5). This method is more efficient than the command-line interface if you want to add several group entries simultaneously, since tpgrpadd(1) allows you to add only one group at a time.

Of course, the easiest way to access the MIB is via the BEA Administration Console.
