Using the Tuxedo TOP END Domain Gateway with ATMI Applications

Configuring Security Between BEA TOP END and BEA Tuxedo Systems

This topic includes the following sections:

    How Security Is Provided Between BEA Tuxedo and BEA TOP END Systems
    Security Prerequisites
    Configuring Security in a BEA Tuxedo System
    Using BEA Tuxedo Security Administration Tools to Authorize Intersystem Access
    Defining a BEA TOP END Password for the TEDG
    Using BEA TOP END Security Administration Tools to Authorize Intersystem Access
    Configuring TEDG-to-NI Encryption and Authentication

How Security Is Provided Between BEA Tuxedo and BEA TOP END Systems

Security is provided between BEA Tuxedo and BEA TOP END systems as follows.

For Requests Passed . . .    To . . .                           Use . . .
From BEA Tuxedo clients      TOP END Domain Gateways (TEDG)     Normal BEA Tuxedo security methods
From the TEDG                BEA Tuxedo servers or queues       Normal BEA Tuxedo security methods
From BEA TOP END clients     TEDG                               Normal BEA TOP END security methods
Through the TEDG             N/A                                Parameters defined in the DMCONFIG file for the gateway

In addition, you have the following options:

Security Prerequisites

The BEA TOP END Security Services Product, version 3.0, is required for security between BEA TOP END and BEA Tuxedo systems. The product must be installed on all BEA TOP END nodes and on any BEA Tuxedo node running a TEDG that has been configured for security.

On the Windows 2000 platform, the BEA TOP END Base product is a prerequisite for installation of the BEA TOP END Security Services product. Therefore, both the BEA TOP END Base product and the BEA TOP END Security Services product must be installed on a Windows 2000 machine that is being used as a BEA Tuxedo node running a TEDG that has been configured for security. Under these circumstances, both products must be installed even if you will not be running a BEA TOP END application on the Windows 2000 machine.

Configuring Security in a BEA Tuxedo System

Defining Security in the UBBCONFIG File

Use the SECURITY parameter in the RESOURCES section of the UBBCONFIG file to specify the type of application security for the BEA Tuxedo domain. This is applicable to the interaction between:

For valid values and syntax for the SECURITY parameter, refer to the UBBCONFIG(5) reference page in the File Formats, Data Descriptions, MIBs, and System Processes Reference.

Defining Security in the DMCONFIG File

The following sections in the DMCONFIG file contain security parameters you define to establish security for a configuration that includes the TEDG:

DM_LOCAL_DOMAINS Section

The SECURITY parameter specified in the DM_LOCAL_DOMAINS section of the DMCONFIG file controls the security level for the TEDG. This parameter specifies whether BEA TOP END security is used by the TEDG for internode authentication and protection. If TYPE=TOPEND, the valid values for the SECURITY parameter are NONE, CLEAR, SAFE, and PRIVATE; any value other than NONE requires the Kerberos principal and SRVTAB setup described in Configuring TEDG-to-NI Encryption and Authentication.

Values for the SECURITY parameter must be consistent with the BEA TOP END Node Manager (NM) configuration parameters [security] and [internode security] as described in nm_config(4T). Consistency is checked during node signon.

DM_ACCESS_CONTROL Section

This optional section contains local Access Control Lists (ACL) used by the TEDG to restrict access by remote domains to local resources. Each entry consists of an ACL_NAME resource identifier along with a list of required parameters designating remote domains permitted to access the resource. If no entry exists for a local service, the service is accessible to all remote domains.

DM_LOCAL_SERVICES Section

The optional ACL parameter is used by the TEDG to restrict requests from a BEA TOP END remote domain made to specific services or queue spaces defined in SERVICE and QSPACE entries, respectively. Define the ACL parameter as follows:

ACL = identifier

where identifier specifies the name of the access control list (ACL) to be used by the TEDG to restrict requests made to the target service or queue space by BEA TOP END systems. The ACL is defined in the DM_ACCESS_CONTROL section. If this parameter is not specified then access control is not performed for requests to the service or queue space defined in this entry.

Using BEA Tuxedo Security Administration Tools to Authorize Intersystem Access

To access BEA Tuxedo services, the TEDG uses the BEA Tuxedo user ID assigned, via DOMAINID, to the appropriate remote domain.

To establish access, by a BEA TOP END application, to BEA Tuxedo resources (services and queue spaces), complete the following procedure.

  1. For each remote domain defined as type TOPEND in the DMCONFIG file, add an entry (remote domain DOMAINID and password) in the BEA Tuxedo security data files, tpusr and tpgrp, and assign the user ID entry to a group. To do so, enter the following command:
    tpusradd -u uid -g gid DOMAINID

    You will be prompted for a password for each user ID.

    If the application is not active, you must run tpusradd on the master node. If the application is active, you can run this command on any node.

    Note: You can add these entries to an existing group, or to a new group. New groups must be created before the tpusradd command can be used. To create a new group, use the tpgrpadd command. For the required syntax, see tpgrpadd(1) in the BEA Tuxedo Command Reference.

  2. Define the SECURITY parameter in the UBBCONFIG file. Add ACL entries based on the following settings in the UBBCONFIG file:

  3. Run the tpacladd(1) command to add an ACL entry to the BEA Tuxedo security data files, thus authorizing access to BEA Tuxedo resources (that is, services and/or queue spaces) as needed, for each remote domain.

    The format of the tpacladd command is as follows:

    tpacladd -g gid servicename
    tpacladd -g gid queue_space

    Note: These commands authorize access to the specified service or queue space for the owners of all user IDs in the group.
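The following POSIX shell script is an added example; it is not part of the BEA documentation or the Tuxedo product. It reads a constructed DMCONFIG fragment and does two things the text above asks an administrator to do by hand: it lists the DM_LOCAL_SERVICES entries that carry no ACL parameter (for which, as the DM_LOCAL_SERVICES section states, the TEDG performs no access control), and it prints the tpusradd and tpacladd commands from the procedure above for every remote domain of type TOPEND. GWGRP, ACLIST, LDOM, TE_PRODUCT and TE_FUNCTION are standard DMCONFIG keywords; the domain names, DOMAINIDs, service names, uid and gid values are assumptions. The script only prints the commands, it does not run them, because tpusradd prompts for each password interactively.

```shell
#!/bin/sh
# Added example, not from the BEA documentation. Audits a DMCONFIG fragment
# for services that have no ACL (and are therefore reachable from every
# remote domain) and prints the tpusradd/tpacladd commands needed for each
# TYPE=TOPEND remote domain. The configuration text below is constructed;
# domain names, DOMAINIDs, service names, uid and gid values are assumptions.

DMCONFIG_SAMPLE='
*DM_LOCAL_DOMAINS
TEDG1     GWGRP=GWTGRP TYPE=TOPEND DOMAINID="TUXDOM" SECURITY=PRIVATE

*DM_REMOTE_DOMAINS
TEREM1    TYPE=TOPEND  DOMAINID="TEDOMA"
TEREM2    TYPE=TOPEND  DOMAINID="TEDOMB"
TUXREM    TYPE=TDOMAIN DOMAINID="OTHERTUX"

*DM_ACCESS_CONTROL
ACL_A     ACLIST="TEREM1"

*DM_LOCAL_SERVICES
BALANCE   LDOM=TEDG1 TE_PRODUCT="BANK" TE_FUNCTION="BALANCE" ACL=ACL_A
WITHDRAW  LDOM=TEDG1 TE_PRODUCT="BANK" TE_FUNCTION="WITHDRAW"
'

# Print the non-blank, non-comment lines of one DMCONFIG section.
# $1 = DMCONFIG text, $2 = section name without the leading "*"
dm_section() {
    printf '%s\n' "$1" | awk -v sec="$2" '
        /^\*/ { insec = ($1 == "*" sec); next }
        insec && NF > 0 && $1 !~ /^#/ { print }
    '
}

# DOMAINIDs of the remote domains of type TOPEND: each needs a tpusr entry.
topend_remote_domainids() {
    dm_section "$1" DM_REMOTE_DOMAINS | awk '
        /TYPE=TOPEND/ {
            for (i = 2; i <= NF; i++)
                if ($i ~ /^DOMAINID=/) { v = substr($i, 10); gsub(/"/, "", v); print v }
        }
    '
}

# Local services whose entry carries no ACL parameter: the TEDG then
# performs no access control for them, so they are open to every remote domain.
services_without_acl() {
    dm_section "$1" DM_LOCAL_SERVICES | awk '
        { has_acl = 0
          for (i = 2; i <= NF; i++) if ($i ~ /^ACL=/) has_acl = 1
          if (!has_acl) print $1 }
    '
}

# Emit the commands from the procedure above for an administrator to review
# and run (tpusradd prompts for the password itself).
# $1 = DMCONFIG text, $2 = gid for the TOP END domains, $3 = first uid to assign
provisioning_commands() {
    uid=$3
    for dom in $(topend_remote_domainids "$1"); do
        printf 'tpusradd -u %s -g %s %s\n' "$uid" "$2" "$dom"
        uid=$((uid + 1))
    done
    # One tpacladd per advertised service; trim to the services each group should reach.
    dm_section "$1" DM_LOCAL_SERVICES | awk -v gid="$2" '{ print "tpacladd -g " gid " " $1 }'
}

echo "Services open to all remote domains (no ACL):"
services_without_acl "$DMCONFIG_SAMPLE"
echo
echo "Commands to authorize the TOP END domains (gid 100, uids from 1001):"
provisioning_commands "$DMCONFIG_SAMPLE" 100 1001
```

Run it as is to see the report for the constructed fragment; to audit a real configuration, pass the contents of the DMCONFIG file (for example `"$(cat DMCONFIG)"`) in place of `$DMCONFIG_SAMPLE`. The useful output is the first list: every service printed there is reachable from any remote domain until an ACL entry is added.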

Defining a BEA TOP END Password for the TEDG

To access BEA TOP END services through RTQ requests, the TEDG uses the BEA TOP END user ID assigned, via DOMAINID, to the local domain. For each local domain defined as type TOPEND in the DMCONFIG file, you must define a password for the BEA TOP END user ID. To define a password, start the dmadmin(1) utility and enter the topendpasswd command. (See Using the dmadmin Command Interpreter for details.)

Note: Non-RTQ access to BEA TOP END services is granted by defining the TEDG nodes as part of the BEA TOP END system, listing the relevant remote services in the DMCONFIG file, and configuring BEA Tuxedo user access to the TEDG advertised services.

Using BEA TOP END Security Administration Tools to Authorize Intersystem Access

After each system generation on the BEA TOP END administration node, add the new BEA Tuxedo services to the BEA TOP END product and function lists. Updating these lists makes it possible to use the tpsecure(1T) utility to authorize BEA TOP END users to access BEA Tuxedo services and queues.

  1. The file $TOPENDADM/admin/$TP_SYSTEM/product.lst contains a list of products defined for the BEA TOP END system and is used to provide choices from which the tpsecure(1T) user may select. If they are not included, add the following names to the list:

    1. The product name for each SERVICE entry in the DM_LOCAL_SERVICES section that specifies a TE_PRODUCT and TE_FUNCTION parameter.

    2. The RTQ group name for each QSPACE entry in the DM_LOCAL_SERVICES section that specifies a TE_RTQGROUP and TE_RTQNAME parameter.

  2. The file $TOPENDADM/admin/$TP_SYSTEM/prodname.fnc, where prodname is the product name, contains a list of the functions defined for the product in the BEA TOP END system, and is used to provide choices from which the tpsecure(1T) user may select. If the list of functions is incomplete, update it as follows:

    1. Add the function name for each SERVICE entry in the DM_LOCAL_SERVICES section that specifies a TE_PRODUCT and TE_FUNCTION parameter to the list of functions for the corresponding product.

    2. Add the RTQ queue name (TE_RTQNAME) for each QSPACE entry in the DM_LOCAL_SERVICES section that specifies a TE_RTQGROUP and TE_RTQNAME parameter to the list of functions for the corresponding product (TE_RTQGROUP).

    Note: BEA TOP END security requires a UNIX administration node. Hence these files reside only on UNIX systems.

  3. Use the BEA TOP END tpsecure(1T) utility on the BEA TOP END administration node to do the following:

Configuring TEDG-to-NI Encryption and Authentication

If, in the DMCONFIG file, you have assigned a value other than NONE to the SECURITY parameter, then you must establish mutual authentication and encryption. To do so, complete the following procedure.

  1. In the BEA TOP END security database, define a Kerberos principal of the form node.system for each node (machine) running the TEDG. The value of node is the name of the machine; the value of system is the name of the BEA TOP END system. (On a UNIX system, you can obtain the name of the machine by running the uname -n command.)

  2. Generate a Kerberos SRVTAB file for each node and make all such files available to each TEDG at start of day. These files are needed by the TEDG when a security level (CLEAR, SAFE, or PRIVATE) is configured in the DMCONFIG file.

    For each principal, create a SRVTAB file by using the ext_srvtab(1T) utility on the Kerberos master node. Rename each file as srvtab.system, where the value of system is the BEA TOP END system name of the principal.

  3. Copy each file to the appropriate directory (defined by the APPDIR environment variable) on the TEDG node.
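The check below is an added example, not part of the BEA documentation: a POSIX shell function that verifies, for each BEA TOP END system name, that the srvtab.system file the procedure above calls for is present in APPDIR and is not readable by group or others (a SRVTAB file holds the Kerberos keys the TEDG authenticates with). The directory and system names used in the stand-alone run are constructed; the function itself takes APPDIR and the system names as arguments.

```shell
#!/bin/sh
# Added example, not from the BEA documentation: verify that every SRVTAB file
# the procedure above calls for (srvtab.<system> in APPDIR) is present and is
# not readable by group or others, since it holds the TEDG's Kerberos keys.
# The directory and system names used in the stand-alone run are constructed.

# $1 = APPDIR, remaining arguments = BEA TOP END system names.
# Prints one line per file (OK / MISSING / EXPOSED) and returns non-zero
# if any file is missing or exposed.
srvtab_check() {
    appdir=$1
    shift
    rc=0
    for sys in "$@"; do
        f="$appdir/srvtab.$sys"
        if [ ! -f "$f" ]; then
            echo "MISSING $f"
            rc=1
        elif [ -n "$(find "$f" \( -perm -004 -o -perm -040 \))" ]; then
            echo "EXPOSED $f (readable by group or others)"
            rc=1
        else
            echo "OK $f"
        fi
    done
    return $rc
}

# Stand-alone run on a constructed APPDIR: one correct file, one world-readable
# file, and one system (SYSC) whose file was never copied.
demo_dir=$(mktemp -d)
: > "$demo_dir/srvtab.SYSA"; chmod 600 "$demo_dir/srvtab.SYSA"
: > "$demo_dir/srvtab.SYSB"; chmod 644 "$demo_dir/srvtab.SYSB"
srvtab_check "$demo_dir" SYSA SYSB SYSC || echo "SRVTAB check failed: fix before starting the TEDG"
rm -rf "$demo_dir"
```

On a real node, call `srvtab_check "$APPDIR" system1 system2 ...` with the system names from the local domains of type TOPEND; a non-zero return means a TEDG configured with CLEAR, SAFE, or PRIVATE will either fail to authenticate or is keeping its key file readable by other users on the machine.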
