Using Security in ATMI Applications

Implementing Single Point Security Administration

The following sections explain how to implement single point security administration for Tuxedo and WebLogic Server from the Tuxedo point of view:

• What Single Point Security Administration Means
• Single Point Security Administration Tasks

Note: Before setting up single point security, be sure you are familiar with the Tuxedo security architecture and requirements. You may also want to coordinate this effort with your WebLogic or LDAP Administrator.

 

---

What Single Point Security Administration Means

If you have both Tuxedo and WebLogic Server deployed in your environment, then you have to manage two sets of security information. Single point security administration allows you to leverage the WebLogic Server security to manage your security database by eliminating user and group information from Tuxedo. You can use WebLogic Server as your security database to authenticate Tuxedo users.

Note: The Tuxedo ACL information will continue to reside in Tuxedo and is not currently integrated with WebLogic Server 7.0.

If you are specifying SECURITY=ACL or SECURITY=MANDATORY_ACL in the RESOURCES section of the UBBCONFIG file, then you must continue to maintain tpgrp and tpacl files in Tuxedo.

The single point security administration feature leverages the enhanced WebLogic Server 7.0 security and the LDAP to allow single point security administration. You can maintain user security information in WebLogic Server embedded LDAP server and use the WebLogic Server Console to administer the security information from a single system. You must modify the UBBCONFIG file to enable single point security.

See Also

• Security information for WebLogic Server 8.1at the following URL:

http://download.oracle.com/docs/cd/E13222_01/wls/docs81/security.html

 

---

Single Point Security Administration Tasks

To set up single point security, you must provide the Tuxedo security information to the WebLogic Server-embedded LDAP server. This includes migrating or setting up the Tuxedo user (UID) and group (GID) information in WebLogic Server LDAP server so that authentication can be successful. For Tuxedo UID and GID values to be available to WebLogic Server, you must use the tpmigldap utility, modify the tpusr file manually with a text editor, or enter the user information via the WebLogic Administration Console.

Note: The WebLogic Administration Console may be the method used when adding one or two users after the security database is set up. For efficiency and time management, you may prefer using the tpmigldap utility or the tpusr file as a general rule.

Single point security administration consists of the following tasks:

• Setting up LAUTHSVR as the Authentication Server
• Using tpmigldap to Migrate User Information to WebLogic Server
• Adding New Tuxedo User Information

Setting up LAUTHSVR as the Authentication Server

LAUTHSVR is a System /T provided server that offers the authentication service while the user security information is located in WebLogic Server. To enable the single security administration feature, you must configure LAUTHSVR as the authentication server. At runtime, the LAUTHSVR will retrieve the user information from the WebLogic Server-embedded LDAP and authenticate users. If the authentication is successful, an appkey is returned to the user, otherwise, authentication fails.

To define LAUTHSVR as the authentication server, you must define the following parameters in the UBBCONFIG file:

• SECURITY must be set to USER_AUTH, ACL, or MANDATORY_ACL in the RESOURCES section.
• LAUTHSVR must be specified in the SERVERS section.

Note: If LAUTHSVR cannot find a valid configuration file or the file does not exist, it will log an error message in USERLOG and fail to boot. The default LAUTHSVR configuration file is $TUXDIR/udataobj/tpldap and is provided with the product.

LAUTHSVR Command Line Interface

The LAUTHSVR is the LDAP-based authentication server for Tuxedo. It requires a configuration file, that by default is $TUXDIR/udataobj/tpldap. You can create your own LAUTHSVR configuration file or use the default tpldap file that is available with the product.

The command line interface syntax for LAUTHSVR is as follows:

-f full_pathname

Specifies the full pathname of the LAUTHSVR configuration file.

Note: If -f option is omitted, the default LAUTHSVR configuration file tpldap is used.

The following sample instructs LAUTHSVR to use the default configuration file, tpldap, in the $TUXDIR/udataobj directory.

LAUTHSVR SRVGRP=GROUP1 SRVID=2 CLOPT="-A-"

In the following sample, LAUTHSVR will use the myauthsvr.conf configuration file in the /home/tuxedo/bankapp directory.

LAUTHSVR SRVGRP=GROUP1 SRVID=2 
	CLOPT="-A-- -f/home/tuxedo/bankapp/myauthsvr.conf"

Setting Up the LAUTHSVR Configuration File

LAUTHSVR supports an input configuration file that contains information such as bind DN and an unencrypted password for bind DN. This configuration file is a plain text file and can be edited using any text editor and must be protected by the system using file permissions. By default the configuration file, named tpldap, is located in $TUXDIR/udataobj directory. You can overwrite this file in the command line for LAUTHSVR. The LAUTHSVR configuration file contains keyword and value pairs as defined in Table 4-1.

Syntax Requirements for LAUTHSVR Configuration File

Although the default values for the LAUTHSVR configuration file are usually sufficient, a system administrator may choose to configure it with different names. Therefore, you should be aware of the following requirements for the LAUTHSVR configuration file:

• The LAUTHSVR configuration file is a plain text file.
• Keyword order does not matter; however, there must be at least one space character between the keyword and its value.
• Comments begin with the pound symbol (#). Text after the # is ignored.
• The upper limit of a line is 255 characters. If a line exceeds this upper limit, it will be truncated.
• The bind DN must have privileges to access the LDAP database (usually this is the LDAP administrator).

Note: Before an administrator can set up and use the Tuxedo LDAP-based security authentication server, the administrator must change the LDAP administrator password through the WebLogic Administration Console.

LAUTHSVR Configuration File Keywords

The following table defines the LAUTHSVR configuration file keywords.

Note: The only required keyword in the LAUTHSVR configuration file is PASSWORD, which specifies the password for bind DN. All other keywords are optional.

Table 4-1 LAUTHSVR Configuration File Keywords

Keyword	Value Type	Usage
FILE_VERSION	numeric	The configuration file version. This should always be 1. The default is 1.
LDAP_VERSION	numeric	The LDAP protocol version. Valid values are 2 or 3. The default is 3.
BINDDN	string	The DN used to bind to an LDAP server, usually the DN for the LDAP administrator. The default is "cn=admin".
BASE	string	LDAP search base. The default is "ou=people, ou=myrealm, dc=mydomain", where myrealm is the name of the security realm and mydomain is the name of the WebLogic Server domain.
UID	string	The userid attribute that is used to logon to WebLogic Server and Tuxedo. The default is uid.
PASSWORD	string	The password for bind DN. This is a required keyword and the password is in clear text format.
LDAP_ADDR	string	A comma separated list of WebLogic hostnames and ports. The syntax is [//]hostname[:port][,[//]hostname[:port]...]. The default value for port is 7001. If LDAP_ADDR is not specified, LAUTHSVR assumes localhost:7001 is the location to contact the LDAP server. For more information about specifying multiple network addresses, refer to Using Multiple Network Addresses for High Availability.
EXPIRE	numeric	A numeric value that represents the number of seconds the cached entry is available in the local process memory. A value other than zero will enable caching. A value of zero specifies no caching. The default is zero. For more information about enabling caching, refer to Using Multiple Network Addresses for High Availability.
SRCH_ORDER	string	Valid values are LDAP or LOCAL, or both separated by a comma. If you specify LOCAL, the search order will use the tpusr file. The default is LDAP. For more information about database search order, refer to Configuring the Database Search Order.
LOCAL_FILE	string	The full pathname of the tpusr file to be used if LOCAL search order is enabled. The default value is $APPDIR/tpusr. For more information about database search order, refer to Configuring the Database Search Order. Note: If a directory path is specified other than the default $APPDIR/tpusr, the file must be generated using Tuxedo MIB or tpusradd command line utility. Failure to do this may cause authentication failure.
WLS_DOMAIN	string	The WebLogic Server domain name. The default value is mydomain.
WLS_REALM	string	The WebLogic Server security realm name. The default is myrealm.
ADM_GROUP	string	The WebLogic Server administrator group name. The default is Administrators.
OP_GROUP	string	The WebLogic Server operators group name. The default is Operators.
TUX_UID_KW	string	The keyword used in the description to identify the Tuxedo userid. The default is TUXEDO_UID.
TUX_GID_KW	string	The keyword used in the description to identify the Tuxedo group ID. The default is TUXEDO_GID.

 

Sample LAUTHSVR Configuration File

The following listing is a sample LAUTHSVR configuration file.

Listing 4-1 Sample LAUTHSVR Configuration File

#
# Tuxedo LDAP Authentication Server configuration file.
#
# created: Thu May 26 15:36:59 2002
#
FILE_VERSION			1
LDAP_VERSION			3
BINDDN			cn=Admin
BASE			ou=people,ou=myrealm,dc=mydomain
UID			uid
PASSWORD			secret
LDAP_ADDR			//PLUTO:7001,//Saturn:7001
EXPIRE			0
SRCH_ORDER			LDAP
WLS_DOMAIN			mydomain
WLS_REALM			myrealm
ADM_GROUP			Administrators
OP_GROUP			Operators
TUX_UID_KW			TUXEDO_UID
TUX_GID_KW			TUXEDO_GID
# end of file

Warning: Because the PASSWORD for the LDAP administrator is in clear text, it is recommended that the system administrator guards this file with correct access permission.

Sample UBBCONFIG Using LAUTHSVR

A sample configuration follows with SECURITY set to ACL and LAUTHSVR defined.

Listing 4-2 Sample UBBCONFIG File Using LAUTHSVR

*RESOURCES

IPCKEY		51002
MASTER		site1
MAXACCESSERS		50
MAXSERVERS		20
MAXSERVICES		20
MODEL		SHM
LDBAL		N
BLOCKTIME		10
SECURITY		ACL
AUTHSVC		"..AUTHSVC"

*MACHINES

DEFAULT:
	APPDIR="/home/tuxedo/application"
	TUXCONFIG="/home/tuxedo/application/TUXCONFIG"
	TUXDIR="/home/tuxedo/tux81"
Server1		LMID=site1
			MAXWSCLIENTS=20

*GROUPS

GROUP1		LMID=site1 GRPNO=1
GROUP2		LMID=site1 GRPNO=2
GROUP3		LMID=site1 GRPNO=3
GROUP4		LMID=site1 GRPNO=4

*SERVERS

DEFAULT:
	CLOPT="-A" RESTART=N MAXGEN=5

LAUTHSVR		SRVGRP=GROUP1 SRVID=10
CLOPT="-A -- -F /home/tuxedo/application/lauthsvr.conf "

DMADM		SRVGRP=GROUP2 SRVID=20
GWADM		SRVGRP=GROUP3 SRVID=30
GWTDOMAIN		SRVGRP=GROUP3 SRVID=31

Simpserv		SRVGRP=GROUP4 SRVID=40

*SERVICES

TOUPPER

Using Multiple Network Addresses for High Availability

It is possible to configure more than one network address for a WebLogic Server domain. This may be a favorable configuration in order to provide high availability for user authentication. The user security information is replicated to all WebLogic Server-embedded LDAP servers in a WebLogic domain. LAUTHSVR can only connect to one server at a time; however, when a network error occurs, LAUTHSVR will try to connect to the next available address.

To configure multiple network addresses for LAUTHSVR, use the LDAP_ADDR keyword in the LAUTHSVR configuration file. The order in which the hostnames are specified is the order in which LAUTHSVR will try to connect. To use caching during authentication, specify the EXPIRE keyword. The value in this keyword will determine the number of seconds the cached entry is available in the local process memory.

Note: It is not required to have WebLogic Server available when you boot Tuxedo using tmboot; however, without the availability of at least one WebLogic Server, LAUTHSVRs ability to authenticate users is limited.

Without the availability of WebLogic Server, you can boot Tuxedo and authenticate users using SRCH_ORDER LOCAL. In this case, the user authentication is verified against the tpusr file. For more information about search order, refer to Configuring the Database Search Order.

Sample LAUTHSVR Configuration of Multiple Network Addresses

The following sample specifies multiple network addresses in the LDAP_ADDR keyword.

LDAP_ADDR //Pluto:8000,//Saturn,Jupiter

The previous sample specifies three WebLogic Server hostnames. The first server runs on Pluto and uses address 8000. The second server runs on Saturn and uses the default address 7001. The third server runs on Jupiter and also uses the default address 7001.

Configuring the Database Search Order

By default the LAUTHSVR authentication server will search the user information in the WebLogic Server-embedded LDAP server. To enable the use of the tpusr file in the database search, you must specify LOCAL in the SRCH_ORDER keyword. The order that the comma separated values are defined in the SRCH_ORDER keyword will specify the order in which LAUTHSVR searches for user information. LAUTHSVR will search the LDAP server or the tpusr file or both (according to the order of the values specified).

If there are two or more SRCH_ORDER entries specified in the LAUTHSVR configuration file, only the last entry takes effect. In this case a warning message is logged in USERLOG as well. A warning message also results if you specify a value other than LDAP or LOCAL in the SRCH_ORDER keyword. In this case, the invalid entry is discarded and the default value or a previous valid SRCH_ORDER entry is used.

Sample LAUTHSVR Configuration for Database Search Order

The following sample specifies that LAUTHSVR should search the WebLogic Server-embedded LDAP server first for user information. If the user information is not found in the LDAP server, then LAUTHSVR should look in the tpusr file.

SRCH_ORDER LDAP,LOCAL

The following sample specifies that LAUTHSVR should search the tpusr file first for user information. If the user information is not found in the tpusr file, then LAUTHSVR should look in the WebLogic Server-embedded LDAP server for the information.

SRCH_ORDER LOCAL,LDAP

The following sample specifies that LAUTHSVR should search the tpusr file only for user information.

SRCH_ORDER LOCAL

See Also

• LAUTHSVR(5) in the BEA Tuxedo File Formats, Data Descriptions, MIBs, and System Processes Reference

Using tpmigldap to Migrate User Information to WebLogic Server

You should use the tpmigldap command utility to migrate Tuxedo user and group information to WebLogic Server.

Assigning New Passwords for the tpusr File

Before migrating the user and group information, the administrator must assign new passwords for each user so the migration can be successful. This step is required because the passwords in the tpusr file are encrypted with one-way encryption; therefore, it is impossible to retrieve the original password from the file.

There are two ways to handle this password situation:

• Modify the tpusr file.

You can modify the tpusr file using a text editor and change the user password for each user in the file. The password field is the second field in the tpusr file. The field delimiter is a colon (:). Each user takes up a line in the tpusr file.

The following sample:

TuxedoUser1:ADdg0w8nfGMag:6001:601:TPCLTNM,*::
TuxedoUser2:0Yq2s6FjbvuU2:6002:601:TPCLTNM,*::

could be modified to:

TuxedoUser1:User1Password:6001:601:TPCLTNM,*::
TuxedoUser2:User2Password:6002:601:TPCLTNM,*::

• Use the -f option with the tpmigldap utility to define a default password for all users.

If a -f option is used, then the argument that follows will be used as a substitute for the password field in the tpusr file for every user in the file.

The following sample command:

tpmigldap -f userpassword -c

will cause "userpassword" to be assigned to every user in the tpusr file. After the migration, all users will have to use "userpassword" as their password in order to join the Tuxedo application.

tpmigldap Command Line Options

The following table defines the command line options for the tpmigldap utility. The order of the command line options does not matter.

Note: The tpmigldap command requires the use of -w or -c so the user or group can be added to the WebLogic Server-embedded LDAP database.

Table 4-2 tpmigldap Command Line Options

Command Line Option	Option Argument	Default Value	Usage
-h	hostname	localhost	Hostname of WebLogic Server.
-p	port	7001	Port number for WebLogic Server Administration Console.
-d	domain	mydomain	WebLogic Server domain name.
-r	realm	myrealm	WebLogic Server security realm name.
-i	TUXEDO_UID keyword string	TUXEDO_UID	The keyword string for Tuxedo UID that the administrator wants to use in the WebLogic Server user "description" attribute.
-e	TUXEDO_GID keyword string	TUXEDO_GID	The keyword string for Tuxedo GID that the administrator wants to use in the WebLogic Server user "description".
-f	user password	No default.	The default user password for every user in the tpusr file.
-b	binddn	cn=Admin	LDAP connection bind DN.
-w	password	No default.	The password for bind DN.
-c	Not applicable.	No default.	A prompt for entering a password for bind DN.
-u	full path name	$APPDIR/tpusr	The full directory path for the tpusr file.
-g	full path name	$APPDIR/tpgrp	The full directory path for the tpgrp file.

 

See Also

• tpmigldap(1) in the BEA Tuxedo Command Reference

Adding New Tuxedo User Information

There are two methods for adding new user and group information to the single security LDAP database:

• Add new information to the tpusr text file and then specify the updated file when using the migration utility tpmigldap. Refer to Adding New User Information in tpusr or tpgrp.
• Use the WebLogic Administration Console to add user or group information. Refer to Adding New User Information Using the WebLogic Administration Console.

Note: Using the WebLogic Administration Console may not be efficient for adding large numbers of users to the LDAP database. In the case of adding several users, you may want to use the tpmigldap utility.

Adding New User Information in tpusr or tpgrp

To add new user information to the single point security LDAP database:

Use your existing tpusr file and tpgrp file to add the new user and group information. Be sure to use the same format previously defined in the file. Be sure to use clear text passwords to add to the LDAP database.
Run the tpmigldap utility using the -u option and specify the updated tpusr file and the -g option and specify the updated tpgrp file. For example:

tpmigldap -u $APPDIR/tpusr -g $APPDIR/tpgrp

Adding New User Information Using the WebLogic Administration Console

To add new user information to the single point security LDAP database using the WebLogic Administration Console:

Access the WebLogic Administration Console and select Security —>Realms—> myrealm where myrealm represents the LDAP security realm.




 
Click Configure a new User... and access the General tab.




 

Enter the user information:

In the Name field specifies the user name.

In the Description field specify the Tuxedo UID and GID values as a string in the following syntax:

<TUXEDO UID KEYWORD>=<decimal value>
<TUXEDO GID KEYWORD>=<decimal value>

where by default, the TUXEDO UID KEYWORD is TUXEDO_UID and TUXEDO GID KEYWORD by default is TUXEDO_GID. For example:

TUXEDO_UID=2504 TUXEDO_GID=601.

In the Password field, specify the password for the user. Then confirm the password by entering the password again in the Confirm Password field.

Click Apply to update the LDAP database with the new user information.