BEA WebLogic Enterprise Release 5.0

Defining Security for a WLE CORBA Application

This topic includes the following sections:

Setting Parameters for Security in the UBBCONFIG File
Sample UBBCONFIG File for Username/Password Authentication
Sample UBBCONFIG File for Certificate-Based Authentication
Defining Authorized Users

Setting Parameters for Security in the UBBCONFIG File

To configure security for your WLE application, you need to set parameters in the UBBCONFIG file that define the following:

The authentication server
The security level
The level of link-level encryption

To set parameters in the UBBCONFIG file, open the file in any text editor. The parameters for security take effect when you use the tmloadcf command to update the configuration parameters for your WLE application. The following sections describe setting the parameters for security in the UBBCONFIG file.

Configuring the Authentication Server

Note: You need to configure the Authentication Server only if you have specified a value of USER_AUTH or higher for the SECURITY parameter.

Username/Password authentication requires that an authentication server be configured to authenticate users by checking their individual passwords against a file of legal users. The WLE system uses a default authentication server called AUTHSVR to perform authentication.

For a WLE application to authenticate users, the AUTHSVC parameter in the RESOURCES section of the UBBCONFIG file must name the service that performs authentication; the service must be called AUTHSVC. If the AUTHSVC parameter is specified in the RESOURCES section, the SECURITY parameter must also be specified, with a value of at least USER_AUTH. If it is not, tmloadcf reports an error when it loads the configuration.

In addition, you need to define AUTHSVR in the SERVERS section of the UBBCONFIG file. The SERVERS section contains information about the server processes to be booted in the WLE application. For more information about the parameters in the SERVERS section of the UBBCONFIG file, see the Administration Guide in the WebLogic Enterprise online documentation.

Listing 4-1 contains the portion of the UBBCONFIG file that defines the authentication server.

Listing 4-1 Parameters for the Authentication Server


*RESOURCES
SECURITY USER_AUTH
AUTHSVC "AUTHSVC"

*SERVERS
AUTHSVR
SRVGRP="SYS_GRP"
SRVID=1
RESTART=Y
GRACE=60
MAXGEN=2

Defining a Security Level

As part of defining security for a WLE application, you need to define the SECURITY parameter in the RESOURCES section of the UBBCONFIG file. The SECURITY parameter has the following format:

*RESOURCES
SECURITY {NONE|APP_PW|USER_AUTH|ACL|MANDATORY_ACL}

Table 4-1 describes the values for the SECURITY parameter.

Table 4-1 Values for the SECURITY Parameter

Value           Description

NONE            No password or access checking is performed in the WLE application.
                Tobj::PrincipalAuthenticator::get_auth_type() returns TOBJ_NOAUTH.

APP_PW          Client applications must supply an application password to access the WLE domain. The tmloadcf command prompts for the application password.
                Tobj::PrincipalAuthenticator::get_auth_type() returns TOBJ_SYSAUTH.

USER_AUTH       Client applications must authenticate themselves to the WLE domain with a password. USER_AUTH includes the APP_PW check and, in addition, performs user authentication during client initialization. The tmloadcf command prompts for the application password.
                Tobj::PrincipalAuthenticator::get_auth_type() returns TOBJ_APPAUTH.

ACL             Authentication is used in the WLE application and access control checks are performed on interfaces, services, queue names, and event names. If no ACL is associated with a name, permission is granted (fail-open). The tmloadcf command prompts for the application password.
                Tobj::PrincipalAuthenticator::get_auth_type() returns TOBJ_APPAUTH.

MANDATORY_ACL   As ACL, but permission is denied if no ACL is associated with the name (fail-closed). The tmloadcf command prompts for the application password.
                Tobj::PrincipalAuthenticator::get_auth_type() returns TOBJ_APPAUTH.

When using Username/Password authentication, the value of the SECURITY parameter must be USER_AUTH or greater: that is the lowest level at which tmloadcf accepts the AUTHSVC parameter the authentication server depends on, and APP_PW alone checks only the shared application password, not individual users.

If the IIOP Listener/Handler is configured to use certificate-based authentication, the value of the SECURITY parameter must also be USER_AUTH or greater.

Of the two access-control levels, prefer MANDATORY_ACL for a production domain: with ACL, any interface, service, queue, or event that has no ACL entry is reachable by every authenticated principal, so a forgotten entry silently grants access instead of denying it.

Setting the Level of Encryption

You can encrypt the messages between WLE applications on different machines in the same WLE domain using link-level encryption. In the UBBCONFIG file for each WLE application, set the MINENCRYPTBITS and MAXENCRYPTBITS parameters in the NETWORK section entry of each machine that establishes the network connection.

The possible values for the MINENCRYPTBITS and MAXENCRYPTBITS parameters are 0, 40, and 128. A value of 0 means no encryption is used; 40 and 128 specify the number of significant bits in the encryption key. MINENCRYPTBITS is the floor the two sides may negotiate down to, so a value of 0 permits an unencrypted link and 40 permits a key short enough to be recovered by brute force. Set MINENCRYPTBITS to 128 on both ends unless a peer genuinely cannot support it.
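The constraints above (AUTHSVC accepted only with SECURITY of USER_AUTH or higher, an AUTHSVR entry required when AUTHSVC is set, and the 0/40/128 range for the encryption parameters) are worth checking before tmloadcf is run, and the page gives no tool for that. The following Python script is an added example, not part of the original page or of the WLE product: it parses the subset of UBBCONFIG syntax used on this page and reports violations. Two checks go beyond what the page states and are assumptions about tmloadcf: SRVID must be unique within a server group, and an omitted MINENCRYPTBITS/MAXENCRYPTBITS defaults to 0/128. The configuration embedded in it is constructed for the example.

```python
"""Lint the security parameters of a UBBCONFIG file before tmloadcf runs.
Added example, not BEA tooling.  Rules from the page: AUTHSVC needs SECURITY of
USER_AUTH or higher and an AUTHSVR entry in *SERVERS; MINENCRYPTBITS/MAXENCRYPTBITS
must be 0, 40 or 128 with MIN <= MAX.  Assumed, not stated on the page: SRVID is
unique within a server group; omitted encryption bits default to 0/128."""
import re
from typing import Dict, List, Tuple

SECURITY_LEVELS = ["NONE", "APP_PW", "USER_AUTH", "ACL", "MANDATORY_ACL"]
ENCRYPT_VALUES = {0, 40, 128}
Entry = Tuple[str, Dict[str, str]]                      # (entry name, {PARAM: value})
_PAIR = re.compile(r'(\w+)\s*=\s*("[^"]*"|\S+)')        # PARAM = value, value may be quoted
_HEAD = re.compile(r'("[^"]*"|[^\s=]+)\s+(?=\w+\s*=)')  # identifier then PARAM = on one line


def _unquote(value: str) -> str:
    return value[1:-1] if len(value) >= 2 and value[0] == value[-1] == '"' else value


def parse_ubbconfig(text: str) -> Dict[str, List[Entry]]:
    """*RESOURCES holds bare 'PARAM value' lines (kept as one entry named "");
    elsewhere an identifier (AUTHSVR, SITE1, "ICEAXE", DEFAULT:) opens an entry
    that PARAM = value pairs on that line and the following lines fill in."""
    sections: Dict[str, List[Entry]] = {}
    section, current = "", {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()             # '#' starts a comment
        if not line:
            continue
        if line.startswith("*"):
            section = line[1:].upper()
            sections.setdefault(section, [])
            if section == "RESOURCES":
                current = {}
                sections[section].append(("", current))
        elif section == "RESOURCES":
            m = re.match(r"(\w+)\s*=?\s*(.*)", line)
            if m:
                current[m.group(1).upper()] = _unquote(m.group(2).strip())
        elif section:
            head = _HEAD.match(line)
            if head or "=" not in line:                  # a new entry starts here
                current = {}
                sections[section].append((_unquote((head.group(1) if head else line).rstrip(":")), current))
                line = line[head.end():] if head else ""
            for key, value in _PAIR.findall(line):
                current[key.upper()] = _unquote(value)
    return sections


def lint_security(text: str) -> List[str]:
    """Return ERROR/WARNING lines; an empty list means every check passed."""
    cfg = parse_ubbconfig(text)
    findings: List[str] = []
    resources = cfg.get("RESOURCES", [("", {})])[0][1]
    security = resources.get("SECURITY", "NONE").upper()
    rank = SECURITY_LEVELS.index(security) if security in SECURITY_LEVELS else -1
    user_auth = SECURITY_LEVELS.index("USER_AUTH")
    servers = cfg.get("SERVERS", [])
    if "AUTHSVC" in resources:
        if rank < user_auth:
            findings.append(f"ERROR: AUTHSVC is set but SECURITY is {security}; tmloadcf requires USER_AUTH or higher")
        if "AUTHSVR" not in {name for name, _ in servers}:
            findings.append("ERROR: AUTHSVC is set but *SERVERS has no AUTHSVR entry")
    elif rank >= user_auth:
        findings.append(f"WARNING: SECURITY {security} without AUTHSVC; Username/Password clients cannot be authenticated")
    seen: Dict[Tuple[str, str], str] = {}               # (SRVGRP, SRVID) -> server name
    for name, params in servers:
        if name != "DEFAULT" and "SRVID" in params:
            key = (params.get("SRVGRP", ""), params["SRVID"])
            if key in seen:
                findings.append(f"ERROR: SRVID {key[1]} in group {key[0]} is used by both {seen[key]} and {name}")
            seen[key] = name
    for lmid, params in cfg.get("NETWORK", []):
        lo, hi = int(params.get("MINENCRYPTBITS", 0)), int(params.get("MAXENCRYPTBITS", 128))
        for label, bits in (("MINENCRYPTBITS", lo), ("MAXENCRYPTBITS", hi)):
            if bits not in ENCRYPT_VALUES:
                findings.append(f"ERROR: {lmid}: {label} {bits} is not 0, 40 or 128")
        if lo > hi:
            findings.append(f"ERROR: {lmid}: MINENCRYPTBITS {lo} exceeds MAXENCRYPTBITS {hi}")
        elif lo < 128:                                   # MIN is the floor a peer may negotiate down to
            findings.append(f"WARNING: {lmid}: MINENCRYPTBITS {lo} permits {'an unencrypted' if lo == 0 else 'a 40-bit'} link; set 128 on both ends")
    return findings


# Constructed input: SYS_GRP reuses SRVID 1 and the SITE1 link accepts 40-bit keys;
# those two defects are what the lint should report for it.
SAMPLE_UBBCONFIG = """\
*RESOURCES
MASTER     SITE1
SECURITY   USER_AUTH
AUTHSVC    "AUTHSVC"
*NETWORK
SITE1  NADDR = "//ICEAXE:3050"  MINENCRYPTBITS = 40   MAXENCRYPTBITS = 128
SITE2  NADDR = "//PCWIZ:3050"   MINENCRYPTBITS = 128  MAXENCRYPTBITS = 128
*SERVERS
DEFAULT:   RESTART = Y  MAXGEN = 5
AUTHSVR    SRVGRP = SYS_GRP  SRVID = 1
TMSYSEVT   SRVGRP = SYS_GRP  SRVID = 1
"""

if __name__ == "__main__":
    for finding in lint_security(SAMPLE_UBBCONFIG) or ["OK: no findings"]:
        print(finding)
```

Run as a script it prints the two findings for the embedded configuration; to check a real file, call lint_security(open(path).read()). The parser deliberately handles only the layout seen in the listings on this page (one identifier per entry, PARAM = value pairs, '#' comments), so extend _HEAD and _PAIR before pointing it at a configuration that uses other UBBCONFIG syntax.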

Sample UBBCONFIG File for Username/Password Authentication

Listing 4-2 shows a UBBCONFIG file for an application that uses Username/Password authentication. The key security settings are the SECURITY and AUTHSVC parameters in the RESOURCES section and the AUTHSVR entry in the SERVERS section.

Listing 4-2 Sample UBBCONFIG File for Username/Password Authentication


*RESOURCES
IPCKEY 55432
DOMAINID securapp
MASTER SITE1
MODEL SHM
LDBAL N
SECURITY USER_AUTH
AUTHSVC "AUTHSVC"

*MACHINES
"ICEAXE"
LMID = SITE1
APPDIR = "D:\M3\samples\corba\SECURAPP"
TUXCONFIG = "D:\M3\samples\corba\SECURAPP\results\tuxconfig"
TUXDIR = "D:\WLE5"
MAXWSCLIENTS = 10

*GROUPS
SYS_GRP
LMID = SITE1
GRPNO = 1
APP_GRP
LMID = SITE1
GRPNO = 2

*SERVERS
DEFAULT:
RESTART = Y
MAXGEN = 5

AUTHSVR
SRVGRP = SYS_GRP
SRVID = 6
RESTART = Y
GRACE = 60
MAXGEN = 2

TMSYSEVT
SRVGRP = SYS_GRP
SRVID = 1

TMFFNAME
SRVGRP = SYS_GRP
SRVID = 2
CLOPT = "-A -- -N -M"

TMFFNAME
SRVGRP = SYS_GRP
SRVID = 3
CLOPT = "-A -- -N"

TMFFNAME
SRVGRP = SYS_GRP
SRVID = 4
CLOPT = "-A -- -F"

simple_server
SRVGRP = APP_GRP
SRVID = 1
RESTART = N

ISL
SRVGRP = SYS_GRP
SRVID = 5
CLOPT = "-A -- -n //PCWIZ:2500"

Sample UBBCONFIG File for Certificate-Based Authentication

Listing 4-3 shows a UBBCONFIG file for an application that uses certificate-based authentication. The key security settings are the SECURITY parameter in the RESOURCES section and the ISL entry in the SERVERS section with its SEC_PRINCIPAL_NAME, SEC_PRINCIPAL_LOCATION, and SEC_PRINCIPAL_PASSVAR parameters.

Listing 4-3 Sample UBBCONFIG File for Certificate-Based Authentication


*RESOURCES
IPCKEY 55432
DOMAINID simpapp
MASTER SITE1
MODEL SHM
LDBAL N
SECURITY USER_AUTH

*MACHINES
"ICEAXE"
LMID = SITE1
APPDIR = "D:\M3\samples\corba\SIMPAP~1"
TUXCONFIG = "D:\M3\samples\corba\SIMPAP~1\results\tuxconfig"
TUXDIR = "D:\WLE5"
MAXWSCLIENTS = 10

*GROUPS
SYS_GRP
LMID = SITE1
GRPNO = 1
APP_GRP
LMID = SITE1
GRPNO = 2

*SERVERS
DEFAULT:
RESTART = Y
MAXGEN = 5

TMSYSEVT
SRVGRP = SYS_GRP
SRVID = 1

TMFFNAME
SRVGRP = SYS_GRP
SRVID = 2
CLOPT = "-A -- -N -M"

TMFFNAME
SRVGRP = SYS_GRP
SRVID = 3
CLOPT = "-A -- -N"

TMFFNAME
SRVGRP = SYS_GRP
SRVID = 4
CLOPT = "-A -- -F"

simple_server
SRVGRP = APP_GRP
SRVID = 1
RESTART = N

ISL
SRVGRP = SYS_GRP
SRVID = 5
CLOPT = "-A -- -a -z40 -Z128 -S2458 -n //ICEAXE:2468"
SEC_PRINCIPAL_NAME="IIOPListener"
SEC_PRINCIPAL_LOCATION="IIOPListener.pem"
SEC_PRINCIPAL_PASSVAR="ISH_PASS"

Defining Authorized Users

As part of configuring security for a WLE application, you need to define the principals, and groups of principals, that have access to the WLE application. When a principal is represented by a digital certificate, the WLE system uses the email address in the certificate to map that external identity to the identity the WLE application authenticates.

You use the tpusradd command to create files containing lists of authorized principals. The tpusradd command adds a new principal entry to the WLE security data files; AUTHSVR uses this information to authenticate principals. The file that contains the principals is called tpusr.

The file is a colon-delimited, flat ASCII file that should be readable only by the administrator of the WLE application. Entries are limited to 512 characters per line. The file is kept in the application directory named by the environment variable $APPDIR, which must be set to the path name of the WLE application.

The tpusr file should be owned by the administrator account and protected so that only the owner has read and write privileges for it. Other users do not need read access: AUTHSVR is the only consumer of the file, and a world-readable tpusr file discloses the complete list of principal names to every local account.

When defining names of authorized users for a WLE EJB, there is a one-to-one association between the users defined with the tpusradd command and the security roles defined in the deployment descriptor of the WLE EJB.

The tpusradd command has the following options:

-u uid

The user identification number. uid must be a positive decimal integer below 128K and unique within the list of existing identifiers for the application. If omitted, uid defaults to the next available (unique) identifier greater than 0.

-c client_name

A string of printable characters that names the principal. The name may not contain a colon (:), a pound sign (#), or a newline (\n), and must be unique within the list of existing principals for the WLE application. The principal name can be either the name of a WLE client application or the name of a WLE EJB.

Listing 4-4 shows the principal names and uids from a sample tpusr file.

Listing 4-4 Sample tpusr File


Cltname Uid

milozzi 122
smart 555
patt 1234
butler 15555
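The rules tpusradd enforces (a printable principal name without a colon, pound sign or newline, unique names, a positive uid below 128K, unique uids, and a default uid when none is given) and the file-permission advice above can be exercised in code. The following Python is an added example, not BEA's tpusradd and not the layout of the real tpusr file: it models only the principal-name and uid columns shown in Listing 4-4, its sample table is a constructed copy of that listing, and "lowest unused identifier" is this example's reading of the documented default. The permission check treats any group or world bit on the file as a finding, the stricter of the two settings discussed above.

```python
"""Model the checks tpusradd applies when adding a principal, and check the
permission bits of a tpusr file.  Added example, not BEA code: only the
Cltname/Uid columns of Listing 4-4 are modelled; the real colon-delimited
tpusr file carries more fields, which this code neither reads nor writes."""
import os
import stat
from typing import Dict, List, Optional

MAX_UID = 128 * 1024            # uid must be a positive decimal integer below 128K
FORBIDDEN = {":", "#", "\n"}    # characters a principal name may not contain


def validate_client_name(name: str, table: Dict[str, int]) -> None:
    """The -c client_name rules: printable, none of ':' '#' newline, unique."""
    if not name or not name.isprintable():
        raise ValueError("principal name must be a non-empty printable string")
    bad = FORBIDDEN & set(name)
    if bad:
        raise ValueError(f"principal name may not contain {''.join(sorted(bad))!r}")
    if name in table:
        raise ValueError(f"principal {name!r} already exists")


def validate_uid(uid: int, table: Dict[str, int]) -> None:
    """The -u uid rules: positive decimal integer below 128K, unique."""
    if not isinstance(uid, int) or uid <= 0 or uid >= MAX_UID:
        raise ValueError(f"uid {uid!r} must be a positive integer below 128K")
    if uid in table.values():
        raise ValueError(f"uid {uid} is already assigned")


def next_free_uid(table: Dict[str, int]) -> int:
    """Lowest unused identifier greater than 0: this example's reading of the
    documented default 'next available (unique) identifier greater than 0'."""
    used, uid = set(table.values()), 1
    while uid in used:
        uid += 1
    return uid


def tpusradd(table: Dict[str, int], name: str, uid: Optional[int] = None) -> Dict[str, int]:
    """Return a copy of table with the principal added, as 'tpusradd -c name [-u uid]' would."""
    validate_client_name(name, table)
    if uid is None:
        uid = next_free_uid(table)
    validate_uid(uid, table)
    new = dict(table)
    new[name] = uid
    return new


def rejects(table: Dict[str, int], name: str, uid: Optional[int] = None) -> bool:
    """True when tpusradd refuses the entry (exercises the validation above)."""
    try:
        tpusradd(table, name, uid)
    except ValueError:
        return True
    return False


def parse_listing(text: str) -> Dict[str, int]:
    """Parse the two-column 'Cltname Uid' form of Listing 4-4 with the same checks."""
    table: Dict[str, int] = {}
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 2 or parts[0].lower() == "cltname":   # skip header/blank lines
            continue
        name, uid = parts[0], int(parts[1])
        validate_client_name(name, table)
        validate_uid(uid, table)
        table[name] = uid
    return table


def mode_is_restricted(mode: int) -> bool:
    """True when group and others hold no permission bits (owner-only access)."""
    return (mode & (stat.S_IRWXG | stat.S_IRWXO)) == 0


def check_tpusr_file(path: str) -> List[str]:
    """Report a tpusr file readable beyond its owner, or not owned by the
    account running the check (expected to be the WLE administrator)."""
    st, problems = os.stat(path), []
    if not mode_is_restricted(st.st_mode):
        problems.append(f"{path}: mode {stat.S_IMODE(st.st_mode):04o} grants access beyond the owner")
    if hasattr(os, "getuid") and st.st_uid != os.getuid():
        problems.append(f"{path}: owned by uid {st.st_uid}, not by the account running this check")
    return problems


# Constructed copy of Listing 4-4.
SAMPLE_TPUSR_LISTING = """\
Cltname Uid
milozzi 122
smart 555
patt 1234
butler 15555
"""

if __name__ == "__main__":
    table = tpusradd(parse_listing(SAMPLE_TPUSR_LISTING), "ops_client")  # gets uid 1
    print(table)
    print("rejects 'bad:name':", rejects(table, "bad:name"))
    print("mode 0644 restricted:", mode_is_restricted(0o644))
```

check_tpusr_file(os.path.join(os.environ["APPDIR"], "tpusr")) is the call to make on a running installation; the other functions need no file and are what the test exercises.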

Note: Use the tpgrpadd command to add groups of principals to the WLE security data files.

In addition to the tpusradd and tpgrpadd commands, the WLE product provides the following commands to modify the tpusr and tpgrp files:

tpusrdel and tpusrmod, which delete and modify principal entries in tpusr
tpgrpdel and tpgrpmod, which delete and modify group entries in tpgrp

For a complete description of the commands, see WLE Reference in the WebLogic Enterprise online documentation.