This topic includes the following sections:

    Setting Parameters for Security in the UBBCONFIG File
    Configuring the Authentication Server
    Defining a Security Level
    Setting the Level of Encryption
    Defining Authorized Users

Setting Parameters for Security in the UBBCONFIG File

To configure security for your WLE application, you need to set parameters in the UBBCONFIG file that define the following:

    The authentication server
    The security level
    The level of encryption

To set parameters in the UBBCONFIG file, open the file in any text editor. The parameters for security take effect when you use the tmloadcf command to update the configuration parameters for your WLE application. The following sections describe setting the parameters for security in the UBBCONFIG file.

Note: For information about setting security parameters for the IIOP Listener/Handler in the UBBCONFIG file, see Defining Security Parameters for the IIOP Listener/Handler.
Configuring the Authentication Server

Note: You only need to configure the Authentication Server if you have specified a value of USER_AUTH or higher for the SECURITY parameter.

Username/Password authentication requires that an authentication server be configured for the purpose of authenticating users by checking their individual passwords against a file of legal users. The WLE system uses a default authentication server called AUTHSVR to perform authentication.

For a WLE application to authenticate users, the value of the AUTHSVC parameter in the RESOURCES section of the UBBCONFIG file needs to specify the name of the process to be used as the authentication server for the WLE application. The service must be called AUTHSVC. If the AUTHSVC parameter is specified in the RESOURCES section of the UBBCONFIG file, the SECURITY parameter must also be specified with a value of at least USER_AUTH. If the value is not specified, an error will occur when the system executes the tmloadcf command.

In addition, you need to define AUTHSVR in the SERVERS section of the UBBCONFIG file. The SERVERS section contains information about the server processes to be booted in the WLE application. For more information about the parameters in the SERVERS section of the UBBCONFIG file, see the Administration Guide in the WebLogic Enterprise online documentation.

Listing 4-1 contains the portion of the UBBCONFIG file that defines the authentication server.

Listing 4-1   Parameters for the Authentication Server

    *RESOURCES
        SECURITY    USER_AUTH
        AUTHSVC     "AUTHSVC"

    *SERVERS
        AUTHSVR
            SRVGRP="SYS_GRP"
            SRVID=1
            RESTART=Y
            GRACE=60
            MAXGEN=2

Defining a Security Level

As part of defining security for a WLE application, you need to define the SECURITY parameter in the RESOURCES section of the UBBCONFIG file. The SECURITY parameter has the following format:

    *RESOURCES
        SECURITY {NONE|APP_PW|USER_AUTH|ACL|MANDATORY_ACL}

Table 4-1 describes the values for the SECURITY parameter.

When using Username/Password authentication, the value of the SECURITY parameter must be APP_PW or greater.

If the IIOP Listener/Handler is configured for using certificate-based authentication, the value of the SECURITY parameter must be USER_AUTH or greater.
Setting the Level of Encryption

You can encrypt the messages between WLE applications on different machines in the same WLE domain using link-level encryption. In the UBBCONFIG file for each WLE application, you need to set the MINENCRYPTBITS and MAXENCRYPTBITS parameters for the machines that establish the network connection.

The possible values for the MINENCRYPTBITS and MAXENCRYPTBITS parameters are 0, 40, and 128. A value of zero means no encryption is used, while 40 and 128 specify the number of significant bits in the encryption key.
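The rules in the three sections above (AUTHSVC requires a SECURITY of at least USER_AUTH, AUTHSVR belongs in the SERVERS section and is only needed at USER_AUTH or higher, and MINENCRYPTBITS/MAXENCRYPTBITS may only be 0, 40 or 128) are the kind of thing tmloadcf rejects late, after the file has been edited by hand. The following Python script is an added example, not BEA code or anything shipped with WLE: it parses the section/entry/parameter layout used by the listings in this topic and reports violations of those rules. The two configurations are constructed here; placing MINENCRYPTBITS and MAXENCRYPTBITS in a *NETWORK entry and requiring MINENCRYPTBITS not to exceed MAXENCRYPTBITS are assumptions of the example, not statements from this topic.

```python
"""Pre-flight lint for the security parameters of a UBBCONFIG file.

Added example, not BEA or WLE code. It reads the *SECTION / entry / NAME value
layout used by the listings in this topic and applies the rules the topic
states, so a bad combination is caught before tmloadcf is run.
"""
import re

SECURITY_LEVELS = ["NONE", "APP_PW", "USER_AUTH", "ACL", "MANDATORY_ACL"]
LEGAL_ENCRYPT_BITS = (0, 40, 128)

# A lone token (optionally quoted, optionally ending in ':') opens a new entry:
# a machine, group, LMID or server name, or DEFAULT:.
_ENTRY_RE = re.compile(r'^"?([\w.\-]+)"?:?$')


def parse_ubbconfig(text):
    """Parse UBBCONFIG text into {SECTION: [entry, ...]}.

    An entry is a dict of upper-cased parameter names to values; an entry opened
    by a name line keeps that name under "_name". *RESOURCES has one anonymous
    entry. '#' starts a comment (a '#' inside a quoted value is not supported).
    """
    sections, section, entry = {}, None, None
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        if line.startswith("*"):
            section = line[1:].strip().upper()
            sections.setdefault(section, [])
            entry = {} if section == "RESOURCES" else None
            if entry is not None:
                sections[section].append(entry)
            continue
        if section is None:
            raise ValueError("line %d: parameter before any *SECTION" % lineno)
        named = _ENTRY_RE.match(line)
        if named:
            entry = {"_name": named.group(1)}
            sections[section].append(entry)
            continue
        if entry is None:
            raise ValueError("line %d: parameter outside an entry" % lineno)
        key, value = line.split("=", 1) if "=" in line else line.split(None, 1)
        entry[key.strip().upper()] = value.strip().strip('"')
    return sections


def lint_security(text):
    """Return a list of problems; an empty list means the topic's rules hold."""
    cfg, problems = parse_ubbconfig(text), []
    resources = cfg.get("RESOURCES", [{}])[0]
    security = resources.get("SECURITY", "NONE").upper()
    if security not in SECURITY_LEVELS:
        return ["SECURITY %r is not one of %s" % (security, "|".join(SECURITY_LEVELS))]
    strong = SECURITY_LEVELS.index(security) >= SECURITY_LEVELS.index("USER_AUTH")
    has_authsvc = "AUTHSVC" in resources
    has_authsvr = any(e.get("_name") == "AUTHSVR" for e in cfg.get("SERVERS", []))
    if has_authsvc and not strong:
        problems.append("AUTHSVC is set in *RESOURCES but SECURITY is %s; "
                        "it must be at least USER_AUTH" % security)
    if has_authsvr and not strong:
        problems.append("AUTHSVR is defined in *SERVERS but SECURITY is %s; the "
                        "authentication server is only needed at USER_AUTH or higher"
                        % security)
    if has_authsvc and not has_authsvr:
        problems.append("AUTHSVC is set but no AUTHSVR server is defined in *SERVERS")
    # Link-level encryption bounds, checked wherever they are set.
    for section, entries in cfg.items():
        for e in entries:
            where, bits = "*%s %s" % (section, e.get("_name", "")), {}
            for key in ("MINENCRYPTBITS", "MAXENCRYPTBITS"):
                if key not in e:
                    continue
                if not e[key].isdigit() or int(e[key]) not in LEGAL_ENCRYPT_BITS:
                    problems.append("%s: %s=%s must be 0, 40 or 128" % (where, key, e[key]))
                else:
                    bits[key] = int(e[key])
            if len(bits) == 2 and bits["MINENCRYPTBITS"] > bits["MAXENCRYPTBITS"]:
                problems.append("%s: MINENCRYPTBITS exceeds MAXENCRYPTBITS" % where)
    return problems


# Constructed sample modelled on Listing 4-1; the *NETWORK placement of the
# encryption parameters is an assumption of this example.
GOOD_CONFIG = r"""
*RESOURCES
    IPCKEY      55432
    DOMAINID    securapp
    MASTER      SITE1
    MODEL       SHM
    SECURITY    USER_AUTH
    AUTHSVC     "AUTHSVC"
*NETWORK
    SITE1
        NADDR = "//ICEAXE:2500"
        MINENCRYPTBITS = 40
        MAXENCRYPTBITS = 128
*SERVERS
    DEFAULT:
        RESTART = Y
        MAXGEN = 5
    AUTHSVR
        SRVGRP = "SYS_GRP"
        SRVID = 1
        RESTART = Y
        GRACE = 60
        MAXGEN = 2
"""

# Constructed bad sample: AUTHSVC and AUTHSVR at APP_PW, MIN above MAX, 56 bits.
BAD_CONFIG = r"""
*RESOURCES
    SECURITY    APP_PW
    AUTHSVC     "AUTHSVC"
*NETWORK
    SITE1
        NADDR = "//ICEAXE:2500"
        MINENCRYPTBITS = 128
        MAXENCRYPTBITS = 40
    SITE2
        NADDR = "//PCWIZ:2500"
        MINENCRYPTBITS = 56
        MAXENCRYPTBITS = 128
*SERVERS
    AUTHSVR
        SRVGRP = "SYS_GRP"
        SRVID = 1
"""

if __name__ == "__main__":
    for label, text in (("good", GOOD_CONFIG), ("bad", BAD_CONFIG)):
        found = lint_security(text)
        print("%s config: %d problem(s)" % (label, len(found)))
        for p in found:
            print("  -", p)
```

Run it against the sample above and the bad configuration yields four findings: the two level mismatches, the inverted MINENCRYPTBITS/MAXENCRYPTBITS pair, and the 56-bit value; the good one yields none.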
Listing 4-2 includes a UBBCONFIG file for an application which uses Username/Password authentication. The key sections of the UBBCONFIG file for security are marked with comments.

Listing 4-2   Sample UBBCONFIG File for Username/Password Authentication

    *RESOURCES
        IPCKEY      55432
        DOMAINID    securapp
        MASTER      SITE1
        MODEL       SHM
        LDBAL       N
        SECURITY    USER_AUTH          # security level for Username/Password authentication
        AUTHSVC     "AUTHSVC"          # name of the authentication service

    *MACHINES
        "ICEAXE"
            LMID = SITE1
            APPDIR = "D:\M3\samples\corba\SECURAPP"
            TUXCONFIG = "D:\M3\samples\corba\SECURAPP\results\tuxconfig"
            TUXDIR = "D:\WLE5"
            MAXWSCLIENTS = 10

    *GROUPS
        SYS_GRP
            LMID = SITE1
            GRPNO = 1
        APP_GRP
            LMID = SITE1
            GRPNO = 2

    *SERVERS
        DEFAULT:
            RESTART = Y
            MAXGEN = 5

        # Authentication server. SRVID values must be unique within a server
        # group, so the system servers that follow are numbered 2 to 6.
        AUTHSVR
            SRVGRP = SYS_GRP
            SRVID = 1
            RESTART = Y
            GRACE = 60
            MAXGEN = 2

        TMSYSEVT
            SRVGRP = SYS_GRP
            SRVID = 2

        TMFFNAME
            SRVGRP = SYS_GRP
            SRVID = 3
            CLOPT = "-A -- -N -M"

        TMFFNAME
            SRVGRP = SYS_GRP
            SRVID = 4
            CLOPT = "-A -- -N"

        TMFFNAME
            SRVGRP = SYS_GRP
            SRVID = 5
            CLOPT = "-A -- -F"

        simple_server
            SRVGRP = APP_GRP
            SRVID = 1
            RESTART = N

        ISL
            SRVGRP = SYS_GRP
            SRVID = 6
            CLOPT = "-A -- -n //PCWIZ:2500"

Listing 4-3 includes a UBBCONFIG file for an application which uses certificate-based authentication. The key sections of the UBBCONFIG file for security are marked with comments.

Listing 4-3   Sample UBBCONFIG File for Certificate-Based Authentication

    *RESOURCES
        IPCKEY      55432
        DOMAINID    simpapp
        MASTER      SITE1
        MODEL       SHM
        LDBAL       N
        SECURITY    USER_AUTH          # USER_AUTH or greater is required for certificate-based authentication

    *MACHINES
        "ICEAXE"
            LMID = SITE1
            APPDIR = "D:\M3\samples\corba\SIMPAP~1"
            TUXCONFIG = "D:\M3\samples\corba\SIMPAP~1\results\tuxconfig"
            TUXDIR = "D:\WLE5"
            MAXWSCLIENTS = 10

    *GROUPS
        SYS_GRP
            LMID = SITE1
            GRPNO = 1
        APP_GRP
            LMID = SITE1
            GRPNO = 2

    *SERVERS
        DEFAULT:
            RESTART = Y
            MAXGEN = 5

        TMSYSEVT
            SRVGRP = SYS_GRP
            SRVID = 1

        TMFFNAME
            SRVGRP = SYS_GRP
            SRVID = 2
            CLOPT = "-A -- -N -M"

        TMFFNAME
            SRVGRP = SYS_GRP
            SRVID = 3
            CLOPT = "-A -- -N"

        TMFFNAME
            SRVGRP = SYS_GRP
            SRVID = 4
            CLOPT = "-A -- -F"

        simple_server
            SRVGRP = APP_GRP
            SRVID = 1
            RESTART = N

        # IIOP Listener/Handler configured for certificate-based authentication
        ISL
            SRVGRP = SYS_GRP
            SRVID = 5
            CLOPT = "-A -- -a -z40 -Z128 -S2458 -n //ICEAXE:2468"
            SEC_PRINCIPAL_NAME="IIOPListener"
            SEC_PRINCIPAL_LOCATION="IIOPListener.pem"
            SEC_PRINCIPAL_PASSVAR="ISH_PASS"

Defining Authorized Users

As part of configuring security for a WLE application, you need to define the principals and groups of principals who have access to the WLE application. The WLE system uses the email address of a principal to map the external identity of a principal represented by a digital certificate to an identity used by a WLE application to authenticate a principal.

You use the tpusradd command to create files containing lists of authorized principals. The tpusradd command adds a new principal entry to the WLE security data files. This information is used by AUTHSVR to authenticate principals. The file that contains the principals is called tpusr.

The file is a colon-delimited, flat ASCII file, readable only by the administrator of the WLE application. The system file entries have a limit of 512 characters per line. The file is kept in the application directory, specified by the environment variable $APPDIR. The environment variable $APPDIR must be set to the path name of the WLE application.

The tpusradd file should be owned by the administrator account. BEA recommends that the file be protected so that only the owner has read and write privileges for the file and all other users have only read privileges for the file.

When defining names of authorized users for a WLE EJB, there is a one-to-one association between the users defined with the tpusradd command and the security roles defined in the deployment descriptor of the WLE EJB.

The tpusradd command has the following options:

    -u uid
        The user identification number. uid must be a positive decimal integer below 128K. uid must be unique within the list of existing identifiers for the application. uid defaults to the next available (unique) identifier greater than 0.

    -c client_name
        A string of printable characters that specifies the name of the principal. The name may not contain a colon (:), pound sign (#), or a newline (\n). The principal name must be unique within the list of existing principals for the WLE application. The name of the principal can be either the name of a WLE client application or a WLE EJB.

Listing 4-4 includes a sample tpusradd file.

Listing 4-4   Sample tpusradd File

    Cltname     Uid
    milozzi     122
    smart       555
    patt        1234
    butler      15555

Note: Use the tpgrpadd command to add groups of principals to the WLE security data files.

In addition to the tpusradd and tpgrpadd commands, the WLE product provides further commands to modify the tpusr and tpgrp files. For a complete description of the commands, see WLE Reference in the WebLogic Enterprise online documentation.
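The constraints given above for the -u and -c options, the 512-character line limit and the recommended file protection can all be checked on an existing tpusr file, which is useful when the file has been edited or merged by hand rather than through tpusradd. The following Python script is an added example, not the WLE tpusradd command or any BEA code. It assumes a record layout of "client_name:uid" per line, since this topic gives only those two fields of the colon-delimited file, reads "128K" as 131072, and uses the names from Listing 4-4 in a constructed sample.

```python
"""Validator for the tpusr principal file described in this topic.

Added example, not the WLE tpusradd command. It re-applies the constraints the
topic states (uid a positive integer below 128K and unique; client name
printable without ':', '#' or newline and unique; 512-character lines; a file
writable only by its owner) and appends a principal the way the -c / -u
options describe. Assumed layout: "client_name:uid" per line (the topic gives
only these two fields); 128K is read as 131072.
"""
import os
import stat
import tempfile

MAX_LINE_LEN = 512
MAX_UID = 128 * 1024


def parse_tpusr(text):
    """Return ([(client_name, uid), ...], [problem, ...]) for file contents."""
    principals, problems = [], []
    names, uids = set(), set()
    for lineno, line in enumerate(text.splitlines(), 1):
        if not line.strip():
            continue
        if len(line) > MAX_LINE_LEN:
            problems.append("line %d: longer than %d characters" % (lineno, MAX_LINE_LEN))
        fields = line.split(":")              # colon-delimited flat ASCII file
        if len(fields) < 2:
            problems.append("line %d: expected client_name:uid" % lineno)
            continue
        name, uid_text = fields[0], fields[1].strip()
        # ':' cannot survive the split, so only '#' and non-printables remain.
        if not name or not name.isascii() or not name.isprintable() or "#" in name:
            problems.append("line %d: client name %r must be printable ASCII "
                            "without ':' or '#'" % (lineno, name))
        elif name in names:
            problems.append("line %d: client name %r is not unique" % (lineno, name))
        names.add(name)
        if not uid_text.isdigit() or not 1 <= int(uid_text) < MAX_UID:
            problems.append("line %d: uid %r must be a positive integer below %d"
                            % (lineno, uid_text, MAX_UID))
            continue
        uid = int(uid_text)
        if uid in uids:
            problems.append("line %d: uid %d is not unique" % (lineno, uid))
        uids.add(uid)
        principals.append((name, uid))
    return principals, problems


def add_principal(text, client_name, uid=None):
    """Append client_name (as with -c) with uid (as with -u). Without a uid the
    next unused identifier above the highest in use is taken, one reading of
    "next available identifier greater than 0". Raises ValueError on a
    violation instead of writing a bad entry."""
    principals, problems = parse_tpusr(text)
    if problems:
        raise ValueError("existing file is invalid: " + "; ".join(problems))
    if uid is None:
        uid = max([u for _, u in principals], default=0) + 1
    sep = "" if not text or text.endswith("\n") else "\n"
    candidate = "%s%s%s:%d\n" % (text, sep, client_name, uid)
    problems = parse_tpusr(candidate)[1]
    if problems:
        raise ValueError("; ".join(problems))
    return candidate


def check_file_protection(path):
    """Report a tpusr file that group or others can write to; the topic wants
    it owned by the administrator with write access for the owner only.
    Uses POSIX mode bits; on other platforms nothing is checked."""
    if os.name != "posix":
        return []
    mode = os.stat(path).st_mode
    if mode & (stat.S_IWGRP | stat.S_IWOTH):
        return ["%s is writable by group or others (mode %o)" % (path, stat.S_IMODE(mode))]
    return []


def demo_file_check(contents):
    """Write contents to a temporary file and return the protection findings
    for mode 0600 and then for mode 0666."""
    fd, path = tempfile.mkstemp()
    try:
        with os.fdopen(fd, "w") as fh:
            fh.write(contents)
        os.chmod(path, 0o600)
        strict = check_file_protection(path)
        os.chmod(path, 0o666)
        loose = check_file_protection(path)
    finally:
        os.unlink(path)
    return strict, loose


# Constructed sample in the assumed layout, using the names from Listing 4-4.
SAMPLE_TPUSR = "milozzi:122\nsmart:555\npatt:1234\nbutler:15555\n"
# Constructed bad sample: '#' in a name, duplicate uid, uid 0, uid above 128K.
BAD_TPUSR = "milozzi:122\nbad#name:7\nsmart:122\npatt:0\nbutler:999999\n"

if __name__ == "__main__":
    for label, text in (("sample", SAMPLE_TPUSR), ("bad", BAD_TPUSR)):
        print(label, "->", parse_tpusr(text)[1] or "ok")
    print(add_principal(SAMPLE_TPUSR, "newclient").splitlines()[-1])
```

The bad sample produces four findings (the '#' in a name, the reused uid 122, uid 0, and a uid above 128K), and appending without -u gives the new principal uid 15556, one above the highest in use.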
Copyright © 1999 BEA Systems, Inc. All rights reserved.