If you are specifying SECURITY=ACL or SECURITY=MANDATORY_ACL in the RESOURCES section of the UBBCONFIG file, then you must continue to maintain the tpgrp and tpacl files in Tuxedo.
LAUTHSVR is a System/T-provided server that offers the authentication service while the user security information is located in WebLogic Server. To enable the single security administration feature, you must configure LAUTHSVR as the authentication server. At runtime, LAUTHSVR retrieves the user information from the WebLogic Server-embedded LDAP and authenticates users. If authentication is successful, an appkey is returned to the user; otherwise, authentication fails.
To define LAUTHSVR as the authentication server, you must define the following parameters in the UBBCONFIG file:
• SECURITY must be set to USER_AUTH, ACL, or MANDATORY_ACL in the RESOURCES section.
• LAUTHSVR must be specified in the SERVERS section.
Note: If LAUTHSVR cannot find a valid configuration file or the file does not exist, it logs an error message in USERLOG and fails to boot. The default LAUTHSVR configuration file is $TUXDIR/udataobj/tpldap and is provided with the product.
LAUTHSVR is the LDAP-based authentication server for Tuxedo. It requires a configuration file, which by default is $TUXDIR/udataobj/tpldap. You can create your own LAUTHSVR configuration file or use the default tpldap file that ships with the product.
Note: If the -f option is omitted, the default LAUTHSVR configuration file tpldap is used.
LAUTHSVR supports an input configuration file that contains information such as the bind DN and an unencrypted password for the bind DN. This configuration file is a plain text file that can be edited with any text editor, and it must be protected by the system using file permissions. By default the configuration file, named tpldap, is located in the $TUXDIR/udataobj directory. You can specify a different file on the LAUTHSVR command line. The LAUTHSVR configuration file contains keyword and value pairs as defined in Table 4‑1.
Although the default values for the LAUTHSVR configuration file are usually sufficient, a system administrator may choose to configure it with different names. Therefore, you should be aware of the following requirements for the LAUTHSVR configuration file:
• The LAUTHSVR configuration file is a plain text file.
Table 4‑1 defines the LAUTHSVR configuration file keywords. Listing 4‑1 shows an example of a LAUTHSVR configuration file.
WARNING: Because the PASSWORD for the LDAP administrator is in clear text, the system administrator should guard this file with appropriate access permissions.
Listing 4‑2 shows an example UBBCONFIG file with SECURITY set to ACL and LAUTHSVR defined.
To configure multiple network addresses for LAUTHSVR, use the LDAP_ADDR keyword in the LAUTHSVR configuration file. The order in which the hostnames are specified is the order in which LAUTHSVR tries to connect. To use caching during authentication, specify the EXPIRE keyword. Its value determines the number of seconds a cached entry remains available in the local process memory.
By default the LAUTHSVR authentication server searches for user information in the WebLogic Server-embedded LDAP server. To include the tpusr file in the search, you must specify LOCAL in the SRCH_ORDER keyword. The order of the comma-separated values in the SRCH_ORDER keyword is the order in which LAUTHSVR searches for user information: LAUTHSVR searches the LDAP server, the tpusr file, or both, according to the order of the values specified.
If two or more SRCH_ORDER entries are specified in the LAUTHSVR configuration file, only the last entry takes effect, and a warning message is logged in USERLOG. A warning message also results if you specify a value other than LDAP or LOCAL in the SRCH_ORDER keyword. In that case the invalid entry is discarded and the default value or a previous valid SRCH_ORDER entry is used.
The following example specifies that LAUTHSVR should search the WebLogic Server-embedded LDAP server first for user information. If the user information is not found in the LDAP server, LAUTHSVR should then look in the tpusr file.
The following example specifies that LAUTHSVR should search the tpusr file first for user information. If the user information is not found in the tpusr file, LAUTHSVR should then look in the WebLogic Server-embedded LDAP server.
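As an added example that is not part of the Tuxedo documentation, the following Python script applies the SRCH_ORDER and LDAP_ADDR rules described above to a constructed LAUTHSVR-style configuration file and checks the file mode, since the bind PASSWORD is stored in clear text. It assumes a "KEYWORD value" line format with '#' comments and LDAP as the default search order; the keyword table itself (Table 4‑1) is not reproduced here.

```python
import stat
# Assumptions not taken from the page: a line is "KEYWORD value", '#' starts
# a comment, and the default search order is LDAP only (the page: LDAP is
# searched unless LOCAL is added to SRCH_ORDER).
VALID_SRCH_VALUES = ("LDAP", "LOCAL")
DEFAULT_SRCH_ORDER = ("LDAP",)

# Constructed sample in the style of an LAUTHSVR configuration file.
SAMPLE_TPLDAP = """\
LDAP_ADDR  //wls-host1:7001,//wls-host2:7001
EXPIRE     300
SRCH_ORDER LDAP
SRCH_ORDER FOO            # invalid value: discarded, earlier entry kept
SRCH_ORDER LOCAL,LDAP     # repeated keyword: this last entry takes effect
"""

def parse_lauthsvr_config(text):
    """Return (keyword -> value, warnings), applying the page's SRCH_ORDER rules."""
    config, warnings = {}, []
    srch_order, srch_count = list(DEFAULT_SRCH_ORDER), 0
    for lineno, raw in enumerate(text.splitlines(), 1):
        parts = raw.split("#", 1)[0].split(None, 1)
        if not parts:
            continue
        keyword, value = parts[0], (parts[1].strip() if len(parts) > 1 else "")
        if keyword != "SRCH_ORDER":
            config[keyword] = value
            continue
        srch_count += 1
        if srch_count > 1:
            warnings.append(f"line {lineno}: repeated SRCH_ORDER, only the last entry takes effect")
        order = [v.strip() for v in value.split(",")]
        invalid = [v for v in order if v not in VALID_SRCH_VALUES]
        if invalid:
            # Whole entry discarded: the default or the previous valid entry stays in force.
            warnings.append(f"line {lineno}: invalid SRCH_ORDER value(s) {invalid}, entry discarded")
            continue
        srch_order = order
    config["SRCH_ORDER"] = srch_order
    config["LDAP_ADDR"] = [a.strip() for a in config.get("LDAP_ADDR", "").split(",") if a.strip()]
    return config, warnings

def permissions_ok(st_mode):
    """True when group and others have no access: the bind PASSWORD is stored in clear text."""
    return stat.S_IMODE(st_mode) & (stat.S_IRWXG | stat.S_IRWXO) == 0

if __name__ == "__main__":
    cfg, warns = parse_lauthsvr_config(SAMPLE_TPLDAP)
    print(cfg["SRCH_ORDER"], cfg["LDAP_ADDR"], warns)
```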
• “LAUTHSVR(5)” and “GAUTHSVR(5)” in the Oracle Tuxedo File Formats, Data Descriptions, MIBs, and System Processes Reference.
You should use the tpmigldap command utility to migrate Tuxedo user and group information to WebLogic Server.
You can modify the tpusr file using a text editor and change the user password for each user in the file. The password field is the second field in the tpusr file. The field delimiter is a colon (:). Each user takes up one line in the tpusr file.
• Use the -f option with the tpmigldap utility to define a default password for all users.
Table 4‑2 defines the command line options for the tpmigldap utility. The order of the command line options does not matter.
Note: The tpmigldap command requires the use of -w or -c so that the user or group can be added to the WebLogic Server-embedded LDAP database.
• “tpmigldap(1)” in the Oracle Tuxedo Command Reference
1. Use your existing tpusr file and tpgrp file to add the new user and group information. Be sure to use the same format previously defined in the file, and use clear text passwords when adding to the LDAP database.
2. Run the tpmigldap utility with the -u option specifying the updated tpusr file and the -g option specifying the updated tpgrp file. For example:
where by default the TUXEDO UID KEYWORD is TUXEDO_UID and the TUXEDO GID KEYWORD is TUXEDO_GID. For example:
GAUTHSVR is a System/T-provided server whose usage is similar to that of LAUTHSVR, but with the following differences:
• GAUTHSVR can access user security information located in a wide variety of LDAP servers (for example, WebLogic, OpenLDAP, Netscape/iPlanet, Microsoft Active Directory, z/OS LDAP, and so on), using LDAP (Lightweight Directory Access Protocol).
To enable the single security administration feature, GAUTHSVR must be configured as the authentication server. GAUTHSVR authenticates user security information against an LDAP server. It returns an appkey if SECURITY is set to ACL or MANDATORY_ACL and authentication succeeds.
To configure GAUTHSVR as the authentication server, you must define the following parameters in the UBBCONFIG file:
• SECURITY must be set to USER_AUTH, ACL, or MANDATORY_ACL in the RESOURCES section.
• GAUTHSVR must be specified in the SERVERS section.
Note: If GAUTHSVR cannot find a valid configuration file or the file does not exist, it logs an error message in USERLOG and fails to boot. The default GAUTHSVR configuration file is $TUXDIR/udataobj/tpgauth and is provided with the product.
GAUTHSVR is an LDAP-based authentication server for Tuxedo. It requires a configuration file, which by default is $TUXDIR/udataobj/tpgauth.
Specifies the full pathname of the GAUTHSVR internal configuration file generated from the customer configuration file specified by the -f option. The default value is $APPDIR/gaconfig.xml.
Specifies the full pathname of the GAUTHSVR internal configuration file generated from the configuration file (specified in the -f option). The default value is $APPDIR/gakey.dat.
GAUTHSVR updates the generated XML file if tpgauth is newer than the generated XML and key files. Only changed or newly added tpgauth items are updated in the generated XML file.
Note: If the XML and key files are not present when GAUTHSVR is booted, GAUTHSVR creates them automatically.
GAUTHSVR supports an input configuration file that contains information such as the bind DN and an unencrypted password for the bind DN. This configuration file is a plain text file that can be edited with any text editor, and it must be protected by the system using file permissions. By default the configuration file, named tpgauth, is located in the $TUXDIR/udataobj directory. You can specify a different file on the GAUTHSVR command line.
Table 4‑3 lists the keyword and value pairs contained in the GAUTHSVR configuration file.
Although the default values for the GAUTHSVR configuration file are usually sufficient, you can choose to configure it with different names. Therefore, you should be aware of the following requirements for the GAUTHSVR configuration file:
• The GAUTHSVR configuration file is a plain text file.
• The Principal must have privileges to access the LDAP database (usually the LDAP administrator).
If set to false, a referral exception is sent when referrals are encountered during LDAP requests.
Listing 4‑3 shows an example GAUTHSVR configuration file for WebLogic Server. Refer to this example when configuring other LDAP servers.
WARNING: Because the PASSWORD for the LDAP administrator is in clear text, the system administrator should guard this file with appropriate access permissions.
Listing 4‑4 shows an example UBBCONFIG file with SECURITY set to ACL and GAUTHSVR defined.
• “GAUTHSVR(5)” and “LAUTHSVR(5)” in the Oracle Tuxedo File Formats, Data Descriptions, MIBs, and System Processes Reference
You can use the tpmigldif command utility to migrate Tuxedo user and group information to LDAP servers in LDAP Interchange Format (LDIF). In order to use tpmigldif, you must create a migration template.
Table 4‑6 lists the command line options for the tpmigldif utility. The order of the command line options does not matter.
Listing 4‑5 shows a tpusr file with five fields separated by a colon.
Listing 4‑6 shows a tpgrp file with three fields separated by a colon.
• Modify the password field of the tpusr file to change the user password for each user in the file. The password field is the second field in the tpusr file. Each user is entered on a separate line in the tpusr file. See Listing 4‑5 for an example of the original tpusr file.
Listing 4‑7 shows an example tpusr-template migration file. <%n> refers to a tpusr file field, where n starts at 1.
Note: Use <%gn> to refer to field n of the given user's group entry in the tpgrp file.
Listing 4‑8 shows the LDIF output from the tpusr-template.
dn: CN=user1,CN=Users,DC=tuxdev,DC=bea,dc=com
objectclass: top
objectclass: person
objectclass: organizationalPerson
objectclass: user
cn: user1
description: Tuxedo User, TUXEDO_UID=16668 TUXEDO_GID=601
password: pwd1

dn: CN=user2,CN=Users,DC=tuxdev,DC=bea,dc=com
objectclass: top
objectclass: person
objectclass: organizationalPerson
objectclass: user
cn: user2
description: Tuxedo User, TUXEDO_UID=16669 TUXEDO_GID=602
password: pwd2
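As an added example that is not part of the Tuxedo documentation or the tpmigldif utility, the following Python code implements the <%n> and <%gn> template expansion described above over constructed tpusr and tpgrp lines and reproduces the Listing 4‑8 entries. The tpusr field order (name:password:uid:gid:client name), the tpgrp field order (name:reserved:gid) and the template text are assumptions; the page gives only the field counts and the colon delimiter.

```python
import re
# Assumptions not taken from the page: tpusr fields are
# name:password:uid:gid:client_name and tpgrp fields are name:reserved:gid;
# the page only gives the field counts (5 and 3) and the colon delimiter.
TPUSR = "user1:pwd1:16668:601:TPCLIENT\nuser2:pwd2:16669:602:TPCLIENT\n"  # constructed
TPGRP = "grp1::601\ngrp2::602\n"  # constructed
# Constructed template that reproduces the page's Listing 4-8 output.
TEMPLATE = """\
dn: CN=<%1>,CN=Users,DC=tuxdev,DC=bea,dc=com
objectclass: top
objectclass: person
objectclass: organizationalPerson
objectclass: user
cn: <%1>
description: Tuxedo User, TUXEDO_UID=<%3> TUXEDO_GID=<%4>
password: <%2>
"""
FIELD_RE = re.compile(r"<%(g?)(\d+)>")

def parse_records(text, nfields):
    """Split colon-delimited lines; a malformed line stops the migration instead of being guessed."""
    records = []
    for lineno, line in enumerate(text.splitlines(), 1):
        if not line.strip():
            continue
        fields = line.split(":")
        if len(fields) != nfields:
            raise ValueError(f"line {lineno}: expected {nfields} fields, got {len(fields)}")
        records.append(fields)
    return records

def expand(template, user, group):
    """Replace <%n> with tpusr field n and <%gn> with field n of the user's tpgrp entry (n from 1)."""
    def field(match):
        source = group if match.group(1) else user
        index = int(match.group(2))
        if not 1 <= index <= len(source):
            raise ValueError(f"{match.group(0)} is out of range")
        return source[index - 1]
    return FIELD_RE.sub(field, template)

def render_ldif(tpusr=TPUSR, tpgrp=TPGRP, template=TEMPLATE):
    """Render one LDIF entry per tpusr line; entries are separated by a blank line."""
    groups = {g[2]: g for g in parse_records(tpgrp, 3)}  # keyed by gid
    entries = []
    for user in parse_records(tpusr, 5):
        if user[3] not in groups:
            raise ValueError(f"user {user[0]}: gid {user[3]} has no tpgrp entry")
        entries.append(expand(template, user, groups[user[3]]))
    return "\n".join(entries)
```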
Table 4‑7 Supported LDAP Server Template Example
z/OS LDAP, with RACF backend