Local Tuxedo Access Points: Security
Use this page to define the security configuration of a local Tuxedo access point that will be used with this WTC server.
Domain gateways can authenticate incoming connections requested by remote Tuxedo access points and outgoing connections requested by local Tuxedo access points. You define when security should be enforced for incoming connections from remote Tuxedo access points. Specify the level of security used by a particular local Tuxedo access point by setting the SECURITY attribute. Data encryption can be used to prevent network-based eavesdroppers from accessing the content of messages or application-generated messages flowing from local Tuxedo access points to remote Tuxedo access points. Configure this security mechanism by setting the MINENCRYPTBITS and MAXENCRYPTBITS attributes.
Configuration Options
Name: Security
Description: The type of application security enforced.
The types of security are:
NONE: No security is used.
APP_PW: Password security is enforced when a connection is established from a remote domain. The application password is defined in the WTCResourcesMBean.
DM_PW: Domain password security is enforced when a connection is established from a remote domain. The domain password is defined in the WTCPasswordsMBean.
MBean Attribute: WTCLocalTuxDomMBean.Security
Secure value: DM_PW

Name: Min Encryption Level
Description: The minimum encryption key length (in bits) this local Tuxedo access point uses when establishing a session connection. A value of 0 indicates no encryption is used.
Value Restrictions:
The MinEncryptBits value must be less than or equal to the MaxEncryptBits value.
A MinEncryptBits value of 40 can be used only with domains running Tuxedo 7.1 or higher.
MBean Attribute: WTCLocalTuxDomMBean.MinEncryptBits
Secure value: 40

Name: Max Encryption Level
Description: The maximum encryption key length (in bits) this local Tuxedo access point uses when establishing a session connection. A value of 0 indicates no encryption is used.
Value Restrictions:
The MaxEncryptBits value must be greater than or equal to the MinEncryptBits value.
A MaxEncryptBits value of 40 can be used only with domains running Tuxedo 7.1 or higher.
MBean Attribute: WTCLocalTuxDomMBean.MaxEncryptBits
Secure value: 128

Name: Use SSL
Description: Specifies if the connection initiated or accepted by this Local Tuxedo access point uses SSL on top of its transport layer. Values are:
Off: SSL not used.
TwoWay: Mutual Authentication with SSL required.
OneWay: Server Authentication with SSL required.
Note: If SDP transport is configured for this access point, the configured value of this attribute is ignored and off is used.
MBean Attribute: WTCLocalTuxDomMBean.UseSSL

Name: Private Key Alias
Description: The string alias used to store and retrieve the Local Tuxedo access point's private key in the keystore. This private key is associated with the Local Tuxedo access point's digital certificate.
MBean Attribute: WTCLocalTuxDomMBean.PrivateKeyAlias

Name: Private Key PassPhrase
Description: The passphrase used to retrieve the server's private key from the keystore. This passphrase is assigned to the private key when it is generated.
When you get the value of this attribute, WebLogic Server does the following:
Retrieves the value of the PrivateKeyPassPhraseEncrypted attribute.
Decrypts the value and returns the unencrypted passphrase as a String.
When you set the value of this attribute, WebLogic Server does the following:
Encrypts the value.
Sets the value of the PrivateKeyPassPhraseEncrypted attribute to the encrypted value.
Using this attribute (PrivateKeyPassPhrase) is a potential security risk because the String object (which contains the unencrypted passphrase) remains in the JVM's memory until garbage collection removes it and the memory is reallocated. Depending on how memory is allocated in the JVM, a significant amount of time could pass before this unencrypted data is removed from memory.
Instead of using this attribute, use getPrivateKeyPassPhraseEncrypted.
MBean Attribute: WTCLocalTuxDomMBean.PrivateKeyPassPhrase
Changes take effect after you redeploy the module or restart the server.

Name: KeyStores Location
Description: Provides the configuration rule to be used for finding the local access point's identity key store and trust key store. In plain text, it contains information on where the identity key store and trust key store are configured. When KeyStoreLocation is configured with WLS Store, WTC uses configuration information from the WLS Key Stores configuration. Otherwise, it uses the key stores information configured in the local access point.
MBean Attribute: WTCLocalTuxDomMBean.KeystoresLocation
Changes take effect after you redeploy the module or restart the server.

Name: Custom Identity KeyStore File Name
Description: The path and file name of the identity keystore. The path name can be either absolute or relative to where the server was booted. The identity key store file name is only used if KeystoreLocation is Custom Stores.
MBean Attribute: WTCLocalTuxDomMBean.IdentityKeystoreFileName
Changes take effect after you redeploy the module or restart the server.

Name: Custom Identity KeyStore PassPhrase
Description: The custom identity keystore's passphrase. If empty or null, then the keystore will be opened without a passphrase.
This attribute is only used if KeyStores is "Custom Stores".
When you get the value of this attribute, WebLogic Server does the following:
Retrieves the value of the IdentityKeyStorePassPhraseEncrypted attribute.
Decrypts the value and returns the unencrypted password as a String.
When you set the value of this attribute, WebLogic Server does the following:
Encrypts the value.
Sets the value of the CustomIdentityKeyStorePassPhraseEncrypted attribute to the encrypted value.
Using this attribute (CustomIdentityKeyStorePassPhrase) is a potential security risk because the String object (which contains the unencrypted password) remains in the JVM's memory until garbage collection removes it and the memory is reallocated. Depending on how memory is allocated in the JVM, a significant amount of time could pass before this unencrypted data is removed from memory.
Instead of using this attribute, use CustomIdentityKeyStorePassPhraseEncrypted.
MBean Attribute: WTCLocalTuxDomMBean.IdentityKeyStorePassPhrase
Changes take effect after you redeploy the module or restart the server.

Name: Custom Trust KeyStore File Name
Description: The path and file name of the trust keystore.
The path name must either be absolute or relative to where the server was booted. This file name is only used if KeyStores is "Custom Stores".
MBean Attribute: WTCLocalTuxDomMBean.TrustKeyStoreFileName

Name: Custom Trust KeyStore PassPhrase
Description: The trust keystore's passphrase. If empty or null, then the keystore will be opened without a passphrase.
This attribute is only used if KeyStores is "Custom Stores".
When you get the value of this attribute, WebLogic Server does the following:
Retrieves the value of the TrustKeyStorePassPhraseEncrypted attribute.
Decrypts the value and returns the unencrypted password as a String.
When you set the value of this attribute, WebLogic Server does the following:
Encrypts the value.
Sets the value of the TrustKeyStorePassPhraseEncrypted attribute to the encrypted value.
Using this attribute (TrustKeyStorePassPhrase) is a potential security risk because the String object (which contains the unencrypted password) remains in the JVM's memory until garbage collection removes it and the memory is reallocated. Depending on how memory is allocated in the JVM, a significant amount of time could pass before this unencrypted data is removed from memory.
Instead of using this attribute, use TrustKeyStorePassPhraseEncrypted.
MBean Attribute: WTCLocalTuxDomMBean.TrustKeyStorePassPhrase
Changes take effect after you redeploy the module or restart the server.
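
The Security, Min Encryption Level, Max Encryption Level and Use SSL entries above give secure values and value restrictions. The following added example (not Oracle code and not part of the original page) checks one access point's settings against them. The function name, the tuxedo_version and sdp_transport parameters and the sample values are assumptions made for the example.

```python
# Added example (not Oracle code). Keys of `attrs` are the WTCLocalTuxDomMBean
# attribute names from this page; reading them (WLST, JMX) is left to the caller.
SECURE = {"Security": "DM_PW", "MinEncryptBits": 40, "MaxEncryptBits": 128}


def audit_access_point(attrs, tuxedo_version=(7, 1), sdp_transport=False):
    """Return findings for one local access point; an empty list means no issue.

    tuxedo_version and sdp_transport are hypothetical inputs supplied by the
    caller: the remote domain's Tuxedo release and whether SDP transport is
    configured. The page's secure key lengths are treated as minimums.
    """
    findings = []
    min_bits = int(attrs["MinEncryptBits"])
    max_bits = int(attrs["MaxEncryptBits"])

    if attrs["Security"] != SECURE["Security"]:
        findings.append("Security=%s, secure value is DM_PW" % attrs["Security"])
    # Value restriction: MinEncryptBits <= MaxEncryptBits.
    if min_bits > max_bits:
        findings.append("MinEncryptBits %d > MaxEncryptBits %d" % (min_bits, max_bits))
    # 0 means no encryption; anything under the secure value is reported.
    if min_bits < SECURE["MinEncryptBits"]:
        findings.append("MinEncryptBits=%d, secure value is 40" % min_bits)
    if max_bits < SECURE["MaxEncryptBits"]:
        findings.append("MaxEncryptBits=%d, secure value is 128" % max_bits)
    # A key length of 40 is only usable with domains running Tuxedo 7.1 or higher.
    if 40 in (min_bits, max_bits) and tuple(tuxedo_version) < (7, 1):
        findings.append("40-bit encryption requires Tuxedo 7.1 or higher")
    # With SDP transport the UseSSL setting is ignored and off is used.
    if sdp_transport and attrs["UseSSL"].lower() != "off":
        findings.append("UseSSL=%s is ignored with SDP transport" % attrs["UseSSL"])
    return findings


# Constructed sample values, not taken from a real domain.
WEAK = {"Security": "NONE", "MinEncryptBits": 0, "MaxEncryptBits": 40, "UseSSL": "Off"}
HARDENED = {"Security": "DM_PW", "MinEncryptBits": 40, "MaxEncryptBits": 128,
            "UseSSL": "TwoWay"}

if __name__ == "__main__":
    for name, cfg in (("weak", WEAK), ("hardened", HARDENED)):
        print(name, audit_access_point(cfg) or "no findings")
```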