1. When the client program performs a tpinit(), the user’s Tuxedo identity is validated against the tpusr file.
2. When the client program issues a tpcall() or tpacall(), Tuxedo verifies (against the tpacl file) that the user is authorized to invoke the gateway service.
3. When the gateway establishes the initial connection, connection security information (specified as RMTNAME and PASSWORD in the GWICONFIG file) is passed from the TMA TCP Gateway to the remote gateway. If the RMTNAME and PASSWORD values match the values configured on the remote gateway, the connection is established.
5. The Tuxedo server performs access checks (based on the tpacl file) to verify that the user has access to the requested service.
1. Code SECURITY in the Oracle Tuxedo UBBCONFIG file. See Oracle Tuxedo File Formats, Data Descriptions, MIBs, And System Processes Reference for more information.
2. Set up user, group, and ACL files. See Oracle Tuxedo Administration Console Online Help and Oracle Tuxedo Using Security in ATMI Applications for more information.
3. Code the security parameter in your TMA TCP Gateway configuration file (GWICONFIG). For GWICONFIG syntax and parameter definitions, refer to the “Configuring Oracle TMA TCP Gateway” section.

Part of the process for setting up security for TMA TCP requires you to have user, group, and ACL files. The following sections include these sample files.

Listing 4‑1 Sample User (tpusr) File

Lines that begin with the pound sign (#) are users that have been changed or deleted by tpusrmod or tpusrdel.
Note: The tpgrp file is only necessary when specifying ACL or MANDATORY_ACL modes for security. If you specify USER_AUTH for security, you can assign users to groups, but they do not correlate to the groups used for security by the remote system.

Listing 4‑2 Sample Group (tpgrp) File

The tpacl file correlates a group with the services to which that group has access. In the tpacl file, the first field specifies what is protected, the second field specifies the type of the object named in the first field, and the third field specifies the group that has access to the object.

In the following example, only users in group 1 (john, jim, richard) can access TOLOWER, and only users in group 2 can access TOUPPER.
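The following Python model is an added example, not part of the Oracle documentation or of Tuxedo itself. It reproduces the access decision described above (tpinit() identity lookup in tpusr, then the tpacl group check that steps 2 and 5 perform) over constructed sample files. It assumes a colon-separated layout for the three files (tpusr as name:password:uid:gid:clientname, tpgrp as name:gid, tpacl as object:type:gidlist); only the three-field meaning of tpacl and the “# means changed or deleted” rule for tpusr come from the page. The ACL versus MANDATORY_ACL distinction for a service that has no tpacl entry is Tuxedo's documented behaviour, included here to show why the choice of mode matters.

```python
"""Constructed model of the tpusr/tpacl authorization check (added example).

File layouts below are an assumption: colon-separated fields,
tpusr = name:password:uid:gid:clientname, tpacl = object:type:gidlist.
"""

# Constructed sample tpusr contents; "#bob" models a user removed by tpusrdel.
TPUSR = """\
john:xxxx:1001:1:
jim:xxxx:1002:1:
richard:xxxx:1003:1:
alice:xxxx:1004:2:
#bob:xxxx:1005:2:
"""

# Constructed sample tpacl contents matching the page's example:
# group 1 may call TOLOWER, group 2 may call TOUPPER.
TPACL = """\
TOLOWER:SERVICE:1
TOUPPER:SERVICE:2
"""


def parse_tpusr(text):
    """Map user name -> group id, skipping '#' lines (changed/deleted users)."""
    users = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        name, _password, _uid, gid, *_rest = line.split(":")
        users[name] = int(gid)
    return users


def parse_tpacl(text):
    """Map (object, type) -> set of group ids allowed to access it."""
    acl = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        obj, objtype, gidlist = line.split(":")[:3]
        acl[(obj, objtype)] = {int(g) for g in gidlist.split(",") if g}
    return acl


def is_authorized(user, service, users, acl, mode="ACL"):
    """Decide whether `user` may invoke `service`.

    mode is "ACL" or "MANDATORY_ACL". The difference only shows for a
    service that has no tpacl entry: ACL leaves it open to every
    authenticated user, MANDATORY_ACL denies it.
    """
    if user not in users:
        return False  # tpinit() would already have failed: not in tpusr
    entry = acl.get((service, "SERVICE"))
    if entry is None:
        return mode == "ACL"
    return users[user] in entry


if __name__ == "__main__":
    users = parse_tpusr(TPUSR)
    acl = parse_tpacl(TPACL)
    for who, svc in [("john", "TOLOWER"), ("john", "TOUPPER"),
                     ("alice", "TOUPPER"), ("bob", "TOUPPER")]:
        print(who, svc, is_authorized(who, svc, users, acl))
```

Run as a script, the four checks print True, False, True, False: john is in group 1 and so reaches TOLOWER but not TOUPPER, alice is in group 2, and bob was deleted from tpusr so his line no longer authenticates at all.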
• A remote or local service requires a user’s LTERM information

In these cases, a client’s user ID, group name, and LTERM can be specified in the data area of a request. For Tuxedo clients, user information specified in the data area is verified by the remote gateway in the usual manner. For remote clients, remote user information is placed in the data area fields by the local gateway to be used by Tuxedo services. In this case, the remote client does not have to populate these fields, but must allocate space for them in the data area.
1.
2. Set WRAP=TPSD in the FOREIGN section corresponding to the remote host in the GWICONFIG file. For syntax and parameter definitions for the FOREIGN section of the GWICONFIG file, refer to the “Defining the FOREIGN Section of the GWICONFIG File” section.
Note: If using a VIEW data format, allocate the extra fields before the application data as defined in Listing 4‑4. If using the STRING data format, allocate 24 additional bytes at the beginning of the string to be used for the security fields.

Listing 4‑4 Syntax for C User Data Area Fields