• This feature enables you to generate data for specific events by defining these events in a static XML file (component_events.xml), which makes it convenient to change audit strategies/policies without affecting the application.

The following figure illustrates an Oracle Tuxedo event flow with the OPSS audit framework when an event (such as tpcall) occurs.

Figure 5‑1 Oracle Tuxedo Audit Flow with OPSS

In this figure, an Oracle Tuxedo client invokes an Oracle Tuxedo service. This service then sends a request (also known as "an event") to the Oracle Tuxedo Java Server, which has already configured the OPSS audit module (.TUXJPSAUDIT). This module then invokes OPSS audit APIs, which check whether this event should be audited. If it should be, the module audits it to a local file in an intermediate location (known as the "bus-stop"), creating the audit event structure and collecting event information such as status, initiator, resource, and ECID.

Use the epifreg tool to register OPSS plug-ins in the Oracle Tuxedo registry. Registering the OPSS plug-in replaces the default Oracle Tuxedo audit implementation, switching it from ULOG to OPSS audit. Listing 5‑1 shows an example.

Use the following shell script tools located at $TUXDIR/bin for registering the OPSS audit plug-in in the Oracle Tuxedo registry:

Use the epifunreg tool to unregister the OPSS plug-in from the Oracle Tuxedo registry. Unregistering the OPSS plug-in restores the default Oracle Tuxedo audit implementation, switching it back to ULOG. Listing 5‑2 shows an example.

Use the following shell script tools located at $TUXDIR/bin for unregistering the OPSS audit plug-in from the Oracle Tuxedo registry:

Follow the Oracle Tuxedo Auditing configuration rules to add OPSS audit to the Tuxedo Plug-in framework. See Auditing for more information.

• Configure Security Options in UBBCONFIG

Oracle Tuxedo OPSS Audit Module runs in the Oracle Tuxedo Java server (TMJAVASVR), so TMJAVASVR must be configured in your UBBCONFIG. TMJAVASVR handles the entire audit request, advertising audit module .TUXJPSAUDIT, which acts as a bridge between the Oracle Tuxedo system with OPSS audit and Oracle Tuxedo application services. Listing 5‑3 shows an example for configuring TMJAVASVR in the UBBCONFIG SERVERS section.

TMJAVASVR can:
• Read configuration file tpopss_audit.xml.
• Advertise audit module .TUXJPSAUDIT, which is implemented with Java code according to tpopss_audit.xml.
• Forward an audit request to .TUXJPSAUDIT.
• Get and execute the results from this .TUXJPSAUDIT.

Listing 5‑3 TMJAVASVR Configuration Example

Now that you have configured TMJAVASVR, you can configure Oracle Tuxedo OPSS Audit Module in the Oracle Tuxedo Java Server configuration file called tpopss_audit.xml, which you can find in ${TUXDIR}/udataobj/tuxj/opss.

The two packages that Oracle Tuxedo Java Server uses for this feature are com.oracle.tuxedo.tjopss_12.2.2.0.jar (shipped with Oracle Tuxedo and located in ${TUXDIR}/udataobj/tuxj/opss) and opss-manifest.jar (shipped with OPSS and located under the path that -Dcommon.components.home specifies. For example, if you specify -Dcommon.components.home=/testarea/tuxuser/opss_standalone/, this opss-manifest.jar is located in /testarea/tuxuser/opss_standalone/modules/oracle.jps_12.1.2/opss-manifest.jar).

See Listing 5‑4 for an example, where the following attributes are specified.

Declare the following jvm-options attributes, and make sure every path you set is an absolute path.

• Required jvm-options are

This declares the absolute path of OPSS configuration file jps-config.xml.

This declares the absolute path of java.policy.

This declares the absolute path of component_events.xml.

This declares the component type of TMJAVASVR .TUXJPSAUDIT, determining which component table stores the record to the bus-stop.

• Optional jvm-options are

Declare the following classpath attributes, and make sure every path you set is an absolute path.

Oracle Tuxedo ships com.oracle.tuxedo.tjopss_12.2.2.0.jar to integrate the OPSS Audit module. This library is located at $TUXDIR/udataobj/tuxj/opss.

Oracle OPSS module ships opss-manifest.jar.

Listing 5‑4 Example for tpopss_audit.xml

This feature requires you to configure the following OPSS configuration files. All of them are located at $TUXDIR/udataobj/tuxj/opss.

Oracle Tuxedo integrates with the Oracle Fusion Middleware Audit Framework through the jps-config.xml runtime configuration file, which contains the initial filter settings for using the OPSS Audit Plug-In. You should declare its absolute path in the tpopss_audit.xml configuration file (jvm-options: -Doracle.security.jps.config). See Configure Oracle Tuxedo OPSS Audit Module for more information.

See Listing 5‑5 for an example, where jps-config.xml declares serviceInstance audit, whose provider is audit.provider and location is ./audit-store.xml.

Listing 5‑5 jps-config.xml Example

java.policy is the system policy file that grants system-wide code permissions; this policy is represented by a Policy object for the Java programming language application environment (specifying which permissions are available for code from various sources, and executing as various principals).

For this feature in particular, you should use this file to grant audit store access permissions to all domains in order to invoke OPSS Audit APIs. You should declare its absolute path in the tpopss_audit.xml configuration file (jvm-options: -Djava.security.policy). See Configure Oracle Tuxedo OPSS Audit Module for more information.

See Listing 5‑6 for an example, where the following two grants are specifically added for this feature.
• This is to grant permissions to file:${common.components.home}/modules/oracle.jps_12.1.2/*, where opss-manifest.jar is located.
• This is to grant permissions to file:${oracle.deployed.app.dir}/*, where required configuration files (tpopss_audit.xml, jps-config.xml, component_events.xml, audit-store.xml, java.policy, and system-jazn-data.xml) are located.

Listing 5‑6 java.policy Example

component_events.xml is a static file that defines all the audit events that are generated by the OPSS Audit Plug-In; audit-store.xml is the dynamic file that defines all the audit events that are mapped from the static file component_events.xml.

After tmboot for Oracle Tuxedo audit module .TUXJPSAUDIT, the audit policy for a specific component is stored in audit-store.xml. .TUXJPSAUDIT automatically registers the event component, and maps it from component_events.xml to audit-store.xml; after automatically un-registering the event component, .TUXJPSAUDIT drops it from audit-store.xml.

Note: As Oracle Tuxedo depends on the OPSS stand-alone component, audit-store.xml is actually the file that is mainly used for this feature. Nevertheless, you are still required to use the static file component_events.xml to adjust your audit policy and specify component_events.xml in your CLASSPATH. See Change Audit Policy for more information.

You should declare the absolute path for component_events.xml in the tpopss_audit.xml configuration file (jvm-options: -Doracle.tuxedo.opss.event.config.dir). See Configure Oracle Tuxedo OPSS Audit Module for more information.

In the component_events.xml configuration file, you must set:

• Audit-Aware Components, referring to components that are integrated with the Oracle Fusion Middleware Audit Framework so that audit policies can be configured and events can be audited for these components. You should also set componentType in tpopss_audit.xml (jvm-options: -Doracle.tuxedo.audit.type).
• An audit event category contains related events in a functional area. Attributes are categorized into base. You should also set category in tpopss_audit.xml (jvm-options: -Doracle.tuxedo.audit.category).

See Listing 5‑7 for an example, where
• componentType is set to tuxedo_opss_template (the same as "<jvm-options>-Doracle.tuxedo.audit.type=tuxedo_opss_template</jvm-options>" in Listing 5‑4)
• category is set to TUXEDOOPSSAUDIT (the same as "<jvm-options>-Doracle.tuxedo.audit.category=TUXEDOOPSSAUDIT</jvm-options>" in Listing 5‑4).

Listing 5‑7 component_events.xml Example

system-jazn-data.xml is an OPSS configuration file. Oracle Tuxedo provides this file by default in $TUXDIR/udataobj/tuxj/opss, and uses it for this feature. You should keep this file as it is and should not change or remove it. See Oracle Fusion Middleware Security Guide for more information about this file.

OPSS audit bus-stop files are named audit_<rotation_index>.log. You can use underscore ("_") as a separator (current file should not have _<rotation_index>).

The location of audit bus-stop files is currently not configurable. The Oracle Tuxedo OPSS audit bus-stop file is located in the parent directory of jps-config.xml. For example,

See Listing 5‑8 for an example.

Listing 5‑8 OPSS Audit Bus-Stop File Example

You can add/remove/change events in the static configuration file component_events.xml to change audit policy at any time. Your audit policy change takes effect right after you restart Oracle Tuxedo (after tmboot, .TUXJPSAUDIT automatically updates the audit policy in the corresponding dynamic audit-store.xml).

See component_events.xml (static) and audit-store.xml (dynamic) for more information.
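A pre-boot check for the jvm-options rules described in this chapter, given as an added example and not Oracle's own tooling: it reads the <jvm-options> entries, confirms that the options for jps-config.xml, java.policy, component_events.xml and the component type are present, that the three path values are absolute, and reports the bus-stop directory (the parent directory of jps-config.xml). The sample documents, their root element and all paths are constructed; only the <jvm-options> element and the -D names come from the text above.

```python
import posixpath
import xml.etree.ElementTree as ET

# -D options this page names for tpopss_audit.xml; the first three hold paths.
PATH_OPTS = ("oracle.security.jps.config", "java.security.policy",
             "oracle.tuxedo.opss.event.config.dir")
REQUIRED = PATH_OPTS + ("oracle.tuxedo.audit.type",)

def jvm_defines(xml_text):
    """Collect -Dname=value pairs, one per <jvm-options> element."""
    defines = {}
    for elem in ET.fromstring(xml_text).iter():
        if elem.tag.rsplit("}", 1)[-1] != "jvm-options":  # ignore any namespace
            continue
        text = (elem.text or "").strip()
        if text.startswith("-D") and "=" in text:
            name, value = text[2:].split("=", 1)
            defines[name] = value
    return defines

def check_audit_config(xml_text):
    """Return (problems, bus_stop_dir) for the text of a tpopss_audit.xml."""
    defines = jvm_defines(xml_text)
    problems = ["missing -D" + n for n in REQUIRED if not defines.get(n)]
    for name in PATH_OPTS:
        value = defines.get(name)
        if value and not posixpath.isabs(value):
            problems.append("-D%s is not an absolute path: %s" % (name, value))
    # Bus-stop files are written to the parent directory of jps-config.xml.
    jps = defines.get("oracle.security.jps.config", "")
    bus_stop = posixpath.dirname(jps) if posixpath.isabs(jps) else None
    return problems, bus_stop

# Constructed samples: the root element name and all paths are made up.
SAMPLE_OK = """<config>
 <jvm-options>-Doracle.security.jps.config=/opt/app/opss/jps-config.xml</jvm-options>
 <jvm-options>-Djava.security.policy=/opt/app/opss/java.policy</jvm-options>
 <jvm-options>-Doracle.tuxedo.opss.event.config.dir=/opt/app/opss/component_events.xml</jvm-options>
 <jvm-options>-Doracle.tuxedo.audit.type=tuxedo_opss_template</jvm-options>
</config>"""
# Same file with a relative policy path and a misspelled option name.
SAMPLE_BAD = (SAMPLE_OK.replace("=/opt/app/opss/java.policy", "=./java.policy")
              .replace("-Doracle.tuxedo.audit.type=", "-Doracle.tuxedo.audit.typ="))

if __name__ == "__main__":
    for label, text in (("ok", SAMPLE_OK), ("bad", SAMPLE_BAD)):
        print(label, check_audit_config(text))
```

Running the check before tmboot matters because a policy change only takes effect at restart, so a missing or relative option otherwise surfaces only after the audit module is already expected to be recording.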