If you are specifying SECURITY=ACL or SECURITY=MANDATORY_ACL in the RESOURCES section of the UBBCONFIG file, then you must continue to maintain the tpgrp and tpacl files in Tuxedo.
LAUTHSVR is a System /T provided server that offers the authentication service while the user security information is located in WebLogic Server. To enable the single security administration feature, you must configure LAUTHSVR as the authentication server. At runtime, LAUTHSVR retrieves the user information from the WebLogic Server-embedded LDAP and authenticates users. If the authentication is successful, an appkey is returned to the user; otherwise, authentication fails.
To define LAUTHSVR as the authentication server, you must define the following parameters in the UBBCONFIG file:
• SECURITY must be set to USER_AUTH, ACL, or MANDATORY_ACL in the RESOURCES section.
• LAUTHSVR must be specified in the SERVERS section.
Note: If LAUTHSVR cannot find a valid configuration file or the file does not exist, it will log an error message in USERLOG and fail to boot. The default LAUTHSVR configuration file is $TUXDIR/udataobj/tpldap and is provided with the product.
LAUTHSVR is the LDAP-based authentication server for Tuxedo. It requires a configuration file, which by default is $TUXDIR/udataobj/tpldap. You can create your own LAUTHSVR configuration file or use the default tpldap file that is available with the product.
Note: If the -f option is omitted, the default LAUTHSVR configuration file tpldap is used.
LAUTHSVR supports an input configuration file that contains information such as the bind DN and an unencrypted password for the bind DN. This configuration file is a plain text file that can be edited using any text editor and must be protected by the system using file permissions. By default the configuration file, named tpldap, is located in the $TUXDIR/udataobj directory. You can override this file on the LAUTHSVR command line. The LAUTHSVR configuration file contains keyword and value pairs as defined in Table 4‑1.
Although the default values for the LAUTHSVR configuration file are usually sufficient, a system administrator may choose to configure it with different names. Therefore, you should be aware of the following requirements for the LAUTHSVR configuration file:
• The LAUTHSVR configuration file is a plain text file.
Table 4‑1 defines the LAUTHSVR configuration file keywords. The keyword descriptions include the following:
• LDAP search base. The default is “ou=people, ou=myrealm, dc=mydomain”, where myrealm is the name of the security realm and mydomain is the name of the WebLogic Server domain.
• The tpldapconf command can be used to create the encrypted password.
• LDAP_ADDR: a comma separated list of WebLogic hostnames and ports. The syntax is [//]hostname[:port][,[//]hostname[:port]...]. The default value for port is 7001. If LDAP_ADDR is not specified, LAUTHSVR assumes localhost:7001 is the location to contact the LDAP server.
• SRCH_ORDER: valid values are LDAP or LOCAL, or both separated by a comma. If you specify LOCAL, the search order will use the tpusr file. The default is LDAP.
• The full pathname of the tpusr file to be used if the LOCAL search order is enabled. The default value is $APPDIR/tpusr.
Listing 4‑1 shows an example of a LAUTHSVR configuration file.
WARNING: Because the PASSWORD for the LDAP administrator is in clear text, it is recommended that the system administrator guards this file with correct access permissions.
Listing 4‑2 shows an example UBBCONFIG file with SECURITY set to ACL and LAUTHSVR defined.
To configure multiple network addresses for LAUTHSVR, use the LDAP_ADDR keyword in the LAUTHSVR configuration file. The order in which the hostnames are specified is the order in which LAUTHSVR will try to connect. To use caching during authentication, specify the EXPIRE keyword. Its value determines the number of seconds a cached entry remains available in the local process memory.
By default, the LAUTHSVR authentication server searches for user information in the WebLogic Server-embedded LDAP server. To include the tpusr file in the search, you must specify LOCAL in the SRCH_ORDER keyword. The order of the comma separated values in the SRCH_ORDER keyword is the order in which LAUTHSVR searches for user information: LAUTHSVR searches the LDAP server, the tpusr file, or both, in the order the values are specified.
If two or more SRCH_ORDER entries are specified in the LAUTHSVR configuration file, only the last entry takes effect, and a warning message is logged in USERLOG. A warning message also results if you specify a value other than LDAP or LOCAL in the SRCH_ORDER keyword; in that case the invalid entry is discarded and the default value or a previous valid SRCH_ORDER entry is used.
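As an added illustration (not Tuxedo code), the following Python models how the LDAP_ADDR, SRCH_ORDER and EXPIRE keywords described above are resolved, including the duplicate-entry and invalid-value rules, and checks that the file holding the clear-text bind password is not group- or world-readable. The KEYWORD=value line layout of the file is an assumption.

```python
import stat
from typing import Dict, List, Tuple

DEFAULT_LDAP_PORT = 7001        # port default given for LDAP_ADDR
VALID_SRCH = ("LDAP", "LOCAL")  # the only SRCH_ORDER values accepted
USERLOG: List[str] = []         # stands in for the Tuxedo USERLOG

def parse_config(text: str) -> Dict[str, str]:
    """KEYWORD=value lines with '#' comments (layout assumed); a repeated keyword keeps its last value."""
    cfg: Dict[str, str] = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if "=" not in line:
            continue
        key, value = (s.strip() for s in line.split("=", 1))
        if key in cfg:
            USERLOG.append(f"WARN: {key} specified more than once; only the last entry takes effect")
        cfg[key] = value.strip('"')
    return cfg

def parse_ldap_addr(value: str) -> List[Tuple[str, int]]:
    """[//]hostname[:port][,...] -> (host, port) list in the order LAUTHSVR tries to connect."""
    addrs = []
    for item in (x.strip() for x in value.split(",")):
        if item.startswith("//"):
            item = item[2:]
        host, _, port = item.partition(":")
        addrs.append((host, int(port) if port else DEFAULT_LDAP_PORT))
    return addrs

def parse_srch_order(value: str, fallback=("LDAP",)) -> Tuple[str, ...]:
    """Keep LDAP/LOCAL in the order given; discard other values with a warning, else fall back."""
    order = []
    for v in (x.strip().upper() for x in value.split(",")):
        if v in VALID_SRCH:
            order.append(v)
        else:
            USERLOG.append(f"WARN: invalid SRCH_ORDER value {v!r} discarded")
    return tuple(order) or tuple(fallback)

def load_lauthsvr(text: str) -> dict:
    """Resolve the keywords the page describes, applying its defaults."""
    cfg = parse_config(text)
    return {"ldap_addr": parse_ldap_addr(cfg.get("LDAP_ADDR", "localhost")),  # localhost:7001 default
            "srch_order": parse_srch_order(cfg.get("SRCH_ORDER", "LDAP")),
            "expire": int(cfg["EXPIRE"]) if "EXPIRE" in cfg else None}  # cache lifetime in seconds

def is_protected(mode: int) -> bool:
    """The file holds a clear-text bind password: reject group/world read bits (pass os.stat(path).st_mode)."""
    return not (mode & (stat.S_IRGRP | stat.S_IROTH))
```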
The following example specifies that LAUTHSVR should search the WebLogic Server-embedded LDAP server first for user information. If the user information is not found in the LDAP server, then LAUTHSVR should look in the tpusr file.
The following example specifies that LAUTHSVR should search the tpusr file first for user information. If the user information is not found in the tpusr file, then LAUTHSVR should look in the WebLogic Server-embedded LDAP server for the information.
• LAUTHSVR(5) and GAUTHSVR(5) in the Oracle Tuxedo File Formats, Data Descriptions, MIBs, and System Processes Reference.
You should use the tpmigldap command utility to migrate Tuxedo user and group information to WebLogic Server.
You can modify the tpusr file using a text editor and change the user password for each user in the file. The password field is the second field in the tpusr file. The field delimiter is a colon (:). Each user takes up one line in the tpusr file.
• Use the -f option with the tpmigldap utility to define a default password for all users.
Table 4‑2 defines the command line options for the tpmigldap utility. The order of the command line options does not matter.
Note: The tpmigldap command requires the use of -w or -c so the user or group can be added to the WebLogic Server-embedded LDAP database.
1. Use your existing tpusr file and tpgrp file to add the new user and group information. Be sure to use the same format previously defined in the file, and use clear text passwords when adding entries to the LDAP database.
2. Run the tpmigldap utility using the -u option to specify the updated tpusr file and the -g option to specify the updated tpgrp file. For example:
where by default the TUXEDO UID KEYWORD is TUXEDO_UID and the TUXEDO GID KEYWORD is TUXEDO_GID. For example:
GAUTHSVR is a System /T provided server whose usage is similar to LAUTHSVR, but with the following differences:
• GAUTHSVR can access user security information located in a wide variety of LDAP servers (for example, WebLogic, OpenLDAP, Netscape/iPlanet, Microsoft Active Directory, z/OS LDAP, and so on), using LDAP (Lightweight Directory Access Protocol).
To enable the single security administration feature, GAUTHSVR must be configured as the authentication server. GAUTHSVR authenticates user security information against an LDAP server. On successful authentication it returns an appkey if SECURITY is set to ACL or MANDATORY_ACL.
To configure GAUTHSVR as the authentication server, you must define the following parameters in the UBBCONFIG file:
• SECURITY must be set to USER_AUTH, ACL, or MANDATORY_ACL in the RESOURCES section.
• GAUTHSVR must be specified in the SERVERS section.
Note: If GAUTHSVR cannot find a valid configuration file or the file does not exist, it will log an error message in USERLOG and fail to boot. The default GAUTHSVR configuration file is $TUXDIR/udataobj/tpgauth and is provided with the product.
If you use GAUTHSVR with JDK 1.6 or later, specify JAVA_OPTS=-Djavax.xml.stream.XMLInputFactory=com.bea.xml.stream.MXParserFactory in your environment before booting GAUTHSVR.
If you use GAUTHSVR with Java 1.6, add the 64-bit JRE library path to LIBPATH. The default library is located in /usr/java6_64/jre/lib/ppc64. Run export LIBPATH=/usr/java6_64/jre/lib/ppc64:$LIBPATH to set the correct LIBPATH.
GAUTHSVR is an LDAP-based authentication server for Tuxedo. It requires a configuration file, which by default is $TUXDIR/udataobj/tpgauth.
Specifies the full pathname of the GAUTHSVR internal configuration file generated from the customer configuration file specified by the -f option. The default value is $APPDIR/gaconfig.xml.
Specifies the full pathname of the GAUTHSVR internal key file generated from the configuration file (specified in the -f option). The default value is $APPDIR/gakey.dat.
GAUTHSVR updates the generated XML file if tpgauth is newer than the generated XML and key files. Only changed or newly added tpgauth items are updated in the generated XML file.
Note: If the XML and key files are not present when GAUTHSVR is booted, GAUTHSVR creates them automatically.
GAUTHSVR supports an input configuration file that contains information such as the bind DN and an unencrypted password for the bind DN. This configuration file is a plain text file that can be edited using any text editor and must be protected by the system using file permissions. By default the configuration file, named tpgauth, is located in the $TUXDIR/udataobj directory. You can override this file on the GAUTHSVR command line.
Table 4‑3 lists the keyword and value pairs contained in the GAUTHSVR configuration file.
Although the default values for the GAUTHSVR configuration file are usually sufficient, you can choose to configure it with different names. Therefore, you should be aware of the following requirements for the GAUTHSVR configuration file:
• The GAUTHSVR configuration file is a plain text file.
• The Principal must have privileges to access the LDAP database (usually the LDAP administrator).
Table 4‑3 (partially recovered keyword descriptions):
• The default value is 0 (indicating no limit).
• The tpldapconf command can be used to create the encrypted credential.
• If set to false, a referral exception is sent when referrals are encountered during LDAP requests.
Listing 4‑3 shows an example GAUTHSVR configuration file for WebLogic Server. Refer to this example when configuring other LDAP servers.
Note: Make sure UID=* and GID=* in the LDAP description are the same as defined in SECURITY IS ACL.
WARNING: Because the PASSWORD for the LDAP administrator is in clear text, it is recommended that the system administrator guards this file with correct access permissions.
Listing 4‑4 shows an example UBBCONFIG file with SECURITY set to ACL and GAUTHSVR defined.
• GAUTHSVR(5) and LAUTHSVR(5) in the Oracle Tuxedo File Formats, Data Descriptions, MIBs, and System Processes Reference.
You can use the tpmigldif command utility to migrate Tuxedo user and group information to LDAP servers in LDAP Data Interchange Format (LDIF). In order to use tpmigldif, you must create a migration template.
Table 4‑6 lists the command line options for the tpmigldif utility. The order of the command line options does not matter.
Listing 4‑5 shows a tpusr file with five fields separated by a colon:
Listing 4‑6 shows a tpgrp file with three fields separated by a colon:
• Modify the tpusr file password field to change the user password for each user in the file. The password field is the second field in the tpusr file. Each user is entered on a separate line in the tpusr file. See Listing 4‑5 for the original tpusr file example.
Listing 4‑7 shows a tpusr-template migration file example. <%n> refers to a tpusr file field, where n starts at 1.
Note: Use <%gn> for a group field in the tpgrp file for the given user.
Listing 4‑8 shows the LDIF output from the tpusr-template.
dn: CN=user1,CN=Users,DC=tuxdev,DC=bea,dc=com
objectclass: top
objectclass: person
objectclass: organizationalPerson
objectclass: user
cn: user1
description: Tuxedo User, TUXEDO_UID=16668 TUXEDO_GID=601
password: pwd1

dn: CN=user2,CN=Users,DC=tuxdev,DC=bea,dc=com
objectclass: top
objectclass: person
objectclass: organizationalPerson
objectclass: user
cn: user2
description: Tuxedo User, TUXEDO_UID=16669 TUXEDO_GID=602
password: pwd2
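As an added example (not the tpmigldif utility itself), the following Python expands a tpusr-template written in the <%n> and <%gn> notation over constructed tpusr and tpgrp files into LDIF of the form shown above, and also rewrites the second (password) field of a tpusr line as the migration steps describe. The exact field layouts of tpusr and tpgrp and the template text are assumptions.

```python
import re
from typing import List
PLACEHOLDER = re.compile(r"<%(g?)(\d+)>")  # <%n> = tpusr field n, <%gn> = field n of the user's group

# Constructed sample files (not from the page); tpusr layout assumed as name:password:uid:gid:clientname.
TPUSR = "user1:pwd1:16668:601:client1\nuser2:pwd2:16669:602:client1\n"
# tpgrp layout assumed as name:description:gid (three colon-separated fields).
TPGRP = "grp1:first group:601\ngrp2:second group:602\n"
# Constructed tpusr-template written in the <%n> notation the page describes.
TEMPLATE = """dn: CN=<%1>,CN=Users,DC=tuxdev,DC=bea,dc=com
objectclass: top
objectclass: person
objectclass: organizationalPerson
objectclass: user
cn: <%1>
description: Tuxedo User, TUXEDO_UID=<%3> TUXEDO_GID=<%4>
password: <%2>
"""

def parse_records(text: str) -> List[List[str]]:
    """One colon-delimited record per non-empty line."""
    return [line.split(":") for line in text.splitlines() if line.strip()]

def set_password(tpusr: str, name: str, new_password: str) -> str:
    """Rewrite the second (password) field of the named user's tpusr line."""
    out = []
    for rec in parse_records(tpusr):
        if rec[0] == name:
            rec[1] = new_password
        out.append(":".join(rec))
    return "\n".join(out) + "\n"

def expand(template: str, user: List[str], groups: List[List[str]],
           user_gid_field: int = 4, group_gid_field: int = 3) -> str:
    """<%n> -> tpusr field n; <%gn> -> field n of the group whose gid matches the user's (1-based)."""
    group: List[str] = []
    def repl(m) -> str:
        n = int(m.group(2)) - 1
        if m.group(1) != "g":
            return user[n]
        if not group:   # resolve the user's tpgrp record once
            group.extend(next(g for g in groups if g[group_gid_field - 1] == user[user_gid_field - 1]))
        return group[n]
    return PLACEHOLDER.sub(repl, template)

def migrate(tpusr: str, tpgrp: str, template: str) -> str:
    """Emit LDIF for every tpusr entry; entries are separated by a blank line."""
    groups = parse_records(tpgrp)
    return "\n".join(expand(template, u, groups) for u in parse_records(tpusr))
```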
Table 4‑7 Supported LDAP Server Template Example (entries include z/OS LDAP with RACF backend)
OAUTHSVR is a Tuxedo provided server that offers the authentication and authorization service while the user security information is located in the Oracle Access Manager (OAM) Server. To enable the single security administration feature, you must configure OAUTHSVR as the authentication server. At runtime, OAUTHSVR authenticates and authorizes the user using the OAM Server.
To define OAUTHSVR as the authentication server, you must define the following parameters in the UBBCONFIG file:
• SECURITY must be set to USER_AUTH, ACL, or MANDATORY_ACL in the RESOURCES section.
• A TMJAVASVR with <server-class name="OAUTHSVR"/> must be specified in the SERVERS section.
OAUTHSVR supports an input configuration file that contains information such as the OAM access client configuration file and the resource type mapping between Tuxedo and OAM. This configuration file is a plain text file that can be edited using any text editor and must be protected by the system using file permissions. By default the configuration file, named tpoam.auth, is located in the $TUXDIR/udataobj directory. You can override this file on the OAUTHSVR command line. The OAUTHSVR configuration file contains keyword and value pairs as defined in Table 4‑8.
Although the default values for the OAUTHSVR configuration file are usually sufficient, a system administrator may choose to configure it with different names. Therefore, you should be aware of the following requirements for the OAUTHSVR configuration file:
• The OAUTHSVR configuration file is a plain text file.
Table 4‑8 lists the OAUTHSVR configuration file keywords.
Table 4‑11 shows an example of an OAUTHSVR configuration file.
Table 4‑12 shows an example UBBCONFIG file with SECURITY set to ACL and OAUTHSVR defined.
Table 4‑13 shows an example Java Server configuration file using OAUTHSVR.
ACL_POLICY and CREDENTIAL_POLICY affect credential propagation.
When the local domain receives a request from a remote domain and ACL_POLICY is set to LOCAL, the local domain removes the OAM session token from any service request received from the remote domain, if a session token exists. If ACL_POLICY is set to GLOBAL, the local domain does not remove the OAM session token received with a remote service request.
When a Tuxedo domain sends a request to a remote /T domain and CREDENTIAL_POLICY is set to LOCAL, the local domain removes the session token from a local service request destined for the remote domain access point. If CREDENTIAL_POLICY is set to GLOBAL, the local domain does not remove the session token from a local service request destined for that remote domain access point.
To authenticate or authorize user requests, either a username/password pair or a valid session token issued by the OAM server must exist. If neither a username/password pair nor a valid session token exists, it is not possible to impersonate the desired principal, and authentication or authorization with the OAM server cannot be done.
When the domain gateway receives a request, and either ACL_POLICY is set to LOCAL or the request does not contain an OAM session token (for example, because the remote domain does not use OAM, its CREDENTIAL_POLICY is set to LOCAL, its Tuxedo version is earlier than 12.2.2.0.0, or it cannot pass an OAM session token, as with WTC), the local domain gateway impersonates the desired principal by replacing the credential of any service request received from the remote domain with the principal name specified in the LOCAL_PRINCIPAL_NAME parameter for that remote domain access point (if not specified, the principal name defaults to the ACCESSPOINTID string for the remote domain access point). The password used is the "Remote Domain Password", so the SECURITY parameter in the DM_LOCAL section of the DMCONFIG file must be set to DM_PW, and a user named LOCAL_PRINCIPAL_NAME (or ACCESSPOINTID) with the same password as the "Remote Domain Password" must be defined in OAM. If these prerequisites are not met and SECURITY in UBBCONFIG is set to ACL or MANDATORY_ACL, authorization will fail.
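The token-handling rules above, modelled as an added example (not Tuxedo gateway code): the policy strings are the page's ACL_POLICY and CREDENTIAL_POLICY values, InboundRequest is a constructed stand-in for the gateway's view of a request, and only the DM_PW prerequisite is modelled for the authorization outcome.

```python
from dataclasses import dataclass
from typing import Optional

@dataclass
class InboundRequest:
    """A service request arriving from a remote /T domain (constructed model, not a Tuxedo API)."""
    credential: Optional[str]         # principal name carried with the request
    oam_session_token: Optional[str]  # None when the remote side sent no OAM token

def resolve_inbound(req: InboundRequest, acl_policy: str, local_principal_name: Optional[str],
                    accesspointid: str, dm_local_security: str, ubb_security: str) -> dict:
    """Apply the ACL_POLICY rules: with GLOBAL and a token present the request's own
    identity is kept; otherwise the gateway impersonates LOCAL_PRINCIPAL_NAME
    (default ACCESSPOINTID) using the remote domain password, which needs DM_PW."""
    if acl_policy == "GLOBAL" and req.oam_session_token is not None:
        return {"principal": req.credential, "token": req.oam_session_token,
                "uses_remote_domain_password": False, "authorizes": True}
    principal = local_principal_name or accesspointid
    # Without DM_PW the impersonation prerequisite is unmet; the page says this
    # fails authorization only when UBBCONFIG SECURITY is ACL or MANDATORY_ACL.
    ok = dm_local_security == "DM_PW" or ubb_security not in ("ACL", "MANDATORY_ACL")
    return {"principal": principal, "token": None,
            "uses_remote_domain_password": True, "authorizes": ok}

def resolve_outbound(token: Optional[str], credential_policy: str) -> Optional[str]:
    """CREDENTIAL_POLICY=LOCAL strips the OAM session token before the request leaves the domain."""
    return None if credential_policy == "LOCAL" else token
```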