Remote Tuxedo Access Points --> Security


 

Overview

Access Control Lists (ACLs) limit access to local services within a local Tuxedo access point by restricting which remote Tuxedo access points can execute these services. Inbound policy from a remote Tuxedo access point is specified using the AclPolicy element. Outbound policy towards a remote Tuxedo access point is specified using the CredentialPolicy element. This allows WebLogic Server and Tuxedo applications to share the same set of users, and users can propagate their credentials from one system to the other.

This release of WebLogic Tuxedo Connector provides the following AppKey Generator plug-ins to provide user security information to Tuxedo:

  • TpUsrFile - Provides traditional Tuxedo TpUserFile functionality for users who do not need single point security administration or custom security authentication.
  • LDAP - Provides single point security administration that allows you to maintain user security information in a WebLogic Server embedded LDAP server and use the WebLogic Server Console to administer the security information from a single system. Requires Tuxedo 8.1 and higher.
  • Custom - Provides the ability for you to create customized security authentication.

 

Tasks

Configuring Security Attributes for Remote Tuxedo Access Points

 

Related Topics

Configuring WebLogic Tuxedo Connector

 

Attributes

Attribute Label

Description

Value Constraints

Acl Policy

The inbound access control list (ACL) policy toward requests from a remote access point.

  • If Interoperate is set to Yes, AclPolicy is ignored.

  • LOCAL: The local access point modifies the identity of service requests received from a given remote access point to the principal name specified in the local principal name for a given remote access point.

  • GLOBAL: The local access point passes the service request with no change in identity.

MBean: weblogic.management.configuration.WTCRemoteTuxDomMBean
Attribute: AclPolicy
Default: "LOCAL"
Valid values:

  • "GLOBAL"

  • "LOCAL"

Credential Policy

The outbound access control list (ACL) policy toward requests to a remote access point.

  • If Interoperate is set to Yes, CredentialPolicy is ignored.

  • LOCAL: The remote access point controls the identity of service requests received from the local access point to the principal name specified in the local principal name for this remote access point.

  • GLOBAL: The remote access point passes the service request with no change.

MBean: weblogic.management.configuration.WTCRemoteTuxDomMBean
Attribute: CredentialPolicy
Default: "LOCAL"
Valid values:

  • "GLOBAL"

  • "LOCAL"

Min Encryption Level

The minimum encryption key length (in bits) used when establishing a network connection for a local access point.

  • A value of 0 indicates no encryption is used.

  • The value of the MinEncryptBits attribute must be less than or equal to the value of the MaxEncryptBits attribute.

  • A MinEncryptBits of 40 can be used only with access points running Tuxedo 7.1 or higher.

MBean: weblogic.management.configuration.WTCRemoteTuxDomMBean
Attribute: MinEncryptBits
Default: "0"
Valid values:

  • "0"

  • "40"

  • "56"

  • "128"

Max Encryption Level

The maximum encryption key length (in bits) used when establishing a network connection for a local access point.

  • A value of 0 indicates no encryption is used.

  • The value of the MaxEncryptBits attribute must be greater than or equal to the value of the MinEncryptBits attribute.

  • A MaxEncryptBits of 40 can be used only with access points running Tuxedo 7.1 or higher.

MBean: weblogic.management.configuration.WTCRemoteTuxDomMBean
Attribute: MaxEncryptBits
Default: "128"
Valid values:

  • "0"

  • "40"

  • "56"

  • "128"

Allow Anonymous

Specifies whether the anonymous user is allowed to access Tuxedo. If the anonymous user is allowed to access Tuxedo, the default AppKey will be used for TpUsrFile and LDAP AppKey plug-ins. Interaction with the Custom AppKey plug-in depends on the design of the Custom AppKey generator.

MBean: weblogic.management.configuration.WTCRemoteTuxDomMBean
Attribute: AllowAnonymous
Default: false
Valid values:

  • true

  • false

Default AppKey

The default AppKey value to be used by the anonymous user and other users who are not defined in the user database if the AppKey plug-in allows them to access Tuxedo. The TpUsrFile and LDAP plug-ins do not allow users that are not defined in user database to access Tuxedo unless Allow Anonymous is enabled.

MBean: weblogic.management.configuration.WTCRemoteTuxDomMBean
Attribute: DefaultAppKey
Default: "-1"

AppKey Generator

Specifies the type of AppKey plug-in used. You can choose from the following:

  • TpUsrFile.

  • LDAP.

  • Custom.

The TpUsrFile is the default plug-in. It uses an imported Tuxedo TPUSR file to provide user security information. Previous releases of WebLogic Tuxedo Connector support this option.

The LDAP plug-in utilizes an embedded LDAP server to provide user security information. The user record must define the Tuxedo UID and GID information in the description field. This functionality is not supported in previous releases of WebLogic Tuxedo Connector.

A Custom plug-in is provided by users who write their own AppKey generator class to provide the security information required by Tuxedo. This functionality is not supported in previous releases of WebLogic Tuxedo Connector.

MBean: weblogic.management.configuration.WTCRemoteTuxDomMBean
Attribute: AppKey
Default: "TpUsrFile"
Valid values:

  • "TpUsrFile"

  • "LDAP"

  • "Custom"

Tp User File

The full path to the user password file containing UID/GID information. This file is generated by the Tuxedo tpusradd utility on the remote Tuxedo domain specified by the remote Tuxedo access point. A copy of this file must be available in your WebLogic Tuxedo Connector environment to provide correct authorization, authentication, and auditing.

MBean: weblogic.management.configuration.WTCRemoteTuxDomMBean
Attribute: TpUsrFile

Tuxedo UID Keyword

The keyword for Tuxedo UID (user id) when using the Tuxedo migration utility tpmigldap. This keyword is used to find the Tuxedo UID in the user record of the embedded LDAP database.

MBean: weblogic.management.configuration.WTCRemoteTuxDomMBean
Attribute: TuxedoUidKw
Default: "TUXEDO_UID"

Tuxedo GID Keyword

The keyword for Tuxedo GID (group id) when using the Tuxedo migration utility tpmigldap. The keyword is used to find the Tuxedo GID in the user record of the embedded LDAP database.

MBean: weblogic.management.configuration.WTCRemoteTuxDomMBean
Attribute: TuxedoGidKw
Default: "TUXEDO_GID"

Custom AppKey Class

The full pathname to the custom AppKey generator class. The class at this location is loaded at runtime if the Custom AppKey plug-in is selected.

MBean: weblogic.management.configuration.WTCRemoteTuxDomMBean
Attribute: CustomAppKeyClass

Custom AppKey Param

The optional parameters to be used by the custom AppKey class at the class initialization time.

MBean: weblogic.management.configuration.WTCRemoteTuxDomMBean
Attribute: CustomAppKeyClassParam
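
The following is an added example, not part of Oracle's documentation or product code: a Python audit of one remote access point's security attributes against the constraints and defaults listed in the table above. It assumes the values are supplied as a plain dict keyed by the attribute names on this page (exporting them from the domain is left to you); the optional Interoperate key and the sample dicts are constructed for illustration.

```python
# Added example (not Oracle code): audit one remote access point's security
# attributes against the constraints documented on this page.
VALID_BITS = {0, 40, 56, 128}
VALID_POLICY = {"LOCAL", "GLOBAL"}
VALID_APPKEY = {"TpUsrFile", "LDAP", "Custom"}
# Documented defaults, applied when an attribute is absent from the input.
DEFAULTS = {"AclPolicy": "LOCAL", "CredentialPolicy": "LOCAL",
            "MinEncryptBits": 0, "MaxEncryptBits": 128,
            "AllowAnonymous": False, "DefaultAppKey": -1, "AppKey": "TpUsrFile"}

def audit(attrs):
    """Return (severity, message) findings; attrs is a dict keyed by attribute name."""
    cfg = {**DEFAULTS, **attrs}
    out = []
    lo, hi = int(cfg["MinEncryptBits"]), int(cfg["MaxEncryptBits"])
    for name, bits in (("MinEncryptBits", lo), ("MaxEncryptBits", hi)):
        if bits not in VALID_BITS:
            out.append(("error", f"{name}={bits} is not one of 0, 40, 56, 128"))
    if lo > hi:
        out.append(("error", "MinEncryptBits must be <= MaxEncryptBits"))
    if lo == 0:
        out.append(("warn", "MinEncryptBits=0 accepts a connection with no encryption"))
    elif lo < 128:
        out.append(("warn", f"MinEncryptBits={lo} accepts keys shorter than 128 bits"))
    for name in ("AclPolicy", "CredentialPolicy"):
        if cfg[name] not in VALID_POLICY:
            out.append(("error", f"{name}={cfg[name]!r} is not LOCAL or GLOBAL"))
        elif cfg.get("Interoperate") == "Yes":  # related setting, supplied by caller
            out.append(("info", f"{name} is ignored because Interoperate is Yes"))
    if cfg["AclPolicy"] == "GLOBAL":
        out.append(("info", "AclPolicy=GLOBAL: inbound identity is passed unchanged"))
    if cfg["AppKey"] not in VALID_APPKEY:
        out.append(("error", f"AppKey={cfg['AppKey']!r} is not a known plug-in"))
    elif cfg["AppKey"] == "TpUsrFile" and not cfg.get("TpUsrFile"):
        out.append(("warn", "AppKey=TpUsrFile but no TpUsrFile path is set"))
    elif cfg["AppKey"] == "Custom" and not cfg.get("CustomAppKeyClass"):
        out.append(("error", "AppKey=Custom but CustomAppKeyClass is empty"))
    if cfg["AllowAnonymous"]:
        out.append(("warn", "AllowAnonymous=true: anonymous users receive "
                            f"DefaultAppKey={cfg['DefaultAppKey']}"))
    return out

# Constructed sample values, not taken from a real domain.
SHIPPED_DEFAULTS = {}
HARDENED = {"MinEncryptBits": 128, "MaxEncryptBits": 128, "AppKey": "LDAP"}
INVERTED = {"MinEncryptBits": 128, "MaxEncryptBits": 56, "AllowAnonymous": True}

if __name__ == "__main__":
    for label, sample in (("defaults", SHIPPED_DEFAULTS), ("hardened", HARDENED),
                          ("inverted", INVERTED)):
        print(label, audit(sample))
```

Run against the documented defaults, the audit reports that a MinEncryptBits of 0 leaves an unencrypted link acceptable, which is the setting most worth raising before a connection carries credentials.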
