Remote Tuxedo Access Points: Security
Use this page to define the security configuration of a remote Tuxedo access point that will be used with this WTC Service.
Access Control Lists (ACLs) limit the access to local services within a local Tuxedo access point by restricting the remote Tuxedo access points that can execute these services. Inbound policy from a remote Tuxedo access point is specified using the AclPolicy element. Outbound policy towards a remote Tuxedo access point is specified using the CredentialPolicy element. This allows WebLogic Server and Tuxedo applications to share the same set of users, and the users are able to propagate their credentials from one system to the other.
WebLogic Tuxedo Connector provides the following AppKey Generator plug-ins to provide user security information to Tuxedo:
- TpUsrFile—Provides traditional Tuxedo TpUserFile functionality for users who do not need single point security administration or custom security authentication.
- LDAP—Provides single point security administration that allows you to maintain user security information in a WebLogic Server embedded LDAP server and use the WebLogic Server Console to administer the security information from a single system. Requires Tuxedo 8.1 and higher.
- Custom—Provides the ability for you to create customized security authentication.
Configuration Options
ACL Policy
The inbound access control list (ACL) policy toward requests from a remote Tuxedo access point.
The allowed values are:
- LOCAL: The local Tuxedo access point modifies the identity of service requests received from a given remote Tuxedo access point to the principal name specified in the local principal name for a given remote Tuxedo access point.
- GLOBAL: The local Tuxedo access point passes the service request with no change in identity.
Note: If Interoperate is set to Yes, AclPolicy is ignored.
MBean Attribute: WTCRemoteTuxDomMBean.AclPolicy
Credential Policy
The outbound access control list (ACL) policy toward requests to a remote Tuxedo access point.
The allowed values are:
- LOCAL: The remote Tuxedo access point controls the identity of service requests received from the local Tuxedo access point to the principal name specified in the local principal name for this remote Tuxedo access point.
- GLOBAL: The remote Tuxedo access point passes the service request with no change.
Note: If Interoperate is set to Yes, CredentialPolicy is ignored.
MBean Attribute: WTCRemoteTuxDomMBean.CredentialPolicy
Min Encryption Level
The minimum encryption key length (in bits) this remote Tuxedo access point uses when establishing a session connection. A value of 0 indicates no encryption is used.
Value Restrictions:
- The MinEncryptBits value must be less than or equal to the MaxEncryptBits value.
- A MinEncryptBits value of 40 can be used only with domains running Tuxedo 7.1 or higher.
MBean Attribute: WTCRemoteTuxDomMBean.MinEncryptBits
Secure value: 40
Max Encryption Level
The maximum encryption key length (in bits) this remote Tuxedo access point uses when establishing a session connection. A value of 0 indicates no encryption is used.
Value Restrictions:
- The value of the MaxEncryptBits attribute must be greater than or equal to the value of the MinEncryptBits attribute.
- A MaxEncryptBits value of 40 can be used only with domains running Tuxedo 7.1 or higher.
MBean Attribute: WTCRemoteTuxDomMBean.MaxEncryptBits
Allow Anonymous
Whether the anonymous user is allowed to access remote Tuxedo services.
Note: If the anonymous user is allowed to access Tuxedo, the default AppKey will be used for TpUsrFile and LDAP AppKey plug-ins. Interaction with the Custom AppKey plug-in depends on the design of the Custom AppKey generator.
MBean Attribute: WTCRemoteTuxDomMBean.AllowAnonymous
Default AppKey
The default AppKey value to be used by the anonymous user and other users who are not defined in the user database if the plug-in allows them to access Tuxedo.
Note: The TpUsrFile and LDAP plug-ins do not allow users that are not defined in the user database to access Tuxedo unless Allow Anonymous is enabled.
MBean Attribute: WTCRemoteTuxDomMBean.DefaultAppKey
AppKey Generator
Specifies the type of AppKey plug-in used.
The allowed values are:
- TpUsrFile: TpUsrFile is the default plug-in. It uses an imported Tuxedo TPUSR file to provide user security information. Previous releases of WebLogic Tuxedo Connector support this option.
- LDAP: The LDAP plug-in utilizes an embedded LDAP server to provide user security information. The user record must define the Tuxedo UID and GID information in the description field. This functionality is not supported in previous releases of WebLogic Tuxedo Connector.
- Custom: The Custom plug-in provides the ability to write your own AppKey generator class to provide the security information required by Tuxedo. This functionality is not supported in previous releases of WebLogic Tuxedo Connector.
MBean Attribute: WTCRemoteTuxDomMBean.AppKey
Tp User File
The full path to the user password file containing UID/GID information. (This field is only relevant if you specify TpUsrFile as the AppKey Generator.)
Note: This file is generated by the Tuxedo tpusradd utility on the remote Tuxedo domain specified by the remote Tuxedo access point. A copy of this file must be available in your WebLogic Tuxedo Connector environment to provide correct authorization, authentication, and auditing.
MBean Attribute: WTCRemoteTuxDomMBean.TpUsrFile
Tuxedo UID Keyword
The keyword for Tuxedo UID (User ID) used in the WlsUser when using the Tuxedo migration utility tpmigldap. (This keyword is only relevant if you specify LDAP as the AppKey Generator.)
Note: The keyword is used to find the Tuxedo UID in the user record in the embedded LDAP database.
MBean Attribute: WTCRemoteTuxDomMBean.TuxedoUidKw
Tuxedo GID Keyword
The keyword for Tuxedo GID (Group ID) used in the WlsUser when using the Tuxedo migration utility tpmigldap. (This field is only relevant if you specify LDAP as the AppKey Generator.)
Note: The keyword is used to find the Tuxedo GID in the user record in the embedded LDAP database.
MBean Attribute: WTCRemoteTuxDomMBean.TuxedoGidKw
Custom AppKey Class
The full pathname to the custom AppKey generator class. (This class is only relevant if you specify Custom as the AppKey Generator.)
Note: This class is loaded at runtime if the Custom AppKey generator plug-in is selected.
MBean Attribute: WTCRemoteTuxDomMBean.CustomAppKeyClass
Custom AppKey Param
The optional parameters to be used by the custom AppKey class at class initialization time. (This field is only relevant if you specify Custom as the AppKey Generator.)
MBean Attribute: WTCRemoteTuxDomMBean.CustomAppKeyClassParam
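The value restrictions and plug-in dependencies in the table above, collected into an offline review check. This is an added example, not Oracle's code: it takes each access point's settings as a dict keyed by the MBean attribute names listed on this page, and the sample records, the AccessPoint key and the severity labels are constructed for illustration.

```python
# Added example: offline audit of remote Tuxedo access point settings.
ALLOWED_POLICY = {"LOCAL", "GLOBAL"}
# Attributes each AppKey Generator value depends on, per the table above.
REQUIRED_BY_APPKEY = {
    "TpUsrFile": ["TpUsrFile"],
    "LDAP": ["TuxedoUidKw", "TuxedoGidKw"],
    "Custom": ["CustomAppKeyClass"],
}
SECURE_MIN_BITS = 40  # the "Secure value" this page gives for MinEncryptBits

def audit_access_point(ap):
    """Return (severity, message) findings; severity labels are this example's own."""
    out = []
    lo, hi = int(ap["MinEncryptBits"]), int(ap["MaxEncryptBits"])
    if lo > hi:
        out.append(("error", f"MinEncryptBits {lo} is greater than MaxEncryptBits {hi}"))
    if hi == 0:
        out.append(("high", "MaxEncryptBits is 0: no encryption is used"))
    elif lo < SECURE_MIN_BITS:
        out.append(("medium", f"MinEncryptBits {lo} is below the documented secure value {SECURE_MIN_BITS}"))
    for attr in ("AclPolicy", "CredentialPolicy"):
        if ap.get(attr) not in ALLOWED_POLICY:
            out.append(("error", f"{attr} must be LOCAL or GLOBAL, got {ap.get(attr)!r}"))
    if ap.get("AclPolicy") == "GLOBAL":
        out.append(("info", "AclPolicy GLOBAL: inbound requests keep the remote identity"))
    appkey = ap.get("AppKey", "TpUsrFile")  # TpUsrFile is the default plug-in
    if appkey not in REQUIRED_BY_APPKEY:
        out.append(("error", f"unknown AppKey generator {appkey!r}"))
    for attr in REQUIRED_BY_APPKEY.get(appkey, []):
        if not ap.get(attr):
            out.append(("error", f"AppKey {appkey} needs {attr} to be set"))
    if ap.get("AllowAnonymous") and appkey in ("TpUsrFile", "LDAP"):
        out.append(("medium", f"anonymous users reach Tuxedo with DefaultAppKey {ap.get('DefaultAppKey')}"))
    return out

# Constructed sample records (not taken from a real domain).
SAMPLE = [
    {"AccessPoint": "TDOM1", "AclPolicy": "LOCAL", "CredentialPolicy": "LOCAL",
     "MinEncryptBits": 40, "MaxEncryptBits": 128, "AllowAnonymous": False,
     "AppKey": "TpUsrFile", "TpUsrFile": "/constructed/path/tpusr"},
    {"AccessPoint": "TDOM2", "AclPolicy": "GLOBAL", "CredentialPolicy": "LOCAL",
     "MinEncryptBits": 0, "MaxEncryptBits": 128, "AllowAnonymous": True,
     "DefaultAppKey": 7, "AppKey": "LDAP", "TuxedoUidKw": "UID_KW"},
]

if __name__ == "__main__":
    for ap in SAMPLE:
        for severity, message in audit_access_point(ap):
            print(ap["AccessPoint"], severity, message)
```

TDOM2 is flagged four times: a minimum that permits an unencrypted session, GLOBAL inbound identity, a missing TuxedoGidKw for the LDAP plug-in, and anonymous access mapped to the default AppKey.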