The BDMCONFIG section of the WebLogic Tuxedo Connector XML configuration file describes how to establish connectivity and provide security between domains in the WebLogic Tuxedo Connector and Tuxedo environments. The XML configuration file is composed of configuration parameters that are analogous to the interoperability attributes required for the communication between Tuxedo domains.
The WebLogic Tuxedo Connector is started as part of the WebLogic Server application environment. Any configuration condition that prevents the WebLogic Tuxedo Connector from starting results in an error being logged to the WebLogic Server error log.
The following sections provide configuration information about BDMCONFIG:
Note: For more detailed reference information on the WebLogic Tuxedo Connector XML configuration file, elements and attributes, and the wtc_config.dtd, see The wtc_config.dtd.
Several options can specify the conditions under which a local domain gateway tries to establish a connection with a remote domain. Specify these conditions using the ConnectionPolicy parameter in the T_DM_LOCAL_TDOMAIN and T_DM_REMOTE_TDOMAIN sections of BDMCONFIG.
Connecting at Boot Time (ON_STARTUP)
A policy of ON_STARTUP means that a domain gateway attempts to establish a connection with its remote domain access points at gateway server initialization time. Failed connections are retried at regular intervals determined by the RetryInterval parameter.
The RetryInterval parameter enables failed connection attempts to remote domains to be retried automatically when the connection policy is ON_STARTUP. You control the frequency of automatic connection attempts by specifying the interval (in seconds) that the gateway waits before trying to establish the connection again.
The MaxRetries parameter specifies the number of times that a domain gateway tries to establish connections to remote domain access points before giving up. It applies only when ConnectionPolicy is set to ON_STARTUP.
Setting MaxRetries to its maximum value retries until a connection is established; setting it to its minimum value disables the automatic retry mechanism.
Connecting on Request (ON_DEMAND)
A connection policy of ON_DEMAND means that a connection is attempted only when requested by either a client request to a remote service or an administrative connect command. The default setting for ConnectionPolicy is ON_DEMAND.
Accepting Incoming Connections (INCOMING_ONLY)
A connection policy of INCOMING_ONLY means that a domain gateway does not attempt an initial connection to remote domain access points at startup. The domain gateway is available for incoming connections from remote domain access points and remote services are advertised when the domain gateway for this local domain access point receives an incoming connection. Connection retry processing is not allowed when the connection policy is INCOMING_ONLY.
A connection policy of LOCAL indicates that the remote domain's connection policy explicitly defaults to the ConnectionPolicy value of its local domain access point. If a remote domain does not define ConnectionPolicy at all, the system likewise uses the setting of the associated local domain (the one named by LocalAccessPoint).
Dynamic Status is a feature of the gateway process (GWTDOMAIN) to determine the availability of remote services. The connection policy used in the WebLogic Tuxedo Connector configuration file determines whether the Dynamic Status feature is available for a service. The following table describes how each connection policy affects Dynamic Status capability.
Configuring Failover and Failback
The WebLogic Tuxedo Connector supports domain-level failover and failback.
Note: A Tuxedo T/Domain gateway allows at most 3 backup remote domains. The WebLogic Tuxedo Connector places no limit on the number of backup domains that can be configured for a service.
Domain failover provides an alternate access to domain services when a failure is detected on a primary remote domain. Failback is provided if a connection to the primary domain is restored when the domain becomes available.
The WebLogic Tuxedo Connector supports authentication of clients, servers, and administrative programs.
The Security parameter in the local domain specifies the level of security allowed by a particular local domain. There are three basic security levels:
Generating Encrypted Passwords
Use weblogic.wtc.gwt.genpasswd to generate encrypted passwords for the LocalPassword, RemotePassword, and AppPassword elements. The utility encrypts a password with a key you supply and emits a complete, valid WebLogic Tuxedo Connector XML element that you copy into the XML configuration file. Because the value is encrypted rather than hashed, anyone who can read the configuration file and knows the key can recover the plaintext password, so restrict read access to the file and treat the key as a secret.
Note: Use of encryption requires appropriate user licenses. For more information, see Licensing.
Call the utility without any arguments to display the command line options.
$ java weblogic.wtc.gwt.genpasswd
Usage: genpasswd Key <LocalPassword|RemotePassword|AppPassword> <local|remote|application>
This section provides examples of each of the password element types.
The following example uses Key1 to encrypt "LocalPassword1" as the password of the local domain.
$ java weblogic.wtc.gwt.genpasswd Key1 LocalPassword1 local
<LocalPassword IV="I#^Da0efo1">!djK*87$klbJJ</LocalPassword>
The following example uses mykey to encrypt "RemotePassword1" as the password for the remote domain.
$ java weblogic.wtc.gwt.genpasswd mykey RemotePassword1 remote
<RemotePassword IV="Rq$45%%kK">McFrd3#f41Kl</RemotePassword>
The following example uses mykey to encrypt "test123" as the application password.
$ java weblogic.wtc.gwt.genpasswd mykey test123 application
<AppPassword IV="gx8aSkAgLFg=">c98Y/P94HY3rCAVmkF=</AppPassword>
Access Control Lists (ACLs) limit access to local services within a local domain by restricting which remote domains can execute them. Inbound policy from a remote domain is specified with the AclPolicy element; outbound policy toward a remote domain is specified with the CredentialPolicy element. Together these let WebLogic Server and Tuxedo applications share one set of users and let those users propagate their credentials from one system to the other.
The valid values for this parameter are:
Security Requirements for servers
Security Requirements for clients
Use the following steps to establish an ACL policy:
Note: Tuxedo 6.5 does not have the required security infrastructure to support security mapping.
Add users to the TpUsrFile using the WebLogic Server Console.
Add the security-role and security-role-assignment elements to each EJB used in the application.
After you have added the users and modified the EJBs, only users defined in WebLogic Server have permission to access the EJBs.
Modify Tuxedo Environment for ACL
Perform the following steps for inbound and outbound requests to prepare the Tuxedo environment:
Note: If ACL_POLICY="LOCAL", you must configure the remote DOMAINID as a user using tpusradd.
Modify WebLogic Tuxedo Connector Environment for ACL
Perform the following steps to prepare the WebLogic Server environment:
Example: <TpUsrFile>full path name to tpusr</TpUsrFile>.
Example: <CredentialPolicy>GLOBAL</CredentialPolicy>
Note: If CredentialPolicy is set to LOCAL, the user information is stripped from the outbound request and is not propagated to the remote domain.
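The following BDMCONFIG fragment is added here as a worked example; it is not a file shipped with the WebLogic Tuxedo Connector. It ties together the parameters discussed above: ConnectionPolicy with RetryInterval and MaxRetries on the remote domain, Security and TpUsrFile on the local domain, AclPolicy and CredentialPolicy for inbound and outbound ACL handling, and the LocalPassword, RemotePassword and AppPassword elements whose encrypted values are copied from the genpasswd examples above. Element and attribute names that this page does not mention (the WTC_CONFIG root and DOCTYPE, the AccessPoint attribute, AccessPointId, NWAddr, BlockTime, T_DM_EXPORT, T_DM_IMPORT, T_DM_PASSWORD, T_DM_RESOURCES, EJBName) and the Security value DM_PW are assumed from the wtc_config.dtd and should be checked against it; the domain names, host names, ports and the tpusr path are constructed.

```xml
<?xml version="1.0"?>
<!-- Added example BDMCONFIG, not part of the WebLogic Tuxedo Connector
     distribution. Domain names, addresses and the TpUsrFile path are
     constructed; element names not mentioned on this page are assumed
     from wtc_config.dtd. -->
<!DOCTYPE WTC_CONFIG SYSTEM "wtc_config.dtd">
<WTC_CONFIG>
  <BDMCONFIG>

    <!-- Local domain access point: the WebLogic Server side. -->
    <T_DM_LOCAL_TDOMAIN AccessPoint="TDOM1">
      <AccessPointId>TDOM1</AccessPointId>
      <!-- Assumed security level requiring both the application password
           and the per-domain passwords declared in T_DM_PASSWORD below. -->
      <Security>DM_PW</Security>
      <!-- Used by any remote domain whose ConnectionPolicy is LOCAL
           or that omits ConnectionPolicy entirely. -->
      <ConnectionPolicy>ON_DEMAND</ConnectionPolicy>
      <BlockTime>30000</BlockTime>
      <!-- Users allowed to call the exported EJBs (constructed path). -->
      <TpUsrFile>/opt/wtc/config/tpusr</TpUsrFile>
      <NWAddr>//wls-host.example.com:5678</NWAddr>
    </T_DM_LOCAL_TDOMAIN>

    <!-- Remote domain access point: the Tuxedo side. -->
    <T_DM_REMOTE_TDOMAIN AccessPoint="TDOM2">
      <LocalAccessPoint>TDOM1</LocalAccessPoint>
      <AccessPointId>TDOM2</AccessPointId>
      <!-- Connect at boot; retry every 60 seconds, at most 10 times.
           RetryInterval and MaxRetries only take effect with ON_STARTUP. -->
      <ConnectionPolicy>ON_STARTUP</ConnectionPolicy>
      <RetryInterval>60</RetryInterval>
      <MaxRetries>10</MaxRetries>
      <!-- Inbound policy. With LOCAL, the remote DOMAINID must also be
           added as a user with tpusradd, as the note above says. -->
      <AclPolicy>LOCAL</AclPolicy>
      <!-- Outbound policy. GLOBAL propagates the WebLogic user identity;
           LOCAL would strip it from the request. -->
      <CredentialPolicy>GLOBAL</CredentialPolicy>
      <NWAddr>//tux-host.example.com:1234</NWAddr>
    </T_DM_REMOTE_TDOMAIN>

    <!-- Service exported to Tuxedo, backed by the Tolower EJB whose
         jndi-name appears in the weblogic-ejb-jar.xml example below. -->
    <T_DM_EXPORT ResourceName="TOLOWER" LocalAccessPoint="TDOM1">
      <EJBName>tuxedo.services.TOLOWERHome</EJBName>
    </T_DM_EXPORT>

    <!-- Tuxedo service imported for use by the Toupper EJB. -->
    <T_DM_IMPORT ResourceName="TOUPPER" LocalAccessPoint="TDOM1"
                 RemoteAccessPointList="TDOM2"/>

    <!-- Elements produced by weblogic.wtc.gwt.genpasswd; values are the
         ones shown in the examples above. Keep this file unreadable to
         anyone who is not an administrator, since the values decrypt. -->
    <T_DM_PASSWORD LocalAccessPoint="TDOM1" RemoteAccessPoint="TDOM2">
      <LocalPassword IV="I#^Da0efo1">!djK*87$klbJJ</LocalPassword>
      <RemotePassword IV="Rq$45%%kK">McFrd3#f41Kl</RemotePassword>
    </T_DM_PASSWORD>

    <T_DM_RESOURCES>
      <AppPassword IV="gx8aSkAgLFg=">c98Y/P94HY3rCAVmkF=</AppPassword>
    </T_DM_RESOURCES>

  </BDMCONFIG>
</WTC_CONFIG>
```

Validate the finished file against the wtc_config.dtd referenced at the top of this page before starting the server; a configuration error here prevents the WebLogic Tuxedo Connector from starting and is reported in the WebLogic Server error log.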
This section provides an example of how to set up ACL control using the simpapp and simpserv examples.
Use the following steps to establish ACL control:
Note: The | at the beginning of a line marks the changes added to support the security implementation.
<?xml version="1.0"?>
<!--
Copyright (c) 2000 BEA Systems, Inc.
All rights reserved
THIS IS UNPUBLISHED PROPRIETARY
SOURCE CODE OF BEA Systems, Inc.
The copyright notice above does not
evidence any actual or intended
publication of such source code.
-->
<!DOCTYPE ejb-jar PUBLIC '-//Sun Microsystems, Inc.//DTD Enterprise JavaBeans 2.0//EN' 'http://java.sun.com/j2ee/dtds/ejb-jar_2_0.dtd'>
<ejb-jar>
  <enterprise-beans>
    <session>
      <ejb-name>Toupper</ejb-name>
      <home>weblogic.wtc.examples.simpapp.ToupperHome</home>
      <remote>weblogic.wtc.examples.simpapp.Toupper</remote>
      <ejb-class>weblogic.wtc.examples.simpapp.ToupperBean</ejb-class>
      <session-type>Stateful</session-type>
      <transaction-type>Container</transaction-type>
    </session>
  </enterprise-beans>
  <assembly-descriptor>
|   <security-role>
|     <role-name>dom2</role-name>
|   </security-role>
|   <method-permission>
|     <role-name>dom2</role-name>
|     <method>
|       <ejb-name>Toupper</ejb-name>
|       <method-name>Toupper</method-name>
|     </method>
|   </method-permission>
    <container-transaction>
      <method>
        <ejb-name>Toupper</ejb-name>
        <method-intf>Remote</method-intf>
        <method-name>*</method-name>
      </method>
      <trans-attribute>Supports</trans-attribute>
    </container-transaction>
  </assembly-descriptor>
</ejb-jar>
Note: The | at the beginning of a line marks the changes added to support the security implementation.
<?xml version="1.0"?>
<!--
Copyright (c) 2000 BEA Systems, Inc.
All rights reserved
THIS IS UNPUBLISHED PROPRIETARY
SOURCE CODE OF BEA Systems, Inc.
The copyright notice above does not
evidence any actual or intended
publication of such source code.
-->
<!DOCTYPE weblogic-ejb-jar PUBLIC '-//BEA Systems, Inc.//DTD WebLogic 6.0.0 EJB//EN' 'http://www.bea.com/servers/wls600/dtd/weblogic-ejb-jar.dtd'>
<weblogic-ejb-jar>
  <weblogic-enterprise-bean>
    <ejb-name>Toupper</ejb-name>
    <stateful-session-descriptor>
      <stateful-session-cache>
        <max-beans-in-cache>100</max-beans-in-cache>
      </stateful-session-cache>
    </stateful-session-descriptor>
    <jndi-name>tuxedo.services.ToupperHome</jndi-name>
  </weblogic-enterprise-bean>
| <security-role-assignment>
|   <role-name>dom2</role-name>
|   <principal-name>john</principal-name>
|   <principal-name>bob</principal-name>
| </security-role-assignment>
</weblogic-ejb-jar>
Note: The | at the beginning of a line marks the changes added to support the security implementation.
<?xml version="1.0"?>
<!--
Copyright (c) 2000 BEA Systems, Inc.
All rights reserved
THIS IS UNPUBLISHED PROPRIETARY
SOURCE CODE OF BEA Systems, Inc.
The copyright notice above does not
evidence any actual or intended
publication of such source code.
-->
<!DOCTYPE ejb-jar PUBLIC '-//Sun Microsystems, Inc.//DTD Enterprise JavaBeans 2.0//EN' 'http://java.sun.com/j2ee/dtds/ejb-jar_2_0.dtd'>
<ejb-jar>
  <enterprise-beans>
    <session>
      <ejb-name>Tolower</ejb-name>
      <home>weblogic.wtc.jatmi.TuxedoServiceHome</home>
      <remote>weblogic.wtc.jatmi.TuxedoService</remote>
      <ejb-class>weblogic.wtc.examples.simpserv.TolowerBean</ejb-class>
      <session-type>Stateless</session-type>
      <transaction-type>Container</transaction-type>
    </session>
  </enterprise-beans>
  <assembly-descriptor>
|   <security-role>
|     <role-name>rdom2</role-name>
|   </security-role>
|   <method-permission>
|     <role-name>rdom2</role-name>
|     <method>
|       <ejb-name>Tolower</ejb-name>
|       <method-name>service</method-name>
|     </method>
|   </method-permission>
    <container-transaction>
      <method>
        <ejb-name>Tolower</ejb-name>
        <method-intf>Remote</method-intf>
        <method-name>*</method-name>
      </method>
      <trans-attribute>Supports</trans-attribute>
    </container-transaction>
  </assembly-descriptor>
</ejb-jar>
Note: The | at the beginning of a line marks the changes added to support the security implementation.
<?xml version="1.0"?>
<!--
Copyright (c) 2000 BEA Systems, Inc.
All rights reserved
THIS IS UNPUBLISHED PROPRIETARY
SOURCE CODE OF BEA Systems, Inc.
The copyright notice above does not
evidence any actual or intended
publication of such source code.
-->
<!DOCTYPE weblogic-ejb-jar PUBLIC '-//BEA Systems, Inc.//DTD WebLogic 6.0.0 EJB//EN' 'http://www.bea.com/servers/wls600/dtd/weblogic-ejb-jar.dtd'>
<weblogic-ejb-jar>
  <weblogic-enterprise-bean>
    <ejb-name>Tolower</ejb-name>
    <stateless-session-descriptor>
      <pool>
        <max-beans-in-free-pool>100</max-beans-in-free-pool>
      </pool>
    </stateless-session-descriptor>
    <jndi-name>tuxedo.services.TOLOWERHome</jndi-name>
  </weblogic-enterprise-bean>
| <security-role-assignment>
|   <role-name>rdom2</role-name>
|   <principal-name>john</principal-name>
|   <principal-name>dan</principal-name>
| </security-role-assignment>
</weblogic-ejb-jar>
Copyright © 2001 BEA Systems, Inc. All rights reserved.