1. Release Notes
  2. What’s New and Improved in Oracle Tuxedo (22.1.0.0.0)

2 What’s New and Improved in Oracle Tuxedo (22.1.0.0.0)

Oracle Tuxedo Release 22c (22.1.0.0.0) includes the following new major features and enhancements:

2.1 Security Enforcement

In this release, we introduce the following update of security capabilities to ensure that secure Tuxedo deployment by default.

See Also:

Parent topic: What’s New and Improved in Oracle Tuxedo (22.1.0.0.0)

2.1.1 Mandatory Security Setting

In Oracle Tuxedo Release 22c (22.1.0.0.0), the SECURITY parameter in the UBBCONFIG file is mandatory. If you set the value to NONE, a warning message appears in ULOG: CMDTUX_CAT:8423: WARN: Insecure option NONE is set for the SECURITY keyword. By setting TM_SECURITY_CONFIG to NONE, you indicate that the behavior in previous Tuxedo releases is desired: The SECURITY parameter is optional, and by default, it has the value NONE. No warning is reported to ULOG if the SECURITY value is NONE.

Parent topic: Security Enforcement

2.1.2 Link-Level Encryption

In this release, the LLE is disabled by default. Tuxedo client/server exits with an error, while detecting LLE in use instead of reporting a warning message in the User Log (ULOG). Setting the environment variable TM_ALLOW_NOTLS to Y allows you to enable LLE if you need it for some reason.

WARNING:

LLE is deprecated. Oracle recommends you to use SSL for securing your network links.

When using LLE, set the environment variable LLE_DEPRECATION_WARN_LEVEL to NONE or ONCE to suppress the warning message.

Parent topic: Security Enforcement

2.1.3 Secure Sockets Layer

The following components use TLS 1.2 at link level in the Oracle Tuxedo Release 22c (22.1.0.0.0) by default. The following components fail if SSL is unspecified as a command-line option:

  • Set CLOPT '-s' to start the WSL.
  • Set CLOPT '-s' to start the JSL.
  • Set CLOPT '-S' to start the ISL.
  • Set CLOPT '-s' to start the tlisten.

    BRIDGE fails to start if OPTIONS does not include the SSL setting in the UBBCONFIG file.
    GWTDOMAIN     fails to start if NWPROTOCOL does not include the SSL or SSL_ONE_WAY setting in the DMCONFIG.

    By default, Tuxedo acts as an SSL client or server using TLS 1.2. To enable Tuxedo components to accept TLS 1.0 or 1.1 connections, use the environment variable TM_TLS_FORCE_VER.

    The Oracle Tuxedo Release 22c (22.1.0.0.0) supports the following cipher suites by default:

    • TLS_RSA_WITH_AES_256_CBC_SHA256
    • TLS_RSA_WITH_AES_256_GCM_SHA384
    • TLS_RSA_WITH_AES_128_CBC_SHA256
    • TLS_RSA_WITH_AES_128_GCM_SHA256

You can use TM_CIPHERSUITES environment variable to specify permitted cipher suites.

The minimum key length of the public key algorithm RSA is 2048 by default . Tuxedo detects the key length when loading the key/certificate, and fails the load if the key length is smaller than 2048. To use a shorter key length, specify the minimum allowed key length in the environment variable TM_MIN_PUB_KEY_LENGTH.

TM_ALLOW_NOTLS can be set to Y to disable SSL/TLS connections for compatibility with the previous release. No encryption occurs at the link level if you set the min/max key length to (0,0).

Parent topic: Security Enforcement

2.1.4 JOLT Client

The JOLT Client uses the following to replace environment variables with Java properties.
  • The Jolt client must connect to the Jolt server using TLS 1.2 by default. You can set Java Property TM_ALLOW_NOTLS to Y to allow the Jolt client to connect to a server that uses LLE or without encryption.
  • You can use the TM_MIN_PUB_KEY_LENGTH Java property to specify the minimum allowed RSA key length. The default key length is 2048 if this property is not enabled.
  • You can use the bea.JOLT.tls.version Java property to set a JOLT Client TLS versions. The default protocol version is TLS1.2 if this property is not enabled.
  • You can use the bea.JOLT.tls.ciphersuites Java property to specify Client cipher suites explicitly. You can set the bea.JOLT.tls.ciphersuites Java property to specify Client cipher suites explicitly. Please use the following cipher suites instead of the default:
    • TLS_RSA_WITH_AES_256_CBC_SHA256
    • TLS_RSA_WITH_AES_256_GCM_SHA384
    • TLS_RSA_WITH_AES_128_CBC_SHA256
    • TLS_RSA_WITH_AES_128_GCM_SHA256

Parent topic: Security Enforcement

2.1.5 Supported Algorithms for Public Key Security

Oracle Tuxedo Release 22c (22.1.0.0.0) supports the following Public Key Security algorithms:
  • Symmetric Key Algorithms:
    1. Data Encryption Standard (DES)
    2. DES3
    3. RC2 (Rivest’s Cipher 2)
    4. RC5
  • Asymmetric Key Algorithms:
    1. Digital Signature Algorithm (DSA)
    2. Rivest, Shamir, and Adelman (RSA)
  • Message Digest Algorithms:
    1. Message Digest (MD5)
    2. Secure Hash Algorithm 1 (SHA1)

Note:

Oracle Tuxedo Release 22c (22.1.0.0.0) includes a few insecure algorithms that are disabled by default. To enable backward compatibility, set the environment variable TM_USE_OLD_CIPHER to Y for backward compatibility reasons.

See Also:

Public Key Security

Parent topic: Security Enforcement

2.1.6 Default Use of TLS 1.2 with XAUTHSVR

In the Oracle Tuxedo Release 22c (22.1.0.0.0), XAUTHSVR uses SSL/TLS protocol to connect to LDAP servers. The default cipher-suites are set to AES256-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES128-GCM-SHA256. The default TLS version is set to 1.2.

To modify the protocol, configure the TLS_OPTIONS within the OpenLDAP client using a configuration file or an environment variable. For more information, see OpenLDAP Configurations.

See Also:

Setting up the XAUTHSVR Server Configuration File

Parent topic: Security Enforcement

2.1.6.1 Configure XAUTHSVR with WebLogic Server (WLS) 14.1.1
GAUTHSVR is desupported in this release, an alternative is to use XAUTHSVR. Ensure that there is no existing GAUTHSVR configuration in the UBBCONFIG file, then follow the steps to configure XAUTHSVR with WLS (LDAP).
Setting Up the XAUTHSVR Server Configuration File
  1. Open UBBCONFIG file with a text editor.
  2. In REASOURCES section, perform the following:
    1. Set the SECURITY parameter to one of these values: USER_AUTH or AUTHSVC.
    2. Set the OPTIONS parameter to EXT_AA.
    3. Perform the following:
    1. If the SECURITY parameter is set to USER_AUTH, set AUTHSVC to AUTHSVC, which is the service name advertised by the XAUTHSVR server.
  3. Set up A -f <fullpath-to-tpxauth>/tpxauth in the SERVERS section.
    Following is the content of configuration in the tpxauth file: 
    FILE_VERSION 1
LDAP_VERSION 3
BINDDN cn=Admin
BASE ou=people,ou=myrealm,dc=mydomain     <- BaseDN for WLS embedded LDAP. It might be changed according to WLS domain settings
LDAP_ADDR //<hostname or IP address>:<port>      <- WLS server listen address
UID_KW uid
MEMBEROF_KW ismemberof
PWD_KW userPassWord
  4. Encrypt the password in the tpxauth file:
    tploadconf -f tpxauth
  5. Enter password twice for the WLS LDAP BINDDN.
  6. Set the environment variable XAUTH_UID_DN_SUFFIX
    1. Set the ",<BASE>" environment variable. Here, the BASE is the base DN defined in the tpxauth.
      export XAUTH_UID_DN_SUFFIX=",ou=people,ou=myrealm,dc=mydomain"
  7. Set tmloadcf to Y to load the configuration. The tmloadcf command parses UBBCONFIG and loads the binary TUXCONFIG file to the location referenced by the TUXCONFIG variable and enter the password twice to access the application.
  8. tmboot begins the Tuxedo application after passing the ENCRYPTION_REQUIRED=Y parameter.

2.2 Tuxedo Application Leverage Oracle Database Application Continuity

Application Continuity in Oracle Real Application Clusters (RAC), Oracle RAC One Node, and Oracle Active Data Guard hides outages from end users and applications by restoring the in-flight database sessions following recoverable outages. Application Continuity masks outages from end users and applications by recovering the in-flight work for impacted database sessions following outages. Application Continuity performs this recovery beneath the application so that the outage appears to the application as a slightly delayed execution. AC (Application Continuity) was introduced in Oracle DB 12.2. Starting with Oracle Database 19c, Transparent Application Continuity (TAC) transparently tracks and records session and transactional state so the database session can be recovered following recoverable outages. This is accomplished by not requiring application knowledge or application code changes, allowing Transparent Application Continuity to be enabled for your applications.

See Also:

Application Continuity
You have multiple ways to connect Oracle database in a Tuxedo server such as:
  • XA connection

    You can invoke tpopen() parameter to create an XA connection to Oracle database.

  • Oracle Call Interface (OCI) connection

    You can use OCI APIs for connecting to Oracle database.

  • Oracle Pro*C connection

    You can use EXEC SQL CONNECT parameter for connecting to Oracle database.

Tuxedo applications utilize the AC feature with only OCI connection. Ensure that you have OCI 12.2. or higher version for AC support and similarly for TAC support.

How to use the AC feature

Follow the steps to configure to use the Application Continuity:

  1. When AC is enabled on the Oracle Database side, and a Tuxedo server uses OCI APIs to connect to the Oracle Database explicitly, You can indicate whether or not to declare the database request boundary to enable the application continuity feature. You can set the following parameter in the corresponding SERVERS section in Tuxedo UBBCONFIG:
    ORAREQBOUNDARY = {Y | N}
    The default is N.This attribute can also be specified in T_SERVER class through TM_MIB as shown in the following table:
    Attribute Type Permissions Values Default
    TA_ORAREQBOUNDARY string rw-r--r- {Y|N} "N"
  2. When TAC is enabled at the Oracle Database side, and a Tuxedo server uses OCI APIs to connect to the Oracle Database explicitly, the Tuxedo server utilizes the AC feature no matter whether ORAREQBOUNDARY is configured or not, or to any value.

Benefits of Using the AC feature

When the Tuxedo application leverages Oracle Database AC, the Tuxedo server does not have to explicitly call OCI APIs to re-connect to the Oracle Database upon active node failure; instead of, DB connections re-initiate and automatically replay DB APIs, resulting in successful OCI calls.

Tip:

To leverage Tuxedo enhancements when interacting with Oracle Database using OCI APIs, ensure that you are following the steps:
  1. Copy $TUXDIR/libs/tuxociucb.so.1.0 to $ORACLE_HOME/lib/ and set the environment variable ORA_OCI_UCBPKG to: export ORA_OCI_UCBPKG=tuxociucb.
  2. Enter the following to Tuxedo Server CLOPT in UBBCONFIG: 
    -L libclntsh.so -F noECID

Parent topic: What’s New and Improved in Oracle Tuxedo (22.1.0.0.0)

2.3 Secure Use of SNMP

This release deprecates Oracle SNMP Agent Integrator. Oracle recommends you to not use it.

Oracle Tuxedo Release 22c (22.1.0.0.0) includes the following changes:
  • SNMP v1 and SNMP v2 are disabled
  • Default protocol for privacy protocol is changed to AES from DES.
    • Updates to arguments for snmpkey: 
      • -x privProtocol
        This flag indicates the protocols for generated keys. Default protocol is AES 128-bit CFB mode. Valid values are:
        • AES: Indicates AES 128-bit CFB mode.
        • DES: Indicates CBC-DES.
    • Updates to arguments for snmpget,snmpgetnext,snmptest,snmptrap,and snmpwalk: 
      • -x PrivProtocol

        This flag sets the privacy protocol (DES or AES) used for encrypted SNMPv3 messages. The default privProtocol is AES.

See Also:

Parent topic: What’s New and Improved in Oracle Tuxedo (22.1.0.0.0)

2.4 Tuxedo Server CLOPT -o and -e parameters support Tuxedo server and process IDs

By using the Tuxedo Server CLOPT -o and -e parameters, you can redirect stdout and stderr to specific files.

UBBCONFIG Server CLOPT -o and -e parameters support the following placeholders when the environment TM_STDOUTERR_EXT is set to Y: 
%SRVID%: Tuxedo server ID 
%PROCID% : process ID
For example: 
simpserv SRVGRP=GROUP1 SRVID=2341 MIN=2 MAX=2 CLOPT="-A -o mystdout.%SRVID% -e mystderr.%PROCID%.log"

The stdout file names appear to be mystdout.2341 and mystdout.2342 respectively, and the stderr file names appear to be mystderr.<pid>.log.

Parent topic: What’s New and Improved in Oracle Tuxedo (22.1.0.0.0)

2.5 Other Updates in Oracle Tuxedo Release 22c (22.1.0.0.0)

Oracle Tuxedo Release 22c (22.1.0.0.0) includes the following:

  • The Tuxedo Java Server is now certified with the OpenJDK

Parent topic: What’s New and Improved in Oracle Tuxedo (22.1.0.0.0)