
2006 BEA Systems, Inc.

Tuxedo Application Security
Administration
At the end of this module, you will be able to:
Configure and implement the basic security features
Perform administration security tasks for defining
ACL entries, groups, and users
Configure support for Link-Level Encryption (LLE)
Understand the capabilities of public key encryption
and custom auditing
Module 8
Road Map
1. Tuxedo Security Configurations
Tuxedo Security Capabilities
The Basic Tuxedo Security Model
Configuring Basic Authentication and Authorization
2. Tuxedo Security Administration
3. Link-Level Encryption (LLE)
4. Additional Security Features
Tuxedo Security Capabilities
The BEA Tuxedo system offers the following ATMI
security features:
Authentication
Authorization
Auditing
Link-Level Encryption
Public key security
All of these can be configured by the application
administrator except auditing:
Default implementation logs messages to ULOG
Custom plug-in implementations are vendor-specific
The Basic Tuxedo Security Model
[Diagram: the client sends a service request plus credentials (client ID and password/s) to BEA Tuxedo Security, which performs the client credentials check (client authentication). The server (service) acts as a privileged agent and performs the service on behalf of the client. Access to the database is performed under Tuxedo's user ID with database access privileges.]
Configuring Default Authentication and
Authorization
The Basic Tuxedo security model provides for
Authentication and Authorization at four levels:
1. Native Operating System Security
2. Application-wide Password
3. Username/Password Authentication
4. Access Control List (ACL) Authorization
Each level is cumulative:
For example, configuring ACL authorization will still
cause all three lower levels to be applied.
1. Native Operating System Security
Relying on native operating system security includes
these best practices:
Limit access to files and IPC resources to the application
administrator
Have trusted clients run with administrator permissions or
restrict access to workstation clients
In the RESOURCES section, setting SECURITY to
NONE is the default.


Setting Operating System Security in UBBCONFIG:
*RESOURCES
SECURITY NONE
UID 110
GID 5
PERM 0660
2. Application-wide Password
If SECURITY is set to APP_PW, the administrator will
be prompted for the password when using tmloadcf.
This password must be supplied by all client programs
when joining this application/domain.
Password is the same for all clients
Applies to remote and native clients
Client applications must be programmed to determine
the current password then provide it when connecting.


Setting Application-wide Password Security in UBBCONFIG:
*RESOURCES
...
SECURITY APP_PW
...
Password will be limited
to 30 characters.
3. Username/Password Authentication
Setting SECURITY to USER_AUTH will require the
deployment of an authentication server.
tmloadcf will still prompt for an application password
Tuxedo provides a default AUTHSVR which provides
the AUTHSVC service for user authentication.
Additional administration is required to create a file (tpusr)
containing usernames and passwords.
Setting Username/Password Security in UBBCONFIG:
*RESOURCES
SECURITY USER_AUTH
AUTHSVC AUTHSVC
...
*SERVERS
AUTHSVR SRVGRP=SYSGRP SRVID=120
Specify AUTHSVC as the
authentication service to be used
AUTHSVC is advertised
by AUTHSVR
4. Access Control List Authorization
Setting SECURITY to ACL (or MANDATORY_ACL)
provides for service-level authorization checks.
tmloadcf will still prompt for an application password
The default AUTHSVR also provides the ..AUTHSVC
service for ACL authorizations.
Additional administration is required to create files
containing groups (tpgrp) and ACL restrictions (tpacl).
Setting ACL Authorization Security in UBBCONFIG:
*RESOURCES
SECURITY ACL
AUTHSVC ..AUTHSVC
...
*SERVERS
AUTHSVR SRVGRP=SYSGRP SRVID=120
Specify ..AUTHSVC as the authentication
and authorization service to be used
..AUTHSVC is also
advertised by AUTHSVR
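The four configuration slides above can be checked mechanically. The following is an added example, not part of the course material: it parses a UBBCONFIG fragment and reports settings that do not match the levels described. The sample file and the names TOUPPERSVR and APPGRP are constructed.

```python
# Added example: constructed UBBCONFIG fragment, not from a real deployment.
SAMPLE_UBB = """\
*RESOURCES
SECURITY  ACL
AUTHSVC   AUTHSVC      # wrong service name for the ACL level
UID       110
GID       5
PERM      0666
*SERVERS
TOUPPERSVR SRVGRP=APPGRP SRVID=1
"""

# AUTHSVC value that each SECURITY level expects, as given on the slides.
EXPECTED_AUTHSVC = {"USER_AUTH": "AUTHSVC",
                    "ACL": "..AUTHSVC", "MANDATORY_ACL": "..AUTHSVC"}

def parse_ubb(text):
    """Return ({RESOURCES parameter: value}, [names listed in *SERVERS])."""
    resources, servers, section = {}, [], None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()        # drop comments
        if not line:
            continue
        if line.startswith("*"):                   # section header
            section = line[1:].upper()
        elif section == "RESOURCES" and len(line.split()) >= 2:
            key, value = line.split()[:2]
            resources[key.upper()] = value.strip('"')
        elif section == "SERVERS" and not raw[0].isspace():
            servers.append(line.split()[0])        # indented lines continue an entry
    return resources, servers

def audit_ubb(text):
    """Return findings for the security settings discussed in this module."""
    res, servers = parse_ubb(text)
    findings = []
    level = res.get("SECURITY", "NONE")            # NONE is the default
    if level == "NONE":
        findings.append("SECURITY NONE: only OS permissions protect the application")
    want = EXPECTED_AUTHSVC.get(level)
    if want and res.get("AUTHSVC") != want:
        findings.append(f"SECURITY {level} expects AUTHSVC {want}, "
                        f"found {res.get('AUTHSVC')}")
    if want and "AUTHSVR" not in servers:
        findings.append(f"SECURITY {level} needs AUTHSVR in *SERVERS")
    if "PERM" in res and int(res["PERM"], 8) & 0o007:
        findings.append(f"PERM {res['PERM']} grants IPC access to 'other' users")
    return findings

if __name__ == "__main__":
    for finding in audit_ubb(SAMPLE_UBB):
        print("FINDING:", finding)
```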
Section Review
In this section, we learned how to:
Identify the Tuxedo security features and the basic
security model
Configure support for default authentication and
authorization
Road Map
1. Tuxedo Security Configurations
2. Tuxedo Security Administration
Tuxedo Security Tasks
Defining Access Control Lists (ACLs)
Adding Users and Groups
3. Link-Level Encryption (LLE)
4. Additional Security Features
Security Administration Tasks
We will now review all the additional tasks associated
with the most restrictive level, ACL Authorization.
Lower levels require only a subset of these tasks.
We still need to be concerned with:
Operating system security best practices
Implementing an application-wide password
Providing for a password rotation and distribution scheme
With ACL Authorization, we can choose two
SECURITY settings:
ACL: Access restricted only to ACL entries
MANDATORY_ACL: Access restricted to all resources
Access Control Lists (ACLs)
Provides group-based access control to application
entities (services, events, and /Q queues)
Access control is administered at the group level to
provide
Easier system administration
Increased performance
Limitations of ACLs:
A user can only be associated with one group at a time
User identification aging is not supported
User, Group, and ACL Files
Three files are used for Tuxedo application security
administration.
tpusr: Lists all user information including encrypted
passwords
tpgrp: Lists all groups with associated group IDs
tpacl: Lists all entities with related group access
restrictions
These files are similar in format to the UNIX
/etc/passwd and /etc/group files.
Multiple values per line, separated by a colon (:)
Flat ASCII files
Readable only by application administrator
They are created in the associated APPDIR.
Adding ACL Entries with tpacladd
Use the tpacladd utility to create or append the
tpacl file containing access control
information.
Syntax:
tpacladd [-g gid[,gid]] [-t type] name
Options    Description
-g gid     A list of one or more existing group IDs or group names. If
           not defined, this entry is added with no group access.
-t type    The type of ACL entry. Must be ENQ, DEQ, SERVICE, or
           POSTEVENT. (Default is SERVICE)
name       A valid string that represents a SERVICE, /Q Queue, or
           EVENT.
Adding, Deleting, and Modifying Entries
Adding a new ACL entry with tpacladd:
> tpacladd -g 5,101,Teller -t SERVICE INQ
tpaclmod Syntax:
tpaclmod [-g gid[,gid]][-t type] NAME
Modifying an existing entry with tpaclmod:
> tpaclmod -g 101,Teller -t SERVICE INQ
Deleting an ACL entry with tpacldel:
> tpacldel -t SERVICE INQ
The tpacl file can also be edited with tpaclmod
and tpacldel.
Adding Groups with tpgrpadd
Use the tpgrpadd utility to create or append the
tpgrp file containing group definitions.
Syntax:
tpgrpadd [-g gid] grpname
Options    Description
-g gid     If not specified, the group identification number defaults to
           the next available (unique) identifier greater than 0.
grpname    A string of printable characters that specifies the unique
           name of this group. (#,:\n) are not allowed.
Adding, Deleting, and Modifying Groups
Adding a new group with tpgrpadd:
> tpgrpadd -g 17 Students
tpgrpmod Syntax:
tpgrpmod [-g gid][-n new_name] GRPNAME
Modifying an existing group with tpgrpmod:
> tpgrpmod -g 11 -n TuxStudents Students
Deleting a group with tpgrpdel:
> tpgrpdel TuxStudents
The tpgrp file can also be edited with tpgrpmod
and tpgrpdel.
Adding Users with tpusradd
Use the tpusradd utility to create or append the
tpusr file containing authorized principals.
Syntax:
tpusradd [-u uid][-g gid][-c clnt_name] usrname
Options        Description
-u uid         If not specified, the user identification number defaults to
               the next available (unique) identifier greater than 0.
-g gid         Defines the new user's group membership. It defaults to the
               "default" group (GID 0).
-c clnt_name   If not specified, the default is the wildcard * which will
               authenticate successfully for any client name specified.
usrname        Specifies name of the principal. Must be unique within list of
               existing principals for the Tuxedo domain.
Adding, Deleting, and Modifying Users
Adding a new user with tpusradd:
> tpusradd -u 103 -g 5 -c Teller SallyJones
tpusrmod Syntax:
tpusrmod [-u uid][-g gid|grpname]
[-c clntname][-l new_usrname]
[-p] USRNAME
Modifying an existing user with tpusrmod:
> tpusrmod -g 7 -c LoanOfficer SallyJones
Deleting a user with tpusrdel:
> tpusrdel SallyJones
The tpusr file can also be edited with tpusrmod
and tpusrdel.
Example: Adding Groups, Users, ACLs
Example Security Administration Tasks:
> tmloadcf -y ubb.tux
> tpgrpadd -g 4 Beatles
> tpgrpadd -g 3 Presidents
> tpusradd -u 1 -g Beatles Paul
> tpusradd -u 2 -g 4 Ringo
> tpusradd -u 3 -g 4 George
> tpusradd -u 4 -g Beatles John
> tpusradd -u 40 -g 3 Ronald
> tpusradd -u 42 -g Presidents Bill
> tpusradd -u 43 -g 3 George
> tpacladd -g 3,4 -t SERVICE TOUPPER
> tpacladd -g Beatles GetMusic
> tpacladd -g Presidents GetCongress
Notes:
First create the TUXCONFIG file (tmloadcf).
Either group can access TOUPPER.
Only Beatles can access GetMusic.
Only Presidents can access GetCongress.
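The difference between the ACL and MANDATORY_ACL settings, and the effect of the entries created in this example, can be modelled in a few lines. This is an added example, not part of the course material: the data mirrors the slide, and the service names AdminSvc and GetReport are hypothetical additions used to show an entry with no groups and a service with no entry.

```python
# Added example: constructed model of the tpusr/tpacl data built on the slide.
# George is left out because the slide adds that name under both groups.
USER_GID = {"Paul": 4, "Ringo": 4, "John": 4,      # Beatles = GID 4
            "Ronald": 3, "Bill": 3}                # Presidents = GID 3
ACLS = {                                           # (type, name) -> allowed GIDs
    ("SERVICE", "TOUPPER"): {3, 4},
    ("SERVICE", "GetMusic"): {4},
    ("SERVICE", "GetCongress"): {3},
    ("SERVICE", "AdminSvc"): set(),                # hypothetical: added with no -g
}
# Hypothetical list of advertised services; GetReport has no ACL entry.
ADVERTISED = ["TOUPPER", "GetMusic", "GetCongress", "AdminSvc", "GetReport"]

def is_allowed(security, user, name, acl_type="SERVICE"):
    """Model the authorization decision for one request."""
    if security not in ("ACL", "MANDATORY_ACL"):
        raise ValueError("no ACL checking at SECURITY level " + security)
    if user not in USER_GID:                       # lower levels still apply:
        return False                               # unknown users fail authentication
    entry = ACLS.get((acl_type, name))
    if entry is None:                              # no tpacl entry for this name
        return security == "ACL"                   # ACL permits, MANDATORY_ACL denies
    return USER_GID[user] in entry                 # a user belongs to one group

def open_to_all(security, services=ADVERTISED):
    """Services any authenticated user can call because no ACL entry exists."""
    if security == "MANDATORY_ACL":
        return []
    return [s for s in services if ("SERVICE", s) not in ACLS]

if __name__ == "__main__":
    for level in ("ACL", "MANDATORY_ACL"):
        print(level, "open to all authenticated users:", open_to_all(level))
        for user in ("Paul", "Bill"):
            allowed = [s for s in ADVERTISED if is_allowed(level, user, s)]
            print("  ", user, "may call", allowed)
```

Under SECURITY ACL, the list returned by open_to_all is the set of services that still need a tpacladd entry before they are restricted.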
Changing the Application Password
tmadmin command: passwd
Prompts the Tuxedo system administrator for
the new password
Verifies new password with a second prompt to
re-enter the new password.

Changing Application Password with tmadmin:
tmadmin
> passwd
Enter Application Password: *****
Re-enter Application Password: *****
>
Section Review
In this section, we learned how to:
Manage Access Control List (ACL) entries
Use the Tuxedo utilities for editing users and groups
Make a dynamic change to the application password
Road Map
1. Tuxedo Security Configurations
2. Tuxedo Security Administration
3. Link-Level Encryption (LLE)
Connection Types Supported
Configuring LLE Between Machines
Configuring LLE Between WSC and WSH
4. Additional Security Features
Link-Level Encryption (LLE)
Allows for encryption of data transferred over BEA
Tuxedo network links
LLE ensures confidentiality from eavesdroppers.
LLE is point-to-point, that is, data is encrypted every
time it flows over network links.
With Tuxedo 6.5 and 7.1 releases, LLE is a separately
licensed add-on product.
In Tuxedo 8.0, 8.1 and 9.0, LLE usage is included with
the Tuxedo product license.
Connection Types Supported
[Diagram: Standard Tuxedo Link-Level Encryption between a WSC, a WSH, and a server. LLE encrypts all data between a WSC and WSH.]
Data encryption can be enabled for:
Machine to Machine (BRIDGE to BRIDGE)
/WS workstation client to WorkStation Handler (WSH)
tmboot to tlisten
Domain Gateway to Domain Gateway
LLE Between Machines
Connecting process attempts to set up the
communication session; accepting process receives the
initial connection.
Connecting process negotiates encryption level for the
link based on two configured parameters in the
*NETWORK section:
MINENCRYPTBITS:
Minimum encryption level - (0, 56, or 128 bit key size)
MAXENCRYPTBITS:
Maximum encryption level - (0, 56, or 128 bit key size)
LLE Between WSL and /WS Client
By default, all Workstation Clients will be using 128-bit
LLE when connecting to the WSH.
Default MINs for both WSL and WSCs: 0
Default MAXs for both WSL and WSCs: 128
WSL CLOPT option    Description
-z [0|40|56|128]    Minimum level of encryption when establishing a
                    network link between the WSC and WSH.
-Z [0|40|56|128]    Maximum level of encryption when establishing a
                    network link between the WSC and WSH.

ENV VAR             Description
TMMINENCRYPTBITS    Minimum number of encryption bits permitted for
                    establishing server connections.
TMMAXENCRYPTBITS    Maximum number of encryption bits permitted for
                    establishing server connections.
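The minimum and maximum settings on the two LLE slides above interact during negotiation. This is an added example, not part of the course material, and it is a simplified model: it assumes the two endpoints agree on the largest key size both allow and that the link fails when that size is below either side's minimum, a rule the slides do not spell out. Key sizes are limited to the three values listed for MINENCRYPTBITS and MAXENCRYPTBITS.

```python
# Added example: simplified model of LLE negotiation between two endpoints.
VALID_BITS = (0, 56, 128)          # key sizes listed for MIN/MAXENCRYPTBITS

def negotiate(a_min, a_max, b_min, b_max):
    """Return the agreed key size in bits, or None if no link can be set up.

    Assumed rule: pick the largest size both sides allow; fail if that is
    below either side's minimum.
    """
    for bits in (a_min, a_max, b_min, b_max):
        if bits not in VALID_BITS:
            raise ValueError(f"unsupported key size: {bits}")
    if a_min > a_max or b_min > b_max:
        raise ValueError("minimum exceeds maximum")
    agreed = min(a_max, b_max)
    return agreed if agreed >= max(a_min, b_min) else None

def weakest_outcome(local_min, local_max):
    """Lowest key size any peer configuration could negotiate with this side."""
    results = [negotiate(local_min, local_max, p_min, p_max)
               for p_min in VALID_BITS for p_max in VALID_BITS if p_min <= p_max]
    return min(r for r in results if r is not None)

if __name__ == "__main__":
    # Defaults from the slide: minimum 0, maximum 128 on both sides.
    print("default vs default:", negotiate(0, 128, 0, 128))
    print("default vs peer capped at 0:", negotiate(0, 128, 0, 0))
    print("min 128 vs peer capped at 56:", negotiate(128, 128, 0, 56))
    for local_min in VALID_BITS:
        print(f"min={local_min} max=128 -> weakest link:", weakest_outcome(local_min, 128))
```

With the default minimum of 0, the weakest outcome is an unencrypted link, so raising the minimum is what enforces encryption on a link.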
Section Review
In this section, we learned how to:
Use Link-Level Encryption (LLE)
Configure LLE for machines
Configure LLE for Workstation Clients
Road Map
1. Tuxedo Security Configurations
2. Tuxedo Security Administration
3. Link-Level Encryption (LLE)
4. Additional Security Features
Message-Based Digital Signatures
Message-Based Encryption
BEA Tuxedo Auditing Features
The Extended Tuxedo Security Model
Message-based digital signature and encryption is based on
public keys:
Authenticates originating user; verifies message integrity; message timestamp
for replay resistance; end-to-end, time-independent verification
Message Digest Algorithm support includes MD5, SHA-1 and others
Tuxedo supports any digital signature algorithms provided by
underlying plug-ins to include:
RSA, ElGamal, Rabin, and Digital Signature Algorithm (DSA)
Public Key security supports these three symmetric key
algorithms:
DES-CBC (Data Encryption Standard for Cipher Block Chaining)
Two-key triple-DES (Data Encryption Standard)
RC2 (Rivest's Cipher 2)
Note: Extended security features are not available in Tuxedo version 6.5.
Using Extended Security
Tuxedo provides the
API for application developers to sign and/or encrypt request
(data) buffer before making a service request
Service Provider Interface (SPI) for security package vendors
to integrate with Tuxedo
To use these features, a third-party security plug-in package
is needed.
The embedded software for message-based encryption
and digital signatures cannot be used without a separate
license.
For more information, refer to the on-line security
documentation at:
http://e-docs.bea.com/tuxedo/tux90/sec/secovr.htm
Auditing Plug-in Architecture
BEA Tuxedo provides for default auditing and
custom auditing implementations.
Auditing plug-ins work by using:
Auditing decisions based partly on user identity which is
stored in an auditing token.
A fan-out architecture to allow for one or more custom
auditing plug-ins.
Both pre-operation and post-operation audits
Plug-ins are chosen by configuring the BEA Tuxedo
registry.
No configuration is needed to use the default auditing
plug-in.
Default Auditing
The default auditing implementation:
Consists of the System Event Broker and the ULOG (only
security violations are reported by these utilities).
Does not support pre-operation audits.
Is called by any server-side ATMI process.
Examines the client's auditing token along with the
security violation delivered in the post-operation audit
request.
Example of default security audit entry in ULOG:
WARN: AUDIT_POSTOP SECURITY FAILURE: who = customer2,
operation_name = SERVICE CALL, operation_target = GETAPPKEY
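Entries in this format can be collected from the ULOG to see who is being denied and on what. This is an added example, not part of the course material: the sample lines are constructed, the line prefix (time, host, process) is an assumed layout, and only the message text after it follows the entry shown on the slide. The user customer7 and the threshold of three targets are illustrative choices.

```python
import re
from collections import defaultdict

# Constructed sample ULOG lines (prefix layout assumed; message text as on the slide).
SAMPLE_ULOG = """\
101501.host1!server1.2101.1.0: WARN: AUDIT_POSTOP SECURITY FAILURE: who = customer2, operation_name = SERVICE CALL, operation_target = GETAPPKEY
101502.host1!server1.2101.1.0: WARN: AUDIT_POSTOP SECURITY FAILURE: who = customer2, operation_name = SERVICE CALL, operation_target = GetMusic
101502.host1!server1.2101.1.0: INFO: unrelated message
101503.host1!server1.2101.1.0: WARN: AUDIT_POSTOP SECURITY FAILURE: who = customer2, operation_name = SERVICE CALL, operation_target = GetCongress
101510.host1!server1.2101.1.0: WARN: AUDIT_POSTOP SECURITY FAILURE: who = customer7, operation_name = SERVICE CALL, operation_target = TOUPPER
101511.host1!server1.2101.1.0: WARN: AUDIT_POSTOP SECURITY FAILURE: who = customer7, operation_name = SERVICE CALL, operation_target = TOUPPER
"""

AUDIT_RE = re.compile(
    r"AUDIT_POSTOP SECURITY FAILURE:\s*who\s*=\s*(?P<who>[^,]+?)\s*,"
    r"\s*operation_name\s*=\s*(?P<operation>[^,]+?)\s*,"
    r"\s*operation_target\s*=\s*(?P<target>\S+)")

def parse_audit(line):
    """Return who/operation/target for a default audit entry, else None."""
    match = AUDIT_RE.search(line)
    return match.groupdict() if match else None

def denied_targets(lines):
    """Map each user to the set of (operation, target) pairs that were denied."""
    seen = defaultdict(set)
    for line in lines:
        record = parse_audit(line)
        if record:
            seen[record["who"]].add((record["operation"], record["target"]))
    return dict(seen)

def probing_users(lines, min_targets=3):
    """Users denied on at least min_targets distinct targets."""
    return sorted(user for user, targets in denied_targets(lines).items()
                  if len(targets) >= min_targets)

if __name__ == "__main__":
    lines = SAMPLE_ULOG.splitlines()
    for user, targets in denied_targets(lines).items():
        print(user, "denied on", sorted(t for _, t in targets))
    print("denied on 3+ distinct targets:", probing_users(lines))
```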
Section Review
In this section, we learned how to:
Understand the extended security features in Tuxedo
Identify the functionality of the default auditing
implementation
Lab Exercise
For details on the exercise, refer to the Lab Guide.
If questions arise, ask the instructor.
The instructor will determine the stop time.
Lab 09 SECU: Configure and Test Tuxedo
Application Security
Module Review
In this module, we learned how to:
Configure and implement the basic security features
Perform administration security tasks for defining ACL
entries, groups, and users
Configure support for Link-Level Encryption (LLE)
Understand the capabilities of public key encryption and
custom auditing