Administration Console Online Help


Local Tuxedo Access Points: Security


Use this page to define the security configuration of a local Tuxedo access point that will be used with this WTC Service.

Domain gateways can authenticate incoming connections requested by remote Tuxedo access points and outgoing connections requested by local Tuxedo access points. You define when security should be enforced for incoming connections from remote Tuxedo access points. Specify the level of security used by a particular local Tuxedo access point by setting the SECURITY attribute. Data encryption can be used to prevent network-based eavesdroppers from accessing the content of messages or application-generated messages flowing from local Tuxedo access points to remote Tuxedo access points. Configure this security mechanism by setting the MINENCRYPTBITS and MAXENCRYPTBITS attributes.

Configuration Options

Name Description
Security

The type of application security enforced.

The types of security are:

  • NONE: No security is used.

  • APP_PW: Password security is enforced when a connection is established from a remote domain. The application password is defined in the WTCResourcesMBean.

  • DM_PW: Domain password security is enforced when a connection is established from a remote domain. The domain password is defined in the WTCPasswordsMBean.

MBean Attribute:
WTCLocalTuxDomMBean.Security

Secure value: DM_PW

Min Encryption Level

The minimum encryption key length (in bits) this local Tuxedo access point uses when establishing a session connection. A value of 0 indicates no encryption is used.

Value Restrictions:

  • The MinEncryptBits value must be less than or equal to the MaxEncryptBits value.

  • A MinEncryptBits value of 40 can be used only with domains running Tuxedo 7.1 or higher.

MBean Attribute:
WTCLocalTuxDomMBean.MinEncryptBits

Secure value: 40

Max Encryption Level

The maximum encryption key length (in bits) this local Tuxedo access point uses when establishing a session connection. A value of 0 indicates no encryption is used.

Value Restrictions:

  • The MaxEncryptBits value must be greater than or equal to the MinEncryptBits value.

  • A MaxEncryptBits value of 40 can be used only with domains running Tuxedo 7.1 or higher.

MBean Attribute:
WTCLocalTuxDomMBean.MaxEncryptBits

Secure value: 128

Use SSL

Specifies if the connection initiated or accepted by this Local Tuxedo access point uses SSL on top of its transport layer. Values are:

  • Off: SSL not used.

  • TwoWay: Mutual Authentication with SSL required.

  • OneWay: Server Authentication with SSL required.

Note: If SDP transport is configured for this access point, the configured value of this attribute is ignored and Off is used.

MBean Attribute:
WTCLocalTuxDomMBean.UseSSL

Private Key Alias

The string alias used to store and retrieve the Local Tuxedo access point's private key in the keystore. This private key is associated with the Local Tuxedo access point's digital certificate.

MBean Attribute:
WTCLocalTuxDomMBean.PrivateKeyAlias

Private Key PassPhrase

The passphrase used to retrieve the server's private key from the keystore. This passphrase is assigned to the private key when it is generated.

When you get the value of this attribute, WebLogic Server does the following:

  1. Retrieves the value of the PrivateKeyPassPhraseEncrypted attribute.

  2. Decrypts the value and returns the unencrypted passphrase as a String.

When you set the value of this attribute, WebLogic Server does the following:

  1. Encrypts the value.

  2. Sets the value of the PrivateKeyPassPhraseEncrypted attribute to the encrypted value.

Using this attribute (PrivateKeyPassPhrase) is a potential security risk because the String object (which contains the unencrypted passphrase) remains in the JVM's memory until garbage collection removes it and the memory is reallocated. Depending on how memory is allocated in the JVM, a significant amount of time could pass before this unencrypted data is removed from memory.

Instead of using this attribute, use getPrivateKeyPassPhraseEncrypted.

MBean Attribute:
WTCLocalTuxDomMBean.PrivateKeyPassPhrase

Changes take effect after you redeploy the module or restart the server.

KeyStores Location

Provides the configuration rule used to find the Local Access Point's identity key store and trust key store. In plain text, it contains information on where the identity key store and trust key store are configured. When KeystoresLocation is configured with WLS Store, WTC uses configuration information from the WLS Key Stores configuration. Otherwise, it uses the key stores information configured in the Local Access Point.

MBean Attribute:
WTCLocalTuxDomMBean.KeystoresLocation

Changes take effect after you redeploy the module or restart the server.

Custom Identity KeyStore File Name

The path and file name of the identity keystore. The path name can be either absolute or relative to where the server was booted. The identity key store file name is only used if KeystoresLocation is Custom Stores.

MBean Attribute:
WTCLocalTuxDomMBean.IdentityKeystoreFileName

Changes take effect after you redeploy the module or restart the server.

Custom Identity KeyStore PassPhrase

The custom identity keystore's passphrase. If empty or null, then the keystore will be opened without a passphrase.

This attribute is only used if KeyStores is "Custom Stores".

When you get the value of this attribute, WebLogic Server does the following:

  1. Retrieves the value of the IdentityKeyStorePassPhraseEncrypted attribute.

  2. Decrypts the value and returns the unencrypted password as a String.

When you set the value of this attribute, WebLogic Server does the following:

  1. Encrypts the value.

  2. Sets the value of the CustomIdentityKeyStorePassPhraseEncrypted attribute to the encrypted value.

Using this attribute (CustomIdentityKeyStorePassPhrase) is a potential security risk because the String object (which contains the unencrypted password) remains in the JVM's memory until garbage collection removes it and the memory is reallocated. Depending on how memory is allocated in the JVM, a significant amount of time could pass before this unencrypted data is removed from memory.

Instead of using this attribute, use CustomIdentityKeyStorePassPhraseEncrypted.

MBean Attribute:
WTCLocalTuxDomMBean.IdentityKeyStorePassPhrase

Changes take effect after you redeploy the module or restart the server.

Custom Trust KeyStore File Name

The path and file name of the trust keystore.

The path name must either be absolute or relative to where the server was booted. This file name is only used if KeyStores is "Custom Stores".

MBean Attribute:
WTCLocalTuxDomMBean.TrustKeyStoreFileName

Custom Trust KeyStore PassPhrase

The trust keystore's passphrase. If empty or null, then the keystore will be opened without a passphrase.

This attribute is only used if KeyStores is "Custom Stores".

When you get the value of this attribute, WebLogic Server does the following:

  1. Retrieves the value of the TrustKeyStorePassPhraseEncrypted attribute.

  2. Decrypts the value and returns the unencrypted password as a String.

When you set the value of this attribute, WebLogic Server does the following:

  1. Encrypts the value.

  2. Sets the value of the TrustKeyStorePassPhraseEncrypted attribute to the encrypted value.

Using this attribute (TrustKeyStorePassPhrase) is a potential security risk because the String object (which contains the unencrypted password) remains in the JVM's memory until garbage collection removes it and the memory is reallocated. Depending on how memory is allocated in the JVM, a significant amount of time could pass before this unencrypted data is removed from memory.

Instead of using this attribute, use TrustKeyStorePassPhraseEncrypted.

MBean Attribute:
WTCLocalTuxDomMBean.TrustKeyStorePassPhrase

Changes take effect after you redeploy the module or restart the server.
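
The value restrictions, secure values and the SDP note above can be checked together before a configuration is deployed. The following Python audit is an added example, not part of the product or of this help page; the dictionary keys are the MBean attribute names listed above, while audit_access_point() and both sample configurations are constructed, and the PrivateKeyAlias check is an assumption.

```python
# Added example (not Oracle code): offline audit of one access point's
# security attributes. Keys are the MBean attribute names on this page;
# audit_access_point() and both sample configurations are constructed.
MIN_SECURE, MAX_SECURE = 40, 128  # the "Secure value" entries on this page
SECURITY_TYPES = {"NONE", "APP_PW", "DM_PW"}
SSL_MODES = {"Off", "TwoWay", "OneWay"}


def audit_access_point(cfg, sdp_transport=False):
    """Return a list of findings for one local Tuxedo access point."""
    out = []
    security, use_ssl = cfg["Security"], cfg["UseSSL"]
    lo, hi = int(cfg["MinEncryptBits"]), int(cfg["MaxEncryptBits"])

    if security not in SECURITY_TYPES:
        out.append("Security: unknown type %r" % security)
    elif security != "DM_PW":
        out.append("Security: %s is not the secure value DM_PW" % security)

    if lo > hi:  # value restriction stated for both attributes
        out.append("MinEncryptBits is greater than MaxEncryptBits")
    if lo < MIN_SECURE:  # 0 means no encryption is used
        out.append("MinEncryptBits: %d is below %d" % (lo, MIN_SECURE))
    if hi < MAX_SECURE:
        out.append("MaxEncryptBits: %d is below %d" % (hi, MAX_SECURE))

    if use_ssl not in SSL_MODES:
        out.append("UseSSL: unknown value %r" % use_ssl)
    elif use_ssl != "Off" and sdp_transport:
        out.append("UseSSL: %s is ignored under SDP, Off is used" % use_ssl)
    elif use_ssl != "Off" and not cfg.get("PrivateKeyAlias"):
        # Assumption: an SSL-enabled access point needs a private key alias.
        out.append("UseSSL: %s set but PrivateKeyAlias is empty" % use_ssl)

    if cfg.get("KeystoresLocation") == "Custom Stores":
        for name in ("IdentityKeystoreFileName", "TrustKeyStoreFileName"):
            if not cfg.get(name):
                out.append("%s is empty with Custom Stores selected" % name)
    return out


# Constructed sample configurations.
WEAK = {"Security": "NONE", "MinEncryptBits": 0, "MaxEncryptBits": 40,
        "UseSSL": "TwoWay", "KeystoresLocation": "Custom Stores"}
PAGE_SECURE = {"Security": "DM_PW", "MinEncryptBits": 40,
               "MaxEncryptBits": 128, "UseSSL": "Off"}

if __name__ == "__main__":
    for finding in audit_access_point(WEAK):
        print(finding)
```

MIN_SECURE and MAX_SECURE hold the secure values stated on this page; a stricter site policy can raise MIN_SECURE without changing the checks.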
