Copyright © TIBCO Software Inc. All Rights Reserved


Chapter 12 Implementing External Security: Overview

Overview
Intended Audience
This chapter of the manual is meant for security administrators who are fully aware of the operational requirements for their security environment, including the interfaces to the security packages in use at their sites.
When Does TIBCO Object Service Broker Use External Security?
TIBCO Object Service Broker uses external security to control access to the Data Object Broker. This includes the use of the S6BTLADM/hrntladm (Administration Menu) utility, some operator commands, and some utilities. Refer to Defining Data Object Broker Access for more information.
TIBCO Object Service Broker always uses external security when the audit log generated by TIBCO Object Service Broker security is being archived. Refer to Chapter 9, Archiving the Audit Log Data for more information.
Your TIBCO Object Service Broker system can also be set up to use external security to verify user ID login. This security is in effect at your Execution Environment and session level. Refer to Defining User Validation for more information.
How Does TIBCO Object Service Broker Invoke External Security for Logins?
In TIBCO Object Service Broker, you can set up your processing environment to pass control from TIBCO Object Service Broker security to the native security for your operating environment or an external security provider of your choice. As described in Chapter 2, Security Clearances, setting the SECURITY Execution Environment parameter to EXTERNAL initiates external security processing. If the parameter is set to MIXED, first TIBCO Object Service Broker security is checked and then, if the access does not pass validation, external security processing is initiated.
What is the Default Implementation?
The default implementation supplied with TIBCO Object Service Broker is SECURITY=INTERNAL. This means that only TIBCO Object Service Broker security is used for user ID login verification.
Effects on Data Accesses to Peer TIBCO Object Service Broker Nodes
If SECURITY=EXTERNAL is specified, no additional security is required when a user accesses peer TIBCO Object Service Broker nodes. The two sites do not have to use the same external security package. If a login is successful at a local node with external security enabled, it is also successful at a remote node that has external security enabled.
What External Security Interfaces are Supported?
The following table lists the supported external security interfaces:
System Authorization Facility (SAF) interface: this interface is used by security packages such as RACF, CA-ACF2, and CA-Top Secret.
Generic Security Service (GSS) API: this interface is used by security packages such as Kerberos or Sesame, and by custom security exits.
Lightweight Directory Access Protocol (LDAP) API: this interface can be used to query centralized directory servers.
Reference Information
GSS API
X/Open Preliminary Specification: Generic Security Service API (GSS API)
RFC 1508: Generic Security Service Application Programming Interface
RFC 1509: Generic Security Service API: C-bindings
z/OS SAF interface
IBM RACF documentation or documentation for the external security package your site is using.
See Also
TIBCO Object Service Broker Application Administration about the security requirements for data accesses to peer nodes if TIBCO Object Service Broker security is in use.
TIBCO Object Service Broker for z/OS Installing and Operating or TIBCO Object Service Broker for Open Systems Installing and Operating about the Administration menu and operator commands.
TIBCO Object Service Broker Parameters about Execution Environment parameters.
