Copyright © TIBCO Software Inc. All Rights Reserved
The operating system and security interface environment you are working in determine what you must implement for user ID and password validation:
• Open Systems provide their own default security, which can be replaced by other security packages.

When external security is enabled, user validation is automatically provided through your external security package. Other than specifying SECURITY=EXTERNAL or MIXED as an Execution Environment parameter, no additional steps are required.
The use of External Security for User Validation in a Native Execution Environment requires that the S6BDR000 program be defined to the External Security package (e.g., CA-Top Secret or CA-ACF2) with a multi-user address space attribute. In CA-Top Secret this is accomplished via the Multi User Single Address Space Subsystem (MUSASS) option and in CA-ACF2 via the Master Facility option.

Windows systems can validate user IDs locally or through a domain. If your environment is using domain security, TIBCO Object Service Broker uses the osee.exe process to determine the name of the domain to be queried.

Solaris uses the getspnam() function to return a user ID and password for comparison with the values supplied by a user. The encrypted passwords for users are stored in a shadow file (/etc/shadow). (Both the getspnam() function and the shadow file must be accessible to a super-user.) The calling program, hrnsecur, must therefore have an effective user ID of the super-user to obtain a secured encrypted password. To set this, complete the following steps:

For implementation details about the external database servers, refer to the appropriate Service Gateway manual in the TIBCO Object Service Broker documentation. Refer to TIBCO Object Service Broker Parameters for information about the SECURITY Execution Environment parameter.

The external security API is declared in hrnsecur.h, in the install_path/src/security directory.
For the syntax of these functions, refer to the sections below or to the install_path/src/security/hrnsecur.h file.

Some security providers require the use of an opaque token to authenticate a client to a server. Using the hrnExtSecClientInit function, the external security provider can create this token. The client caller provides an Execution Environment name, a user ID, and a password. The exit returns a pointer to a token and a length. The external security provider need not use any of the returned information if a token does not have to be built. The created token is specific to the security provider and is not interpreted or used by TIBCO Object Service Broker.
int hrnExtSecClientInit(
char* pszEEName, /* IN: ASCII EE Name */
char* pszUserid, /* IN: ASCII Userid */
char* pszPassword, /* IN: ASCII Password */
int* pnTokenLen, /* OUT: Token length */
void** pToken /* OUT: Security token */
);

pszEEName: Address of a null-terminated ASCII string containing the Execution Environment name.

pszUserid: Address of a null-terminated ASCII string containing the TIBCO Object Service Broker user ID entered by the client.

pszPassword: Address of a null-terminated ASCII string containing the TIBCO Object Service Broker password entered by the client.

pnTokenLen: Address of an integer containing the length of the security token to be sent to the Execution Environment.

pToken: Address of the security token to be sent to the Execution Environment. The hrnExtSecValidateUser function uses this token to authenticate session login.
When using the SDK (C/C++), you must always supply a password among the STARTSS session parameters for a STARTSS cliProc request. If you use external security to avoid supplying a password, use a dummy value for the PASSWORD parameter.
Return value:

• HRN_EXTSEC_FAIL – the security provider detects an error; the session terminates with a general login failure

The hrnExtSecValidateUser function, given a user ID, password, and token, determines whether the user is allowed to log in to the system. This exit is called when the SECURITY Execution Environment parameter is set to EXTERNAL or MIXED.
int hrnExtSecValidateUser(
char* pszUserid, /* IN: ASCII Userid */
char* pszPassword, /* IN: ASCII Password */
char* pszEEName, /* IN: ASCII EE Name */
void* pToken, /* IN: Token */
void** pSecurityEnv /* RESERVED */
);
pszUserid: Address of a null-terminated ASCII string containing the TIBCO Object Service Broker user ID entered by the client.

pszPassword: Address of a null-terminated ASCII string containing the TIBCO Object Service Broker password entered by the client. This can be an empty string if authentication information is being passed via a security token.

pToken: Address of the security token created by the hrnExtSecClientInit exit invoked for the current client and passed on to the Execution Environment during session login processing.

pSecurityEnv: Reserved.
The length of pToken is not passed as an argument. You should either pass tokens of a predetermined size or embed the length within the token. If you choose to embed the length within the token, you must manage any byte-ordering issues, such as big-endian versus little-endian hosts.
Return values:

• HRN_EXTSEC_FAIL – the security provider detects an error; the session terminates with a general login failure
• HRN_EXTSEC_BADUSERID – the user ID is invalid; this error is passed on to the client
• HRN_EXTSEC_BADPASSWORD – the password is invalid; this error is passed on to the client

You can find the source files used to implement the default Windows, Solaris, LDAP, and GSS modules in the install_path/src/security folder, as shown here:
In the install_path/src/security folder, the hrnsecur.h file contains the declarations of the API contained in the source files in that folder.

The following table lists the location of the modules required for a default security implementation and of the sample modules required to create a customized loadable module for your site:
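As an added illustration, not code from the TIBCO Object Service Broker distribution or its sample modules, the following C module implements both exits described above with a token that embeds its own length in big-endian form, as the note on token length recommends. The numeric values of the HRN_EXTSEC_* codes, the success code EXAMPLE_EXTSEC_OK, the credential table, the token layout, and the 4 KB size cap are assumptions made for the example; a real module takes its codes from hrnsecur.h and consults the site's security package instead of a table.

```c
#include <stdint.h>
#include <stdlib.h>
#include <string.h>

/* Return codes: the HRN_EXTSEC_* names are the documented ones, but these
 * numeric values and the success code EXAMPLE_EXTSEC_OK are placeholders;
 * a real module takes them from install_path/src/security/hrnsecur.h. */
#define EXAMPLE_EXTSEC_OK      0
#define HRN_EXTSEC_FAIL        1
#define HRN_EXTSEC_BADUSERID   2
#define HRN_EXTSEC_BADPASSWORD 3

/* Constructed credential table standing in for the site's security package. */
static const struct { const char *user; const char *password; } example_users[] = {
    { "alice", "correct horse" },
    { "bob",   "battery staple" },
};

/* Token layout (assumed): 4-byte big-endian total length, then EE name, user ID
 * and password as NUL-terminated strings. Writing the length byte by byte is
 * what keeps the token portable between big- and little-endian hosts. */
static void put_be32(unsigned char *p, uint32_t v) {
    p[0] = (unsigned char)(v >> 24); p[1] = (unsigned char)(v >> 16);
    p[2] = (unsigned char)(v >> 8);  p[3] = (unsigned char)v;
}
static uint32_t get_be32(const unsigned char *p) {
    return ((uint32_t)p[0] << 24) | ((uint32_t)p[1] << 16) | ((uint32_t)p[2] << 8) | p[3];
}

/* Compare two strings without exiting early at the first differing byte. */
static int ct_equal(const char *a, const char *b) {
    size_t la = strlen(a), lb = strlen(b), n = la < lb ? la : lb, i;
    unsigned char diff = (unsigned char)(la != lb);
    for (i = 0; i < n; i++) diff |= (unsigned char)(a[i] ^ b[i]);
    return diff == 0;
}

/* Split a token into its three fields, refusing any token whose strings do
 * not terminate inside the embedded length (the length is all we have). */
static int parse_token(const void *tok, const char **ee, const char **user, const char **pw) {
    const unsigned char *p = tok, *cur, *end, *nul;
    const char **out[3] = { ee, user, pw };
    uint32_t total = get_be32(p);
    int i;
    if (total < 4 + 3) return -1;            /* header plus three empty strings */
    end = p + total; cur = p + 4;
    for (i = 0; i < 3; i++) {
        nul = memchr(cur, 0, (size_t)(end - cur));
        if (!nul) return -1;
        *out[i] = (const char *)cur;
        cur = nul + 1;
    }
    return cur == end ? 0 : -1;              /* no trailing bytes allowed */
}

int hrnExtSecClientInit(char *pszEEName, char *pszUserid, char *pszPassword,
                        int *pnTokenLen, void **pToken) {
    size_t ee, u, pw, total;
    unsigned char *buf;
    if (!pszEEName || !pszUserid || !pszPassword || !pnTokenLen || !pToken)
        return HRN_EXTSEC_FAIL;
    ee = strlen(pszEEName) + 1; u = strlen(pszUserid) + 1; pw = strlen(pszPassword) + 1;
    total = 4 + ee + u + pw;
    if (total > 4096 || (buf = malloc(total)) == NULL) return HRN_EXTSEC_FAIL;
    put_be32(buf, (uint32_t)total);
    memcpy(buf + 4, pszEEName, ee);
    memcpy(buf + 4 + ee, pszUserid, u);
    memcpy(buf + 4 + ee + u, pszPassword, pw); /* a real provider would carry its package's ticket here */
    *pToken = buf; *pnTokenLen = (int)total;   /* ownership of buf is assumed to pass to the caller */
    return EXAMPLE_EXTSEC_OK;
}

int hrnExtSecValidateUser(char *pszUserid, char *pszPassword, char *pszEEName,
                          void *pToken, void **pSecurityEnv) {
    const char *ee = pszEEName, *user = pszUserid, *pw = pszPassword;
    size_t i;
    (void)pSecurityEnv;                        /* RESERVED */
    if (pToken) {
        if (parse_token(pToken, &ee, &user, &pw) != 0) return HRN_EXTSEC_FAIL;
        if (pszEEName && strcmp(ee, pszEEName) != 0) return HRN_EXTSEC_FAIL;   /* token is bound to its EE */
        if (pszUserid && pszUserid[0] && strcmp(user, pszUserid) != 0) return HRN_EXTSEC_BADUSERID;
    }
    if (!user || !pw) return HRN_EXTSEC_FAIL;
    for (i = 0; i < sizeof example_users / sizeof example_users[0]; i++)
        if (strcmp(example_users[i].user, user) == 0)
            return ct_equal(example_users[i].password, pw) ? EXAMPLE_EXTSEC_OK : HRN_EXTSEC_BADPASSWORD;
    return HRN_EXTSEC_BADUSERID;
}

/* Round trip through both exits, then feed back a token whose embedded length
 * has been shortened so that a field no longer terminates. Returns 1 on success. */
int example_selftest(void) {
    int len, ok;
    void *tok;
    if (hrnExtSecClientInit("EE1", "alice", "correct horse", &len, &tok) != EXAMPLE_EXTSEC_OK) return 0;
    ok = len == 28
      && hrnExtSecValidateUser("", "", "EE1", tok, NULL) == EXAMPLE_EXTSEC_OK
      && hrnExtSecValidateUser("", "", "EE2", tok, NULL) == HRN_EXTSEC_FAIL
      && hrnExtSecValidateUser("bob", "", "EE1", tok, NULL) == HRN_EXTSEC_BADUSERID;
    ((unsigned char *)tok)[3] = 10;            /* corrupt the embedded length */
    ok = ok && hrnExtSecValidateUser("", "", "EE1", tok, NULL) == HRN_EXTSEC_FAIL;
    free(tok);
    return ok;
}
```

The validate exit accepts an empty pszPassword when a token is present, which is the case the parameter description allows, and rejects a token minted for a different Execution Environment. The token carries the password only to keep the example self-contained; a provider built on a package such as Kerberos or LDAP would place that package's ticket or session handle in the token instead. The distinct HRN_EXTSEC_BADUSERID and HRN_EXTSEC_BADPASSWORD codes are what the documented API passes to the client, so the example returns them as specified.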