RP/TUX 8.0 - Security context propagation (ISL -E) does not work (Doc ID 769997.1)

Last updated on NOVEMBER 04, 2016

Applies to:

Oracle Tuxedo / Tuxedo / 8.0
Information in this document applies to any platform

Goal

HP11/WLS 5.1 SP3
This was reproduced on W2K, but the target platform is HP-UX 11.00.
Take a simpapp application example (either from the WLE 5.1 T-engine or TUXEDO 8.0) and set TUXDIR.
Run runme --> works.
Adapt the provided ubb; replace simple_i.cpp and simplc.cpp.
Adapt setenv according to setenv510.cmd (WLE 510) and setenv.cmd (TUXEDO 8.0).
--> Run tmloadcf -y ubb, pointing either to WLE 5.1 or TUXEDO 8.0 (application password = pa).
tpusradd iiop
tpusradd adminuser (password adminuser)
tpusradd pa (password pabgrall)
TOBJADDR points to //MARIA:2468 (ISL configured with -E)
--> If simple_client -ORBid BEA_IIOP is run against WLE 5.1, it runs fine.
--> If simple_client -ORBid BEA_IIOP is run against TUXEDO 8.0, it fails with NO_PERMISSION.
--> If simple_client -ORBid BEA_IIOP is run against TUXEDO 8.0 and TOBJADDR points to port 2469 (see second ISL in UBB), it runs.
--> With simple_client -ORBid BEA_IIOP as a WLE 5.1 remote client, a TUXEDO 8.0 server, and TOBJADDR pointing to 2468, it WORKS!

WLS 5.1 SP3 with WLEC configured correctly (works fine with WLE 5.1) --> fails with NO_PERMISSION if the server is TUXEDO 8.0.
WLS 5.1 configuration:
weblogic.CORBA.connectionPool.simplepool=\
        appaddrlist=//MARIA:2468,\
        failoverlist=//MARIA:2468,\
        minpoolsize=2,\
        maxpoolsize=3,\
        domainname=simpapp,\
        username=adminuser,\
        userpassword=adminuser,\
        userrole=client,\
        apppassword=pa,\
        securitycontext=YES
# PASSWORD PROTECTING SimpappWLEC
weblogic.password.pa=pabgrall
# following servlet is a normal simpappWLStoWLEthroughWLEC servlet --> adapt to default???
weblogic.httpd.register.SimpappWLEC=\
       examples.wlec.servlets.simpapp.SimpappWLEC
weblogic.allow.execute.weblogic.servlet.SimpappWLEC=pa
# END of PASSWORD
--> Invoking this servlet results in a user/password prompt --> answer user=pa, pw=pabgrall, as was done in
tpusr... --> works with WLE 5.1 and fails with TUXEDO 8.0

What the test case does not show is that the customer is using RLI and calls the get_attributes() function (outlined
in simple_i.cpp) in the RLI; that call fails with no SecurityAttribute set.

What should happen:
ISL -E ... -n //MARIA:2468 should work in TUXEDO 8.0 as it does with WLE 5.1, since the documentation did not change,
and should not lead to a NO_PERMISSION exception. It should also work with WLEC as a client for a trusted connection pool.

In the TUXEDO 8 documentation this option is still documented (see TUXEDO command reference manual, page 93 of 238):
...
[-E principal_name]
An optional parameter that indicates the identity of the principal that is required in order to establish a trusted
connection pool. A trusted connection pool can only be established if a CORBA application is configured to require
users to be authenticated. If a remote client application attempts to propagate per-request security information over
a connection that is not part of a trusted connection pool, the accompanying propagated security information will be
ignored.
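
The rule quoted above can be checked against a configuration before deployment. The following is an added example, not code from the original document or from Oracle: it scans UBBCONFIG text and reports, per ISL listener, whether a trusted connection pool is possible. The sample UBBCONFIG is constructed; it reuses the two listener addresses from the test case, while the SRVGRP/SRVID values, the principal name, and the second listener lacking -E are assumptions.

```python
import re
import shlex

# SECURITY levels treated here as "users must be authenticated" (APP_PW is not).
USER_AUTH_LEVELS = {"USER_AUTH", "ACL", "MANDATORY_ACL"}

# Constructed sample; group/server ids and "trusted_principal" are placeholders.
SAMPLE_UBB = '''
*RESOURCES
SECURITY    USER_AUTH
*SERVERS
ISL SRVGRP=SYS_GRP SRVID=5
    CLOPT="-A -- -n //MARIA:2468 -E trusted_principal"
ISL SRVGRP=SYS_GRP SRVID=6
    CLOPT="-A -- -n //MARIA:2469"
'''

def audit_isl(ubb_text):
    """Return (security_level, [one finding dict per ISL entry])."""
    section, security, entries = None, "NONE", []
    for raw in ubb_text.splitlines():
        line = raw.split("#", 1)[0].rstrip()      # drop comments
        if not line.strip():
            continue
        if line.startswith("*"):
            section = line[1:].strip().upper()
        elif section == "RESOURCES" and line.split()[0] == "SECURITY":
            security = line.split()[1].strip('"').upper()
        elif section == "SERVERS" and line[0].isspace() and entries:
            entries[-1] += " " + line.strip()     # indented continuation line
        elif section == "SERVERS":
            entries.append(line.strip())
    findings = []
    for entry in entries:
        if entry.split()[0] != "ISL":
            continue
        m = re.search(r'CLOPT="([^"]*)"', entry)
        args = shlex.split(m.group(1)) if m else []
        # Options after "--" are the ISL's own options (-n, -E, ...).
        isl_args = args[args.index("--") + 1:] if "--" in args else []
        opt = lambda flag: (isl_args[isl_args.index(flag) + 1]
                            if flag in isl_args[:-1] else None)
        principal = opt("-E")
        findings.append({
            "address": opt("-n"),
            "principal": principal,
            "trusted_pool_possible": bool(principal) and security in USER_AUTH_LEVELS,
        })
    return security, findings
```

A listener reported with `trusted_pool_possible` false is one where, per the quoted reference text, propagated per-request security information would be ignored.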

Solution
