Security System
This chapter describes the security system provided by Tmax.
1. Overview
Tmax provides a three-level security system: system access control, user authentication, and service access control. The security level can be set with the SECURITY item in the DOMAIN section of the Tmax configuration file. The following values are available.
Value | Description |
---|---|
DOMAIN_SEC | System access control |
USER_AUTH | User authentication |
ACL or MANDATORY | Service access control |
NO_SECURITY | No security |
For more information about creating each file (group, user, and acl) and the relevant commands, refer to the Tmax Reference Guide.
2. Level 1 Security (System Access Control)
The level-one security function, system access control, restricts a client's access to the Tmax system. To access the Tmax system, the client must supply a password; this is the password for the account defined in OWNER of the DOMAIN section.
Before registering the password in Tmax, the client must set the password by using the mkpw utility. After system access control is set, the client must register the password with dompwd of the TPSTART_T structure when tpstart() is called. The client must enter the correct password to log in to the Tmax system. If SECURITY is set to NO_SECURITY, the client does not need to set a value for dompwd, to which NULL is passed.
The following is a Tmax configuration file that uses system access control.
```
# For system authentication, set SECURITY to "DOMAIN_SEC".
*DOMAIN
res1        SHMKEY = 66999, MAXUSER = 256,
            SECURITY = "DOMAIN_SEC", OWNER = tmax

*NODE
tmax        TMAXDIR = "/home/tmax",
            APPDIR = "/home/tmax/appbin"

*SVRGROUP
svg1        NODENAME = tmax

*SERVER
upper       SVGNAME = svg1, RESTART = Y, MAXRSTART = 3

*SERVICE
TOUPPER     SVRNAME = upper
TOLOWER     SVRNAME = upper, PRIO = 100
```
The following is an example of specifying a password by using dompwd of the TPSTART_T structure.
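```c
...
int main(int argc, char *argv[])
{
    ...
    TPSTART_T *tpinfo;
    ...
    /* Allocate the TPSTART buffer that carries the connection credentials. */
    if ((tpinfo = (TPSTART_T *)tpalloc("TPSTART", NULL, sizeof(TPSTART_T))) == NULL) {
        /* error processing routine */
    }
    /* Domain password checked by system access control. */
    strcpy(tpinfo->dompwd, "tmax1234");
    if (tpstart(tpinfo) == -1) {
        /* error processing routine */
    }
    ...
}
```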
3. Level 2 (User Authentication)
The level-two security, user authentication, allows only an authorized user to access the Tmax system.
In order to connect to Tmax by calling tpstart(), a client must register usrname and usrpwd of the TPSTART_T structure. usrname is the user name of the account authenticated by Tmax and usrpwd is the account password. A username and password must be specified by using the mkpw utility. When user authentication is enabled, the client can log into the system only with a valid user name and password.
Because user authentication includes system access control, the client must register a valid dompwd by using the mkpw utility.
The password file must be created and updated before Tmax is configured.
The following is a Tmax configuration file that uses user authentication.
```
# For user authentication, set SECURITY to "USER_AUTH".
*DOMAIN
res1        SHMKEY = 66999, MAXUSER = 256,
            SECURITY = "USER_AUTH", OWNER = tmax

*NODE
tmax        TMAXDIR = "/home/tmax",
            APPDIR = "/home/tmax/appbin"

*SVRGROUP
svg1        NODENAME = tmax

*SERVER
upper       SVGNAME = svg1, RESTART = Y, MAXRSTART = 3

*SERVICE
TOUPPER     SVRNAME = upper
TOLOWER     SVRNAME = upper, PRIO = 100
```
The following is an example of setting usrname and usrpwd of the TPSTART_T structure.
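```c
...
int main(int argc, char *argv[])
{
    ...
    TPSTART_T *tpinfo;
    /* Allocate the TPSTART buffer that carries the connection credentials. */
    if ((tpinfo = (TPSTART_T *)tpalloc("TPSTART", NULL, sizeof(TPSTART_T))) == NULL) {
        /* error processing routine */
    }
    /* Level 1: domain password. Level 2: user name and user password. */
    strcpy(tpinfo->dompwd, "tmax1234");
    strcpy(tpinfo->usrname, "gdhong");
    strcpy(tpinfo->usrpwd, "hong0000");
    if (tpstart(tpinfo) == -1) {
        /* error processing routine */
    }
    ...
}
```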
4. Level 3 (Service Access Control)
The level-three security, service access control, restricts an authorized client’s access to services.
Service access control classifies users into groups. A service is available only to users who belong to a group that is authorized for the service. Therefore, service access control requires a group file, one or more user files that belong to the group file, and an ACL file, which is used for associating a user group with certain access permissions to use services. Before using service access control, you must set the SECURITY item to ACL or MANDATORY.
Service access control includes both system access control and user authentication. Therefore, if SECURITY is set to ACL (or MANDATORY), a client must pass the level-one and level-two security measures by using dompwd, usrname, and usrpwd to connect to the Tmax system and gain permission to access services.
The following is a Tmax configuration file that uses service access control.
```
*DOMAIN
tmax1       SHMKEY = 78350, TPORTNO = 8350,
            SECURITY = ACL, OWNER = starbj0, RACPORT = 3155

*NODE
tmaxh4      TMAXDIR = "/EMC01/starbj81/tmax",
            APPDIR = "/EMC01/starbj81/tmax/appbin"
tmaxh2      TMAXDIR = "/data1/starbj81/tmax",
            APPDIR = "/data1/starbj81/tmax/appbin"

*SVRGROUP
svg1        NODENAME = "tmaxh4", COUSIN = "svg2", LOAD = 1
svg2        NODENAME = "tmaxh2", LOAD = 5
svg3        NODENAME = "tmaxh4"

*SERVER
svr01001    SVGNAME = svg1
svr_ucs1    SVGNAME = svg3, CLOPT = "-u 35", SVRTYPE = UCS, MIN = 1, MAX = 2
svr_ucs2    SVGNAME = svg3, CLOPT = "-u 37", SVRTYPE = UCS, MIN = 1, MAX = 2

*SERVICE
TOUPPER1    SVRNAME = svr01001
TOUPPER2    SVRNAME = svr01001
LOGIN1      SVRNAME = svr_ucs1
LOGIN2      SVRNAME = svr_ucs2
```
<Group File>
```
grp0:x:1001
grp1:x:1
grp2:x:2
grp3:x:3
grp4:x:4
grp5:x:5
```
<User File>
```
starbj0:1002:1
starbj1:1:1
starbj2:2:2
starbj3:3:3
starbj4:4:4
starbj5:5:5
```
<ACL File>
```
TOUPPER1:SERVICE:1
TOUPPER3:SERVICE:5
TOUPPER5:SERVICE:5
```
<Client Program>
```c
int main()
{
    ...
    strcpy(tpinfo->usrname, "starbj1");
    strcpy(tpinfo->dompwd, "starbj0");
    strcpy(tpinfo->usrpwd, "starbj1");
    ...
    /* TOUPPER1 is restricted by the ACL file to the group of user starbj1. */
    if (tpcall("TOUPPER1", sndbuf, 0, &rcvbuf, &rcvlen, 0) == -1) {
        /* error routine */
    }
    ...
}
```
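The following Python script is an added example, not part of the Tmax documentation or product code. It cross-checks the group, user and ACL files shown above against the configured services and evaluates whether a given user's group is listed for a service. The field layouts (group = name:x:gid, user = name:uid:gid, ACL = service:type:gid) are assumptions inferred from the sample files, and the function names are hypothetical.

```python
# Constructed inputs: the group, user and ACL file contents shown above.
GROUP_FILE = "grp0:x:1001\ngrp1:x:1\ngrp2:x:2\ngrp3:x:3\ngrp4:x:4\ngrp5:x:5"
USER_FILE = ("starbj0:1002:1\nstarbj1:1:1\nstarbj2:2:2\n"
             "starbj3:3:3\nstarbj4:4:4\nstarbj5:5:5")
ACL_FILE = "TOUPPER1:SERVICE:1\nTOUPPER3:SERVICE:5\nTOUPPER5:SERVICE:5"
# Service names taken from the *SERVICE section of the configuration above.
CONFIGURED = {"TOUPPER1", "TOUPPER2", "LOGIN1", "LOGIN2"}


def rows(text):
    """Split colon-separated records, skipping blank lines."""
    return [line.strip().split(":") for line in text.splitlines() if line.strip()]


def load():
    # Assumed layouts: group = name:x:gid, user = name:uid:gid,
    # ACL = service:type:gid (one permitted group per line).
    groups = {int(gid): name for name, _x, gid in rows(GROUP_FILE)}
    users = {name: int(gid) for name, _uid, gid in rows(USER_FILE)}
    acl = {}
    for service, _type, gid in rows(ACL_FILE):
        acl.setdefault(service, set()).add(int(gid))
    return groups, users, acl


def check(user, service):
    """Return 'allow', 'deny', 'unknown-user' or 'unlisted'."""
    _groups, users, acl = load()
    if user not in users:
        return "unknown-user"
    if service not in acl:
        # The page does not say how a service with no ACL entry is treated.
        return "unlisted"
    return "allow" if users[user] in acl[service] else "deny"


def audit():
    """Cross-check the three files against the configured services."""
    groups, users, acl = load()
    return {
        "acl_without_service": sorted(set(acl) - CONFIGURED),
        "service_without_acl": sorted(CONFIGURED - set(acl)),
        "user_in_undefined_group": sorted(u for u, g in users.items() if g not in groups),
        "acl_for_undefined_group": sorted(s for s, g in acl.items() if g - set(groups)),
    }


if __name__ == "__main__":
    print(check("starbj1", "TOUPPER1"), audit())
```

On the sample data the audit reports that the ACL file names TOUPPER3 and TOUPPER5, which the configuration does not define, while TOUPPER2, LOGIN1 and LOGIN2 have no ACL entry.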