Chapter 8. Security System

Table of Contents

8.1. Overview
8.2. Level 1 (System Access Control)
8.3. Level 2 (User Authentication)
8.4. Level 3 (Service Access Control)

This chapter describes the security system provided by Tmax.

8.1. Overview

Tmax provides a 3-level security system: system access control, user authentication, and service access control.

The three levels are set by defining SECURITY in the DOMAIN section of the Tmax configuration file.

The following describes the values SECURITY can be set to.

Configuration Value    Description
DOMAIN_SEC             System access control
USER_AUTH              User authentication
ACL | MANDATORY        Service access control
NO_SECURITY            Does not use security functions

Note

For more information about creating each file (group, user, acl) and the relevant commands, refer to the "Tmax Reference Guide".

8.2. Level 1 (System Access Control)

System access control is the first level of security that controls client access to the Tmax system. Level 1 security sets a single password for the Tmax system, which becomes the password for the account defined in OWNER of the DOMAIN section.

Before the password is registered in Tmax, it must be set with the mkpw utility. Once level 1 security is set, clients must supply the password in dompwd of the TPSTART_T structure when calling tpstart(). Clients cannot log into the system unless the password is valid. If SECURITY is set to NO_SECURITY, dompwd does not need to be given a value; NULL is transmitted.

The following is a Tmax configuration file that uses level 1 security.

#For system authentication, set SECURITY to "DOMAIN_SEC".
*DOMAIN
res1        SHMKEY = 66999, MAXUSER = 256,
            SECURITY = "DOMAIN_SEC", OWNER = tmax

*NODE
tmax        TMAXDIR = "/home/tmax",
            APPDIR = "/home/tmax/appbin"

*SVRGROUP
svg1        NODENAME = tmax

*SERVER
upper       SVGNAME = svg1, RESTART = Y, MAXRSTART = 3

*SERVICE
TOUPPER     SVRNAME = upper
TOLOWER     SVRNAME = upper, PRIO = 100

The following specifies a password using dompwd of the TPSTART_T structure.

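...
int main(int argc, char *argv[])
{
    ...
    TPSTART_T *tpinfo;
    ...
    /* Allocate the TPSTART buffer that carries the login information. */
    if ((tpinfo = (TPSTART_T *)tpalloc("TPSTART", NULL, sizeof(TPSTART_T))) == NULL) {
        /* error processing routine */
    }
    /* Level 1: domain password, as registered with mkpw. */
    strcpy(tpinfo->dompwd, "tmax1234");
    if (tpstart(tpinfo) == -1) {
        /* error processing routine */
    }
    ...
}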

8.3. Level 2 (User Authentication)

Level 2 security allows only authorized clients to gain access to the system.

In order to connect to Tmax by calling tpstart(), clients must register usrname and usrpwd of the TPSTART_T structure. usrname is the user account authenticated by Tmax and usrpwd is the password for the account. A user account and password must be specified using the mkpw utility. When user authentication is set, clients can log into the system only with a valid user name and user password.

Since level 2 also includes level 1 security, clients must register a valid dompwd. dompwd must also be set with mkpw.

Caution

The password file must be created and updated before Tmax is configured.

The following is a Tmax configuration file that uses level 2 security.

#For user authentication, set SECURITY to "USER_AUTH".
*DOMAIN
res1        SHMKEY = 66999, MAXUSER = 256,
            SECURITY = "USER_AUTH", OWNER = tmax

*NODE
tmax        TMAXDIR = "/home/tmax",
            APPDIR = "/home/tmax/appbin"

*SVRGROUP
svg1        NODENAME = tmax

*SERVER
upper       SVGNAME = svg1, RESTART = Y, MAXRSTART = 3

*SERVICE
TOUPPER     SVRNAME = upper
TOLOWER     SVRNAME = upper, PRIO = 100

The following configures usrname and usrpwd of the TPSTART_T structure.

...
int main(int argc, char *argv[])
{
    ...
    TPSTART_T *tpinfo;
    /* Allocate the TPSTART buffer that carries the login information. */
    if ((tpinfo = (TPSTART_T *)tpalloc("TPSTART", NULL, sizeof(TPSTART_T))) == NULL) {
        /* error processing routine */
    }
    /* Level 1: domain password. Level 2: user account and its password. */
    strcpy(tpinfo->dompwd, "tmax1234");
    strcpy(tpinfo->usrname, "gdhong");
    strcpy(tpinfo->usrpwd, "hong0000");

    if (tpstart(tpinfo) == -1) {
        /* error processing routine */
    }
    ...
}

8.4. Level 3 (Service Access Control)

Service access control is the function that defines the users who can access the Tmax system at the service level.

Service access control classifies users into groups. A single service is available only to the users who belong to the authorized group for the service. In order to use this function, a group file must be generated. The relevant group must contain the users’ file. The user must also create a file named acl, which is used for associating the user groups with access permissions at the service level. To use the relevant function, configure the ACL or MANDATORY value in SECURITY of the DOMAIN section.

Level 3 security includes both level 1 system access control and level 2 user authentication. Therefore, if SECURITY is set to ACL (or MANDATORY), service access permission is granted only after the client passes level 1 and level 2 using the dompwd, usrname, and usrpwd fields of the TPSTART_T structure.

The following is a Tmax configuration file that uses level 3 security.

*DOMAIN
tmax1           SHMKEY = 78350,
                TPORTNO = 8350, SECURITY = ACL, OWNER = starbj0, RACPORT = 3155

*NODE
tmaxh4          TMAXDIR = "/EMC01/starbj81/tmax",
                APPDIR  = "/EMC01/starbj81/tmax/appbin"
                
tmaxh2          TMAXDIR = "/data1/starbj81/tmax",
                APPDIR  = "/data1/starbj81/tmax/appbin"
                
*SVRGROUP
svg1            NODENAME = "tmaxh4", COUSIN = "svg2", LOAD = 1
svg2            NODENAME = "tmaxh2", LOAD = 5
svg3            NODENAME = "tmaxh4"


*SERVER
svr01001        SVGNAME = svg1
svr_ucs1        SVGNAME = svg3, CLOPT = "-u 35", SVRTYPE = UCS, MIN = 1, MAX = 2
svr_ucs2        SVGNAME = svg3, CLOPT = "-u 37", SVRTYPE = UCS, MIN = 1, MAX = 2

*SERVICE
TOUPPER1        SVRNAME = svr01001
TOUPPER2        SVRNAME = svr01001
LOGIN1          SVRNAME = svr_ucs1
LOGIN2          SVRNAME = svr_ucs2

<Group File>

grp0:x:1001
grp1:x:1
grp2:x:2
grp3:x:3
grp4:x:4
grp5:x:5

<User File>

starbj0:1002:1
starbj1:1:1
starbj2:2:2
starbj3:3:3
starbj4:4:4
starbj5:5:5

<acl File>

TOUPPER1:SERVICE:1
TOUPPER3:SERVICE:5
TOUPPER5:SERVICE:5

<Client Program>

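int main()
{
    ...
    /* Level 1 and level 2 credentials are still required at level 3. */
    strcpy(tpinfo->usrname, "starbj1");
    strcpy(tpinfo->dompwd, "starbj0");
    strcpy(tpinfo->usrpwd, "starbj1");
    ...
    /* The service call is subject to the acl file. */
    if (tpcall("TOUPPER1", sndbuf, 0, &rcvbuf, &rcvlen, 0) == -1) {
        /* error routine */
    }
    ...
}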
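
An offline consistency check over the three sample files above, added here as an example; it is not part of the Tmax documentation or tooling. It assumes the field layouts group = name:x:gid, user = name:uid:gid and acl = service:SERVICE:gid, which are inferred from the samples and should be confirmed against the "Tmax Reference Guide"; rows() and audit() are hypothetical helper names.

```python
# Added example (not Tmax code). Sample data copied from the files above.
# ASSUMED field layouts, inferred from the samples only:
#   group = name:x:gid   user = name:uid:gid   acl = service:SERVICE:gid
GROUP_FILE = "grp0:x:1001\ngrp1:x:1\ngrp2:x:2\ngrp3:x:3\ngrp4:x:4\ngrp5:x:5"
USER_FILE = ("starbj0:1002:1\nstarbj1:1:1\nstarbj2:2:2\n"
             "starbj3:3:3\nstarbj4:4:4\nstarbj5:5:5")
ACL_FILE = "TOUPPER1:SERVICE:1\nTOUPPER3:SERVICE:5\nTOUPPER5:SERVICE:5"
SERVICES = ["TOUPPER1", "TOUPPER2", "LOGIN1", "LOGIN2"]  # from *SERVICE


def rows(text, nfields):
    """Split colon-separated records; reject lines with a wrong field count."""
    out = []
    for n, line in enumerate(text.splitlines(), 1):
        line = line.strip()
        if not line:
            continue
        fields = line.split(":")
        if len(fields) != nfields:
            raise ValueError(f"line {n}: expected {nfields} fields: {line!r}")
        out.append(fields)
    return out


def audit(group_text, user_text, acl_text, services):
    """Cross-check the three files against the configured service names."""
    gids = {gid for _name, _x, gid in rows(group_text, 3)}
    members = {}  # gid -> user names whose group field is that gid
    for name, _uid, gid in rows(user_text, 3):
        members.setdefault(gid, []).append(name)
    granted, unknown = {}, set()  # service -> users; gids not in group file
    for svc, _kind, gid in rows(acl_text, 3):
        if gid not in gids:
            unknown.add(gid)
        granted.setdefault(svc, set()).update(members.get(gid, []))
    return {
        "granted": {s: sorted(u) for s, u in granted.items()},
        "acl_for_undefined_service": sorted(set(granted) - set(services)),
        "service_without_acl": sorted(set(services) - set(granted)),
        "acl_unknown_gid": sorted(unknown),
        "group_without_users": sorted(gids - set(members)),
    }


if __name__ == "__main__":
    for key, value in audit(GROUP_FILE, USER_FILE, ACL_FILE, SERVICES).items():
        print(f"{key}: {value}")
```

On the sample data the check shows that TOUPPER3 and TOUPPER5 have acl entries but no definition in the SERVICE section, and that TOUPPER2, LOGIN1 and LOGIN2 are defined without any acl entry.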