3-8 Programming JTA for Oracle WebLogic Server
For servers in a WebLogic Server 10.x domain, set participating servers to either default, performance or compatibility.
3.3.4 Configuring Cross Domain Security
Cross Domain Security uses a credential mapper to enable you to configure compatible communication channels between servers in global transactions. For every domain pair that participates in a transaction, a credential mapper is configured. Every domain pair has a different set of credentials, which belong to the CrossDomainConnector security role; see “Configuring a Cross-Domain User” in Securing Oracle WebLogic Server.
See “Enabling Cross Domain Security Between WebLogic Server Domains” and “Configure a Credential Mapping for Cross-Domain Security” in Securing Oracle WebLogic Server.
3.3.4.1 Cross Domain Security is Not Transitive
Servers participating in a transaction set cross-domain credential mapping with each other. Unlike domain-trust, the cross domain security configuration is not transitive;
that is, because A trusts B and B trusts C, it is not therefore also true that A trusts C.
Consider the following scenario:
■ DomainA has Server1 (coordinator)
■ DomainB has Server2 (sub-coordinator)
■ DomainC has Server3 and Server4 (Server3 is a sub-coordinator)
■ DomainD has Server5 (does not participate in the transaction)
To set the cross-domain credential mapping in this scenario, do the following:
1. Set cross-domain security in DomainA for DomainB
2. Set cross-domain security in DomainB for DomainA
3. Set cross-domain security in DomainA for DomainC
4. Set cross-domain security in DomainC for DomainA
5. Set cross-domain security in DomainB for DomainC
6. Set cross-domain security in DomainC for DomainB
Because DomainD does not participate in the transaction, using cross-domain credential mapping is not required. However, see Section 3.3.4.2, “Adding Domains to the Exclude List Based on Transaction Participation” for further clarification.
To present this information in another way, consider Table 3–4. A table cell containing Yes indicates that you must configure cross domain security for this domain combination.
Table 3–4 Setting Cross Domain Security with Three Participating Domains
--        DomainA   DomainB   DomainC   DomainD
DomainA   No        Yes       Yes       No
DomainB   Yes       No        Yes       No
DomainC   Yes       Yes       No        No
DomainD   No        No        No        No
If you were then to add both DomainD and an additional DomainE to the cross-domain security configuration, the cross-domain credential map would be as shown in Table 3–5. A table cell containing Yes indicates that you must configure cross domain security for this domain combination.
3.3.4.2 Adding Domains to the Exclude List Based on Transaction Participation
The exclude list provides a mechanism for a server in a domain with Cross Domain Security configured to participate in a transaction with a server in another domain that does not support Cross Domain Security or does not have it enabled.
If any server in a domain in which cross domain security is not configured participates in a transaction with any server in a domain in which cross domain security is configured, add that domain to the exclude list of the domain that has cross domain security configured. Security Interoperability Mode is used to establish communication channels for participating domains as described in Section 3.3.4.3, “Important Considerations When Configuring Cross Domain Security”.
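The following Python sketch is an added example, not part of the Oracle documentation and not a WebLogic API. It audits a planned configuration against the two rules above: every ordered pair of participating domains needs its own credential mapping (Section 3.3.4.1), and a participating domain without Cross Domain Security must be on the exclude list of each domain that has it (Section 3.3.4.2). The function name, finding labels and data layout are assumptions; the sample data is constructed from the scenario's domain names.

```python
from itertools import permutations

def audit_cross_domain(participants, cds_domains, mappings, exclude_lists):
    """Return the configuration gaps for one global transaction.

    participants  : domains that have a server in the transaction
    cds_domains   : domains with Cross Domain Security configured
    mappings      : set of (local, remote) pairs, meaning a credential
                    mapping for `remote` is configured in `local`
    exclude_lists : {local: set of remote domains on its exclude list}
    """
    findings = []
    for local, remote in permutations(sorted(participants), 2):
        if local not in cds_domains:
            continue  # nothing to configure on a domain without CDS
        if remote not in cds_domains:
            # Remote cannot use CDS, so it must be on local's exclude list.
            if remote not in exclude_lists.get(local, set()):
                findings.append(("add-to-exclude-list", local, remote))
        elif (local, remote) not in mappings:
            # Trust is per ordered pair. Flag the case where the pair is
            # only connected through a third domain, which grants nothing.
            via = [m for m in sorted(participants)
                   if (local, m) in mappings and (m, remote) in mappings]
            kind = "missing-mapping-transitive-only" if via else "missing-mapping"
            findings.append((kind, local, remote))
    return findings

# Constructed sample data using the domain names from the scenario.
# DomainD is left out of PARTICIPANTS: it has no server in the transaction.
PARTICIPANTS = {"DomainA", "DomainB", "DomainC"}
CDS_DOMAINS = {"DomainA", "DomainB", "DomainC", "DomainD"}
# Steps 1, 2, 5 and 6 applied; steps 3 and 4 (DomainA <-> DomainC) forgotten.
MAPPINGS = {("DomainA", "DomainB"), ("DomainB", "DomainA"),
            ("DomainB", "DomainC"), ("DomainC", "DomainB")}

if __name__ == "__main__":
    for finding in audit_cross_domain(PARTICIPANTS, CDS_DOMAINS, MAPPINGS, {}):
        print(finding)
```

With the sample data, the audit reports DomainA to DomainC and DomainC to DomainA as missing even though both domains have mappings with DomainB.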