Configuring Transactions 3-9
If you were then to add both DomainD and an additional DomainE to the cross-domain security configuration, the cross-domain credential map would be as shown in Table 3–5. A table cell containing Yes indicates that you must configure cross domain security for this domain combination.
3.3.4.2 Adding Domains to the Exclude List Based on Transaction Participation
The exclude list provides a mechanism for a server in a domain with Cross Domain Security configured to participate in a transaction with a server in another domain that does not support or have Cross Domain Security enabled.
If any server in a domain in which cross domain security is not configured participates in a transaction with any server in a domain in which cross domain security is configured, add that domain to the exclude list of the domain that has cross domain security configured. Security Interoperability Mode is used to establish communication channels for participating domains as described in Section 3.3.4.3, Important Considerations When Configuring Cross Domain Security.
You do not need to add the domain to the exclude list of all domains that have cross domain security configured; the domain must explicitly participate in a transaction with the domain in question for this requirement to take effect.
Consider the following scenario:
■ Transaction 1:
– DomainA has Server1, the coordinator
– DomainB has Server2, a sub-coordinator
– DomainC has Server3 and Server4; Server3 is a sub-coordinator
– DomainD has Server5, which does not participate in the transaction; cross-domain security is not configured
■ Transaction 2:
– DomainB has Server6, the coordinator
– DomainD has Server5, a sub-coordinator; cross-domain security is not configured
In this case DomainD has to be in the exclusion list of DomainB because of Transaction 2. You do not need to include it in the exclusion list of DomainA or DomainC because DomainD does not participate in any transactions with servers in these two domains.
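As an added example (not code from the Oracle documentation), the following Python applies the exclude-list rule above and the consistency requirement from Section 3.3.4.3 to this scenario: it derives the Excluded Domain Names list each domain with cross domain security needs, lists the domain pairs that need a credential mapping, and flags transactions whose exclude lists are inconsistent. The CROSS_DOMAIN_SECURITY and TRANSACTIONS tables are constructed from the scenario's domain and server names.

```python
from itertools import combinations

# Constructed input: which domains have Cross Domain Security configured.
CROSS_DOMAIN_SECURITY = {
    "DomainA": True, "DomainB": True, "DomainC": True, "DomainD": False,
}

# Constructed input: the two transactions from the scenario, as {server: domain}.
# Only servers that take part are listed (Server4 and, in Transaction 1, Server5 do not).
TRANSACTIONS = {
    "Transaction 1": {"Server1": "DomainA", "Server2": "DomainB", "Server3": "DomainC"},
    "Transaction 2": {"Server6": "DomainB", "Server5": "DomainD"},
}

def required_exclude_lists(cds, transactions):
    """Return {secured domain: set of domains it must put on its Excluded Domain
    Names list}. A non-secured domain is added only when one of its servers shares
    a transaction with a server of the secured domain."""
    excludes = {d: set() for d, enabled in cds.items() if enabled}
    for participants in transactions.values():
        for a, b in combinations(set(participants.values()), 2):
            for secured, other in ((a, b), (b, a)):
                if cds[secured] and not cds[other]:
                    excludes[secured].add(other)
    return excludes

def credential_map_pairs(cds):
    """Ordered pairs of distinct secured domains: the 'Yes' cells of Table 3-5, each
    of which needs a credential mapping in the CrossDomainConnector role."""
    secured = sorted(d for d, enabled in cds.items() if enabled)
    return {(a, b) for a in secured for b in secured if a != b}

def find_inconsistencies(cds, excludes, transactions):
    """List (transaction, secured domain, unsecured domain) triples where the secured
    participant has not excluded the unsecured one; those branches fail."""
    problems = []
    for name, participants in transactions.items():
        domains = set(participants.values())
        for secured in sorted(d for d in domains if cds[d]):
            for other in sorted(d for d in domains if not cds[d]):
                if other not in excludes.get(secured, set()):
                    problems.append((name, secured, other))
    return problems

if __name__ == "__main__":
    needed = required_exclude_lists(CROSS_DOMAIN_SECURITY, TRANSACTIONS)
    for domain, excluded in sorted(needed.items()):
        print(f"{domain}: Excluded Domain Names = {sorted(excluded)}")
    # Excluding DomainD only on DomainA leaves Transaction 2 flagged as broken.
    print(find_inconsistencies(CROSS_DOMAIN_SECURITY, {"DomainA": {"DomainD"}}, TRANSACTIONS))
```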
3.3.4.3 Important Considerations When Configuring Cross Domain Security
When configuring Cross Domain Security, consider the following guidelines:
■ Domain trust is not required for Cross Domain Security.
Table 3–5 Setting Cross Domain Security with Five Participating Domains

         DomainA  DomainB  DomainC  DomainD  DomainE
DomainA  No       Yes      Yes      Yes      Yes
DomainB  Yes      No       Yes      Yes      Yes
DomainC  Yes      Yes      No       Yes      Yes
DomainD  Yes      Yes      Yes      No       Yes
DomainE  Yes      Yes      Yes      Yes      No
3-10 Programming JTA for Oracle WebLogic Server
■ For every domain pair that participates in a transaction, a credential mapper must be correctly configured with a set of credentials that belong to the CrossDomainConnector security role. If the credential mapping is not correct, transactions across the participating domains fail. See “Configure a Credential Mapping for Cross-Domain Security” in Securing Oracle WebLogic Server.
■ Configure one-way SSL to provide additional communication security and protect the transaction from a man-in-the-middle attack.
■ To interoperate with WebLogic domains that either do not support Cross Domain Security or have Cross Domain Security disabled, you must add these domains to the Excluded Domain Names list of every participating WebLogic Server domain that has Cross Domain Security enabled. If the configuration of the Excluded Domain Names list and the CrossDomainSecurityEnabled flag is not consistent in all participating domains, branches of the transaction fail.
■ If the Cross Domain Security Enabled flag is disabled or the domain is in the Excluded Domain Names list, then Security Interoperability Mode is used to establish communication channels for participating domains.
■ When enabling or disabling the Cross Domain Security Enabled flag, there may be a period of time during which transactions or other remote calls can fail. For transactions, if the commit request fails, the commit is retried after the configuration change is complete. If a transaction RMI call fails during any other request, then the transaction times out and is rolled back. The rollback is retried until AbandonTimeoutSeconds is reached.
3.3.5 Configuring Security Interoperability Mode