Security Guidelines
Introduction
This document is meant as a guide to implement security features for GridServer Manager. The goal is to provide you with information on what can be done and where you can go to find the information necessary to implement the solutions.
As GridServer uses third-party products, what can be done with those products is likely to change over time. Therefore, it is necessary for you to continue to stay educated on the latest features of third-party products.
This document is specific to GridServer 7.1.0. and assumes that the reader has a working knowledge of GridServer components. If not, see the TIBCO GridServer® Introducing TIBCO GridServer® documentation.
Product Connectivity
This section describes the connectivity between GridServer components.
Communication
-
The communication between the Director and Broker uses TCP on port 5635 by default. See the
-
Manager-Driver Communication
The ports used by the Manager for incoming communication from the Driver are covered in the
-
Manager-Engine Communication
The ports used by the Manager for incoming communication from the Engine are the same as the ports used for the Driver. See Director-Broker Communication.
-
Driver-Engine Communication
The Driver and Engine communicate directly when either of them has Direct Data Transfer (DDT) enabled. If the Driver has DDT enabled, then the Engine attempts to download input data directly from the Driver’s file server. If the Engine has DDT enabled, then the Driver attempts to download the output data directly from the Engine’s file server.
-
Driver DDT
-
Engine DDT
ds.DataDirvalue, see the Invocation Variables topic in the TIBCO GridServer® Developer's Guide -
DDT KB Articles
KB Article 000008671: Using static ports in Engine and Driver DDT settings.
SSL
SSL KB Articles
-
KB Article 000043090: How to configure GridServer to use JSSE SSL implementation instead of OpenSSL
-
KB Article 000036224: Steps for creating SSL certificates that can be used on GridServer Manager
-
KB Article 000031710: Steps to enable extra logging to debug SSL connection errors
Authentication and Authorization
-
Run-As
There are often cases where Services require specific user permissions to access needed resources. By creating the Engine process as a given user, all Service invocations that are run by the Engine can operate with these permissions.
-
Running windows engine as Run-As
Configuring the Windows engine as Run-As is covered in the -
Running UNIX engine as Run-As
Configuring the UNIX engine as Run-As is covered in the -
Running service as Run-As
Configuring Service as Run-As is covered in the
-
NTLM/Kerberos
Pure Kerberos authentication allows windows managers to enable authentication without requiring a password.
For more information about Pure Kerberos authentication, see
-
LDAP Authentication and Authorization
LDAP can be used for:
-
Authentication, where a user name is authenticated against a directory entry;
-
Authorization, where groups assigned to that user map to GridServer roles
-
-
Both authentication and authorization.
For more information about Configuring LDAP, see
-
Role-Based Access Control
GridServer supports a customizable system of role-based access control to provide account security and enable different users to access different areas of the interface. This is covered in the
-
Engine Daemon Authentication
Engine Daemon authentication can be enabled during the Engine installation. This is covered in the
-
Authentication of Grid Components
You can choose to enable Authentication between all Grid components. This is covered in the
Web UI Features
-
Single Sign-On
After logging in once to any Manager, you can use the Grid Single Sign-On (SSO) feature to log in to all Managers on a Grid.
Configuring web Single Sign-On is covered in the
-
Quarantine Broker
When the Quarantine Broker is specified, the Director allows individual Engine instances to log in to either production Brokers or the Quarantine Broker. It is based on the value of the quarantine status of the managing Engine Daemon.
Fore more information about configuring web Single Sign-On, refer to
Updating Third-Party Components
Before updating any third-party components, TIBCO recommends that you contact TIBCO Support to determine if a specific version of a third-party component has been tested with GridServer. While service pack updates generally work, some major or minor version updates can often result in unexpected behavior or exceptions.
-
Configuring Security Options
-
Apache Tomcat
You must be familiar with the many considerations and options related to Tomcat security. Tomcat has its own Security Guide and you are encouraged to review it.
-
XSS Filter
The XSS Filter on the Manager can be enabled or disabled by modifying the associated property in the GridServer Administration Tool at Admin > Manager Configuration > Security > Miscellaneous.
To edit the whitelist, open thexss.xmlfile located atDS_INSTALL/manager/webapps/livecluster/WEB-INF/config/ -
CSRF Filter
The CSRF Filter on the Manager can be enabled or disabled by modifying the associated property in the GridServer Administration Tool at Admin > Manager Configuration > Security > Miscellaneous.
To edit the whitelist, open the
xss.xmlfile located atDS_INSTALL/manager/webapps/livecluster/WEB-INF/config/
-
-
Disabling directory traversal on the File Server port
To disable directory traversal for the Engine file server, update the
Engine.xmlfile with the following code:<contexts c="PropertiesBean" n="Context">
<property n="object" v="DSDataDir" k="data"/>
<property n="object" v="DSWorkDir" k="work"/>
<property n="object" v="$DSProfileDir$/logs" k="logs"/>
</contexts> -
Setting up User Authentication - This is covered in the following guides:
-
TIBCO GridServer® Administration -
-
TIBCO GridServer® Installation -
-
Enabling the Encryption of Task Payloads
To secure the data that is being passed between Drivers and Engines, it is possible to enable encryption for the task payload. This is done by editing the Service Type as follows:
-
In the GridServer Administration tool, select the Services menu.
-
Select Service Types.
-
Edit one of the Service Types options.
-
The feature is listed in the Options section for Service Type and it is called
encryptionEnabled.