Copyright © TIBCO Software Inc. All Rights Reserved


Chapter 4 Implementing ActiveSpaces Security : Security Domain Controllers

Security Domain Controllers
A security domain controller is a TIBCO ActiveSpaces node that is dedicated to enforcing a security domain's defined security behavior for a metaspace associated with the security domain. For example, a security domain controller enforces the level of transport security used for communication between nodes of a metaspace, and it interfaces with an LDAP system when LDAP user authentication is used.
You must use TCP discovery to apply security to metaspaces. A security domain controller must be a “well known” member of a metaspace. This means that the member's listen URL IP address and port must be part of the discovery URL for the metaspace.
A TIBCO ActiveSpaces application becomes a security domain controller for a metaspace when it connects to a metaspace using all of the following:
1.
2.
See Security Policy Files for detailed information on creating and using security policy files with security domain controllers.
The security domain controller for a metaspace must be running before security domain requestors are allowed to complete their connection to the metaspace. See Security Domain Requestors for more information on security domain requestors.
When choosing an application to be a security domain controller, consider that the highest load on a security domain controller occurs when members are joining a metaspace. This processing is done in a separate thread from your application's thread. If you require quick response times when members join a metaspace, consider running an application that serves only as a security domain controller and does not connect to any spaces.
The ASDomainController example program demonstrates how to handle a domain controller. The ASDomainController example only connects to a metaspace as a security domain controller.
For more information on the ASDomainController example program, see ASDomainController in Chapter 5, Using the Example Code.
If servicing a lot of metaspace joins is not a concern, you can also use as-agent as a security domain controller. The following example shows how to start as-agent.exe as a security domain controller:
as-agent.exe -metaspace "examplems" -discovery "tcp://192.168.0.5:50000;192.168.0.10:50000" -listen "tcp://192.168.0.5:50000" -security_policy "mypolicy.txt"
You should set up multiple security domain controllers for each metaspace to provide fault tolerance for the security of each metaspace. If the security domain controllers go down for some reason, you lose your security for the metaspace.
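The following pre-flight check is an added example, not TIBCO code. It validates the as-agent arguments shown above against the rules in this section: TCP discovery, a listen address that appears in the discovery URL, and more than one well-known member for fault tolerance. The function names are hypothetical, and the host:port URL syntax is assumed from the as-agent.exe example.

```python
# Added example: pre-flight check for security domain controller arguments.
# Function names are hypothetical; URL syntax is assumed from the as-agent example.

def parse_members(url):
    """Split 'tcp://host:port;host:port' into a list of (host, port) tuples."""
    scheme, sep, rest = url.partition("://")
    if not sep or scheme.lower() != "tcp":
        raise ValueError(f"security requires TCP discovery, got {url!r}")
    members = []
    for entry in filter(None, (e.strip() for e in rest.split(";"))):
        host, colon, port = entry.rpartition(":")
        if not colon or not host or not port.isdigit():
            raise ValueError(f"expected host:port, got {entry!r}")
        members.append((host, int(port)))
    if not members:
        raise ValueError(f"no members listed in {url!r}")
    return members


def check_controller(discovery, listen, security_policy):
    """Return a list of problems; an empty list means the arguments are consistent."""
    try:
        well_known = parse_members(discovery)
        listeners = parse_members(listen)
    except ValueError as exc:
        return [str(exc)]
    problems = []
    if len(listeners) != 1:
        # Assumption: a controller listens on a single host:port, as in the example.
        problems.append("listen URL must name exactly one host:port")
    elif listeners[0] not in well_known:
        problems.append("listen address %s:%d is not in the discovery URL, "
                        "so this node is not a well-known member" % listeners[0])
    if len(well_known) < 2:
        problems.append("only one well-known member: no second controller "
                        "can provide fault tolerance")
    if not security_policy:
        problems.append("no security policy file given")
    return problems


if __name__ == "__main__":
    # Values from the as-agent.exe example above.
    print(check_controller("tcp://192.168.0.5:50000;192.168.0.10:50000",
                           "tcp://192.168.0.5:50000", "mypolicy.txt"))
```
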
Setting Up a Node as a Security Domain Controller
To set up a TIBCO ActiveSpaces node as a security domain controller:
1.
2.
3.
Ensure that there is a metaspace_access entry with the metaspace name and discovery URL for the metaspace the node will connect to, in the Metaspace Access List.
4.
5.
6.
7.
Securely join the metaspace by using the TIBCO ActiveSpaces security API and passing in the security policy file. See the ASDomainController example for each supported programming language to see how the security API is used to connect to a metaspace as a security domain controller.
For some features of TIBCO ActiveSpaces security, the settings in the security policy file work in conjunction with calls to the security API in your application. Depending upon the type of security feature you implement, you might need to modify your application to use the features provided by the security API. See the sections for the individual security features to learn how to implement a particular security feature.
