TIBCO ActiveSpaces security allows you to restrict transport connections within a security domain to only “trusted” nodes.
To restrict transport connections within a security domain:
Procedure
1. Open the security policy file for the domain in a text editor.
2. Go to the line that reads:
   transport_access=false;cert_file=
3. Edit the line to read:
   transport_access=true;cert_file=<trusted_certs_file>
   where trusted_certs_file is the filename of a trusted certificates file that you will create in step 8.
4. Save the security policy file.
5. Use the validate policy_file Admin CLI command to validate the security policy file.
6. Use the Admin CLI to generate a security token file from the security policy file. The token file contains its own private key and public certificate, which are used to verify the identity of a node that presents the token file when it initiates a transport connection. For example:
   as-admin> create security_token
   domain_name "mydomain"
   policy_file "mypolicy.txt"
   create_identity
   token_file "mytoken.txt"
7. Use the validate token_file Admin CLI command to validate the security token file.
8. Create an empty trusted certificates file to hold the public certificates of the nodes that are allowed to make transport connections.
9. Copy and paste the public certificate of the local token identity from the security token file into the trusted certificates file. The public certificate is everything in the security token file between and including the lines
   -----BEGIN CERTIFICATE-----
   -----END CERTIFICATE-----
10. Save the trusted certificates file.
11. Start a security domain controller, specifying the security policy file name when connecting to the metaspace.
Result
Metaspace communication within the security domain is now restricted to only security domain controllers and security domain requestors that connect to the metaspace using a security token file whose public certificate is contained in the trusted certificates file.
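As an added example (not code from the ActiveSpaces product or its documentation), the following Python carries out the file edits of steps 2, 3 and 9 and the membership check that the Result describes, on a constructed token file; the sample token contents, the file name trusted.txt and the function names are assumptions.

```python
CERT_BEGIN = "-----BEGIN CERTIFICATE-----"
CERT_END = "-----END CERTIFICATE-----"

# Constructed sample security token file (not a real ActiveSpaces token): only the
# certificate block matters to the procedure; the key block stands in for the rest.
SAMPLE_TOKEN_FILE = """\
-----BEGIN PRIVATE KEY-----
CONSTRUCTED/NOT/A/REAL/KEY
-----END PRIVATE KEY-----
-----BEGIN CERTIFICATE-----
CONSTRUCTED/NOT/A/REAL/CERTIFICATE
-----END CERTIFICATE-----
"""

def extract_public_certificate(token_text: str) -> str:
    """Return the certificate block, markers included (step 9). Raises if a marker
    is missing, so nothing else in the token file (the private key) gets copied."""
    start = token_text.find(CERT_BEGIN)
    if start < 0:
        raise ValueError("no BEGIN CERTIFICATE marker in token file")
    end = token_text.find(CERT_END, start)
    if end < 0:
        raise ValueError("no END CERTIFICATE marker in token file")
    return token_text[start:end + len(CERT_END)]

def enable_transport_access(policy_text: str, trusted_certs_file: str) -> str:
    """Rewrite the transport_access line of the policy file (steps 2 and 3)."""
    lines = policy_text.splitlines()
    for i, line in enumerate(lines):
        if line.strip() == "transport_access=false;cert_file=":
            lines[i] = f"transport_access=true;cert_file={trusted_certs_file}"
            return "\n".join(lines) + "\n"
    raise ValueError("policy file has no 'transport_access=false;cert_file=' line")

def add_trusted_certificate(trusted_text: str, cert: str) -> str:
    """Append a certificate to the trusted certificates file content, once (step 9)."""
    if cert in trusted_text:
        return trusted_text
    sep = "" if not trusted_text or trusted_text.endswith("\n") else "\n"
    return trusted_text + sep + cert + "\n"

def token_is_trusted(trusted_text: str, token_text: str) -> bool:
    """Mirror the Result: a token is accepted only if its certificate is in the file."""
    try:
        return extract_public_certificate(token_text) in trusted_text
    except ValueError:
        return False
```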
Copyright © Cloud Software Group, Inc. All Rights Reserved.