Security Policy Files

A security policy file contains the security settings for one or more security domains. Security domain requestors use a security token file that you generate from a security policy file to connect to a metaspace contained in the Metaspace Access List for a security domain that is defined in the security policy file.

Applications that connect to a metaspace listed in the Metaspace Access List for a security domain in a security policy file use the security policy file to become security domain controllers for the metaspace.

Applications that connect to a metaspace listed in the Metaspace Access List for a security domain in a security policy file, but do not use the security policy file to connect to the metaspace, become security domain requestors for the metaspace.

In general, you should require the security domain requestor to connect to a metaspace using a security token file that is generated from the security policy file. See Security Domain Requestors and Security Token Files for more information on security domain requestors and security token files.

Attention: When using security, the Discovery URL is set in both the policy file and the token file. Members using either the policy or the token file should not explicitly specify the Discovery URL in the properties of MemberDef.

You can also choose the less secure method of allowing connections without a security token. This is a weaker security solution, but is easier to deploy.

Attention: Remember that Access Control Lists (ACLs) are enforced according to the definitions in the policy file, not the settings in LDAP (if you use an LDAP server for authentication).

Procedure

  1. Create a security policy file using the Admin CLI.

    See Creating a Security Policy File for information on how to create a security policy file.

  2. Open the security policy file with a text editor.
  3. Edit the settings for each security domain to define the specific security behavior desired. See Security Domain Settings for information on defining each type of security behavior.
  4. Save and close the security policy file.
  5. Validate the security policy file using the Admin CLI. See Validating a Security Policy File for information on how to validate a security policy file.
  6. If required for your transport security requirements, generate one or more security token files from the security policy file using the Admin CLI. See Security Token Files for detailed information on security token files.
  7. Modify your TIBCO ActiveSpaces application to enable it to function as a security domain controller for a metaspace, and use the security API to have the application connect to the metaspace using the security policy file.
  8. See the ASDomainController example program for each supported programming language to see how the security API is used to connect to a metaspace using a security policy file.
  9. Save, build and run your application.