Security Domain Controllers

A security domain controller is a TIBCO ActiveSpaces node that is dedicated to enforcing a security domain's defined security behavior for a metaspace associated with the security domain.

For example, a security domain controller enforces the level of transport security used for communication between nodes of a metaspace, and it handles the interface to an LDAP system when LDAP user authentication is used.

You must use TCP discovery to apply security to metaspaces. A security domain controller must be a “well known” member of a metaspace. This means that the member's listen URL IP address and port must be part of the discovery URL for the metaspace.

A TIBCO ActiveSpaces application becomes a security domain controller for a metaspace when it connects to a metaspace using all of the following:

  • A security policy file that sets up a security access binding for the metaspace and its discovery list.
  • The discovery list in the binding includes the application's listener address (in ip_address:port or hostname:port format).

See Security Policy Files for detailed information on creating and using security policy files with security domain controllers.

The security domain controller for a metaspace must be running before security domain requestors are allowed to complete their connection to the metaspace. See Security Domain Requestors for more information on security domain requestors.

When choosing an application to be a security domain controller, consider that the highest load on a security domain controller occurs when members are joining a metaspace. This processing is done in a separate thread from your application's thread. If you require quick response times when members join a metaspace, consider running an application that serves only as a security domain controller and does not connect to any spaces.

The ASDomainController example program demonstrates how to run a domain controller. The ASDomainController example connects to a metaspace only as a security domain controller and does not connect to any spaces.

For more information on the ASDomainController example program, see ASDomainController.

If servicing a lot of metaspace joins is not a concern, you can also use an as-agent as a security domain controller. The following example shows how to start as-agent.exe as a security domain controller:

as-agent.exe -metaspace "examples"
-listen "tcp://192.168.0.5:50000"
-security_policy "mypolicy.txt"

where metaspace_access=metaspace=examples;discovery=tcp://192.168.0.5:50000;192.168.0.10:50000 is set in mypolicy.txt.

You should set up multiple security domain controllers for each metaspace to provide fault tolerance for the security of each metaspace. If all the security domain controllers go down for some reason, no more requestor members can join the metaspace.
Note:

When you set up a domain controller, make sure that the -listen parameter is explicitly set to one (or more) of the IP:PORT URLs included in the discovery URL in the policy file. If a discovery URL does not have a port associated with it, the port number of the listen URL must be explicitly set to 50000.
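The as-agent example above and this note both come down to one configuration check: the controller's -listen address must be a "well known" member of the discovery list in the policy file's metaspace_access binding, with 50000 assumed for a discovery entry that carries no port. The following pre-flight check is an added example, not TIBCO ActiveSpaces code; it assumes the single-line binding syntax shown on this page and that hosts are compared as written (no DNS resolution).

```python
# Added example (not part of TIBCO ActiveSpaces): verify that a node's -listen URL
# appears in the discovery list of a metaspace_access binding before starting it
# as a security domain controller.

DEFAULT_PORT = 50000  # port assumed when a discovery URL has no port (per the docs)


def parse_endpoint(url, default_port=None):
    """Return (host, port) from 'tcp://host:port' or 'host[:port]'.
    A missing port becomes default_port; if default_port is None it is an error,
    because a controller's listen URL must state its port explicitly."""
    hostport = url.strip().split("://", 1)[-1]
    host, sep, port = hostport.partition(":")
    if not sep:
        if default_port is None:
            raise ValueError("listen URL must carry an explicit port: %r" % url)
        return host, default_port
    return host, int(port)


def parse_metaspace_access(line):
    """Parse 'metaspace_access=metaspace=NAME;discovery=tcp://A:P;B:P' into
    (NAME, [(host, port), ...]). Tokens without '=' continue the previous
    key's list, which is how the ';'-separated discovery addresses appear."""
    body = line.strip()
    prefix = "metaspace_access="
    if not body.startswith(prefix):
        raise ValueError("not a metaspace_access binding")
    fields, key = {}, None
    for token in body[len(prefix):].split(";"):
        if "=" in token:
            key, value = token.split("=", 1)
            fields[key] = [value]
        elif key is not None:
            fields[key].append(token)
    discovery = [parse_endpoint(u, DEFAULT_PORT) for u in fields["discovery"]]
    return fields["metaspace"][0], discovery


def listen_matches_discovery(listen_url, policy_line):
    """True if the listen URL is one of the well-known discovery members."""
    _name, discovery = parse_metaspace_access(policy_line)
    return parse_endpoint(listen_url) in discovery


# Constructed sample: the binding from the as-agent example on this page.
POLICY_LINE = ("metaspace_access=metaspace=examples;"
               "discovery=tcp://192.168.0.5:50000;192.168.0.10:50000")
```

Run listen_matches_discovery against each controller's -listen value and the binding copied from its policy file; a False result means that node will not become a security domain controller.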