Restricting Transport Access

TIBCO ActiveSpaces security allows you to restrict transport connections within a security domain to only “trusted” nodes.

To restrict transport connections within a security domain:

Procedure

  1. Open the security policy file for the domain in a text editor
  2. Go to the line that reads transport_access=false;cert_file=
  3. Edit the line to read:

    transport_access=true;cert_file=<trusted_certs_file>

    where trusted_certs_file is the filename for a trusted certificate file that you will create in step 8.

  4. Save the security policy file.
  5. Use the validate policy_file Admin CLI command to validate the security policy file.
  6. Use the Admin CLI to generate a security token file from the security policy file, which contains its own private key and public certificate. This key and certificate are used to verify the identity of a node using the security token file when it tries to initiate any transport connections. For example, 
    as-admin> create security_token
domain_name "mydomain"
policy_file "mypolicy.txt"
create_identity
token_file "mytoken.txt"
  7. Use the validate token_file Admin CLI command to validate the security token file.
  8. Create an empty trusted certificates file to hold the public certificates of the nodes to allow transport connections from.
  9. Copy and paste the public certificate of the local token identity from the security token file into the trusted certificates file.
    The public certificate is everything in the security token file between and including
    -----BEGIN CERTIFICATE---
    -----END CERTIFICATE-----
  10. Save the trusted certificates file.
  11. Start a security domain controller using the security policy file name when connecting to the metaspace.

Result

Metaspace communication within the security domain is now restricted to only security domain controllers and security domain requestors that connect to the metaspace using a security token file whose public certificate is contained in the trusted certificates file.