Copyright © Cloud Software Group, Inc. All Rights Reserved
Copyright © Cloud Software Group, Inc. All Rights Reserved


Chapter 5 Transport Communication : Configuration for Secure Rendezvous Daemon
Configuration for Secure Rendezvous Daemon
This section explains the configuration steps required to set up the deployment for the Apache server communicating with the secure Rendezvous daemon (rvsrd).
Configuration Tips
You must consider the following points when configuring the Rendezvous daemons (rvsrd and rvrd), the Apache module, and TIBCO API Exchange Gateway.
Ensure that the subject name configured for Local Area Network (LAN) during the rvsrd daemon configuration on Machine 1 matches the subject name configured for LAN for the rvrd daemon configuration on Machine 2. The authorized subject names used in the rvsrd configuration on Machine 1 must be the same as the subject name used for the rvrd configuration on Machine 2.
Ensure that the authorized subject names used in the configuration of rvsrd on Machine 1 matches the subject name set using the AsgSubject parameter in the Apache module configuration file (mod_ASG.conf) on Machine 1.
Ensure that the subject names configured for rvrd on Machine 2 matches the subject name set using the tibco.clientVar.ASG/modRV/north_request property in the Core Engine properties file. The properties file is located as the ASG_CONFIG_HOME/asg.properties file.
Ensure that the subject name configured using the AsgSubject parameter in the Apache module configuration file (mod_ASG.conf) on Machine 1 matches the subject name set using the tibco.clientVar.ASG/modRV/north_request property in the Core Engine properties file. The properties file is located as the ASG_CONFIG_HOME/asg.properties file.
The listen port used to start the rvsrd daemon on Machine 1 must be different from the listen port used to start the rvrd daemon on Machine 2.
For example,
Start the rvsrd daemon on Machine 1 as follows:
      rvsrd –store rvsrd.store –http 3500 –listen 7500
Start the rvrd daemon on Machine 2 as follows:
      rvrd –store rvrd.store –http 3500 –listen 7502
The network parameter configured in the Apache module configuration file (mod_ASG.conf) on Machine 1 must be same as the network property value set in the Core Engine properties (asg.properties) file.
For example,
In the mod_ASG.conf file on Machine 1, configure the network daemon as follows:
   AsgNetwork ;239.1.1.11
In the Core Engine properties (asg.properties) file on Machine 2, set the network property value as follows:
   tibco.clientVar.ASG/modRV/RvNetwork=;239.1.1.11
The daemon certificate configured for the rvsrd setup must match the certificate specified by the AsgSecureDaemonCert parameter in the Apache module configuration file (mod_ASG.conf).
The user certificate configured for a user during the rvsrd setup must match with the certificate specified by the AsgSecureDaemonKey parameter in the Apache module configuration file (mod_ASG.conf).
Setup and Configure Rendezvous Daemons
Install TIBCO Rendezvous on the machines in the firewall security zone, Machine 1 and Machine 2 as shown in the Secure Deployment with Rendezvous diagram.
Configure the secure Rendezvous daemon (rvsrd or rvsd) on the machine that is outside the firewall. This is shown as Machine 1 in the Secure Deployment with Rendezvous diagram. See TIBCO Rendezvous Administration for detailed instructions to configure rvsrd or rvsd, as required.
Configure the Rendezvous daemon (rvrd or rvd) on the machine that is inside the inner security zone. This is shown as Machine 2 in the Secure Deployment with Rendezvous diagram. See TIBCO Rendezvous Administration for detailed instructions to configure rvrd or rvd, as required.
For rvsrd or rvsd configuration, see Configuration Tips.
Configuration Setup for Apache Module and TIBCO API Exchange Gateway
This section explains the configuration setup for Apache Server, the Apache module and TIBCO API Exchange Gateway on the machines outside and inside the firewall.
Install Apache Server
Install, configure, and setup the Apache server on Machine 1. Refer to TIBCO API Exchange Gateway Installation guide for details.
Install TIBCO API Exchange Gateway
Install TIBCO API Exchange Gateway on the machine within the firewall security zone (Machine 2).
Set up and Configure Apache Module
This section explains the configuration to set up the Apache module.
Set up Apache Module on Machine 1
To set up the Apache module on the machine where Apache server runs (Machine 1), do following:
1.
Copy the following files from the TIBCO API Exchange Gateway installation on Machine 2:
ASG_HOME\modules\http_server\apache\mod_ASG.conf
ASG_ HOME\modules\http_server\apache\mod_asg_rv_inbound.so
2.
Put these files locally on Machine 1 where the Apache server runs. You may put these files in a location accessed by the Apache server.
3.
Open the APACHE_HOME/conf/httpd.conf file for editing.
4.
Add the following line in the file:
   Include <Full Path>/mod_ASG.conf
5.
Save the changes.
Configure Apache Module on Machine 1:
You must configure the Apache module to connect to the secure Rendezvous daemon. To configure the Apache module installed on the machine where Apache server is running (Machine 1), do the following:
1.
Open the mod_ASG.conf file for editing.
2.
Set the parameters as described in the following table:
Table 24 Apache Module Properties
Property
Description
AsgService
Specifies the service parameter configured for rvsrd on Machine 1. For example, 1111.
This parameter value must be configured different from the value specified for rvrd setup on Machine 2.
AsgNetwork
Specifies the network parameter set during the configuration of secure Rendezvous daemon (rvsrd).
This parameter is a random multicast IP address used to broadcast messages to the machines in that multicast group.
For example, ;239.1.1.11
This network parameter value must match the network value set during the configuration of rvrd setup on Machine 2.
AsgDaemon
Specifies the daemon value set during the configuration of secure Rendezvous daemon (rvsrd). For example,
ssl:ASGRVSecure:7500
You must specify the ssl prefix before the machine name, else the connection fails.
AsgSubject
Specifies the subject name used to send the message to the secure Rendezvous daemon (rvsrd).
AsgSecureDaemon
A boolean property to enable or disable the secure Rendezvous daemon connection for the Apache module.
The secure Rendezvous daemon can run on the same or different machines where the Apache server is running.
Possible values are On and Off.
Set this value to On to enable the Apache module to connect to the secure Rendezvous daemon (rvsrd).
AsgSecureDaemonCert
Specifies the path to the public certificate of the secure Rendezvous daemon (rvsrd). This public certificate is configured during the rvsrd setup.
For example,
C:\tibcoasg\tibrv\8.3\certs\cert2.pem
Required.
AsgSecureDaemonUsername
Specifies the username used in rvsrd configuration.
If AsgSecureDaemonUsername is set, the Apache module uses the username and password to connect to the rvsrd daemon.
If AsgSecureDaemonUsername is not set, AsgSecureDaemonKey parameter must be set. See AsgSecureDaemonKey.
Optional.
AsgSecureDaemonPassword
Specifies the password used by the client in rvsrd configuration. The password is required when connecting to the rvsrd daemon either using the username or the client certificate. You can specify an obfuscated password for this parameter. The obfuscated password is generated using the asg-password-obfuscator utility located in the ASG_HOME/bin directory.
Required.
AsgSecureDaemonKey
Specifies the path to the user certificate of secure Rendezvous daemon (rvsrd). This user certificate is configured for a user in the rvsrd setup. The certificate should be in text (PEM) format.
The Apache module connects to the secure Rendezvous daemon (rvsrd) using the user certificate specified by this parameter.
If this parameter is not set, the Apache module connects to the secure Rendezvous daemon (rvsrd) using the username and password specified by AsgSecureDaemonUsername and AsgSecureDaemonPassword parameters.
Optional.
3.
Save the changes to the file.
* 
You can use the asg-password-obfuscator executable to obfuscate the password. The obfuscated password can be used in the AsgSecureDaemonPassword parameter of the mod_ASG.conf file of Apache module. See asg-password-obfuscator Utility for usage details.
Sample Properties For Apache Module
The following is the list of properties with example values for the Apache module set in the mod_ASG.conf file. Refer to Apache Module Properties for the properties description.
 
AsgService 1111
AsgNetwork ;239.1.1.11
AsgDaemon ssl:ASGRVSecure:7500
AsgSecureDaemon On
AsgSecureDaemonCert "C:\tibcoasg\tibrv\8.3\certs\cert2.pem"
AsgSecureDaemonUsername "user"
AsgSecureDaemonPassword "user"
AsgSecureDaemonKey "C:\tibcoasg\tibrv\8.3\certs\Usercert.pem"
 
asg-password-obfuscator Utility
TIBCO API Exchange Gateway provides the asg-password-obfuscator utility. Using this utility, you can generate an obfuscated password used by the Apache module (C module) to communicate with the Rendezvous daemon. The obfuscated password can be set for the AsgSecureDaemonPassword parameter in the Apache module configuration (mod_ASG.conf) file.
Usage
The following is the usage of the utility:
 
Usage: asg-password-obfuscator [-i | -hostname <hostname>] <password>
-i obfuscate with an internal key
-hostname obfuscate using hostname
 
The asg-password-obfuscator utility has the following options:
The -i option generates the obfuscated password that can be used on any machine. This option is less secure as it is machine independent.
The -hostname option generates the obfuscated password specifically for a hostname. This option is more secure as it restricts the encrypted password to be used only for that machine.
* 
Either the -i or -hostname option generates the obfuscated password for the Apache module to communicate with the Rendezvous daemon. These options are used only to generate the encrypted password for the configuration file of the Apache module (mod_ASG.conf).
If you do not use the -i or -hostname options for the asg-password-obfuscator utility, the generated password can be used for the java based modules such as WSS’s keystore.
Example Output
 
C:\tibcoasg\asg\2.1\bin>asg-password-obfuscator -i admin
Obfuscating password ...
Jul 15, 2013 1:52:54 PM com.tibco.security.providers.SecurityVendor_j2se <clinit>
INFO: Initializing JSSE's crypto provider class com.sun.net.ssl.internal.ssl.Provider
in default mode
Obfuscated password (in brackets): [#_R9gvPGRME0hRIveQJJS9i9tAzshJUjfK]
 
 
C:\tibcoasg\asg\2.1\bin>asg-password-obfuscator -hostname secureHost password
Obfuscating password ...
Jul 15, 2013 1:52:54 PM com.tibco.security.providers.SecurityVendor_j2se <clinit>
INFO: Initializing JSSE's crypto provider class com.sun.net.ssl.internal.ssl.Provider in default mode
Obfuscated password (in brackets): [#^R9gvPGRME0hRIveQJJS9i9tAzshJUjfK]
 
Configuring the Core Engine Properties
You must set the following properties for the Core Engine to receive the requests from the Apache module.
To set or edit the properties, follow these steps:
1.
Navigate to the ASG_CONFIG_HOME directory.
2.
Open the asg.properties file in a text editor.
3.
Set or edit the properties as described in the Core Engine Properties table:
Table 25 Core Engine Properties
Property
Description
tibco.clientVar.ASG/modRV/facade_request
Specifies the subject name used by the Rendezvous daemon to listen the requests from the Apache module. The Core Engine listens to the requests on the same subject.
This property value must match the subject value specified in the Apache module configuration file (mod_ASG.conf) for Apache server.
This property value must match the subject value specified for the rvrd configuration.
The default value is: MachineName.asg.north.request
tibco.clientVar.ASG/modRV/RvDaemon
Specifies the value of the Rendezvous daemon for the Core Engine to connect and listen for the requests from the Apache module.
This property value should match the listen port value given for the command to start the rvrd daemon on the machine where the Core Engine runs.
For example,
Set this property value to 7502 for the following command used to start the rvrd daemon:
rvrd –store rvrd.store –http 3500 –listen 7502
This property value must be different from the listen port value given for the command to start the rvsrd daemon on the machine where the Apache server runs.
The default value is: 7500
tibco.clientVar.ASG/modRV/RvNetwork
Specifies the value of the Rendezvous network for the Core Engine to connect and listen for the requests from the Apache module.
This property value must match the network value specified in the Apache module configuration file for Apache server. See Set up and Configure Apache Module.
For example, the value can be specified as:
;239.1.1.11
tibco.clientVar.ASG/modRV/RvService
Specifies the value of the Rendezvous service for the Core Engine to connect and listen for the requests from the Apache module.
For example, 2222
4.
Save the changes to the file.
Sample Properties for Core Engine
The following is the list of properties with example values for the Core Engine set in the asg.properties file. Refer to Core Engine Properties for the properties description.
 
tibco.clientVar.ASG/modRV/facade_request=ASG200-Test.asg.north.request
tibco.clientVar.ASG/modRV/RvDaemon=7502
tibco.clientVar.ASG/modRV/RvNetwork=;239.1.1.11
tibco.clientVar.ASG/modRV/RvService=2222
 
Copyright © Cloud Software Group, Inc. All Rights Reserved
Copyright © Cloud Software Group, Inc. All Rights Reserved