Setting Up DataGrid Security and Authentication
When security is used, any transmission of messages within the DataGrid occurs on a secure transport. A security domain's transport_security setting controls the level of security used for communication within the DataGrid.
Procedure
- Start BusinessEvents with a non-secure DataGrid cluster.
To enable security for the BusinessEvents DataGrid, you first have to configure the cluster to use TCP-based discovery (multicast discovery cannot be used).
- Create a security policy file using the ActiveSpaces admin utility (AS_HOME/bin):
as-admin> create security_policy policy_name "mypolicy/mydomain" policy_file "mypolicy.txt"
- Edit the Metaspace Access List for the security domain in the security policy file.
- Ensure that there is a metaspace_access entry with the cluster name from the BusinessEvents CDD. The cluster name and the discovery URL must match the metaspace= and discovery= values in the policy file.
- Review the Transport Security settings to ensure they are set to meet your security requirements.
- Save your changes to the security policy file.
- Validate your security policy file using the ActiveSpaces admin utility:
as-admin> validate policy_name "mypolicy" policy_file "mypolicy.txt"
- Create a security token file using the ActiveSpaces admin utility:
as-admin> create security_token domain_name "mydomain" policy_file "mypolicy.txt" token_file "mytoken.txt"
- Ensure that there is a metaspace_access entry with the cluster name from the BusinessEvents CDD.
- Validate your security token file using the ActiveSpaces admin utility:
as-admin> validate token_file "mytoken.txt"
- Shut down the cluster.
- Open the project CDD file for editing.
- Each processing unit (PU) is either a Controller or a Requester. You can change its role in the Processing Unit tab by setting the be.engine.cluster.as.security.mode.role property to Requestor or Controller. By default, TIBCO BusinessEvents treats all nodes as requesters, but every cluster must have at least one controller node.
You can override the cluster-level controller or requester settings in a PU by selecting the Override checkbox and specifying a value. In most cases you only need to override the key file paths.
- In the Cluster tab, select the Security Enabled checkbox under Object Management to enable security.
- Based on the role of the PU (Controller or Requestor), update its security settings. Supply the security file for that role using the following fields in the CDD:
- For a Controller, specify the path of the security policy file and the password for its key in the Policy File and Policy File Identity Password fields.
- For a Requestor, specify the path of the security token file and the password for its key in the Token File and Token File Identity Password fields.
Requester settings are dependent on the authentication policy defined in the controller's policy file.
- If the authentication type in the policy file is "userpwd" and authentication source is "system" or "ldap", specify Username and Password. You might also need to specify Domain, if the authentication source is "system".
- If the authentication type in the policy file is "x509", which means that the authentication source is an LDAP configured with certificate-based authentication, then specify LDAP Identity File and Password (in this case the password is for the private key in the identity file).
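The steps above require that the metaspace_access entry in the policy file carry the cluster name and discovery URL from the CDD, and that discovery be TCP-based. The following pre-flight check is an added example, not code from the TIBCO documentation or product: the policy-file line layout it parses ("metaspace_access metaspace=...;discovery=...;") and the sample values are constructed assumptions, so adapt extract_metaspace_access() to the actual layout of your file.

```python
import re

# Constructed sample policy-file fragment; the line layout is an assumption,
# not the documented ActiveSpaces policy format.
SAMPLE_POLICY = """\
policy_name=mypolicy
transport_security=privacy
metaspace_access metaspace=BE-Cluster;discovery=tcp://10.0.0.5:50000;
"""


def extract_metaspace_access(policy_text):
    """Return {metaspace_name: discovery_url} for every metaspace_access line."""
    entries = {}
    for line in policy_text.splitlines():
        line = line.strip()
        if not line.startswith("metaspace_access"):
            continue
        # Pull key=value pairs separated by ';' or whitespace.
        fields = dict(re.findall(r"(\w+)=([^;\s]+)", line))
        if "metaspace" in fields:
            entries[fields["metaspace"]] = fields.get("discovery", "")
    return entries


def check_policy_against_cdd(policy_text, cdd_cluster_name, cdd_discovery_url):
    """Return a list of findings; an empty list means the policy agrees with the CDD."""
    findings = []
    entries = extract_metaspace_access(policy_text)
    if cdd_cluster_name not in entries:
        findings.append(f"no metaspace_access entry for cluster '{cdd_cluster_name}'")
        return findings
    discovery = entries[cdd_cluster_name]
    if discovery != cdd_discovery_url:
        findings.append(f"discovery mismatch: policy={discovery!r} cdd={cdd_discovery_url!r}")
    if not discovery.lower().startswith("tcp://"):
        findings.append(f"discovery {discovery!r} is not TCP based; DataGrid security needs TCP discovery")
    return findings


if __name__ == "__main__":
    # Values that would be read from the BusinessEvents CDD (constructed here).
    for finding in check_policy_against_cdd(SAMPLE_POLICY, "BE-Cluster", "tcp://10.0.0.5:50000"):
        print("FINDING:", finding)
```

Run it before validating the policy file with as-admin so a cluster-name or discovery mismatch is caught before the controller is started with security enabled.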
Copyright © Cloud Software Group, Inc. All rights reserved.