Setting Up Legacy ActiveSpaces Cluster Security and Authentication
When security is enabled, all message transmission within the Legacy ActiveSpaces cluster occurs on a secure transport. The transport security setting of the security domain controls the level of security used for communication within the cluster.
Before you begin
- Ensure the cluster provider is set to Legacy ActiveSpaces; see Setting Up Legacy ActiveSpaces as Cluster and Cache Provider.
- Ensure the cluster is set to use TCP based discovery; see Legacy ActiveSpaces Cluster Discovery URL.
Procedure
- Start TIBCO BusinessEvents with a non-secure Legacy ActiveSpaces cluster. Security can be enabled only when the cluster uses TCP based discovery; multicast discovery cannot be used with security.
- Create a security policy file and a security token file by using the Legacy ActiveSpaces admin utility. Ensure that the policy file contains a metaspace_access entry for the cluster name specified in the CDD file. For details, see the TIBCO ActiveSpaces version 2.x documentation.
- Shut down the cluster.
- Open the project CDD file for editing.
- Assign each processing unit (PU) the role of Controller or Requestor. Set the be.engine.cluster.as.security.mode.role property on the Processing Unit tab to Controller or Requestor. By default, TIBCO BusinessEvents treats every PU as a requester, but every cluster must have at least one controller, so set at least one PU to Controller. You can override the cluster-level controller or requester settings for an individual PU by selecting the Override checkbox and specifying a value; in most cases you only need to override the key file paths.
- On the Cluster tab, under Object Management, select the Security Enabled checkbox to enable security.
- Update the security settings of each PU according to its role, supplying the security file through the corresponding properties in the CDD:
  - For a Controller, specify the path of the security policy file and the password for its key in the Policy File and Policy File Identity Password fields.
  - For a Requestor, specify the path of the security token file and the password for its key in the Token File and Token File Identity Password fields.
  Requester settings also depend on the authentication policy defined in the controller's policy file:
  - If the authentication type in the policy file is "userpwd" and the authentication source is "system" or "ldap", specify Username and Password. If the authentication source is "system", you might also need to specify Domain.
  - If the authentication type in the policy file is "x509", which means the authentication source is an LDAP server configured for certificate-based authentication, specify LDAP Identity File and Password (in this case the password protects the private key in the identity file).
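The procedure above has several conditions that are easy to get wrong before the first secure start (multicast discovery, no Controller PU, a policy file without a metaspace_access entry for the cluster, or requester credentials that do not match the controller's authentication policy). The following pre-flight check is an added example and is not TIBCO's code or part of BusinessEvents: it encodes those rules over an assumed, simplified dict representation of the relevant CDD fields (not the real CDD XML schema) and a summary of the controller's policy file (auth_type, auth_source and metaspace_access names, not the real policy file format). The cluster names, discovery URLs, file paths and credentials in the samples are constructed for illustration.

```python
"""
Pre-flight check for a Legacy ActiveSpaces cluster security configuration.

ASSUMPTION: `cfg` is a plain dict mirroring the CDD fields discussed in the
procedure (not the real CDD XML schema), and `policy` summarises the
controller's policy file as auth_type / auth_source / metaspace_access
(not the real policy file format). Sample data below is constructed.
"""

from urllib.parse import urlparse


def check_as_security(cfg, policy):
    """Return (problems, warnings); an empty problems list means the config passes."""
    problems, warnings = [], []

    # Security requires TCP based discovery; multicast (e.g. tibpgm://) is not supported.
    scheme = urlparse(cfg["discovery_url"]).scheme
    if scheme != "tcp":
        problems.append(f"discovery URL uses '{scheme}://'; TCP based discovery is required")

    if not cfg.get("security_enabled", False):
        problems.append("Security Enabled is not selected on the Cluster tab")

    # The policy file must carry a metaspace_access entry for the cluster name in the CDD.
    if cfg["cluster_name"] not in policy.get("metaspace_access", []):
        problems.append(f"policy file has no metaspace_access entry for '{cfg['cluster_name']}'")

    pus = cfg["processing_units"]
    # A PU with no explicit role is a Requestor (the BusinessEvents default).
    roles = {pu["name"]: pu.get("role", "Requestor") for pu in pus}
    if "Controller" not in roles.values():
        problems.append("no Controller PU; every cluster needs at least one")

    auth_type, auth_source = policy.get("auth_type"), policy.get("auth_source")
    for pu in pus:
        name, role = pu["name"], roles[pu["name"]]
        if role == "Controller":
            if not (pu.get("policy_file") and pu.get("policy_file_identity_password")):
                problems.append(f"{name}: Controller needs Policy File and Policy File Identity Password")
        elif role == "Requestor":
            if not (pu.get("token_file") and pu.get("token_file_identity_password")):
                problems.append(f"{name}: Requestor needs Token File and Token File Identity Password")
            # Requester credentials depend on the controller's authentication policy.
            if auth_type == "userpwd" and auth_source in ("system", "ldap"):
                if not (pu.get("username") and pu.get("password")):
                    problems.append(f"{name}: userpwd/{auth_source} auth needs Username and Password")
                if auth_source == "system" and not pu.get("domain"):
                    warnings.append(f"{name}: system authentication may also require Domain")
            elif auth_type == "x509":
                if not (pu.get("ldap_identity_file") and pu.get("ldap_identity_password")):
                    problems.append(f"{name}: x509 auth needs LDAP Identity File and Password")
            else:
                problems.append(f"{name}: unsupported policy auth '{auth_type}/{auth_source}'")
        else:
            problems.append(f"{name}: role must be Controller or Requestor, got '{role}'")
    return problems, warnings


# Constructed sample: summary of the controller's policy file.
POLICY = {"auth_type": "userpwd", "auth_source": "ldap", "metaspace_access": ["OrdersCluster"]}

# Constructed sample: a cluster that will not come up securely (multicast discovery, no Controller).
BAD_CONFIG = {
    "cluster_name": "OrdersCluster",
    "discovery_url": "tibpgm://7888;239.8.8.8",  # assumed multicast-style URL
    "security_enabled": True,
    "processing_units": [
        {"name": "inference-1", "token_file": "/opt/as/cluster.token",
         "token_file_identity_password": "t0k3n", "username": "beuser", "password": "s3cret"},
    ],
}

# Constructed sample: the same cluster corrected as the procedure describes.
GOOD_CONFIG = {
    "cluster_name": "OrdersCluster",
    "discovery_url": "tcp://10.0.0.5:50000",
    "security_enabled": True,
    "processing_units": [
        {"name": "cache-1", "role": "Controller",
         "policy_file": "/opt/as/cluster.policy", "policy_file_identity_password": "p0licy"},
        {"name": "inference-1",  # role omitted, so it defaults to Requestor
         "token_file": "/opt/as/cluster.token", "token_file_identity_password": "t0k3n",
         "username": "beuser", "password": "s3cret"},
    ],
}

if __name__ == "__main__":
    for label, cfg in (("bad", BAD_CONFIG), ("good", GOOD_CONFIG)):
        problems, warnings = check_as_security(cfg, POLICY)
        print(f"{label}: problems={problems} warnings={warnings}")
```

Run it once against each PU's settings before shutting the cluster down for the switch to secure mode; the credentials in a real CDD should of course not be committed in clear text as the constructed samples are.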