Copyright © TIBCO Software Inc. All Rights Reserved

Chapter 24 Cache OM and Cluster Configuration : Configuring DataGrid Transport Security

Configuring DataGrid Transport Security
Transport-level security allows you to protect data being transported within the DataGrid by preventing these issues:
When security is used, any transmission of messages within the DataGrid occurs on a secure transport. A security domain's transport_security setting controls the level of security used for communication within the DataGrid.
The available settings for transport_security are:
encrypted_normal   Use secure transport with 128-bit symmetric key encryption (default).
encrypted_strong   Use secure transport with 256-bit symmetric key encryption.
integrity   Use secure transport without encryption (integrity protection only).
The two possible node types in a secure DataGrid are:
Controllers:   Nodes dedicated to enforcing a security domain's defined security behavior for a cluster associated with the security domain. Security domain controllers are the only discovery nodes in a cluster.
Requestors:   Nodes that require access to the data in the DataGrid, such as a seeder or a leech, and which must be authorized by a controller. Requestors can never be used as discovery nodes.
Set Up Policy and Token Files
Follow these steps to set up policy and token files for a given cluster:
1.
2.
as-admin> create security_policy
policy_name "mypolicy/mydomain"
policy_file "mypolicy.txt"
3.
4.
5.
6.
7.
as-admin> validate policy_name "mypolicy" policy_file "mypolicy.txt"
8.
as-admin> create security_token
domain_name "mydomain"
policy_file "mypolicy.txt"
token_file "mytoken.txt"
9.
10.
as-admin> validate token_file "mytoken.txt"
11.
12.
13.
You can change this by setting the role property in the CDD:
be.engine.cluster.as.security.mode.role=Requester or Controller (the value is case-insensitive)
14.
be.engine.cluster.as.security.file=<File location of Controller (policy file) or Requester (token file)>
EXAMPLE:
Suppose you start two nodes in a cluster called mycluster. One is an inference engine and the other is a cache engine.
1.
Assume that the ListenURL for the cache engine (controller) is tcp://10.98.192.101:9091 and the ListenURL for the inference engine (requester) is tcp://10.98.192.101:9090.
2.
Generate the policy and token files from as_admin. Edit the metaspace_access line in both files to set the correct cluster name.
3.
metaspace_access=metaspace=mycluster;discovery=tcp://10.98.192.101:9091;
4.
be.engine.cluster.as.security.enable=true
be.engine.cluster.as.security.mode.role=Requester
be.engine.cluster.as.security.file=C:/temp/mytoken.txt
5.
be.engine.cluster.as.security.enable=true
be.engine.cluster.as.security.mode.role=Controller
be.engine.cluster.as.security.file=C:/temp/mypolicy.txt
Restricting Transport Access
Transport-level security allows you to restrict transport connections within a security domain to only the “trusted” nodes.
To restrict transport connections within a security domain:
1.
2.
3.
transport_access=true;cert_file=<trusted_certs_file>
where trusted_certs_file is the filename for a trusted certificate file that you will create in step 8.
4.
5.
6.
as-admin> create security_token
domain_name "mydomain"
policy_file "mypolicy.txt"
create_identity
token_file "mytoken.txt"
7.
Use the validate token_file command to validate the security token file.
8.
9.
The public certificate is everything in the security token file between and including the -----BEGIN CERTIFICATE----- and -----END CERTIFICATE----- lines.
10.
11.
DataGrid communication within the security domain is now restricted to only security domain controllers and security domain requestors that connect to the cluster using a security token file whose public certificate is contained in the trusted certificates file.
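Steps 9 and 10 above copy each requestor's public certificate out of its security token file into the trusted certificates file, and step 2 of the earlier example sets the cluster name on the metaspace_access line. The Python helpers below are an added example, not code from the TIBCO documentation or product: they extract the PEM block(s) from a token file, assemble a trusted certificates file from several tokens, parse metaspace_access, and sanity-check the be.engine.cluster.as.security.* CDD properties. The token file layout, the certificate body and the assumption that the trusted certificates file is simply one PEM block after another are constructed for this example.

```python
import re

# Token file content constructed for this example (layout assumed; certificate body is filler).
SAMPLE_TOKEN = """domain_name=mydomain
metaspace_access=metaspace=mycluster;discovery=tcp://10.98.192.101:9091;
-----BEGIN CERTIFICATE-----
MIIBszCCAVmgAwIBAgIUY29uc3RydWN0ZWQtZXhhbXBsZS1jZXJ0LWJvZHktb25seQ==
-----END CERTIFICATE-----
"""
# A certificate block is everything between and including the two marker lines.
PEM_BLOCK = re.compile(r"-----BEGIN CERTIFICATE-----\r?\n.*?\r?\n-----END CERTIFICATE-----", re.S)

def extract_certificates(token_text):
    """Return every public certificate block found in a security token file."""
    return [m.group(0) for m in PEM_BLOCK.finditer(token_text)]

def build_trusted_certs(token_texts):
    """Concatenate the certificates of several token files (assumed format: one PEM
    block after another); a token without a certificate was made without create_identity."""
    certs = []
    for text in token_texts:
        found = extract_certificates(text)
        if not found:
            raise ValueError("token has no certificate; recreate it with create_identity")
        for cert in found:
            if cert not in certs:  # skip duplicates when the same token is given twice
                certs.append(cert)
    return "\n".join(certs) + "\n"

def metaspace_access(token_text):
    """Parse the metaspace_access line, e.g. {'metaspace': 'mycluster', 'discovery': ...}."""
    for line in token_text.splitlines():
        if line.startswith("metaspace_access="):
            fields = line.split("=", 1)[1].strip().strip(";").split(";")
            return dict(f.split("=", 1) for f in fields if "=" in f)
    return {}

def check_security_properties(props, cluster_name, token_text=None):
    """Report problems in a node's be.engine.cluster.as.security.* CDD properties."""
    problems = []
    if props.get("be.engine.cluster.as.security.enable", "").lower() != "true":
        problems.append("be.engine.cluster.as.security.enable is not true")
    role = props.get("be.engine.cluster.as.security.mode.role", "").lower()
    if role not in ("requester", "controller"):  # the value is case-insensitive
        problems.append("unknown role %r" % role)
    if not props.get("be.engine.cluster.as.security.file"):
        problems.append("be.engine.cluster.as.security.file is not set")
    if token_text is not None and metaspace_access(token_text).get("metaspace") != cluster_name:
        problems.append("metaspace_access does not name cluster " + cluster_name)
    return problems
```

A mismatch between the metaspace name in the token file and the cluster name in the CDD is the most common reason a requestor is refused by the controller, so the check is worth running before starting the nodes.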
