Copyright © TIBCO Software Inc. All Rights Reserved


Chapter 2 Running the Central Administration Server : Security Considerations

Security Considerations
By default, the Central Administration server does not impose security restrictions. That is, it is not automatically configured to use SSL connections or to require login credentials from users. However, you can configure the server to require user credentials, to use SSL when connecting with EMS servers, and to use HTTPS when accepting web browser connections.
How the Central Administration Server Connects to the EMS Server
The Central Administration server connects to the EMS server when:
Credentials
Each time it connects to the EMS server, the Central Administration server presents the credentials passed to it by the user when he or she logged on to the web interface.
If JAAS authentication is not configured, the Central Administration server uses the admin user, with no password, to authenticate with all the EMS servers.
If JAAS authentication is configured, the Central Administration server presents the user ID and password that the current user supplied when logging on. If the user attempts to deploy configuration changes but does not have the necessary administrative privileges for the EMS server, the deployment fails.
SSL
When SSL is configured on the EMS server, the Central Administration server can optionally use SSL to communicate with the EMS server. In addition, the Central Administration server can use an identity certificate to authenticate itself to the EMS server.
Configuring JAAS Authentication
You can configure the Central Administration server to use Java Authentication and Authorization Service (JAAS) authentication. JAAS authentication has two purposes:
When JAAS is configured, users must enter credentials when logging into the Central Administration web interface. Central Administration users must be in one of these JAAS groups:
emsca-admin — Grants administrative privileges to members. Administrators may lock and edit an EMS server in Central Administration, and deploy an updated server configuration. However, note that the user must also have administrative privileges for the EMS server before deploying.
You can change the names of the groups that have administrative privileges using the --jaas-admins option.
emsca-guest — Grants read-only privileges to members. Guest users are not able to make changes or deploy configurations through Central Administration.
You can change the names of the groups that have guest privileges using the --jaas-guests option.
When JAAS is configured, each time a user attempts to add or refresh an EMS server or deploy configuration changes, the Central Administration server uses the JAAS user ID and password presented by the user to authenticate with the EMS server. If the user does not have sufficient privileges, the action fails.
 
To enable JAAS authentication, set the --jaas option at the command line, or through the related setting in the Central Administration configuration file.
JAAS can be configured to fetch user credentials from a property file or from an LDAP server. With LDAP, changes made to Central Administration user credentials are taken into account dynamically. With a property file, you must restart the Central Administration server after altering user credentials.
For more information on JAAS security, see the sample configuration files in EMS_HOME\samples\emsca\jaas.
Configuring SSL Connections with EMS Servers
You can configure the Central Administration server to use SSL when connecting to EMS servers.
The Central Administration server does not verify hostnames or hosts.
There are two supported configuration scenarios: when the EMS server requires an identity certificate from the Central Administration server, and when the EMS server does not require an identity. All EMS servers managed by Central Administration should use the same SSL configuration scenario.
The SSL scenario is determined by EMS server requirements. Depending on these requirements, further SSL settings are configured either through command line options when the Central Administration server is started, or by setting configuration parameters in the Central Administration configuration file:
The Central Administration server uses SSL to connect to the EMS server. This option is only available if EMS servers do not require an identity from connecting services.
This SSL configuration is determined entirely by the EMS server. No options or parameters are set in the Central Administration server.
If the EMS server requires an identity, the Central Administration server can be configured to supply an identity certificate and certificate password.
The syntax and use of these SSL configuration options are further documented in Table 3, Central Administration Server Options:
Enable SSL using the --ems-ssl-identity command line option, or through the related setting in the Central Administration configuration file. This option sets the path to the identity certificate and private key that the Central Administration server uses when identifying itself to the EMS servers.
Provide the SSL password associated with the private key by setting the com.tibco.ems.ssl.password parameter. The command line option --ems-ssl-password is also available, but providing a password on the command line is not recommended and may pose a security risk. Use tibemsadmin -mangle to generate an obfuscated version before providing the password in either the configuration file or on the command line.
If you do not provide the password using the parameter or flag, the Central Administration server requires the SSL decryption password when you log in. Note that this option is only available if JAAS is configured.
Specify an SSL policy using the --ssl-policy command line option, or through the related setting in the Central Administration configuration file. By default, the Central Administration server attempts to connect through any of the listens defined in the EMS server configuration, regardless of whether they are SSL connections or not. Alternatively, you can either "require" or "prefer" an SSL connection. If you require SSL, the server will not communicate with the EMS server through a non-SSL connection. If you prefer SSL, SSL connections are attempted first.
For more information on using SSL in TIBCO Enterprise Message Service, see Using the SSL Protocol in the TIBCO Enterprise Message Service User’s Guide.
Configuring HTTPS Connections with Web Browsers
You can configure the Central Administration server to accept HTTPS connections from web browsers.
To configure this, provide Central Administration with an identity certificate and certificate password either through command line options when the Central Administration server is started or by setting configuration parameters in the Central Administration configuration file.
The syntax and use of these SSL configuration options are documented in Table 3, Central Administration Server Options:
Enable HTTPS using the --https-identity command line option, or through the related setting in the Central Administration configuration file. This option sets the path to a PKCS12 file or Java KeyStore providing the identity of the Central Administration server to browsers. When HTTPS is enabled, it replaces HTTP on the same port number.
Provide the SSL password associated with the private key by setting the com.tibco.emsca.https.password parameter. The command line option --https-password is also available, but providing a password on the command line is not recommended and may pose a security risk. Use tibemsadmin -mangle to generate an obfuscated version before providing the password in either the configuration file or on the command line.
For testing purposes, you can configure Central Administration with the identity file emsca_https_identity.p12 that is provided in the samples/certs directory and use the corresponding self-signed root certificate with your web browser. For restrictions and details, see the readme.txt file in the same directory.
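The following check is an added example, not part of the TIBCO documentation: it audits a Central Administration launch command line for the insecure defaults and discouraged options described in the sections above. It assumes options are written as `--opt value` or `--opt=value` and that the policy value is the literal `require`; the launcher name `emsca-server` and all paths are constructed placeholders, and settings made in the configuration file are not visible to it.

```python
import shlex

# Option names below are the ones this page documents.
KNOWN = {"--jaas", "--ems-ssl-identity", "--ems-ssl-password",
         "--ssl-policy", "--https-identity", "--https-password"}

def parse_options(command_line):
    """Map each known option to its value; accepts '--opt value' and '--opt=value'."""
    opts = {}
    tokens = shlex.split(command_line)
    for i, tok in enumerate(tokens):
        name, eq, value = tok.partition("=")
        if name not in KNOWN:
            continue
        # Take the next token as the value unless it is another option.
        if not eq and i + 1 < len(tokens) and not tokens[i + 1].startswith("--"):
            value = tokens[i + 1]
        opts[name] = value
    return opts

def audit(command_line):
    """Return findings as 'code: reason', each resting on a statement from this page."""
    o = parse_options(command_line)
    findings = []
    if "--jaas" not in o:
        findings.append("no-jaas: web interface needs no login; EMS connections use admin with no password")
    if o.get("--ssl-policy") != "require":
        findings.append("ssl-not-required: non-SSL connections to EMS servers remain possible")
    if "--https-identity" not in o:
        findings.append("no-https: browser connections are accepted without HTTPS")
    elif o["--https-identity"].endswith("emsca_https_identity.p12"):
        findings.append("sample-identity: the samples/certs identity is for testing purposes")
    for opt in ("--ems-ssl-password", "--https-password"):
        if opt in o:
            findings.append(f"password-on-cli: {opt} is given on the command line, which is not recommended")
    return findings

# Constructed sample command lines; 'emsca-server' is a placeholder launcher name.
WEAK = "emsca-server --ems-ssl-identity /opt/certs/emsca.p12 --ems-ssl-password s3cret --ssl-policy prefer"
HARDENED = ("emsca-server --jaas /opt/emsca/jaas.conf --ems-ssl-identity /opt/certs/emsca.p12 "
            "--ssl-policy=require --https-identity /opt/certs/emsca_web.p12")

if __name__ == "__main__":
    for label, cmd in (("weak", WEAK), ("hardened", HARDENED)):
        print(label, audit(cmd) or "no findings")
```

In the hardened command line the certificate passwords are expected to come from the com.tibco.ems.ssl.password and com.tibco.emsca.https.password parameters rather than from command line options.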
Configuring Cipher Suites
If desired, you can specify the cipher suites to be used when the Central Administration server uses SSL to connect to EMS servers or accepts web browser connections with the HTTPS protocol.
To configure this feature, you can either provide a cipher suite specification with the --ssl-ciphers command line option when the Central Administration server is started, or set a configuration parameter in the Central Administration configuration file. Both methods accept the Java Client Syntax described in the TIBCO Enterprise Message Service User’s Guide. This is further documented in Table 3, Central Administration Server Options.
