Initializing FTL Server Cluster Security

This section details the steps to enable TLS-secured communication and authentication in the FTL server cluster.

Before you begin

- TIBCO FTL must already be installed on the machine where this procedure is to be performed.
- The clocks on all machines where FTL servers will be running must be synchronized.
- The YAML configuration must have been generated.

Procedure 

1. Choose a password that will be used to encrypt the private key data (that is, the keystore password). Write the password to a file.
    echo <password> > keystore_password_file
2. Run the following command to generate the TLS data files.
    tibftlserver --init-security file:<path to keystore_password_file>
   This results in the generation of two files: the trust file, which contains the public certificate, and the keystore file, which contains the encrypted private key data.
3. Copy the trust file and the keystore file to the general data directory of each FTL server in the cluster. See Deploying the FTL Server Cluster for details on configuring the general data directory and the FTL store-specific data directory for an FTL server.
4. Add the tls.secure parameter to the globals section of the YAML configuration file and specify the path to keystore_password_file.
    globals:
     # ...
     tls.secure: file:<absolute path to keystore_password_file>
   Note: There are several other ways to pass the keystore password to the tls.secure parameter. See the Password Security section of the TIBCO FTL Administration product guide for details.
5. Choose a password to be used for authentication and create a new file containing the authentication data for the FTL server cluster.
    echo "admin: <password>, ftl-admin,ftl-internal" > users.txt
   If setting up disaster recovery, also write the password to a separate file.
    echo <password> > password_file
6. Add the auth.url parameter to the globals section of the YAML configuration file and specify the path to the users.txt file.
    globals:
     # ...
     auth.url: file://<absolute path to users.txt file>
   Note: As an alternative to flat file based internal authentication, FTL also offers support for authentication via an external service. See the Authentication Service section of the TIBCO FTL Administration product guide for details.
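
The files written in steps 1 and 5 hold passwords in clear text, and the YAML file points at them by absolute path. The following pre-deployment check is an added example, not part of the TIBCO documentation or tooling: it reads the tls.secure and auth.url values from the YAML file and confirms that each names an absolute path to an existing file that only its owner can access. The function names are hypothetical, the owner-only permission requirement is this example's assumption, and the check assumes both parameters use the file: form shown above.

```shell
#!/bin/sh
# Added example, not TIBCO code: check the files named by tls.secure and auth.url.

# Print the path behind the file: or file:// value of a globals key.
# $1 = YAML configuration file, $2 = key (tls.secure or auth.url)
ftl_secret_path() {
    key=$(printf '%s' "$2" | sed 's/\./\\./g')   # match dots in the key literally
    sed -n "s|^[[:space:]]*$key:[[:space:]]*file:\(//\)\{0,1\}\(.*[^[:space:]]\)[[:space:]]*\$|\2|p" "$1" | head -n 1
}

# Succeed only if $1 is an absolute path to an existing regular file
# on which group and others have no permission bits.
ftl_check_secret() {
    case "$1" in
        /*) ;;
        *) echo "FAIL: '$1' is not an absolute path" >&2; return 1 ;;
    esac
    [ -f "$1" ] || { echo "FAIL: $1 does not exist" >&2; return 1; }
    perms=$(ls -ld -- "$1" | cut -c5-10)         # group and other bits of the mode string
    [ "$perms" = "------" ] || { echo "FAIL: $1 grants group/other access ($perms)" >&2; return 1; }
}

# Check both keys; the exit status is the number of problems found.
ftl_check_config() {
    problems=0
    for k in tls.secure auth.url; do
        path=$(ftl_secret_path "$1" "$k")
        if [ -z "$path" ]; then
            echo "FAIL: $k is missing or is not a file: reference" >&2
            problems=$((problems + 1))
        elif ! ftl_check_secret "$path"; then
            problems=$((problems + 1))
        fi
    done
    return "$problems"
}
```

Source the script and run ftl_check_config <path to YAML configuration file> on each server host after step 6; a non-zero exit status means at least one referenced file needs attention.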

With these steps completed, the FTL server cluster can be deployed by following the steps in the next section.