FTL Server Cluster Security

In order to enable security in the FTL server cluster, both TLS-secured communication and authentication must be configured. Deploying with only one of these is not supported.

Note: If you wish to configure OAuth 2.0 authentication, refer to the auth.providers parameter and the oauth2.-prefixed parameters in the FTL Server Cluster Configuration sections.

TLS-secured Communication

FTL supports two different mechanisms for enabling TLS in the FTL server cluster:

  • User-defined certificates, where administrators provide TLS certificates to the FTL server cluster (and possibly clients, for mTLS authentication). The administrator is responsible for choosing a certificate authority and obtaining the certificates.
  • FTL-generated certificates, where administrators run FTL tools to initialize the trust file and keys required to enable TLS security in the cluster.

For instructions on configuring TLS-secured communication in the FTL server cluster, refer to the Enabling TLS for FTL Server section in the TIBCO FTL Administration product guide for TIBCO FTL release 7.0.

Authentication

When authentication is enabled, FTL clients (such as the FTL Administration Tool and tibemsjson2ftl) must authenticate to the FTL server cluster, and FTL servers in the cluster must also authenticate to each other. FTL supports the following methods of authentication:

  • OAuth 2.0 Authentication: The user provides either an OAuth 2.0 access token (signed JWT token), or the credentials for requesting access tokens from a specified OAuth 2.0 authorization server.
  • mTLS Authentication: The user provides a TLS certificate and its corresponding private key. The FTL server cluster verifies the client's certificate during the TLS handshake.
  • Basic Authentication: The user provides a username and password.

For instructions on configuring authentication in the FTL server cluster, refer to the Authentication sub-section of Authentication and Authorization in the TIBCO FTL Administration product guide for TIBCO FTL release 7.0.

Shared OAuth 2.0 Configuration

When using FTL stores, the EMS server and the FTL server cluster share a common OAuth 2.0 configuration.

If OAuth 2.0 authentication of incoming connections is enabled in the EMS server, the required configuration details are obtained from the FTL server YAML configuration file.

Refer to the description of the user_auth tibemsd.conf parameter and the descriptions of the oauth2. parameters in the FTL Server Cluster Configuration sections for more information.

Note: Configuring OAuth 2.0 in the EMS server via the tibemsd.conf OAuth 2.0 parameters is not supported when using FTL stores.