Copyright © TIBCO Software Inc. All Rights Reserved


Chapter 5 Running the EMS Server : Security Considerations

Security Considerations
This section highlights information relevant to secure deployment. We recommend that all administrators read this section.
Secure Environment
To ensure secure deployment, EMS administration must meet the following criteria:
Correct Installation: EMS is correctly installed and configured.
Physical Controls: The computers where EMS is installed are located in areas where physical entry is controlled to prevent unauthorized access. Only authorized administrators have access, and they cooperate in a benign environment.
Domain Control: The operating system, file system and network protocols ensure domain separation for EMS, to prevent unauthorized access to the server, its configuration files, LDAP servers, etc.
Benign Environment: Only authorized administrators have physical access or domain access, and those administrators cooperate in a benign environment.
Destination Security
Three interacting factors affect the security of destinations (that is, topics and queues). In a secure deployment, you must properly configure all three of these items:
The server’s authorization parameter (see Authorization Parameter, below)
The secure property of individual destinations (see secure on page 68)
Authorization Parameter
The server’s authorization parameter acts as a master switch for checking permissions for connection requests and operations on secure destinations. The default value of this parameter is disabled—the server does not check any permissions, and allows all operations. For secure deployment, you must enable this parameter.
Admin Password
For ease in installation and initial testing, the default setting for the admin password is no password at all. Until you set an actual password, the user admin can connect without a password. Once the administrator password has been set, the server always requires it.
To configure a secure deployment, the administrator must change the admin password immediately after installation; see Assign a Password to the Administrator.
Connection Security
When authorization is enabled, the server requires a name and password before users can connect. Only authenticated users can connect to the server. The form of authentication can be either an X.509 certificate or a username and password (or both).
When authorization is disabled, the server does not check user authentication; all user connections are allowed. However, even when authorization is disabled, the user admin must still supply the correct password to connect to the server.
Even when authorization is enabled, the administrator (admin) may explicitly allow anonymous user connections, which do not require password authorization. To allow these connections, create a user with the name anonymous and no password.
Creating the user anonymous does not mean that anonymous has all permissions. Individual topics and queues can still be secure, and the ability to use these destinations (either sending or receiving) is controlled by the access control list of permissions for those destinations. The user anonymous can access only non-secure destinations.
For more information on destination security, refer to the destination property secure on page 68, and Create Users.
Communication Security
For communication security between servers and clients, and between servers and other servers, you must explicitly configure SSL within EMS; see Using the SSL Protocol.
SSL communication requires software to implement SSL on both server and client. The EMS server includes the OpenSSL implementation. Java client programs must use either JSSE (part of the Java environment) or separately purchased SSL software from Entrust; neither of these is part of the EMS product. C client programs can use the OpenSSL library shipped with EMS.
Sources of Authentication Data
The server uses only one source of X.509 certificate authentication data, namely, the server parameter ssl_server_trusted (its value is set in the EMS configuration file). See ssl_server_trusted on page 219.
The server can use three sources of secure password authentication data:
You must safeguard the security of EMS configuration files and LDAP servers.
Timestamp
The administration tool can either include or omit a timestamp associated with the output of each command. To ensure a secure deployment, you must explicitly enable the timestamp feature. Use the following administration tool command:
time on
Passwords
Passwords are a significant point of vulnerability for any enterprise. We recommend enforcing strong standards for passwords.
For security equivalent to single DES (an industry minimum), security experts recommend passwords that contain 8–14 characters, with at least one upper case character, at least one numeric character, and at least one punctuation character.
EMS software does not automatically enforce such standards for passwords. You must enforce such policies within your organization.
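Because the server does not enforce the password standard described above, the check has to live in the organization's own tooling. The following added example (not TIBCO code, and not part of this manual) implements exactly the rule stated here: 8 to 14 characters, at least one upper case character, at least one numeric character, and at least one punctuation character. It returns the list of violated rules so that a provisioning script can reject a proposed password before it is ever handed to the administration tool.

```python
"""Password policy check matching the recommendation quoted in the
Passwords section (8-14 chars, >=1 upper case, >=1 digit, >=1 punctuation).
This is an added illustration, not part of the EMS product."""
import string


def password_policy_violations(password: str) -> list:
    """Return the list of rules the password violates; an empty list means
    the password meets the stated standard."""
    violations = []
    if not 8 <= len(password) <= 14:
        violations.append("length must be 8-14 characters")
    if not any(c.isupper() for c in password):
        violations.append("needs at least one upper case character")
    if not any(c.isdigit() for c in password):
        violations.append("needs at least one numeric character")
    # string.punctuation is the ASCII punctuation set; treat it as the
    # definition of "punctuation character" (assumption made by this example).
    if not any(c in string.punctuation for c in password):
        violations.append("needs at least one punctuation character")
    return violations


def meets_policy(password: str) -> bool:
    """Convenience wrapper for scripts that only need a yes/no answer."""
    return not password_policy_violations(password)


if __name__ == "__main__":
    # Constructed sample candidates, from an empty password (the install-time
    # default for admin) to one that satisfies every rule.
    for candidate in ["", "password", "Tr0ub4dor&3", "Abcdefgh1!abcdefgh"]:
        problems = password_policy_violations(candidate)
        print(repr(candidate), "OK" if not problems else "; ".join(problems))
```

Run the module directly to see each constructed candidate and the rules it breaks; the empty string fails all four rules, which is the case an installation script should reject first, since an unset admin password is what the server ships with.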
Audit Trace Logs
Audit information is output to log files (and stderr), and is configured by the server parameters log_trace and console_trace (see Tracing and Log File Parameters).
The DEFAULT setting includes +ADMIN, so all administrative operations produce audit output. For further details, see Table 64, Server Tracing Options.
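The three server parameters this section ties to a secure deployment (authorization under Authorization Parameter, ssl_server_trusted under Sources of Authentication Data, and log_trace with its +ADMIN option here) can be checked mechanically before a server is started. The added example below is not TIBCO code; it assumes a "name = value" configuration file layout with "#" comments and a comma separated trace specification such as DEFAULT,+ADMIN, and the two sample configurations are constructed for illustration. It applies the rules stated on this page: authorization must be enabled, ADMIN tracing must not have been removed from the log trace, and ssl_server_trusted must be set if certificate authentication is relied upon.

```python
"""Audit a tibemsd-style configuration against the secure-deployment criteria
described in this section. Added example, not part of the EMS product; the
file layout (name = value, '#' comments) and trace syntax (DEFAULT,+ADMIN)
are assumptions made here."""

# Constructed sample configurations.
INSECURE_CONF = """\
# constructed sample: install-time style settings
authorization = disabled
log_trace = DEFAULT,-ADMIN
console_trace = DEFAULT
"""

SECURE_CONF = """\
# constructed sample: hardened settings
authorization = enabled
log_trace = DEFAULT,+ADMIN
console_trace = DEFAULT
ssl_server_trusted = certs/trusted.pem   # placeholder path
"""


def parse_conf(text: str) -> dict:
    """Parse 'name = value' lines into a dict, ignoring blanks and comments."""
    params = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line or "=" not in line:
            continue
        key, value = line.split("=", 1)
        params[key.strip().lower()] = value.strip()
    return params


def trace_includes_admin(spec: str) -> bool:
    """Decide whether a trace specification still logs ADMIN operations.
    The page states that DEFAULT includes +ADMIN; a later -ADMIN token
    removes it and a later +ADMIN (or bare ADMIN) adds it back."""
    enabled = False
    for token in (t.strip().upper() for t in spec.split(",") if t.strip()):
        if token in ("DEFAULT", "+ADMIN", "ADMIN"):
            enabled = True
        elif token == "-ADMIN":
            enabled = False
    return enabled


def audit(text: str) -> list:
    """Return findings for a configuration; an empty list means it meets the
    criteria stated in this section."""
    p = parse_conf(text)
    findings = []
    # Default is disabled per the Authorization Parameter section.
    if p.get("authorization", "disabled").lower() != "enabled":
        findings.append("authorization is not enabled: no permission checks")
    # If log_trace is absent we assume the server default (assumption: DEFAULT).
    if not trace_includes_admin(p.get("log_trace", "DEFAULT")):
        findings.append("log_trace removes ADMIN: admin operations not audited")
    if not p.get("ssl_server_trusted"):
        findings.append("ssl_server_trusted unset: no X.509 trust anchor")
    return findings


if __name__ == "__main__":
    for name, conf in (("insecure", INSECURE_CONF), ("secure", SECURE_CONF)):
        print(name, audit(conf) or "meets criteria")
```

The trace check deliberately applies the tokens left to right, because DEFAULT,-ADMIN and -ADMIN,DEFAULT do not mean the same thing under that reading; if your server version resolves the specification differently, adjust trace_includes_admin accordingly, since that rule is an assumption of this example rather than a statement from the manual.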
Audit information in log files is always timestamped.
Administrators can read and print the log files for audit review using tools (such as text editors) commonly available within all IT environments. EMS software does not include a special tool for audit review.
