Copyright © TIBCO Software Inc. All Rights Reserved |
By default, the Central Administration server does not impose security restrictions: it is not configured to use SSL connections or to require login credentials from users. However, you can configure the server to require user credentials and to use SSL when connecting to EMS servers.
The Central Administration server uses the same username and password to log into the EMS server as was used to log in to the Central Administration web interface. When JAAS authentication is not configured, the Central Administration server uses the default credentials of user admin with no password.
• A user refreshes the EMS server configuration stored in Central Administration.

Each time it connects to the EMS server, the Central Administration server presents the credentials that the user supplied when logging on to the web interface:
• If JAAS authentication is not configured, the Central Administration server uses the admin user, with no password, to authenticate with all the EMS servers. This only succeeds while the EMS server's admin account has no password set; once you set one, configure JAAS so that real credentials are passed through.
• If JAAS authentication is configured, the Central Administration server presents the user ID and password supplied when the current user logged on. If the user attempts to deploy configuration changes but does not have the necessary administrative privileges on the EMS server, the deployment fails.

When SSL is configured on the EMS server, the Central Administration server can optionally use SSL to communicate with the EMS server. In addition, the Central Administration server can use an identity certificate to authenticate itself to the EMS server.
When Central Administration uses SSL to communicate with an EMS server, it does not validate the EMS server's host or hostname: the certificate presented by the EMS server is not checked against the address that Central Administration connected to.

You can configure the Central Administration server to use the same Java Authentication and Authorization Service (JAAS) authentication that is used by your TIBCO Enterprise Message Service servers. JAAS authentication has two purposes:
• It controls access to the Central Administration web interface. When JAAS is configured, users must enter credentials when logging in, and must be in one of these JAAS groups:
− emsca-admin — Grants administrative privileges to members. Administrators may lock and edit an EMS server in Central Administration, and deploy an updated server configuration. Note, however, that the user must also have administrative privileges on the EMS server itself before a deployment can succeed.
− emsca-guest — Grants read-only privileges to members. Guest users cannot make changes or deploy configurations through Central Administration.
• It supplies the credentials used toward the EMS servers. When JAAS is configured, each time a user attempts to add or refresh an EMS server or deploy configuration changes, the Central Administration server uses the JAAS user ID and password presented by that user to authenticate with the EMS server. If the user does not have sufficient privileges on the EMS server, the action fails.

To enable JAAS authentication, set the --jaas option at the command line, or the related setting in the Central Administration configuration file. For more information on JAAS security, see the chapter on Extensible Security in the TIBCO Enterprise Message Service User's Guide.
The Central Administration server does not verify hostnames or hosts.

There are two supported configuration scenarios: the EMS server requires an identity certificate from the Central Administration server, or the EMS server does not require an identity. All EMS servers managed by Central Administration should use the same SSL scenario.

The SSL scenario is determined by the EMS server's requirements. Depending on these requirements, further SSL settings are configured either through command line options when the Central Administration server is started, or by setting parameters in the Central Administration configuration file:
• The EMS server does not require an identity from connecting services. The Central Administration server uses SSL to connect to the EMS server, and the SSL configuration is determined entirely by the EMS server; no options or parameters are set in the Central Administration server.
• The EMS server requires an identity. The Central Administration server can be configured to supply an identity certificate and the password that protects its private key.

The syntax and use of these SSL configuration options are further documented in Table 4, Central Administration Server Options:
− Enable SSL using the --ems-ssl-identity command line option, or through the related setting in the Central Administration configuration file. This option sets the path to the identity certificate and private key that the Central Administration server uses when identifying itself to the EMS servers.
− Provide the SSL password associated with the private key by setting the com.tibco.ems.ssl.password parameter. The command line option --ems-ssl-password is also available, but providing a password on the command line is not recommended and may pose a security risk, since command line arguments are visible to other users of the host. Use tibemsadmin -mangle to generate an obfuscated version before providing the password in either the configuration file or on the command line. Mangling only obfuscates the value, it does not encrypt it, so the configuration file should be readable only by the account that runs the Central Administration server. If you do not provide the password using the parameter or flag, the Central Administration server prompts for the SSL decryption password when you log in. Note that this option is only available if JAAS is configured.
− Specify an SSL policy using the --ssl-policy command line option, or through the related setting in the Central Administration configuration file. By default, the Central Administration server attempts to connect through any of the listens defined in the EMS server configuration, regardless of whether they are SSL connections or not. Alternatively, you can either "require" or "prefer" an SSL connection. If you require SSL, the Central Administration server never communicates with the EMS server through a non-SSL connection. If you prefer SSL, SSL listens are attempted first, and a non-SSL listen is used only if no SSL connection can be established.

For more information on using SSL in TIBCO Enterprise Message Service, see Using the SSL Protocol in the TIBCO Enterprise Message Service User's Guide.
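The following is an added example, not code from TIBCO or from this guide. It wraps the start-up procedure described in the JAAS and SSL sections above (the --jaas, --ems-ssl-identity and --ssl-policy options and the com.tibco.ems.ssl.password parameter) in a small shell script that enforces the practices the text recommends: the private-key password is stored mangled in the configuration file rather than passed with --ems-ssl-password, the identity file must not be world-readable, and only the documented SSL policy keywords are accepted. The binary name tibemsca, the --config option, the key=value layout of the configuration file and all paths are assumptions made for the example.

```shell
#!/bin/sh
# Added example, not TIBCO's own code. Wrapper for starting the Central
# Administration server with JAAS enabled and SSL required, keeping the
# SSL private-key password off the command line.
#
# Assumptions (not stated on this page): the server binary is "tibemsca"
# and takes its configuration file via "--config"; the configuration file
# is key=value text; "tibemsadmin -mangle" is run interactively beforehand
# and its output is what the operator pipes into write_mangled_password.
# All paths are placeholders.

# Only the two documented SSL policy keywords are accepted.
check_ssl_policy() {
    case "$1" in
        require|prefer) return 0 ;;
        *) return 1 ;;
    esac
}

# The identity file holds the private key; refuse to use it if any user
# on the host can read it (mode bits include o+r).
check_identity_perms() {
    [ -f "$1" ] || return 1
    [ -z "$(find "$1" -perm -004 2>/dev/null)" ]
}

# Store the already-mangled password (read from stdin) in the configuration
# file under com.tibco.ems.ssl.password instead of using --ems-ssl-password.
# A newly created configuration file gets owner-only permissions; mangling is
# obfuscation, not encryption, so the file itself must stay private.
write_mangled_password() {
    conf="$1"
    mangled="$(cat)"
    [ -n "$mangled" ] || return 1
    ( umask 077; printf 'com.tibco.ems.ssl.password=%s\n' "$mangled" >> "$conf" )
}

# Compose the start command and print it for review. Note what is absent:
# no --ems-ssl-password, so nothing secret shows up in "ps" or in
# /proc/<pid>/cmdline once the server is running.
build_emsca_cmd() {
    policy="$1" identity="$2" conf="$3"
    check_ssl_policy "$policy" || { echo "unsupported --ssl-policy: $policy" >&2; return 1; }
    printf 'tibemsca --config %s --jaas --ems-ssl-identity %s --ssl-policy %s' \
        "$conf" "$identity" "$policy"
}

# Typical use, run as the service account (paths are placeholders):
#   chmod 600 /opt/emsca/emsca-identity.p12
#   tibemsadmin -mangle                 # enter the key password at the prompt
#   printf '%s\n' '<mangled output>' | write_mangled_password /opt/emsca/tibemsca.conf
#   check_identity_perms /opt/emsca/emsca-identity.p12 && \
#       $(build_emsca_cmd require /opt/emsca/emsca-identity.p12 /opt/emsca/tibemsca.conf)
```

With --ssl-policy require the server refuses every non-SSL listen, so a misconfigured EMS server fails closed rather than silently falling back to clear text; use prefer only during a migration where some listens are still plain TCP.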