Securing Prometheus Adapters

Complete this task to secure an FTL Prometheus adapter (the tibpromgateway process) and the data path from the realm server to the adapter. Note that the Prometheus monitoring infrastructure itself does not secure monitoring data.

Prerequisites

All realm servers must be secure.

The enterprise authentication system must define user names and associate them with appropriate FTL authorization groups.

Secure realm servers automatically use secure transports for the stream of monitoring data.

Procedure

Example Command Line

tibpromgateway --pushgateway ppg-host:6464
               --realmserver https://rs-host:7000
               --password-file prom-adapter-creds.txt
               --trust.file ftl-trust.pem

  1. Connect only to secure realm servers using HTTPS.
    When you supply the --realmserver parameter on the adapter command line, specify a URL that uses the HTTPS protocol.
  2. Arrange authentication credentials for the realm server.
    Supply the location of the adapter's credentials as the value of the --password-file parameter on the adapter command line. Ensure that this file is protected from unauthorized access.

    The user name in the file must be in the authorization group ftl.

    For further details, see "Adapter (tibpromgateway) Command Line Reference" in TIBCO FTL Monitoring.

    For file syntax, see "Password File" in TIBCO FTL Administration.

  3. Arrange trust in the realm servers.
    Arrange access to a copy of the realm server trust file.

    Supply the file location as the value of the --trust-file parameter on the adapter command line.

    For further details, see "Trust File" in TIBCO FTL Administration.
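
The three steps above can be checked before the adapter is started. The script below is an added example, not part of TIBCO FTL or its documentation. Its function names are hypothetical, and it assumes a POSIX system and a PEM-encoded trust file, as the .pem name in the example command suggests.

```shell
#!/bin/sh
# Added example: pre-launch checks for the inputs named in steps 1-3.
# Function names are hypothetical; they are not part of TIBCO FTL.

# Step 1: accept only an HTTPS realm server URL.
check_realm_url() {
    case "$1" in
        https://?*) return 0 ;;
        *) echo "realm server URL must use https: $1" >&2; return 1 ;;
    esac
}

# Step 2: the password file must be a regular file (not a symlink)
# that grants no permissions to group or other.
check_password_file() {
    if [ ! -f "$1" ] || [ -L "$1" ]; then
        echo "password file missing or not a regular file: $1" >&2; return 1
    fi
    # Characters 5-10 of the ls mode string are the group and other bits.
    if [ "$(ls -ld -- "$1" | cut -c5-10)" != "------" ]; then
        echo "password file is accessible to group or other: $1" >&2; return 1
    fi
}

# Step 3: the trust file must be readable and hold at least one certificate.
# Assumption: the file is PEM-encoded, as the .pem name in the example suggests.
check_trust_file() {
    if [ ! -r "$1" ]; then
        echo "trust file not readable: $1" >&2; return 1
    fi
    grep -q -e '-----BEGIN CERTIFICATE-----' "$1" || {
        echo "no PEM certificate found in trust file: $1" >&2; return 1
    }
}

# Run all three checks and report every failure, not just the first.
preflight() {
    rc=0
    check_realm_url "$1" || rc=1
    check_password_file "$2" || rc=1
    check_trust_file "$3" || rc=1
    return "$rc"
}

# Usage: sh preflight.sh https://rs-host:7000 prom-adapter-creds.txt ftl-trust.pem
if [ "$#" -eq 3 ]; then
    preflight "$@"
fi
```

A non-zero exit status means at least one input does not meet the requirements in steps 1 to 3; each failure is reported on standard error.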