Securing Realm Servers

A secure realm server is central to the security of any enterprise that communicates using TIBCO FTL messaging software. To secure the realm server, complete this task.

Prerequisites

The enterprise authentication system must define user names and associate them with appropriate FTL authorization groups.

Procedure

  1. Secure the realm server data directory on each realm server host computer.

Example Command Line: Primary

echo my-pw | tibrealmserver --secure stdin
                            --http primary_realm_svr_host:primary_port
                            --backupto backup_realm_svr_host:backup_port
                            --auth.url auth_svr_host:port
                            --auth.user user_name
                            --auth.password pw
                            --auth.trust auth-trust.pem
                            --server.user user_name
                            --server.password pw

Example Command Line: Backup

echo my-pw | tibrealmserver --secure stdin
                            --http backup_realm_svr_host:backup_port
                            --backupfor primary_realm_svr_host:primary_port
                            --tls.trust.file ftl-trust.pem
                            --auth.url auth_svr_host:port
                            --auth.user user_name
                            --auth.password pw
                            --auth.trust auth-trust.pem
                            --server.user user_name
                            --server.password pw

  2. Enable realm server security. Applies to all realm servers.
    Specify the parameter --secure on the realm server command line. Supply a keystore password as its argument in a secure manner.
    For details, see these topics in TIBCO FTL Administration:
    • "Running a Secure Realm Server"
    • "Keystore File Password Security"
    • "Realm Server Executable Reference"
  3. Arrange trust among affiliated realm servers.
    Primary Realm Server: A secure realm server generates a trust file. Provide copies of the primary realm server's trust file, and make them available to all affiliated realm servers, as well as to all transport bridges, persistence servers, eFTL servers, and application clients.

    For further details, see "Trust File" in TIBCO FTL Administration.

    Other Realm Servers: Specify the --tls.trust.file parameter on the realm server command line. Supply the location of the trust file copy as its argument.

    For further details, see "Realm Server Executable Reference" in TIBCO FTL Administration.

  4. Specify the authentication service. Applies to all realm servers.
    • External: If you specify an external authentication service, specify these parameters on the realm server command line:
      • --auth.url: Supply the URL at which the realm server can connect to the external authentication service.
      • --auth.user and --auth.password: Supply credentials that authenticate the realm server to the authentication service.
      • --auth.trust: Supply the location of the public certificate of the external authentication service, so that the service can authenticate itself to the realm server.
    For details, see these topics in TIBCO FTL Administration:
    • "Realm Server Authorization Groups"
    • "Realm Server Executable Reference"
  5. Specify credentials that the realm server uses to authenticate itself to affiliated realm servers. Applies to all realm servers.
    Supply the parameters --server.user and --server.password on the realm server command line. Ensure that the user name is in the appropriate authorization groups.

    Optional. If you prefer to use separate credentials to authenticate to a backup server, supply the parameters --server.authtobackup.user and --server.authtobackup.password as well. (These parameters do not apply to backup servers.)

    For details, see these topics in TIBCO FTL Administration:
    • "Realm Server Authorization Groups"
    • "Realm Server Executable Reference"
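The steps above, assembled into a launch wrapper as an added example (not from the TIBCO FTL documentation): it builds the tibrealmserver argument list for the primary or backup role from the parameters listed in this procedure, and feeds the keystore password to --secure stdin from a file rather than from an echo on the command line. It assumes that securing the data directory means restricting it to the realm server's OS account; host names, ports, file paths and the environment variable names are placeholders.

```shell
#!/bin/sh
# Added example, not from the TIBCO FTL documentation: build the tibrealmserver command
# line for a primary or backup realm server from the parameters in this procedure, and
# feed the keystore password through stdin from a file only the server's OS account can
# read. Host names, ports, file paths and the variables below are placeholders.
#
# Credentials and trust-file locations are expected in these environment variables
# (values must not contain whitespace; the caller sets them):
#   FTL_TRUST   copy of the primary realm server's trust file (backup role only)
#   AUTH_URL AUTH_USER AUTH_PW AUTH_TRUST   external authentication service
#   SRV_USER SRV_PW                         realm server's own credentials

# Return 0 only if the path exists and group/other have no permission bits at all
# (e.g. 0600 for the password file, 0700 for the data directory).
check_private() {
    [ -e "$1" ] || { echo "missing: $1" >&2; return 1; }
    mode=$(stat -c '%a' "$1" 2>/dev/null || stat -f '%Lp' "$1")   # GNU stat, then BSD stat
    case "$mode" in
        *00) return 0 ;;
        *)   echo "$1 is accessible to group/other (mode $mode)" >&2; return 1 ;;
    esac
}

# Print one argument per line. Usage: realmserver_args primary|backup self_host:port peer_host:port
# Only the backup adds --tls.trust.file, because trust flows from the primary's generated trust file.
realmserver_args() {
    case "$1" in
        primary) set -- --secure stdin --http "$2" --backupto  "$3" ;;
        backup)  set -- --secure stdin --http "$2" --backupfor "$3" --tls.trust.file "$FTL_TRUST" ;;
        *)       echo "unknown role: $1" >&2; return 1 ;;
    esac
    set -- "$@" --auth.url "$AUTH_URL" --auth.user "$AUTH_USER" --auth.password "$AUTH_PW" \
                --auth.trust "$AUTH_TRUST" --server.user "$SRV_USER" --server.password "$SRV_PW"
    printf '%s\n' "$@"
}

# Usage: start_realmserver role self_host:port peer_host:port data_dir password_file
# Refuses to start unless the data directory and password file are private to this account.
start_realmserver() {
    check_private "$4" && check_private "$5" || return 1
    [ "$1" != backup ] || [ -r "$FTL_TRUST" ] || { echo "trust file $FTL_TRUST unreadable" >&2; return 1; }
    # The keystore password never appears on the command line: --secure stdin reads it from stdin.
    tibrealmserver $(realmserver_args "$1" "$2" "$3") < "$5"
}
```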