Ensuring FTL System Security: Tasks for Administrators

TIBCO FTL software includes several components. To ensure security within and among those components, administrators complete this super-task and all its sub-task topics.

Procedure

Applications

  1. Coordinate with application developers to secure application programs.
    FTL application programs are clients of the realm server. They must use HTTPS to communicate with the realm server.
    Your role includes coordinating with application developers to ensure that application clients trust the secure realm server, and that they supply appropriate credentials when they connect to it. See Coordination.
  2. Secure all application transports.
    Application programs must use secure transports to communicate with one another. Your role includes configuring the application and transport definitions in the realm so that all relevant transports use only secure transport protocols.
    Use only these transport protocols:
    • Secure Dynamic TCP
    • Secure TCP

Authentication and Authorization

  1. Configure authentication and authorization.
    Your role includes configuring your enterprise authentication and authorization system, such as an LDAP server, with appropriate information to support TIBCO FTL components and application users.

Realm Servers

  1. Secure all realm servers.
    A secure realm server enforces HTTPS communication whenever it communicates with clients, affiliated realm servers, and browsers.
    Your role is to supply realm server command line parameters to secure those client connections.

TIBCO FTL Component Services

  1. Secure all transport bridge processes.
    Transport bridge processes are clients of the realm server. They must communicate with the realm server using HTTPS.
    Your role includes these subtasks:
    • Supply bridge process command line parameters to secure its connections to the realm server.
    • Verify that the transports interconnected by the bridges use only secure transport protocols.
  2. Secure all persistence servers.
    Persistence server processes are clients of the realm server, and must use HTTPS to communicate with the realm server, with one another, and with client applications.
    Your role includes these subtasks:
    • Configure the persistence clusters so that all relevant transports use only secure transport protocols.
    • Supply persistence server command line parameters to secure all connections among servers within the cluster, and between servers and their clients.
  3. Secure all eFTL servers.
    TIBCO eFTL server processes are clients of the realm server. They must use HTTPS to communicate with the realm server. They must use secure transports to communicate with one another, and with eFTL applications.
    Your role includes these subtasks:
    • Reconfigure the automatically-generated eFTL transport definitions so that all relevant transports use only secure transport protocols.
    • Configure channels with appropriate authorization groups.
    • Coordinate with application developers to ensure that eFTL clients connect to the eFTL servers using the secure web sockets protocol (WSS).
    • Supply appropriate values for eFTL server command line parameters.
  4. Secure all FTL monitoring services.
    The FTL monitoring gateway (tibmongateway) is a client of the realm server. It must use HTTPS to communicate with the realm server.
    Your role includes this subtask:
    • Supply appropriate command line parameters to tibmongateway to secure its connection to the realm server.
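
A way to verify the rules in this procedure across a deployment, as an added example (not TIBCO code): it flags realm server clients that do not use HTTPS, transports that are not Secure Dynamic TCP or Secure TCP, and eFTL client URLs that are not WSS. The inventory layout, key names, and host names are assumptions constructed for illustration, not the FTL realm definition format.

```python
"""Audit a deployment inventory against the rules in this procedure (added example)."""
from urllib.parse import urlsplit

# Transport protocols the procedure permits, normalized to lower case.
ALLOWED_TRANSPORTS = {"secure dynamic tcp", "secure tcp"}

# Constructed sample inventory. The layout and key names are hypothetical;
# this is not the FTL realm definition format.
SAMPLE_INVENTORY = [
    {"name": "orders-app", "realm_url": "https://rs1.example.test:8443",
     "transports": {"t-orders": "Secure Dynamic TCP"}},
    {"name": "bridge-1", "realm_url": "http://rs1.example.test:8080",
     "transports": {"t-orders": "Secure TCP", "t-legacy": "Dynamic TCP"}},
    {"name": "eftl-1", "realm_url": "https://rs1.example.test:8443",
     "transports": {"t-eftl": " secure tcp "},
     "client_urls": ["ws://eftl1.example.test:9191/channel"]},
    {"name": "tibmongateway", "transports": {}},  # realm_url missing on purpose
]


def _scheme(url):
    """Return the lower-cased URL scheme, or '' when the URL is missing."""
    return urlsplit(url or "").scheme.lower()


def audit(inventory):
    """Return a sorted list of (component, finding) tuples; empty means compliant."""
    findings = []
    for comp in inventory:
        name = comp.get("name", "<unnamed>")
        # Every component in this inventory is a realm server client: HTTPS only.
        # A missing URL counts as a finding, so gaps in the inventory fail closed.
        if _scheme(comp.get("realm_url")) != "https":
            findings.append((name, f"realm server URL is not HTTPS: {comp.get('realm_url')!r}"))
        # Transports: only Secure Dynamic TCP and Secure TCP are acceptable.
        for tname, proto in comp.get("transports", {}).items():
            if " ".join(str(proto).lower().split()) not in ALLOWED_TRANSPORTS:
                findings.append((name, f"transport {tname!r} uses {proto!r}"))
        # eFTL clients must connect over secure web sockets (WSS).
        for url in comp.get("client_urls", []):
            if _scheme(url) != "wss":
                findings.append((name, f"client URL is not WSS: {url!r}"))
    return sorted(findings)


if __name__ == "__main__":
    for component, finding in audit(SAMPLE_INVENTORY):
        print(f"{component}: {finding}")
```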