Securing eFTL Servers

To secure an eFTL server, complete this task.

Prerequisites

All realm servers must be secure.

The enterprise authentication system must define user names and associate them with appropriate FTL authorization groups.

If any channels use EMS servers or FTL persistence servers, those servers must also be secure.

Procedure

  1. Verify secure transport protocols.
    The cluster-facing transport and all the channel application-facing transports must be secure. Check their protocols in the transports grid.
    Use only these transport protocols:
    • Secure Dynamic TCP
    • Secure TCP

Example Command Line

tibeftlserver --realmserver https://rs-host:7000
              --listen wss://localhost
              --server-cert eftl_publ_cert.pem
              --private-key eftl_key.pem
              --private-key-password pw
              --password-file eftl-svr-creds.txt
              --trust-file ftl-trust.pem
              --auth.url auth_svr_host:port
              --auth.user user_name
              --auth.password pw
              --auth.trust auth-trust.pem
              --ssl-params eftl-ems-ssl.txt
              --publish-user

  2. Connect only to secure realm servers using HTTPS.
    When you supply the --realmserver parameter on the eFTL command line, specify a URL with HTTPS protocol.
  3. Specify TLS secure web sockets for client apps.
    When you specify the --listen parameter on the eFTL server command line, specify a URL with WSS protocol.

    Supply the parameters --server-cert, --private-key, --private-key-password.

    For further details, see "Server Command Line Reference" in TIBCO eFTL Administration.

  4. Arrange authentication credentials to the realm server.
    Supply the location of the eFTL server's credentials as the value of the --password-file parameter on the persistence server command line. Ensure that this file is protected from unauthorized access.

    The user name in the file must be in the authorization group ftl.

    For further details, see "Server Command Line Reference" in TIBCO eFTL Administration.

  5. Arrange trust in the realm servers.
    Arrange access to a copy of the realm server trust file.

    Supply the file location as the value of the --trust-file parameter on the eFTL server command line.

    For further details, see "Trust File" in TIBCO FTL Administration.

  6. Specify the authentication service.
    The eFTL server authenticates its clients using an external authentication service.
    Supply the parameters --auth.url, --auth.user, --auth.password, and --auth.trust on the eFTL server command line.
    For further details, see the following topics in TIBCO eFTL Administration:
    • "Client Authentication and Authorization"
    • "Server Command Line Reference"
    • "Channel Details Panel"
  7. Include authenticated user names.
    Specify the command line option --publish-user when starting the eFTL server.
    With this option, the eFTL server appends a field to messages published by eFTL client apps when it forwards them to FTL and EMS subscribers. That field contains the authenticated user name of the eFTL publisher. FTL and EMS application code can use this user name to authorize requests.
  8. Optional. Specify client authorization groups.
    eFTL channels can regulate client access to publish and subscribe operations. To enable this feature, complete the following steps:
    1. In the eFTL clusters grid, enable the authorization column for each relevant cluster.
    2. In the channel details panel, configure a publish group and a subscribe group for each relevant channel.
    3. Ensure that each user name is in the appropriate authorization groups.
  9. Optional. Secure FTL persistence servers.
    If any channels use FTL persistence stores, then complete the task Securing Persistence Servers.
  10. Optional. Secure connections to EMS servers.
    If any channels use EMS messaging, specify the --ssl-params parameter on the eFTL server command line. Supply the location of a configuration file as its value.

    For details about the content of that file, see "SSL Parameters for EMS Connections" in TIBCO eFTL Administration.
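As an added example (not TIBCO's code), the shell function below audits a tibeftlserver command line against the steps of this task before the server is started: HTTPS realm server URL, WSS listener with certificate and key, credentials file, trust file, authentication service and --publish-user. The flag names are the ones on this page; the rule that the credentials file must be readable only by its owner is an assumption about how "protected from unauthorized access" is enforced.

```shell
#!/bin/sh
# Added example, not TIBCO's code: audit a tibeftlserver command line against
# the securing checklist. Flag names are taken from this task; the owner-only
# permission rule for --password-file is an assumption.

# check_eftl_args ARGS... : prints one line per finding and returns the number
# of failed checks (0 means every check passed).
check_eftl_args() {
  fails=0; realm=''; listen=''; cert=''; key=''; pwfile=''; trust=''; authurl=''; pubuser=0
  while [ $# -gt 0 ]; do
    case "$1" in
      --realmserver)   realm="$2";   shift ;;
      --listen)        listen="$2";  shift ;;
      --server-cert)   cert="$2";    shift ;;
      --private-key)   key="$2";     shift ;;
      --password-file) pwfile="$2";  shift ;;
      --trust-file)    trust="$2";   shift ;;
      --auth.url)      authurl="$2"; shift ;;
      --publish-user)  pubuser=1 ;;            # flag, takes no value
    esac
    shift
  done
  fail() { echo "FAIL: $1"; fails=$((fails + 1)); }
  # Realm server connection must use HTTPS.
  case "$realm" in https://*) ;; *) fail "--realmserver must be an https:// URL" ;; esac
  # Client listener must be TLS web sockets, with a server certificate and key.
  case "$listen" in wss://*) ;; *) fail "--listen must be a wss:// URL" ;; esac
  [ -n "$cert" ] && [ -n "$key" ] || fail "--server-cert and --private-key are required"
  # Credentials file must exist and be readable only by its owner (assumed rule).
  if [ -z "$pwfile" ]; then
    fail "--password-file is required"
  elif [ ! -f "$pwfile" ]; then
    fail "--password-file $pwfile does not exist"
  else
    mode=$(stat -c '%a' "$pwfile" 2>/dev/null || stat -f '%Lp' "$pwfile")
    case "$mode" in [0-7]00) ;; *) fail "--password-file $pwfile has mode $mode, expected owner-only" ;; esac
  fi
  # Trust in the realm servers.
  [ -n "$trust" ] || fail "--trust-file is required"
  # External authentication service.
  [ -n "$authurl" ] || fail "--auth.url is required"
  # Authenticated publisher name forwarded to FTL and EMS subscribers.
  [ "$pubuser" -eq 1 ] || fail "--publish-user is not set"
  return "$fails"
}
```

Run it with the exact arguments you intend to pass to tibeftlserver; a non-zero exit status means at least one step of the task is not satisfied.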