Securing Persistence Servers

To secure a persistence server, complete this task.

Prerequisites

All realm servers must be secure.

The enterprise authentication system must define user names and associate them with appropriate FTL authorization groups.

Procedure

  1. Verify that the persistence cluster definition specifies secure transport protocols.
    The client protocol and the disaster recovery (DR) protocol must be secure. For maximum performance, the cluster set protocol can be a non-secure protocol, but only if all persistence servers of the cluster run within a protected network. Otherwise, use a secure protocol for cluster set communications.
    Use only these transport protocols:
    • Secure Dynamic TCP
    • Secure TCP

    For further details, see "Clusters Grid" in TIBCO FTL Administration.

Example Command Line

tibstore --name psvr1 \
         --realmserver https://rs-host:7000 \
         --password-file psvr-creds.txt \
         --trust.file ftl-trust.pem

  1. Connect only to secure realm servers using HTTPS.
    When you supply the --realmserver parameter on the persistence server command line, specify a URL with HTTPS protocol.
  2. Arrange authentication credentials. Persistence servers authenticate to the realm server using a user name and password pair.
    Supply the location of the persistence server's credentials as the value of the --password-file parameter on the persistence server command line. Ensure that this file is protected from unauthorized access.

    The user name in the file must be in the authorization group ftl.

    For file syntax and other details, see "Persistence Server (tibstore) Command Line Reference" and "Password File," both in TIBCO FTL Administration.

  3. Arrange trust in the realm servers.
    Arrange access to a copy of the realm server trust file.

    Supply the file location as the value of the --trust.file parameter on the persistence server command line.

    For further details, see "Trust File" in TIBCO FTL Administration.
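
A pre-flight check for the three command-line values in the steps above, to run before starting tibstore. This is an added example, not TIBCO code: the function name check_tibstore_args and its messages are hypothetical, and it assumes the trust file is PEM-encoded, as the .pem name in the example command line suggests.

```shell
#!/bin/sh
# Added example (not TIBCO code): validate the values passed to
# --realmserver, --password-file and --trust.file before launching tibstore.
# Usage: check_tibstore_args https://rs-host:7000 psvr-creds.txt ftl-trust.pem

# check_tibstore_args REALMSERVER_URL PASSWORD_FILE TRUST_FILE
# Returns 0 if every check passes; otherwise reports each problem, returns 1.
check_tibstore_args() {
    url=$1 pwfile=$2 trust=$3 rc=0

    # Connect only to realm servers over HTTPS.
    case $url in
        https://?*) ;;
        *) echo "FAIL: --realmserver must be an https:// URL: $url" >&2; rc=1 ;;
    esac

    # The credentials file must exist and be closed to group and others.
    if [ ! -f "$pwfile" ] || [ ! -r "$pwfile" ]; then
        echo "FAIL: --password-file missing or unreadable: $pwfile" >&2; rc=1
    else
        # Characters 5-10 of the ls mode string are the group/other bits;
        # -L checks the target when the path is a symbolic link.
        go_bits=$(ls -ldL -- "$pwfile" | cut -c5-10)
        if [ "$go_bits" != "------" ]; then
            echo "FAIL: $pwfile open to group/other ($go_bits); chmod 600" >&2
            rc=1
        fi
    fi

    # The trust file must exist and hold at least one PEM certificate
    # (assumption: PEM encoding; this does not validate the certificate).
    if [ ! -f "$trust" ]; then
        echo "FAIL: --trust.file not found: $trust" >&2; rc=1
    elif ! grep -q -e '-----BEGIN CERTIFICATE-----' "$trust"; then
        echo "FAIL: no PEM certificate found in $trust" >&2; rc=1
    fi

    return $rc
}
```

The check does not confirm that the user name in the password file belongs to the authorization group ftl; verify that in the enterprise authentication system.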