Securing Log Services

To secure an FTL log service (tiblogsvc process), complete this task.

Prerequisites

All realm servers must be secure.

The enterprise authentication system must define user names and associate them with appropriate FTL authorization groups.

The monitoring database (InfluxDB) must be secure.

Procedure

Example Command Line

tiblogsvc \
          --realmserver https://rs-host:8080 \
          --secondary-realmserver https://rs-backup-host:8080 \
          --realmserver-password-file logsvc-creds.txt \
          --realmserver-trust-file ftl-trust.pem \
          --influx-server https://influx-host:8086 \
          --influx-password-file logsvc-influx-creds.txt \
          --influx-trust-file influx-trust.pem \
          --http-certificate logsvc-cert.pem \
          --http-key logsvc-key.pem \
          --http-password-file my_pw_file

  1. Connect only to secure realm servers using HTTPS.
    When you supply the --realmserver parameters on the log service command line, specify URLs with HTTPS protocol.
  2. Arrange authentication credentials to the realm server.
    Supply the location of the log service's credentials as the value of the --realmserver-password-file parameter on the log service command line. Ensure that this file is protected from unauthorized access.

    The user name in the file must be in the authorization group ftl.

    For further details, see "Log Service Command Line Reference (tiblogsvc)" in TIBCO FTL Monitoring.

    For file syntax, see "Password File" in TIBCO FTL Administration.

  3. Arrange trust in the realm servers.
    Arrange access to a copy of the realm server trust file.

    Supply the file location as the value of the --realmserver-trust-file parameter on the log service command line.

    For further details, see "Trust File" in TIBCO FTL Administration.

  4. Connect only to a secure InfluxDB server using HTTPS.
    When you supply the --influx-server parameter on the log service command line, specify a URL with HTTPS protocol.
  5. Arrange authentication credentials to the InfluxDB server.
    Supply the location of the log service's credentials as the value of the --influx-password-file parameter on the log service command line. Ensure that this file is protected from unauthorized access.

    For further details, see "Log Service Command Line Reference (tiblogsvc)" in TIBCO FTL Monitoring.

    For file syntax, see "Password File" in TIBCO FTL Administration.

  6. Arrange trust in the InfluxDB servers.
    Arrange access to a copy of the InfluxDB server trust file.

    Supply the file location as the value of the --influx-trust-file parameter on the log service command line.

    For further details, see "Trust File" in TIBCO FTL Administration.

  7. Arrange TLS artifacts so the log service can authenticate itself to clients.
    1. Obtain a certificate identity for the log service.
    2. Supply the location of the certificate file as the value of the --http-certificate parameter on the log service command line.
    3. Supply the location of the key file as the value of the --http-key parameter on the log service command line.
      Ensure that this file is protected from unauthorized access.
    4. Supply the key file password using the --http-password-file parameter.
      (The --http-password parameter is not sufficiently secure.)
    5. Ensure that HTTPS clients trust the log service's certificate.
      • Browser Client: Install the certificate (or the CA certificate) in the requesting browser.
      • Utility Client: Supply the certificate (or the CA certificate) to the request utility. For example, curl --cacert certificate.
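
A pre-flight check for the procedure above, as an added example that is not TIBCO code: it audits the argument list you intend to pass to tiblogsvc before the service is started. The function names are hypothetical, "protected from unauthorized access" is interpreted as owner-only file permissions, and --http-password is assumed to take the password as its value.

```shell
#!/bin/sh
# Added example, not TIBCO code: audit a tiblogsvc argument list against the
# steps above. Prints one line per finding; returns non-zero if any were found.

findings=0
report() { echo "FINDING: $*"; findings=$((findings + 1)); }

# True only for an existing regular file with no group/other permission bits.
private_file() {
    [ -f "$1" ] || return 1
    [ "$(ls -ldL "$1" | cut -c5-10)" = "------" ]
}

audit_tiblogsvc_args() {
    findings=0
    while [ $# -gt 0 ]; do
        opt=$1; val=${2-}; n=2
        case "$opt" in
            --realmserver|--secondary-realmserver|--influx-server)
                # Steps 1 and 4: HTTPS URLs only.
                case "$val" in
                    https://*) ;;
                    *) report "$opt is not an HTTPS URL: $val" ;;
                esac ;;
            --realmserver-password-file|--influx-password-file|--http-key|--http-password-file)
                # Steps 2, 5 and 7: secrets protected from unauthorized access
                # (interpreted here as owner-only permissions; an assumption).
                private_file "$val" ||
                    report "$opt missing or accessible to group/other: $val" ;;
            --realmserver-trust-file|--influx-trust-file|--http-certificate)
                # Steps 3, 6 and 7: the file must be readable by the service.
                [ -r "$val" ] || report "$opt is not readable: $val" ;;
            --http-password)
                # Step 7.4: use --http-password-file instead.
                # Assumption: this option takes the password as its value.
                report "--http-password used; use --http-password-file" ;;
            *) n=1 ;;
        esac
        [ $# -ge "$n" ] || n=$#
        shift "$n"
    done
    [ "$findings" -eq 0 ]
}

# Usage: sh audit-tiblogsvc.sh <the arguments you would pass to tiblogsvc>
[ $# -eq 0 ] || audit_tiblogsvc_args "$@"
```

Run it with the same arguments as the log service and correct each finding before starting tiblogsvc.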