Running a Secure Realm Server

A secure realm server can generate all the data it requires for TLS, except for the keystore password, which you must supply.

Prerequisites

  • An authentication service must be running. For background information, see Realm Server Authentication.
  • Choose a keystore file password, and determine the appropriate level of security for that password.

Procedure

  1. When starting the realm server process, supply a command line parameter or configuration file property to specify that the realm server uses TLS security:
    Option                         Description
    Command Line                   --secure password
    Configuration File Property    com.tibco.tibrealmserver.secure password
    Supply the keystore file password as the value of this parameter or property. The realm server uses this password argument to encrypt and decrypt its keystore file. For information on the form of the password argument, see Keystore File Password Security.
    If the realm server finds TLS data files that it had generated earlier, it uses the password to decrypt the keystore file.

    If it cannot access the data files, or it cannot decrypt the keystore file, then it generates new TLS data files, and uses the password to encrypt the new keystore file. The newly generated data files replace any existing data files.

  2. When starting the realm server process, supply the command line parameters or configuration file properties related to the authentication service.
  3. Supply the trust file to client programs.
    Among the TLS data files that the realm server generates is a trust file. Clients need this file to trust the realm server.
    If a primary realm server generates new TLS data files, you must supply the trust file to all clients, including application programs, affiliated realm servers, other TIBCO FTL components, and browsers that access the realm server GUI.

    For more information, see Trust File.
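Because a realm server silently regenerates its TLS data files when it cannot read or decrypt them (step 1), and every client then needs the new trust file (step 3), operators want to know when the trust file has changed after a restart. The following POSIX shell check is an added example, not part of the TIBCO FTL documentation or product; the file paths and the record-file name are assumptions, not product defaults.

```shell
#!/bin/sh
# Detect whether the realm server has regenerated its TLS data files by
# comparing the trust file's SHA-256 fingerprint against the value recorded
# at the last known-good start. Paths below are assumptions for this
# example, not TIBCO FTL defaults; override them via the environment.
TRUST_FILE="${TRUST_FILE:-./realm-data/trust.pem}"
FINGERPRINT_FILE="${FINGERPRINT_FILE:-./realm-data/.trust.sha256}"

# Print the SHA-256 hex digest of a file using whichever tool is available.
fingerprint() {
  if command -v sha256sum >/dev/null 2>&1; then
    sha256sum "$1" | cut -d' ' -f1
  else
    shasum -a 256 "$1" | cut -d' ' -f1
  fi
}

# check_trust_file TRUST RECORD
# Return codes: 0 = unchanged, 1 = changed (redistribute to all clients),
# 2 = no record existed yet (fingerprint recorded now), 3 = trust file missing.
check_trust_file() {
  trust="$1"
  record="$2"
  [ -r "$trust" ] || { echo "trust file missing or unreadable: $trust" >&2; return 3; }
  current=$(fingerprint "$trust")
  if [ ! -f "$record" ]; then
    echo "$current" > "$record"
    echo "recorded trust file fingerprint $current"
    return 2
  fi
  previous=$(cat "$record")
  if [ "$current" = "$previous" ]; then
    echo "trust file unchanged"
    return 0
  fi
  # The realm server generated new TLS data: every client, affiliated realm
  # server, other FTL component and GUI browser must receive the new file.
  echo "trust file CHANGED: $previous -> $current" >&2
  echo "$current" > "$record"
  return 1
}
```

Run `check_trust_file "$TRUST_FILE" "$FINGERPRINT_FILE"` after each realm server start, and treat exit code 1 as the signal to redistribute the trust file.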