To secure an eFTL service, complete this task.
Prerequisites
All FTL servers must be secure.
If any channels use EMS servers or FTL persistence services, those services must also be secure.
Procedure
- Verify secure transport protocols.
  The cluster-facing transport and all the channel application-facing transports must be secure. Check their protocols in the transports grid.
  Use only these transport protocols:
  - Secure Dynamic TCP
  - Secure TCP
Example Configuration File
global:
  core.servers:
    ftl1: host1:8585
    ftl2: host2:8585
    ftl3: host3:8585
services:
  eftl:
    name: my_eftl_cluster
    # Forward the authenticated eFTL user name to FTL and EMS subscribers
    publish.user: true
    # External LDAP authentication service
    auth.url: auth_svr_host:port
    auth.user: user_name
    auth.password: pw
    auth.trust: auth-trust.pem
    # Certificate for TLS secure web sockets (legacy 3.x clients only)
    custom.cert: eftl_publ_cert.pem
    custom.cert.private.key: eftl_key.pem
    custom.cert.private.key.password: pw
    # SSL parameters for EMS connections (only if channels use EMS)
    ssl.params: eftl-ems-ssl.txt
servers:
  ftl1:
    - realm: {}
    - eftl: {}
...
- Include authenticated user names.
  Specify the parameter publish.user in the eFTL service section of the FTL server configuration file.
  With this option, the eFTL service appends a field to messages published by eFTL client apps when it forwards them to FTL and EMS subscribers. That field contains the authenticated user name of the eFTL publisher. FTL and EMS application code can use this user name to authorize requests.
- Specify the external authentication service.
  eFTL services use an external LDAP authentication service, rather than the built-in authentication service in the FTL server.
  Supply the parameters auth.url, auth.user, auth.password, and auth.trust in the eFTL service section of the FTL server configuration file.
  For further details, see the following topics in TIBCO eFTL Administration:
  - "Client Authentication and Authorization"
  - "Channel Details Panel"
- Optional. Specify TLS secure web sockets for legacy client apps.
  If you do not use legacy (3.x) eFTL clients, you may omit this step.
  Supply the parameters custom.cert, custom.cert.private.key, and custom.cert.private.key.password. The eFTL service uses the certificate to identify itself to legacy clients.
- Optional. Specify client authorization groups.
  eFTL channels can regulate client access to publish and subscribe operations. To enable this feature, complete the following steps:
  - In the eFTL clusters grid, enable the authorization column for each relevant cluster.
  - In the channel details panel, configure a publish group and a subscribe group for each relevant channel.
  - Ensure that each user name is in the appropriate authorization groups.
- Optional. Secure FTL persistence services.
- Optional. Secure connections to EMS servers.
  If any channels use EMS messaging, specify the ssl.params parameter in the eFTL service section of the FTL server configuration file. Supply the location of a configuration file as its value.
  For details about the content of that file, see "SSL Parameters for EMS Connections" in TIBCO eFTL Administration.
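As an added example that is not part of this TIBCO documentation, the following Python script audits an FTL server configuration against the steps of this procedure: secure transport protocols, publish.user, the auth.* parameters, the legacy-client certificate parameters, and ssl.params when channels use EMS. The parameter names and the two allowed protocols are the ones listed above; the minimal YAML reader, the constructed sample configuration, and the transports mapping (assumed to be copied by hand from the transports grid as name to protocol) are assumptions of the example.

```python
"""Audit the eFTL service section of an FTL server configuration against the
hardening steps of the procedure above.  Added example, not TIBCO code: the
parameter names and allowed protocols come from the procedure; the YAML
reader, the sample text and the transports mapping are assumptions."""

SECURE_PROTOCOLS = {"Secure TCP", "Secure Dynamic TCP"}
AUTH_KEYS = ("auth.url", "auth.user", "auth.password", "auth.trust")
LEGACY_CERT_KEYS = ("custom.cert", "custom.cert.private.key",
                    "custom.cert.private.key.password")


def parse_simple_yaml(text):
    """Read the indentation-nested 'key: value' subset of YAML used by the
    eFTL service section (no sequences, no quoting).  Assumption: sufficient
    for this audit; a real deployment would use a full YAML library."""
    root = {}
    stack = [(-1, root)]            # (indent, mapping) for open parents
    for raw in text.splitlines():
        if not raw.strip() or raw.lstrip().startswith("#"):
            continue
        indent = len(raw) - len(raw.lstrip())
        key, _, value = raw.strip().partition(":")
        value = value.strip()
        while indent <= stack[-1][0]:   # close parents at deeper/equal indent
            stack.pop()
        parent = stack[-1][1]
        if value == "":                 # 'key:' opens a nested mapping
            parent[key] = {}
            stack.append((indent, parent[key]))
        else:
            parent[key] = {"true": True, "false": False}.get(value.lower(), value)
    return root


def audit_eftl_service(config, transports, uses_ems=False, legacy_clients=False):
    """Return a list of findings; an empty list means every applicable step is
    satisfied.  `transports` maps a transport name to the protocol shown for it
    in the transports grid (assumed export format)."""
    findings = []
    eftl = config.get("services", {}).get("eftl", {})

    # Step 1: cluster-facing and application-facing transports must be secure.
    for name, protocol in transports.items():
        if protocol not in SECURE_PROTOCOLS:
            findings.append(f"transport {name!r} uses {protocol!r}; only "
                            f"{sorted(SECURE_PROTOCOLS)} are allowed")

    # Step 2: forward the authenticated publisher name to FTL/EMS subscribers.
    if eftl.get("publish.user") is not True:
        findings.append("publish.user must be true so subscribers can authorize "
                        "requests by the authenticated eFTL user name")

    # Step 3: the external LDAP authentication service must be fully configured.
    for key in AUTH_KEYS:
        if not eftl.get(key):
            findings.append(f"{key} is missing from the eftl service section")

    # Step 4 (only with legacy 3.x clients): certificate for TLS web sockets.
    if legacy_clients:
        for key in LEGACY_CERT_KEYS:
            if not eftl.get(key):
                findings.append(f"{key} is required for legacy (3.x) clients")

    # Step 7 (only if channels use EMS): SSL parameters file for EMS connections.
    if uses_ems and not eftl.get("ssl.params"):
        findings.append("ssl.params is required when channels use EMS messaging")

    return findings


# Constructed sample modelled on the example configuration above; the servers
# section is omitted because the minimal reader does not handle sequences.
SAMPLE_CONFIG = """\
global:
  core.servers:
    ftl1: host1:8585
    ftl2: host2:8585
services:
  eftl:
    name: my_eftl_cluster
    publish.user: true
    auth.url: auth_svr_host:port
    auth.user: user_name
    auth.password: pw
    auth.trust: auth-trust.pem
    ssl.params: eftl-ems-ssl.txt
"""

# Assumption: transport protocols copied from the transports grid.
SAMPLE_TRANSPORTS = {"cluster": "Secure TCP", "app-channel": "Secure Dynamic TCP"}


def run_sample():
    """Audit the hardened sample and a weakened copy of it."""
    hardened = audit_eftl_service(parse_simple_yaml(SAMPLE_CONFIG),
                                  SAMPLE_TRANSPORTS, uses_ems=True)
    weakened_cfg = parse_simple_yaml(
        SAMPLE_CONFIG.replace("publish.user: true", "publish.user: false"))
    weakened = audit_eftl_service(weakened_cfg,
                                  {**SAMPLE_TRANSPORTS, "cluster": "TCP"},
                                  uses_ems=True)
    return hardened, weakened


if __name__ == "__main__":
    ok, bad = run_sample()
    print("hardened config findings:", ok)
    for finding in bad:
        print("weakened config:", finding)
```

The audit reports, rather than repairs, so it fits a pre-deployment check or a periodic review of configuration files; the legacy-client and EMS checks are switched on by the caller because the page makes those steps optional.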
Copyright © Cloud Software Group, Inc. All rights reserved.