Securing FTL Servers
Secure FTL servers are central to the security of any enterprise that communicates using TIBCO FTL messaging software. To secure the FTL servers, complete this task. An FTL server can generate all the data it requires for TLS, except for the keystore password, which you must supply.
The FTL server supports TLS 1.3, and FTL components use TLS 1.3 when communicating with each other. When communicating with other components, such as a browser or an eFTL client, the FTL server uses TLS 1.3 if the peer allows it. Before you begin, ensure the following:
- Secure the FTL server data directories and files against unwanted access by other users.
- The enterprise authentication system (for example, an LDAP system) must define user names and associate them with the appropriate FTL authorization groups.
- An authentication service (either internal or external) must be running. For background information, see Authentication Service in TIBCO FTL Administration.
- Choose a keystore file password, and determine the appropriate level of security for that password.
- Ensure that the clocks on all servers in a cluster are synchronized.
Procedure
- Remove any obsolete TLS data files from the FTL servers' data directories.
- Generate TLS data files.
To generate full-security files, enter:
    tibftlserver --init-security file:<pw_file_name> -c <my_config_file_path> -n <svr_name>
To prepare the server for authentication-only operation, enter:
    tibftlserver --init-auth-only
This command instructs the FTL server to generate new TLS data files and to encrypt the new keystore file with the password. (If the FTL server detects existing TLS files, it does not generate them anew; however, it does not decrypt or inspect the existing files either, which is why obsolete files must be removed first.) The server writes the TLS files to the data directory specified in the configuration file. If that directory is unavailable, the server writes the files to the current directory instead. After writing the files, the FTL server exits.
- Distribute the TLS files.
The keystore file and trust file must be distributed to all FTL servers, which includes all core servers and auxiliary servers at all sites (primary, satellite, and DR sites).
Every server uses the same private key to identify itself, and every server uses the same trust file to verify the identity of other FTL servers. Because one private key identifies every server, the keystore file is only as well protected as the least-protected data directory that holds a copy of it; hence the prerequisite to secure the data directories against other users.
- Supply copies of the keystore file and trust file to every FTL server.
Place these files in the data directory of each server. Note: Specify the data directory in the configuration file for each FTL server.
- Supply a copy of the trust file to every client including application programs and browsers that access the FTL server GUI.
For more information, see Trust File in TIBCO FTL Administration.
Note: Whenever a server generates new TLS data files, you must redistribute them: the keystore file and trust file to every FTL server, and the trust file to every client.
- Configure the FTL servers to use TLS security, and supply the keystore file password as the value of the tls.secure property:
    globals:
      # ...
      tls.secure: <password_argument>
FTL servers use the password to encrypt and decrypt the keystore file. For information on the form of the password argument, see Password Security in TIBCO FTL Administration.
- Configure the FTL server properties related to the authentication service.
FTL servers authenticate and authorize client credentials using the authentication service. Configure the authentication service in the FTL server configuration file.
- Configure the username and password for communication with affiliated FTL servers.
If satellite or DR FTL servers will be used, the primary FTL servers must authenticate themselves to the satellite or DR servers, and vice versa. Add an appropriate username and password to the configuration file of every FTL server (primary, satellite, or DR), and ensure that this user has the ftl-internal role. See FTL Server Configuration Parameters, "Affiliated FTL Servers".
    globals:
      # ...
      user: <username>
      password: <password_argument>
- Start the FTL server processes.
Start servers using a standard command line (that is, without the --init-security option). For example:
    tibftlserver -c <config_file> -n <server_name>
Note: See the ftlstart script in the samples directory. Its --secure option illustrates a basic way to start a secure FTL server.
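The procedure above leaves three things to the operator that are easy to get wrong: writing the keystore password file so that only the service account can read it, locking down the data directory that holds the shared private key, and making sure every server really received byte-identical copies of the keystore and trust file. The script below is an added example written for this page, not TIBCO's own code or tooling; the file names used in demo() (keystore.p12, trust.pem, keystore.pw) are placeholders, not the names tibftlserver actually writes, and the script assumes a POSIX shell with either GNU or BSD stat.

```shell
#!/bin/sh
# Added example; not part of TIBCO FTL. Pre-flight checks on an FTL server
# data directory before the server is started in secure mode. The file names
# used in demo() (keystore.p12, trust.pem, keystore.pw) are placeholders,
# not the names tibftlserver writes; pass the real names to same_files.

# Print the octal permission bits of a path (GNU stat, then BSD stat).
mode_of() {
    stat -c %a "$1" 2>/dev/null || stat -f %Lp "$1"
}

# Write a fresh 256-bit random keystore password, base64-encoded, to a file
# that only its owner can read. Pass the path as file:<pw_file_name> to
# tibftlserver --init-security and in the tls.secure property.
write_pw_file() {
    ( umask 077; head -c 32 /dev/urandom | base64 | tr -d '\n' > "$1" )
    chmod 600 "$1"
}

# Succeed only if the directory is mode 700 and every regular file in it is
# mode 600; anything looser lets other local users read the keystore.
check_perms() {
    dir=$1
    rc=0
    case $(mode_of "$dir") in
        *700) ;;
        *) echo "BAD: $dir has mode $(mode_of "$dir"), want 700"; rc=1 ;;
    esac
    for f in "$dir"/*; do
        [ -f "$f" ] || continue
        case $(mode_of "$f") in
            *600) ;;
            *) echo "BAD: $f has mode $(mode_of "$f"), want 600"; rc=1 ;;
        esac
    done
    return $rc
}

# Succeed only if each named file in a server's copy is byte-identical to
# the master set. Run it against every core and auxiliary server after
# distributing the keystore and trust file, and again after regenerating them.
same_files() {
    master=$1
    copy=$2
    shift 2
    rc=0
    for name in "$@"; do
        if ! cmp -s "$master/$name" "$copy/$name" 2>/dev/null; then
            echo "BAD: $copy/$name differs from $master/$name"
            rc=1
        fi
    done
    return $rc
}

# Constructed sample layout: a master set plus two server copies, one of
# which carries an obsolete trust file and a world-readable keystore.
demo() {
    root=$(mktemp -d)
    for d in master siteA siteB; do mkdir -m 700 "$root/$d"; done
    write_pw_file "$root/master/keystore.pw"
    printf 'keystore-v2' > "$root/master/keystore.p12"
    printf 'trust-v2' > "$root/master/trust.pem"
    chmod 600 "$root/master"/*
    cp -p "$root/master/keystore.p12" "$root/master/trust.pem" "$root/siteA/"
    cp -p "$root/master/keystore.p12" "$root/master/trust.pem" "$root/siteB/"
    printf 'trust-v1' > "$root/siteB/trust.pem"   # stale content, mode unchanged
    chmod 644 "$root/siteB/keystore.p12"          # readable by other users

    check_perms "$root/siteA" && echo "siteA: permissions OK"
    check_perms "$root/siteB" || echo "siteB: permissions FAIL"
    same_files "$root/master" "$root/siteA" keystore.p12 trust.pem && echo "siteA: files match master"
    same_files "$root/master" "$root/siteB" keystore.p12 trust.pem || echo "siteB: files differ from master"
    rm -rf "$root"
}
demo
```

Run check_perms and same_files on each server's data directory after every distribution and before each start; a server that fails same_files is either carrying an obsolete file from an earlier --init-security run or never received the new set, and in both cases it will not be able to authenticate to its peers.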