Securing FTL Servers

Secure FTL servers are central to the security of any enterprise that communicates using TIBCO FTL messaging software. To secure the FTL servers, complete this task. An FTL server can generate all the data it requires for TLS, except for the keystore password, which you must supply.

Prerequisites

  • The enterprise authentication system (for example, an LDAP system) must define user names and associate them with the appropriate FTL authorization groups.
  • An authentication service (either internal or external) must be running. For background information, see "Authentication Service" in TIBCO FTL Administration.
  • Choose a keystore file password, and determine the appropriate level of security for that password.
  • Ensure that the clocks on all servers in a cluster are synchronized.

Procedure

  1. Remove any obsolete TLS data files from the FTL servers' data directories.
  2. Generate TLS data files.
    To generate full-security files, enter:
    tibftlserver --init-security file:pw_file_name -c my_config_file_path -n svr_name
    To prepare the server for authentication-only operation, enter:
    tibftlserver --init-auth-only
    This command instructs the FTL server to generate new TLS data files, encrypting the new keystore file with the password.
    (If the FTL server detects existing TLS files, it does not generate them anew. However, the FTL server does not decrypt or inspect existing files.)
    The server generates TLS files in the data directory (specified in the configuration file). If the data directory is unavailable, the server writes these files to the current directory. After writing the files, the FTL server exits.
  3. Distribute the TLS files.
    FTL servers (primary) require the keystore file. Affiliated Servers and clients need the trust file to trust the FTL servers (primary or satellite).

    Every primary server uses the same private key to identify itself. Every affiliated server and every client uses the same trust file to verify the identity of FTL servers.

    1. Supply copies of the keystore file and trust file to every FTL server.
      Place these files in the data directory of the servers.
      Note: Specify the data directory in the configuration file for each FTL server.
    2. Supply a copy of the trust file to every client, including application programs and browsers that access the FTL server GUI.
      For more information, see "Trust File" in TIBCO FTL Administration.
    Note: When a server generates new TLS data files, you must redistribute these files.
  4. Configure the FTL servers to use TLS security and supply the keystore file password as the property value:
    globals:
        # ...
        tls.secure: password_argument
    FTL servers use the password to encrypt and decrypt the keystore file. For information on the form of the password argument, see "Password Security" in TIBCO FTL Administration.
  5. Configure the FTL server properties related to the authentication service.
    FTL servers authenticate and authorize client credentials using the authentication service. Configure the authentication service in the FTL server configuration file.
  6. Start the FTL server processes.
    Start servers using a standard command line (that is, without the --init-security option). For example:
    tibftlserver -c config_file -n server_name
    Note: See the ftlstart script in the samples directory. The --secure option illustrates a basic way to start a secure FTL server.
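The following shell script is an added example that wraps steps 2 through 4 of the procedure above; it is not part of TIBCO FTL and is not the ftlstart sample. It assumes tibftlserver is on PATH when the generation step runs, and every file name, data directory and server name in it is a placeholder. The keystore-password file is created readable only by its owner, each generated file is copied once from a single source into every data directory, and a SHA-256 comparison confirms that no server is left holding a stale copy from an earlier --init-security run (the situation the redistribution note in step 3 warns about). The use of the "file:" form for the tls.secure value is an assumption carried over from the --init-security command line; confirm the accepted forms under "Password Security" before relying on it.

```shell
#!/bin/sh
# Added example: helper functions around the FTL TLS setup procedure. Not TIBCO code;
# file names, paths and server names below are placeholders chosen for illustration.
set -eu

# Before step 2: the keystore password is read from a file ("file:<path>"). Create it so
# that only the FTL server's own user can read it (mode 0600 is this example's choice).
write_password_file() {
    pw_file=$1
    password=$2
    old_umask=$(umask)
    umask 077
    printf '%s\n' "$password" > "$pw_file"
    umask "$old_umask"
    chmod 600 "$pw_file"
}

# Step 2: generate the TLS data files. Runs tibftlserver only when it is installed, so
# the rest of the script can be exercised on a workstation that lacks the product.
init_security() {
    pw_file=$1; config=$2; name=$3
    if ! command -v tibftlserver >/dev/null 2>&1; then
        echo "tibftlserver not found; skipping --init-security" >&2
        return 2
    fi
    tibftlserver --init-security "file:$pw_file" -c "$config" -n "$name"
}

# SHA-256 of a file (falls back to shasum on systems without sha256sum).
digest() {
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | cut -d' ' -f1
    else
        shasum -a 256 "$1" | cut -d' ' -f1
    fi
}

# Step 3: copy one generated file (keystore or trust file) into each data directory.
# Every primary server must hold the same keystore and every server and client the
# same trust file, so each file is distributed from a single source.
distribute() {
    src=$1; shift
    for dir in "$@"; do
        mkdir -p "$dir"
        cp "$src" "$dir/"
    done
}

# Step 3 check: confirm each data directory holds a byte-identical copy of the source.
# A stale copy left over from an earlier --init-security run fails TLS against servers
# holding the new key; catching it here is cheaper than debugging handshake failures.
verify_distribution() {
    src=$1; shift
    want=$(digest "$src")
    name=$(basename "$src")
    status=0
    for dir in "$@"; do
        if [ ! -f "$dir/$name" ]; then
            echo "MISSING: $dir/$name" >&2; status=1; continue
        fi
        if [ "$(digest "$dir/$name")" != "$want" ]; then
            echo "STALE: $dir/$name does not match $src" >&2; status=1
        fi
    done
    return $status
}

# Step 4: write the globals section that hands the keystore password to the server.
# Passing the "file:" form here is an assumption; see "Password Security" for the
# documented forms of the password argument.
write_secure_config() {
    config=$1; pw_argument=$2
    {
        echo "globals:"
        echo "    tls.secure: $pw_argument"
    } > "$config"
}

# Usage (placeholder paths):
#   write_password_file /etc/ftl/keystore.pw 'choose-a-strong-password'
#   write_secure_config /etc/ftl/ftlserver.yaml file:/etc/ftl/keystore.pw
#   init_security /etc/ftl/keystore.pw /etc/ftl/ftlserver.yaml svr1
#   distribute /var/ftl/data/trust.pem /srv/ftl2/data /srv/ftl3/data
#   verify_distribution /var/ftl/data/trust.pem /srv/ftl2/data /srv/ftl3/data
```

Run verify_distribution again after every regeneration of the TLS files, and include the client hosts' copies of the trust file in the directory list; a mismatch reported there is exactly the redistribution the note in step 3 requires.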