Securing eFTL Services

To secure an eFTL service, complete this task.

Prerequisites

All FTL servers must be secure.

If any channels use EMS servers or FTL persistence services, those services must also be secure.

Procedure

  1. Verify secure transport protocols.
    The cluster-facing transport and all the channel application-facing transports must be secure. Check their protocols in the transports grid.
    Use only these transport protocols:
    • Secure Dynamic TCP
    • Secure TCP
    • Secure Auto

Example Configuration File

globals:
    core.servers:
        ftl1: host1:8585
        ftl2: host2:8585
        ftl3: host3:8585

services:
    eftl: 
        name: my_eftl_cluster
        publish.user: true
        auth.url: auth_svr_host:port
        auth.user: user_name
        auth.password: pw
        auth.trust: auth-trust.pem
        server.cert: eftl_publ_cert.pem
        private.key: eftl_key.pem
        private.key.password: pw
        ssl.params: eftl-ems-ssl.txt

servers:
    ftl1:
        - realm: {}
        - eftl: {}
    eftl1:
        listen: wss://host1:9191

  # ...

  2. Include authenticated user names.
    Specify the parameter publish.user in the eFTL service section of the FTL server configuration file.
    With this option, the eFTL service appends a field to messages published by eFTL client apps when it forwards them to FTL and EMS subscribers. That field contains the authenticated user name of the eFTL publisher. FTL and EMS application code can use this user name to authorize requests.
  3. If used, specify the authentication service.
    Optionally, eFTL services can use an external authentication service (JAAS, LDAP, etc.) instead of the built-in authentication service in the FTL server.
    To do this, supply the parameters auth.url, auth.user, auth.password, and auth.trust in the eFTL service section of the FTL server configuration file.
    For further details, see the following topics in TIBCO eFTL Administration:
    • "Client Authentication and Authorization"
    • "Channel Details Panel"
  4. Optional. For a user-specified certificate instead of the FTL server default certificate, supply the parameters listen, server.cert, private.key, and private.key.password. The eFTL service uses the certificate to identify itself to clients. See the example above.
  5. Optional. Specify client authorization groups.
    eFTL channels can regulate client access to publish and subscribe operations. To enable this feature, complete the following steps:
    1. In the eFTL clusters grid, enable the authorization column for each relevant cluster.
    2. In the channel details panel, configure a publish group and a subscribe group for each relevant channel.
    3. Ensure that each user name is in the appropriate authorization groups.
  6. Optional. Secure FTL persistence services.
    If any channels use FTL persistence stores, then complete the task Securing Persistence Services.
  7. Optional. Secure connections to EMS servers.
    If any channels use EMS messaging, specify the ssl.params parameter in the eFTL service section of the FTL server configuration file. Supply the location of a configuration file as its value.

    For details about the content of that file, see "SSL Parameters for EMS Connections" in TIBCO eFTL Administration.
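The following pre-deployment check is an added example, not part of the TIBCO documentation or the FTL server. It walks the eFTL service section of an already-parsed configuration (assumed to be loaded into nested dicts, for instance with PyYAML) and flags the settings the steps above require; the sample config is constructed to mirror the example file, and the expectation that every eFTL listen URL uses the wss scheme is inferred from that example.

```python
from urllib.parse import urlparse

# Constructed sample mirroring the page's example configuration file.
SAMPLE_CONFIG = {
    "services": {
        "eftl": {
            "name": "my_eftl_cluster",
            "publish.user": True,
            "auth.url": "auth_svr_host:port",
            "auth.user": "user_name",
            "auth.password": "pw",
            "auth.trust": "auth-trust.pem",
            "server.cert": "eftl_publ_cert.pem",
            "private.key": "eftl_key.pem",
            "private.key.password": "pw",
            "ssl.params": "eftl-ems-ssl.txt",
        }
    },
    "servers": {
        "ftl1": [{"realm": {}}, {"eftl": {}}],
        "eftl1": {"listen": "wss://host1:9191"},
    },
}

# Parameter groups that only make sense when supplied together.
AUTH_KEYS = ("auth.url", "auth.user", "auth.password", "auth.trust")
CERT_KEYS = ("server.cert", "private.key", "private.key.password")


def _incomplete(section, keys, label):
    """Return a finding if some but not all keys of a group are present."""
    present = [k for k in keys if k in section]
    if present and len(present) != len(keys):
        missing = sorted(set(keys) - set(present))
        return "%s settings incomplete: missing %s" % (label, ", ".join(missing))
    return None


def check_eftl_security(config):
    """Return a list of findings; an empty list means every check passed."""
    findings = []
    eftl = config.get("services", {}).get("eftl", {})
    # Authenticated user names must be appended to forwarded messages.
    if eftl.get("publish.user") is not True:
        findings.append("publish.user is not enabled in the eftl service")
    findings.extend(f for f in (_incomplete(eftl, AUTH_KEYS, "external auth"),
                                _incomplete(eftl, CERT_KEYS, "certificate")) if f)
    # Every eFTL listener should use the secure WebSocket scheme (assumption).
    for name, server in config.get("servers", {}).items():
        if isinstance(server, dict) and "listen" in server:
            scheme = urlparse(server["listen"]).scheme
            if scheme != "wss":
                findings.append("%s: listen uses %r, expected 'wss'" % (name, scheme))
    return findings
```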