To secure an eFTL service, complete this task.
Prerequisites
All FTL servers must be secure.
If any channels use EMS servers or FTL persistence services, those services must also be secure.
Procedure
- Verify secure transport protocols.
The cluster-facing transport and all the channel application-facing transports must be secure. Check their protocols in the transports grid. Use only these transport protocols:
  - Secure Dynamic TCP
  - Secure TCP
  - Secure Auto
Example Configuration File
globals:
  core.servers:
    ftl1: host1:8585
    ftl2: host2:8585
    ftl3: host3:8585
services:
  eftl:
    name: my_eftl_cluster
    publish.user: true
    auth.url: auth_svr_host:port
    auth.user: user_name
    auth.password: pw
    auth.trust: auth-trust.pem
    server.cert: eftl_publ_cert.pem
    private.key: eftl_key.pem
    private.key.password: pw
    ssl.params: eftl-ems-ssl.txt
servers:
  ftl1:
    - realm: {}
    - eftl: {}
  eftl1:
    listen: wss://host1:9191
    # ...
- Include authenticated user names.
Specify the parameter publish.user in the eFTL service section of the FTL server configuration file.
With this option, the eFTL service appends a field to messages published by eFTL client apps when it forwards them to FTL and EMS subscribers. That field contains the authenticated user name of the eFTL publisher. FTL and EMS application code can use this user name to authorize requests.
- If used, specify the authentication service.
Optionally, eFTL services can use an external authentication service (JAAS, LDAP, etc.) instead of the built-in authentication service in the FTL server. To do this, supply the parameters auth.url, auth.user, auth.password, and auth.trust in the eFTL service section of the FTL server configuration file.
For further details, see the following topics in TIBCO eFTL Administration:
  - "Client Authentication and Authorization"
  - "Channel Details Panel"
- Optional. For a user-specified certificate instead of the FTL server default certificate, supply the parameters listen, server.cert, private.key, and private.key.password. The eFTL service uses the certificate to identify itself to clients. See the example above.
- Optional. Specify client authorization groups.
eFTL channels can regulate client access to publish and subscribe operations. To enable this feature, complete the following steps:
  - In the eFTL clusters grid, enable the authorization column for each relevant cluster.
  - In the channel details panel, configure a publish group and a subscribe group for each relevant channel.
  - Ensure that each user name is in the appropriate authorization groups.
- Optional. Secure FTL persistence services.
- Optional. Secure connections to EMS servers.
If any channels use EMS messaging, specify the ssl.params parameter in the eFTL service section of the FTL server configuration file. Supply the location of a configuration file as its value.
For details about the content of that file, see "SSL Parameters for EMS Connections" in TIBCO eFTL Administration.
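The steps above can be checked mechanically against the FTL server configuration file. The following script is an added example, not TIBCO code: it parses the services and servers sections of the configuration example above (with a small constructed parser for that indented key/value subset of YAML, not a full YAML library), then reports an eFTL service section that does not enable publish.user, that supplies only some of the auth.url/auth.user/auth.password/auth.trust or server.cert/private.key/private.key.password parameters, that lacks ssl.params when channels use EMS, or whose listen URL is not a wss:// endpoint as in the example. The last check is an assumption drawn from the example, and the uses_ems flag, the function names and the weakened second configuration are all constructed for this example.

```python
"""Audit the eFTL service section of an FTL server configuration (added example, not TIBCO's
code). The parser is constructed for the indented key/value subset of YAML in the example above."""

AUTH_PARAMS = ("auth.url", "auth.user", "auth.password", "auth.trust")
CERT_PARAMS = ("server.cert", "private.key", "private.key.password")

def _scalar(value):
    """`{}` or nothing -> empty mapping, true/false -> bool, anything else -> string."""
    v = value.strip()
    return {} if v in ("", "{}") else (v.lower() == "true" if v.lower() in ("true", "false") else v)

def parse_ftl_config(text):
    """Parse `key: value`, `key:` (nested mapping) and `- key: value` (list item) lines."""
    root = {}
    stack = [(-1, root, None, None)]  # (indent, container, parent, key in parent)
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].rstrip()  # drop comments and blank lines
        if not line.strip():
            continue
        indent, body = len(line) - len(line.lstrip()), line.strip()
        while indent <= stack[-1][0]:  # close every mapping this line lies outside of
            stack.pop()
        _, container, parent, key = stack[-1]
        if body.startswith("- "):
            if isinstance(container, dict) and not container:
                container = []  # the key was opened as a mapping but holds list items
                parent[key] = container
                stack[-1] = (stack[-1][0], container, parent, key)
            k, sep, v = body[2:].partition(":")
            container.append({k.strip(): _scalar(v)} if sep else _scalar(k))
        else:
            k, _, v = body.partition(":")
            container[k.strip()] = _scalar(v)
            if not v.strip():  # `key:` with no value opens a nested mapping
                stack.append((indent, container[k.strip()], container, k.strip()))
    return root

def _listen_urls(entry):
    """Yield each `listen` value in a server entry (a mapping or a list of mappings)."""
    for item in entry if isinstance(entry, list) else [entry]:
        if isinstance(item, dict) and "listen" in item:
            yield item["listen"]

def audit_eftl_service(cfg, uses_ems=False):
    """Return findings against this page's checklist; an empty list means every check passed."""
    findings = []
    eftl = cfg.get("services", {}).get("eftl")
    if not isinstance(eftl, dict):
        return ["no eFTL service section (services.eftl) found"]
    if eftl.get("publish.user") is not True:
        findings.append("publish.user is not true: FTL/EMS subscribers cannot authorize by user name")
    # auth.* and the certificate parameters are only meaningful as complete sets
    for label, params in (("external authentication", AUTH_PARAMS),
                          ("user-specified certificate", CERT_PARAMS)):
        missing = [p for p in params if p not in eftl]
        if missing and len(missing) != len(params):
            findings.append(f"{label} is partially configured; missing {', '.join(missing)}")
    if uses_ems and "ssl.params" not in eftl:
        findings.append("channels use EMS but ssl.params is not set")
    # assumption: eFTL client listeners should use wss://, as the example above does
    for server, entry in cfg.get("servers", {}).items():
        for url in _listen_urls(entry):
            if not str(url).startswith("wss://"):
                findings.append(f"server {server}: listen {url} is not a wss:// endpoint")
    return findings

# Services and servers sections of the configuration example on this page.
SECURE_CONFIG = """
services:
  eftl:
    name: my_eftl_cluster
    publish.user: true
    auth.url: auth_svr_host:port
    auth.user: user_name
    auth.password: pw
    auth.trust: auth-trust.pem
    server.cert: eftl_publ_cert.pem
    private.key: eftl_key.pem
    private.key.password: pw
    ssl.params: eftl-ems-ssl.txt
servers:
  ftl1:
    - realm: {}
    - eftl: {}
  eftl1:
    listen: wss://host1:9191
"""

# Constructed weak variant: publish.user off, auth.trust and ssl.params missing, ws:// listener.
WEAK_CONFIG = (SECURE_CONFIG.replace("publish.user: true", "publish.user: false")
               .replace("    auth.trust: auth-trust.pem\n", "")
               .replace("    ssl.params: eftl-ems-ssl.txt\n", "")
               .replace("wss://", "ws://"))

if __name__ == "__main__":
    for name, text in (("secure", SECURE_CONFIG), ("weak", WEAK_CONFIG)):
        for finding in audit_eftl_service(parse_ftl_config(text), uses_ems=True) or ["ok"]:
            print(f"{name}: {finding}")
```

Run as-is it prints "secure: ok" followed by four findings for the weakened copy. The transport protocols from the first step are not covered, because the page checks them in the transports grid rather than naming their form in the configuration file; extend the audit once those keys are known for your FTL version.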
Copyright © Cloud Software Group, Inc. All rights reserved.