Securing Log Services

To secure an FTL log service (tiblogsvc process), complete this task.

Prerequisites

All FTL servers must be secure.

The enterprise authentication system must define user names and associate them with appropriate FTL authorization groups.

The monitoring database (InfluxDB) must be secure.

Procedure

Example Command Line

tiblogsvc \
          --ftlserver "https://ftl1:8585|https://ftl2:8585|https://ftl3:8585" \
          --ftlserver-password-file logsvc-creds.txt \
          --ftlserver-trust-file ftl-trust.pem \
          --influx-server https://influx-host:8086 \
          --influx-password-file logsvc-influx-creds.txt \
          --influx-trust-file influx-trust.pem \
          --http-certificate logsvc-cert.pem \
          --http-key logsvc-key.pem \
          --http-password-file my_pw_file

  1. Connect only to secure FTL servers using HTTPS.
    When you supply the --ftlserver parameter on the log service command line, specify URLs with HTTPS protocol.
  2. Arrange authentication credentials to the FTL server.
    Supply the location of the log service's credentials as the value of the --ftlserver-password-file parameter on the log service command line. Ensure that this file is protected from unauthorized access.

    The user name in the file must be in the authorization group ftl.

    For further details, see "Log Service Command Line Reference (tiblogsvc)" in TIBCO FTL Monitoring.

    For file syntax, see "Password File" in TIBCO FTL Administration.

  3. Arrange trust in the FTL servers.
    Arrange access to a copy of the FTL server trust file.

    Supply the file location as the value of the --ftlserver-trust-file parameter on the log service command line.

    For further details, see "Trust File" in TIBCO FTL Administration.

  4. Connect only to a secure InfluxDB server using HTTPS.
    When you supply the --influx-server parameter on the log service command line, specify a URL with HTTPS protocol.
  5. Arrange authentication credentials to the InfluxDB server.
    Supply the location of the log service's credentials as the value of the --influx-password-file parameter on the log service command line. Ensure that this file is protected from unauthorized access.

    For further details, see "Log Service Command Line Reference (tiblogsvc)" in TIBCO FTL Monitoring.

    For file syntax, see "Password File" in TIBCO FTL Administration.

  6. Arrange trust in the InfluxDB servers.
    Arrange access to a copy of the InfluxDB server trust file.

    Supply the file location as the value of the --influx-trust-file parameter on the log service command line.

    For further details, see "Trust File" in TIBCO FTL Administration.

  7. Arrange TLS artifacts so the log service can authenticate itself to clients.
    1. Obtain a certificate identity for the log service.
    2. Supply the location of the certificate file as the value of the --http-certificate parameter on the log service command line.
    3. Supply the location of the key file as the value of the --http-key parameter on the log service command line.
      Ensure that this file is protected from unauthorized access.
    4. Supply the key file password using the --http-password-file parameter.
      (The --http-password parameter is not sufficiently secure.)
    5. Ensure that HTTPS clients trust the log service's certificate.
      • Browser Client: Install the certificate (or the CA certificate) in the requesting browser.
      • Utility Client: Supply the certificate (or the CA certificate) to the request utility. For example, curl --cacert certificate.
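
The following pre-flight check is an added example, not part of TIBCO's documentation or tooling. It takes the same arguments you intend to pass to tiblogsvc and reports any server URL that is not HTTPS, any password or key file that is missing or readable by group or other, and any use of --http-password. The function names (check_logsvc_args, secret_file_ok, urls_are_https) are hypothetical, and a POSIX shell is assumed.

```sh
# Pre-flight check for a tiblogsvc argument list (added example).
# Returns 0 when nothing is reported, 1 otherwise; findings go to stderr.

# A secret file must exist and grant nothing to group or other.
secret_file_ok() {
    [ -f "$1" ] || { echo "FINDING: '$1' is missing" >&2; return 1; }
    perms=$(ls -ldL -- "$1" | cut -c5-10)   # group+other permission bits
    [ "$perms" = "------" ] && return 0
    echo "FINDING: '$1' allows group/other access ($perms)" >&2
    return 1
}

# Every URL in a pipe-separated list must use the https scheme.
urls_are_https() {
    [ -n "$1" ] || { echo "FINDING: empty server URL" >&2; return 1; }
    rc=0; old_ifs=$IFS; IFS='|'; set -f
    for u in $1; do
        case $u in
            https://*) ;;
            *) echo "FINDING: '$u' is not an HTTPS URL" >&2; rc=1 ;;
        esac
    done
    set +f; IFS=$old_ifs
    return $rc
}

check_logsvc_args() {
    findings=0
    while [ $# -gt 0 ]; do
        opt=$1; val=${2-}; shift
        case $opt in
            --ftlserver|--influx-server)
                urls_are_https "$val" || findings=1 ;;
            --ftlserver-password-file|--influx-password-file|\
            --http-password-file|--http-key)
                secret_file_ok "$val" || findings=1 ;;
            --http-password)
                echo "FINDING: --http-password used; use --http-password-file" >&2
                findings=1 ;;
        esac
    done
    return $findings
}

# When run as a script with arguments, check them.
[ $# -eq 0 ] || check_logsvc_args "$@"
```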