Securing eFTL Services
To secure an eFTL service, complete this task.
Before you begin
All FTL servers must be secure. See Securing FTL Servers.
If any channels use EMS servers or FTL persistence services, those services must also be secure.
Procedure
- Verify secure transport protocols.
The cluster-facing transport and all the channel application-facing transports must be secure. Check their protocols in the transports grid.
Use only these transport protocols:
- Secure Dynamic TCP
- Secure TCP
- Secure Auto
- Include authenticated user names.
Specify the parameter publish.user in the eFTL service section of the FTL server configuration file. With this option, the eFTL service appends a field to messages published by eFTL client apps when it forwards them to FTL and EMS subscribers. That field contains the authenticated user name of the eFTL publisher. FTL and EMS application code can use this user name to authorize requests.
- If used, specify the authentication service.
Optionally, eFTL services can use an external authentication service (JAAS, LDAP, etc.), instead of the built-in authentication service in the FTL server. To use an external authentication service, supply the parameters eftl.auth.url, eftl.auth.user, eftl.auth.password, and eftl.auth.trust in the eftl section of the FTL server configuration file.
For further details, see the following topics in TIBCO eFTL Administration:
- Optional. For a user-specified certificate instead of the FTL server default certificate, supply the parameters custom.cert, custom.cert.private.key, and custom.cert.private.key.password in the globals section of the FTL server configuration file. The FTL server uses this certificate to identify itself to clients.
See the "Example Configuration File" on this page and FTL Server Configuration Parameters in TIBCO FTL Administration.
- Optional. Specify client authorization groups.
eFTL channels can regulate client access to publish and subscribe operations. To enable this feature, complete the following steps:
- In the eFTL clusters grid, enable the authorization column for each relevant cluster.
- In the channel details panel, configure a publish group and a subscribe group for each relevant channel.
- Ensure that each user name is in the appropriate authorization groups.
- Optional. Secure FTL persistence services.
If any channels use FTL persistence stores, then complete the task Securing Persistence Services.
- Optional. Secure connections to EMS servers.
If any channels use EMS messaging, specify the ssl.params parameter in the eFTL service section of the FTL server configuration file. Supply the location of a configuration file as its value.
For details about the content of that file, see SSL Parameters for EMS Connections in TIBCO eFTL Administration.
Example Configuration File
globals:
  core.servers:
    ftl1: host1:8585
    ftl2: host2:8585
    ftl3: host3:8585
  custom.cert: <custom_cert.pem>
  custom.cert.private.key: <custom_key.pem>
  custom.cert.private.key.password: <custom_pw>
services:
  eftl:
    name: my_eftl_cluster
    publish.user: true
    eftl.auth.url: <auth_svr_host>:<port>
    eftl.auth.user: <user_name>
    eftl.auth.password: <pw>
    eftl.auth.trust: auth-trust.pem
    ssl.params: eftl-ems-ssl.txt
servers:
  ftl1:
    - realm: {}
    - eftl: {}
  # ...
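The following script is an added example, not TIBCO code, that audits a configuration against the steps of the procedure above: secure transport protocols, publish.user enabled, the custom-certificate and external-authentication parameter groups complete when used, ssl.params present when EMS is used, and no template placeholders left in a deployed file. It models the configuration as nested Python dicts mirroring the YAML layout of the example file; the transport protocols are passed separately as (name, protocol) pairs copied from the transports grid, since the grid is not a configuration-file key. Treating a partially supplied parameter group as a finding is this checker's policy, and all sample values, host names and file names are constructed.

```python
"""Audit an FTL server configuration against the eFTL hardening steps above.

Added example, not TIBCO code. The config is modelled as nested dicts mirroring
the example file (globals, services.eftl). Transport protocols are supplied as
(name, protocol) pairs taken from the transports grid; that list is an input of
this checker, not a real FTL configuration parameter.
"""
from typing import Dict, List, Tuple

# The only transport protocols the procedure permits.
SECURE_PROTOCOLS = {"Secure Dynamic TCP", "Secure TCP", "Secure Auto"}

# Parameter groups the procedure says to supply together. This checker treats a
# partially supplied group as a misconfiguration; an absent group is fine.
CUSTOM_CERT_PARAMS = ("custom.cert", "custom.cert.private.key",
                      "custom.cert.private.key.password")
EXTERNAL_AUTH_PARAMS = ("eftl.auth.url", "eftl.auth.user",
                        "eftl.auth.password", "eftl.auth.trust")


def is_placeholder(value) -> bool:
    """True for values still in the documentation's <angle-bracket> form."""
    return isinstance(value, str) and value.startswith("<") and value.endswith(">")


def check_group(section: Dict, params: Tuple[str, ...], label: str) -> List[str]:
    """Flag a parameter group that is only partly supplied."""
    present = [p for p in params if p in section]
    if present and len(present) != len(params):
        missing = [p for p in params if p not in section]
        return [f"{label}: {', '.join(present)} set but {', '.join(missing)} missing"]
    return []


def audit_eftl_config(config: Dict, transports: List[Tuple[str, str]],
                      uses_ems: bool) -> List[str]:
    """Return a list of findings; an empty list means every check passed."""
    findings: List[str] = []
    globals_ = config.get("globals", {})
    eftl = config.get("services", {}).get("eftl", {})

    # Step 1: cluster-facing and application-facing transports must all be secure.
    for name, proto in transports:
        if proto not in SECURE_PROTOCOLS:
            findings.append(f"transport {name}: protocol '{proto}' is not secure")

    # Step 2: publish.user lets FTL/EMS subscribers authorize by authenticated user name.
    if eftl.get("publish.user") is not True:
        findings.append("services.eftl.publish.user is not true")

    # Steps 4 and 3: the optional certificate and external-auth groups must be complete if used.
    findings += check_group(globals_, CUSTOM_CERT_PARAMS, "globals custom certificate")
    findings += check_group(eftl, EXTERNAL_AUTH_PARAMS, "services.eftl external authentication")

    # Step 7: channels that use EMS need ssl.params pointing at the SSL parameter file.
    if uses_ems and not eftl.get("ssl.params"):
        findings.append("EMS channels in use but services.eftl.ssl.params is not set")

    # Template placeholders left in a deployed file are a deployment error.
    for section_name, section in (("globals", globals_), ("services.eftl", eftl)):
        for key, value in section.items():
            if is_placeholder(value):
                findings.append(f"{section_name}.{key} still holds placeholder {value}")
    return findings


# Constructed sample 1: the page's template with its placeholders untouched.
TEMPLATE_CONFIG = {
    "globals": {
        "core.servers": {"ftl1": "host1:8585", "ftl2": "host2:8585", "ftl3": "host3:8585"},
        "custom.cert": "<custom_cert.pem>",
        "custom.cert.private.key": "<custom_key.pem>",
        "custom.cert.private.key.password": "<custom_pw>",
    },
    "services": {"eftl": {
        "name": "my_eftl_cluster", "publish.user": True,
        "eftl.auth.url": "<auth_svr_host>:<port>", "eftl.auth.user": "<user_name>",
        "eftl.auth.password": "<pw>", "eftl.auth.trust": "auth-trust.pem",
        "ssl.params": "eftl-ems-ssl.txt",
    }},
}
# Constructed sample 2: publish.user absent, external-auth group incomplete, ssl.params missing.
WEAK_CONFIG = {
    "globals": {"custom.cert": "eftl-server.pem", "custom.cert.private.key": "eftl-server.key",
                "custom.cert.private.key.password": "example-only"},
    "services": {"eftl": {"name": "my_eftl_cluster",
                          "eftl.auth.url": "auth.example.internal:8443",
                          "eftl.auth.user": "eftl-svc"}},
}
WEAK_TRANSPORTS = [("cluster", "Secure TCP"), ("app-web", "TCP")]  # constructed grid
# Constructed sample 3: the template with every placeholder replaced by a value.
HARDENED_CONFIG = {
    "globals": {**TEMPLATE_CONFIG["globals"], **WEAK_CONFIG["globals"]},
    "services": {"eftl": {**TEMPLATE_CONFIG["services"]["eftl"],
                          "eftl.auth.url": "auth.example.internal:8443",
                          "eftl.auth.user": "eftl-svc", "eftl.auth.password": "example-only"}},
}
SECURE_TRANSPORTS = [("cluster", "Secure TCP"), ("app-web", "Secure Dynamic TCP"),
                     ("app-auto", "Secure Auto")]

if __name__ == "__main__":
    for label, cfg, grid in (("template", TEMPLATE_CONFIG, SECURE_TRANSPORTS),
                             ("weak", WEAK_CONFIG, WEAK_TRANSPORTS),
                             ("hardened", HARDENED_CONFIG, SECURE_TRANSPORTS)):
        result = audit_eftl_config(cfg, grid, uses_ems=True)
        print(f"{label}: {len(result)} finding(s)")
        for line in result:
            print("  -", line)
```

Run as-is, the template produces six placeholder findings, the weak sample produces one finding per violated step, and the hardened sample produces none. Whether EMS channels exist is not visible in the configuration file itself, so uses_ems is an explicit input the operator sets from the channel definitions.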