Securing eFTL Services

To secure an eFTL service, complete this task.

Before you begin

All FTL servers must enable authentication. Administrators may optionally enable TLS and fine-grained permissions.

If any channels use EMS servers or FTL persistence services, those services must also be secure.

Procedure

  1. Verify secure transport protocols.

    This ensures that authentication (and, optionally, TLS) is enabled for all FTL transport connections.

    The cluster-facing transport and all the channel application-facing transports must be secure. Check their protocols in the transports grid.

    Use only these transport protocols:

    • Secure Dynamic TCP
    • Secure TCP
    • Secure Auto
  2. Include authenticated usernames.

    Specify the parameter publish.user in the eFTL service section of the FTL server configuration file.

    With this option, the eFTL service appends a field to messages published by eFTL client apps when it forwards them to FTL and EMS subscribers. That field contains the authenticated username of the eFTL publisher. FTL and EMS application code can use this username to authorize requests.

  3. Enable authentication for eFTL client connections.

  4. Optional. Enable fine-grained permissions for eFTL channels.

  5. Optional. Enable TLS for FTL server. This also enables TLS for eFTL client connections. For details, see Enabling TLS for FTL Server.

  6. Enabling TLS for FTL Server

  7. For details about the content of that file, see SSL Parameters for EMS Connections in TIBCO eFTL Administration.
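
Step 2 notes that FTL and EMS application code can use the appended username to authorize requests. The following is an added example, not TIBCO code: it models that subscriber-side check in Python and denies by default. The field name in USER_FIELD, the "action" and "requested_by" fields, the PERMISSIONS table and the dict-shaped messages are all assumptions made for illustration.

```python
# Added example: subscriber-side authorization using the username field that the
# eFTL service appends when publish.user is set.
# Assumptions (hypothetical, not from the product docs): USER_FIELD, the
# "action" and "requested_by" fields, the PERMISSIONS table, dict-shaped messages.

USER_FIELD = "user"  # placeholder: substitute the field name your deployment uses

PERMISSIONS = {
    "alice": {"order.read", "order.create"},
    "bob": {"order.read"},
}


def authorize(message, permissions=PERMISSIONS):
    """Return (allowed, reason). Denies unless every check passes."""
    user = message.get(USER_FIELD)
    # Fail closed: without the appended field there is no authenticated identity.
    if not isinstance(user, str) or not user.strip():
        return False, "missing authenticated username"
    action = message.get("action")
    if not isinstance(action, str) or not action:
        return False, "missing action"
    allowed = permissions.get(user)
    if allowed is None:
        return False, "user has no permissions entry"
    if action not in allowed:
        return False, "action not permitted for user"
    return True, "ok"


# Constructed sample messages, as a subscriber might see them after forwarding.
SAMPLES = [
    {USER_FIELD: "alice", "action": "order.create"},
    # The payload claims alice, but the appended field says bob: bob's rights apply.
    {USER_FIELD: "bob", "action": "order.create", "requested_by": "alice"},
    {"action": "order.read", "requested_by": "alice"},  # no appended field
    {USER_FIELD: "mallory", "action": "order.read"},     # not in PERMISSIONS
]


def decide_all(messages):
    """Apply authorize() to each message, preserving order."""
    return [authorize(m) for m in messages]


if __name__ == "__main__":
    for msg, (ok, reason) in zip(SAMPLES, decide_all(SAMPLES)):
        print("ALLOW" if ok else "DENY ", reason, msg)
```

The decision reads only the field added by the eFTL service; identity values a client places in the message body, such as the constructed "requested_by" field, never influence it.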