Securing Applications

To implement security on the application side, developers focus on the realm connect call and its arguments: the URLs passed to it and the properties that accompany it. Complete this task, or use its steps as a checklist.

Administrators determine whether authentication and, optionally, TLS are required for client connections.

If authentication is required, application developers must pass properties that identify the application to the realm connect call. There are three possibilities:

  • Basic auth (user name and password): The application must set the user name and user password properties. The administrator must configure at least one auth provider that accepts a user name and password: the built-in flat-file authenticator, the built-in LDAP authenticator, or the customizable HTTP(S) authenticator.

  • mTLS auth: The application must set the CLIENT_CERT and CLIENT_PRIVATE_KEY properties. If the private key is encrypted, the application must also set the CLIENT_PRIVATE_KEY_PASSWORD property; treat that password as a secret in its own right and supply it from a secrets store or the environment rather than as a literal in source. TLS is required (see below). The administrator must configure FTL server to use the mTLS auth provider.

  • OAuth2: The application must provide either an OAuth2 access token (a signed JWT), or the URL of an OAuth2 server together with the credentials needed to obtain an access token from it. The administrator must configure FTL server to use the OAuth2 auth provider.

If TLS is required (in addition to authentication), application developers must use the https scheme for every URL passed to the realm connect call. Applications must also specify how to trust FTL server's TLS certificate. There are two possibilities:

  • Trust file: The application must set the TRUST_FILE property. The trust file is supplied by the administrator. This is the only valid method when the administrator uses FTL-generated certificates.

  • System trust store: If the application does not set a trust file, the FTL library loads the system trust store. The root (and any intermediate) certificates of the chain the administrator installed on FTL server must be present in the system trust store. This method is only supported when the administrator configures user-defined certificates. (The FTL-generated trust file cannot be installed in the system trust store.)

For details, see Enabling TLS for FTL Server.

When using TLS with user-defined certificates, the host name in the URL passed to the realm connect call must match one of the subject alternative names (SANs) in FTL server's certificate, or the connection fails.

When using TLS, FTL application developers may specify the OpenSSL security level. (The OpenSSL library is used for connections to FTL server and to other FTL clients.) A higher security level rejects certificates, keys and cipher suites below a minimum strength, so a level that is too high for the administrator's certificates causes connections to fail.

For details, see the developer API Documentation in Web Help or in the FTL include directory.
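The following Python module is an added example, not code from the original page or from TIBCO FTL. It assembles the property set for the realm connect call from the checklist above and rejects combinations the checklist forbids (a non-https URL when TLS is required, an FTL-generated certificate without a trust file, an encrypted client key without a password, an OAuth2 token that is not a JWT), and it includes the host-name-against-SAN match that a user-defined certificate must satisfy. Assumptions: the dictionary keys are the property names this page uses (USERNAME, USERPASSWORD, CLIENT_CERT, CLIENT_PRIVATE_KEY, CLIENT_PRIVATE_KEY_PASSWORD, TRUST_FILE) and must be mapped to the SDK's real constants when wired in; OAUTH2_TOKEN, OAUTH2_SERVER_URL, OAUTH2_CLIENT_ID, OAUTH2_CLIENT_SECRET and SECURITY_LEVEL are hypothetical placeholder keys; the SAN DNS names given to hostname_matches_san are extracted from the server certificate by you (for example with openssl x509 -noout -ext subjectAltName); the realm connect call itself is not shown.

```python
"""Added example: assemble realm-connect properties per the checklist above."""
import re
from urllib.parse import urlsplit

# Dictionary keys named after the properties on this page; the SDK's constant
# names may differ. OAUTH2_* and SECURITY_LEVEL are hypothetical placeholders.
USERNAME, USERPASSWORD = "USERNAME", "USERPASSWORD"
CLIENT_CERT, CLIENT_PRIVATE_KEY = "CLIENT_CERT", "CLIENT_PRIVATE_KEY"
CLIENT_PRIVATE_KEY_PASSWORD = "CLIENT_PRIVATE_KEY_PASSWORD"
TRUST_FILE, SECURITY_LEVEL = "TRUST_FILE", "SECURITY_LEVEL"
OAUTH2_TOKEN, OAUTH2_SERVER_URL = "OAUTH2_TOKEN", "OAUTH2_SERVER_URL"
OAUTH2_CLIENT_ID, OAUTH2_CLIENT_SECRET = "OAUTH2_CLIENT_ID", "OAUTH2_CLIENT_SECRET"

# A signed JWT is three base64url segments separated by dots.
_JWT_RE = re.compile(r"^[A-Za-z0-9_-]+\.[A-Za-z0-9_-]+\.[A-Za-z0-9_-]+$")


def private_key_is_encrypted(pem_text):
    """True when the PEM key needs a passphrase: PKCS#8 'BEGIN ENCRYPTED PRIVATE
    KEY', or the legacy OpenSSL marker 'Proc-Type: 4,ENCRYPTED'."""
    return ("BEGIN ENCRYPTED PRIVATE KEY" in pem_text
            or "Proc-Type: 4,ENCRYPTED" in pem_text)


def hostname_matches_san(hostname, san_dns_names):
    """RFC 6125-style match of the connect host against the certificate's SAN DNS
    names: case-insensitive, wildcard honoured only as the whole left-most label."""
    host = hostname.lower().rstrip(".")
    for name in san_dns_names:
        name = name.lower().rstrip(".")
        if name.startswith("*."):
            suffix = name[1:]                                   # ".example.com"
            label = host[:-len(suffix)] if host.endswith(suffix) else None
            if label and "." not in label:                      # no cross-dot match
                return True
        elif name == host:
            return True
    return False


def build_realm_properties(urls, auth, tls_required, trust_file=None,
                           ftl_generated_certs=False, security_level=None):
    """Return the property dict for the realm connect call, or raise ValueError
    when the arguments violate the checklist. `auth` is None when the
    administrator requires no authentication, else a dict whose "mode" is
    "basic", "mtls" or "oauth2" plus that mode's fields."""
    props = {}
    mode = auth["mode"] if auth else None
    if tls_required or mode == "mtls":                          # mTLS implies TLS
        for u in urls:                                          # every URL must be https
            if urlsplit(u).scheme != "https":
                raise ValueError(f"TLS required but URL is not https: {u}")
        if trust_file:
            props[TRUST_FILE] = trust_file
        elif ftl_generated_certs:                               # system store not usable
            raise ValueError("FTL-generated certificates require TRUST_FILE")
        if security_level is not None:
            props[SECURITY_LEVEL] = int(security_level)
    if mode is None:
        return props
    if mode == "basic":
        if not (auth.get("username") and auth.get("password")):
            raise ValueError("basic auth needs both user name and password")
        props[USERNAME], props[USERPASSWORD] = auth["username"], auth["password"]
    elif mode == "mtls":
        props[CLIENT_CERT] = auth["cert_file"]
        props[CLIENT_PRIVATE_KEY] = auth["key_file"]
        pem = auth.get("key_pem") or open(auth["key_file"]).read()
        if private_key_is_encrypted(pem):                       # password only if encrypted
            if not auth.get("key_password"):
                raise ValueError("encrypted key needs CLIENT_PRIVATE_KEY_PASSWORD")
            props[CLIENT_PRIVATE_KEY_PASSWORD] = auth["key_password"]
    elif mode == "oauth2":
        if auth.get("access_token"):
            if not _JWT_RE.match(auth["access_token"]):
                raise ValueError("oauth2 access token must be a signed JWT")
            props[OAUTH2_TOKEN] = auth["access_token"]
        elif all(auth.get(k) for k in ("server_url", "client_id", "client_secret")):
            props[OAUTH2_SERVER_URL] = auth["server_url"]
            props[OAUTH2_CLIENT_ID] = auth["client_id"]
            props[OAUTH2_CLIENT_SECRET] = auth["client_secret"]
        else:
            raise ValueError("oauth2 needs an access token, or server URL plus credentials")
    else:
        raise ValueError(f"unknown auth mode {mode!r}")
    return props


if __name__ == "__main__":
    # Constructed input: an encrypted PKCS#8 key stub and the SAN names a
    # user-defined server certificate might carry.
    key_pem = "-----BEGIN ENCRYPTED PRIVATE KEY-----\n...\n-----END ENCRYPTED PRIVATE KEY-----\n"
    url = "https://ftl1.example.com:8585"
    print(build_realm_properties([url], {"mode": "mtls", "cert_file": "client.pem",
                                         "key_file": "client.key", "key_pem": key_pem,
                                         "key_password": "changeit"},
                                 tls_required=True, trust_file="ftl-trust.pem", security_level=2))
    print(hostname_matches_san(urlsplit(url).hostname, ["ftl1.example.com", "*.example.com"]))
```

Run the checks before calling the SDK rather than after: a missing https scheme or an unusable trust configuration fails at connect time with a TLS error that is harder to diagnose than a ValueError naming the checklist item that was skipped.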

After the realm connect call succeeds, any secured transports the application uses enforce the same authentication and TLS requirements automatically; no further application code is needed. The administrator must decide which transports to secure (for example, persistence service transports, eFTL service transports, group service transports, or peer-to-peer transports).

The administrator may optionally configure additional authorization checks (permissions) for persistence stores and eFTL channels.

For details, see Authorization.