Securing FTL: Overview

To ensure security among FTL applications, eFTL applications, FTL servers, and administrative tools, administrators complete the following tasks.

Procedure

  1. Applications:

    You must enable authentication and authorization at FTL server. You must also decide whether applications communicate directly with each other (peer-to-peer), or if they communicate through persistence services provided by the FTL server (broker-based). For background, see FTL Configuration Overview. Also see Securing Applications.

    If applications need to communicate directly with each other, then you must enable TLS using FTL-generated certificates. For more information, see Enabling TLS for FTL Server. Also, all transports used for peer-to-peer communication must be marked as secure in the realm configuration. Use only these transport protocols:

    • Secure Dynamic TCP

    • Secure TCP

    If applications communicate with services provided by FTL server (for example, persistence services), then you may use TLS with either FTL-generated certificates or user-defined certificates. Then take these additional steps:

    • TLS may be enabled at FTL server (see step 3). Alternatively, administrators may provide TLS termination at an ingress point, or secure the network through other means.

    • Authentication and authorization must be enabled for all relevant services (see step 4).

  2. Authentication and Authorization:

    1. Configure authentication and authorization.

      1. Your role includes configuring your enterprise authentication and authorization system (such as an LDAP service) with appropriate information to support TIBCO FTL components and application users.

      2. For details, see Authentication.

  3. Enabling TLS:

    1. When enabling TLS at FTL server, you must choose whether to use FTL-generated certificates or user-defined certificates. For details, see Enabling TLS for FTL Server.

    2. If providing TLS termination at an ingress point with a user-defined certificate, do not enable TLS at FTL server. Instead, instruct application developers to enable TLS in their applications, and provide the appropriate trust file.

  4. TIBCO FTL Component Services:

    • Secure all transport bridges. Verify that the transports interconnected by the bridges use only secure transport protocols. Transport bridges might be used in the peer-to-peer messaging architecture to bridge networks used by client programs.

      For details, see Securing Transport Bridges.

    • Secure all persistence services. Configure the persistence clusters so that all relevant transports use only secure transport protocols. Persistence clusters are used in the broker-based messaging architecture and provide messaging services on behalf of client programs.

      For details, see Securing Persistence Services.

    • Secure all eFTL services.

      TIBCO eFTL services must use secure transports to communicate with one another, and with eFTL applications. Your role includes these subtasks:

      • Reconfigure the automatically generated eFTL transport definitions so that all relevant transports use only secure transport protocols.

      • Configure channels with appropriate authorization groups.

      • Coordinate with application developers to ensure that eFTL clients connect to the eFTL services using the secure web sockets protocol (WSS).

  5. Secure the FTL server data directories and files against unwanted access by other users.
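The checks in steps 1, 4, and 5 above are the kind an administrator repeats after every realm change, so they are worth scripting. The following is an added example, not TIBCO's code and not the format of an FTL realm export: it applies the procedure's rules (only Secure TCP and Secure Dynamic TCP, and only transports marked secure, for peer-to-peer traffic; bridges and persistence clusters must join only such transports; eFTL clients must use WSS; the server data directory must not be readable by other users) to a constructed inventory. The dictionary field names, the sample transport and bridge names, and the example eFTL URLs are assumptions made for this example; adapt the loader to whatever realm export or tooling you actually use.

```python
"""Added example (not TIBCO's code): audit helpers for the FTL securing
procedure, run against a constructed inventory with hypothetical field names."""
import os
import stat
import tempfile
from urllib.parse import urlparse

# Step 1: the only transport protocols permitted for peer-to-peer traffic.
SECURE_PROTOCOLS = frozenset({"Secure TCP", "Secure Dynamic TCP"})

# Constructed sample inventory; "secure" mirrors the realm's "marked secure" flag.
SAMPLE_TRANSPORTS = {
    "tcp-ingest":    {"protocol": "TCP",                "secure": False},
    "stcp-ingest":   {"protocol": "Secure TCP",         "secure": True},
    "sdtcp-market":  {"protocol": "Secure Dynamic TCP", "secure": True},
    "stcp-unmarked": {"protocol": "Secure TCP",         "secure": False},
}
# Constructed bridges and persistence clusters: each lists the transports it joins.
SAMPLE_BRIDGES = [
    {"name": "bridge-a", "transports": ["stcp-ingest", "sdtcp-market"]},
    {"name": "bridge-b", "transports": ["tcp-ingest", "stcp-ingest"]},
]
# Constructed eFTL client connection URLs.
SAMPLE_EFTL_URLS = [
    "wss://eftl.example.internal:9191/channel",
    "ws://eftl.example.internal:9191/channel",
]


def audit_transports(transports):
    """Return the transports that fail step 1: a protocol outside the
    allowlist, or a secure protocol that is not marked secure in the realm.
    An allowlist is used deliberately so that any new or unknown protocol
    is reported rather than silently accepted."""
    return sorted(
        name for name, t in transports.items()
        if t["protocol"] not in SECURE_PROTOCOLS or not t.get("secure", False)
    )


def audit_bridges(bridges, transports):
    """Step 4: a bridge or persistence cluster is only as secure as every
    transport it interconnects, so flag any that joins a failing transport."""
    failing = set(audit_transports(transports))
    return sorted(
        b["name"] for b in bridges
        if any(name in failing for name in b["transports"])
    )


def audit_eftl_urls(urls):
    """Step 4 (eFTL): clients must use WSS; anything else is reported."""
    return [u for u in urls if urlparse(u).scheme.lower() != "wss"]


def audit_data_dir(path):
    """Step 5: report every directory or file under the FTL server data
    directory that group or others can read, write, or traverse."""
    findings = []
    for root, _dirs, files in os.walk(path):
        for entry in [root] + [os.path.join(root, f) for f in files]:
            mode = stat.S_IMODE(os.lstat(entry).st_mode)
            if mode & (stat.S_IRWXG | stat.S_IRWXO):
                findings.append((entry, oct(mode)))
    return findings


def make_sample_data_dir():
    """Construct a throwaway data directory containing one correctly
    restricted file and one over-permissive file, for demonstration."""
    base = tempfile.mkdtemp(prefix="ftl-data-")
    os.chmod(base, 0o700)
    restricted = os.path.join(base, "realm.db")
    with open(restricted, "w") as fh:
        fh.write("constructed sample\n")
    os.chmod(restricted, 0o600)
    loose = os.path.join(base, "audit.log")
    with open(loose, "w") as fh:
        fh.write("constructed sample\n")
    os.chmod(loose, 0o644)  # world-readable: should be reported
    return base, loose


if __name__ == "__main__":
    print("insecure transports:", audit_transports(SAMPLE_TRANSPORTS))
    print("bridges on insecure transports:", audit_bridges(SAMPLE_BRIDGES, SAMPLE_TRANSPORTS))
    print("eFTL URLs not using WSS:", audit_eftl_urls(SAMPLE_EFTL_URLS))
    base_dir, _ = make_sample_data_dir()
    print("over-permissive data files:", audit_data_dir(base_dir))
```

Note that "stcp-unmarked" is reported even though its protocol is Secure TCP: the procedure requires both a secure protocol and the secure marking in the realm configuration, and the audit treats either omission as a failure.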