|
| Copyright © Cloud Software Group, Inc. All Rights Reserved |
The Trusted model provides a simple yet effective mechanism for addressing authorization concerns. It addresses security issues as follows:
• Authentication: the Trusted security model does not guarantee the authenticity of the request.
• Integrity: the Trusted security model does not guarantee the integrity of the request.
• Authorization: the Trusted security model guarantees that only authorized users can perform restricted actions.
• Privacy: the Trusted security model does not address the privacy of the request. All requests are sent using plain text.

The Trusted model uses an ASCII file as a simple yet effective entitlement server. This has the benefit of being easily distributed to all nodes, making it a very scalable mechanism. A scan of the ASCII file for information about the user determines if the request will be granted.

Users are explicitly granted or denied access through the access control file. A user who is not in this file is not allowed to perform any operations on the TIBCO Hawk system. Access control information is in a plain ASCII file located in the HAWK_HOME/examples/security folder.

All trusted requests (both Trusted and TrustedWithDomain) can be logged to rolling log files in a directory of your choice.

The current log file is named Trusted.log. When it reaches the maximum size (size), it is closed and renamed Trusted1.log, and a new Trusted.log is started. When the number of logs exceeds the maximum (n), log entries roll over to reuse the oldest log file.
Tue Dec 31 11:14:13 EST 2002: Trusted operation: userID=HAWK-TRUSTDMN\hawkuser, node=hawkuser-DT:none:default, microagent=COM.TIBCO.hawk.microagent.SysInfo, method= getOperatingSystem.
Tue Dec 31 11:19:54 EST 2002: Trusted operation: userID= HAWK-TRUSTDMN\hawkuser, node=hawkuser-DT:none:default, microagent= COM.TIBCO.hawk.microagent.Repository, method= getRBMap - permission denied.

An agent using the Trusted or TrustedWithDomain security model allows users with either Trusted or TrustedWithDomain to access the agent.
• To allow access to a user who starts Hawk Display (or the Console API application) in Trusted security mode, the entry for <user> specified in the agent’s Trusted.txt or TrustedWithDomain.txt should not include the domain of the user who actually starts Hawk Display (or the Console API application).
• To allow access to a user who starts Hawk Display in TrustedWithDomain security mode, the entry for <user> specified in the agent’s Trusted.txt or TrustedWithDomain.txt should include the domain of the user who actually starts Hawk Display.
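
The Trusted.log entries shown above mark a refused request with a trailing "- permission denied". The following Python script is an added example, not TIBCO code: it parses such entries and counts denied operations per user, microagent and method. It assumes every entry follows the layout of the two sample lines on this page; parse_entry, summarize and SAMPLE are names chosen for the example.

```python
import re
from collections import Counter

# Layout inferred from the two sample entries on this page (an assumption,
# not a published format specification). The timestamp is kept as text.
ENTRY = re.compile(
    r"^(?P<ts>\w{3} \w{3} \d{1,2} \d\d:\d\d:\d\d \S+ \d{4}): Trusted operation: "
    r"userID=\s*(?P<user>[^,]+?), node=\s*(?P<node>[^,]+?), "
    r"microagent=\s*(?P<microagent>[^,]+?), method=\s*(?P<method>\S+?)"
    r"(?P<denied> - permission denied)?\.\s*$"
)

def parse_entry(line):
    """Return the fields of one Trusted.log entry, or None if it does not match."""
    m = ENTRY.match(line.strip())
    if m is None:
        return None
    fields = m.groupdict()
    fields["denied"] = fields["denied"] is not None
    return fields

def summarize(lines):
    """Count denied operations per (user, microagent, method); collect unparsed lines."""
    denied, unparsed = Counter(), []
    for line in lines:
        entry = parse_entry(line)
        if entry is None:
            unparsed.append(line)  # damaged entry or format drift: review by hand
        elif entry["denied"]:
            denied[(entry["user"], entry["microagent"], entry["method"])] += 1
    return denied, unparsed

# Constructed sample input: the first two lines repeat the entries shown above,
# the third and the truncated fourth are made up for this example.
SAMPLE = [
    r"Tue Dec 31 11:14:13 EST 2002: Trusted operation: userID=HAWK-TRUSTDMN\hawkuser, node=hawkuser-DT:none:default, microagent=COM.TIBCO.hawk.microagent.SysInfo, method= getOperatingSystem.",
    r"Tue Dec 31 11:19:54 EST 2002: Trusted operation: userID= HAWK-TRUSTDMN\hawkuser, node=hawkuser-DT:none:default, microagent= COM.TIBCO.hawk.microagent.Repository, method= getRBMap - permission denied.",
    r"Tue Dec 31 11:20:07 EST 2002: Trusted operation: userID=HAWK-TRUSTDMN\hawkuser, node=hawkuser-DT:none:default, microagent=COM.TIBCO.hawk.microagent.Repository, method=getRBMap - permission denied.",
    r"Tue Dec 31 11:25:02 EST 2002: Trusted operation: userID=",
]

if __name__ == "__main__":
    denied, unparsed = summarize(SAMPLE)
    for (user, agent, method), n in denied.most_common():
        print(f"{n} denied: {user} -> {agent}.{method}")
    print(f"{len(unparsed)} unparsed line(s)")
```

Because log entries roll over to reuse the oldest file, a summary like this only covers what is still on disk; run it before the files are reused or forward the logs elsewhere.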