Copyright © Cloud Software Group, Inc. All Rights Reserved

To Use the Trusted Model

Two sample access control files are included with TIBCO Hawk.

•	Trusted.txt can be used on UNIX or Microsoft Windows. It is used when the command line specifies Trusted.

•	TrustedWithDomain.txt is for use on Microsoft Windows only, and is used when the command line specifies TrustedWithDomain.

The access control files, Trusted.txt and TrustedWithDomain.txt, are described in the next section.

To use the Trusted model:

If you have multiple Hawk agents running on a machine and these Hawk agents, in turn, belong to different Hawk domains, you can specify separate access control files for each domain.

1.	For each Hawk domain, create a directory:

CONFIG_FOLDER/hawk/domain/<domain-name>/security where <domain-name> is the name of the Hawk domain.

2.	Provide a remote Trusted.txt file to configure a security URL on Agent,

−	add/append the following system parameter to java.extended.properties in tibhawkagent.tra

-Dhawk.security_file_url=file:///D:/temp/Trusted.txt

Or

-Dhawk.security_file_url=http://<hostname:port>/Trusted.txt

The Agent always gives precedence to the local file, if found in hawk/domain folder.

3.	Modify the appropriate sample access control file, Trusted.txt or TrustedWithDomain.txt, according to the requirements of your system.

4.	Save the modified file in the directory you created, without changing the filename. The program automatically searches for the access control file in this directory.

5.	Ensure that the security_policy parameter in Hawk agent configuration is set to one of the following, before starting TIBCO Hawk Agent and Display/WebConsole:

        COM.TIBCO.hawk.security.trusted.Trusted

or

 

        COM.TIBCO.hawk.security.trusted.TrustedWithDomain

The Trusted model is now in effect. The security policy will stay in force as long as the process is running.

Access Control File

To store access control information, the Trusted model uses an ASCII file. Two sample access control files are included with TIBCO Hawk: Trusted.txt and TrustedWithDomain.txt.

Sample access control files are shipped with the TIBCO Hawk software, in the directory HAWK_HOME/examples/security/.

Trusted.txt

This access control file can be used with UNIX or with Microsoft Windows XP.

The user for authorization is the login ID of the TIBCO Hawk Display owner.

TrustedWithDomain.txt

This file can only be used with Microsoft Windows XP, and only when specified in the command used to start TIBCO Hawk agent and Display, as in -security_policy COM.TIBCO.hawk.security.trusted.TrustedWithDomain.

The user is the login ID and the domain where the user is logged on. For example, for user1 in domainX, the user is <domainX>\user1.

Group Operations

A group operation effectively performs a method invocation simultaneously on all of the specified target microagents. It is useful for affecting a group of microagents in a single operation. There are two kinds of group operation: network query and network action.

Wildcard characters + and * affect permissions on group operations and point-to-point invocations as shown in Access Control File.

•	Use + in node access to allow access to group operations.

•	Use * in node access to allow access to point-to-point invocations.

•	Use + in method access to allow access to all INFO and ACTION methods.

•	Use * in method access to allow access.

Access Control File Conventions

The access control file uses the following conventions to grant or deny access.

•	Explicit access for a particular resource implicitly denies access to all other resources in the same class. The defined classes are nodes, microagents, and methods.

•	Explicit restriction for a particular resource implicitly allows access to all other resources in the same class, provided they have been explicitly granted. The defined classes are nodes, microagent, and methods.

•	Permissions always default to the most restrictive case.

File Settings for the Trusted Model

This table presents how individual restrictions and permissions are defined for nodes, microagents, and methods. Individual node, microagent, and method names can be specified. In addition, wildcard characters can be used as shown in the table.

Each individual setting is represented by one line in the access control file. Complex permissions and restrictions can be defined using sets of related lines. For example, you can give a user access to all methods on a node in one line, then in the following line, restrict that user’s access to one of those methods. See Disable Custom Microagent, for further details.

Permissions are granted to a user using the user name. Restrictions are defined by prefixing a bang (!) character to the user name, as shown in the table.

 

Table 16 Access Control File Settings 

Effect	User	Node	Microagent	Method
Full Access Grants full access to all methods on all microagents on all nodes, including group operations.	<user>
Full Restriction Denies access to all methods on all microagents on all nodes, including group operations	!<user>
Node Access: All Nodes Grants point-to-point and group operation invocation access to all methods on all microagents.	<user>	+
Node Access: All Nodes Grants point-to-point invocation access to all methods on all microagents. Does not grant group operation invocation access.	<user>	*
Node Access: Named node Grants invocation access to all methods on all microagents on the named node. You can add several lines for one user to provide access to a set of nodes.	<user>	<node>
Node Restriction: All Nodes Denies point-to-point and group operation invocation access to all methods on all microagents.	!<user>	*
Node Restriction: All Nodes Denies group operation invocation access to all methods on all microagents. (Does not deny point-to-point operation invocations.)	!<user>	+
Node Restriction: Named node Denies invocation access to all methods on all microagents on the named node. You can add several lines for one user to provide access to a set of nodes.	!<user>	<node>
Microagent Access Grants access to all methods on the specified microagent. Wildcard characters can be used in place of a specific node name. See Node Access.	<user>	<node>	<microagent>
Microagent Restriction Denies access to all methods on the specified microagent. Wildcard characters can be used in the Node columns. See Node Restriction above.	!<user>	<node>	<microagent>
Method Access Grants access to all ACTION and INFO methods on the specified microagent (but not ACTIONINFO methods). Wildcard characters can be used in the Node and Microagent columns.	<user>	<node>	<microagent>	+
Method Access Grants access to all INFO methods on the specified microagent (but not ACTION or ACTIONINFO methods). Wildcard characters can be used in the Node and Microagent columns.	<user>	<node>	<microagent>	*
Method Access Grants access to the specified method on the specified microagent. Wildcard characters can be used in the Node and Microagent columns.	<user>	<node>	<microagent>	<method>
Method Restriction Denies access to all methods on the specified microagent. Wildcard characters can be used in the Node and Microagent columns.	!<user>	<node>	<microagent>	*
Method Restriction Denies access to all ACTION and ACTION_INFO methods on the specified microagent. Wildcard characters can be used in the Node and Microagent columns.	!<user>	<node>	<microagent>	+
Method Restriction Denies access to the specified method on the specified microagent. Wildcard characters can be used in the Node and Microagent columns.	!<user>	<node>	<microagent>	<method>

Disable Custom Microagent

The Custom microagent can be disabled by leveraging the Security TrustModel supported by TIBCO Hawk. Users are explicitly granted or denied access through the access control file.

The following steps describe how to disable Custom microagent execution.

1.	If multiple Hawk agents are running on a machine and these Hawk agents in turn belong to different Hawk domains, specify separate access control files for each domain.

For each Hawk domain create a directory HAWK_HOME/domain/<domain-name>/security where <domain-name> is the name of the Hawk domain.

2.	According to the requirements of your system, copy HAWK_HOME/examples/security/Trusted.txt or HAWK_HOME/examples/security/TrustedWithDomain.txt to CONFIG_FOLDER/security/.

3.	Modify the file to add the following lines:

   * * * *

   none * COM.TIBCO.hawk.microagent.Custom +

The first line grants access to all users, on all nodes, and for all microagent methods.

The second line grants access only to the user none, on all nodes for the Custom microagent, where none is a non-existent user. This effectively prevents anyone from executing the Custom microagent.

4.	Ensure that the security_policy parameter in Hawk agent configuration is set to one of the following, before starting TIBCO Hawk Agent and Display/WebConsole::

COM.TIBCO.hawk.security.trusted.Trusted or COM.TIBCO.hawk.security.trusted.TrustedWithDomain

Trusted.txt and TrustedWithDomain File Examples

The following example files demonstrates how a Trusted.txt and TrustedWithDomain.txt access control file might be constructed. The permissions and restrictions defined in this file are explained in the previous section.

Explanation of Settings

The settings in the example files below provide access to the following users as shown here:

•	Grant user1 point-to-point access to all methods on all microagents, except:

−	All ACTION methods on the Custom microagent on all nodes.

−	The specified methods on the Repository microagent on all nodes.

−	The specified methods on the RuleBaseEngine microagent on nodeA.

•	Grant user2 point-to-point and group operation invocation access to all methods on all microagents, except:

−	All ACTION methods on the Custom microagent on all nodes.

−	All ACTION methods on the Repository microagent on all nodes.

−	All ACTION methods on the RuleBase microagent on all nodes.

•	Grant user3 point-to-point and group operation invocation access to all methods on all microagents on all nodes, except:

−	group operation invocation access to all ACTION methods on the RuleBase microagent.

•	Grant user4 full access to all methods on all microagents on nodeB.

•	Grant user5 point-to-point access to all INFO methods on all microagents on all nodes.

Trusted.txt Example File

---

 

#

# This file is used by agent running with COM.TIBCO.hawk.security.trusted.Trusted

# security model.

#

#

# Explanation of Settings:

#

# Grant "user1" point-to-point access to all methods on all Microagents, EXCEPT

# - all ACTION methods on the Custom microagent on all nodes.

# - the specified methods on the Repository microagent on all nodes.

# - the specified methods on the RuleBaseEngine microagent on "nodeA".

#

# Grant "user2" point-to-point and network access to all methods on all

# Microagents, EXCEPT

# - all ACTION methods on the Custom microagent on all nodes.

# - all ACTION methods on the Repository microagent on all nodes.

# - all ACTION methods on the RuleBase microagent on all nodes.

#

# Grant "user3" point-to-point and network access to all methods on all

# Microagents on all nodes, EXCEPT

# - network access to all ACTION methods on the RuleBase microagent.

#

# Grant "user4" full access to all methods on all microagents on nodeB.

#

# Grant "user5" point-to-point access to all INFO methods on all microagents

# on all nodes.

#

#

# Wildcard characters + and * usage:

#

# - Use + in node access for allowing access to group operations.

# - Use * in node access for allowing access to point-to-point invocations.

# - Use + in method access for allowing access to all INFO and ACTION methods.

# - Use * in method access for allowing access to all INFO methods only.

#

#

# File format:

#

# user node microagent method

# access access access

# & & &

# restrictions restrictions restrictions

#

user1 *

!user1 * COM.TIBCO.hawk.microagent.Custom +

!user1 * COM.TIBCO.hawk.microagent.Repository addRuleBase

!user1 * COM.TIBCO.hawk.microagent.Repository updateRuleBase

!user1 * COM.TIBCO.hawk.microagent.Repository deleteRuleBase

!user1 * COM.TIBCO.hawk.microagent.Repository setSchedules

!user1 * COM.TIBCO.hawk.microagent.Repository setRBMap

!user1 nodeA COM.TIBCO.hawk.microagent.RuleBaseEngine addRuleBase

!user1 nodeA COM.TIBCO.hawk.microagent.RuleBaseEngine updateRuleBase

!user1 nodeA COM.TIBCO.hawk.microagent.RuleBaseEngine deleteRuleBase

!user1 nodeA COM.TIBCO.hawk.microagent.RuleBaseEngine loadRuleBase

!user1 nodeA COM.TIBCO.hawk.microagent.RuleBaseEngine unloadRuleBase

!user1 nodeA COM.TIBCO.hawk.microagent.RuleBaseEngine loadRuleBaseFromFile

!user1 nodeA COM.TIBCO.hawk.microagent.RuleBaseEngine setSchedules

!user1 nodeA COM.TIBCO.hawk.microagent.RuleBaseEngine setRBMap

 

user2 + * +

!user2 * COM.TIBCO.hawk.microagent.Custom +

!user2 * COM.TIBCO.hawk.microagent.Repository +

!user2 * COM.TIBCO.hawk.microagent.RuleBaseEngine +

 

user3

!user3 + COM.TIBCO.hawk.microagent.RuleBaseEngine +

 

user4 nodeB

 

user5 * * *

 

#

# To activate logging, uncomment the following:

# <LogService> -log_dir logDir -log_max_size size -log_max_num n

#

# where: logDir is the directory where the log file will be stored

# size is the maximum size of a rotating log file in KB.

# A suffix m or M can be used for indicating MB .

# n is the maximum number of rotating log files.

---

 

TrustedWithDomain.txt Example File

---

 

#

# This file is used by agent running with

# COM.TIBCO.hawk.security.trusted.TrustedWithDomain security model.

#

# To allow a user running with COM.TIBCO.hawk.security.trusted.TrustedWithDomain

# security model on Windows platform to access this agent, the user

# specified should include the domain of the user.

# For example, for user1 in domainX, the user should be specified as

# "domainX\user1".

#

# Note that agents using the TrustedWithDomain security model also allow

# users running with COM.TIBCO.hawk.security.trusted.Trusted security model

# to access this agent. For these users, the domain should not be

# included in the user.

#

#

# Explanation of Settings:

#

# Grant "user1" point-to-point access to all methods on all Microagents, EXCEPT

# - all ACTION methods on the Custom microagent on all nodes.

# - the specified methods on the Repository microagent on all nodes.

# - the specified methods on the RuleBaseEngine microagent on "nodeA".

#

# Grant "user2" point-to-point and network access to all methods on all

# Microagents, EXCEPT

# - all ACTION methods on the Custom microagent on all nodes.

# - all ACTION methods on the Repository microagent on all nodes.

# - all ACTION methods on the RuleBase microagent on all nodes.

#

# Grant "user3" point-to-point and network access to all methods on all

# Microagents on all nodes, EXCEPT

# - network access to all ACTION methods on the RuleBase microagent.

#

# Grant "user4" full access to all methods on all microagents on nodeB.

#

# Grant "user5" point-to-point access to all INFO methods on all microagents

# on all nodes.

#

#

# Wildcard characters + and * usage:

#

# - Use + in node access for allowing access to group operations.

# - Use * in node access for allowing access to point-to-point invocations.

# - Use + in method access for allowing access to all INFO and ACTION methods.

# - Use * in method access for allowing access to all INFO methods only.

#

#

# File format:

#

# user node microagent method

# access access access

# & & &

# restrictions restrictions restrictions

#

user1 *

!user1 * COM.TIBCO.hawk.microagent.Custom +

!user1 * COM.TIBCO.hawk.microagent.Repository addRuleBase

!user1 * COM.TIBCO.hawk.microagent.Repository updateRuleBase

!user1 * COM.TIBCO.hawk.microagent.Repository deleteRuleBase

!user1 * COM.TIBCO.hawk.microagent.Repository setSchedules

!user1 * COM.TIBCO.hawk.microagent.Repository setRBMap

!user1 nodeA COM.TIBCO.hawk.microagent.RuleBaseEngine addRuleBase

!user1 nodeA COM.TIBCO.hawk.microagent.RuleBaseEngine updateRuleBase

!user1 nodeA COM.TIBCO.hawk.microagent.RuleBaseEngine deleteRuleBase

!user1 nodeA COM.TIBCO.hawk.microagent.RuleBaseEngine loadRuleBase

!user1 nodeA COM.TIBCO.hawk.microagent.RuleBaseEngine unloadRuleBase

!user1 nodeA COM.TIBCO.hawk.microagent.RuleBaseEngine loadRuleBaseFromFile

!user1 nodeA COM.TIBCO.hawk.microagent.RuleBaseEngine setSchedules

!user1 nodeA COM.TIBCO.hawk.microagent.RuleBaseEngine setRBMap

 

user2 + * +

!user2 * COM.TIBCO.hawk.microagent.Custom +

!user2 * COM.TIBCO.hawk.microagent.Repository +

!user2 * COM.TIBCO.hawk.microagent.RuleBaseEngine +

 

user3

!user3 + COM.TIBCO.hawk.microagent.RuleBaseEngine +

 

user4 nodeB

 

user5 * * *

 

#

# To activate logging, uncomment the following:

# <LogService> -log_dir logDir -log_max_size size -log_max_num n

#

# where: logDir is the directory where the log file will be stored

# size is the maximum size of a rotating log file in KB.

# A suffix m or M can be used for indicating MB .

# n is the maximum number of rotating log files.

­Running with a localhost rvd

As a further precaution, AMI applications will be required to specify localhost as part of the TIBCO Rendezvous daemon parameter in order to prevent remote connections to its rvd daemon. Instructions to do this for UNIX and Microsoft Windows platforms are given below.

UNIX Procedure

1.	Add a command to start the localhost rvd prior to starting any TIBCO Hawk processes, as follows:

rvd -listen tcp:127.0.0.1:<daemon>

2.	Modify hawkagent.cfg and hawkhma.cfg and, in the -rvd_session parameter, specify the following:

tcp:127.0.0.1:<daemon>

Microsoft Windows Procedure

Use rvntsreg.exe to install a localhost rvd as a Microsoft Windows service.

1.	Create an rvd service using rvntsreg.exe. Use the following parameters:

-listen tcp:127.0.0.1:<daemon>

2.	Make all TIBCO Hawk services dependent upon this new rvd service.

3.	In the Configuration Utility, modify the daemon parameter to the following:

tcp:127.0.0.1:<daemon>

Copyright © Cloud Software Group, Inc. All Rights Reserved