This article provides a reference for writing a StreamBase Runtime security configuration file where the HOCON type is com.tibco.ep.dtm.configuration.security.
The root objects in this configuration type are:
- LDAP Authentication Realms
- Local Authentication Realms
- Local Admin Authentication Realms
- Role-to-Privileges Mappings
- Secure Communication Client Profiles
- Secure Communication Server Profiles
- Trusted Hosts
Each root object can reside in its own configuration file of this configuration type. As an alternative, each root object can be embedded in the same file of this type.
Each configuration file must contain the following header lines, typically found at the beginning of each file:
- name
-
Specifies an arbitrary, case-sensitive string to name this configuration, which must be unique among other files with the same type, if any. Configuration files can refer to each other by this name. Select a name that reminds you of this configuration's type and purpose. For example:
name = "sbsecurity"
- version
-
Specifies an arbitrary version number that you can use to keep track of file versions for this configuration type in your development project. The maintenance of version numbers is under user control; StreamBase does not compare versions when loading configuration files during the fragment launch process. The version number is a string value, and can contain any combination of characters and numbers. For example:
version = "1.0.0"
- type
-
This essential setting specifies the unique HOCON configuration type described on this page.
type = "com.tibco.ep.dtm.configuration.security"
The three header lines taken together constitute a unique signature for each HOCON file in a project's configurations folder. Each project's configurations folder can contain only one file with the same signature.
The top-level configuration object defines the configuration envelope the same way for all HOCON file types.
- configuration
-
On a line below the header element lines, enter the word configuration followed by an open brace. The configuration element is a sibling of the name, version, and type elements, and serves to define the configuration envelope around this type's objects as described on this page. The file must end with the matching close brace.
configuration = {
  ...
  ...
}
This configuration type defines a single LDAP authentication realm. The realm can contain multiple servers for redundancy to authenticate StreamBase or Live Datamart users and check the roles to which those users belong. It is separate from the base engine configuration and can therefore be managed separately without having to recreate an application archive and redeploy the application.
- LDAPAuthenticationRealm
-
A single LDAP authentication realm. The realm can contain multiple servers for redundancy.
- name
-
The name of this realm, unique across all authentication realms. This field is required. For example:
name = "my-realm"
- servers
-
An array of one or more LDAP servers that authenticate principals in this LDAP realm. This array is required, and must contain at least one element.
- host
-
String. The LDAP server's host name. This name-value pair is optional and its default value is localhost. For example:
host = "ldap.example.com"
- portNumber
-
Int. The LDAP server's port number. This name-value pair is optional and its default value is 389.
For example:
portNumber = 390
- principalAuthenticationAlgorithm
-
The type of principal authentication to perform. This name-value pair is optional and its default value is BIND.
BIND authenticates principals by connecting to the LDAP server using the principal name and credentials.
LOCAL_PASSWORD_COMPARE authenticates principals by connecting to the LDAP server using the system principal, searching for the user, retrieving its principalPasswordAttribute, and comparing it locally with the principal's credentials.
REMOTE_PASSWORD_COMPARE is the same as LOCAL_PASSWORD_COMPARE except that the comparison is performed at the server.
For example:
principalAuthenticationAlgorithm = LOCAL_PASSWORD_COMPARE
- principalPasswordAttribute
-
String. The password attribute of this server's principals. This name-value pair is optional and its default value is userPassword.
- principalSearchFilter
-
String. The LDAP filter expression used when searching for principals. The filter permits Java pattern substitution expressions; {0} is bound to the input principal, and {1} is bound to its corresponding DN. This name-value pair is optional. Default is CN={0}. For example:
principalSearchFilter = "CN={0}"
- principalSearchRoots
-
A list of Distinguished Names under which principals are searched for during search-based authentication or user ID-to-DN conversion. This name-value pair is required and must contain at least one element.
For example:
principalSearchRoots = [ "ou=users,dc=example,dc=com" ]
- roleNameAttribute
-
String. Attribute of a role entry that is used to map to privileges. This name-value pair is optional and its default value is CN. For example:
roleNameAttribute = "roleID"
- roleSearchFilter
-
String. The LDAP filter expression used when searching for roles of which a principal is a member. The filter permits Java pattern substitution expressions; {0} is bound to the input principal, and {1} is bound to its corresponding DN. This name-value pair is optional, with a default value of "roleOccupant={1}". For example:
roleSearchFilter = "membership={1}"
- roleSearchRoots
-
A list of Distinguished Names under which roles are searched for. This name-value pair is optional and defaults to the value of the principalSearchRoots name-value pair. For example:
roleSearchRoots = [ "ou=roles,dc=example,dc=com" ]
- secureCommunicationProfileName
-
String. Name of a secure communication client profile to use when configuring secure communications with an LDAP server. This name-value pair is optional and has no default value.
If present, this profile must be used when setting the ldmSecureInternalCommunicationProfileName property in the Live Datamart Internal Credentials Configuration file or the secureCommunicationProfileName property in the Live Datamart Client API Listener Configuration file. If not present, LDAP connections do not use secure communication.
For example:
secureCommunicationProfileName = "my-secure-communication-client-profile"
- systemPassword
-
String. The password used by the authentication system to log in to the LDAP server. You can provide an enciphered string for the value; generate the enciphered string with the sbcipher command and prefix #! to the generated string. This name-value pair is required. For example:
systemPassword = "secret"
- systemPrincipal
-
String. The principal used by the authentication system to log in to the LDAP server and query for principal or role information. This name-value pair is required. For example:
systemPrincipal = "cn=SBLDAPUser,cn=Users,dc=ldap,dc=example,dc=com"
The following is an example of the LDAP realm security configuration subtype.
name = "ldaprealm"
version = "1.0.0"
type = "com.tibco.ep.dtm.configuration.security"
configuration = {
  LDAPAuthenticationRealm = {
    name = "ldap-authentication-realm"
    servers = [
      {
        host = "localhost"
        portNumber = 389
        systemPrincipal = "CN=lvintern,OU=Users,dc=example,dc=com"
        systemPassword = "lvintern"
        secureCommunicationProfileName = "secure-client"
        principalSearchRoots = [ "OU=Users,DC=example,DC=com" ]
        principalSearchFilter = "cn={0}"
        roleSearchRoots = [ "OU=Roles,DC=example,DC=com" ]
        roleSearchFilter = "roleOccupant={1}"
      }
    ]
  }
}
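To make the server entry above concrete, here is a small model of how its settings drive an authentication: user ID-to-DN conversion through principalSearchFilter and principalSearchRoots, the three principalAuthenticationAlgorithm variants, and the role lookup through roleSearchFilter and roleSearchRoots. This is an added example, not StreamBase code; an in-memory directory with constructed entries stands in for the LDAP server, filters are assumed to be a single attr=value term, and searches are assumed not to be access-controlled.

```python
"""Model of how one LDAPAuthenticationRealm server entry drives authentication.
Added example, not StreamBase code: an in-memory directory stands in for the
LDAP server so the BIND, LOCAL_PASSWORD_COMPARE and REMOTE_PASSWORD_COMPARE
flows and the {0}/{1} filter substitution can be traced offline."""

# Constructed directory: DN -> attributes. Attribute names are matched
# case-insensitively, as in LDAP.
DIRECTORY = {
    "cn=SBLDAPUser,ou=users,dc=example,dc=com": {
        "cn": ["SBLDAPUser"], "userPassword": ["sys-secret"]},
    "cn=bob,ou=users,dc=example,dc=com": {
        "cn": ["bob"], "userPassword": ["bob-pass"]},
    "cn=BasicUser,ou=roles,dc=example,dc=com": {
        "cn": ["BasicUser"], "roleOccupant": ["cn=bob,ou=users,dc=example,dc=com"]},
    "cn=LVAdmin,ou=roles,dc=example,dc=com": {"cn": ["LVAdmin"], "roleOccupant": []},
}

# One server entry of the realm, with hypothetical values.
SERVER = {
    "host": "localhost",
    "portNumber": 389,
    "systemPrincipal": "cn=SBLDAPUser,ou=users,dc=example,dc=com",
    "systemPassword": "sys-secret",
    "principalAuthenticationAlgorithm": "BIND",
    "principalPasswordAttribute": "userPassword",
    "principalSearchFilter": "CN={0}",
    "principalSearchRoots": ["ou=users,dc=example,dc=com"],
    "roleSearchFilter": "roleOccupant={1}",
    "roleSearchRoots": ["ou=roles,dc=example,dc=com"],
    "roleNameAttribute": "CN",
}


class FakeLdapServer:
    """Just enough of an LDAP server to exercise the realm settings."""

    def __init__(self, directory):
        self.directory = {dn: {a.lower(): list(v) for a, v in attrs.items()}
                          for dn, attrs in directory.items()}

    def bind(self, dn, password):
        entry = self.directory.get(dn)
        return entry is not None and password in entry.get("userpassword", [])

    def search(self, roots, filter_expr):
        # Single-term filter "attr=value"; partition on the first '=' so a DN
        # used as the value keeps its own '=' characters.
        attr, _, value = filter_expr.partition("=")
        attr, value = attr.strip().lower(), value.strip()
        return [dn for dn, entry in self.directory.items()
                if any(dn.lower().endswith("," + r.lower()) for r in roots)
                and value in entry.get(attr, [])]

    def read_attribute(self, dn, attr):
        return list(self.directory.get(dn, {}).get(attr.lower(), []))

    def compare(self, dn, attr, value):
        # LDAP compare operation: the server performs the comparison.
        return value in self.directory.get(dn, {}).get(attr.lower(), [])


def authenticate(server, ldap, principal, credentials):
    """Return (authenticated, roles) for a principal against one server entry."""
    algorithm = server.get("principalAuthenticationAlgorithm", "BIND")
    # User ID -> DN conversion: {0} is bound to the input principal.
    hits = ldap.search(server["principalSearchRoots"],
                       server.get("principalSearchFilter", "CN={0}").format(principal, ""))
    if len(hits) != 1:
        return False, []
    dn = hits[0]
    if algorithm == "BIND":
        ok = ldap.bind(dn, credentials)
    else:
        # Both compare variants act as the system principal, which must itself
        # be able to log in before any user is checked.
        if not ldap.bind(server["systemPrincipal"], server["systemPassword"]):
            return False, []
        attr = server.get("principalPasswordAttribute", "userPassword")
        if algorithm == "LOCAL_PASSWORD_COMPARE":
            # The password attribute is read out and compared by the realm.
            ok = credentials in ldap.read_attribute(dn, attr)
        elif algorithm == "REMOTE_PASSWORD_COMPARE":
            ok = ldap.compare(dn, attr, credentials)
        else:
            raise ValueError(f"unknown principalAuthenticationAlgorithm {algorithm!r}")
    if not ok:
        return False, []
    # Role lookup: {1} is bound to the principal's DN.
    role_filter = server.get("roleSearchFilter", "roleOccupant={1}").format(principal, dn)
    roots = server.get("roleSearchRoots", server["principalSearchRoots"])
    name_attr = server.get("roleNameAttribute", "CN")
    roles = [ldap.read_attribute(role_dn, name_attr)[0]
             for role_dn in ldap.search(roots, role_filter)]
    return True, roles


def authenticate_with(algorithm, principal, credentials, system_password="sys-secret"):
    """Run authenticate() against the constructed directory with one algorithm."""
    server = dict(SERVER, principalAuthenticationAlgorithm=algorithm,
                  systemPassword=system_password)
    return authenticate(server, FakeLdapServer(DIRECTORY), principal, credentials)


if __name__ == "__main__":
    for algo in ("BIND", "LOCAL_PASSWORD_COMPARE", "REMOTE_PASSWORD_COMPARE"):
        print(algo, authenticate_with(algo, "bob", "bob-pass"))
```

Note that only the two compare variants depend on systemPrincipal and systemPassword, and LOCAL_PASSWORD_COMPARE additionally needs the system principal to be able to read principalPasswordAttribute.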
The local authentication realm contains local user, password, and role information for authenticating StreamBase EventFlow and Live Datamart users.
- LocalAuthenticationRealm
-
Defines a local authentication realm, containing one or more principals.
- name
-
The name of this realm, unique across all authentication realms. This name-value pair is required. For example:
name = "my-realm"
- principals
-
A list of principals in this realm. This name-value pair is optional and has no default value.
- userName
-
The name of the principal. This name-value pair is required and cannot be an empty string. For example:
userName = "bob"
- password
-
The principal's password, either clear text or enciphered. Any parameter value beginning with #! is enciphered with the sbcipher tool. This name-value pair is required. For example:
password = "secret2"
- roles
-
The roles to which this principal belongs, if any. Each role is an arbitrary text string, which can be bound to various privileges in a role-to-privileges mapping object. This name-value pair is optional. If present, the array must contain at least one element.
For example:
roles = [ "BasicUser" ]
The following is a sample local authentication configuration file for StreamBase.
name = "localrealm1"
version = "1.0.0"
type = "com.tibco.ep.dtm.configuration.security"
configuration = {
  LocalAuthenticationRealm = {
    principals = [
      {
        userName = "Administrator"
        hashedPassword = "#!M5DSWylszg5aA9AK29MOiaDLq7SMqmTor+nW3qURTrT9E9eqJfTPyyUudCK34nhXHE53PXK6pregp4MW8qrueg=="
        roles = [ "BasicUser", "StreamBaseSuperuser", "admin" ]
        passwordExpirationPeriodDays = 12
        passwordAlwaysRequired = true
        trustedHostAccessOnly = false
      }
    ]
  }
}
The following is a sample local authentication configuration file for Live Datamart.
name = "authRealm"
version = "1.0.0"
type = "com.tibco.ep.dtm.configuration.security"
configuration = {
  LocalAuthenticationRealm = {
    name = "authRealm"
    principals = [
      { userName = "admin", password = "admin", roles = [ "LVAdmin" ] }
      { userName = "lvintern", password = "lvintern", roles = [ "LVInternal" ] }
      { userName = "guest", password = "guest", roles = [ "LVGuest" ] }
      { userName = "tester", password = "tester", roles = [ "LVUser" ] }
      { userName = "client", password = "client", roles = [ "LVUser" ] }
    ]
  }
  SecureCommunicationServerProfile = {
    keyStore = "C:/Users/sbuser/Desktop/AddOns/SSL/X509/serverkeystore.jks"
    keyStorePassword = "changeit"
    keyStoreType = "JKS"
    keyPassword = "changeit"
    name = "serverprofile"
    requireClientAuthentication = true
    trustStore = "C:/Users/sbuser/Desktop/AddOns/SSL/X509/truststore.jks"
    trustStorePassword = "changeit"
    trustStoreType = "JKS"
    userNameObjectIdentifierSearchPath = [ "emailAddress", "CN", "DN" ]
  }
  SecureCommunicationClientProfile = {
    name = "clientprofile"
    keyStore = "C:/Users/sbuser/Desktop/AddOns/SSL/X509/serverkeystore.jks"
    keyStorePassword = "changeit"
    keyStoreType = "JKS"
    keyPassword = "changeit"
    requireClientAuthentication = true
    trustStore = "C:/Users/sbuser/Desktop/AddOns/SSL/X509/truststore.jks"
    trustStorePassword = "changeit"
    trustStoreType = "JKS"
  }
}
This authentication realm applies to epadmin command users performing such operations as starting and stopping a StreamBase Runtime node. If you do not have admin users in your configuration, the local admin authentication realm is not required.
- LocalAdminAuthenticationRealm
-
Defines a local authentication realm, containing one or more administrator principals.
- principals
-
An array of administrator principals. This name-value pair is optional and has no default value.
- userName
-
The principal name. This name-value pair is required and cannot be an empty string.
For example:
userName = "JohnDoe"
- hashedPassword
-
Principal's password, either in clear text or enciphered. You can provide an enciphered string for the value, as generated with the sbcipher command; you must prefix #! to the generated string. For example:
hashedPassword = "#!M5DSWylszg5aA9AK29MOiaDLq7SMqmTor+nW3qURTrT9E9eqJfTPyyUudCK34nhXHE53PXK6pregp4MW8qrueg=="
- roles
-
Roles to which the principal has access, if any. Each role is an arbitrary text string, which can be bound to various privileges in a role-to-privileges mapping object. This name-value pair is optional. If present, the array must contain at least one member.
For example:
roles = [ "BasicUser" ]
- passwordExpirationPeriodDays
-
Password expiration time in days. This name-value pair is optional and its default value is 0, meaning the password never expires.
For example:
passwordExpirationPeriodDays = 12
- passwordAlwaysRequired
-
Sets whether a credential is always required. If true, the principal must always present a credential during authentication, and cannot use the trusted host facility. This name-value pair is optional and its default value is false.
For example:
passwordAlwaysRequired = true
- trustedHostAccessOnly
-
Whether the principal may only be authenticated when connecting from a trusted host.
For example:
trustedHostAccessOnly = false
The following is a sample local admin authentication realm configuration for epadmin users.
name = "localadminrealm1"
version = "1.0.0"
type = "com.tibco.ep.dtm.configuration.security"
configuration = {
  LocalAdminAuthenticationRealm = {
    principals = [
      {
        userName = "SBuser"
        hashedPassword = "LKJALISJDOIQUWEOIAJSLKDJALSJDL"
        roles = [ "BasicUser", "StreamBaseSuperuser", "admin" ]
        passwordExpirationPeriodDays = 12
        passwordAlwaysRequired = true
        trustedHostAccessOnly = false
      }
    ]
  }
}
- RoleToPrivilegeMappings
-
A description of general privileges associated with roles. Each privilege has an associated resource; a privilege defines what you can do, and its associated resource defines what you can do it to.
- privileges
-
An associative array of privileges keyed by role.
- admin
-
String. Role name example.
- privilege
-
The privilege's type. This name-value pair is required.
For example:
privilege = "AdminRunCommand"
- streamBaseSuperuser
-
String. Role name example.
- privilege
-
The privilege's type. This name-value pair is required.
For example:
privilege = "StreamEnqueue"
- resource
-
String. The resource to which the privilege applies. For example, if the privilege allows writing to an event stream, the resource might be the stream name, or a regular expression that matches multiple stream names. If the privilege does not apply to a resource, this name-value pair can be left null. This name-value pair is optional and has no default value.
For example:
resource = "default.InputStream1"
- LDMUserAll
-
String. Role name example.
A role must be assigned at least one privilege. A resource can be assigned to a privilege unless otherwise noted. StreamBase 10 uses HOCON to replace Live Datamart users, roles, and privileges settings that were previously configured in liveview.properties and liveview.auth.properties files in StreamBase 7.
- privilege
-
The privilege type that maps to the role. This name-value pair is required.
The following table describes the available Live Datamart privileges that you can assign. The description column maps HOCON-configured privileges to their StreamBase 7 equivalents, where applicable.
The examples below the table describe possible Live Datamart and LiveView Web user roles with privileges and resources assigned to those roles.
Privilege                         Description
API access privileges
  APIConnect                      Maps to the Live Datamart connect privilege
Stream-related privileges, mapped to the corresponding StreamBase and Live Datamart privileges
  StreamEnqueue                   Maps to the StreamBase Enqueue privilege and the Live Datamart tuple:send privilege
  StreamDequeue                   Maps to the StreamBase Dequeue privilege
  LiveViewSBStreamInfoRetrieve    Maps to the LiveView sbinfo:get privilege
LiveView administrative privileges
  LiveViewPublisherKill           Maps to the LiveView publisher:kill privilege
  LiveViewQueryKill               Maps to the LiveView query:kill privilege
  LiveViewSessionKill             Maps to the LiveView session:kill privilege
  LiveViewAll                     LiveView table full ("*") privileges
  LiveViewShutdown                LiveView server shutdown privileges
LiveView table alert privileges
  LiveViewAlertAll                Maps to the LiveView alert.* privilege
  LiveViewAlertDelete             Maps to the LiveView alert:delete privilege
  LiveViewAlertList               Maps to the LiveView alert:list privilege
  LiveViewAlertSet                Maps to the LiveView alert:set privilege
  LiveViewAlertActionAll          Maps to the LiveView alertaction:* privilege
  LiveViewAlertActionDelete       Maps to the LiveView alertaction:delete privilege
  LiveViewAlertActionEmail        Maps to the LiveView alertaction:email privilege
  LiveViewAlertActionJava         Maps to the LiveView alertaction:java privilege
  LiveViewAlertActionOSCommand    Maps to the LiveView alertaction:oscmd privilege
  LiveViewAlertActionPublish      Maps to the LiveView alertaction:publish privilege
  LiveViewAlertActionSendTuple    Maps to the LiveView alertaction:sendtuple privilege
LiveView table management privileges
  LiveViewTableAll                Maps to the LiveView table:* privilege
  LiveViewTableDelete             Maps to the LiveView table:delete privilege
  LiveViewTableList               Maps to the LiveView table:list privilege
  LiveViewTableManage             Maps to the LiveView table:manage privilege
  LiveViewTableQuery              Maps to the LiveView table:query privilege
  LiveViewTablePublish            Maps to the LiveView table:publish privilege
  LiveViewTableCCQuery            Maps to the LiveView table:ccquery privilege
  LiveViewTableAdd                Maps to the LiveView table:add privilege
  LiveViewTableRemove             Maps to the LiveView table:remove privilege
LiveView tuple management privileges
  LiveViewTupleAll                Maps to the LiveView tuple:* privilege
  LiveViewTupleInfo               Maps to the LiveView tuple:info privilege
  LiveViewTupleSend               Maps to the LiveView tuple:send privilege
LiveView workspace management privileges
  LiveViewWorkspaceAll            Maps to the LiveView workspace:* privilege
  LiveViewWorkspaceDelete         Maps to the LiveView workspace:delete privilege
  LiveViewWorkspaceGet            Maps to the LiveView workspace:get privilege
  LiveViewWorkspaceSet            Maps to the LiveView workspace:set privilege
LiveView Web privileges
  LiveViewWebDashboardCreate      Maps to the LiveView Web dashboard:create privilege
  LiveViewWebPageCreate           Maps to the LiveView Web page:create privilege
  LiveViewWebCardCreate           Maps to the LiveView Web card:create privilege
  LiveViewWebLinkageCreate        Maps to the LiveView Web linkage:create privilege
The example below shows a Live Datamart user role, LVAdmin, with all Live Datamart privileges. This is equivalent to configuring the liveview.auth.properties file to role.LVAdmin = * in StreamBase 7.
LVAdmin = [
  { privilege = "LiveViewAll" }
]
For those familiar with StreamBase 7, recall that several internal LiveView components were required to make requests to access LiveView server resources, by setting LiveView properties files. When authentication was enabled, for example, these internal requests had to be made in the context of a valid LiveView user configured with the appropriate permissions. A special role, LVInternal, satisfied this requirement.
In StreamBase 10, instead of configuring LiveView properties files, create a Live Datamart user role, LVInternal, and map privileges to the role to perform internal LiveView user functions similar to those in StreamBase 7. For example:
LVInternal = [
  { privilege = "APIConnect" }
  { privilege = "LiveViewShutdown" }
  { privilege = "LiveViewTableQuery" }
  { privilege = "LiveViewTablePublish", resource = "LVAlerts" }
  { privilege = "LiveViewTableDelete", resource = "ItemsSales" }
  { privilege = "LiveViewTableManage" }
  { privilege = "LiveViewWorkspaceAll" }
]
The following example shows a Live Datamart user role, LVUser, assigned Live Datamart and LiveView Web privileges:
LVUser = [
  { privilege = "APIConnect" }
  { privilege = "LiveViewTableList" }
  { privilege = "LiveViewTableManage" }
  { privilege = "LiveViewTableAll", resource = "ItemsSales" }
  { privilege = "LiveViewTableQuery" }
  { privilege = "LiveViewAlertList" }
  { privilege = "LiveViewAlertSet", resource = "ItemsSales" }
  { privilege = "LiveViewAlertDelete" }
  { privilege = "LiveViewAlertActionPublish", resource = "ItemsSales" }
  { privilege = "LiveViewAlertActionEmail", resource = "ItemsSales" }
  { privilege = "LiveViewAlertActionSendTuple", resource = "ItemsSales" }
  { privilege = "LiveViewTupleInfo", resource = "ItemsSales.DataIn" }
  { privilege = "LiveViewTupleSend", resource = "ItemsSales.DataIn" }
  { privilege = "LiveViewWorkspaceGet", resource = "Auth Sample" }
  { privilege = "LiveViewWebCardCreate" }
  { privilege = "LiveViewWebDashboardCreate" }
  { privilege = "LiveViewWebLinkageCreate" }
  { privilege = "LiveViewWebPageCreate" }
]
The following example shows a Live Datamart user role, LVGuest, assigned Live Datamart privileges:
LVGuest = [
  { privilege = "APIConnect" }
  { privilege = "LiveViewTableList" }
  { privilege = "LiveViewTableManage" }
  { privilege = "LiveViewTableAll", resource = "ItemsSales" }
  { privilege = "LiveViewTableQuery" }
  { privilege = "LiveViewAlertList" }
  { privilege = "LiveViewAlertSet", resource = "ItemsSales" }
  { privilege = "LiveViewAlertDelete" }
  { privilege = "LiveViewAlertActionPublish", resource = "ItemsSales" }
  { privilege = "LiveViewAlertActionEmail", resource = "ItemsSales" }
  { privilege = "LiveViewAlertActionSendTuple", resource = "ItemsSales" }
  { privilege = "LiveViewTupleInfo", resource = "ItemsSales.DataIn" }
  { privilege = "LiveViewTupleSend", resource = "ItemsSales.DataIn" }
  { privilege = "LiveViewWorkspaceGet", resource = "Auth Sample" }
]
The following example shows a LiveView Web user role, LVWebUser, assigned the following privileges:
LVWebUser = [
  { privilege = "LiveViewWebCardCreate" }
  { privilege = "LiveViewWebDashboardCreate" }
  { privilege = "LiveViewWebLinkageCreate" }
  { privilege = "LiveViewWebPageCreate" }
]
- resource
-
String. The resource to which the privilege applies. If the privilege doesn't apply to a resource, this name-value pair can be left null. This name-value pair is optional and has no default value.
For example:
resource = "myTable"
- basicUser
-
String. Role name example.
- privilege
-
The privilege's type. This name-value pair is required.
For example:
privilege = "StreamEnqueue"
privilege = "StreamDequeue"
- resource
-
String. The resource to which the privilege applies. For example, if the privilege allows writing to an event stream, the resource might be the stream name, or a regular expression that matches multiple stream names. If the privilege does not apply to a resource, this name-value pair can be left null. This name-value pair is optional and has no default value.
For example:
resource = "default.InputStream1"
resource = "default.OutputStream1"
The following is a general sample RoleToPrivilegeMappings configuration file. Each privilege has an associated resource; a privilege defines what you can do, and its associated resource defines what you can do it to.
name = "my-role-mappings"
version = "1.0.0"
type = "com.tibco.ep.dtm.configuration.security"
configuration = {
  RoleToPrivilegeMappings = {
    privileges = {
      admin = [
        { privilege = "AdminRunCommand" }
      ]
      streamBaseSuperuser = [
        { privilege = "StreamEnqueue", resource = "default.InputStream1" }
      ]
      basicUser = [
        { privilege = "StreamEnqueue", resource = "default.InputStream1" }
        { privilege = "StreamDequeue", resource = "default.OutputStream1" }
      ]
    }
  }
}
The following is a sample RoleToPrivilegeMappings configuration file that includes StreamBase, Live Datamart, and LiveView Web configuration.
name = "my-RoleToPrivilegeMappings"
version = "1.0.0"
type = "com.tibco.ep.dtm.configuration.security"
configuration = {
  RoleToPrivilegeMappings = {
    privileges = {
      AdministratorSpecificCommands = [
        { privilege = "AdminRunCommand", resource = "breakpointplugin::Plugin::continueCommand" }
        { privilege = "AdminRunCommand", resource = "security::SecurityPlugin::display" }
      ]
      StreamBaseSuperuser = [
        { privilege = "StreamEnqueue", resource = "default.InputStream1" }
      ]
      StreamBaseBasicUser = [
        { privilege = "StreamEnqueue", resource = "default.InputStream1" }
        { privilege = "StreamDequeue", resource = "default.OutputStream1" }
      ]
      AnotherAdminUser = [
        { privilege = "StreamEnqueue", resource = "default.InputStream1" }
        { privilege = "APIConnect" }
      ]
      LDMUserAll = [
        { privilege = "LiveViewAlertAll", resource = "alertName1" }
        { privilege = "LiveViewTupleAll", resource = "mySchema1" }
        { privilege = "LiveViewTableAll", resource = "myTable1" }
        { privilege = "LiveViewAlertActionAll", resource = "alertName2" }
        { privilege = "LiveViewWorkspaceAll", resource = "wsName1" }
      ]
      LDMUserAll2 = [
        { privilege = "LiveViewAll" }
      ]
      LDMUserEach = [
        { privilege = "LiveViewShutdown" }
        { privilege = "LiveViewTableList", resource = "myTable" }
        { privilege = "LiveViewTableDelete", resource = "myTable" }
        { privilege = "LiveViewTableManage", resource = "myTable" }
        { privilege = "LiveViewTableQuery", resource = "myTable" }
        { privilege = "LiveViewTablePublish", resource = "myTable" }
        { privilege = "LiveViewAlertDelete", resource = "alertName" }
        { privilege = "LiveViewAlertSet", resource = "alertName" }
        { privilege = "LiveViewAlertList", resource = "alertName" }
        { privilege = "LiveViewWorkspaceGet", resource = "wsName" }
        { privilege = "LiveViewWorkspaceSet", resource = "wsName" }
        { privilege = "LiveViewWorkspaceDelete", resource = "wsName" }
        { privilege = "LiveViewTupleInfo", resource = "stream1" }
        { privilege = "LiveViewTupleSend", resource = "stream2" }
        { privilege = "LiveViewAlertActionDelete", resource = "alert1" }
        { privilege = "LiveViewAlertActionEmail", resource = "alert1" }
        { privilege = "LiveViewAlertActionJava", resource = "alert1" }
        { privilege = "LiveViewAlertActionOSCommand", resource = "alert1" }
        { privilege = "LiveViewAlertActionPublish", resource = "alert1" }
        { privilege = "LiveViewAlertActionSendTuple", resource = "alert1" }
        { privilege = "LiveViewWebCardCreate" }
        { privilege = "LiveViewWebDashboardCreate" }
        { privilege = "LiveViewWebLinkageCreate" }
        { privilege = "LiveViewWebPageCreate" }
      ]
    }
  }
}
The following is a sample RoleToPrivilegeMappings configuration file that includes only Live Datamart and LiveView Web configuration.
name = "my-role-mappings"
version = "1.0.0"
type = "com.tibco.ep.dtm.configuration.security"
configuration = {
  RoleToPrivilegeMappings = {
    privileges = {
      LVAdmin = [
        { privilege = "LiveViewAll" }
      ]
      LVInternal = [
        { privilege = "APIConnect" }
        { privilege = "LiveViewShutdown" }
        { privilege = "LiveViewTableQuery" }
        { privilege = "LiveViewTablePublish", resource = "LVAlerts" }
        { privilege = "LiveViewTableDelete", resource = "ItemsSales" }
        { privilege = "LiveViewTableManage" }
        { privilege = "LiveViewWorkspaceAll" }
      ]
      LVUser = [
        { privilege = "APIConnect" }
        { privilege = "LiveViewTableList" }
        { privilege = "LiveViewTableManage" }
        { privilege = "LiveViewTableAll", resource = "ItemsSales" }
        { privilege = "LiveViewTableQuery" }
        { privilege = "LiveViewAlertList" }
        { privilege = "LiveViewAlertSet", resource = "ItemsSales" }
        { privilege = "LiveViewAlertDelete" }
        { privilege = "LiveViewAlertActionPublish", resource = "ItemsSales" }
        { privilege = "LiveViewAlertActionEmail", resource = "ItemsSales" }
        { privilege = "LiveViewAlertActionSendTuple", resource = "ItemsSales" }
        { privilege = "LiveViewTupleInfo", resource = "ItemsSales.DataIn" }
        { privilege = "LiveViewTupleSend", resource = "ItemsSales.DataIn" }
        { privilege = "LiveViewWorkspaceGet", resource = "Auth Sample" }
        { privilege = "LiveViewWebCardCreate" }
        { privilege = "LiveViewWebDashboardCreate" }
        { privilege = "LiveViewWebLinkageCreate" }
        { privilege = "LiveViewWebPageCreate" }
      ]
      LVGuest = [
        { privilege = "APIConnect" }
        { privilege = "LiveViewTableList" }
        { privilege = "LiveViewTableManage" }
        { privilege = "LiveViewTableAll", resource = "ItemsSales" }
        { privilege = "LiveViewTableQuery" }
        { privilege = "LiveViewAlertList" }
        { privilege = "LiveViewAlertSet", resource = "ItemsSales" }
        { privilege = "LiveViewAlertDelete" }
        { privilege = "LiveViewAlertActionPublish", resource = "ItemsSales" }
        { privilege = "LiveViewAlertActionEmail", resource = "ItemsSales" }
        { privilege = "LiveViewAlertActionSendTuple", resource = "ItemsSales" }
        { privilege = "LiveViewTupleInfo", resource = "ItemsSales.DataIn" }
        { privilege = "LiveViewTupleSend", resource = "ItemsSales.DataIn" }
        { privilege = "LiveViewWorkspaceGet", resource = "Auth Sample" }
      ]
    }
  }
}
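The rules this section states (a role needs at least one privilege, the privilege is required, the resource is optional and may be a regular expression) can be checked before a mapping file is deployed, and the same data answers the access-time question of whether a principal's roles grant a privilege on a resource. The following is an added example, not StreamBase code; the mapping is constructed from the examples on this page as it would look once parsed into Python objects, and two points are assumptions: an entry with no resource is treated as applying to any resource, and a privilege whose name ends in All is treated as covering every privilege that shares its prefix.

```python
"""Added example, not StreamBase code: validate a RoleToPrivilegeMappings
'privileges' block against the rules on this page and decide whether a
principal with given roles holds a privilege on a resource."""
import re

# Privilege names from the table on this page, plus AdminRunCommand from its examples.
KNOWN_PRIVILEGES = {
    "AdminRunCommand", "APIConnect", "StreamEnqueue", "StreamDequeue",
    "LiveViewSBStreamInfoRetrieve", "LiveViewPublisherKill", "LiveViewQueryKill",
    "LiveViewSessionKill", "LiveViewAll", "LiveViewShutdown",
    "LiveViewAlertAll", "LiveViewAlertDelete", "LiveViewAlertList", "LiveViewAlertSet",
    "LiveViewAlertActionAll", "LiveViewAlertActionDelete", "LiveViewAlertActionEmail",
    "LiveViewAlertActionJava", "LiveViewAlertActionOSCommand",
    "LiveViewAlertActionPublish", "LiveViewAlertActionSendTuple",
    "LiveViewTableAll", "LiveViewTableDelete", "LiveViewTableList", "LiveViewTableManage",
    "LiveViewTableQuery", "LiveViewTablePublish", "LiveViewTableCCQuery",
    "LiveViewTableAdd", "LiveViewTableRemove",
    "LiveViewTupleAll", "LiveViewTupleInfo", "LiveViewTupleSend",
    "LiveViewWorkspaceAll", "LiveViewWorkspaceDelete", "LiveViewWorkspaceGet",
    "LiveViewWorkspaceSet",
    "LiveViewWebDashboardCreate", "LiveViewWebPageCreate", "LiveViewWebCardCreate",
    "LiveViewWebLinkageCreate",
}

# Constructed mapping, as the HOCON would look once parsed into Python objects.
PRIVILEGES = {
    "basicUser": [
        {"privilege": "StreamEnqueue", "resource": "default.InputStream1"},
        {"privilege": "StreamDequeue", "resource": "default.OutputStream1"},
    ],
    # The resource is a regular expression, so one entry can cover many streams.
    "producer": [{"privilege": "StreamEnqueue", "resource": r"default\.Input.*"}],
    "LVUser": [
        {"privilege": "APIConnect"},
        {"privilege": "LiveViewTableQuery"},
        {"privilege": "LiveViewTableAll", "resource": "ItemsSales"},
        {"privilege": "LiveViewTupleSend", "resource": "ItemsSales.DataIn"},
    ],
    "LVAdmin": [{"privilege": "LiveViewAll"}],
}


def validate_mappings(privileges):
    """Return a list of problems; an empty list means the block is well-formed."""
    problems = []
    if not isinstance(privileges, dict):
        return ["privileges must be an associative array keyed by role"]
    for role, entries in privileges.items():
        if not entries:
            problems.append(f"role {role!r}: at least one privilege is required")
            continue
        for i, entry in enumerate(entries):
            name = entry.get("privilege")
            if not name:
                problems.append(f"{role}[{i}]: privilege is required")
            elif name not in KNOWN_PRIVILEGES:
                problems.append(f"{role}[{i}]: unknown privilege {name!r}")
            resource = entry.get("resource")
            if resource is not None:
                try:
                    re.compile(resource)   # the resource must be a usable regular expression
                except re.error as exc:
                    problems.append(f"{role}[{i}]: resource {resource!r} is not a valid regular expression ({exc})")
    return problems


def _covers(granted, wanted):
    # Exact match, or an *All privilege covering everything with its prefix (assumption).
    return granted == wanted or (granted.endswith("All") and wanted.startswith(granted[:-3]))


def is_permitted(privileges, principal_roles, privilege, resource=None):
    """True if any of the principal's roles grants the privilege on the resource."""
    for role in principal_roles:
        for entry in privileges.get(role, []):
            if not _covers(entry.get("privilege", ""), privilege):
                continue
            pattern = entry.get("resource")
            if pattern is None:
                return True   # unconstrained grant (assumption: applies to any resource)
            if resource is not None and re.fullmatch(pattern, resource):
                return True   # the resource pattern matched the whole resource name
    return False


if __name__ == "__main__":
    print("problems:", validate_mappings(PRIVILEGES))
    print("basicUser can enqueue to default.InputStream1:",
          is_permitted(PRIVILEGES, ["basicUser"], "StreamEnqueue", "default.InputStream1"))
```

Note that re.fullmatch is used deliberately: with re.search, the resource "default.InputStream1" would also match "default.InputStream10".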
Each profile has a unique name across all server and client profile types; the name serves as a reference target from other configurations wishing to enable secure communication.
The client profile is for INTERNAL client connections, that is, connections made from the server to the server. If you enable SSL on a Live Datamart server, you need both the SecureCommunicationClientProfile and the SecureCommunicationServerProfile configured. This is because server and client certificates have different attributes, and CAs do not issue a single certificate appropriate for both client and server use.
- SecureCommunicationClientProfile
-
A secure communication profile configuration object contains settings used to secure client-side transport connections, for example to external services such as LDAP. Profiles are named, and then referenced as needed by other configurations needing secure communication.
- name
-
The name of this profile, unique across all secure communication profiles. This name-value pair is required. For example:
name = "my-profile"
- keyStore
-
Key store that contains key materials as well as optional trust store information, depending on key store format. It must be a file. If the key store contains multiple private key entries (aliases in JKS parlance), the first is used. The path is required to be absolute, therefore the file must exist on the target node's file system. This name-value pair is optional. If present, engines acting as clients can establish secure connections to services and perform client (mutual) authentication. For example:
keyStore = "/absolute/path/myKeyStore.jks"
- keyStorePassword
-
String. Keystore password, used to access the keystore contents. You can provide an enciphered string for the value; generate the enciphered string with the sbcipher command and prefix #! to the generated string. This name-value pair is required. For example:
keyStorePassword = "secret"
- keyPassword
-
String. The password to access the key within the keystore. You can provide an enciphered string for the value; generate the enciphered string with the sbcipher command and prefix #! to the generated string. This name-value pair is optional. If absent, the keystore password is used to access the key. For example:
keyPassword = "anothersecret"
- keyStoreType
-
Key store type. This name-value pair is optional and its default value is JKS. For example:
keyStoreType = "JKS"
- trustStore
-
Trust store containing CAs by which client certificates must be signed to be trusted. The same comments apply as for the keyStore property above: it must be a file, and the generator is responsible for setting the corresponding system property to an absolute file name. The path is required to be absolute, therefore the file must exist on the target node's file system. This name-value pair is required.
For example:
trustStore = "/absolute/path/myTrustStore.jks"
- trustStorePassword
-
The password to access the trust store. You can provide an enciphered string for the value; generate the enciphered string with the sbcipher command and prefix #! to the generated string. For example:
trustStorePassword = "athirdsecret"
- trustStoreType
-
Trust store type. This name-value pair is optional and its default value is JKS.
For example:
trustStoreType = "JKS"
- requireClientAuthentication
-
Enable or disable required client authentication. Enabling requires presence of a key store to sign the client side of the secure communication handshake. This name-value pair is optional, and its default value is false. If its value is true, both a key store and key store password are required.
For example:
requireClientAuthentication = true
The following is a sample that configures a secure communication profile for a client endpoint. A secure communication profile configuration object contains settings used to secure client-side transport connections (for example, to external services such as LDAP). Profiles are named and then referenced as needed by other configurations needing secure communication.
name = "mycommunicationsettings"
version = "1.0.0"
type = "com.tibco.ep.dtm.configuration.security"
configuration = {
  SecureCommunicationClientProfile = {
    name = "my-profile"
    keyStore = "/absolute/path/myKeyStore.jks"
    keyStorePassword = "secret"
    keyPassword = "anothersecret"
    keyStoreType = "JKS"
    trustStore = "/absolute/path/myTrustStore.jks"
    trustStorePassword = "athirdsecret"
    trustStoreType = "JKS"
    requireClientAuthentication = true
  }
}
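Two things worth checking across every file of this type before it is committed are the convention, repeated in the realm and profile sections above, that a password value is stored enciphered with sbcipher and carries the #! prefix, and the profile rules just stated (trustStore required; requireClientAuthentication = true needs both keyStore and keyStorePassword; store paths absolute). The following is an added example, not StreamBase code, that performs both checks over a parsed configuration. It assumes the HOCON has already been parsed into nested dicts and lists (for instance with the pyhocon library); the sample configuration is constructed inline with placeholder values, and the absolute-path test is a regular expression accepting the POSIX and Windows forms shown on this page.

```python
"""Added example, not StreamBase code: report secret-bearing name-value pairs
left in clear text (no '#!' sbcipher prefix) and check a secure communication
profile against the requirements stated on this page."""
import re

# Name-value pairs this page documents as holding passwords.
SECRET_KEYS = {"password", "hashedPassword", "systemPassword",
               "keyStorePassword", "keyPassword", "trustStorePassword"}
ENCIPHERED_PREFIX = "#!"
# Absolute path on POSIX (/...) or Windows (C:/... or C:\...), the two forms on this page.
_ABSOLUTE = re.compile(r"^(/|[A-Za-z]:[/\\])")

# Constructed sample, as the parsed 'configuration' object; values are placeholders.
SAMPLE = {
    "LocalAuthenticationRealm": {
        "name": "authRealm",
        "principals": [
            {"userName": "admin", "password": "admin", "roles": ["LVAdmin"]},
            {"userName": "lvintern", "password": "#!PLACEHOLDER-ENCIPHERED", "roles": ["LVInternal"]},
        ],
    },
    "SecureCommunicationClientProfile": {
        "name": "clientprofile",
        "keyStore": "/absolute/path/myKeyStore.jks",
        "keyStorePassword": "changeit",
        "trustStore": "/absolute/path/myTrustStore.jks",
        "trustStorePassword": "#!PLACEHOLDER-ENCIPHERED",
        "requireClientAuthentication": True,
    },
}


def find_cleartext_secrets(node, path="configuration"):
    """Return the paths of secret values that are not sbcipher-enciphered."""
    findings = []
    if isinstance(node, dict):
        for key, value in node.items():
            here = f"{path}.{key}"
            if key in SECRET_KEYS and isinstance(value, str):
                if not value.startswith(ENCIPHERED_PREFIX):
                    findings.append(here)
            else:
                findings.extend(find_cleartext_secrets(value, here))
    elif isinstance(node, list):
        for i, item in enumerate(node):
            label = f"{path}[{i}]"
            if isinstance(item, dict) and "userName" in item:
                label += f"({item['userName']})"   # name the principal for readability
            findings.extend(find_cleartext_secrets(item, label))
    return findings


def check_secure_profile(profile):
    """Problems with a SecureCommunication*Profile according to the rules on this page."""
    problems = []
    if not profile.get("name"):
        problems.append("name is required")
    if "trustStore" not in profile:
        problems.append("trustStore is required")
    if profile.get("requireClientAuthentication") and not (
            profile.get("keyStore") and profile.get("keyStorePassword")):
        problems.append("requireClientAuthentication = true requires keyStore and keyStorePassword")
    for key in ("keyStore", "trustStore"):
        value = profile.get(key)
        if value is not None and not _ABSOLUTE.match(value):
            problems.append(f"{key} must be an absolute path, got {value!r}")
    return problems


if __name__ == "__main__":
    for finding in find_cleartext_secrets(SAMPLE):
        print("clear-text secret:", finding)
    for problem in check_secure_profile(SAMPLE["SecureCommunicationClientProfile"]):
        print("profile problem:", problem)
```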
Each profile has a unique name across all server and client profile types; the name serves as a reference target from other configurations wishing to enable secure communication.
This profile is for the Live Datamart API listener. For SSL with client certificate authentication, the profile contains a trust store used to validate incoming server certificates. Also, if you enable SSL on a Live Datamart server, you need both the Secure Communication Client Profile and the Secure Communication Server Profile configured, because server and client certificates have different attributes and certificate authorities do not issue a single certificate appropriate for both client and server use.
- SecureCommunicationServerProfile
-
A secure communication profile configuration object contains settings used to secure server-side transport connections, for example from EventFlow and LiveView API clients. Profiles are named, and then referenced as needed by other configurations needing secure communication.
- name
-
The name of this profile, unique across all secure communication profiles. This name-value pair is required. For example:
name = "my-profile"
- keyStore
-
Key store that contains key materials as well as optional trust store information, depending on key store format. It must be a file. If the key store contains multiple private key entries (aliases in JKS parlance), the first is used. The path is required to be absolute, therefore the file must exist on the target node's file system. This name-value pair is optional. If present, engines acting as clients can establish secure connections to services and perform client (mutual) authentication. For example:
keyStore = "/absolute/path/myKeyStore.jks"
- keyStorePassword
-
String. Keystore password, used to access the keystore contents. You can provide an enciphered string for the value; generate the enciphered string with the sbcipher command and prefix #! to the generated string. This name-value pair is required. For example:
keyStorePassword = "secret"
- keyPassword
-
String. The password to access the key within the keystore. You can provide an enciphered string for the value; generate the enciphered string with the sbcipher command and prefix #! to the generated string. This name-value pair is optional; if absent, the keystore password is used instead. For example:
keyPassword = "anothersecret"
- keyStoreType
-
Key store type. This name-value pair is optional and its default value is JKS. For example:
keyStoreType = "JKS"
- trustStore
-
Trust store containing the CAs used to establish trust. As with the keyStore property, the store must be an absolute file path that exists on the target node's file system. This key is optional. If present, engine API listeners can perform client (mutual) authentication with their clients. For example:
trustStore = "/absolute/path/myTrustStore.jks"
- trustStorePassword
-
The password to access the trust store. You can provide an enciphered string for the value; generate the enciphered string with the sbcipher command and prefix #! to the generated string. For example:
trustStorePassword = "athirdsecret"
- trustStoreType
-
Trust store type. This name-value pair is optional and its default value is JKS.
For example:
trustStoreType = "JKS"
- requireClientAuthentication
-
Enable or disable required client authentication. Enabling it requires the presence of a key store, which is used to sign the client side of the secure communication handshake. This name-value pair is optional, and its default value is false. If its value is true, both a key store and a key store password are required.
For example:
requireClientAuthentication = true
- userNameObjectIdentifierSearchPath
-
An array of attribute keywords or X.509 object identifiers (OIDs), indicating the order in which the client's X.509 certificate subject Distinguished Name attributes are searched to find a user name for authorization purposes. This name-value pair is only relevant if requireClientAuthentication is enabled. Supported attribute keywords are userID, CN, emailAddress, and DN. This name-value pair is optional and its default value is the search order emailAddress, CN, DN. For example:
userNameObjectIdentifierSearchPath = [ "userID", "CN", "1.2.3.4", "DN" ]
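The search order described above decides which subject attribute becomes the authorization identity, so two certificates with the same CN but different e-mail addresses resolve differently under the default order than under a CN-first order. The following is an added Python example, not StreamBase Runtime code, that models that resolution: it parses a textual subject DN and walks a search path of keywords and OIDs, returning the first value found. The mapping of the userID keyword to the LDAP uid attribute, the OID-to-short-name table, and the sample subject strings are assumptions constructed for this example.

```python
import re

# Attribute-type OIDs from RFC 4519 / RFC 2985 (real values); which keyword
# maps to which attribute is an assumption of this example, not page-stated.
KEYWORD_TO_OID = {
    "userID": "0.9.2342.19200300.100.1.1",  # uid
    "CN": "2.5.4.3",                         # commonName
    "emailAddress": "1.2.840.113549.1.9.1",  # PKCS#9 emailAddress
}
# Short names under which those attribute types appear in a textual DN.
OID_TO_SHORT_NAMES = {
    "0.9.2342.19200300.100.1.1": ("UID",),
    "2.5.4.3": ("CN",),
    "1.2.840.113549.1.9.1": ("emailAddress", "E"),
}
# Default order stated in the reference text.
DEFAULT_SEARCH_PATH = ["emailAddress", "CN", "DN"]


def parse_dn(dn):
    """Split an RFC 4514-style DN into ordered (attribute type, value) pairs.

    Commas and plus signs escaped with a backslash are treated as literal
    characters, so a value such as "Smith\\, Alice" stays in one RDN.
    """
    pairs = []
    for rdn in re.split(r"(?<!\\),", dn):
        for ava in re.split(r"(?<!\\)\+", rdn):
            attr_type, _, value = ava.strip().partition("=")
            value = value.replace("\\,", ",").replace("\\+", "+").strip()
            pairs.append((attr_type.strip(), value))
    return pairs


def resolve_user_name(dn, search_path=None):
    """Return the first subject attribute value found along search_path.

    Entries may be the keywords userID, CN, emailAddress, DN, or a dotted
    OID; "DN" yields the complete subject string. None means no match.
    """
    pairs = parse_dn(dn)
    for entry in search_path or DEFAULT_SEARCH_PATH:
        if entry == "DN":
            return dn
        oid = KEYWORD_TO_OID.get(entry, entry)
        wanted = {name.lower() for name in OID_TO_SHORT_NAMES.get(oid, ())}
        wanted.add(oid.lower())  # a DN may spell an attribute as a raw OID
        for attr_type, value in pairs:
            if attr_type.lower() in wanted:
                return value
    return None


if __name__ == "__main__":
    # Constructed sample subject; not taken from a real certificate.
    subject = "emailAddress=alice@example.test,CN=Alice Smith,UID=asmith,O=Example,C=US"
    print(resolve_user_name(subject))                     # -> alice@example.test
    print(resolve_user_name(subject, ["userID", "CN"]))   # -> asmith
    print(resolve_user_name(subject, ["1.2.3.4", "CN"]))  # -> Alice Smith
```

Putting "DN" last in the path, as the default does, guarantees a non-empty identity whenever a client certificate is presented; a path without "DN" returns None when none of the listed attributes is present, which the caller should treat as an authorization failure rather than an empty user name.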
The following sample configures a secure communication profile for a server endpoint. A secure communication profile configuration object contains settings used to secure server-side transport connections (for example, from EventFlow and LiveView API clients). Profiles are named and then referenced as needed by other configurations needing secure communication.
name = "mycommunicationsettings"
version = "1.0.0"
type = "com.tibco.ep.dtm.configuration.security"
configuration = {
    SecureCommunicationServerProfile = {
        name = "my-profile"
        keyStore = "/absolute/path/myKeyStore.jks"
        keyStorePassword = "secret"
        keyPassword = "anothersecret"
        keyStoreType = "JKS"
        trustStore = "/absolute/path/myTrustStore.jks"
        trustStorePassword = "athirdsecret"
        trustStoreType = "JKS"
        requireClientAuthentication = true
        userNameObjectIdentifierSearchPath = [ "userID", "CN", "1.2.3.4", "DN" ]
    }
}
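The client and server profile sections above state a number of constraints that are easy to get wrong in a hand-written file: store paths must be absolute, requireClientAuthentication = true needs both keyStore and keyStorePassword, the client profile requires a trustStore, userNameObjectIdentifierSearchPath entries must be supported keywords or OIDs, and profile names must be unique across both profile types. The following is an added Python example, not part of StreamBase Runtime, that checks a profile against those stated rules and flags clear-text passwords (values without the #! prefix that marks an sbcipher-enciphered string). It assumes the profile has already been loaded into a dict by a HOCON library; the two sample profiles on this page are embedded as constructed dicts.

```python
import posixpath
import re

SUPPORTED_KEYWORDS = {"userID", "CN", "emailAddress", "DN"}
OID_RE = re.compile(r"^\d+(\.\d+)+$")
PASSWORD_KEYS = ("keyStorePassword", "keyPassword", "trustStorePassword")


def apply_defaults(profile):
    """Return a copy of the profile with the defaults stated in the reference."""
    p = dict(profile)
    p.setdefault("keyStoreType", "JKS")
    p.setdefault("trustStoreType", "JKS")
    p.setdefault("requireClientAuthentication", False)
    return p


def check_profile(kind, profile):
    """Check one profile; kind is "client" or "server". Returns (errors, warnings)."""
    p = apply_defaults(profile)
    errors, warnings = [], []
    if not p.get("name"):
        errors.append("name is required")
    # Node paths in this reference are POSIX style; posixpath keeps the check
    # independent of the platform the validator itself runs on.
    for store in ("keyStore", "trustStore"):
        if store in p and not posixpath.isabs(p[store]):
            errors.append(f"{store} must be an absolute path: {p[store]!r}")
    if kind == "client" and "trustStore" not in p:
        errors.append("trustStore is required in a client profile")
    if p["requireClientAuthentication"]:
        for key in ("keyStore", "keyStorePassword"):
            if key not in p:
                errors.append(f"requireClientAuthentication = true requires {key}")
    for key in PASSWORD_KEYS:
        if key in p and not str(p[key]).startswith("#!"):
            warnings.append(f"{key} is in clear text; an sbcipher value prefixed with #! avoids that")
    entries = p.get("userNameObjectIdentifierSearchPath")
    if entries is not None:
        if kind != "server":
            errors.append("userNameObjectIdentifierSearchPath applies only to server profiles")
        if not p["requireClientAuthentication"]:
            warnings.append("userNameObjectIdentifierSearchPath has no effect unless requireClientAuthentication = true")
        for entry in entries:
            if entry not in SUPPORTED_KEYWORDS and not OID_RE.match(entry):
                errors.append(f"unsupported search path entry {entry!r}")
    return errors, warnings


def check_unique_names(profiles):
    """profiles: iterable of (kind, profile). Names must be unique across both kinds."""
    seen, errors = {}, []
    for kind, p in profiles:
        name = p.get("name")
        if name in seen:
            errors.append(f"profile name {name!r} is not unique ({seen[name]} and {kind} profiles)")
        else:
            seen[name] = kind
    return errors


# The two sample profiles from this reference, as dicts (constructed; HOCON
# parsing is outside this example).
CLIENT_SAMPLE = {
    "name": "my-profile",
    "keyStore": "/absolute/path/myKeyStore.jks", "keyStorePassword": "secret",
    "keyPassword": "anothersecret", "keyStoreType": "JKS",
    "trustStore": "/absolute/path/myTrustStore.jks", "trustStorePassword": "athirdsecret",
    "trustStoreType": "JKS", "requireClientAuthentication": True,
}
SERVER_SAMPLE = dict(CLIENT_SAMPLE,
                     userNameObjectIdentifierSearchPath=["userID", "CN", "1.2.3.4", "DN"])

if __name__ == "__main__":
    for kind, sample in (("client", CLIENT_SAMPLE), ("server", SERVER_SAMPLE)):
        errors, warnings = check_profile(kind, sample)
        print(kind, "errors:", errors)
        print(kind, "warnings:", warnings)
    # Both page samples use the name "my-profile", which the reference says
    # must be unique across all profiles.
    print(check_unique_names([("client", CLIENT_SAMPLE), ("server", SERVER_SAMPLE)]))
```

Run on the two samples as written, the checker reports no errors but three warnings each for the clear-text keyStorePassword, keyPassword and trustStorePassword values, and one uniqueness error because both samples are named "my-profile"; a file that embeds both profiles would need distinct names.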
The default local authentication source in a node supports the configuration of trusted hosts, which allows for expedited authentication of principals when the authentication request originates with a network connection from a configured trusted host. Authentication from a trusted host passes without consideration of credentials. That is, if the authentication request originates from a trusted host, the StreamBase Runtime trusts the host-based authentication mechanism (such as a UNIX login) to have verified the identity of the principal.
- TrustedHosts
-
A list of hosts from which users do not need to authenticate when executing administrative commands. Hosts must be in an array.
- hosts
-
String. The host names, such as fully qualified domain names, simple names, DNS names, and IP addresses.
For example:
hosts = [
    "192.168.1.1"
    "a.tibco.com"
    "b.tibco.com"
    "c.tibco.com"
    "my-host"
]