AMS is configured through one or more files that use HOCON syntax, which itself is a form of JSON. The supplied AMS.conf file is located in $AMS_HOME/conf. However, you can also use your own site-specific configuration file and store it in a directory of your choosing. There are two ways to accomplish this. The AMS start script can prepend any customer-supplied classpath elements to the classpath used to start the AMS server, in which case AMS overrides the default configuration file with the custom one. Alternatively, use the --conf option to start the AMS server. For example, ams-server --conf /path/to/my/site-specific-AMS.conf.
The following shows the configuration's HOCON properties, usage, and syntax examples, where applicable.
Mandatory configuration file header line, followed by an open brace "{". The file must end with the matching close brace.
com.tibco.ep.ams.configuration = {
    ...
}
The path to the database file and the username and password to access the file. The path can be absolute or relative to the working directory from which the AMS is started.
Default:
filePath = "data/ams-h2-persistence"
Database user account name. Default:
userName = "sa"
Password for the database user. Default:
password = ""
The port the AMS server listens on and whether that port is configured for secure (TLS) communication.
TCP port for the client API to listen on. This property is optional. The default value is 2185 (non-secure) and the range is 0 to 65535. AMS recommends using port 2443 when secure communication is required (which therefore requires setting the secure property, below, to true).
For example:
portNumber = 2185
A secure-transport indicator. If true, use TLS to secure communication to the client; if false, do not. Enabling secure communication requires that the engine have a secure communication configuration; otherwise this indicator value is ignored. This property is optional and its default value is false.
For example:
secure = false
The keystore file, keystore password, and key password to use when using secure (TLS) communication.
String. File path to a keystore that contains the server's certificate as well as optional trust store information, depending on keystore format. It must be a file, since the implementation uses the JSSE system property javax.net.ssl.keyStore to make the keystore available to TLS, and that must be a file. If the keystore contains multiple private key entries ("aliases" in JKS parlance), the first is used.
Default:
keyStore = "localhost.jks"
String. Keystore password, used to access the keystore contents. You can provide an enciphered string for the value. This required property is encryptable as part of the node-level secrecy system described in the StreamBase Administration Guide in the TIBCO StreamBase® documentation.
Default:
keyStorePassword = "password"
Default:
keyPassword = "password"
Client authentication is not currently supported in the AMS.
Default:
trustStore = "localhost.jks"
Default:
trustStorePassword = "password"
An array of cipher suites that can be used for TLS encryption. If this property is not used, AMS uses all the cipher suites that are installed with the JVM. When this element is present, AMS is limited to the suites you list. Note that both suites in the supplied default below use RC4, which RFC 7465 prohibits for TLS, so a site-specific file should list suites that the server's JVM supports and accepts.
Default:
cipherSuites = [ "SSL_RSA_WITH_RC4_128_MD5" "SSL_RSA_WITH_RC4_128_SHA" ]
When configured for local realm authentication, the AMS user, password, and role information is used to seed users and roles in the AMS persistence realm.
An array of zero or more user names, passwords, and their roles. This property is optional and has no default value.
String. AMS user name. This property is required and cannot be an empty string.
AMS user password. This property is encryptable as part of the node-level secrecy system described in the StreamBase Administration Guide in the TIBCO StreamBase® documentation.
An array of zero or more role names of which the user is a member. For more information about roles, see User Roles.
Default:
principals = [
    { userName = "admin" password = "admin" roles = ["AMSAdmin"] }
    { userName = "deploy" password = "deploy" roles = ["AMSDeploy"] }
    { userName = "nopriv" password = "nopriv" roles = [] }
]
The authentication system uses this element to log in to the LDAP server to enumerate user roles and to authenticate users.
When multiple LDAP servers are specified in this realm, this property defines the order in which the servers are connected for authentication. To authenticate in a round-robin fashion (the default), specify round-robin. To try the LDAP servers in order until the first successful authentication request, specify first-hit.
Default:
serverConnectAlgorithm = "round-robin"
An array of LDAP servers, with the following default configuration:
servers = [
    {
        authenticationCredentials = {
            userName = "CN=Administrator,CN=Users,DC=mycompany,DC=com"
            password = "password"
        }
        host = "adserver.mycompany.com"
        portNumber = 389
        secure = true
        principalRoot = "CN=Users,DC=mycompany,DC=com"
        principalSearch = "CN={0}"
        roleRoot = "CN=Groups,DC=mycompany,DC=com"
        roleSearch = "distinguishedName={0}"
        roleAttribute = "memberOf"
    }
]
The authentication system needs to log in to the LDAP server to enumerate user roles and to authenticate users. The login credentials can be specified one of two ways. If this property is present, its user and password are used to log in. If it is not present, the authentication system uses TLS and a private key to log in. The latter requires that secure communication be configured.
String. The user name used by the authentication system to log in to the LDAP server. Maps to the java.naming.security.principal naming context property. This property is required.
String. The password used by the authentication system to log in to the LDAP server. You can provide an enciphered string for the value. For example, generate the enciphered string with the ams-server --cipher command. This property is required.
String. The LDAP server's host name. This property is optional and its default value is localhost.
For example:
host = "ldap.example.com"
Int. The LDAP server port that AMS connects to. This property is optional and its default value is 389.
AMS does not currently support secure communication to LDAP servers, so this property is unused.
For example:
secure = true
String. The Distinguished Name pattern that describes the directory information tree on the LDAP server, from the required entry to the directory root. Principal names will be applied to the pattern during authentication. This property is required.
For example:
principalRoot = "CN=Users,DC=mycompany,DC=com"
String. The key name and index within the LDAP to use when looking up principals. This property is required.
For example:
principalSearch = "cn={0}"
String. The Distinguished Name pattern that describes the directory information tree on the LDAP server, for role search. This property is required.
For example:
roleRoot = "o=yourcompany/ou=yourdepartment"
String. Search criteria for role membership given a principal substituted into the '{0}' token. This property is required.
For example:
roleSearch = "cn={0}"
String. Attribute for a user showing the roles of which they are a member. This property is required.
For example:
roleAttribute = "memberOf"
Configuration for authenticating users against one or more OpenID Connect providers.
Properties that control how identities are bound to AMS profiles after authenticating with an identity provider if no matching AMS profile is found. Configure the actions to take when no binding exists between an identity and an AMS profile.
For example:
bindAction = "AUTO_CREATE"
Valid values are:
FAIL: Fails the login request.
AUTO_CREATE: Default. Creates a new AMS profile using the configured OpenID Connect claim as the username.
SIGN_IN: Presents a login form to the user, who enters the credentials of an existing AMS profile, creating the binding between the identity and profile.
SIGN_IN_OR_SIGN_UP: Presents a login form in the web client to the user, who enters the credentials of an existing AMS profile or requests the creation of a new profile.
The OpenID Connect claim used for the username of auto-created AMS profiles. Valid values include: email, name (username), and family_name (surname). Default:
autoCreateUsernameClaim = "email"
Determines whether auto-created users, or users created through the sign-up form, are initially enabled. One of {true | false}. Default:
autoCreateUserEnabled = "false"
A comma-delimited list of role(s) to assign to auto-created users. If empty, auto-created users are assigned no roles. An administrator would then have to assign one or more roles to the user through the web client.
autoCreateDefaultRoles = ""
Zero or more filters to apply to auto-create AMS profile requests. A filter contains the fully qualified name of a Java class that implements the com.tibco.ep.ams.auth.AMSAutoCreateFilter interface, along with zero or more parameters associated with each filter.
In the example below, a filter is used to restrict the creation of AMS profiles to users within a specific email domain.
autoCreateFilters = [
    {
        javaClass = "com.tibco.ep.ams.auth.AMSAutoCreateEmailFilter"
        params = [
            { name = "domains" value = "mycompany.com" }
        ]
    }
]
Use this property to configure authentication against one or more OpenID Connect identity providers.
Contains an array of one or more OpenID Connect identity providers.
Many organizations have one or more providers, including their own. The AMS.conf file provides two default provider configurations, Google and Auth0. For single sign-on to AMS to succeed, AMS also requires the identity provider configuration to be set up between your organization and your providers.
The following shows the default properties in the AMS.conf file:
providers = [
    {
        name = "Google"
        issuer = "https://accounts.google.com"
        clientId = "place your Google client ID here"
        clientSecret = "place your Google client secret here"
    }
    {
        name = "Auth0"
        issuer = "https://jtk-test.auth0.com"
        clientId = "place your Auth0 client ID here"
        clientSecret = "place your Auth0 client secret here"
        subjectProviderMappings = [
            { subjectPrefix = "google-oauth2" provider = "Google" }
        ]
    }
]
Array, which can be a comma-separated list or one entry per line. Enables one or more of the realms defined in the configuration file: LocalAuthenticationRealm, LDAPAuthenticationRealm, AMSPersistenceRealm, or OpenIDConnectAuthenticationRealm.
For example:
AMSRealmList = [ LocalAuthenticationRealm, LDAPAuthenticationRealm, AMSPersistenceRealm, OpenIDConnectAuthenticationRealm ]
A description of general privileges associated with roles. Each privilege has an associated resource; a privilege defines what you can do, and its associated resource defines what you can do it to. For more information about roles and permissions, see User Access Control.
An associative array of AMS privileges keyed by role. The default below defines the AMSAdmin role with all privileges included:
privileges = {
    AMSAdmin = [ { privilege = "*" } ]
    AMSDeploy = [ { privilege = "artifact:deploy" resource = "MyProject/MyArtifact" } ]
}
Zero or more StreamBase service names from which to accept deployment requests. If empty, the AMS responds to all services. Service names can contain Java-compatible wildcards.
Uncomment the following line to respond to requests only from services starting with myservice.
filter = [
    // myservice.*
]
These credentials are used when deploying artifacts using a Target Type of StreamBase Service Name.
services = [
    { serviceName = "myservice" userName = "guest" password = "guest" }
]
An array defining one or more source control management repositories, whose directories can be used as the source for creating AMS SCM projects. The AMS.conf file provides configuration for two such SCM systems, one each for Git and Subversion. Each repository entry has the following properties:
name: A unique name for this repository instance.
enabled: Set to true to enable this repository and false otherwise. Default is false.
type: Valid values are GIT, SUBVERSION, or CUSTOM.
javaClass: Required only when type == CUSTOM.
url: Repository URL.
branch: Repository branch name (defaults to master).
username: Repository username (can be enciphered with ams-server --cipher).
password: Repository password (can be enciphered with ams-server --cipher).
executable: Path to Subversion, Git, or custom executable.
pullIntervalSeconds: Interval in seconds between attempts to pull repository updates into AMS, or 0 to disable periodic pulling.
AMS provides a HOCON-formatted configuration file that allows you to configure security settings and user access control. The port number the server listens on is the prototypical example of a site-specific value that you can configure.
// Site-specific modifications to the AMS server configuration
com.tibco.ep.ams.configuration {
    Database {
        // The path to the database file and the username and password to access the file.
        // The path can be absolute or relative to the working directory from which the AMS
        // is started.
        filePath = "data/ams-h2-persistence"
        userName = "sa"
        password = ""
    }
    ClientAPIListener = {
        // The port the AMS server listens on and whether that port is configured for secure (TLS)
        // communication
        portNumber = 2185
        secure = false
    }
    CommunicationSecurity = {
        // The keystore file, keystore password, and key password when using secure (TLS) communication
        keyStore = "localhost.jks"
        keyStorePassword = "password"
        keyPassword = "password"
        // Client authentication is not currently supported in the AMS
        clientAuthentication = {
            trustStore = "localhost.jks"
            trustStorePassword = "password"
            cipherSuites = [ "SSL_RSA_WITH_RC4_128_MD5" "SSL_RSA_WITH_RC4_128_SHA" ]
        }
    }
    LocalAuthenticationRealm = {
        // Users and their passwords and roles. Passwords can be enciphered with the
        // sbcipher utility for additional security.
        principals = [
            { userName = "admin" password = "admin" roles = ["AMSAdmin"] }
            { userName = "deploy" password = "deploy" roles = ["AMSDeploy"] }
            { userName = "nopriv" password = "nopriv" roles = [] }
        ]
    }
    LDAPAuthenticationRealm = {
        // Configuration for authenticating users against an LDAP server
        serverConnectAlgorithm = "round-robin"
        servers = [
            {
                authenticationCredentials = {
                    userName = "CN=Administrator,CN=Users,DC=mycompany,DC=com"
                    password = "password"
                }
                host = "adserver.mycompany.com"
                portNumber = 389
                secure = true
                principalRoot = "CN=Users,DC=mycompany,DC=com"
                principalSearch = "CN={0}"
                roleRoot = "CN=Groups,DC=mycompany,DC=com"
                roleSearch = "distinguishedName={0}"
                roleAttribute = "memberOf"
            }
        ]
    }
    OpenIDConnectAuthenticationRealm {
        // Properties that control how identities are bound to AMS profiles after
        // authenticating with an identity provider if no matching AMS profile is found.
        IdentityToAMSProfileBinding = {
            // Configure the action(s) to take when no binding exists between an identity and
            // an AMS profile. Valid values are:
            //
            // FAIL - Fails the login request.
            //
            // AUTO_CREATE - Creates a new AMS profile using the configured OpenID Connect claim
            // as the username.
            //
            // SIGN_IN - Presents a login form to the user, who enters the credentials of an existing
            // AMS profile, creating the binding between the identity and profile.
            //
            // SIGN_IN_OR_SIGN_UP - Presents a login form to the user, who enters the credentials of
            // an existing AMS profile or requests the creation of a new profile.
            bindAction = "AUTO_CREATE"
            // The OpenID Connect claim used for the username of auto-created AMS profiles. Valid values
            // include: email, name, family_name
            autoCreateUsernameClaim = "email"
            // Determines whether auto-created users, or users created through the sign-up form, are
            // initially enabled
            autoCreateUserEnabled = "false"
            // A comma-delimited list of role(s) to assign to auto-created users
            autoCreateDefaultRoles = ""
            // Zero or more filters to apply to auto-create AMS profile requests. A filter contains the name
            // of a fully-qualified Java path that conforms to the com.tibco.ep.ams.auth.AMSAutoCreateFilter
            // interface along with zero or more parameters associated with each filter. In the example below,
            // a filter is used to restrict the creation of AMS profiles to users within a specific email domain.
            // For an auto-create request to succeed, it must pass all the configured filters.
            autoCreateFilters = [
                {
                    javaClass = "com.tibco.ep.ams.auth.AMSAutoCreateEmailFilter"
                    params = [
                        // Comma-delimited list of acceptable email domains
                        { name = "domains" value = "mycompany.com" }
                    ]
                }
            ]
        }
        // Configuration for authentication against one or more OpenID Connect identity providers
        IdentityProviders = {
            providers = [
                {
                    name = "Google"
                    issuer = "https://accounts.google.com"
                    clientId = "place your Google client ID here"
                    clientSecret = "place your Google client secret here"
                }
                {
                    name = "Auth0"
                    issuer = "https://jtk-test.auth0.com"
                    clientId = "place your Auth0 client ID here"
                    clientSecret = "place your Auth0 client secret here"
                    subjectProviderMappings = [
                        { subjectPrefix = "google-oauth2" provider = "Google" }
                    ]
                }
            ]
        }
    }
    AMSRealmList = [
        // Enables one or more of the realms defined above: LocalAuthenticationRealm,
        // LDAPAuthenticationRealm, AMSPersistenceRealm, or OpenIDConnectAuthenticationRealm
        LocalAuthenticationRealm
    ]
    RoleToPrivilegeMappings = {
        // Map of roles to permissions.
        privileges = {
            AMSAdmin = [ { privilege = "*" } ]
            AMSDeploy = [ { privilege = "artifact:deploy" } ]
        }
    }
    DeploymentServiceNames = {
        // Zero or more StreamBase service names from which to accept deployment requests. If empty, the AMS responds to all
        // services. Service names can contain Java-compatible wildcards.
        filter = [
            // Uncomment the following line to respond to requests only from services starting with "myservice"
            // myservice.*
        ]
        // Credentials for one or more StreamBase services. These credentials are used when deploying artifacts
        // using a Target Type of StreamBase Service Name.
        services = [
            { serviceName = "myservice" userName = "guest" password = "guest" }
        ]
    }
    SourceControlManagement {
        repositories = [
            {
                name = "REPO1"                  // A unique name for this repository instance
                enabled = false                 // Set to true to enable this repository and false otherwise
                type = "GIT"                    // Valid values are GIT, SUBVERSION, or CUSTOM
                javaClass = ""                  // Required only when type == CUSTOM
                url = "https://svn.mycompany.com/path/to/repository" // Repository URL
                branch = "master"               // Repository branch name (defaults to master)
                username = "myusername"         // Repository username (can be enciphered with ams-server --cipher)
                password = "mypassword"         // Repository password (can be enciphered with ams-server --cipher)
                executable = "/usr/bin/git"     // Path to Subversion, Git, or custom executable
                pullIntervalSeconds = 0         // Interval in seconds between attempts to pull repository updates into AMS, or 0 to disable periodic pulling
            }
            {
                name = "REPO2"                  // A unique name for this repository instance
                enabled = false                 // Set to true to enable this repository and false otherwise
                type = "SUBVERSION"             // Valid values are GIT, SUBVERSION, or CUSTOM
                javaClass = ""                  // Required only when type == CUSTOM
                url = "https://svn.mycompany.com/path/to/repository" // Repository URL
                username = "myusername"         // Repository username (can be enciphered with ams-server --cipher)
                password = "mypassword"         // Repository password (can be enciphered with ams-server --cipher)
                executable = "/usr/bin/svn"     // Path to Subversion, Git, or custom executable
                pullIntervalSeconds = 0         // Interval in seconds between attempts to pull repository updates into AMS, or 0 to disable periodic pulling
            }
        ]
    }
}
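The shipped file above is a template: every password is a sample value, the client API listener is non-secure, the keystore is localhost.jks and the cipher suites are RC4. An added example (not part of AMS or its documentation) that walks the HOCON subset AMS.conf uses (nested objects, arrays, quoted strings, bare literals and // comments; no substitutions or includes) and flags those settings before a site-specific file is deployed. Both embedded fragments are constructed; in the hardened one the keystore path, the <...> placeholders and the cipher suite are assumptions, not AMS defaults.

```python
"""Audit an AMS.conf fragment for the insecure shipped defaults this page documents."""
import re
# Constructed sample: the shipped defaults from this page, with the listener left non-secure.
DEFAULT_CONF = """
com.tibco.ep.ams.configuration {
  Database { filePath = "data/ams-h2-persistence" userName = "sa" password = "" }
  ClientAPIListener = { portNumber = 2185 secure = false }
  CommunicationSecurity = {
    keyStore = "localhost.jks" keyStorePassword = "password" keyPassword = "password"
    clientAuthentication = { trustStore = "localhost.jks" trustStorePassword = "password"
      cipherSuites = [ "SSL_RSA_WITH_RC4_128_MD5" "SSL_RSA_WITH_RC4_128_SHA" ] } }
  LocalAuthenticationRealm = {
    principals = [ { userName = "admin" password = "admin" roles = ["AMSAdmin"] } ] } }
"""
# Constructed sample of a hardened site-specific override. The keystore path, the <...>
# placeholders and the cipher suite are assumptions (the suite must be one the JVM supports).
HARDENED_CONF = """
com.tibco.ep.ams.configuration {
  ClientAPIListener = { portNumber = 2443 secure = true }   // TLS on the recommended port
  CommunicationSecurity = { keyStore = "/etc/ams/ams-server.jks"
    keyStorePassword = "<ams-server --cipher output>" keyPassword = "<ams-server --cipher output>"
    cipherSuites = [ "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256" ] }
  LocalAuthenticationRealm = { principals = [
    { userName = "admin" password = "<ams-server --cipher output>" roles = ["AMSAdmin"] } ] } }
"""
TOKEN = re.compile(r'"([^"]*)"|([{}\[\]])|([\w.:/-]+)')   # '=' and ',' are simply skipped
WEAK_SECRETS = {"", "password", "admin", "deploy", "nopriv", "guest", "mypassword"}

def flatten(text):
    """Return [(path, key, value)] for every scalar; array elements carry key ''."""
    text = re.sub(r"(^|\s)//[^\n]*", r"\1", text, flags=re.M)   # drop comments, keep // in URLs
    path, pending, out = [], None, []
    for string, punct, word in (m.groups() for m in TOKEN.finditer(text)):
        if punct in ("{", "["):                       # open the pending key's object or array
            path.append((pending or "") + ("[]" if punct == "[" else ""))
            pending = None
        elif punct in ("}", "]"):
            path.pop()
        elif pending is not None or (path and path[-1].endswith("[]")):
            value = string if string is not None else word   # quoted string or bare literal
            out.append((".".join(p for p in path if p), pending or "", value))
            pending = None
        else:                                         # a key; its value follows
            pending = word
    return out

def audit(text):
    """Return (location, message) findings for settings that must not reach production."""
    findings = []
    for path, key, value in flatten(text):
        where = f"{path}.{key}" if key else path
        if key.lower().endswith("password") and value in WEAK_SECRETS:
            findings.append((where, "empty or sample password; use an enciphered site value"))
        elif key == "secure" and value == "false" and "ClientAPIListener" in path:
            findings.append((where, "client API listener without TLS; set secure = true"))
        elif key == "keyStore" and value == "localhost.jks":
            findings.append((where, "sample keystore; install the server's own certificate"))
        elif "cipherSuites" in path and "RC4" in value:
            findings.append((where, f"{value}: RC4 is prohibited in TLS (RFC 7465)"))
    return findings
```

Running audit over the shipped defaults reports nine findings; the hardened fragment reports none. The same walk over a real site-specific file is a cheap pre-deployment gate for the values this page tells you to change.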