Contents
LiveView has several customizations for logging, port usage, and authentication.
See StreamBase Logging for a full explanation of server logging settings. For
LiveView, system logging is controlled by a configuration file. These files are by
default installed in the $STREAMBASE_HOME/liveview/server/engine/conf folder. The available
logging configuration files are:
- logback.xml
-
Default logging setting.
- LVDebugLogback.xml
-
Enable verbose logging. This setting enables LVDEBUG messages to view detailed information on queries submitted to LiveView Server.
- LVAlertDebugLogback.xml
-
Enable verbose debug for alert functionality.
- LVSBDebugLogback.xml
-
Enable logging of all debugging, including all StreamBase debugging. This setting enables verbose logging for both LiveView Server and the underlying StreamBase Server for multi-layered issues.
By default, LiveView uses logback for logging. You can change the logging
configuration by setting the environment variable STREAMBASE_LIVEVIEW_LOG equal to the name of the preconfigured log
files. For example setting STREAMBASE_LIVEVIEW_LOG=LVDebugLogback.xml will set LiveView Server
logging to the verbose level.
You can also change the logging for all LiveView projects by editing the default
LiveView Server sbconf file, which is installed as $STREAMBASE_HOME/liveview/server/engine/sbd.sbconf and setting the
system property logback.configurationFile:
<sysproperty name="logback.configurationFile" value="$STREAMBASE_HOME/liveview/server/engine/conf/LogbackConfigFile.xml"/>
Note that the value attribute must be set to the full
path to the configuration file.
Note
LiveView logging settings work in tandem with StreamBase server logging. Depending on your server configuration settings, you may overwrite one set of logging configurations with another. See the TIBCO StreamBase CEP Administration Guide's article on StreamBase Logging for more information on background mode logging settings.
A running LiveView instance uses two ports. Each LiveView instance requires two TCP ports: one for server processes (streambase-port) and one for client connections (liveview-port). By default, these port numbers are 10000 and 10080. When you start a LiveView project, both ports are in use. There are three ways that you can change the port numbers for a server process:
-
Start the server with the command-line client lv-server and use the --streambase-port and --liveview-port options. The is option supersedes all other options. For example, the following lv-server command would start a project named
liveview-projecton ports 10001 and 10081:lv-server run --streambase-port 10001 --liveview-port 10081
liveview_project -
Use the sbd.sbconf file to set the system properties
tcp-portandliveview.port. This option supersedes the environment variable option in (3).To specify port numbers in an sbd.sbconf, set the following options:
-
In the
<server>element insbd.sbconf, add thetcp-portparameter:<server> <param name="tcp-port" value="
new-port-value"/> </server> -
In the
<java-vm>element, add theliveview.portsystem property (whose value should differ from that of thetcp-portparameter):<java-vm> <sysproperty name="liveview.port" value="
different-new-port-value" /> </java-vm>
If you are running from StreamBase Studio, edit the ports as follows:
-
Right-click on a project folder, or on any of the lvconf files for a project, and select → . This opens the External Tools Configurations dialog.
-
In the Options pane, set the port numbers.
-
Click .
-
-
Set the environment variables liveview.streambase.connection.pool.port and liveview.port. This option will be overridden by either option (1) or option (2).
LiveView can be configured to verify the identity of clients (authentication) and ensure that authenticated clients have permission to access the requested LiveView resources (authorization).
LiveView authentication and authorization, hereafter referred to as simply
authentication, is configured through a properties file, liveview.properties, located in your LiveView project's top-level
directory. This file allows you to enable authentication, specify a "security
realm," and configure realm-specific attributes. The two security realms are
currently supported:
- Properties file
-
Users, passwords, roles, and permissions are configured in a second properties file,
liveview.auth.properties, located in your LiveView project's top-level directory - Active Directory server
-
Users and roles (groups) are retrieved from an Active Directory server, while the mapping of roles to LiveView permissions is retrieved from
liveview.auth.properties.
The LiveView Authentication/Authorization sample provides template liveview.properties and liveview.auth.properties files that can be used as the basis for
enabling authentication in your LiveView application. To load and run the project,
follow these steps:
When LiveView authentication is enabled, a LiveView client identifies itself to the server with a username and password. These credentials can be included in a LiveView URI by placing them between the protocol field and server name in the URI. For example:
lv://myusername:myPassword@localhost
Note that a colon (:) delimits the username and
password, while an at sign (@) delimits the
username/password and server name.
The template liveview.properties file in the LiveView
Authentication sample contains a section for each of the two security realms:
-
Properties File:
# Properties file authentication/authorization # # Uncomment these lines to enable authentication/authorization using a properties file. # #liveview.security.auth.filter=authcBasic #liveview.security.auth.realm=properties #liveview.security.auth.properties.file=liveview.auth.properties
-
Active Directory:
# Active Directory authentication/authorization # # Uncomment these lines to enable authentication/authorization using Active Directory. # #liveview.security.auth.filter=authcBasic #liveview.security.auth.realm=activeDirectory #liveview.security.auth.properties.file=liveview.auth.properties # # Uncomment these lines and provide your site-specific Active Directory values: # #liveview.security.auth.active.dir.url=ldap://adserver.mycompany.com #liveview.security.auth.active.dir.username=CN=Administrator,CN=Users,DC=mycompany,DC=com #liveview.security.auth.active.dir.password=mypassword #liveview.security.auth.active.dir.search.base=CN=Users,DC=mycompany,DC=com #liveview.security.auth.active.dir.group.membership.attr=memberOf
To enable authentication, uncomment the lines within liveview.properties pertaining to your chosen security realm. If
using a properties file realm, template values are provided that allow the sample
to be run out-of-the-box. For Active Directory, replace the template values with
your site-specific Active Directory values such as URL, system username and
password, or other values.
Passwords within liveview.properties and liveview.auth.properties can be stored as either clear or
enciphered text. Encipher a password as follows:
sbcipher -c "mypassword" cA8lR8fz+XBf0QaVP0jxTO6LFCWQhL2PagLXTEVF9RFEB6nkFQB9MXKea7qW7+3IhBgXBtxqhkNx0FUPE2jAJw==
Replace the clear text password in liveview.properties, liveview.auth.properties, or sbd.sbconf with the enciphered text returned by sbcipher, e.g.,
liveview.security.auth.active.dir.password=cA8lR8fz+XBf0QaVP0jxTO6LFCWQhL2PagLXTEVF9RFEB6nkFQB9MXKea7qW7+3IhBgXBtxqhkNx0FUPE2jAJw==
Each LiveView user can have one or more role. The mapping of users to roles depends
upon the configured realm. When using a property file, this mapping is contained in
liveview.auth.properties:
# LiveView user-to-role mapping #user.<name> = <password>,<role1>,<role2>,... user.lvmanager = lvmanager,LVAdmin user.lvguest = lvguest,LVUser user.lvinternal = lvinternal,LVIntern
In the example above, there are three users: lvmanager, lvguest, and lvinternal, which have roles of LVAdmin, LVUser, and LVIntern, respectively. When using Active Directory, user-to-role
mapping is retrieved from the Active Directory server using, by default, the
memberOf attribute. The Active Directory attribute
used for user-to-role mapping can be changed with the liveview.security.auth.active.dir.group.membership.attr property
in liveview.properties.
Each role can be assigned one or more permissions, some of which can be
hierarchical. Users with multiple roles inherit the permissions from all assigned
roles. Role-to-permission mapping is contained in liveview.auth.properties:
# LiveView role-to-permission mapping #role.<name> = <permission1>,<permission2>,... role.LVAdmin = * role.LVUser = connect, table:list, table:manage, table:query:Items, table:publish:Items, table:delete:Items, alert:list, alert:set, alert:delete role.LVIntern = connect, table:query:*
The following table lists the available permissions and their use within LiveView.
| Permission | Description | ||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
| * | Allows full access to all LiveView resources. | ||||||||||||||
| connect | Allows a user to connect to LiveView. | ||||||||||||||
| shutdown | Allows a user to shut down the LiveView server. This permission is typically granted only to LiveView administrators. | ||||||||||||||
| table[:<operation>[:<table-name>]] |
This hierarchical permission controls access to LiveView tables. It contains between one and three elements delimited with colons. The second element specifies the table operation as follows:
If the third element is absent, or contains |
||||||||||||||
| alert[:<operation>[:<table-name>]] |
This hierarchical permission controls access to LiveView alerts. It contains between one and three elements delimited with colons. The second element specifies the alert operation as follows:
|
||||||||||||||
| alertaction[:<type>[:<table-name>]] |
This hierarchical permission controls access to adding LiveView alerts actions. It contains between one and three elements delimited with colons. The second element specifies the type of alert action as follows:
|
||||||||||||||
| workspace[:<operation>] |
This hierarchical permission controls access to LiveView workspaces. It contains either one or two elements delimited with a colon. The second element specifies the workspace operation as follows:
|
Several internal LiveView components are required to make requests to access
LiveView server resources. When authentication is enabled, these internal requests
must be made in the context of a valid LiveView user configured with the
appropriate permissions. A special role, LVInternal,
is available to satisfy this requirement. Two system properties, liveview.internal.username and liveview.internal.password, specify the credentials of the
internal LiveView user configured with the LVInternal
role. The LiveView Authentication/Authorization Sample sets the internal user's
credentials in a StreamBase configuration file, sbd.sbconf. Enciphered Passwords describes how to encipher passwords, including
that for the internal user, for added security.
Changes to users, roles, and permissions in liveview.auth.properties are recognized dynamically by LiveView.
By default, changes are processed within 1 second of this file being saved.
The liveview.security.auth.reload.interval.seconds
property in liveview.properties can be used to change
the interval, in seconds, that LiveView uses to detect changes.
Network traffic between LiveView clients and the server can run over a secure connection by enabling LiveView SSL. This is particularly important when authentication is enabled and usernames and passwords are sent over the wire.
To use SSL, configure LiveView server to listen on an SSL port, and direct LiveView
clients SSL-enabled connections to that port. When SSL is enabled, the LiveView
server, by default, listens on both a non-SSL port and an SSL port. To configure
the server to listen on an SSL port only, set the liveview.ssl.only property to true,
either in your LiveView project's liveview.properties
or StreamBase configuration (sbd.sbconf) file.
SSL is enabled in the LiveView server by setting the liveview.ssl.port property in one of three ways:
-
Start the LiveView server with the
--liveview-ssl-portoption:lv-server --liveview-ssl-port 10443 run <path-to-lv-project>
-
In your LiveView project's
liveview.propertiesfile, uncomment the line that sets the LiveView SSL port:liveview.ssl.port=10443
A template
liveview.propertiesfile is provided with the LiveView Authentication/Authorization sample. -
In the
<java-vm>element of your LiveView project's StreamBase configuration file,sbd.sbconf, set theliveview.ssl.portproprerty:<java-vm> <sysproperty name="liveview.ssl.port" value="10443"/> </java-vm>
When SSL is enabled, the LiveView server requires a Java keystore and password to
identify itself to LiveView clients, and a Java truststore and password for
internal LiveView components that make client requests to the LiveView server. The
LiveView Authentication/Authorization sample provides a pre-populated keystore file
that is used for both roles and is configured within the sample's StreamBase
configuration file, sbd.sbconf, as follows:
<java-vm>
<param name="jvm-args" value="
-Dliveview.keystore=mykeystore
-Dliveview.keystore.password=mypassword
-Djavax.net.ssl.trustStore=mykeystore
-Djavax.net.ssl.trustStorePassword=mypassword
"/>
</java-vm>
To connect to a LiveView server using SSL, LiveView clients use URIs with a
protocol of lvs rather than lv. When configured for SSL, a LiveView server listens, by
default, on port 10443. This is also the default port of a LiveView URI when
using the lvs protocol. You can override the default
LiveView SSL port by adding an explicit port number to the URI, e.g.,
lvs://myusername:myPassword@localhost:10444
When connecting to LiveView via SSL, the LiveView client and server perform an
SSL handshake, which includes the server sending its certificate to the client.
If the client isn't configured to trust the server's certificate, the handshake
fails and the connection isn't established. For Java-based SSL clients, such as
LiveView Desktop, LiveView Workspace Manager, the lv-client command, or other
Java applications that use the LiveView Java client API to connect to the
LiveView server, the trust relationship can be configured by setting the
javax.net.ssl.trustStore and javax.net.ssl.trustStorePassword properties, respectively, with
the path and password of a Java keystore file containing the LiveView server's
certificate. When using the LiveView Authentication/Authorization sample, the
server's certificate is located in the mykeystore
file provided with the sample.
Configuring the trust relationship for non-Java LiveView clients is beyond the scope of this document.
How to access StreamBase that has been locked down.
If you are using authentication to protect your StreamBase environment from unintended use, you need to configure your LiveView projects to work with the authentication-enabled StreamBase Server.
To enable LiveView to run with a StreamBase server on which authentication is enabled, you must set four LiveView system properties:
-
liveview.streambase.admin.username: The username of an SBAdmin-enabled StreamBase user.
-
liveview.streambase.admin.password: The password of an SBAdmin-enabled StreamBase user.
-
liveview.streambase.user.username: The username of the StreamBase user without SBAdmin privileges.
-
liveview.streambase.user.password: The password of the StreamBase user without SBAdmin privileges.
The following StreamBase configuration file, placed in the top-level directory of the project directory, enables StreamBase authentication (using the parameters under the <authentication> tag) and allows LiveView Server to run with the authentication-enabled StreamBase Server (using the systems properties under the <java-vm> tag):
<?xml version="1.0"?>
<streambase-configuration xmlns:xi="http://www.w3.org/2001/XInclude"
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
xsi:noNamespaceSchemaLocation="http://www.streambase.com/schemas/sbconf/">
<authentication>
<param name="enabled" value="true"/>
<param name="type" value="sb-password-file"/>
<param name="filepath" value="./sbpasswd"/>
</authentication>
<java-vm>
<sysproperty name="liveview.streambase.admin.username" value="sbmanager" />
<sysproperty name="liveview.streambase.admin.password" value="sbmanager" />
<sysproperty name="liveview.streambase.user.username" value="sbtest" />
<sysproperty name="liveview.streambase.user.password" value="sbtest" />
</java-vm>
To match this configuration create the users as follows:
sbuseradmin -f sbpasswd --add -n sbmanager -p sbmanager -r SBAdmin sbuseradmin -f sbpasswd --add -n sbtest -p sbtest -r SBUser
To encipher the passwords in this configuration, for each password run the following commands (commands shown on two lines for clarity):
sbcipher -c"sbmanager" mF4Tooh8qipplnZwa6PN3qLhuxAosmGBpxriEmhVVuqWphq+rXBybWV6XfxZUgMWwUvmcqtiy5UcbIVlMCswLw== sbcipher -c"sbtest" KX4vUpjZgQfav3gHujZ08jqeJtvJFX+WyNu4nzX4TBhGErDVDGRfHjKI7yXn/jW4OXx4Bei7hXlGxjKAg0hTmw==
Now, replace the password properties with these values:
<sysproperty name="liveview.streambase.admin.password" value="mF4Tooh8qipplnZwa6PN3qLhuxAosmGBpxriEmhVVuqWphq+rXBybWV6XfxZUgMWwUvmcqtiy5UcbIVlMCswLw==" /> <sysproperty name="liveview.streambase.user.password" value="KX4vUpjZgQfav3gHujZ08jqeJtvJFX+WyNu4nzX4TBhGErDVDGRfHjKI7yXn/jW4OXx4Bei7hXlGxjKAg0hTmw==" />
By default, when you run a LiveView project, LiveView creates an lv-bin directory for generated project files and an lv-systemdata directory for generated project data. (These directories are hidden by default; you can change the default view with the Package Explorer filters.) You can add a system property to the project sbconf file (liveview.project.out) that defines a writable folder for files and metadata that LiveView Server generates:
<sysproperty value="..\out" name="liveview.project.out"/>
The value of this property can be an absolute or relative path. If it is a relative path, it will be appended to the liveview.project.home. If the specified folder is not writable, LiveView throws an exception. LiveView Server redirects all generated files and metadata to this path.
The lv-bin folder is written under the specified folder (for example, ..\out\lv-bin). If this property is not specified, the output folder is assumed to be the project home (lv-bin is then created in \project_home\lv-bin.) The the project_home folder is not writable, the compiler first tries the user's folder and then tries the temp folder. This information is logged. If LiveView cannot find a writable folder, it throws an exception.
If only 'sysproperty name="liveview.project.out"...' is set, SB/LV writes lv-bin and lv-systemdata to the lv.project.out directory.
If both 'sysproperty name="liveview.project.out"...' and 'sysproperty name="liveview.systemdata.directory"...' are set, lv-bin goes into lv.project.out and lv-systemdata goes in lv.systemdata.directory.
If only 'sysproperty name="liveview.systemdata.directory"...' is set, lv-bin goes in the project workspace and lv-systemdata goes in lv.systemdata.directory.