Configuring the Proxy Server

Note

This topic describes the behavior of the StreamBase Proxy Server before StreamBase release 7.1.3, when the Proxy Server handled both SSL and LDAP authentication. Starting with release 7.1.3, the LDAP authentication feature was moved into StreamBase Server itself. See Using LDAP Authentication.

This topic describes how to configure the StreamBase proxy server to enable security for StreamBase clients.

Before beginning this procedure, read Using the Proxy Server for an overview of the main components in the proxy server-based security environment.

The StreamBase proxy server, sbproxy, is configured using the security section of the sbd server's configuration file. When the security element exists, the sbd runs in secure mode: it listens for connections only on localhost, so connections from remote computers cannot be made. In this way all communications between clients and the sbd go through the sbproxy server.

In the following procedure, conditional steps are given in the form of questions. Answer the questions by choosing the appropriate options for your security requirements or environment. All configuration steps refer to the security section of the sbconf file that will be used. Consult the reference documentation in StreamBase Server Configuration File XML Reference for details about editing the security elements in the sbconf file. After completing each step, please go on to the next step unless told to stop.

  1. Specify the server certificate keystore and password, by adding an ssl-authentication element. For example:

    <security>
      <ssl-authentication>
        <param name="keystore" value="../test/proxy/security/signed.keystore"/>
        <param name="keystore-password" value="secret"/>
        <param name="key-password" value="secret1"/>
      </ssl-authentication>
    
  2. Do you have client certificates?

    Yes

    Add the client-ssl-connections element as follows:

    <client-ssl-connections>
      <param name="require-client-authentication" value="true"/>
    </client-ssl-connections>
    
    No

    You can omit the client-ssl-connections element, because its value is "false" by default.

  3. Will you be using LDAP?

    No

    Do not configure LDAP parameters; go on to Step 4.

    Yes
    1. Add the ldap element. Within it, add a server element for each LDAP server you will use, specifying the server's host and port number.

    2. In each server section, add param elements specifying the root and search information.

      Here is an example of the ldap section at this point:

      <ldap>
        <server host="parallels" port="839">
          <param name="principal-root" value="ou=Users,dc=example,dc=com"/>
          <param name="principal-search" value="cn={0}"/>
        </server>
      </ldap>
      
    3. How will your LDAP servers be accessed? Choose one of the following options:

      sbconf will pass username and password to LDAP

      In each server section, add param elements specifying the root-dn and password credentials. For example:

      <param name="root-dn" value="cn=Manager,dc=example,dc=com"/>
      <param name="password" value="secret"/>
      
      LDAP client certificate will authenticate the sbproxy to the LDAP server

      In each server section, add param elements specifying the keystore, keystore-password, and, optionally, key-password. For example:

      <param name="keystore" value="ldapuser.keystore"/>
      <param name="keystore-password" value="secret"/>
      <param name="key-password" value="secret1"/>
      
  4. Do you want to perform authentication in the sbconf file for finer-grained access control?

    No

    Add the following param element, with the value attribute set to "false" as shown here:

    <param name="perform-authentication" value="false"/>
    

    The effect of this setting depends on the form of SSL you use:

    • If you are using 1-way SSL, no username or password is required and actions are not restricted. This is the weakest proxy-based security setting.

    • If you are using 2-way SSL, the client must provide a client certificate. Once logged in, users are not restricted.

    Stop; you have completed this procedure.

    Yes
    1. The sbconf file is set to perform authentication by default. Therefore, you can either omit the following element, or include it with the value attribute set to "true", as shown below:

      <param name="perform-authentication" value="true"/>
      
    2. Define roles by adding one or more role elements. For each role, specify the actions that you want to allow. For example:

      <role name="InnocentBystander">
        <param name="action" value="Administrate"/>
        <param name="action" value="Status"/>
        <param name="action" value="Enqueue default.InputStream1"/>
        <param name="action" value="Dequeue default.OutputStream1"/>
      </role>
      
    3. Are you using LDAP?

      Yes

      No further user restrictions should be specified in the sbconf file, which controls only the mapping of roles to actions. The following controls are provided outside of the sbconf:

      • If you are using 1-way SSL, the user/role mapping and password checking come from the LDAP server.

      • If you are using 2-way SSL, user/role mapping comes from the LDAP server; password checking comes from the client certificate.

      No
      1. Add a user-data element.

      2. For each user, add a child user element.

      3. In each user element, control user actions. Choose one of these options:

        Are you using 1-way SSL?

        Identify the user, assign one or more roles, and provide a password by adding param elements for principal name, role, and password. This example assigns two roles to a user:

        <user>
          <param name="cn" value="cn=Alice Pleasance Liddell,ou=Users,dc=example,dc=com"/>
          <param name="role" value="InnocentBystander"/>
          <param name="role" value="StreamBaseSuperuser"/>
          <param name="password" value="secret"/>
        </user>
        
        Are you using 2-way SSL?

        Identify the user and assign one or more roles, by adding param elements for principal name and role. (The password is provided by the client certificate.) For example:

        <user>
          <param name="cn" value="EMAILADDRESS=bobn@streambase.com, CN=Bob Newhart, OU=Users, O=StreamBase Systems, L=Waltham, ST=Massachusetts, C=US"/>
          <param name="role" value="InnocentBystander"/>
        </user>
        

        You have completed this procedure.
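The following audit script is an added example, not part of StreamBase or its documentation. It parses a constructed sbconf and flags the weak combinations this procedure describes: 1-way SSL with perform-authentication set to "false" (the weakest proxy-based setting), and an LDAP bind password stored in the sbconf instead of a keystore. The root element name and the nesting of the step fragments directly inside security are assumptions.

```python
"""Audit the <security> section of a StreamBase sbconf for the weak settings
described in the proxy-server procedure (added example, not StreamBase code)."""
import xml.etree.ElementTree as ET

# Constructed sample sbconf. The root element name and the placement of the
# fragments directly under <security> are assumptions, not a verified schema.
SAMPLE_SBCONF = """<streambase-configuration>
  <security>
    <ssl-authentication>
      <param name="keystore" value="signed.keystore"/>
      <param name="keystore-password" value="secret"/>
    </ssl-authentication>
    <ldap>
      <server host="ldap.example.com" port="636">
        <param name="principal-root" value="ou=Users,dc=example,dc=com"/>
        <param name="root-dn" value="cn=Manager,dc=example,dc=com"/>
        <param name="password" value="secret"/>
      </server>
    </ldap>
    <param name="perform-authentication" value="false"/>
  </security>
</streambase-configuration>"""


def _param(parent, name):
    """Return the value of the <param name=...> child of parent, or None."""
    for p in parent.findall("param"):
        if p.get("name") == name:
            return p.get("value")
    return None


def audit_security(sbconf_xml):
    """Return a list of findings for the security section (empty if clean)."""
    sec = ET.fromstring(sbconf_xml).find("security")
    if sec is None:
        return ["no <security> element: sbd does not run in secure mode"]
    findings = []
    # 2-way SSL is only in effect when client authentication is required.
    csc = sec.find("client-ssl-connections")
    two_way = csc is not None and \
        _param(csc, "require-client-authentication") == "true"
    if _param(sec, "perform-authentication") == "false" and not two_way:
        findings.append("1-way SSL with perform-authentication=false: "
                        "no username/password and actions are unrestricted")
    for server in sec.findall("ldap/server"):
        if _param(server, "root-dn") and _param(server, "password"):
            findings.append("LDAP bind password for %s stored in sbconf; "
                            "prefer the keystore-based LDAP client certificate"
                            % _param(server, "root-dn"))
    return findings
```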
