Using StreamBase Server Simple Authentication

To protect your StreamBase environment from unintended use, you can enable simple authentication directly in StreamBase by defining parameters in the deployed server configuration file, and by associating users with three types of StreamBase roles. When this type of authentication is enabled, each user must provide valid username and password credentials when they enter StreamBase commands or connect with custom-written StreamBase clients.

By default, StreamBase authentication is disabled. This topic explains how to change the authentication settings.

Notes

  • The authentication credentials that you define for use with StreamBase have no connection with system-level accounts: they are independent of each other. While you could use the same user-name and password combinations for StreamBase and a system-level account, it is not necessary. The important point is that the sbuseradmin command described in this topic does not interact with your operating system's accounts.

  • StreamBase authentication is not encrypted. To configure encrypted authentication using external X.509 certificates and LDAP, see Using the Proxy Server.

Enabling StreamBase Server authentication involves the following steps:

Defining Roles

StreamBase authentication involves assigning users to any of three roles. For each role, users are authorized to run specific commands:

StreamBase Authorization: Roles and Commands

Role          Commands Authorized
SBUser        sbc
SBDeveloper   sbc
SBAdmin       sbc, sbadmin

Note

In previous releases, the SBUser role was authorized to run sbc, while the SBDeveloper role was authorized to run both sbc and sbdb. However, the sbdb command was removed in release 6.3. The SBDeveloper role still exists, but no longer provides a privilege level different from the SBUser role.

A user can be assigned more than one StreamBase user role.

If authentication is disabled (the default), these roles need not be defined.

Enabling Authentication

You can change authentication parameters for the StreamBase Server instance that will host your application by editing the server configuration file for that instance. Generate a default configuration file in Studio or on the command line as described in Creating New Server Configuration Files, and then edit the file as described in this section. The standard name for a server configuration file is sbd.sbconf. For details on the XML grammar of server configuration files, see StreamBase Server Configuration File XML Reference.

In the configuration file, look for the <authentication> section, much like the following example:

<authentication>
    <!-- Should the sbd require clients to authenticate themselves?
         Disabled by default -->
    <param name="enabled" value="false"/>
    <!-- Authentication parameters.  Currently the only authentication
         type is sb-password-file. -->
    <param name="type" value="sb-password-file"/>
    <param name="filepath" value="${STREAMBASE_HOME}/etc/sbpasswd"/>
</authentication>

Authentication is disabled by default. To enable it, change the value of the enabled parameter to true.

Setting User Names, Passwords, and User Roles

The StreamBase authentication user name and password are used only for StreamBase client-to-server authentication, and are not shared with any other authentication system. For example, the StreamBase user name and password do not reuse your Windows domain user name, or your LDAP or NIS user name. You define separate and independent user names and passwords for use only with StreamBase authentication.

StreamBase user names and passwords are stored in a file named sbpasswd, which is installed by default in:

STREAMBASE_HOME/etc/sbpasswd

For example, on UNIX, the default location is:

/opt/tibco/sb-cep/n.m/etc/sbpasswd

To add, update, or delete users, run the sbuseradmin command.

The syntax for adding a user is:

sbuseradmin -a -n user-name -p password -r user-role

If you omit the -p option, the command prompts for a password:

sbuseradmin -a -n user-name -r user-role
Password:

The password prompt is not repeated, so be sure to type the password carefully. To correct a mistyped password (evidenced by failures to connect to the server with the password you expect to work), remove and re-add the StreamBase user name.

On Windows, the sbpasswd file in STREAMBASE_HOME\etc can be accessed only by members of the Administrators group.

On UNIX, the sbpasswd file is installed with root as owner. If the sbpasswd file protection remains unchanged, you must have root access to run the sbuseradmin command. If you do not have root access, an error is returned when you attempt to run sbuseradmin. The following shows a successful sbuseradmin command:

sbuseradmin -a -n sbmichael -p secr3t1ve -r SBDeveloper
Added user sbmichael

For the user-role parameter, provide one user role, or a comma-separated list of roles, from the user role keywords shown in Defining Roles.
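The settings from Enabling Authentication and the sbpasswd ownership described above can be checked together on a UNIX host. The following is an added example, not part of the StreamBase documentation or tooling: audit_authentication, the sample-root wrapper element, and the rule that any group or other access is a finding are assumptions of this example.

```python
import os
import stat
import xml.etree.ElementTree as ET

# Constructed sample: the <authentication> section from the page, wrapped in a
# placeholder root element so that it parses as a standalone document.
SAMPLE_SBCONF = """<sample-root>
  <authentication>
    <param name="enabled" value="false"/>
    <param name="type" value="sb-password-file"/>
    <param name="filepath" value="${STREAMBASE_HOME}/etc/sbpasswd"/>
  </authentication>
</sample-root>"""


def audit_authentication(sbconf_xml, streambase_home, expected_uid=0):
    """Return a list of findings for the <authentication> section (hypothetical helper)."""
    findings = []
    auth = next(ET.fromstring(sbconf_xml).iter("authentication"), None)
    if auth is None:
        return ["no <authentication> section: authentication is disabled by default"]
    params = {p.get("name"): p.get("value", "") for p in auth.iter("param")}

    if params.get("enabled", "false").strip().lower() != "true":
        findings.append("authentication is not enabled")
    if params.get("type") != "sb-password-file":
        findings.append("unexpected authentication type: %r" % params.get("type"))

    # Expand the ${STREAMBASE_HOME} placeholder used in the default filepath.
    path = params.get("filepath", "").replace("${STREAMBASE_HOME}", streambase_home)
    try:
        info = os.stat(path)
    except OSError:
        return findings + ["password file not found: " + path]
    if info.st_uid != expected_uid:
        findings.append("password file owner is uid %d, expected %d" % (info.st_uid, expected_uid))
    # Policy assumed by this example: no group or other access at all.
    if info.st_mode & (stat.S_IRWXG | stat.S_IRWXO):
        findings.append("password file is accessible to group/other: mode %o" % stat.S_IMODE(info.st_mode))
    return findings


if __name__ == "__main__":
    home = os.environ.get("STREAMBASE_HOME", "/opt/tibco/sb-cep/n.m")
    for finding in audit_authentication(SAMPLE_SBCONF, home):
        print("FINDING:", finding)
```
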

Connecting with Authentication Enabled

Specify StreamBase user names and passwords as part of the StreamBase URI you pass with the -u option when using the sbc and sbadmin commands, or when connecting with custom-written client code. (You can also specify the user name and password as part of the default StreamBase URI in the environment variable STREAMBASE_SERVER, but this places the password in clear text in the environment.)

To specify a StreamBase user name and password, append ;user=username;password=password to the StreamBase URI you pass to the server. An example URI is:

sb://localhost:10000/;user=sbmichael;password=secr3t1ve

See sburi for details on the format of the StreamBase URI.

Use a command like the following example to list entities at the StreamBase Command Prompt on Windows:

sbc -u sb://localhost:10000/;user=sbmichael;password=secr3t1ve list

When specifying authentication parameters at the UNIX shell prompt, enclose the StreamBase URI in quotes to escape the shell's interpretation of the semicolon:

sbc -u "sb://localhost:10000/;user=sbmichael;password=secr3t1ve" list
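Because the password travels inside the URI, it ends up in clear text in scripts, shell history and the environment. The following added example (not part of the StreamBase documentation) finds such URIs in an environment mapping and in UNIX shell lines, redacts the password for reporting, and flags URIs that are not quoted. The function names, and the rule that a password value ends at a semicolon, quote or whitespace, are assumptions of this example.

```python
import re

# ";password=<value>" inside an sb:// URI, in the form shown on the page.
# Assumption of this example: the value ends at ';', a quote or whitespace.
SB_PASSWORD = re.compile(r"(sb://[^\s\"']*?;password=)([^;\s\"']*)")


def redact(text):
    """Replace the password value of every sb:// URI in text with ***."""
    return SB_PASSWORD.sub(r"\g<1>***", text)


def find_exposures(environ, shell_lines):
    """Return (where, redacted_text, issue) for each cleartext password found."""
    found = []
    server = environ.get("STREAMBASE_SERVER", "")
    if SB_PASSWORD.search(server):
        found.append(("env STREAMBASE_SERVER", redact(server),
                      "password stored in the environment"))
    for number, line in enumerate(shell_lines, 1):
        for match in SB_PASSWORD.finditer(line):
            # A URI counts as quoted when a quote character directly precedes it.
            quoted = match.start() > 0 and line[match.start() - 1] in "\"'"
            issue = ("password on the command line" if quoted else
                     "password on the command line; unquoted ';' ends the "
                     "command at a UNIX shell, so the credentials never reach sbc")
            found.append(("line %d" % number, redact(line), issue))
    return found


# Constructed sample input, built from the page's own example values.
SAMPLE_ENV = {"STREAMBASE_SERVER": "sb://localhost:10000/;user=sbmichael;password=secr3t1ve"}
SAMPLE_LINES = [
    'sbc -u "sb://localhost:10000/;user=sbmichael;password=secr3t1ve" list',
    "sbc -u sb://localhost:10000/;user=sbmichael;password=secr3t1ve list",
    "sbc -u sb://localhost:10000/ list",
]

if __name__ == "__main__":
    for where, text, issue in find_exposures(SAMPLE_ENV, SAMPLE_LINES):
        print("%s: %s\n    %s" % (where, issue, text))
```
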
