Configuring the Proxy Server

Note

Starting with release 7.1.3, the LDAP authentication feature became part of StreamBase Server itself. See Using LDAP Authentication.

This topic describes how to enable configure the StreamBase proxy server to enable security for StreamBase clients.

Before beginning this procedure, read Using the Proxy Server for an overview of the main components in the proxy server-based security environment.

The StreamBase proxy server, sbproxy, is configured using the security section of the sbd server's configuration file. When the <security> element exists, the sbd runs in secure mode: it listens for connections only on localhost, so connections from remote computers cannot be made. In this way all communications between clients and the sbd go through the sbproxy server.

In the following procedure, conditional steps are given in the form of questions. Answer the questions by choosing the appropriate options for your security requirements or environment. All configuration steps refer to the <security> section of the sbconf file that will be used. Consult the reference documentation in StreamBase Server Configuration File XML Reference for details about editing the security elements in the sbconf file. After completing each step, please go on to the next step unless told to stop.

  1. Specify the server certificate keystore and password, by adding an <ssl-authentication> element. For example:

    <security>
      <ssl-authentication>
        <param name="keystore" value="../test/proxy/security/signed.keystore"/>
        <param name="keystore-password" value="secret"/>
        <param name="key-password" value="secret1"/>
      </ssl-authentication>
    
  2. Do you have client certificates?

    Yes

    Add the <client-ssl-connections> element as follows:

    <client-ssl-connections>
      <param name="require-client-authentication" value="true"/>
    </client-ssl-connections><security>
    
    No

    You can omit the <client-ssl-connections> element, because its value is "false" by default.

  3. Will you be using LDAP?

    No

    Do not configure LDAP parameters; go on to Step 4.

    Yes
    1. Add the <ldap> element. Within it, add a <server> element for each LDAP server you will use, specifying the server's host and port number.

    2. In each server section, add <param> elements specifying the root and search information.

      Here is an example of the LDAP section at this point:

      <ldap>
      <server host="parallels" port="839">
        <param name="principal-root" value="ou=Users,dc=example,dc=com"/>
        <param name="principal-search" value="cn={0}"/>
      </server>
      </ldap>
      
    3. How will your LDAP servers be accessed? Choose one of the following options:

      sbconf will pass username and password to LDAP

      In each server section, add <param> elements specifying the root-dn and password credentials. For example:

      <param name="root-dn" value="cn=Manager,dc=example,dc=com"/>
      <param name="password" value="secret"/>
      
      LDAP client certificate will authenticate the sbproxy to the LDAP server

      In each server section, add <param> elements specifying the keystore, keystore-password, and, optionally, key-password. For example:

      <param name="keystore" value="ldapuser.keystore"/>
      <param name="keystore-password" value="secret"/>
      <param name="key-password" value="secret1"/>
      
  4. Do you want to perform authentication in the sbconf file for finer-grained access control?

    No

    Add the following param element, with the value attribute set to "false" as shown here:

    <param name="perform-authentication" value="false"/>
    

    The effect of this setting depends on the form of SSL you use:

    • If you are using one-way SSL, no username or password is required and actions are not restricted. This is the weakest security setting.

    • If you are using two-way SSL, the client must provide a client certificate. Once logged in, users are not restricted.

    Stop; you have completed this procedure.

    Yes
    1. The sbconf file is set to perform authentication by default. Therefore, you can either omit the following element, or include it with the value parameter set to "true", as shown below:

      <param name="perform-authentication" value="true"/>
      
    2. Define roles by adding one or more <role> elements. For each role, specify the actions that you want to allow. For example:

      <role name="InnocentBystander">
        <param name="action" value="Administrate"/>
        <param name="action" value="Status"/>
        <param name="action" value="Enqueue default.InputStream1"/>
        <param name="action" value="Dequeue default.OutputStream1"/>
      </role>
      
    3. Are you using LDAP?

      Yes

      No further user restrictions should be specified in the sbconf file, which controls only the mapping of roles to actions. The following controls are provided outside of the sbconf:

      • If you are using one-way SSL, the user and role mapping and the password checking come from the LDAP server.

      • If you are using two-way SSL, the user and role mapping comes from the LDAP server, while password checking comes from the client certificate.

      No
      1. Add a <user-data> element and answer the following question:

      2. For each user, add a child <user> element.

      3. In each <user> element, control user actions. Choose one of these options:

        Are you using one-way SSL?

        Identify the user, assign one or more roles, and provide a password by adding <param> elements for principal name, role, and password. This example assigns two roles to a user:

        <user>
          <param name="cn" value="cn=Alice Pleasance Liddell,ou=Users,dc=example,
            dc=com"/>
          <param name="role" value="InnocentBystander"/>
          <param name="role" value="StreamBaseSuperuser"/>
          <param name="password" value="secret"/>
        </user>
        
        Are you using two-way SSL?

        Identify the user and assign one or more roles, by adding <param> elements for principal name and role. (The password is provided by the client certificate.) For example:

        <user>
          <param name="cn" value="EMAILADDRESS=bobn@tibco, CN=Bob Newhart, 
            OU=Users, O=TIBCO StreamBase, L=Waltham, ST=Massachusetts, C=US"/> 
          <param name="role" value="InnocentBystander"/>
        </user>
        

        You have completed this procedure.

See also: