Copyright © TIBCO Software Inc. All Rights Reserved


Chapter 3 Managing Access Control Lists : Configuring Access Control Lists

Configuring Access Control Lists
There are many reasons to configure ACLs. Using ACLs to provide a basic level of security for access to your network is recommended. If you do not configure ACLs on your system, clients can connect from any host, and all messages published into your network could be received by any client that connects to it.
Access Control List Configuration Commands
This section describes the commands you use to specify settings and configuration for the ACL facility.
product-key
When no product key is enabled, only the default features of the P-7500 system are available. To enable a product key on a system to unlock extra feature content such as ACLs, enter the product-key Admin EXEC command:
tibco# admin
tibco(admin)# product-key key-value
Where:
key-value is the product key provided by TIBCO. Product keys can contain up to 40 alphanumeric characters, and each key is specific to the P-7500 system and the set of features it unlocks. If the provided key value does not match the P-7500 system, the command has no effect.
The no version of this command (no product-key key-value) removes the named product key and restarts the P-7500 system.
profile-mapping
The Profile Mapping CONFIG level allows you to associate the username and mapped service of a client to a configured ACL profile. You reach this level by entering:
tibco(config)# create profile-mapping {[username name] [service mapped-service] | default}
Or
tibco(config)# profile-mapping {[username name] [service mapped-service] | default}
Where:
The create version of the command creates a profile mapping for a username and a mapped service that did not already exist.
name is the username of the client. Usernames are case sensitive. If the username parameter is left unspecified, the profile mapping applies to any username.
mapped-service is the Rendezvous Service, specified as a decimal value from 0 to 65,535. If the service parameter is left unspecified, the profile mapping applies to any service.
default maps all usernames and mapped services to the profile mapping.
The no version of the command removes the named profile mapping from the P-7500 system.
acl-profile
To assign a client’s configured ACL profile to the profile mapping, enter the acl-profile Profile Mapping CONFIG command:
tibco(config-profile-mapping)# acl-profile name
Where:
name is the name of the specified ACL profile.
The no version of this command (no acl-profile) deletes the ACL profile from the profile mapping.
acl client-connect
To configure client connection access control parameters default-action and exception for the TIBCO Messaging Appliance P-7500 system, enter the client-connect Access Control List CONFIG command:
tibco(config)# acl client-connect
Entering the client-connect Access Control List CONFIG command moves you to the ACL Client Connect CONFIG level:
tibco(config-acl-cc)#
default-action
To set the default action for client connection access attempts, enter the default-action ACL Client Connect CONFIG command:
tibco(config-acl-cc)# default-action {allow | disallow}
Where:
allow configures the client connection access to allow connections
disallow configures the client connection access to block connections (system default)
exception
To set the exceptions to the default action for client connection access attempts, enter the exception ACL Client Connect CONFIG command:
tibco(config-acl-cc)# exception cidr-addr
Where:
cidr-addr is the IP address and network mask combination of the excepted client in Classless Inter-Domain Routing (CIDR) form: nnn.nnn.nnn.nnn/dd (where nnn is 0-255, dd is 0-32)
acl profile
To configure ACL client profiles for publishing and subscription subject access control on the TIBCO Messaging Appliance P-7500 system, enter the profile Access Control List CONFIG command:
tibco(config)# acl
tibco(config-acl)# create profile name
Or
tibco(config-acl)# profile name
Where:
The create version of the command creates a new ACL profile that did not already exist.
name is the name of the specified ACL profile.
The no version of this command (no profile name) deletes the specified ACL profile from the P-7500 system.
Entering the profile Access Control List CONFIG command moves you to the ACL Profile CONFIG level within the CLI for configuring publishing and subscription subject access control parameters:
tibco(config-acl-profile)#
acl profile publish-subject
To configure the publishing subject access control parameters default-action and exception for ACL profiles, enter the publish-subject ACL Profile CONFIG command:
tibco(config-acl-profile)# publish-subject
Entering the publish-subject ACL Profile CONFIG command moves you to the ACL Profile Publish Subject CONFIG level:
tibco(config-acl-profile-publish-subject)#
default-action
To set the default action for publishing subject access attempts, enter the default-action ACL Profile Publish Subject CONFIG command:
tibco(config-acl-profile-publish-subject)# default-action {allow | disallow}
Where:
allow configures the publishing subject access to allow the publishing of subjects (system default)
disallow configures the publishing subject access to block the publishing of subjects
exception
To set the exceptions to the default action for publishing subject access attempts, enter the exception ACL Profile Publish Subject CONFIG command:
tibco(config-acl-profile-publish-subject)# exception subject
Where:
subject is the name of the publishing subject to be excepted in the form a.b.c
acl profile subscribe-subject
To configure the subscription subject access control parameters default-action and exception for ACL profiles, enter the subscribe-subject ACL Profile CONFIG command:
tibco(config-acl-profile)# subscribe-subject
Entering the subscribe-subject ACL Profile CONFIG command moves you to the ACL Profile Subscribe Subject CONFIG level:
tibco(config-acl-profile-subscribe-subject)#
default-action
To set the default action for subscription subject access attempts, enter the default-action ACL Profile Subscribe Subject CONFIG command:
tibco(config-acl-profile-subscribe-subject)# default-action {allow | disallow}
Where:
allow configures the subscription subject access to allow the subscribing to subjects (system default)
disallow configures the subscription subject access to block the subscribing to subjects
exception
To set the exceptions to the default action for subscription subject access attempts, enter the exception ACL Profile Subscribe Subject CONFIG command:
tibco(config-acl-profile-subscribe-subject)# exception subject
Where:
subject is the name of the subscription subject to be excepted in the form a.b.c
Steps to Configure Access Control Lists
To configure ACLs on your P-7500 system, use the following basic procedures. The exact steps required may vary depending on your network conditions and preferred configuration.
Before attempting to configure the ACL feature, verify that it is unlocked by entering the show product-key User EXEC command. If it is locked, enter the product-key Admin EXEC command to unlock the ACL feature.
The following example configures ACLs such that:
Controlling Which Clients Can Connect to the P-7500 System
To control which clients can connect to the P-7500 system:
1. Enter the client-connect Access Control List CONFIG command:
        tibco(config)# acl client-connect
        tibco(config-acl-cc)#
2. Set the default action for client connection attempts:
        tibco(config-acl-cc)# default-action allow
3. Add an exception to the default action. Because the default action is allow, clients in the excepted address range are blocked:
        tibco(config-acl-cc)# exception 10.10.0.0/16
   For more information, refer to “acl client-connect” on page 44.
4. Validate that the client-connect ACL rule is correct by entering the show acl client-connect User EXEC command. The output should be similar to this:
        tibco(config-acl-cc)# show acl client-connect
 
        Client Connect Default Action : allow
         Exceptions : 1
         10.10.0.0/16
You have completed this procedure.
Controlling Which Subjects a Client May Publish and Subscribe To
To control which subjects a client on the P-7500 system may publish and subscribe to, on a client by client basis:
1. Create an ACL profile. This example names the profile fruit:
        tibco(config)# create acl profile fruit
        tibco(config-acl-profile)#
   For more information, refer to “acl profile” on page 45.
2. Enter the publish-subject level and set the default action for publishing attempts:
        tibco(config-acl-profile)# publish-subject
        tibco(config-acl-profile-publish-subject)# default-action allow
3. Add an exception to the default action. Because the default action is allow, clients using this profile cannot publish on the excepted subject:
        tibco(config-acl-profile-publish-subject)# exception FRUIT.BANANAS
   For more information, refer to “acl profile publish-subject” on page 46.
4. Enter the subscribe-subject level and set the default action for subscription attempts:
        tibco(config-acl-profile)# subscribe-subject
        tibco(config-acl-profile-subscribe-subject)# default-action allow
5. Add an exception to the default action. Because the default action is allow, clients using this profile cannot subscribe to the excepted subject:
        tibco(config-acl-profile-subscribe-subject)# exception FRUIT.APPLES
   For more information, refer to “acl profile subscribe-subject” on page 46.
6. Validate that the ACL profile is correct by entering the show acl profile User EXEC command. The output should be similar to this:
        tibco(config-acl-profile)# show acl profile fruit
 
        Profile Name : fruit
         Publish Subject Default Action : allow
         Exceptions : 1
         FRUIT.BANANAS
         Subscribe Subject Default Action : allow
         Exceptions : 1
         FRUIT.APPLES
   For more information, refer to “show acl profile” on page 51.
7. Create a profile mapping for the clients. In this example, the profile mapping applies to all usernames on service 7000 (the username parameter is left unspecified to mean "any username"):
        tibco(config)# create profile-mapping service 7000
8. Assign the ACL profile to the profile mapping:
        tibco(config-profile-mapping)# acl-profile fruit
   For more information, refer to “profile-mapping” on page 43.
9. Validate that the profile mapping is correct by entering the show profile-mapping User EXEC command. The output should be similar to this:
        tibco(config-profile-mapping)# show profile-mapping
 
        Username :
        Service :
         ACL Profile : default
 
        Username :
        Service : 7000
         ACL Profile : fruit
You have completed this procedure.
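The access decisions that the two procedures above configure, modelled as an added Python example (not TIBCO code): a default action that any matching exception inverts, a CIDR check for client connections, exact subject matching for publish and subscribe access, and profile lookup through profile mappings. The rule that a more specific mapping beats the default mapping, and exact (non-wildcard) subject matching, are assumptions the page does not state.

```python
import ipaddress
from dataclasses import dataclass, field


@dataclass
class AccessRule:
    """A default action plus the exceptions that invert it, as in the page's ACLs."""
    default_action: str = "disallow"              # "allow" or "disallow"
    exceptions: list = field(default_factory=list)

    def decide(self, value, matches) -> bool:
        allowed = self.default_action == "allow"
        # Any matching exception flips the default decision.
        if any(matches(value, exc) for exc in self.exceptions):
            return not allowed
        return allowed


def cidr_match(ip: str, cidr: str) -> bool:
    return ipaddress.ip_address(ip) in ipaddress.ip_network(cidr, strict=False)


def subject_match(subject: str, pattern: str) -> bool:
    # Assumption: exceptions are exact, case-sensitive a.b.c subject names.
    return subject == pattern


# Constructed sample configuration mirroring the two procedures above.
client_connect = AccessRule("allow", ["10.10.0.0/16"])
profiles = {
    "default": {"publish": AccessRule("allow"), "subscribe": AccessRule("allow")},
    "fruit": {"publish": AccessRule("allow", ["FRUIT.BANANAS"]),
              "subscribe": AccessRule("allow", ["FRUIT.APPLES"])},
}
# (username, service) -> profile name; None means the parameter was left unspecified.
profile_mappings = {(None, None): "default", (None, 7000): "fruit"}


def resolve_profile(username: str, service: int) -> str:
    """Assumption: the most specific matching mapping wins over the default mapping."""
    best, best_score = "default", -1
    for (user, svc), profile in profile_mappings.items():
        if (user is None or user == username) and (svc is None or svc == service):
            score = (user is not None) + (svc is not None)
            if score > best_score:
                best, best_score = profile, score
    return best


def may_connect(client_ip: str) -> bool:
    return client_connect.decide(client_ip, cidr_match)


def may_use_subject(username: str, service: int, action: str, subject: str) -> bool:
    rule = profiles[resolve_profile(username, service)][action]   # action: publish|subscribe
    return rule.decide(subject, subject_match)
```

With this configuration a client from 10.10.42.7 is refused while 192.168.1.5 is admitted, and a client on service 7000 may publish FRUIT.APPLES but not FRUIT.BANANAS.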
 
