Using ACLs to provide a basic level of security for access to your network is recommended. If you do not configure ACLs on your system, clients can connect from any host, and all messages published into your network could be received by all clients connecting to your network.
When no product key is enabled, only the default features of the P-7500 system are available. To enable a product key on a system to unlock extra feature content such as ACLs, enter the product-key Admin EXEC command:
key-value is the product key provided by TIBCO. Product keys can contain up to 40 alphanumeric characters, and are specific for the P-7500 system and set of features they unlock. If the provided key value does not match the P-7500 system, then there is no effect.
The no version of this command (no product-key key-value) removes the named product key and restarts the P-7500 system.
The Profile Mapping CONFIG level allows you to associate the username and mapped service of a client to a configured ACL profile. You reach this level by entering:
name is the username of the client. Usernames are case sensitive. If the username parameter is unspecified, the profile mapping applies to any username.
mapped-service is the Rendezvous Service, specified as a decimal value from 0 to 65,535. If the service parameter is left unspecified, the profile mapping applies to any service.
default maps all usernames and mapped services to the profile mapping.
name is the name of the specified ACL profile.
The no version of this command (no acl-profile) deletes the ACL profile from the profile mapping.
To configure client connection access control parameters default-action and exception for the TIBCO Messaging Appliance P-7500 system, enter the client-connect Access Control List CONFIG command:
Entering the client-connect Access Control List CONFIG command moves you to the ACL Client Connect CONFIG level:
cidr-addr is the IP address and network mask combination of the excepted client in Classless Inter-Domain Routing (CIDR) form: nnn.nnn.nnn.nnn/dd (where nnn is 0-255 and dd is 0-32).
To configure ACL client profiles for publishing and subscription subject access control on the TIBCO Messaging Appliance P-7500 system, enter the profile Access Control List CONFIG command:
name is the name of the specified ACL profile.
The no version of this command (no profile name) deletes the specified ACL profile from the P-7500 system.
Entering the profile Access Control List CONFIG command moves you to the ACL Profile CONFIG level within the CLI for configuring publishing and subscription subject access control parameters:
To configure the publishing subject access control parameters default-action and exception for ACL profiles, enter the publish-subject ACL Profile CONFIG command:
Entering the publish-subject ACL Profile CONFIG command moves you to the ACL Profile Publish Subject CONFIG level:
subject is the name of the publishing subject to be excepted, in the form a.b.c.
To configure the subscription subject access control parameters default-action and exception for ACL profiles, enter the subscribe-subject ACL Profile CONFIG command:
Entering the subscribe-subject ACL Profile CONFIG command moves you to the ACL Profile Subscribe Subject CONFIG level:
subject is the name of the subscription subject to be excepted, in the form a.b.c.
To configure ACLs on your P-7500 system, use the following basic procedures. The exact steps required may vary depending on your network conditions and preferred configuration.
1. Enter the client-connect Access Control List CONFIG command:
tibco(config)# acl client-connect
tibco(config-acl-cc)# default-action allow
tibco(config-acl-cc)# default-action exception 10.10.0.0/16
For more information, refer to “acl client-connect” on page 44.
tibco(config-acl-cc)# show acl client-connect
Client Connect Default Action : allow
tibco(config)# create acl profile fruit
tibco(config-acl-profile)#
For more information, refer to “acl profile” on page 45.
tibco(config-acl-profile)# publish-subject
tibco(config-acl-profile-publish-subject)# default-action allow
tibco(config-acl-profile-publish-subject)# exception FRUIT.BANANAS
tibco(config-acl-profile)# subscribe-subject
tibco(config-acl-profile-subscribe-subject)# default-action allow
tibco(config-acl-profile-subscribe-subject)# exception FRUIT.APPLES
tibco(config-acl-profile)# show acl profile fruit
Publish Subject Default Action : allow
Subscribe Subject Default Action : allow
For more information, refer to “show acl profile” on page 51.
tibco(config)# create profile-mapping service 7000
tibco(config-profile-mapping)# acl-profile fruit
For more information, refer to “profile-mapping” on page 43.
tibco(config-profile-mapping)# show profile-mapping
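The following Python model is an added example, not TIBCO code or the appliance's own logic; it shows how the settings from the procedure above combine into a decision for a given client. It assumes that an exception receives the opposite of the default action, that subjects are compared by exact match, and that the first matching profile mapping applies; all function names, client addresses and the username are hypothetical.

```python
import ipaddress

def decide(default_action, exceptions, matches):
    # Assumption: a value on the exception list gets the opposite of default-action.
    excepted = any(matches(e) for e in exceptions)
    opposite = "deny" if default_action == "allow" else "allow"
    return opposite if excepted else default_action

def client_connect(acl, client_ip):
    ip = ipaddress.ip_address(client_ip)
    return decide(acl["default_action"], acl["exceptions"],
                  lambda cidr: ip in ipaddress.ip_network(cidr))

def subject_access(profile, direction, subject):
    rule = profile[direction]
    # Assumption: exact string match; wildcard subjects are not modelled.
    return decide(rule["default_action"], rule["exceptions"],
                  lambda s: s == subject)

def map_profile(mappings, username, service):
    # None means "unspecified", which the page says applies to any value.
    for m in mappings:
        if m["username"] in (None, username) and m["service"] in (None, service):
            return m["acl_profile"]
    return None

# Settings taken from the procedure above.
CLIENT_CONNECT = {"default_action": "allow", "exceptions": ["10.10.0.0/16"]}
PROFILES = {"fruit": {
    "publish": {"default_action": "allow", "exceptions": ["FRUIT.BANANAS"]},
    "subscribe": {"default_action": "allow", "exceptions": ["FRUIT.APPLES"]},
}}
MAPPINGS = [{"username": None, "service": 7000, "acl_profile": "fruit"}]

def evaluate(client_ip, username, service, direction, subject):
    if client_connect(CLIENT_CONNECT, client_ip) == "deny":
        return "deny"
    name = map_profile(MAPPINGS, username, service)
    if name is None:
        return "no-profile"  # no mapping matched; this model makes no claim here
    return subject_access(PROFILES[name], direction, subject)

if __name__ == "__main__":
    # Constructed sample clients; addresses and the username are made up.
    for args in [("10.10.3.4", "alice", 7000, "publish", "FRUIT.APPLES"),
                 ("192.168.1.5", "alice", 7000, "publish", "FRUIT.BANANAS"),
                 ("192.168.1.5", "alice", 7000, "subscribe", "FRUIT.BANANAS"),
                 ("192.168.1.5", "alice", 7500, "publish", "FRUIT.BANANAS")]:
        print(args, "->", evaluate(*args))
```

With default-action allow, each exception list acts as a blocklist, so anything not listed is permitted; switching the default action to deny turns the same list into an allowlist.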