TIBCO FTL® Security

Software Release 5.4

April 2018

Two-Second Advantage®



Important Information

SOME TIBCO SOFTWARE EMBEDS OR BUNDLES OTHER TIBCO SOFTWARE. USE OF SUCH EMBEDDED OR BUNDLED TIBCO SOFTWARE IS SOLELY TO ENABLE THE FUNCTIONALITY (OR PROVIDE LIMITED ADD-ON FUNCTIONALITY) OF THE LICENSED TIBCO SOFTWARE. THE EMBEDDED OR BUNDLED SOFTWARE IS NOT LICENSED TO BE USED OR ACCESSED BY ANY OTHER TIBCO SOFTWARE OR FOR ANY OTHER PURPOSE.

USE OF TIBCO SOFTWARE AND THIS DOCUMENT IS SUBJECT TO THE TERMS AND CONDITIONS OF A LICENSE AGREEMENT FOUND IN EITHER A SEPARATELY EXECUTED SOFTWARE LICENSE AGREEMENT, OR, IF THERE IS NO SUCH SEPARATE AGREEMENT, THE CLICKWRAP END USER LICENSE AGREEMENT WHICH IS DISPLAYED DURING DOWNLOAD OR INSTALLATION OF THE SOFTWARE (AND WHICH IS DUPLICATED IN THE LICENSE FILE) OR IF THERE IS NO SUCH SOFTWARE LICENSE AGREEMENT OR CLICKWRAP END USER LICENSE AGREEMENT, THE LICENSE(S) LOCATED IN THE “LICENSE” FILE(S) OF THE SOFTWARE. USE OF THIS DOCUMENT IS SUBJECT TO THOSE TERMS AND CONDITIONS, AND YOUR USE HEREOF SHALL CONSTITUTE ACCEPTANCE OF AND AN AGREEMENT TO BE BOUND BY THE SAME.

ANY SOFTWARE ITEM IDENTIFIED AS THIRD PARTY LIBRARY IS AVAILABLE UNDER SEPARATE SOFTWARE LICENSE TERMS AND IS NOT PART OF A TIBCO PRODUCT. AS SUCH, THESE SOFTWARE ITEMS ARE NOT COVERED BY THE TERMS OF YOUR AGREEMENT WITH TIBCO, INCLUDING ANY TERMS CONCERNING SUPPORT, MAINTENANCE, WARRANTIES, AND INDEMNITIES. DOWNLOAD AND USE THESE ITEMS IS SOLELY AT YOUR OWN DISCRETION AND SUBJECT TO THE LICENSE TERMS APPLICABLE TO THEM. BY PROCEEDING TO DOWNLOAD, INSTALL OR USE ANY OF THESE ITEMS, YOU ACKNOWLEDGE THE FOREGOING DISTINCTIONS BETWEEN THESE ITEMS AND TIBCO PRODUCTS.

This document contains confidential information that is subject to U.S. and international copyright laws and treaties. No part of this document may be reproduced in any form without the written authorization of TIBCO Software Inc.

TIBCO, the TIBCO logo, Two-Second Advantage, TIB, Information Bus, FTL, eFTL, Rendezvous, and LogLogic are either registered trademarks or trademarks of TIBCO Software Inc. in the United States and/or other countries.

Enterprise Java Beans (EJB), Java Platform Enterprise Edition (Java EE), Java 2 Platform Enterprise Edition (J2EE), and all Java-based trademarks and logos are trademarks or registered trademarks of Oracle Corporation in the U.S. and other countries.

All other product and company names and marks mentioned in this document are the property of their respective owners and are mentioned for identification purposes only.

THIS SOFTWARE MAY BE AVAILABLE ON MULTIPLE OPERATING SYSTEMS. HOWEVER, NOT ALL OPERATING SYSTEM PLATFORMS FOR A SPECIFIC SOFTWARE VERSION ARE RELEASED AT THE SAME TIME. SEE THE README FILE FOR THE AVAILABILITY OF THIS SOFTWARE VERSION ON A SPECIFIC OPERATING SYSTEM PLATFORM.

THIS DOCUMENT IS PROVIDED “AS IS” WITHOUT WARRANTY OF ANY KIND, EITHER EXPRESS OR IMPLIED, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE, OR NON-INFRINGEMENT.

THIS DOCUMENT COULD INCLUDE TECHNICAL INACCURACIES OR TYPOGRAPHICAL ERRORS. CHANGES ARE PERIODICALLY ADDED TO THE INFORMATION HEREIN; THESE CHANGES WILL BE INCORPORATED IN NEW EDITIONS OF THIS DOCUMENT. TIBCO SOFTWARE INC. MAY MAKE IMPROVEMENTS AND/OR CHANGES IN THE PRODUCT(S) AND/OR THE PROGRAM(S) DESCRIBED IN THIS DOCUMENT AT ANY TIME.

THE CONTENTS OF THIS DOCUMENT MAY BE MODIFIED AND/OR QUALIFIED, DIRECTLY OR INDIRECTLY, BY OTHER DOCUMENTATION WHICH ACCOMPANIES THIS SOFTWARE, INCLUDING BUT NOT LIMITED TO ANY RELEASE NOTES AND "READ ME" FILES.


Copyright © 2010–2018 TIBCO Software Inc. ALL RIGHTS RESERVED.

TIBCO Software Inc. Confidential Information


Contents

Figures

About this Product

TIBCO Documentation and Support Services

Security Features

Security Vulnerabilities

Product Connectivity

Developing Secure Applications

Ensuring FTL System Security: Tasks for Administrators

    Coordination

    Configuring Authentication and Authorization

    Securing Realm Servers

    Securing Transport Bridges

    Securing Persistence Servers

    Securing eFTL Servers

    Securing Monitoring and Log Data

        Securing Monitoring Gateway Services

        Securing InfluxDB

        Securing Grafana

        Securing Log Services


Figures

Connections among FTL Processes


About this Product

TIBCO® is proud to announce the latest release of TIBCO FTL® software.

This release is the latest in a long history of TIBCO products that leverage the power of Information Bus® technology to enable truly event-driven IT environments. To find out more about how TIBCO FTL software and other TIBCO products are powered by TIB® technology, please visit us at www.tibco.com.

TIBCO FTL software is part of TIBCO® Messaging.

Product Editions

TIBCO Messaging is available in a community edition and an enterprise edition.

TIBCO Messaging - Community Edition is ideal for getting started with TIBCO Messaging, for implementing application projects (including proof of concept efforts), for testing, and for deploying applications in a production environment. Although the community license limits the number of production processes, you can easily upgrade to the enterprise edition as your use of TIBCO Messaging expands.

The community edition is available free of charge. It is a full installation of the TIBCO Messaging software, with the following limitations and exclusions:

● Users may run up to 100 application instances or 1000 web/mobile instances in a production environment.

● Users do not have access to TIBCO Support, but you can use TIBCO Community as a resource (https://community.tibco.com).

TIBCO FTL in the Community Edition has the following additional limitations and exclusions:

● Excludes transport bridges.

● Excludes the RDMA transport protocol.

● Excludes disaster recovery features.

● Excludes customizable dashboards and monitoring gateway.

TIBCO Messaging - Enterprise Edition is ideal for all application development projects, and for deploying and managing applications in an enterprise production environment. It includes all features presented in this documentation set, as well as access to TIBCO Support.

The enterprise edition of TIBCO ActiveSpaces® uses the enterprise edition of TIBCO Messaging and includes a license for it. The community editions of such related products are compatible with both the enterprise and community editions of TIBCO Messaging.


TIBCO Documentation and Support Services

How to Access TIBCO Documentation

Documentation for TIBCO products is available on the TIBCO Product Documentation website, mainly in HTML and PDF formats.

The TIBCO Product Documentation website is updated frequently and is more current than any other documentation included with the product. To access the latest documentation, visit https://docs.tibco.com.

Product-Specific Documentation

Documentation for TIBCO products is not bundled with the software. Instead, it is available on the TIBCO Documentation site. To access the documentation web page for this product from a local software installation, open the following file:

TIBCO_HOME/product_info/TIB_ftl_5.4.0_docinfo.html

TIBCO_HOME is the top-level directory in which TIBCO products are installed.

● On Windows platforms, the default TIBCO_HOME is C:\tibco.

● On UNIX platforms, the default TIBCO_HOME is /opt/tibco.

The following documents for this product can be found on the TIBCO Documentation site.

TIBCO FTL® Documentation Set

● TIBCO FTL Concepts This booklet presents an intuitive introduction to the fundamental concepts of FTL software.

● TIBCO FTL Development Application developers and architects read this manual to understand concepts relevant in any supported programming language.

● TIBCO FTL API Reference Application developers use this HTML documentation to learn the details of the FTL API in specific programming languages.

● TIBCO FTL Administration Administrators read this manual to learn how to use the realm server and its interfaces, and how to define a realm. Developers can also benefit from understanding FTL software from an administrator’s perspective.

● TIBCO FTL Security This manual contains security-related tasks for administrators and security tips for application developers.

● TIBCO FTL Monitoring Administrators read this manual to learn about monitoring and metrics. Developers read this manual to learn how an application can subscribe to the stream of monitoring data.

● TIBCO FTL Shifting to FTL This manual contrasts TIBCO FTL with TIBCO Enterprise Message Service™, and offers suggestions to smooth your transition to TIBCO FTL. Application developers, architects, and administrators familiar with TIBCO Enterprise Message Service read this manual.

● TIBCO FTL Installation Read this manual before installing or uninstalling the product.

● TIBCO FTL Glossary The glossary contains brief definitions of key terms used in all other parts of the documentation set.

● TIBCO FTL Release Notes Read the release notes for a list of new and changed features. This document also contains lists of known issues and closed issues for this release.

TIBCO eFTL™ Documentation Set


TIBCO eFTL software is documented separately. Administrators use the FTL realm server GUI to configure and monitor the eFTL service. For information about these GUI pages, see the documentation set for TIBCO eFTL software.

How to Contact TIBCO Support

You can contact TIBCO Support in the following ways:

● For an overview of TIBCO Support, visit http://www.tibco.com/services/support.

● For accessing the Support Knowledge Base and getting personalized content about products you are interested in, visit the TIBCO Support portal at https://support.tibco.com.

● For creating a Support case, you must have a valid maintenance or support contract with TIBCO. You also need a user name and password to log in to https://support.tibco.com. If you do not have a user name, you can request one by clicking Register on the website.

How to Join TIBCO Community

TIBCO Community is the official channel for TIBCO customers, partners, and employee subject matter experts to share and access their collective experience. TIBCO Community offers access to Q&A forums, product wikis, and best practices. It also offers access to extensions, adapters, solution accelerators, and tools that extend and enable customers to gain full value from TIBCO products. In addition, users can submit and vote on feature requests from within the TIBCO Ideas Portal. For a free registration, go to https://community.tibco.com.

Product Page on TIBCO Community

The following TIBCO Community page is a quick route to information about the TIBCO FTL product family: https://community.tibco.com/products/tibco-ftl.


Security Features

TIBCO FTL software includes the following security features.

● Secure transports for communications among application peer processes.

● TLS to secure TCP and Dynamic TCP transports.

● HTTPS for secure connections to the realm server and other components.

● Authentication and authorization service.


Security Vulnerabilities

This topic describes the key security technologies for TIBCO FTL software. In addition to these key technologies, security also depends in part upon correct configuration and use of its components and capabilities.

OpenSSL

Security features that protect FTL connections and communications depend on the implementation of OpenSSL. If the security of OpenSSL were compromised, FTL and applications that use FTL could be vulnerable as well.


Product Connectivity

TIBCO FTL includes several interconnecting components, and also connects with other TIBCO andthird-party products. You can secure all connections within the TIBCO product family.

Connections among FTL Processes

[Figure: Connections among FTL Processes. The diagram shows these processes and the connections among them: realm server, authentication service, client applications, persistence servers, transport bridge process, eFTL servers and eFTL client apps, affiliated realm servers, monitoring gateway, EMS server, browser or web API admin, log service, visualization tools, and the monitoring and log database.]

The diagram depicts the variety of components and other processes that communicate within an FTL realm. (To simplify the diagram, the diagram omits redundant connections to duplicate processes, such as the connection from affiliated realm servers to the authentication service.)

This document addresses the security issues that arise for each type of connection, and the actions you must take to ensure security.

The minimum viable secure deployment includes at least one realm server, an authentication service, and at least two client applications. You must secure these components. All other processes in the diagram are optional, but if you use them, you must secure them.

Diagram components shown in pink are third-party products. While FTL components attempt to interact with them in a secure fashion, TIBCO does not warrant the security of third-party products.


Developing Secure Applications

For security, application developers focus on the realm connect call and its arguments. Complete this task, or use its steps as a checklist.

Prerequisites

The application developer and administrators have already coordinated to exchange security-related information and artifacts. See Coordination.

Procedure

1. Coordinate for secure transports.
Coordinate with administrators to specify secure transports. Record this administrative requirement on the Endpoint Coordination Form.

2. Secure connections to realm servers using HTTPS.
In the realm connect call, specify HTTPS as the protocol in the serverURL argument. For example, https://rs-host:7000.

3. Authenticate clients to the realm server.
In the realm connect call, supply client credentials using the USERNAME and USERPASSWORD properties.

The administrator must ensure that the user is in the authorization group ftl.

4. Arrange trust in the realm servers.
The application must trust the realm server.

Request the realm server trust file from the administrator.

In the realm connect call, supply either the location of the trust file, or its contents as a string in PEM encoding. The following properties organize that information in the connect call:

● TRUST_TYPE

● TRUST_FILE

● TRUST_PEM_STRING

For details, see the API documentation.

5. Verify authorization for requests.
If the application responds to requests, verify that the requestor has authorization for the request. If a request is forwarded from an eFTL client, the _user field of each request message contains the requestor's user name. For details, see "User Field" in TIBCO eFTL Concepts.
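Steps 2 through 5 above, gathered into one realm connect call and one request-authorization check, as an added example in the FTL Java client API. This code is not from the TIBCO FTL manual. It assumes the com.tibco.ftl package, the FTL.connectToRealmServer and FTL.createProperties calls, the Realm.PROPERTY_* and Realm.HTTPS_CONNECTION_* constants, and the Message.isFieldSet and Message.getString methods of the FTL 5.x Java API; the realm server URL, application name, trust file path and credential environment variables are hypothetical. The trust type TRUST_EVERYONE, which the manual does not mention, is an API option that disables server authentication, and the example refuses it.

```java
import com.tibco.ftl.FTL;
import com.tibco.ftl.FTLException;
import com.tibco.ftl.Message;
import com.tibco.ftl.Realm;
import com.tibco.ftl.TibProperties;

import java.nio.file.Files;
import java.nio.file.Path;
import java.nio.file.Paths;
import java.util.Set;

/**
 * Secure realm connect plus per-request authorization. The com.tibco.ftl class,
 * method and constant names used here are assumptions about the FTL 5.x Java API;
 * this is an added example, not code from the TIBCO FTL manual.
 */
public final class SecureRealmClient {

    /** Steps 2, 3 and 4: HTTPS only, explicit credentials, explicit trust in the realm server. */
    public static Realm connect(String serverUrl, String appName, Path trustFile,
                                String user, String password) throws FTLException {
        // Step 2: fail closed before any network traffic if the URL is not HTTPS.
        if (serverUrl == null || !serverUrl.toLowerCase().startsWith("https://")) {
            throw new IllegalArgumentException("realm server URL must use https://, got: " + serverUrl);
        }
        // Step 3: credentials are mandatory; the administrator puts this user in group ftl.
        if (user == null || user.isEmpty() || password == null || password.isEmpty()) {
            throw new IllegalArgumentException("USERNAME and USERPASSWORD are required");
        }
        // Step 4: the trust file is the copy the administrator took from the primary realm server.
        if (trustFile == null || !Files.isReadable(trustFile)) {
            throw new IllegalArgumentException("realm server trust file is not readable: " + trustFile);
        }

        TibProperties props = FTL.createProperties();
        props.set(Realm.PROPERTY_STRING_USERNAME, user);
        props.set(Realm.PROPERTY_STRING_USERPASSWORD, password);
        // Pin trust to the supplied file. Realm.HTTPS_CONNECTION_TRUST_EVERYONE would accept
        // any certificate the network hands back and must never reach production.
        props.set(Realm.PROPERTY_LONG_TRUST_TYPE, Realm.HTTPS_CONNECTION_USE_SPECIFIED_TRUST_FILE);
        props.set(Realm.PROPERTY_STRING_TRUST_FILE, trustFile.toString());

        return FTL.connectToRealmServer(serverUrl, appName, props);
    }

    /**
     * Step 5, for requests forwarded from eFTL clients: the _user field carries the
     * requester's user name. A request without it, or from a user outside the
     * allow-list, is refused rather than served.
     */
    public static boolean isAuthorizedEftlRequest(Message request, Set<String> allowedUsers)
            throws FTLException {
        if (request == null || !request.isFieldSet("_user")) {
            return false;
        }
        String requester = request.getString("_user");
        return requester != null && allowedUsers.contains(requester);
    }

    public static void main(String[] args) throws Exception {
        // Hypothetical deployment values; credentials come from the environment, never from source.
        String serverUrl = "https://rs-host:7000";
        Path trustFile = Paths.get(System.getenv().getOrDefault("FTL_TRUST_FILE", "ftl-trust.pem"));
        String user = System.getenv("FTL_USER");
        String password = System.getenv("FTL_PASSWORD");

        Realm realm = connect(serverUrl, "secure-app", trustFile, user, password);
        try {
            // Create endpoints, publishers and subscribers here; on each inbound request
            // call isAuthorizedEftlRequest(msg, allowedUsers) before acting on it.
        } finally {
            realm.close();
        }
    }
}
```

The three argument checks run before the connect call so that a misconfigured deployment (an http:// URL left over from development, a missing trust file) fails immediately and loudly instead of silently downgrading; the allow-list in the authorization check stands in for whatever policy store the application actually consults.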


Ensuring FTL System Security: Tasks for Administrators

TIBCO FTL software includes several components. To ensure security within and among those components, administrators complete this super-task and all its sub-task topics.

Procedure

Applications

1. Coordinate with application developers to secure application programs.
FTL application programs are clients of the realm server. They must use HTTPS to communicate with the realm server. Your role includes coordinating with application developers to ensure that application clients trust the secure realm server, and that they supply appropriate credentials when they connect to it. See Coordination.

2. Secure all application transports.
Application programs must use secure transports to communicate with one another. Your role includes configuring the application and transport definitions in the realm so that all relevant transports use only secure transport protocols.

Use only these transport protocols:

● Secure Dynamic TCP

● Secure TCP

Authentication and Authorization

3. Configure authentication and authorization.
Your role includes configuring your enterprise authentication and authorization system, such as an LDAP server, with appropriate information to support TIBCO FTL components and application users. See Configuring Authentication and Authorization.

Realm Servers

4. Secure all realm servers.
A secure realm server enforces HTTPS communication whenever it communicates with clients, affiliated realm servers, and browsers. Your role is to supply realm server command line parameters to secure those client connections. See Securing Realm Servers.

TIBCO FTL Component Services

5. Secure all transport bridge processes.
Transport bridge processes are clients of the realm server. They must communicate with the realm server using HTTPS. Your role includes these subtasks:

● Supply bridge process command line parameters to secure its connections to the realm server.

● Verify that the transports interconnected by the bridges use only secure transport protocols.

See Securing Transport Bridges.

6. Secure all persistence servers.
Persistence server processes are clients of the realm server, and must use HTTPS to communicate with the realm server, with one another, and with client applications.


Your role includes these subtasks:

● Configure the persistence clusters so that all relevant transports use only secure transport protocols.

● Supply persistence server command line parameters to secure all connections among servers within the cluster, and between servers and their clients.

See Securing Persistence Servers.

7. Secure all eFTL servers.
TIBCO eFTL server processes are clients of the realm server. They must use HTTPS to communicate with the realm server. They must use secure transports to communicate with one another, and with eFTL applications. Your role includes these subtasks:

● Reconfigure the automatically-generated eFTL transport definitions so that all relevant transports use only secure transport protocols.

● Configure channels with appropriate authorization groups.

● Coordinate with application developers to ensure that eFTL clients connect to the eFTL servers using the secure web sockets protocol (WSS).

● Supply appropriate values for eFTL server command line parameters.

See Securing eFTL Servers.

8. Secure all FTL monitoring services.
The FTL monitoring gateway (tibmongateway) is a client of the realm server. It must use HTTPS to communicate with the realm server. Your role includes this subtask:

● Supply appropriate command line parameters to tibmongateway to secure its connection to the realm server.

Coordination

To secure a system that communicates using FTL software, administrators and application developers must coordinate to share security requirements and artifacts. The TIBCO FTL and TIBCO eFTL documentation sets include coordination forms to guide this conversation and record important information, such as security requirements and settings. This topic highlights the artifacts and information that pertain to security.

FTL Application Development

● Trust File

Administrators supply a copy of the realm server trust file to developers and operations staff.

Developers code applications to specify the location or contents of the trust file in the realm connect call.

● Credentials

Administrators configure user credentials for authentication and authorization, and supply them to developers for testing applications and to operations staff for running applications.

eFTL Application Development

● Credentials

Administrators configure user credentials for authentication and authorization. Supply credentials to developers so they can test applications. Supply credentials to device users so they can run applications that connect to a secure eFTL server.


● eFTL Server Certificate

Administrators supply developers either with the public key certificate of the TIBCO eFTL server, or with a trusted certificate authority (CA).

● eFTL Authorization Groups

Developers inform administrators about the publish and subscribe requirements of apps.

Administrators configure channels with publish and subscribe authorization groups.

Configuring Authentication and Authorization

To enforce enterprise authentication and authorization requirements in TIBCO FTL realm servers and TIBCO eFTL servers, complete this task.

Procedure

1. Select an authentication service.
Choose one of the following:

● The realm server's internal flat-file authentication service

● The sample external JAAS authentication service, in combination with your enterprise's LDAP server

● Another external authentication server

In this context, "internal" indicates that the authentication service is inside the realm server process. "External" indicates that the authentication service is separate from the realm server, and the realm server connects to it.

2. Configure user names, passwords, and authorization groups.
Configure user credentials either in a flat file, or in your enterprise LDAP, depending on your choice in step 1. For the file syntax of the internal authentication service, see "Using the Internal Flat-File Authentication Service" in TIBCO FTL Administration.

● Ensure that users who run realm servers are in the appropriate authorization groups: ftl-primary, ftl-satellite, ftl-backup, ftl-dr.

● Ensure that administrators who configure the FTL realm are in the group ftl-admin.

● Ensure that users who run FTL application programs or FTL services are in the group ftl.

● Ensure that device users who run eFTL apps are in the appropriate publish and subscribe authorization groups.

● You may also configure other authorization groups to manage access within your enterprise.

3. Start the external authentication service.

● If you chose an external authentication service in step 1, start that service before starting the realm server processes.

To start the sample external JAAS service, complete the task "Using the External JAAS Authentication Service" in TIBCO FTL Administration.

● If you chose the internal flat-file authentication service in step 1, no further action is necessary, as that service starts automatically when you start the realm server.

What to do next

Complete the task Securing Realm Servers.


Securing Realm Servers

A secure realm server is central to the security of any enterprise that communicates using TIBCO FTL messaging software. To secure the realm server, complete this task.

Prerequisites

The enterprise authentication system must define user names and associate them with appropriate FTL authorization groups.

Procedure

1. Secure the realm server data directory on each realm server host computer.

Example Command Line: Primary

echo my-pw | tibrealmserver --secure stdin --http primary_realm_svr_host:primary_port --backupto backup_realm_svr_host:backup_port --auth.url auth_svr_host:port --auth.user user_name --auth.password pw --auth.trust auth-trust.pem --server.user user_name --server.password pw

Example Command Line: Backup

echo my-pw | tibrealmserver --secure stdin --http backup_realm_svr_host:backup_port --backupfor primary_realm_svr_host:primary_port --tls.trust.file ftl-trust.pem --auth.url auth_svr_host:port --auth.user user_name --auth.password pw --auth.trust auth-trust.pem --server.user user_name --server.password pw

2. Enable realm server security. Applies to all realm servers.
Specify the parameter --secure on the realm server command line. Supply a keystore password as its argument in a secure manner. The echo my-pw | form in the example command lines is for illustration only: a password typed on an interactive command line is recorded in shell history, so in production pipe it to --secure stdin from a file that only the realm server's user can read, or from a secret store. Note also that the --auth.password and --server.password values are visible in the realm server's argument list to anyone who can list processes on the host, so restrict local access to realm server hosts accordingly.
For details, see these topics in TIBCO FTL Administration:

● "Running a Secure Realm Server"

● "Keystore File Password Security"

● "Realm Server Executable Reference"

3. Arrange trust among affiliated realm servers.
Primary Realm Server: A secure realm server generates a trust file. Provide copies of the primary realm server's trust file, and make them available to all affiliated realm servers, as well as to all transport bridges, persistence servers, eFTL servers, and application clients.

For further details, see "Trust File" in TIBCO FTL Administration.

Other Realm Servers: Specify the --tls.trust.file parameter on the realm server command line. Supply the location of the trust file copy as its argument.

For further details, see "Realm Server Executable Reference" in TIBCO FTL Administration.

4. Specify the authentication service. Applies to all realm servers.

● External If you specify an external authentication service, specify these parameters on the realm server command line:


— --auth.url Supply the URL where the realm server can connect to the external authentication service.

— --auth.user and --auth.password Supply credentials to authenticate the realm server to the authentication service.

— --auth.trust Supply the location of the public certificate of the external authentication service, so that service can authenticate itself to the realm server.

For details, see these topics in TIBCO FTL Administration:

● "Realm Server Authorization Groups"

● "Realm Server Executable Reference"

5. Specify credentials that the realm server uses to authenticate itself to affiliated realm servers. Applies to all realm servers.
Supply the parameters --server.user and --server.password on the realm server command line. Ensure that the user name is in the appropriate authorization groups.

Optional. If you prefer to use separate credentials to authenticate to a backup server, supply the parameters --server.authtobackup.user and --server.authtobackup.password as well. (These parameters do not apply to backup servers.)
For details, see these topics in TIBCO FTL Administration:

● "Realm Server Authorization Groups"

● "Realm Server Executable Reference"

Securing Transport Bridges

To secure a transport bridge process, complete this task.

Prerequisites

All realm servers must be secure.

The enterprise authentication system must define user names and associate them with appropriate FTL authorization groups.

Procedure

1. Verify that the transports interconnected by the bridge use only secure network transport protocols.
Use only these transport protocols:

● Secure Dynamic TCP

● Secure TCP

Example Command Line
tibbridge --realmserver https://rs-host:7000 --password-file bridge1-creds.txt --trust.file ftl-trust.pem

2. Connect only to secure realm servers using HTTPS.
Specify HTTPS as the protocol in the URL value of the --realmserver parameter on the transport bridge command line.

3. Arrange authentication credentials.
The bridge service authenticates itself to the realm server using a user name and password pair.


Supply the location of the bridge process' credentials as the value of the --password-file parameter on the transport bridge command line. Ensure that this file is protected from unauthorized access.

The user name in the file must be in the authorization group ftl.

For file syntax and other details, see "Transport Bridge Executable Reference" in TIBCO FTL Administration.

4. Arrange trust in the realm servers.
Arrange access to a copy of the realm server trust file.

Supply the file location as the value of the --trust.file parameter on the transport bridge command line.

For further details, see "Trust File" in TIBCO FTL Administration.

Securing Persistence Servers

To secure a persistence server, complete this task.

Prerequisites

All realm servers must be secure.

The enterprise authentication system must define user names and associate them with appropriate FTL authorization groups.

Procedure

1. Verify that the persistence cluster definition specifies secure transport protocols.
The client protocol and the disaster recovery (DR) protocol must be secure. For maximum performance, the cluster set protocol can be a non-secure protocol, but only if all persistence servers of the cluster run within a protected network. Otherwise use a secure protocol for cluster set communications.

Use only these transport protocols:

● Secure Dynamic TCP

● Secure TCP

For further details, see "Clusters Grid" in TIBCO FTL Administration.

Example Command Line
tibstore --name psvr1 --realmserver https://rs-host:7000 --password-file psvr-creds.txt --trust.file ftl-trust.pem

2. Connect only to secure realm servers using HTTPS.
When you supply the --realmserver parameter on the persistence server command line, specify a URL with HTTPS protocol.

3. Arrange authentication credentials.
Persistence servers authenticate to the realm server using a user name and password pair. Supply the location of the persistence server's credentials as the value of the --password-file parameter on the persistence server command line. Ensure that this file is protected from unauthorized access.

The user name in the file must be in the authorization group ftl.

For file syntax and other details, see "Persistence Server (tibstore) Command Line Reference" and "Password File," both in TIBCO FTL Administration.


4. Arrange trust in the realm servers.
Arrange access to a copy of the realm server trust file.

Supply the file location as the value of the --trust.file parameter on the persistence server command line.

For further details, see "Trust File" in TIBCO FTL Administration.

Securing eFTL Servers

To secure an eFTL server, complete this task.

Prerequisites

All realm servers must be secure.

The enterprise authentication system must define user names and associate them with appropriate FTL authorization groups.

If any channels use EMS servers or FTL persistence servers, those servers must also be secure.

Procedure

1. Verify secure transport protocols.
The cluster-facing transport and all the channel application-facing transports must be secure. Check their protocols in the transports grid.

Use only these transport protocols:

● Secure Dynamic TCP

● Secure TCP

Example Command Line
tibeftlserver --realmserver https://rs-host:7000 --listen wss://localhost \
  --server-cert eftl_publ_cert.pem --private-key eftl_key.pem --private-key-password pw \
  --password-file eftl-svr-creds.txt --trust-file ftl-trust.pem \
  --auth.url auth_svr_host:port --auth.user user_name --auth.password pw --auth.trust auth-trust.pem \
  --ssl-params eftl-ems-ssl.txt --publish-user

2. Connect only to secure realm servers using HTTPS.
When you supply the --realmserver parameter on the eFTL server command line, specify a URL with HTTPS protocol.

3. Specify TLS secure web sockets for client apps.
When you specify the --listen parameter on the eFTL server command line, specify a URL with WSS protocol.

Supply the parameters --server-cert, --private-key, --private-key-password.

For further details, see "Server Command Line Reference" in TIBCO eFTL Administration.

4. Arrange authentication credentials to the realm server.
Supply the location of the eFTL server's credentials as the value of the --password-file parameter on the eFTL server command line. Ensure that this file is protected from unauthorized access.


The user name in the file must be in the authorization group ftl.

For further details, see "Server Command Line Reference" in TIBCO eFTL Administration.

5. Arrange trust in the realm servers.
Arrange access to a copy of the realm server trust file.

Supply the file location as the value of the --trust-file parameter on the eFTL server command line.

For further details, see "Trust File" in TIBCO FTL Administration.

6. Specify the authentication service.
The eFTL server authenticates its clients using an external authentication service. Supply the parameters --auth.url, --auth.user, --auth.password, and --auth.trust on the eFTL server command line.

For further details, see the following topics in TIBCO eFTL Administration:

● "Client Authentication and Authorization"

● "Server Command Line Reference"

● "Channel Details Panel"

7. Include authenticated user names.
Specify the command line option --publish-user when starting the eFTL server. With this option, the eFTL server appends a field to messages published by eFTL client apps when it forwards them to FTL and EMS subscribers. That field contains the authenticated user name of the eFTL publisher. FTL and EMS application code can use this user name to authorize requests.

8. Optional. Specify client authorization groups.
eFTL channels can regulate client access to publish and subscribe operations. To enable this feature, complete the following steps:
a) In the eFTL clusters grid, enable the authorization column for each relevant cluster.
b) In the channel details panel, configure a publish group and a subscribe group for each relevant channel.
c) Ensure that each user name is in the appropriate authorization groups.

9. Optional. Secure FTL persistence servers.
If any channels use FTL persistence stores, then complete the task Securing Persistence Servers.

10. Optional. Secure connections to EMS servers.
If any channels use EMS messaging, specify the --ssl-params parameter on the eFTL server command line. Supply the location of a configuration file as its value.

For details about the content of that file, see "SSL Parameters for EMS Connections" in TIBCO eFTL Administration.

Securing Monitoring and Log Data

To ensure end-to-end security for monitoring and log data, complete all the subtasks of this task.

Prerequisites

Ensure that the realm server is secure, and its clients can connect using HTTPS.

Procedure

1. Secure the monitoring gateway.
See Securing Monitoring Gateway Services.


2. Secure the InfluxDB server.
See Securing InfluxDB.

3. Secure the Grafana server.
See Securing Grafana.

4. Secure the log service.
See Securing Log Services.

Securing Monitoring Gateway Services

To secure an FTL monitoring gateway service (tibmongateway process), complete this task.

Prerequisites

All realm servers must be secure.

The enterprise authentication system must define user names and associate them with appropriate FTL authorization groups.

Secure realm servers automatically use secure transports for the stream of monitoring data.

Procedure

Example Command Line
tibmongateway --realmserver https://rs-host:7000 --password-file mon-gw-creds.txt --trust-file ftl-trust.pem --influx-server https://influx-host:8086 --influx-trust-file inflx.pem

1. Connect only to secure realm servers using HTTPS.
When you supply the --realmserver parameter on the gateway command line, specify a URL with HTTPS protocol.

2. Arrange authentication credentials to the realm server.
Supply the location of the gateway's credentials as the value of the --password-file parameter on the gateway command line. Ensure that this file is protected from unauthorized access.

The user name in the file must be in the authorization group ftl.

For further details, see "Monitoring Gateway Command Line Reference (tibmongateway)" in TIBCO FTL Monitoring.

For file syntax, see "Password File" in TIBCO FTL Administration.

3. Arrange trust in the realm servers.
Arrange access to a copy of the realm server trust file.

Supply the file location as the value of the --trust-file parameter on the gateway command line.

For further details, see "Trust File" in TIBCO FTL Administration.

4. Connect only to a secure InfluxDB server using HTTPS.
When you supply the --influx-server parameter on the gateway command line, specify a URL with HTTPS protocol.

5. Arrange trust in the InfluxDB server.
Arrange access to a copy of the InfluxDB server public certificate file.

Supply the file location as the value of the --influx-trust-file parameter on the gateway command line, as in the example command line above.


Securing InfluxDB

To secure the InfluxDB server and its client connections, complete this task.

Procedure

1. Obtain and install a certificate and private key for the InfluxDB server.
Ensure that the private key file is protected from unauthorized access. InfluxDB uses this certificate to identify itself to its clients, including Grafana and the realm server.

2. Configure InfluxDB for secure connections from its clients.
a) In a text editor, open the configuration file influxdb.conf.

The script that starts the FTL monitoring components uses the file in the location FTL_HOME/monitoring/influxdb/etc/influxdb/influxdb.conf.

If you start the InfluxDB server independently, modify the corresponding configuration file in the appropriate location.

b) Locate the http section.
c) Set https-enabled=true.
d) Set https-certificate to the location of the InfluxDB server's certificate.
e) Set https-private-key to the location of the InfluxDB server's key file.
For details see InfluxDB documentation.

3. Restart InfluxDB server.

Securing Grafana

To secure Grafana, complete this task.

Prerequisites

InfluxDB must be configured for HTTPS connections.

Procedure

1. Obtain and install a certificate and private key for the Grafana server.
Ensure that the private key file is protected from unauthorized access. Grafana uses this certificate to identify itself to its web clients.

2. Configure the Grafana server for HTTPS connections from its clients.
a) In a text editor, open the configuration file FTL_HOME/monitoring/grafana/conf/default.ini.
b) Locate the server section.
c) Set protocol=https.
d) Set cert_file to the location of the Grafana server's certificate.
e) Set cert_key to the location of the Grafana server's key file.
For more detail, see Grafana documentation.

3. Restart the Grafana server.

4. In a browser, log in to the Grafana server.
Supply a URL with HTTPS as the protocol.

5. In the Grafana server web GUI, modify the data source definition for FTL to use HTTPS.
Supply the location of the InfluxDB server's certificate, so the Grafana server trusts the InfluxDB server. For details, see Grafana documentation.


Securing Log Services

To secure an FTL log service (tiblogsvc process), complete this task.

Prerequisites

All realm servers must be secure.

The enterprise authentication system must define user names and associate them with appropriate FTL authorization groups. The monitoring database (InfluxDB) must be secure.

Procedure

Example Command Line
tiblogsvc --realmserver https://rs-host:8080 --secondary-realmserver https://rs-backup-host:8080 \
  --realmserver-password-file logsvc-creds.txt --realmserver-trust-file ftl-trust.pem \
  --influx-server https://influx-host:8086 --influx-password-file logsvc-influx-creds.txt --influx-trust-file influx-trust.pem \
  --http-certificate logsvc-cert.pem --http-key logsvc-key.pem --http-password-file my_pw_file

1. Connect only to secure realm servers using HTTPS.
When you supply the --realmserver and --secondary-realmserver parameters on the log service command line, specify URLs with HTTPS protocol.

2. Arrange authentication credentials to the realm server.
Supply the location of the log service's credentials as the value of the --realmserver-password-file parameter on the log service command line. Ensure that this file is protected from unauthorized access.

The user name in the file must be in the authorization group ftl.

For further details, see "Log Service Command Line Reference (tiblogsvc)" in TIBCO FTL Monitoring.

For file syntax, see "Password File" in TIBCO FTL Administration.

3. Arrange trust in the realm servers.
Arrange access to a copy of the realm server trust file.

Supply the file location as the value of the --realmserver-trust-file parameter on the log service command line.

For further details, see "Trust File" in TIBCO FTL Administration.

4. Connect only to a secure InfluxDB server using HTTPS.
When you supply the --influx-server parameter on the log service command line, specify a URL with HTTPS protocol.

5. Arrange authentication credentials to the InfluxDB server.
Supply the location of the log service's credentials as the value of the --influx-password-file parameter on the log service command line. Ensure that this file is protected from unauthorized access.

For further details, see "Log Service Command Line Reference (tiblogsvc)" in TIBCO FTL Monitoring.

For file syntax, see "Password File" in TIBCO FTL Administration.

6. Arrange trust in the InfluxDB servers.
Arrange access to a copy of the InfluxDB server trust file.


Supply the file location as the value of the --influx-trust-file parameter on the log service command line.

For further details, see "Trust File" in TIBCO FTL Administration.

7. Arrange TLS artifacts so the log service can authenticate itself to clients.
a) Obtain a certificate identity for the log service.
b) Supply the location of the certificate file as the value of the --http-certificate parameter on the log service command line.
c) Supply the location of the key file as the value of the --http-key parameter on the log service command line. Ensure that this file is protected from unauthorized access.
d) Supply the key file password using the --http-password-file parameter. (The --http-password parameter is not sufficiently secure: a password given directly on the command line is visible to other users of the host in process listings and can be recorded in shell history.)

e) Ensure that HTTPS clients trust the log service's certificate.

● Browser Client Install the certificate (or the CA certificate) in the requesting browser.

● Utility Client Supply the certificate (or the CA certificate) to the request utility. For example, curl --cacert certificate.
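The procedures above for transport bridges, persistence servers, eFTL servers, monitoring gateways and log services all repeat the same three requirements: realm server and InfluxDB URLs must use HTTPS (and the eFTL --listen URL must use WSS), password and private-key files must be protected from unauthorized access, and every copy of a trust file must be present. The following POSIX shell script is an added example and is not part of the TIBCO documentation or product; it checks one component's argument list against those requirements before the component is started. The parameter names are those used in the example command lines on this page. The function names, the reading of "protected from unauthorized access" as a regular file with no group or other permission bits, and the assumption that a trust file is a PEM certificate (used by the openssl fingerprint helper) are the example's own.

```shell
#!/bin/sh
# Pre-flight checks for an FTL component command line (tibbridge, tibstore,
# tibeftlserver, tibmongateway, tiblogsvc), run before the component starts.
# Added example, not TIBCO code. Parameter names come from the example command
# lines in this document. "Protected from unauthorized access" is interpreted
# here as a regular file with no group/other permission bits; that reading of
# the requirement is an assumption about local policy.

# url_has_scheme SCHEME URL -> 0 when URL begins with "SCHEME://", else 1
url_has_scheme() {
  case "$2" in
    "$1"://*) return 0 ;;
    *)        return 1 ;;
  esac
}

# secret_file_ok PATH -> 0 when PATH is a regular file readable only by its owner
secret_file_ok() {
  f=$1
  [ -f "$f" ] || { echo "FAIL: $f is not a regular file" >&2; return 1; }
  # GNU stat first, BSD/macOS stat as fallback; both print the octal mode
  mode=$(stat -c '%a' "$f" 2>/dev/null || stat -f '%Lp' "$f")
  [ -n "$mode" ] || { echo "FAIL: cannot read mode of $f" >&2; return 1; }
  if [ $(( 0$mode & 077 )) -ne 0 ]; then
    echo "FAIL: $f has mode $mode (readable by group or other)" >&2
    return 1
  fi
  return 0
}

# trust_file_ok PATH -> 0 when PATH is readable (public material, any mode)
trust_file_ok() {
  [ -r "$1" ] || { echo "FAIL: trust or certificate file $1 is not readable" >&2; return 1; }
}

# trust_file_fingerprint PATH -> prints subject and SHA-256 fingerprint of the
# certificate in a trust file, so each copy handed to bridges, persistence
# servers, eFTL servers and clients can be compared with the primary realm
# server's original. Assumes the trust file is PEM (as the ftl-trust.pem names
# in this document suggest) and that openssl is installed.
trust_file_fingerprint() {
  openssl x509 -in "$1" -noout -subject -fingerprint -sha256
}

# preflight_cmdline ARG... -> 0 when every check passes, 1 otherwise.
# Walks one component's argument list. A secret given inline on the command
# line is only a warning here (it is visible to other local users via ps);
# the page's own advice is to prefer the file-based parameter where one exists.
preflight_cmdline() {
  rc=0
  while [ $# -gt 0 ]; do
    opt=$1; val=${2:-}; shift
    case "$opt" in
      --realmserver|--secondary-realmserver|--influx-server)
        url_has_scheme https "$val" || { echo "FAIL: $opt $val must use https://" >&2; rc=1; } ;;
      --listen)
        url_has_scheme wss "$val" || { echo "FAIL: $opt $val must use wss://" >&2; rc=1; } ;;
      --password-file|--realmserver-password-file|--influx-password-file|--http-password-file|--private-key|--http-key)
        secret_file_ok "$val" || rc=1 ;;
      --trust.file|--trust-file|--realmserver-trust-file|--influx-trust-file|--auth.trust|--server-cert|--http-certificate)
        trust_file_ok "$val" || rc=1 ;;
      --private-key-password|--auth.password|--http-password|--server.password)
        echo "WARN: $opt passes a secret on the command line" >&2 ;;
      *) continue ;;   # value-less flags (--publish-user) or unchecked options
    esac
    # the option above took a value; consume it
    if [ $# -gt 0 ]; then shift; fi
  done
  return $rc
}
```

Source the file and gate the start on it, for example: preflight_cmdline --name psvr1 --realmserver https://rs-host:7000 --password-file psvr-creds.txt --trust.file ftl-trust.pem && tibstore (with the same arguments). A FAIL line on standard error and a non-zero exit status stop the start; a WARN line reports a secret passed inline. The fingerprint helper lets an operator compare each distributed copy of the trust file with the one the primary realm server generated before handing it to bridges, persistence servers, eFTL servers and application clients.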
