Migrating a TIBCO ActiveMatrix BusinessWorks™ 5 application configured with Basic Authentication to BW5(Containers) on TIBCO® Platform
Article ID: KB0138388
Updated On:
| Products | Versions |
|---|---|
| TIBCO Platform - Control Plane | 1.16.0 |
Description
High-level steps
- Create an htpasswd file
- Create a Kubernetes Secret from the htpasswd file
- Create an Ingress with Basic Authentication
- Remove Basic Authentication configuration from the BW application, recreate the EAR and deploy
- Make the BW application endpoint public
Create an htpasswd file
Create an htpasswd file as shown below. The name of the file must be ‘auth’.
$ htpasswd -c auth <username>
New password:
Re-type new password:
Adding password for user <username>
For example,
$ htpasswd -c auth user1
New password:
Re-type new password:
Adding password for user user1
Create a Kubernetes Secret from the htpasswd file
Create a Kubernetes Secret from the htpasswd file created in the previous step.
$ kubectl create secret generic <secret_name> --from-file=auth -n <namespace>
For example,
$ kubectl create secret generic basic-auth --from-file=auth -n k8s-auto-dp1ns
Create an Ingress with Basic Authentication
Create an Ingress with the following annotations. Set nginx.ingress.kubernetes.io/auth-secret to the secret created in the previous step.
nginx.ingress.kubernetes.io/auth-type: basic
nginx.ingress.kubernetes.io/auth-secret: basic-auth
nginx.ingress.kubernetes.io/auth-realm: Authentication Required
Remove Basic Authentication configuration from the BW application, recreate the EAR and deploy
Since authentication is enforced at ingress, the authentication configuration must be removed from the BW application. Once this is done, recreate the EAR, create an App Build and deploy.
Make the BW application endpoint public
Make the BW application endpoint public using the Ingress created in step 3.
Testing the configuration
Invocation of the service without credentials should fail.
Request:
$ curl -k <service_endpoint_public_URL>
For example,
$ curl -k https://bw5ce-ba.localhost.dataplanes.pro/tibco/apps/d6n4uurkm78s73cmtg5g/HTTPServer
Response:
<html>
<head><title>401 Authorization Required</title></head>
<body>
<center><h1>401 Authorization Required</h1></center>
<hr><center>nginx</center>
</body>
</html>
Invocation with valid credentials should be successful.
Request:
$ curl -ku "<username>:<password>" <service_endpoint_public_URL>
For example,
$ curl -ku "user1:user1" https://bw5ce-ba.localhost.dataplanes.pro/tibco/apps/d6n4uurkm78s73cmtg5g/HTTPServer
Response:
response
Issue/Introduction
When HTTP Basic Authentication is enabled on a service in TIBCO ActiveMatrix BusinessWorks™ 5 (BW5) environment, authentication is performed against TIBCO Administrator domain. However, a different strategy is required when transitioning that service to BW5(Containers) on TIBCO® Platform. This article examines how to implement Ingress with Basic Authentication as a viable alternative.
