Security integration between TIBCO Artifact Management Server and TIBCO Streaming

Article ID: KB0075330

Products: TIBCO Streaming
Versions: -

Description

We applied a security configuration to our TIBCO Streaming server. What are the configuration settings needed in the TIBCO Artifact Management Server "Deployment Descriptor" to deploy model and decision table files to our Streaming server?

Resolution

Configure a deployment user for the TIBCO® Streaming node and use those user credentials in the TIBCO® Artifact Management Server service configuration referenced by the artifact’s Deployment Descriptor.

Configure A Deployment User

With TIBCO Streaming security enabled, the Streaming server needs a user defined in the security configuration with a known username, a password, and deployment privileges. The default administrator user has no password by default and, under most conditions, should not be enabled for remote use.

Add to the Streaming application in src/main/configurations a RoleToPrivilegeMappings configuration like:
name = "customizedrealm"
type = "com.tibco.ep.dtm.configuration.security"
version = "1.0.0"
configuration = {
    RoleToPrivilegeMappings = {
        privileges = {
            DeployUser = [
                 { resource = "artifact.load", privilege = "AdminRunCommand" }
                 { resource = "artifact.activate", privilege = "AdminRunCommand" }
                 { resource = "artifact.deactivate", privilege = "AdminRunCommand" }
                 { resource = "artifact.register", privilege = "AdminRunCommand" }
                 { resource = "artifact.remove", privilege = "AdminRunCommand" }
                 { resource = "artifact.export", privilege = "AdminRunCommand" }
                 { resource = "artifact.display", privilege = "AdminRunCommand" }
                 { resource = "artifact.notify", privilege = "AdminRunCommand" }
            ]
         }
    }
}

After installing the Streaming node, add the deployment user to the node with command:
  epadmin servicename=A.X add user realm=default-realm username=deployer password=deployerpass roles=DeployUser
The "default-realm" realm is always available after a new node installation.

Configure The Service In AMS

The configuration options are described in the TIBCO Artifact Management Server (AMS) product documentation here:
  https://docs.tibco.com/pub/str/10.5.0/doc/ams/index.html#part-ams-admin.html
  AMS Administration > Artifact Administration, Artifact Deployment Overview, Deploying the Artifact

Provide the deployment user credentials to AMS through the Service Name or Service Address record that the Deployment Descriptor of each artifact references.

These are the two options:

A. If the TIBCO Streaming server is visible on the same subnet, deployment by Service Name is available. Configure each Service Name in AMS.conf and restart the AMS server. The configuration looks like this:
com.tibco.ep.ams.configuration {
    DeploymentServiceNames = {
        services = [
            {
                serviceName = "production"
                userName = "newuser"
                password = "newuser"
            }
...

The userName and password are those of the TIBCO Streaming user configured with deployment privileges in the Streaming authentication and authorization configuration. The password should be encrypted in the AMS.conf file, although this is not required.

B. If the Streaming server is on a remote network, deployment by Service Address is available. Configure each Service Address in the AMS browser application for use by the Deployment Descriptor.

A Service Address configuration includes:
  • User Name
  • Password
  • Host Name
  • Admin Port
The Host Name and Admin Port are shown in the 'epadmin display node' output, as follows:
  $ epadmin servicename=A.X display node
  [A.X] Node Name = A.X
  [A.X] Host Name = sysname
  [A.X] Administration Port = 60442


The Streaming server should have a known Admin Port so that re-installs of the node do not change this port. Install the node with the 'adminport' option:
  epadmin install node adminport=60442 nodename=A.X application=app.zip

Use the new Service Address when defining a Deployment Descriptor.

Encrypt the Streaming user password in AMS

The AMS Service Address password should be encrypted using the 'ams-server --secret' commands; the Service Address will be saved with a warning if the password is not encrypted. Encrypted values are created with the 'ams-server --secret encrypt' command after a keystore and a Master Secret file have been created. The Master Secret file is what a running AMS server uses to access the keystore. Create the keystore and Master Secret file and add them to the AMS.conf configuration only once per AMS server.

Keystore setup:
  ams-server --secret create --keystore ams-keystore.ks --keystorepassword={secret}
  ams-server --secret generate --keystore ams-keystore.ks --keystorepassword={secret} --mastersecretfile AMS-MasterSecret.data


Add to AMS.conf (example using the file name from the "--secret generate" command):
com.tibco.ep.ams.configuration {
    Decryption = {
        masterSecretFile = "C:/tibco/sb-cep/10.5/AMS-MasterSecret.data"
    }
}

At next startup the ams-server command should report:
  INFO  (main) com.tibco.ep.ams.conf.Configuration:182 - Master secret decryption: enabled

Encrypt the password for the Streaming user:
  ams-server --secret encrypt --keystore ams-keystore.ks --data deployerpass
  Keystore password: {secret}
  #!!uPwhLeHIKVlx2ZtzFEXAPV3GzcE0aiCJYLKGdZNxyQ==


Use the output string (#!!...==) in the Service Name or Service Address Password setting.
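The two configuration checks this article implies, written as an added Python example (not TIBCO code): the DeployUser role in the Streaming security configuration should carry only the artifact.* resources listed above, and every Service Name entry in AMS.conf should hold an encrypted "#!!..." password with a Decryption.masterSecretFile configured. The sample configuration texts are constructed for the example (the "example.unrelated" resource name and the "#!!PLACEHOLDER-ENCRYPTED-VALUE==" string are placeholders, not real Streaming or AMS values), and the parsing is a small regex scan of the HOCON text rather than a full HOCON parser.

```python
"""Added example (not TIBCO code): lint the Streaming security configuration
and AMS.conf for the points this article makes - the deployment role should
only carry artifact.* privileges, and every DeploymentServiceNames password
should be an encrypted "#!!..." value with a masterSecretFile configured."""
import re
from typing import List

ENCRYPTED_PREFIX = "#!!"  # prefix of values produced by 'ams-server --secret encrypt'

# Constructed sample of the Streaming security configuration. The
# "example.unrelated" resource is a hypothetical name used only to show a
# privilege outside the artifact.* set; it is not a real Streaming resource.
STREAMING_SECURITY_CONF = """
name = "customizedrealm"
type = "com.tibco.ep.dtm.configuration.security"
version = "1.0.0"
configuration = {
    RoleToPrivilegeMappings = {
        privileges = {
            DeployUser = [
                { resource = "artifact.load", privilege = "AdminRunCommand" }
                { resource = "artifact.activate", privilege = "AdminRunCommand" }
                { resource = "example.unrelated", privilege = "AdminRunCommand" }
            ]
        }
    }
}
"""

# Constructed sample AMS.conf: one service with an encrypted placeholder
# password, one still holding the plaintext deployment password.
AMS_CONF = """
com.tibco.ep.ams.configuration {
    Decryption = {
        masterSecretFile = "C:/tibco/sb-cep/10.5/AMS-MasterSecret.data"
    }
    DeploymentServiceNames = {
        services = [
            {
                serviceName = "production"
                userName = "deployer"
                password = "#!!PLACEHOLDER-ENCRYPTED-VALUE=="
            }
            {
                serviceName = "staging"
                userName = "deployer"
                password = "deployerpass"
            }
        ]
    }
}
"""


def role_resources(conf_text: str, role: str) -> List[str]:
    """Return the resource names granted to `role` in RoleToPrivilegeMappings."""
    match = re.search(rf"\b{re.escape(role)}\s*=\s*\[(.*?)\]", conf_text, re.S)
    if not match:
        return []
    return re.findall(r'resource\s*=\s*"([^"]+)"', match.group(1))


def out_of_scope_resources(conf_text: str, role: str,
                           allowed_prefix: str = "artifact.") -> List[str]:
    """Resources granted to `role` that are not artifact.* deployment commands."""
    return [r for r in role_resources(conf_text, role)
            if not r.startswith(allowed_prefix)]


def plaintext_service_passwords(ams_conf_text: str) -> List[str]:
    """serviceName of every service entry whose password is not an encrypted value."""
    findings = []
    # Innermost {...} blocks; each DeploymentServiceNames entry is one of them.
    for block in re.findall(r"\{([^{}]*)\}", ams_conf_text):
        name = re.search(r'serviceName\s*=\s*"([^"]+)"', block)
        password = re.search(r'password\s*=\s*"([^"]*)"', block)
        if name and password and not password.group(1).startswith(ENCRYPTED_PREFIX):
            findings.append(name.group(1))
    return findings


def has_master_secret_file(ams_conf_text: str) -> bool:
    """True if a Decryption.masterSecretFile path is configured."""
    return re.search(r'masterSecretFile\s*=\s*"[^"]+"', ams_conf_text) is not None


if __name__ == "__main__":
    for res in out_of_scope_resources(STREAMING_SECURITY_CONF, "DeployUser"):
        print(f"WARN DeployUser holds a non-artifact privilege: {res}")
    for svc in plaintext_service_passwords(AMS_CONF):
        print(f"WARN service '{svc}' has a plaintext password; use 'ams-server --secret encrypt'")
    if not has_master_secret_file(AMS_CONF):
        print("WARN no Decryption.masterSecretFile; encrypted passwords cannot be decrypted")
```

Run against the real files by reading them into the two strings; the role check is a least-privilege review of the deployment account, and the password check is the same condition AMS warns about when a Service Address is saved unencrypted.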

Issue/Introduction

Configuration guidance