GridServer Security Guide

Article ID: KB0074630

Products Versions
TIBCO DataSynapse GridServer 7.0.0

Description

Introduction

This document is meant as a guide to implementing security features for TIBCO DataSynapse GridServer. The goal of this guide is not to provide every possible feature that can be implemented with detailed instructions on how to enable them. The goal is to provide you with information on what can be done and where you can go to find information necessary to implement those solutions.

As GridServer uses third-party products, what can be done with those products will change over time. Therefore, it is necessary for you to continue to stay educated on the latest features of third-party products.

This document is specific to GridServer 7.0.0 and assumes that the reader has a working knowledge of GridServer components. If not, our Introducing TIBCO GridServer (https://docs.tibco.com/pub/dsp_gridserver/7.0.0/doc/pdf/TIB_dsp_gridserver_7.0_grid_introduction.pdf?id=5) documentation is very helpful for gaining an understanding of the concepts related to GridServer.

Product Connectivity

This section describes the connectivity between GridServer components. For a general explanation of network topography, see the "Configure Your Network" section of the GridServer Installation Guide (https://docs.tibco.com/pub/dsp_gridserver/7.0.0/doc/pdf/TIB_dsp_gridserver_7.0_grid_install_guide.pdf?id=3).

Director-Broker Communication

Communication between the Director and Broker uses TCP on port 5635 by default. The "Configure Your Network" section of the GridServer Installation Guide (https://docs.tibco.com/pub/dsp_gridserver/7.0.0/doc/pdf/TIB_dsp_gridserver_7.0_grid_install_guide.pdf?id=3) describes how to configure this.

Manager-Reporting Database Communication

The communication between the Manager and the Reporting database is described in the "Configuring a Reporting Database" section of the GridServer Installation Guide (https://docs.tibco.com/pub/dsp_gridserver/7.0.0/doc/pdf/TIB_dsp_gridserver_7.0_grid_install_guide.pdf?id=3).

Manager-Driver Communication

The ports used by the Manager for incoming communication from the Driver are covered in the GridServer Installation Guide (https://docs.tibco.com/pub/dsp_gridserver/7.0.0/doc/pdf/TIB_dsp_gridserver_7.0_grid_install_guide.pdf?id=3) in Chapter 2 “Manager Installation” under section 2 “Configure Server Settings”.

Manager-Engine Communication

The ports used by the Manager for incoming communication from the Engine are the same as the ports used for the Driver. See the “Manager-Driver Communication” section above.

Driver-Engine Communication

The Driver and Engine communicate directly when either of them has DDT enabled. If the Driver has DDT enabled, the Engine will attempt to download input data directly from the Driver’s file server. If the Engine has DDT enabled, the Driver will attempt to download output data directly from the Engine’s file server.

An overview of DDT can be found in the GridServer Administration Guide (https://docs.tibco.com/pub/dsp_gridserver/7.0.0/doc/pdf/TIB_dsp_gridserver_7.0_grid_admin_guide.pdf?id=0) in chapter 8, “Optimizing the Grid”. More detail is also available in the "Diagnosing Network Issues" section.

Driver DDT

Instructions for disabling Driver DDT are in the Direct Data Transfer section of Chapter 8 “Optimizing the Grid” in the GridServer Administration Guide (https://docs.tibco.com/pub/dsp_gridserver/7.0.0/doc/pdf/TIB_dsp_gridserver_7.0_grid_admin_guide.pdf?id=0).

Driver Cleaner Configuration can be found in Chapter 2, “Driver Installation” of the GridServer Developer's Guide (https://docs.tibco.com/pub/dsp_gridserver/7.0.0/doc/pdf/TIB_dsp_gridserver_7.0_grid_dev_guide.pdf?id=2).

Engine DDT

Instructions for disabling Engine DDT are in the Direct Data Transfer section of Chapter 8 “Optimizing the Grid” in the GridServer Administration Guide (https://docs.tibco.com/pub/dsp_gridserver/7.0.0/doc/pdf/TIB_dsp_gridserver_7.0_grid_admin_guide.pdf?id=0).

Specifying the Engine’s ds.DataDir value is described in the GridServer Developer's Guide (https://docs.tibco.com/pub/dsp_gridserver/7.0.0/doc/pdf/TIB_dsp_gridserver_7.0_grid_dev_guide.pdf?id=2), Chapter 3 “Creating Services”, in the section titled “Invocation Variables”.

DDT KB Articles

  • KB Article 000008671: Using static ports in Engine and Driver DDT settings


Enabling SSL

Enabling SSL is covered in Chapter 8 of the Installation Guide (https://docs.tibco.com/pub/dsp_gridserver/7.0.0/doc/pdf/TIB_dsp_gridserver_7.0_grid_install_guide.pdf?id=3), "Configuring SSL" section.

SSL KB Articles

  • KB Article 000043090: How to configure GridServer to use JSSE SSL implementation instead of OpenSSL
  • KB Article 000036224:
  • KB Article 000043569: Steps for creating SSL certificates to be used on Standalone GridServer Managers
  • KB Article 000031710: Steps to enable extra logging to debug SSL connection errors


Updating Third-Party Components

Prior to updating any third-party components, it is strongly recommended that you contact TIBCO Support (support@tibco.com) to determine whether a specific version of a third-party component has been tested with GridServer. While service pack updates generally work, major or minor version updates can often result in unexpected behavior or exceptions.

Configuring Security Options

Apache Tomcat

There are many considerations related to Tomcat security, and you should make yourself familiar with the options available. Tomcat has its own Security Guide (https://tomcat.apache.org/tomcat-9.0-doc/security-howto.html) and we encourage customers to review it.

XSS Filter

The XSS Filter on the Manager can be enabled or disabled by modifying the associated property in the GridServer Administration Tool at Admin > Manager Configuration > Security > Misc.

To edit the whitelist, open the xss.xml file located in DS_INSTALL/manager/webapps/livecluster/WEB-INF/config/.

Disabling Directory Traversal on File Server port

To disable directory traversal for the Engine file server, update Engine.xml with the following contexts block, which limits the file server to the named directories:

<contexts c="PropertiesBean" n="Context">
<property n="object" v="DSDataDir" k="data"/>
<property n="object" v="DSWorkDir" k="work"/>
<property n="object" v="$DSProfileDir$/logs" k="logs"/>
</contexts>
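The following Python snippet is an added illustration and is not GridServer code: it shows the containment check that the contexts configuration above stands for, namely that every request must name one of the configured contexts (data, work, logs) and must resolve to a path underneath that context's root. The root directories in the CONTEXTS map and the request paths are constructed placeholders, not values from the product.

```python
# Added illustration (not GridServer code): resolving a file-server request
# against named contexts and refusing anything that escapes the context root.
import posixpath
from urllib.parse import unquote

# Constructed context map mirroring the Engine.xml fragment above:
# context name -> root directory. The directories are placeholders.
CONTEXTS = {
    "data": "/opt/gridserver/engine/data",
    "work": "/opt/gridserver/engine/work",
    "logs": "/opt/gridserver/engine/profile/logs",
}


class TraversalError(ValueError):
    """Raised when a request names an unknown context or leaves its root."""


def resolve(request_path: str, contexts: dict = CONTEXTS) -> str:
    """Map '/<context>/<relative>' to an absolute path under the context root.

    Rejects unknown contexts, NUL bytes, literal or percent-encoded '..'
    segments, backslash tricks, and any result outside the root.
    """
    # Decode exactly once so that %2e%2e cannot slip past the checks below.
    decoded = unquote(request_path)
    if "\x00" in decoded:
        raise TraversalError("NUL byte in path")
    # Treat backslashes as separators so '..\..' is normalised like '../..'.
    decoded = decoded.replace("\\", "/")
    parts = decoded.lstrip("/").split("/", 1)
    context = parts[0]
    rel = parts[1].lstrip("/") if len(parts) > 1 else ""
    if context not in contexts:
        raise TraversalError(f"unknown context {context!r}")
    root = posixpath.normpath(contexts[context])
    # Normalise the relative part; any leading '..' means it walks above root.
    norm = posixpath.normpath(rel)
    if norm == ".." or norm.startswith("../"):
        raise TraversalError("parent-directory escape")
    candidate = posixpath.normpath(posixpath.join(root, norm))
    # Final containment check: the result must be the root or inside it.
    if posixpath.commonpath([root, candidate]) != root:
        raise TraversalError(f"{request_path!r} escapes {root}")
    return candidate


def is_allowed(request_path: str, contexts: dict = CONTEXTS) -> bool:
    """Boolean wrapper around resolve() for use in a request filter."""
    try:
        resolve(request_path, contexts)
        return True
    except TraversalError:
        return False


if __name__ == "__main__":
    # Constructed sample requests: two legitimate, three traversal attempts.
    for req in ["/data/input/task1.bin", "/logs/",
                "/data/../work/x", "/data/%2e%2e/%2e%2e/etc/passwd", "/etc/passwd"]:
        print(f"{req:40} -> {'allowed' if is_allowed(req) else 'REJECTED'}")
```

The two points worth noting are that the path is percent-decoded exactly once before normalisation (decoding twice would reopen the `%252e` hole) and that the final `commonpath` check is kept even though the `..` test already fires, so a future change to the normalisation step cannot silently remove the containment guarantee.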

Setting up User Authentication

This subject is covered in Chapter 3 of the GridServer Administration Guide (https://docs.tibco.com/pub/dsp_gridserver/7.0.0/doc/pdf/TIB_dsp_gridserver_7.0_grid_admin_guide.pdf?id=0) and includes items like enabling LDAP authentication.

Enabling the Encryption of Task Payloads

To further secure the data being passed between Drivers and Engines, it is possible to enable encryption for the task payload. This is done by editing the Service Type:

  1. In the GridServer Administration Tool, select the Services menu.
  2. Select Service Types.
  3. Edit one of the Service Types.
  4. The feature is listed in the Options section for the Service Type and it is called encryptionEnabled.

Issue/Introduction

This article can be used as a guide to implementing security features for TIBCO DataSynapse GridServer.