How node coordination services are secured with TLS


Article ID: KB0071511


Products: TIBCO Streaming
Versions: 10.6 and later

Description

The documentation briefly notes:

"All communication between a node management client, including epadmin, and the node always uses TLS and is not configurable."

Help Ref: Home > StreamBase Admin Guide > StreamBase Security Model > Secure Transport with TLS 

This article expands on this note to discuss the specific certificates/keys that are used by the Streaming platform to secure the communication between nodes and node management clients like epadmin.
 

Resolution

Communication between nodes and node management clients is secured with TLS. As the documentation notes, this configuration is enabled by default and may not be modified.

The TLS connection is enabled using the following certificates & keys:

1.) $STREAMBASE_HOME/distrib/kabira/include/kabiraNode.pem
  • Subject: CN=TIBCO StreamBase Node Coordinator Service,OU=TIBCO Event Processing,O=TIBCO Software\, Inc.,L=Palo Alto,ST=CA,C=US
  • Issuer: CN=TIBCO StreamBase Root CA,OU=TIBCO Event Processing,O=TIBCO Software\, Inc.,L=Palo Alto,ST=CA,C=US
  • Public Key: RSA 2048 bits
  • Signature Algorithm: SHA 256 with RSA
2.) $STREAMBASE_HOME/distrib/kabira/include/kabiraCA.pem
  • Subject: CN=TIBCO StreamBase Root CA,OU=TIBCO Event Processing,O=TIBCO Software\, Inc.,L=Palo Alto,ST=CA,C=US
  • Issuer: CN=TIBCO StreamBase Root CA,OU=TIBCO Event Processing,O=TIBCO Software\, Inc.,L=Palo Alto,ST=CA,C=US
  • Public Key: RSA 2048 bits
  • Signature Algorithm: SHA 256 with RSA

In some cases, you may need to add these certificates to your machine's trusted certificates location. Consult your IT administrator to determine where that location is.
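
Before adding these files to a trust store, you can confirm that the copies on disk match the properties listed above. The following script is an added example, not part of the original article or of the TIBCO product. It assumes the `openssl` command-line tool is installed, that the subject and issuer strings above are in RFC 2253 form, and that OpenSSL reports "SHA 256 with RSA" as `sha256WithRSAEncryption`; the function names are hypothetical.

```shell
#!/bin/sh
# Added example (not TIBCO's code): compare a node certificate and its CA with
# the values this article lists, then verify that the CA actually signed it.

dn() {        # dn FILE subject|issuer -> distinguished name in RFC 2253 form
    openssl x509 -in "$1" -noout "-$2" -nameopt RFC2253 | sed "s/^$2= *//"
}
keybits() {   # keybits FILE -> public key size in bits
    openssl x509 -in "$1" -noout -text |
        sed -n 's/.*Public-Key: (\([0-9]*\) bit).*/\1/p' | head -n 1
}
sigalg() {    # sigalg FILE -> signature algorithm name as OpenSSL prints it
    openssl x509 -in "$1" -noout -text |
        sed -n 's/^ *Signature Algorithm: *//p' | head -n 1
}

# check_node_cert NODE_PEM CA_PEM NODE_SUBJECT CA_SUBJECT
# Prints one line per check; returns 0 only when every check passes.
check_node_cert() {
    rc=0
    expect() {  # expect LABEL ACTUAL WANTED
        if [ "$2" = "$3" ]; then echo "ok    $1"
        else echo "FAIL  $1: got '$2', want '$3'"; rc=1; fi
    }
    expect "node subject"   "$(dn "$1" subject)" "$3"
    expect "node issuer"    "$(dn "$1" issuer)"  "$4"
    expect "CA subject"     "$(dn "$2" subject)" "$4"
    expect "CA self-issued" "$(dn "$2" issuer)"  "$4"
    for f in "$1" "$2"; do
        expect "$f key bits"  "$(keybits "$f")" 2048
        expect "$f signature" "$(sigalg "$f")"  sha256WithRSAEncryption
    done
    if openssl verify -CAfile "$2" "$1" >/dev/null 2>&1; then echo "ok    chain"
    else echo "FAIL  node certificate does not verify against the CA"; rc=1; fi
    return $rc
}

# Names and paths copied from the article; runs only if the files are readable.
TAIL='OU=TIBCO Event Processing,O=TIBCO Software\, Inc.,L=Palo Alto,ST=CA,C=US'
INC="${STREAMBASE_HOME:-}/distrib/kabira/include"
if [ -r "$INC/kabiraNode.pem" ] && [ -r "$INC/kabiraCA.pem" ]; then
    check_node_cert "$INC/kabiraNode.pem" "$INC/kabiraCA.pem" \
        "CN=TIBCO StreamBase Node Coordinator Service,$TAIL" \
        "CN=TIBCO StreamBase Root CA,$TAIL"
fi
```

The name comparisons alone would pass for any certificate that copies these names; the final `openssl verify` step is what ties the node certificate to the CA's key.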

You may increase node management security further by configuring a non-default administration realm. This can force users to authenticate in addition to having the communication layer secured with TLS. This is discussed further in our Knowledge article: "Node administration using an LDAP authentication realm".

Issue/Introduction

Discusses the Streaming Security Model with respect to TIBCO Streaming node management services, and the usage of TLS certificates that ship with the Streaming product: kabiraNode.pem and kabiraCA.pem.