How node coordination services are secured with TLS
Article ID: KB0071511
Updated On:
| Products | Versions |
|---|---|
| TIBCO Streaming | 10.6 and later |
Description
The documentation briefly notes:
"All communication between a node management client, including epadmin, and the node always uses TLS and is not configurable."
Help Ref: Home > StreamBase Admin Guide > StreamBase Security Model > Secure Transport with TLS
This article expands on this note to discuss the specific certificates/keys that are used by the Streaming platform to secure the communication between nodes and node management clients like epadmin.
Resolution
The communication between nodes and node management clients is accomplished by securing this communication layer with TLS. As the documentation notes, this configuration is enabled by default and may not be modified.
The TLS connection is enabled using the following certificates & keys:
1.) $STREAMBASE_HOME/distrib/kabira/include/kabiraNode.pem
You may increase node management security further by configuring a non-default administration realm. This can force users to authenticate in addition to having the communication layer secured with TLS. This is discussed further in our Knowledge article: "Node administration using an LDAP authentication realm".
The TLS connection is enabled using the following certificates & keys:
1.) $STREAMBASE_HOME/distrib/kabira/include/kabiraNode.pem
- Subject: CN=TIBCO StreamBase Node Coordinator Service,OU=TIBCO Event Processing,O=TIBCO Software\, Inc.,L=Palo Alto,ST=CA,C=US
- Issuer: CN=TIBCO StreamBase Root CA,OU=TIBCO Event Processing,O=TIBCO Software\, Inc.,L=Palo Alto,ST=CA,C=US
- Public Key: RSA 2048 bits
- Signature Algorithm: SHA 256 with RSA
- Subject: CN=TIBCO StreamBase Root CA,OU=TIBCO Event Processing,O=TIBCO Software\, Inc.,L=Palo Alto,ST=CA,C=US
- Issuer: CN=TIBCO StreamBase Root CA,OU=TIBCO Event Processing,O=TIBCO Software\, Inc.,L=Palo Alto,ST=CA,C=US
- Public Key: RSA 2048 bits
- Signature Algorithm: SHA 256 with RSA
You may increase node management security further by configuring a non-default administration realm. This can force users to authenticate in addition to having the communication layer secured with TLS. This is discussed further in our Knowledge article: "Node administration using an LDAP authentication realm".
Issue/Introduction
Discusses the Streaming Security Model with respect to TIBCO Streamingnode management services, and the usage of TLS certificates that ship with the Streaming product: kabiraNode.pem and kabiraCA.pem.
Feedback
Yes
No
Powered by
