How to configure Transport Security for the BE Legacy ActiveSpaces Cluster Provider

Article ID: KB0072539

Products: TIBCO BusinessEvents Enterprise Edition
Versions: 5.6 and later

Description

Follow the steps outlined below to configure transport security for the BE Legacy ActiveSpaces Cluster Provider. This protects data transported within the cluster by preventing alteration of traffic, eavesdropping, and exchange of data with untrusted parties. Refer to the BE Configuration Guide > Legacy ActiveSpaces Cluster Transport Security.

Issue/Introduction

Outlines the basic steps needed to configure transport security for the BE Legacy ActiveSpaces Cluster Provider.

Environment

All Supported Platforms

Resolution

First, create a security policy file for your BE cluster using the as-admin command:

create security_policy policy_name "BE/AWSEC2" policy_file "BEpolicy.txt"

Here, we have created a policy file named 'BEpolicy.txt', where:
  • Policy Name = BE
  • Domain Name = AWSEC2

Edit this file to specify the correct value for metaspace_access. For example:

metaspace_access=metaspace=fdcache;discovery=tcp://172.31.31.176:50000

where 'fdcache' is the cluster name specified in your CDD, which uses discovery port 50000.

Next, create a security token identity for any secondary (Requestor) nodes:

create security_token domain_name "AWSEC2" policy_file "BEpolicy.txt" create_identity token_file "RequestorToken.txt"

This token will be used by any Requestor nodes that will be joining the cluster. Again, edit this file to specify the correct value for metaspace_access, as shown above.

Next, enable security for the <cache-manager> in your CDD, and reference the above policy and token files:

<object-management>
        <cache-manager>
            <type>AS2x</type>
            <class/>
            <properties>
                ...
            </properties>
            <security enabled="true">
                <property name="policy-file" value="/opt/tibco/as/2.4/bin/BEpolicy.txt"/>
                <property name="policy-identity-password" value="#!FLPBjxBKDxw3LU4QVH9q4YcGnZtBRSTS14rZubxb16o="/>
                <property name="token-file" value="/opt/tibco/as/2.4/bin/RequestorToken.txt"/>
                <property name="token-identity-password" value="#!FLPBjxBKDxw3LU4QVH9q4YcGnZtBRSTS14rZubxb16o="/>
                <property name="certificate-key-file" value=""/>
                <property name="domain-name" value="AWSEC2"/>
                <property name="user-name" value=""/>
                <property name="user-password" value=""/>
            </security>
        </cache-manager>
</object-management>

For the Cache Processing Unit that you wish to designate as the Controller node, set the be.engine.cluster.as.security.mode.role property in the CDD to 'controller':

<processing-unit id="cache">
            <agents>
                <agent>
                    <ref>cache-class</ref>
                    <key/>
                    <priority/>
                </agent>
            </agents>
            <logs>logConfig</logs>
            <hot-deploy>false</hot-deploy>
            <cache-storage-enabled>true</cache-storage-enabled>
            <db-concepts>false</db-concepts>
            <property-group>
                <property name="be.engine.cluster.as.listen.url" value="tcp://172.31.31.176:50000"/>
                <property name="be.engine.cluster.as.security.mode.role" value="controller"/>
                ...
            </property-group>
</processing-unit>

Then on any Requestor machines (whether they are Cache or Inference processing units), set the be.engine.cluster.as.security.mode.role property in the CDD to 'requestor'. For example, an Inference configuration would look like the following:

<processing-unit id="default">
            <agents>
                <agent>
                    <ref>inference-class</ref>
                    <key/>
                    <priority/>
                </agent>
            </agents>
            <logs>logConfig</logs>
            <hot-deploy>false</hot-deploy>
            <cache-storage-enabled>false</cache-storage-enabled>
            <db-concepts>false</db-concepts>
            <property-group>
                <property name="be.engine.cluster.as.listen.url" value="tcp://172.31.25.148:50001"/>
                <property name="be.engine.cluster.as.security.mode.role" value="requestor"/>
                ...
            </property-group>
</processing-unit>

You are now configured to use transport security.
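The steps above spread one configuration across the policy file and several places in the CDD, so a mismatch (security left disabled, a password pasted in clear text, no controller, a metaspace name or discovery URL that does not match) only shows up when nodes fail to join. The following pre-deployment check is an added example, not TIBCO code: it assumes the CDD element names shown in this article, that every processing unit carries the role property, and that obfuscated TIBCO password values start with '#!'. Sample inputs are constructed.

```python
import re
import xml.etree.ElementTree as ET
ROLE_PROP = "be.engine.cluster.as.security.mode.role"

def parse_metaspace_access(policy_text):
    """Split the policy file's metaspace_access line into its key=value parts."""
    m = re.search(r"^metaspace_access=(.*)$", policy_text, re.M)
    return dict(kv.split("=", 1) for kv in m.group(1).split(";") if "=" in kv) if m else {}

def check_cluster_security(cdd_xml, policy_text, cluster_name):
    """Return a list of findings; an empty list means the CDD and policy file agree."""
    findings = []
    root = ET.fromstring(cdd_xml)
    sec = root.find(".//cache-manager/security")
    if sec is None or sec.get("enabled") != "true":
        findings.append("cache-manager security is not enabled")
    else:
        for p in sec.findall("property"):
            name, value = p.get("name", ""), p.get("value", "")
            # Assumption: obfuscated TIBCO values start with '#!'; anything else is clear text
            if name.endswith("-password") and value and not value.startswith("#!"):
                findings.append(f"{name} is stored in clear text")
    roles = {}  # role -> listen URLs of the processing units holding that role
    for pu in root.iter("processing-unit"):
        props = {p.get("name"): p.get("value") for p in pu.iter("property")}
        role = props.get(ROLE_PROP)
        if role not in ("controller", "requestor"):
            findings.append(f"processing-unit {pu.get('id')} lacks a valid {ROLE_PROP}")
        else:
            roles.setdefault(role, []).append(props.get("be.engine.cluster.as.listen.url"))
    if len(roles.get("controller", [])) != 1:
        findings.append("expected exactly one controller processing unit")
    access = parse_metaspace_access(policy_text)
    if access.get("metaspace") != cluster_name:
        findings.append(f"policy metaspace {access.get('metaspace')!r} != cluster {cluster_name!r}")
    # The article points discovery at the controller's listen URL; flag any mismatch
    controller_url = (roles.get("controller") or [None])[0]
    if controller_url and access.get("discovery") != controller_url:
        findings.append(f"policy discovery {access.get('discovery')!r} != controller {controller_url!r}")
    return findings

# Constructed sample inputs (not from the article); token password deliberately left in clear text
SAMPLE_POLICY = "metaspace_access=metaspace=fdcache;discovery=tcp://172.31.31.176:50000\n"
SAMPLE_CDD = """<cdd><object-management><cache-manager><security enabled="true">
<property name="policy-identity-password" value="#!obfuscated"/><property name="token-identity-password" value="secret"/>
</security></cache-manager></object-management><processing-unit id="cache"><property-group>
<property name="be.engine.cluster.as.listen.url" value="tcp://172.31.31.176:50000"/>
<property name="be.engine.cluster.as.security.mode.role" value="controller"/></property-group></processing-unit>
<processing-unit id="default"><property-group><property name="be.engine.cluster.as.security.mode.role" value="requestor"/>
</property-group></processing-unit></cdd>"""
```

Run check_cluster_security against your real CDD text, the BEpolicy.txt contents and the cluster name from the CDD before starting the engines; on the sample it reports only the clear-text token password.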