How to configure security between an AMS server and a TIBCO Streaming server

Article ID: KB0074536


Products: TIBCO Streaming
Versions: 10

Description

How do we configure a user in AMS with privileges to deploy artifact files to a secure TIBCO Streaming server?

Issue/Introduction

Configuration guidance

Resolution

Deployment by "Service Name", for new Streaming users previously unknown to AMS, requires the Service Name to be configured in AMS.conf and AMS restarted.

In this article we instead use a "Service Address" rather than a "Service Name", which avoids restarting AMS for every new Streaming instance.
NOTE: THIS ADDRESSES THE SPECIAL CASE WHERE THE AMS SERVER MUST DEAL WITH NUMEROUS TRANSIENT STREAMING SERVERS. IN THE NORMAL CASE WHERE THE STREAMING SERVER INSTANCES ARE NOT EPHEMERAL, USE THE "SERVICE NAME" CONFIGURATION IN AMS.CONF.

This article first describes the minimum working configuration and then some optional improvements.

Minimum Configuration

This is the minimal additional configuration to allow deployment from AMS:

1. After installing the node, add a new administrator user to the Streaming node with a known password using command:
epadmin servicename=A.X add user realm=default-realm username=deployer password=deployer roles=administrator
This user may be used to deploy from AMS as well as for normal administrative commands.

Alternatively, you may install the node using the password command option:
epadmin password=mypass install node nodename=A.X application=app.zip
After the install completes, the installation user's password will be 'mypass' in this example, and the installation user's username together with this password may be used in AMS to deploy artifacts.

2. Create a new "Service Address" in AMS using the AMS Web UI. This allows the Streaming username and password to be used for deployment. The Service Address also needs the Streaming server Hostname and Admin Port, which are shown in the 'epadmin display node' output:
epadmin servicename=A.X display node
[A.X] Node Name = A.X
[A.X] Host Name = sysname
[A.X] Administration Port = 60442
Note: by default the Admin Port is chosen randomly whenever a node is re-installed. To specify the port, see the improvements below.

3. Use the new Service Address when defining a Deployment Descriptor.
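As an added example (not part of the TIBCO article), the following POSIX shell functions pull the Host Name and Administration Port out of 'epadmin display node' output so the values entered into the AMS Service Address are not transcribed by hand; the output text is constructed to match the format shown above, and the function names are assumptions.

```shell
#!/bin/sh
# Constructed sample of 'epadmin servicename=A.X display node' output,
# in the "[node] Field Name = value" format shown in the article.
NODE_OUTPUT='[A.X] Node Name = A.X
[A.X] Host Name = sysname
[A.X] Administration Port = 60442'

# node_field: print the value of one field from display-node output.
#   $1 = the captured output, $2 = the field name (e.g. "Host Name")
node_field() {
    printf '%s\n' "$1" | sed -n "s/^\[[^]]*\] $2 = //p" | head -n 1
}

# service_address: print "host:port" for the AMS Service Address, or
# return non-zero if either value is missing or the port is not numeric,
# so a node that was re-installed on a random port is noticed early.
service_address() {
    host=$(node_field "$1" "Host Name")
    port=$(node_field "$1" "Administration Port")
    [ -n "$host" ] && [ -n "$port" ] || return 1
    case "$port" in
        *[!0-9]*) return 1 ;;
    esac
    printf '%s:%s\n' "$host" "$port"
}

# In real use replace NODE_OUTPUT with:
#   NODE_OUTPUT=$(epadmin servicename=A.X display node)
service_address "$NODE_OUTPUT"
```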

Optional Improvements

A. Encrypt the Streaming user password in AMS.

The AMS Service Address user password should be encrypted using the 'ams-server --secret' commands; AMS logs a warning if the password is not encrypted. AMS must be able to decrypt these values itself, so they must be created with the 'ams-server --secret encrypt' command after creating a keystore and a Master Secret file, which the running AMS server uses to find and access the keystore. Creating the keystore and Master Secret file and adding them to the AMS.conf configuration only needs to be done once, followed by an AMS restart.

Keystore setup:
ams-server --secret create --keystore ams-keystore.ks --keystorepassword={secret}
ams-server --secret generate --keystore ams-keystore.ks --keystorepassword={secret} --mastersecretfile AMS-MasterSecret.data

Add to AMS.conf (example using the filename above; the closing brace for the configuration block was missing and is included here):
com.tibco.ep.ams.configuration {
    Decryption = {
        masterSecretFile = "C:/tibco/sb-cep/10.5/AMS-MasterSecret.data"
    }
}

At startup the ams-server command should report:
  INFO  (main) com.tibco.ep.ams.conf.Configuration:182 - Master secret decryption: enabled

Encrypt the password for the Streaming user:
ams-server --secret encrypt --keystore ams-keystore.ks --data deployerpass
Keystore password: {secret}
#!!uPwhLeHIKVlx2ZtzFEXAPV3GzcE0aiCJYLKGdZNxyQ==
Use the output string "#!!...==" in the Service Address "password" setting.

B. Use a consistent Streaming server administration port.

The Streaming server should have a known Admin Port so that re-installing the node does not change it. Install the node with the 'adminport' option:
epadmin install node adminport=55555 nodename=A.X application=app.zip

C. Limit the permissions of the artifact deployment user.

The new Streaming user should be assigned a role with more limited permissions, so that the account cannot be used for general administration tasks.

Add to the Streaming application in src/main/configurations a RoleToPrivilegeMappings configuration like:
name = "customizedrealm"
type = "com.tibco.ep.dtm.configuration.security"
version = "1.0.0"
configuration = {
  RoleToPrivilegeMappings = {
    privileges = {
      DeployUser = [
        { resource = "artifact.load", privilege = "AdminRunCommand" }
        { resource = "artifact.activate", privilege = "AdminRunCommand" }
        { resource = "artifact.deactivate", privilege = "AdminRunCommand" }
        { resource = "artifact.register", privilege = "AdminRunCommand" }
        { resource = "artifact.remove", privilege = "AdminRunCommand" }
        { resource = "artifact.export", privilege = "AdminRunCommand" }
        { resource = "artifact.display", privilege = "AdminRunCommand" }
        { resource = "artifact.notify", privilege = "AdminRunCommand" }
      ]
    }
  }
}

Then after 'epadmin install node' run as the same user:
epadmin servicename=A.X add user realm=default-realm username=deployer password=deployerpass roles=DeployUser
Reference this user in the AMS Service Address configuration as described above.