Runtime Security Configuration

Overview

This article provides a reference for writing a StreamBase Runtime security configuration file where the HOCON type is com.tibco.ep.dtm.configuration.security.

The root objects in this configuration type are:

Local Authentication Realms
LDAP Authentication Realms
Open ID Connect Authentication Realms
Kerberos Authentication Realms
Role-to-Privileges Mappings
Secure Communication Client Profiles
Secure Communication Server Profiles
Trusted Hosts
Local Admin Authentication Realms (Deprecated)

Use the contents menu above to open the root object section of interest.

Each root object can reside in its own configuration file of this configuration type. As an alternative, each root object can be embedded in the same file of this type.

Required Header Lines

Each configuration file must contain the following header lines, typically found at the beginning of each file:

name

Specifies an arbitrary, case-sensitive string to name this configuration, which must be unique among other files with the same type, if any. Configuration files can refer to each other by this name. Select a name that reminds you of this configuration's type and purpose. For example:

name = "sbsecurity"
version

Specifies an arbitrary version number that you can use to keep track of file versions for this configuration type in your development project. The maintenance of version numbers is under user control; StreamBase does not compare versions when loading configuration files during the fragment launch process. The version number is a string value, and can contain any combination of characters and numbers. For example:

version = "1.0.0"
type

This essential setting specifies the unique HOCON configuration type described on this page.

type = "com.tibco.ep.dtm.configuration.security"

The three header lines taken together constitute a unique signature for each HOCON file in a project's configurations folder. Each project's configurations folder can contain only one file with the same signature.

The top-level configuration object defines the configuration envelope the same way for all HOCON file types.

configuration

On a line below the header lines, enter the word configuration followed by an open brace. The configuration object is a sibling of the name, version, and type identifiers, and serves to define the configuration envelope around this type's objects as described on this page. The file must end with the matching close brace.

configuration = {
...
...
}

Local Authentication Realm

The local authentication realm contains local user, password, and role information for authenticating StreamBase EventFlow and Live Datamart users.

LocalAuthenticationRealm

Defines a local authentication realm, containing one or more principals.

name

String. The name of this realm, unique across all authentication realms. This property is required. For example:

name = "my-realm"
requireTrustedHostMembership

Bool. If set to true, all incoming requests authenticated by this realm are rejected unless they come from a trusted host. This property is optional and its default value is false.

For example:

requireTrustedHostMembership = false
allowSecureCommunicationClientAuthentication

Bool. If set to true, incoming requests using secure communication with client authentication are automatically authenticated without a password required. This property is optional and its default value is false.

For example:

allowSecureCommunicationClientAuthentication = true
requirePassword

Bool. If set to true, incoming requests not automatically authenticated with secure communication client authentication always require a password. If set to false, a password is not required if the request comes from a trusted host. This property is optional and its default value is false.

For example:

requirePassword = false
principals

Deprecated. Instead, use initialPrincipals.

initialPrincipals

Initial principal set, used once to populate the realm when it is first created on a node. Ignored afterwards and in subsequent versions. This array is optional and has no default value.

userName

The name of the principal. This property is required and cannot be an empty string. For example:

userName = "SomeUser"
password

String. The principal's password, either clear text or enciphered. This required property is encryptable as part of the node-level secrecy system described in Encrypting Sensitive Configuration Data.

For example:

password ="secret2"
passwordExpirationPeriodDays

Int. Password expiration time, in days. This property is optional and its default value is 0, meaning the password never expires.

For example:

passwordExpirationPeriodDays = 180
locked

Bool. Account lock status. True means the account is locked and attempts to use it for authentication will fail. False means the account is not locked. This property is optional and its default value is false.

For example:

locked = false
roles

The roles to which this principal belongs, if any. Each role is an arbitrary text string, which can be bound to various privileges in a role-to-privileges mapping object. This property is optional. If present, the array must at least one element.

For example:

roles = [ "BasicUser" ]

Examples, Local Authentication Realm

The following is a sample local authentication configuration file for StreamBase.

name = "localrealmSB"
version = "1.0.0"
type = "com.tibco.ep.dtm.configuration.security"
configuration = {
  LocalAuthenticationRealm = {
    name = "my-realm"
    requireTrustedHostMembership = false
    allowSecureCommunicationClientAuthentication = true
    requirePassword = false
    initialPrincipals = [
      {
        userName = "SomeUser"
        password ="secret2"
        passwordExpirationPeriodDays = 180
        locked = false
        roles = [ "BasicUser" ]
      }
    ]
  }
}

The following is a sample local authentication configuration file for Live Datamart.

name = "localRealmLDM"
version = "1.0.0"
type = "com.tibco.ep.dtm.configuration.security"
configuration = {
  LocalAuthenticationRealm = {
    name = "authRealm"
    initialPrincipals = [
      {
        userName = "admin"
        password ="admin"
        roles = [ "LVAdmin" ]
      }
      {
        userName = "lvintern"
        password ="lvintern"
        roles = [ "LVInternal" ]
      }
      {
        userName = "guest"
        password ="guest"
        roles = [ "LVGuest" ]
      }
      {
        userName = "tester"
        password ="tester"
        roles = [ "LVUser" ]
      }
      {
        userName = "client"
        password ="client"
        roles = [ "LVUser" ]
      }     
    ]
  }
  SecureCommunicationServerProfile = {
    keyStore = "C:/Users/sbuser/Desktop/AddOns/SSL/X509/serverkeystore.jks"
    keyStorePassword = "changeit"
    keyStoreType = "JKS"
    keyPassword = "changeit"
    name = "serverprofile"
    requireClientAuthentication = true
    trustStore = "C:/Users/sbuser/Desktop/AddOns/SSL/X509/truststore.jks"
    trustStorePassword = "changeit"
    trustStoreType = "JKS"
    userNameObjectIdentifierSearchPath = [ "emailAddress", "CN", "DN" ]
  }
  SecureCommunicationClientProfile = {
    name = "clientprofile"
    keyStore = "C:/Users/sbuser/Desktop/AddOns/SSL/X509/serverkeystore.jks"
    keyStorePassword = "changeit"
    keyStoreType = "JKS"
    keyPassword = "changeit"
    requireClientAuthentication = true
    trustStore = "C:/Users/sbuser/Desktop/AddOns/SSL/X509/truststore.jks"
    trustStorePassword = "changeit"
    trustStoreType = "JKS"
  }
}

LDAP Authentication Realm

This configuration type defines a single LDAP authentication realm. The realm can contain multiple servers for redundancy to authenticate StreamBase or Live Datamart users and check the roles to which those users belong. It is separate from the base engine configuration and can therefore be managed separately without having to recreate an application archive and redeploy the application.

LDAPAuthenticationRealm

A single LDAP authentication realm. The realm can contain multiple servers for redundancy.

name

String. The name of this realm, unique across all authentication realms. This property is required. For example:

name = "my-realm"
requireTrustedHostMembership

Bool. If set to true, all incoming requests authenticated by this realm are rejected unless they come from a trusted host. This property is optional and its default value is false.

For example:

requireTrustedHostMembership = false
allowSecureCommunicationClientAuthentication

Bool. If set to true, incoming requests using secure communication with client authentication are automatically authenticated without a password required. This property is optional and its default value is false.

For example:

allowSecureCommunicationClientAuthentication = true
requirePassword

Bool. If set to true, incoming requests not automatically authenticated with secure communication client authentication always require a password. If set to false, a password is not required if the request comes from a trusted host. This property is optional and its default value is false.

For example:

requirePassword = false
servers

An array of one or more LDAP servers that authenticate principals in this LDAP realm. This array is required, and at least one server is required in the list.

host

String. The LDAP server's host name. This property is optional and its default value is localhost.

For example:

host = "ldap.example.com"
portNumber

Int between 1 and 65535. The LDAP server's portNumber number. This property is optional and its default value is 389.

For example:

portNumber = 390
principalAuthenticationAlgorithm

String. The type of principal authentication to perform.

BIND authenticates principals by connecting to the LDAP server using the principal name and credentials.

LOCAL_PASSWORD_COMPARE authenticates principals by connecting to the LDAP server using the system principal, searching for the user, retrieving its principalPasswordAttribute, and comparing locally with the principal's credentials.

REMOTE_PASSWORD_COMPARE is the same as local except that the comparison is performed at the server. This property is optional and its default value is BIND.

For example:

principalAuthenticationAlgorithm = LOCAL_PASSWORD_COMPARE
principalPasswordAttribute

String. The password attribute of this server's principals. This property is optional and its default value is userPassword.

For example:

principalPasswordAttribute = "password"
principalSearchFilter

String. The LDAP filter expression used when searching for principals. The filter permits Java pattern substitution expressions; {0} is bound to the input principal, and {1} is bound to its corresponding DN. This property is required. Default is CN={0}.

For example:

principalSearch = "CN={0}"
principalSearchRoots

A list of Distinguished Names under which principals are searched for during search-based authentication or user ID-to-DN conversion. This property is required and must contain at least one element.

For example:

principalRoots = [ "ou=users,dc=example,dc=com" ]
roleNameAttribute

String. Attribute of a role entry that is used to map to privileges. This property is optional and its default value is CN. For example:

roleAttribute = "roleID"
roleSearchFilter

String. The LDAP filter expression used when searching for roles of which a principal is a member. The filter permits Java pattern substitution expressions; {0} is bound to the input principal, and {1} is bound to its corresponding DN. This property is required.

For example:

roleSearchFilter = "membership={1}"
roleSearchRoots

A list of Distinguished Names under which roles are searched for. This property is optional and defaults to the value of the principalRoots property. For example:

roleRoots = [ "ou=roles,dc=example,dc=com" ]
secureCommunicationProfileName

String. Name of a secure communication client profile to use when configuring secure communications with an LDAP server. This property is optional and has no default value.

If present, this profile must be used when setting the ldmSecureInternalCommunicationProfileName property in Live Datamart Internal Credentials Configuration file or the secureCommunicationProfileName property in Live Datamart Client API Listener Configuration file.

If not present, LDAP connections do not use secure communication.

For example:

secureCommunicationProfileName = "my-secure-communication-client-profile"
systemPassword

String. The password used by the authentication system to log in to the LDAP server. This required property is encryptable as part of the node-level secrecy system described in Encrypting Sensitive Configuration Data.

For example:

password = "secret"
systemPrincipal

String. The principal used by the authentication system to log in to the LDAP server and query for principal or role information. This property is required. For example:

systemPrincipal = "cn=SBLDAPUser,cn=Users,dc=ldap,dc=example,dc=com"

Examples, LDAP Authentication Realm

The following is an example of the LDAP realm security configuration subtype.

name = "ldaprealm"
version = "1.0.0"
type = "com.tibco.ep.dtm.configuration.security"
configuration = {
  LDAPAuthenticationRealm = {
    name = "ldap-authentication-realm"
    servers = [
      {
        host = "localhost"
        portNumber = 389        
        systemPrincipal = "CN=lvintern,OU=Users,dc=example,dc=com"
        systemPassword = "lvintern"
        secureCommunicationProfileName = "secure-client"
        
        principalSearchRoots = [
          "OU=Users,DC=example,DC=com",
        ]
        principalSearchFilter="cn={0}"
        roleSearchRoots = [
          "OU=Roles,DC=example,DC=com"
        ]
        roleSearchFilter = "roleOccupant={1}"
      }
    ]
  }
}

Open ID Connect Authentication Realm

OpenID Connect (OIDC) is an identity layer on top of the OAuth 2.0 protocol, which allows single sign-on for clients to verify your identity based on the authentication performed by an authorization server. This configuration file also obtains basic profile information about the users in an interoperable and REST-like manner.

The following identity providers are currently supported:

  • Google Identity Platform

  • Auth0

  • Microsoft Azure Active Directory

OIDCAuthenticationRealm

Defines an OIDC authentication realm, which contains settings that configure authentication using OIDC.

name

String. The name of this realm, unique across all authentication realms. This property is required.

For example:

name = "my-realm"
identityProviders

A map indexed by provider names. Provider names must be URL safe and non-empty. This object is required.

The following properties apply to multiple identity providers except where noted. The provider names below reflect the currently supported ones — Google Identity, Auth0, and Microsoft Azure Active Directory. Note that while each provider uses similar properties, if using Auth0 pay particular attention to the subjectProviderMappings property shown in that example.

Google

Name of the identity provider.

documentDiscoveryURL

String. The identity Provider's Document Discovery URL for obtaining Discovery information. This property is required.

For example:

documentDiscoveryUrl = "https://accounts.google.com/.well-known/openid-configuration"
clientId

String. The client's authentication ID. This property is required.

For example:

clientId = "place your client id here"
clientSecret

String. The client's authentication secret key. This required property is encryptable as part of the node-level secrecy system described in Encrypting Sensitive Configuration Data.

For example:

clientSecret = "place your client secret here"
identityAttributeName

String. The attribute in a given principal's ID Token to be used as the identity for this principal. This property is required.

For example:

identityAttributeName = "subject email firstName or other claims"
Auth0

Name of the identity provider.

documentDiscoveryURL

String. The identity Provider's Document Discovery URL for obtaining Discovery information. This property is required.

For example:

https://tibco.auth0.com/.well-known/openid-configuration
clientId

String. The client's authentication ID. This property is required.

For example:

clientId = "place your client id here"
clientSecret

String. The client's authentication secret key. Any parameter value beginning with #! is enciphered with epadmin encrypt secret command. This property is required.

For example:

clientSecret = "place your client secret here"
identityAttributeName

String. The attribute in a given principal's ID Token to be used as the identity for this principal. This property is required.

For example:

identityAttributeName = "subject email firstName or other claims"
subjectProviderMappings

Mappings from Auth0-specific identity provider prefixes to internal identity provider names. Not required for Google or Microsoft identity providers.

Auth0 identity information contains sub claims in the form of sub: google-oauth2|105569619522230371597.

Using | as the delimiter as shown above, google-oauth2 is the prefix that identifies the provider providing the identity information. 105569619522230371597 is the actual subject for the principal from the identity provider represented by google-oauth2.

Note that google-oauth2 is specified below to be interpreted as the Auth0 identifier for the identity provider Google configured above. Also note that, the same principal authenticated directly against Google would have a piece of identity information with sub field being sub: 105569619522230371597.

For example:

subjectProviderMappings = {
  "google-oauth2" = "Google"
}
Microsoft

Name of the identity provider.

documentDiscoveryURL

String. The identity Provider's Document Discovery URL for obtaining Discovery information. This property is required.

Microsoft Azure Active Directory requires a tenant name in the URL. To determine your tenant name, log into https://login.microsoftonline.com/ and look for Domain on the web page after toggling your account name there.

For example:

https://login.microsoftonline.com/tenant/.well-known/openid-configuration
clientId

String. The client's authentication ID. This property is required.

For example:

clientId = "place your client id here"
clientSecret

String. The client's authentication secret key. Any parameter value beginning with #! is enciphered with epadmin encrypt secret command. This property is required.

For example:

clientSecret = "place your client secret here"
identityAttributeName

String. The attribute in a given principal's ID Token to be used as the identity for this principal. This property is required.

For example:

identityAttributeName = "subject email firstName or other claims"
pendingAuthenticationTimeoutSeconds

Int. The amount of time that the OIDC client will wait for a provider's response before timing out. This property is optional and its default value is 300 seconds.

For example:

pendingAuthenticationTimeoutSeconds = 600
fallbackAuthenticationRealmName

String. A reference to a realm for handling non-REST and non-web authentications and all authorizations. This property is required.

For example:

fallbackAuthenticationRealmName = "my-local-or-ldap-realm"
requireTrustedHostMembership

Bool. If set to true, all incoming requests authenticated by this realm are rejected unless they come from a trusted host. This property is optional and its default value is false.

For example:

requireTrustedHostMembership = false
defaultRedirectURL

The address to redirect a user to after authentication, if no redirect URL was provided with the authentication request. This property is optional and its default value is null.

For example:

defaultRedirectUrl = "www.example.com"

Example, OIDC Authentication Realm

The following OIDC Authentication Realm configuration file contains configurations for Google, Auth0, and Microsoft.

name = "oidc-realm1"
version = "1.0.0"
type = "com.tibco.ep.dtm.configuration.security"
configuration = {
  OIDCAuthenticationRealm = {
    name = "my-realm"
    identityProviders = {
      "Google" = {
        documentDiscoveryURL = "https://accounts.google.com/.well-known/openid-configuration"
        clientId = "place your client id here"
        clientSecret = "place your client secret here"
        identityAttributeName = "subject email firstName or other claims"
      }
      "Auth0" = {        
        documentDiscoveryURL = "https://tibco.auth0.com/.well-known/openid-configuration"
        clientId = "place your client id here"
        clientSecret = "place your client secret here"
        identityAttributeName = "subject email firstName or other claims"
        subjectProviderMappings = {
          "google-oauth2" = "Google"
          }
      }
      "Microsoft" = {        
        documentDiscoveryURL = "https://login.microsoftonline.com/tenant.well-known/
          openid-configuration"
        clientId = "place your client id here"
        clientSecret = "place your client secret here"
        identityAttributeName = "subject email firstName or other claims"
      }
    pendingAuthenticationTimeoutSeconds = 600
    fallbackAuthenticationRealmName = "my-local-or-ldap-realm"
    requireTrustedHostMembership = false
    defaultRedirectURL = "http://url1.tibco.com"
  }
}

Kerberos Authentication Realm

Kerberos is a network authentication protocol for client-server applications, and SPNEGO provides a mechanism for extending Kerberos to web applications through the HTTP protocol. LiveView can be enabled for Kerberos to verify the identity of clients (authentication) and ensure that authenticated clients have permission to access the requested resources on the LiveView server side (authorization). See LiveView Authentication and Authorization for Kerberos.

KerberosAuthenticationRealm

A Kerberos authentication realm contains the configuration required for a Live Datamart node and its engines to authenticate users with Kerberos.

name

String. Realm name, which must be unique across all authentication realms. This property is required.

For example:

name = "my-realm"
requireTrustedHostMembership

Bool. If set to true, all incoming requests authenticated by this realm are rejected unless they come from a trusted host. This property is optional and its default value is false.

For example:

requireTrustedHostMembership = false
fallbackAuthenticationRealmName

String. Kerberos realms perform SPNEGO authentication only. This property specifies the name of the (must be LDAP or local authentication) realm used for non-SPNEGO authentication and for all authorization. This property is required and must match the name defined in the corresponding realm.

For example:

fallbackAuthenticationRealmName = "sample-fallback-realm-name"
kerberosConfigurationFile

String. The location of the Kerberos system configuration file, specifying among other things the location of the KDC. This property is required and must contain an absolute file path.

Examples:

linux_x86_64 = "/a/kerberos/config/file"
osx_x86_64 = "/a/kerberos/config/file"
windows_x86_64 = "c:\\a\\kerberos\\config\\file"
serverKeytabFile

String. The server Kerberos keytab file name, used for principal login without kinit. This property is required and must contain an absolute file path.

Examples:

linux_x86_64 = "/a/keytab/file"
osx_x86_64 = "/a/keytab/file"
windows_x86_64 = "c:\\a\\keytab/file"
serverPrincipalName

String. The server Kerberos principal name, as it is known to the KDC specified in the Kerberos system configuration file. This property is required.

For example:

serverPrincipalName = "HTTP/my.host.com@example.com"
ticketCacheFile

String. The location of a Kerberos ticket cache file. This property is optional and has no default value. If not specified, then the value of the system environment variable KRB5CCNAME is used. If that is not specified, then a system default location is used. If used, it must contain an absolute file path.

For example:

ticketCacheFileName = "/a/ticket/cache/file"
jaasDebug

Bool. The JAAS debugging status. Set to true to enable JAAS debug logging, false to disable. This property is optional and its default value is false.

For example:

jaasDebug = false
internalClientKeytabFile

String. The internal client Kerberos keytab file name, used for internal client login without kinit. This property is optional and has no default value. If no file is specified, the server keytab file is used. If specified, it must contain an absolute file path.

For example:

internalClientKeytabFile = "/another/keytab/file"
internalClientPrincipalName

String. The internal client Kerberos principal name, as it is known to the KDC specified in the Kerberos system configuration file. This property is optional and has no default value. If not specified, then an internal client JAAS login configuration file containing a principal name must be specified.

For example:

internalClientPrincipalName = "myprincipal@example.com"
internalClientPrincipalName

String. The internal client Kerberos principal name, as it is known to the KDC specified in the Kerberos system configuration file. This property is optional and has no default value. If not specified, then an internal client JAAS login configuration file containing a principal name must be specified.

internalClientLoginConfigurationFile

String. The JAAS login configuration file that configures internal client use of Kerberos. This property is optional and has no default value. If no file is specified, then an internal client principal name must be specified, and the realm will generate a login file using that principal and either the client keytab file, or the server keytab file if no client keytab file is specified. If specified, it must contain an absolute file path.

Examples, Kerberos Authentication Realm

The following is an example of the Kerberos authentication realm security configuration subtype.

name = "kerbrealm1"
version = "1.0.0"
type = "com.tibco.ep.dtm.configuration.security"
configuration = {
  KerberosAuthenticationRealm = {
    name = "my-realm"
    requireTrustedHostMembership = false
    fallbackAuthenticationRealmName = "my-ldap-realm"
    kerberosConfigurationFileName = "/a/kerberos/config/file"
    serverKeytabFileName = "/a/keytab/file"
    serverPrincipalName = "HTTP/my.host.com@example.COM"
    ticketCacheFileName = "/a/ticket/cache/file"
    jaasDebug = false
    internalClientKeytabFileName = "/another/keytab/file"
    internalClientPrincipalName = "myprincipal@example.COM"
  }
}

Role to Privilege Mappings

RoleToPrivilegeMappings

A description of general privileges associated with roles. Each privilege can have an associated resource; a privilege defines what you can do, and its associated resource defines what you can do it to.

privileges

An associative array of role-to-privilege mappings for EventFlow and LiveView engines. This object is required and must contain at least one mapping.

LVUser

String. Role name example.

privilege

Name of a privilege. Some privileges are EventFlow-specific, some are LiveView- or LiveView Web client-specific, and some are StreamBase Runtime administrator-specific. This property is required.

In the example below, the description column maps HOCON-configured privileges to their StreamBase 7 equivalents, where applicable.

Privileges can be one or more of the following:

Privilege Description
StreamBase Runtime privileges
AdminRunCommand StreamBase Runtime epadmin command privileges
API access privileges
APIConnect Maps to the Live Datamart connect privilege
Stream-related privileges, mapped to the corresponding StreamBase and Live Datamart privileges
StreamEnqueue Maps to the StreamBase Enqueue privilege and the Live Datamart tuple:send privilege
StreamDequeue Maps to the StreamBase Dequeue privilege
LiveViewSBStreamInfoRetrieve Maps to the LiveView sbinfo:get privilege
LiveView administrative privileges
LiveViewPublisherKill Maps to the LiveView publisher:kill privilege
LiveViewQueryKill Maps to the LiveView query:kill privilege
LiveViewSessionKill Maps to the LiveView session:kill privilege
LiveViewAll LiveView full privileges ("*")
LiveViewShutdown LiveView server shutdown privileges
LiveView table alert privileges
LiveViewAlertAll Maps to the LiveView alert.* privilege
LiveViewAlertDelete Maps to the LiveView alert:delete privilege. If no resource is specified, or contains *, the privilege applies to all LiveView tables.
LiveViewAlertDeleteSelf

Allows deleting alert rules that were created by the logged-in user only. If a resource is specified, then the privilege applies to alert rules associated with the specified table only.

This privilege does not have a pre-10.x equivalent.

LiveViewAlertList Maps to the LiveView alert:list privilege. If no resource is specified, or contains *, the privilege applies to all LiveView tables.
LiveViewAlertListSelf

Allows retrieving the set of configured alerts created by the logged-in user only. If a table resource is specified, this privilege applies to alert rules associated with that specific table only.

This privilege does not have a pre-10.x equivalent.

LiveViewAlertSet Maps to the LiveView alert:set privilege. If no resource is specified, or contains *, the privilege applies to all LiveView tables.
LiveViewAlertSetSelf

Allows adding or modifying alert rules on the specified tables that were created by the logged-in user only. If no resource is specified, or contains *, the privilege applies to all LiveView tables.

This privilege does not have a pre-10.x equivalent.

LiveViewAlertActionAll Maps to the LiveView alertaction:* privilege
LiveViewAlertActionDelete Maps to the LiveView alertaction:delete privilege
LiveViewAlertActionEmail Maps to the LiveView alertaction:email privilege
LiveViewAlertActionJava Maps to the LiveView alertaction:java privilege
LiveViewAlertActionOSCommand Maps to the LiveView alertaction:oscmd privilege
LiveViewAlertActionPublish Maps to the LiveView alertaction:publish privilege
LiveViewAlertActionSendTuple Maps to the LiveView alertaction:sendtuple privilege

Note

Specifying a resource called __CronAlertsOnly filters cron-based alert rules. For example, for a role called LVUser, the privilege of LiveViewAlertListSelf for resource __CronAlertsOnly would allow LVUser to list alert rules created by that role that are cron-based alert rules. Also, notice that this resource requires two underscores (__).

LiveView table management privileges
LiveViewTableAll Maps to the LiveView table:* privilege
LiveViewTableDelete Maps to the LiveView table:delete privilege
LiveViewTableList Maps to the LiveView table:list privilege
LiveViewTableManage Maps to the LiveView table:manage privilege
LiveViewTableQuery Maps to the LiveView table:query privilege
LiveViewTablePublish Maps to the LiveView table:publish privilege
LiveViewTableCCQuery Maps to the LiveView table:ccquery privilege
LiveViewTableAdd Maps to the LiveView table:add privilege
LiveViewTableRemove Maps to the LiveView table:remove privilege
LiveView tuple management privileges
LiveViewTupleAll Maps to the LiveView tuple:* privilege
LiveViewTupleInfo Maps to the LiveView tuple:info privilege
LiveViewTupleSend Maps to the LiveView tuple:send privilege
LiveView workspace management privileges
LiveViewWorkspaceAll Maps to the LiveView workspace:* privilege
LiveViewWorkspaceDelete Maps to the LiveView workspace:delete privilege
LiveViewWorkspaceGet Maps to the LiveView workspace:get privilege
LiveViewWorkspaceSet Maps to the LiveView workspace:set privilege
LiveView Web privileges
LiveViewWebDashboardCreate Maps to the LiveView Web dashboard:create privilege
LiveViewWebPageCreate Maps to the LiveView Web page:create privilege
LiveViewWebCardCreate Maps to the LiveView Web card:create privilege
LiveViewWebLinkageCreate Maps to the LiveView Web linkage:create privilege
LiveView metadata store privileges
LiveViewMetadataImport Enables importing data using lv-client into the LiveView server.
LiveViewMetadataExport Enables exporting data using lv-client from the LiveView server.
resource

String. The resource to which the privilege applies. For example, if the privilege allows writing to an EventFlow stream, the resource might be the stream name, or a regular expression that matches multiple stream names. If the privilege does not apply to a resource, this property can be left null. This property is optional and has no default value.

For example:

resource = "default.InputStream1"
LVUser

String. LiveView engine example role name.

privilege

The privilege type that maps to the role. This property is required.

The example below shows a Live Datamart user role, LVAdmin, with all Live Datamart privileges. This is equivalent to configuring the liveview.auth.properties file to role.LVAdmin = * in StreamBase 7.

LVAdmin = [
  {
  privilege = "LiveViewAll"
  }
]

For those familiar with StreamBase 7, recall that several internal LiveView components were required to make requests to access LiveView server resources, by setting LiveView properties files. When authentication was enabled, for example, these internal requests had to be made in the context of a valid LiveView user configured with the appropriate permissions. A special role, LVInternal, satisfied this requirement.

In StreamBase 10, instead of configuring LiveView properties files, create a Live Datamart user role, LVInternal, and map privileges to the role to perform internal LiveView user functions similar to those in StreamBase 7.

For example:

LVInternal = [
  {
    privilege = "APIConnect"
  }
  {
    privilege = "LiveViewShutdown"
  }
  {
    privilege = "LiveViewTableQuery"
  }
  {
    privilege = "LiveViewTablePublish"
    resource = "LVAlerts"
   }
   {
    privilege = "LiveViewTableDelete"
    resource = "ItemsSales"
   }
   {
    privilege = "LiveViewTableManage"
   }
   {
    privilege = "LiveViewWorkspaceAll"
   }
  ]

The following example shows a Live Datamart user role, LVUser, assigned LiveView engine- and LiveView Web client-specific privileges:

LVUser = [
  {
    privilege = "APIConnect"
  }
  {
    privilege = "LiveViewTableList"
  }
  {
    privilege = "LiveViewTableManage"
  }
  {
    privilege = "LiveViewTableAll"
    resource = "ItemsSales"
  }
  {
    privilege = "LiveViewTableQuery"
  }
  {
    privilege = "LiveViewAlertList"
  }
  {
    privilege = "LiveViewAlertSet"
    resource = "ItemsSales"
  }
  {
    privilege = "LiveViewAlertDelete"
  }
  {
    privilege = "LiveViewAlertActionPublish"
    resource = "ItemsSales"
  }
  {
    privilege = "LiveViewAlertActionEmail"
    resource = "ItemsSales"
  }
  {
    privilege = "LiveViewAlertActionSendTuple"
    resource = "ItemsSales"
  }
  {
    privilege = "LiveViewTupleInfo"
    resource = "ItemsSales.DataIn"
  }
  {
    privilege = "LiveViewTupleSend"
    resource = "ItemsSales.DataIn"
  }
  {
    privilege = "LiveViewWorkspaceGet"
    resource = "Auth Sample"
  }
  {
    privilege = "LiveViewWebCardCreate"
  }
  {
    privilege = "LiveViewWebDashboardCreate"
  }
  {
    privilege = "LiveViewWebLinkageCreate"
  }
  {
    privilege = "LiveViewWebPageCreate"
  }

 ]

The following example shows a Live Datamart user role, LVGuest, assigned LiveView engine-specific privileges:

LVGuest = [
  {
    privilege = "APIConnect"
  }
  {
    privilege = "LiveViewTableList"
  }
  {
    privilege = "LiveViewTableManage"
  }
  {
    privilege = "LiveViewTableAll"
    resource = "ItemsSales"
  }
  {
    privilege = "LiveViewTableQuery"
  }
  {
    privilege = "LiveViewAlertList"
  }
  {
    privilege = "LiveViewAlertSet"
    resource = "ItemsSales"
  }
  {
    privilege = "LiveViewAlertDelete"
  }
  {
    privilege = "LiveViewAlertActionPublish"
    resource = "ItemsSales"
  }
  {
    privilege = "LiveViewAlertActionEmail"
    resource = "ItemsSales"
  }
  {
    privilege = "LiveViewAlertActionSendTuple"
    resource = "ItemsSales"
  }
  {
    privilege = "LiveViewTupleInfo"
    resource = "ItemsSales.DataIn"
  }
  {
    privilege = "LiveViewTupleSend"
    resource = "ItemsSales.DataIn"
  }
  {
    privilege = "LiveViewWorkspaceGet"
    resource = "Auth Sample"
  }
 ]

The following example shows a LiveView Web user role, LVWebUser, assigned the following privileges:

LVWebUser = [
  {
    privilege = "LiveViewWebCardCreate"
  }
  {
    privilege = "LiveViewWebDashboardCreate"
  }
  {
    privilege = "LiveViewWebLinkageCreate"
  }
  {
    privilege = "LiveViewWebPageCreate"
  }
 ]

Example, Role to Privileges Mappings

The following is a general sample RoleToPrivilegeMappings configuration file. Each privilege has an associated resource; a privilege defines what you can do, and its associated resource defines what you can do it to.

name = "my-role-mappings"
version = "1.0.0"
type = "com.tibco.ep.dtm.configuration.security"
configuration = {
  RoleToPrivilegeMappings = {
    privileges = {
      admin = [
        {
          privilege = "AdminRunCommand"
        }
      ]
      streamBaseSuperuser = [
        { 
          privilege = "StreamEnqueue"
          resource = "default.InputStream1"
        }
      ]
      basicUser = [
        {
          privilege = "StreamEnqueue"
          resource = "default.InputStream1"
        }
        {
          privilege = "StreamDequeue"
          resource = "default.OutputStream1"
        }
      ]
    }
  }
}

The following is a sample RoleToPrivilegeMappings configuration file that includes StreamBase, Live Datamart, and LiveView Web configuration.

name = "my-RoleToPrivilegeMappings"
version = "1.0.0"
type = "com.tibco.ep.dtm.configuration.security"
configuration = {
  RoleToPrivilegeMappings = {
    privileges = {
      AdministratorSpecificCommands = [
        {
          privilege = "AdminRunCommand"
          resource = "breakpointplugin::Plugin::continueCommand"
        }
        {
          privilege = "AdminRunCommand"
          resource = "security::SecurityPlugin::display"
        }
      ]
      StreamBaseSuperuser = [
        { 
          privilege = "StreamEnqueue"
          resource = "default.InputStream1"
        }
      ]
      StreamBaseBasicUser = [
        {
          privilege = "StreamEnqueue"
          resource = "default.InputStream1"
        }
        {
          privilege = "StreamDequeue"
          resource = "default.OutputStream1"
        }
      ]
      AnotherAdminUser = [
        {
          privilege = "StreamEnqueue"
          resource = "default.InputStream1"
        }
        {
          privilege = "APIConnect"
        }
      ]
      LDMUserAll = [
        {
          privilege = "LiveViewAlertAll"
          resource = "alertName1"
        }
        {
          privilege = "LiveViewTupleAll"
          resource = "mySchema1"
        }
        {
          privilege = "LiveViewTableAll"
          resource = "myTable1"
        }
        {
          privilege = "LiveViewAlertActionAll"
          resource = "alertName2"
        }
        {
          privilege = "LiveViewWorkspaceAll"
          resource = "wsName1"
        }
      ]
      LDMUserAll2 = [
        {
          privilege = "LiveViewAll"
        }
      ]
      LDMUserEach = [
        {
          privilege = "LiveViewShutdown"
        }
        {
          privilege = "LiveViewTableList"
          resource = "myTable"
        }
        {
          privilege = "LiveViewTableDelete"
          resource = "myTable"
        }
        {
          privilege = "LiveViewTableManage"
          resource = "myTable"
        }
        {
          privilege = "LiveViewTableQuery"
          resource = "myTable"
        }
        {
          privilege = "LiveViewTablePublish"
          resource = "myTable"
        }
        {
          privilege = "LiveViewAlertDelete"
          resource = "alertName"
        }
        {
          privilege = "LiveViewAlertSet"
          resource = "alertName"
        }
        {
          privilege = "LiveViewAlertList"
          resource = "alertName"
        }
        {
          privilege = "LiveViewWorkspaceGet"
          resource = "wsName"
        }
        {
          privilege = "LiveViewWorkspaceSet"
          resource = "wsName"
        }
        {
          privilege = "LiveViewWorkspaceDelete"
          resource = "wsName"
        }
        {
          privilege = "LiveViewTupleInfo"
          resource = "stream1"
        }
        {
          privilege = "LiveViewTupleSend"
          resource = "stream2"
        }
        {
          privilege = "LiveViewAlertActionDelete"
          resource = "alert1"
        }
        {
          privilege = "LiveViewAlertActionEmail"
          resource = "alert1"
        }
        {
          privilege = "LiveViewAlertActionJava"
          resource = "alert1"
        }
        {
          privilege = "LiveViewAlertActionOSCommand"
          resource = "alert1"
        }
        {
          privilege = "LiveViewAlertActionPublish"
          resource = "alert1"
        }
        {
          privilege = "LiveViewAlertActionSendTuple"
          resource = "alert1"
        }
        {
          privilege = "LiveViewWebCardCreate"
        }
        {
          privilege = "LiveViewWebDashboardCreate"
        }
        {
          privilege = "LiveViewWebLinkageCreate"
        }
        {
          privilege = "LiveViewWebPageCreate"
        }
      ]
    }
  }
}

The following is a sample RoleToPrivilegeMappings configuration file that includes only Live Datamart and LiveView Web configuration.

name = "my-role-mappings"
version = "1.0.0"
type = "com.tibco.ep.dtm.configuration.security"
configuration = {
  RoleToPrivilegeMappings = {
    privileges = {
      LVAdmin = [
        {
          privilege = "LiveViewAll"
        }
      ]
      LVInternal = [
        {
          privilege = "APIConnect"
        }
        {
          privilege = "LiveViewShutdown"
        }
        {
          privilege = "LiveViewTableQuery"
        }
        {
          privilege = "LiveViewTablePublish"
          resource = "LVAlerts"
        }
        {
          privilege = "LiveViewTableDelete"
          resource = "ItemsSales"
        }
        {
          privilege = "LiveViewTableManage"
        }
        {
          privilege = "LiveViewWorkspaceAll"
        }
      ]
      LVUser = [
        {
          privilege = "APIConnect"
        }
        {
          privilege = "LiveViewTableList"
        }
        {
          privilege = "LiveViewTableManage"
        }
        {
          privilege = "LiveViewTableAll"
          resource = "ItemsSales"
        }
        {
          privilege = "LiveViewTableQuery"
        }
        {
          privilege = "LiveViewAlertList"
        }
        {
          privilege = "LiveViewAlertSet"
          resource = "ItemsSales"
        }
        {
          privilege = "LiveViewAlertDelete"
        }
        {
          privilege = "LiveViewAlertActionPublish"
          resource = "ItemsSales"
        }
        {
          privilege = "LiveViewAlertActionEmail"
          resource = "ItemsSales"
        }
        {
          privilege = "LiveViewAlertActionSendTuple"
          resource = "ItemsSales"
        }
        {
          privilege = "LiveViewTupleInfo"
          resource = "ItemsSales.DataIn"
        }
        {
          privilege = "LiveViewTupleSend"
          resource = "ItemsSales.DataIn"
        }
        {
          privilege = "LiveViewWorkspaceGet"
          resource = "Auth Sample"
        }
        {
          privilege = "LiveViewWebCardCreate"
        }
        {
          privilege = "LiveViewWebDashboardCreate"
        }
        {
          privilege = "LiveViewWebLinkageCreate"
        }
        {
          privilege = "LiveViewWebPageCreate"
        }
      ]
      LVGuest = [
        {
          privilege = "APIConnect"
        }
        {
          privilege = "LiveViewTableList"
        }
        {
          privilege = "LiveViewTableManage"
        }
        {
          privilege = "LiveViewTableAll"
          resource = "ItemsSales"
        }
        {
          privilege = "LiveViewTableQuery"
        }
        {
          privilege = "LiveViewAlertList"
        }
        {
          privilege = "LiveViewAlertSet"
          resource = "ItemsSales"
        }
        {
          privilege = "LiveViewAlertDelete"
        }
        {
          privilege = "LiveViewAlertActionPublish"
          resource = "ItemsSales"
        }
        {
          privilege = "LiveViewAlertActionEmail"
          resource = "ItemsSales"
        }
        {
          privilege = "LiveViewAlertActionSendTuple"
          resource = "ItemsSales"
        }
        {
          privilege = "LiveViewTupleInfo"
          resource = "ItemsSales.DataIn"
        }
        {
          privilege = "LiveViewTupleSend"
          resource = "ItemsSales.DataIn"
        }
        {
          privilege = "LiveViewWorkspaceGet"
          resource = "Auth Sample"
        }
      ]
    }
  }
}

Secure Communication Client Profile

Each profile has a unique name across all server and client profile types; the name serves as a reference target from other configurations wishing to enable secure communication.

The client profile is for INTERNAL client connections, that is by the server to the server. If you enable SSL on a Live Datamart server, you need both the SecureCommunicationClientProfile and the SecureCommunicationServerProfiles configured. This is due to the server and client certificates having different attributes, and certificate authorities do not issue a single certificate appropriate for both client and server use.

SecureCommunicationClientProfile

A secure communication profile configuration object contains settings used to secure client-side transport connections, for example to external services such as LDAP. Profiles are named, and then referenced as needed by other configurations needing secure communication.

name

The name of this profile, unique across all secure communication profiles. This property is required. For example:

name = "my-profile"
keyStore

Key store that contains key materials as well as optional trust store information, depending on key store format. It must be a file. If the key store contains multiple private key entries (aliases in JKS parlance), the first is used. The path is required to be absolute, therefore the file must exist on the target node's file system. This property is optional. If present, engines acting as clients can establish secure connections to services and perform client (mutual) authentication.

Examples:

linux_x86_64 = "/a/keyStore.jks"
osx_x86_64 = "/a/keyStore.jks"
windows_x86_64 = "c:\\a\\keyStore.jks"
keyStorePassword

String. Keystore password, used to access the keystore contents. This required property is encryptable as part of the node-level secrecy system described in Encrypting Sensitive Configuration Data.

For example:

keyStorePassword = "sample-key-store-password"
keyPassword

String. The password to access the key within the keystore. This optional property is encryptable as part of the node-level secrecy system described in Encrypting Sensitive Configuration Data. If absent, the keystore password is used to access the property.

For example:

keyPassword = "anothersecret"
keyStoreType

Key store type. This property is optional and its default value is jks. For example:

keyStoreType = "jks"
trustStore

Trust store containing CAs by which client certificates must be signed to be trusted. If specified, this must be a file. The path is required to be absolute, therefore the file must exist on the target node's file system. This property is optional. If you do not specify a trust store, the default JRE default CA cert store is used instead (for example, in $STREAMBASE_HOME/jdk/jre/).

Examples:

linux_x86_64 = "/a/trustStore.jks"
osx_x86_64 = "/a/trustStore.jks"
windows_x86_64 = "c:\\a\\trustStore.jks"
trustStorePassword

The password to access the trust store. This optional property is encryptable as part of the node-level secrecy system described in Encrypting Sensitive Configuration Data.

For example:

trustStorePassword = "sample-trust-store-password"
trustStoreType

Trust store type. This property is optional and its default value is jks.

For example:

trustStoreType = "jks"
requireClientAuthentication

Bool. Enable or disable required client authentication. Enabling requires presence of a key store to sign the client side of the secure communication handshake. This property is optional, and its default value is false. If its value is true, both a key store and key store password are required.

For example:

requireClientAuthentication = true
includedCipherSuites

A list of cipher suites specifically allowed by this configuration. This array is optional and if not present defaults to the JRE's full set of supported cipher suites. Exclusive with excludedCipherSuitePatterns.

For example:

includedCipherSuites = "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256"
excludedCipherSuitePatterns

String. A list of Java regular expression patterns for cipher suites specifically excluded by this configuration. This array is optional and has no default value. A missing or empty array allows all cipher suites either explicitly included by this configuration or provided by the JRE. Exclusive with includedCipherSuites. If no excluded patterns are provided, and no included cipher suites are provided either, then a default set of excluded patterns is used that prevents cipher suites with known security flaws from being considered during negotiation.

For example:

excludedCipherSuitePatterns = [ "^.*_(MD5|SHA|SHA1)$" ]

Default:

excludedCipherSuitePatterns = [ "^SSL_.*$","^.*DH_.*$","^.*KRB5.*$","^.
  *NULL.*$","^.*anon.*$","^.*DES.*$","^.*MD5$","^.*DSS.*$","^TLS_RSA(?:
  (?!_WITH_AES_128_CBC_SHA).)*$"]

If you installed the Elliptic Curve Cryptography suites (ECC), you can exclude the non-PFS RSA suites as TIBCO recommends. In the example below, the line wraps to the next for clarity.

excludedCipherSuitePatterns = [ "^SSL_.*$","^.*DH_.*$","^.*KRB5.*$","^.
*NULL.*$","^.*anon.*$","^.*DES.*$","^.*MD5$","^.*DSS.*$","^TLS_RSA.*$"]
includedProtocols

A list of handshake protocols specifically allowed by this configuration. This array is optional and if not present defaults to the list shown in the example below. TIBCO recommends using TLS 1.1 or above. Exclusive with excludedProtocolPatterns.

For example:

includedProtocols = [ "TLSv1.1", "TLSv1.2" ]
excludedProtocolPatterns

This property is deprecated but still supported for backward compatibility.

A list of Java regular expression patterns for handshake protocols specifically excluded by this configuration. This array is optional and has no default value. A missing or empty array allows all protocols either explicitly included by this configuration or provided by the JRE. Exclusive with includedProtocols.

Examples, Secure Communication Client Profile

The following is a sample that configures a secure communication profile for a client endpoint. A secure communication profile configuration object contains settings used to secure client-side transport connections (for example, to external services such as LDAP). Profiles are named and then referenced as needed by other configurations needing secure communication.

name = "mycommunicationsettings"
version = "1.0.0"
type = "com.tibco.ep.dtm.configuration.security"
configuration = {
  SecureCommunicationClientProfile = {
    name = "my-profile"
    keyStore = "/absolute/path/myKeyStore.jks"
    keyStorePassword = "secret"
    keyPassword = "anothersecret"
    keyStoreType = "JKS"
    trustStore = "/absolute/path/myTrustStore.jks"
    trustStorePassword = "athirdsecret"
    trustStoreType = "JKS"
    requireClientAuthentication = true
  }
}

Secure Communication Server Profile

Each profile has a unique name across all server and client profile types; the name serves as a reference target from other configurations wishing to enable secure communication.

This profile is for the Live Datamart API listener. For SSL with client certificate authentication, the profile contains a trust store used to validate incoming server certificates. Also, if you enable SSL on a Live Datamart server, you need both the Secure Communication Client Profile and the Secure Communication Server Profiles configured. This is due to the server and client certificates having different attributes, and certificate authorities do not issue a single certificate appropriate for both client and server use.

SecureCommunicationServerProfile

A secure communication profile configuration object contains settings used to secure server-side transport connections, for example from EventFlow and LiveView API clients. Profiles are named, and then referenced as needed by other configurations needing secure communication.

name

String. The name of this profile, unique across all secure communication profiles. This property is required. For example:

name = "my-profile"
keyStore

String. File path to a key store that contains the server's certificate as well as optional trust store information, depending on key store format. If the key store contains multiple private key entries (aliases in JKS parlance), the first is used. The path is required to be absolute. Therefore, the file must exist on the target node's file system. This property is required.

For example:

keyStore = {
  linux_x86_64 = "/a/keyStore.jks"
  osx_x86_64 = "/a/keyStore.jks"
  windows_x86_64 = "c:\\a\\keyStore.jks"
  }
keyStorePassword

String. Key store password, used to access the keystore contents. This required property is encryptable as part of the node-level secrecy system described in Encrypting Sensitive Configuration Data.

For example:

keyStorePassword = "sample-key-store-password"
keyPassword

String. The password to access the key within the keystore. This optional property is encryptable as part of the node-level secrecy system described in Encrypting Sensitive Configuration Data. If absent, the keystore password is used to access the property.

For example:

keyPassword = "anothersecret"
keyStoreType

Key store type. This property is optional and its default value is jks. For example:

keyStoreType = "jks"
trustStore

Trust store containing CAs by which client certificates must be signed to be trusted. If specified, this must be a file. The path must be absolute, therefore the file must exist on the target node's file system. This property is optional. If you do not specify a trust store, the default JRE default CA cert store is used instead (for example, in $STREAMBASE_HOME/jdk/jre/).

For example:

trustStore = {
  linux_x86_64 = "/a/trustStore.jks"
  osx_x86_64 = "/a/trustStore.jks"
  windows_x86_64 = "c:\\a\\trustStore.jks"
  }
trustStorePassword

String. The password to access the trust store. This optional property is encryptable as part of the node-level secrecy system described in Encrypting Sensitive Configuration Data.

For example:

trustStorePassword = "sample-trust-store-password"
trustStoreType

String. Trust store type. This property is optional and its default value is jks.

For example:

trustStoreType = "jks"
requireClientAuthentication

Bool. Enable or disable required client authentication. Enabling requires presence of a trust store to verify client trust. This property is optional, and its default value is false. If its value is true, both a key store and key store password are required.

For example:

requireClientAuthentication = true
includedCipherSuites

A list of cipher suites specifically allowed by this configuration. This array is optional and if not present defaults to the JRE's full set of supported cipher suites. Exclusive with excludedCipherSuitePatterns.

For example:

includedCipherSuites = ["TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256"]
excludedCipherSuitePatterns

String. A list of Java regular expression patterns for cipher suites specifically excluded by this configuration. This array is optional and has no default value. A missing or empty array allows all cipher suites either explicitly included by this configuration or provided by the JRE. Exclusive with includedCipherSuites. If no excluded patterns are provided, and no included cipher suites are provided either, then a default set of excluded patterns is used that prevents cipher suites with known security flaws from being considered during negotiation.

For example:

excludedCipherSuitePatterns = [ "^.*_(MD5|SHA|SHA1)$" ]

Default:

excludedCipherSuitePatterns = [ "^SSL_.*$","^.*DH_.*$","^.*KRB5.*$","^.
  *NULL.*$","^.*anon.*$","^.*DES.*$","^.*MD5$","^.*DSS.*$","^TLS_RSA(?:
  (?!_WITH_AES_128_CBC_SHA).)*$"]

If you installed the Elliptic Curve Cryptography suites (ECC), you can exclude the non-PFS RSA suites as TIBCO recommends. In the example below, the line wraps to the next for clarity.

excludedCipherSuitePatterns = [ "^SSL_.*$","^.*DH_.*$","^.*KRB5.*$","^.
*NULL.*$","^.*anon.*$","^.*DES.*$","^.*MD5$","^.*DSS.*$","^TLS_RSA.*$"]
includedProtocols

A list of handshake protocols specifically allowed by this configuration. This array is optional and if not present defaults to the list shown in the example below. TIBCO recommends using TLS 1.1 or above. Exclusive with excludedProtocolPatterns.

For example:

includedProtocols = [ "TLSv1.1", "TLSv1.2" ]
excludedProtocolPatterns

This property is deprecated but still supported for backward compatibility.

A list of Java regular expression patterns for handshake protocols specifically excluded by this configuration. This array is optional and has no default value. A missing or empty array allows all protocols either explicitly included by this configuration or provided by the JRE. Exclusive with includedProtocols.

userNameObjectIdentifierSearchPath

An array of attribute keywords or X.509 object identifiers (OIDs), indicating the order in which the client's X.509 certificate subject Distinguished Name attributes are searched for to find a user name for authorization purposes. This property is only relevant if requireClientAuthentication is enabled. Supported attribute keywords are userID, CN, emailAddress, and DN. This property is optional and its default value is the search order emailAddress, CN, DN.

For example:

userNameObjectIdentifierSearchPath = [ "userID", "CN", "1.2.3.4", "DN" ]
subjectNameElementToUserNameMappings

An object whose values are certificate-based principal names and whose values are authorization user names. Used in cases where an incoming client certificate is used for authentication, but none of the elements of its subject name are suitable for mapping to roles during authorization. This object is optional; if not present, then no mapping can be performed, and a subject name element extracted with the userNameObjectIdentifierSearchPath must yield a valid user name for authorization purposes.

For example:

subjectNameElementToUserNameMappings = {
  "subjectNameElementFoo" = "userNameFoo"
  "subjectNameElementBar" = "userNameBar" 
} 

Examples, Secure Communication Server Profile

The following sample configures a secure communication profile for a server endpoint. A secure communication profile configuration object contains settings used to secure server-side transport connections (for example, from EventFlow and LiveView API clients). Profiles are named and then referenced as needed by other configurations needing secure communication.

name = "mycommunicationsettings"
version = "1.0.0"
type = "com.tibco.ep.dtm.configuration.security"
configuration = {
  SecureCommunicationServerProfile = {
    name = "my-profile"
    keyStore = "/absolute/path/myKeyStore.jks"
    keyStorePassword = "secret"
    keyPassword = "anothersecret"
    keyStoreType = "JKS"
    trustStore = "/absolute/path/myTrustStore.jks"
    trustStorePassword = "athirdsecret"
    trustStoreType = "JKS"
    requireClientAuthentication = true
    userNameObjectIdentifierSearchPath = [ "userID", "CN", "1.2.3.4", "DN" ]
    subjectNameElementToUserNameMappings = {
      "subjectNameElementFoo" = "userNameFoo"
      "subjectNameElementBar" = "userNameBar" 
    } 
  }
}

Trusted Hosts

The default local authentication source in a node supports the configuration of trusted hosts, which allows for expedited authentication of principals when the authentication request originates with a network connection from a configured trusted host. Authentication from a trusted host passes without consideration for credentials. That is, if the authentication request originates from a trusted host, then the StreamBase Runtime trusts that the host-based authentication mechanism (such as a Linux login) has verified the identity of the principal.

TrustedHosts

A list of hosts from which users do not need to authenticate when executing administrative commands. Hosts must be in an array.

hosts

String. A comma-separated list of host names and/or IP addresses from which users do not need to authenticate when executing administrative commands. The array supports simple host names, fully qualified domain names, partially qualified domain names, IPv4 single addresses, IPv6 single addresses, and CIDR blocks of IPv4 and IPv6 addresses.

Examples, Trusted Hosts

The following is a sample TrustedHosts configuration file.

name = "my-hosts"
version = "1.0.0"
type = "com.tibco.ep.dtm.configuration.security"
configuration = {
  TrustedHosts = {
    hosts = [
      "host1",
      "host2",
      "*.some.domain.org",
      "host4.tibco.com",
      "189.4.5.6",
      "192.168.2.0/24",
      "2001:0db8:85a3:0000:0000:8a2e:0370:7334"
    ]
  }
}

The above example configuration defines these trusted hosts:

  • host1 — a simple host name.

  • host2 — another simple host name.

  • *.some.domain.org — a partially qualified domain name. Partially qualified domain names are indicated using a *. prefix. All hosts under the some.domain.org domain are trusted.

  • host4.tibco.com — a fully qualified domain name.

  • 189.4.5.6 — an IPv4 address.

  • 2601:646:4102:9184:d56c:b9bc:f9ed:1ee4%en1 — an IPv6 address.

Deprecated Security Features

The following security properties are deprecated but are still supported for backward compatibility:

com.tibco.ep.dtm.configuration.LocalAuthenticationRealm.securityprincipals

The initialPrincipals property replaces the deprecated principals property in the Local Authentication Realm.

Local Admin Authentication Realm

The entire realm configuration is deprecated. Use the local authentication realm instead.

com.tibco.ep.dtm.configuration.security.SecureCommunicationClientProfile.excludedProtocolPatterns

This property is deprecated. Use com.tibco.ep.dtm.configuration.security.SecureCommunicationClientProfile.includedProtocols.

com.tibco.ep.dtm.configuration.security.SecureCommunicationServerProfile.excludedProtocolPatterns

This property is deprecated. Use com.tibco.ep.dtm.configuration.security.SecureCommunicationServerProfile.includedProtocols.

Local Admin Authentication Realm (Deprecated)

This realm is deprecated but still supported for backward compatibility. Instead, use a local authentication realm.

This authentication realm applies to epadmin command users performing such operations as starting and stopping a StreamBase Runtime node. If you do not have admin users in your configuration, the local admin authentication realm is not required.

LocalAdminAuthenticationRealm

Defines a local authentication realm, containing one or more administrator principals.

principals

An array of administrator principals. This property is optional and has no default value.

userName

The principal name. This property is required and cannot be an empty string.

For example:

userName = "JohnDoe"
hashedPassword

Principal's password, either in clear text or enciphered. This required property is encryptable as part of the node-level secrecy system described in Encrypting Sensitive Configuration Data.

For example:

Password = "M5DSWylszg5aA9AK29MOiaDLq7SMqmTor+nW3qURTrT9E9eqJfT
  PyyUudCK34nhXHE53PXK6pregp4MW8qrueg"
roles

Roles to which the principal has access, if any. Each role is an arbitrary text string, which can be bound to various privileges in a role-to-privileges mapping object. This key is required, and at least one list member is required.

For example:

roles = [ "BasicUser"
          "StreamBaseSuperuser"
          "admin" ]
passwordExpirationPeriodDays

Password expiration time in days. This property is optional and its default value is 0, meaning the password never expires.

For example:

passwordExpirationPeriodDays = 12
passwordAlwaysRequired

Sets whether a credential is always required. If true, the principal must always present a credential during authentication, and cannot use the trusted host facility. This property is optional and its default value is false.

For example:

passwordAlwaysRequired = true
trustedHostAccessOnly

Whether the principal may only be authenticated when connecting from a trusted host.

For example:

trustedHostAccessOnly = false

Examples, Local Admin Authentication Realm

The following is a sample local admin authentication realm configuration for epadmin users.

name = "localadminrealm1"
version = "1.0.0"
type = "com.tibco.ep.dtm.configuration.security"
configuration = {
  LocalAdminAuthenticationRealm = {
    principals = [
      {
        userName = "SBuser"
        hashedPassword = "LKJALISJDOIQUWEOIAJSLKDJALSJDL"
        roles = [
          "BasicUser"
          "StreamBaseSuperuser"
          "admin"
        ]
        passwordExpirationPeriodDays = 12
        passwordAlwaysRequired = true
        trustedHostAccessOnly = false
      }
    ]
  }
}