Security Considerations

This section highlights information relevant to secure deployment. We recommend that all administrators read this section.


Secure Environment

To ensure secure deployment, EMS administration must meet the following criteria:

Destination Security

Three interacting factors affect the security of destinations (that is, topics and queues). In a secure deployment, you must properly configure all three of these items:

Authorization Parameter

The server’s authorization parameter acts as a master switch for checking permissions for connection requests and operations on secure destinations. The default value of this parameter is disabled—the server does not check any permissions, and allows all operations. For secure deployment, you must enable this parameter.

Admin Password

For ease in installation and initial testing, the default setting for the admin password is no password at all. Until you set an actual password, the user admin can connect without a password. Once the administrator password has been set, the server always requires it.
To configure a secure deployment, the administrator must change the admin password immediately after installation; see Assign a Password to the Administrator.

Connection Security

When authorization is enabled, the server requires a name and password before users can connect. Only authenticated users can connect to the server. The form of authentication can be either an X.509 certificate or a username and password (or both).

When authorization is disabled, the server does not check user authentication; all user connections are allowed. However, even when authorization is disabled, the user admin must still supply the correct password to connect to the server.

Even when authorization is enabled, the administrator (admin) may explicitly allow anonymous user connections, which do not require password authorization. To allow these connections, create a user with the name anonymous and no password.

Creating the user anonymous does not mean that anonymous has all permissions. Individual topics and queues can still be secure, and the ability to use these destinations (either sending or receiving) is controlled by the access control list of permissions for those destinations. The user anonymous can access only non-secure destinations.
Nonetheless, this feature (anonymous user connections) is outside the tested configuration of EMS security certification.

For more information on destination security, refer to the destination property secure, and Adding the secure Property to the Topic.

Communication Security

For communication security between servers and clients, and between servers and other servers, you must explicitly configure SSL within EMS; see Using the SSL Protocol.

SSL communication requires software to implement SSL on both server and client. The EMS server includes the OpenSSL implementation. Java client programs must use either JSSE (part of the Java environment) or separately purchased SSL software from Entrust; neither of these is part of the EMS product. C client programs can use the OpenSSL library shipped with EMS.

Sources of Authentication Data

The server uses only one source of X.509 certificate authentication data, namely, the server parameter ssl_server_trusted (its value is set in an EMS configuration file). See ssl_server_trusted.

The server can use two sources of secure password authentication data:

You must safeguard the security of EMS configuration files and LDAP servers.

Timestamp

The administration tool can either include or omit a timestamp associated with the output of each command. To ensure a secure deployment, you must explicitly enable the timestamp feature. Use the following administration tool command:

 
time on 

Passwords

Passwords are a significant point of vulnerability for any enterprise. We recommend enforcing strong standards for passwords.
For security equivalent to single DES (an industry minimum), security experts recommend passwords that contain 8–14 characters, with at least one upper case character, at least one numeric character, and at least one punctuation character.

EMS software does not automatically enforce such standards for passwords. You must enforce such policies within your organization.

Audit Trace Logs

Audit information is output to log files (and stderr), and is configured by the server parameters log_trace and console_trace (see Tracing and Log File Parameters).

The DEFAULT setting includes +ADMIN, so all administrative operations produce audit output. For further details, see Table 35, Server tracing options (Sheet 1 of 2).

Audit information in log files is always timestamped.

Administrators can read and print the log files for audit review using tools (such as text editors) commonly available within all IT environments. EMS software does not include a special tool for audit review.
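
The following added example (not part of the EMS product or its documentation) audits a server configuration for three settings this section names: authorization, ssl_server_trusted, and ADMIN tracing in log_trace. It assumes a "name = value" file syntax with # comments and a comma-separated trace list in which +ITEM adds and -ITEM removes an item, applied left to right; the sample configuration is constructed.

```python
# Added example: audit an EMS-style server configuration for settings this
# section requires. Assumptions (not from the page): "name = value" lines,
# '#' comments, and a comma-separated +ITEM/-ITEM trace list read in order.

SAMPLE_CONF = """\
# constructed sample, not a real deployment
authorization = disabled
log_trace = DEFAULT,-ADMIN
"""

def parse_conf(text):
    """Return {parameter: value}; the last occurrence of a parameter wins."""
    params = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if "=" not in line:
            continue
        name, value = line.split("=", 1)
        params[name.strip().lower()] = value.strip()
    return params

def admin_traced(value):
    """True if the trace list leaves ADMIN output on (DEFAULT includes +ADMIN)."""
    enabled = False
    for item in (i.strip().upper() for i in value.split(",") if i.strip()):
        if item in ("DEFAULT", "ADMIN", "+ADMIN"):
            enabled = True
        elif item == "-ADMIN":
            enabled = False
    return enabled

def audit(text):
    """Return a list of findings; an empty list means every check passed."""
    p = parse_conf(text)
    findings = []
    if p.get("authorization", "disabled").lower() != "enabled":
        findings.append("authorization is not enabled: no permission checks")
    if not p.get("ssl_server_trusted"):
        findings.append("ssl_server_trusted is unset: no X.509 trust source")
    if "log_trace" not in p:
        findings.append("log_trace is not set explicitly")
    elif not admin_traced(p["log_trace"]):
        findings.append("log_trace omits ADMIN: admin operations not audited")
    return findings

if __name__ == "__main__":
    for finding in audit(SAMPLE_CONF):
        print("FINDING:", finding)
```

An unset ssl_server_trusted matters only where X.509 certificate authentication is in use; treat that finding as informational otherwise.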


TIBCO Enterprise Message Service™ User’s Guide
Software Release 4.3, February 2006
Copyright © TIBCO Software Inc. All rights reserved
www.tibco.com