This article describes the steps to set up the EMS for that purpose.
We need:
- a secured topic
- an EMS user
- authorization-enabled EMS
- access control list (acl)
Before you start
Start EMS server.
– simply execute tibemsd.exe in the bin folder of your TIBCO EMS installation (Windows). The default EMS_HOME for a win32 installation is c:\tibco\ems\5.1 for TIBCO EMS 5.1.x.
- %EMS_HOME%\bin\tibemsd.exe -config fullpath_to_your_tibemsd.conf_file
Launch EMS admin console.
In the same directory as tibemsd.exe, execute tibemsadmin.exe.
- %EMS_HOME%\bin\tibemsadmin.exe
Connect to EMS server
– In the TIBCO EMS Administration console, enter the command “connect”. Assuming you have not changed the admin password, login as admin with no password.
Creating a topic and securing it
We will create an EMS topic called FGW.FILEREADY to which the FileGateway will publish its file completion events. Just to add a little security to it, we will secure this topic by allowing only authorized consumers to subscribe, effectively blocking the anonymous consumers.
Enter the following commands into the admin console.
- create topic FGW.FILEREADY secure
To see the newly created topic in the console, enter the following command.
- show topics
Note the ‘+’ sign under the column ‘S’; it indicates the topic is secured.
Enable EMS authorization
The ‘secure’ property of an EMS topic or queue only takes effect if server authorization is enabled. To enable authorization on the EMS server, enter the following command at the admin console.
- set server authorization=enabled
Authorization can also be turned on via the tibemsd.conf file.
- authorization = enabled
A server restart is required if this method is used.
Creating an EMS user
To access secured topics, the JMS consumer needs to provide credentials when subscribing. For that reason we will create a user called “fgwuser” with the password “fgwuser”.
Enter the following commands into the admin console.
- create user fgwuser "FileGateway User" password=fgwuser
Use the following command to list the created user.
- show user fgwuser
Configure the access control list (acl)
The consumer of FGW.FILEREADY topic needs at least the ‘subscribe’ privilege in order to subscribe to the topic. If the consumer intends to become a durable subscriber, it also needs to be given the ‘durable’ privilege. Note that in our scenario, the consumer is not allowed to publish to this topic, hence the absence of ‘publish’ privilege.
Enter the following command into the admin console.
- grant topic FGW.FILEREADY fgwuser subscribe, durable
To inspect the privileges assigned to fgwuser, use the following commands.
- showacl topic FGW.FILEREADY
OR
- showacl user fgwuser
Summary
By now we have configured/created the following:
- A secured EMS topic called FGW.FILEREADY
- An EMS user called fgwuser
- Access control on fgwuser
- EMS server authorization = enabled
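To confirm the configuration from the client side, the following added example (not part of the original article) tries the three cases the ACL distinguishes: an anonymous subscribe, a durable subscribe as fgwuser, and a publish as fgwuser. It assumes the EMS client jars (tibjms.jar and the JMS API jar) are on the classpath and that the server listens on tcp://localhost:7222; the class name, client ID and durable name are made up for the example.

```java
import javax.jms.*;
import com.tibco.tibjms.TibjmsConnectionFactory;

public class FgwAclCheck {
    static final String URL = "tcp://localhost:7222"; // assumption: local server, default port
    static final String TOPIC = "FGW.FILEREADY";
    static final String DURABLE = "fgw-acl-check";    // hypothetical client ID / durable name

    interface Attempt { void run(Session s, Topic t) throws JMSException; }

    // Opens a connection (anonymous when user is null), runs one action,
    // and reports whether the server allowed it or raised a security error.
    static String check(ConnectionFactory cf, String user, String pass, Attempt a) {
        Connection c = null;
        try {
            c = (user == null) ? cf.createConnection() : cf.createConnection(user, pass);
            c.setClientID(DURABLE); // durable subscriptions need a client ID
            Session s = c.createSession(false, Session.AUTO_ACKNOWLEDGE);
            a.run(s, s.createTopic(TOPIC));
            return "allowed";
        } catch (JMSSecurityException e) {
            return "denied: " + e.getMessage();
        } catch (JMSException e) {
            return "error: " + e.getMessage();
        } finally {
            if (c != null) try { c.close(); } catch (JMSException ignored) { }
        }
    }

    public static void main(String[] args) {
        ConnectionFactory cf = new TibjmsConnectionFactory(URL);

        // No credentials: the secured topic should not be reachable this way.
        System.out.println("anonymous subscribe:       " + check(cf, null, null,
            (s, t) -> s.createConsumer(t).close()));

        // 'subscribe' and 'durable' were granted to fgwuser.
        System.out.println("fgwuser durable subscribe: " + check(cf, "fgwuser", "fgwuser",
            (s, t) -> { s.createDurableSubscriber(t, DURABLE).close(); s.unsubscribe(DURABLE); }));

        // 'publish' was deliberately not granted to fgwuser.
        System.out.println("fgwuser publish:           " + check(cf, "fgwuser", "fgwuser",
            (s, t) -> s.createProducer(t).send(s.createTextMessage("acl probe"))));
    }
}
```

If the anonymous or publish attempt reports "allowed", recheck that server authorization is enabled and that `show topics` still marks FGW.FILEREADY as secured.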