Setting Up Access Restrictions

By default, Sybase CEP Server is installed with no access restrictions. To configure access restrictions:

  1. Create an .xml access control list (ACL) file specifying one or more access rules for your Sybase CEP Server.

    See "Creating an ACL File" for more information. The SybaseC8\Server\conf directory contains a sample c8-acl.xml ACL file.

  2. Set the "ACLFile" preference in the "SybaseC8/Security/AccessControl" section of the c8-server.conf file to the full path and name of the ACL file you created in the previous step, for example:
    <section name="SybaseC8/Security">
      ...
      <section name="AccessControl">
         ...
         <preference name="ACLFile" value="C:\ProgramFiles\SybaseC8\Server\conf\myacl.xml"/>
         ...
      </section>
      ...
    </section>

  3. In the c8-server.conf file, add (or uncomment the existing) information that specifies which authentication method you want to use.

    See "Sybase CEP Engine Authentication Plugins" for information about available methods.

  4. Enable the shared secret functionality for any computers in your Sybase CEP Server cluster to which you want to grant connection access.

    A shared secret is a single predefined character string, which you specify for all Sybase CEP Servers in a cluster. The shared secret provides your cluster with an extra measure of security. When you enable this feature, the shared string must be exchanged between any two Sybase CEP Engine computers attempting to establish a connection.

    To enable the shared secret, set the "SharedSecret" preference of the "SybaseC8/Security/AccessControl" section of your c8-server.conf file to your desired shared secret, for example:

    <section name="SybaseC8/Security">
      ...
      <section name="AccessControl">
         ...
         <preference name="SharedSecret" value="sharedsecret123"/>
         ...
      </section>
      ...
    </section>

    The same shared secret string must be specified for all the computers in the cluster.

  5. Once all the computers in your cluster have the shared secret in their c8-server.conf file, enable the shared secret feature in your ACL file by specifying a rule that includes the <SharedSecret/> subject, as explained in "Creating an ACL File".
  6. If you want to change the frequency with which the access control list is reloaded by Sybase CEP Engine, change the "FileReloadIntervalSeconds" preference, located directly under the "ACLFile" preference of the c8-server.conf file, to the desired reload interval.

    The default reload frequency is 30 seconds.

    Note:

    To keep users from bypassing your access restriction policies, either by tampering directly with the ACL file or by redirecting the c8-server.conf file to point to a different ACL file, set file permissions that restrict user access to both the c8-server.conf file and the ACL file to which it points.
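
    The following check for the note above is an added example, not part of the Sybase documentation. It reads the "ACLFile" preference from c8-server.conf and reports whether either file can be modified by group or other users. It assumes a POSIX host; the function names and the <config> root element of the sample file are constructed for illustration.

```python
import os
import stat
import tempfile
import xml.etree.ElementTree as ET

AC_SECTION = "SybaseC8/Security/AccessControl"

def access_control_prefs(conf_path):
    """Return {name: value} for the preferences in the AccessControl section."""
    root = ET.parse(conf_path).getroot()
    for outer in root.iter("section"):
        for inner in outer.findall("section"):
            if f"{outer.get('name')}/{inner.get('name')}" == AC_SECTION:
                return {p.get("name"): p.get("value") for p in inner.findall("preference")}
    return {}

def audit(conf_path):
    """List findings for the ACLFile setting and the permissions of both files."""
    prefs, findings = access_control_prefs(conf_path), []
    acl = prefs.get("ACLFile")
    if not acl:
        findings.append("ACLFile is not set")
    elif not os.path.isabs(acl):
        findings.append("ACLFile is not a full path")
    for path in filter(None, [conf_path, acl]):
        try:
            mode = os.stat(path).st_mode
        except OSError:
            findings.append(f"{path}: cannot stat")
            continue
        # Write access for group or others lets non-owners tamper with the file.
        if mode & (stat.S_IWGRP | stat.S_IWOTH):
            findings.append(f"{path}: writable by group or others")
    return findings

def write_sample(directory, acl_mode):
    """Constructed sample: a conf file (assumed <config> root) and an empty ACL file."""
    acl, conf = os.path.join(directory, "myacl.xml"), os.path.join(directory, "c8-server.conf")
    open(acl, "w").close()
    with open(conf, "w") as f:
        f.write('<config><section name="SybaseC8/Security"><section name="AccessControl">'
                f'<preference name="ACLFile" value="{acl}"/></section></section></config>')
    os.chmod(acl, acl_mode)
    os.chmod(conf, 0o600)
    return conf

if __name__ == "__main__":
    # Demo on the constructed sample with a deliberately over-permissive ACL file.
    print("\n".join(audit(write_sample(tempfile.mkdtemp(), 0o666))) or "no findings")
```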