Managing security controls

You can secure your event endpoints by configuring security controls for your options.

Note: This topic describes how security controls are configured in Event Endpoint Management 11.7.1 and later. If you have 11.7.0, then refer to the controls topic in the 11.6.x documentation.

You specify which of the available authentication methods that you want to use for an event endpoint in the Security controls pane when you are editing an option. In the Security controls pane, you can also specify whether you want subscriptions to require approval.

The authentication methods that are available to secure endpoints are managed by users with the admin role. For more information about configuring the available security controls, see managing event endpoint security.

To access the Security controls pane for an option, follow these steps:

In the navigation pane, click Manage > Topics.
Find the event source that you want to work with in the list, and click the name of the event source.
Click the Options tab.
Click Create option or edit an existing option.
Click Security controls in the left pane. If you are creating a new option, then you must specify a name and alias for the option and click Next to access the Security controls pane.

Approval

If you want to control who can subscribe to your event endpoint, enable Manual approval in the Security controls pane when you are creating or editing the option.

When an option is set up with approval enabled, a viewer must submit a request to subscribe to the option. The request includes a reason to justify the need for a subscription along with the requester’s contact information. The option owner can then approve or reject the request as required.

The owner of an option that requires approval receives notifications in the Event Endpoint Management UI when someone requests access to the events on the topic, and can then approve or reject the request.

When a request is approved, a notification is presented in the Event Endpoint Management UI to the viewer about the approval, and the viewer can create a new subscription.

Note: A viewer can have only one request for a subscription to an option open at a time.

Viewing approval requests for a specific event source

To view approval requests for a specific event source, complete the following steps:

In the navigation pane, click Manage > Topics.
Find the event source that you want to work with in the list, and click the name of the event source.
Click the Manage tab.
Click Requests to see a list of all of the requests made against this event source.
For the request you want to review, click View request. An approval pop-up window appears. All the details about the request including the event source, option, contact details of the requester and the justification for the request are displayed.
Review the information that is provided and click Approve or Reject as required.

Viewing all approval requests

To view all your approval requests, complete the following steps:

In the navigation pane, click Access. The Access requests page is displayed.
All the requests against options that you own are displayed.
For the request you want to review, click View request. An approval pop-up window appears. All the details about the request including the event source, option, contact details of the requester, and the justification for the request are displayed.
Review the information that is provided and click Approve or Reject as required.

Mutual TLS

If you want to control access to your event endpoint with mTLS, you can select an authentication set that includes mTLS when you are configuring the option.

When an option is configured with mTLS authentication, a producer or consumer can connect to the gateway only if they present a valid client certificate.

To configure a security control to use mTLS authentication, you must provide details of valid client TLS certificates. Follow these steps to provide the requirements for the client certificate:

From the Security controls pane, select an authentication set that includes mTLS, then click Configure mutual TLS control.
Specify the requirements for mTLS client certificates in the Mutual TLS requirements pane.

Required properties:
- Trusted CA certificates. Select the box to indicate which CA certificates are trusted:
  - Certificates that you uploaded.
  - Certificates that are uploaded to your organization by admin users.
  - All uploaded certificates.
  If you do not select any box, then the control trusts only certificates that are signed by well-known external certificate authorities.
- Common name. Common name can contain a single wildcard * at any position. For example, if Common name is set to *-domainname, then the control accepts client certificates with the common names of c-domainname or andre-domainname.
Single wildcard * characters are accepted in all text fields.
In the Identifying factor pane, select the client properties that you want to uniquely identify the subscribers with..

Common name is mandatory and cannot be cleared.

Important: Every subscriber must present a unique common name. If the common name you specified in Mutual TLS requirements does not contain a wildcard character, then only a single client can subscribe to your mTLS control.

Updating CA certificates

It is your responsibility to update the CA certificates before they expire. Follow the instructions in managing CA certificates to update your CA certificates.

OAuth2

If you want to use an OAuth2 provider to authenticate a client, then specify a client authentication set that has OAuth2 control in the Security controls pane.

The details of the OAuth 2.0 provider are supplied by users with the admin role when defining an authentication set that has OAuth 2.0 control configured.

SASL credentials

If you want to use generated SASL credentials to authenticate event endpoint users, then select an authentication set that uses SASL credentials in the Security controls pane.

Unique SASL credentials are generated for each subscriber. No additional configuration is required.