TIBCO® Operational Intelligence Hawk® RedTail - Container Edition Security Guidelines Version 7.0.0 November 2020
Copyright © 2020. TIBCO Software Inc. All Rights Reserved.
Contents
TIBCO Documentation and Support Services
Introduction
    Data Ingest and Ingress
    Data Egress
Communication Channels and Their Security Configurations
Certificate Management
    Configuring the Certificates and Keys
    Webapp
    Hawk Console
    Query Node
    Hawk Agent
    Setting up TLS for accessing MySQL
    Prometheus
    Grafana
Other Recommendations
Legal and Third-Party Notices
TIBCO Documentation and Support Services
For information about this product, you can read the documentation, contact TIBCO Support, and join TIBCO Community.
How to Access TIBCO Documentation
Documentation for TIBCO products is available on the TIBCO Product Documentation website, mainly in HTML and PDF formats. The TIBCO Product Documentation website is updated frequently and is more current than any other documentation included with the product. To access the latest documentation, visit https://docs.tibco.com.
Product-Specific Documentation
The following documents for this product can be found on the TIBCO® Operational Intelligence Hawk® RedTail - Container Edition Product Documentation page of the TIBCO Documentation site:
• TIBCO® Operational Intelligence Hawk® RedTail - Container Edition Release Notes
• TIBCO® Operational Intelligence Hawk® RedTail - Container Edition Concepts
• TIBCO® Operational Intelligence Hawk® RedTail - Container Edition Installation, Configuration, and Administration
• TIBCO® Operational Intelligence Hawk® RedTail - Container Edition User Guide
• TIBCO® Operational Intelligence Hawk® RedTail - Container Edition Microagent Reference
• TIBCO® Operational Intelligence Hawk® RedTail - Container Edition Security Guidelines
How to Join TIBCO Community
TIBCO Community is the official channel for TIBCO customers, partners, and employee subject matter experts to share and access their collective experience. TIBCO Community offers access to Q&A forums, product wikis, and best practices. It also offers access to extensions, adapters, solution accelerators, and tools that extend and enable customers to gain full value from TIBCO products. In addition, users can submit and vote on feature requests from within the TIBCO Ideas Portal. For a free registration, go to https://community.tibco.com.
Introduction
This guide provides guidelines to ensure security within the TIBCO® Operational Intelligence Hawk® RedTail - Container Edition and the channels of communication between the TIBCO® OI Hawk® RedTail - Container Edition internal components (that is, Hawk Console, Webapp, Querynode, Hawk Agent, Apache ZooKeeper, Oracle MySQL, and so on) and also the communication channels for external services (for example, LogLogic LMI, LDAP, scraping external metrics, browser users, external scripts for consuming REST API, and so on). The guide also provides additional security-related guidance and recommendations for other aspects of external communication, particularly the details of product connectivity and configuration of security options.
Secure Communication Channels
TIBCO OI Hawk RedTail - Container Edition collects metrics from internal Hawk microagents or external Prometheus metric exporters. It also collects logs from internal components in Kubernetes or Docker and forwards them to TIBCO LogLogic® Log Management Intelligence (LMI) using its Universal Log Data Protocol (ULDP) proprietary protocol. TIBCO OI Hawk RedTail - Container Edition is deployed using popular container orchestration providers such as Kubernetes, OpenShift, and Istio. Most communication for the internal components is limited to Kubernetes. However, typical iPaaS deployments might use external services to connect with Kubernetes clusters as well.
Data Ingest and Ingress
Ingest and ingress of data into TIBCO OI Hawk RedTail - Container Edition is limited to the following items:
• External applications exposing Prometheus metrics scraped by TIBCO OI Hawk RedTail - Container Edition
• Data collected by Hawk agents or microagents
Data Egress
Data can be sent out from TIBCO OI Hawk RedTail - Container Edition in the following ways:
• Universal Lossless Data Protocol (ULDP): A TIBCO proprietary protocol for forwarding logs to LogLogic® LMI
• Hawk alerts, notifications, or emails
Communication Channels and Their Security Configurations
By default, some communication channels are not secure, but they can be made secure by configuring channels and transports to use the Transport Layer Security (TLS) protocol. A notable exception is Apache ZooKeeper, which cannot be secured. Access to ZooKeeper is not protected by any authentication and the communication cannot be secured using TLS/SSL. This is a big security risk and TIBCO recommends that you strictly limit the access to ZooKeeper within the private cluster so that the communication is strictly internal to the RedTail components. Components such as Prometheus and Grafana are inherently nonsecure and access to their ports and APIs must be protected by configuring a reverse proxy with client-side authentication certificates.
Note that failure to secure the communication with client authentication can lead to critical security risks such as unauthorized access to Prometheus time-series metrics or Grafana dashboards.
The following diagram illustrates the components and communication protocols in a typical deployment for TIBCO OI Hawk RedTail - Container Edition.
The following table provides information about the communication channels that can be configured and additional references, where applicable.
| Key | Communication Channel | Connection | Secure? | Description and References | Certificates used | Certificate validated |
|---|---|---|---|---|---|---|
| 1 | Hawk Console REST API | HTTPS | Yes | Provides the REST Service endpoints for creating token, and all of standard Hawk and most of the advanced (RedTail) features | TLS v1.2 Key, Key Password, Cert, Cacert, TLS Ciphers | Used by Webapp and QueryNode with cacert and JWT Token auth. Used by REST API Clients/scripts |
| 2 | WebApp REST API | HTTPS | Yes | User browser communication for UI | TLS v1.2 Key, Key Password, Cert, Cacert, TLS Ciphers | Depends on browser client |
| 3 | Query Node REST API | HTTPS | Yes | Query API for querying time series metrics and Hawk data | TLS v1.2 Key, Key Password, Cert, Cacert, TLS Ciphers | Used by Webapp with cacert and JWT Token auth. Used by REST API Clients/scripts |
| 4 | Zookeeper | API (HTTP) | No | Central configuration management | NA | NA |
| 5 | MySQL | JDBC | Yes | Storage of query metadata and Alerts | TLS: Cacert, cert, key, Username, Password | Mysql connector client needs to connect with username/password and server cert |
| 6 | Prometheus* | HTTP | No | QueryNode interacts with the Prometheus via PromQL queries. | Not secure by default. Must secure using a reverse proxy (explained below) | |
| 7 | Prometheus scraping from Target | HTTPS | Yes | Prometheus target for scraping from HK Console | TLS: Cacert, key with CN, cert | CN name validation at Hawk Console side |
| 8 | Grafana RedTail Datasource | HTTPS | Yes | Use Grafana Datasource to build panels, fetch metric data from Webapp using EQL | JWT Bearer token | Not validated |
| 9 | Grafana* (access from Webapp) | HTTP | No | HTTP redirection to Grafana | Not secure by default. Must secure using a reverse proxy (explained below) | |
| 10 | Hawk Console to Hawk Agent communication | TCP | Yes | via Hawk Console API | TLS Mutual Auth | Validated |
| 11 | Hawk Agent to Microagent communication | TCP | Yes | via Hawk AMI API | TLS Mutual Auth | Validated |
| 12 | ULDP | ULDP | Yes | Log forwarding using ULDP (TLS) | TLS: cacert | Not validated |
| 13 | Webapp to LogLogic LMI remote search | HTTP | Yes | LogLogic LMI v6.3.1 Web API | TLS: cacert | Not validated |
| 14 | Grafana LogLogic Datasource | HTTP | Yes | LogLogic LMI Querynode API | TLS: cacert, Username, Password | Not validated |
| 15 | LDAP for users/groups | LDAP | Yes | Hawk Console support for remote LDAP Auth | TLS: cacert | Not validated |
| 16 | Scrape metrics | HTTPS, Bearer Token | Yes | Hawk Prometheus Microagent scrapes metrics from local/remote Apps/infra | Bearer token, TLS: cacert, key, cert | Validated |
| 17 | Kubernetes Microagent | HTTPS | Yes | Connect via Kubernetes API | | Not validated |
| 18 | Grafana* (access from Hawk Console) | HTTP | No | HTTP redirection to Grafana | Not secure by default. Must secure using a reverse proxy (explained below) | |
| 19 | Querynode to Hawk Console | HTTPS | Yes | Query the microagent data | TLS: cacert, JWT Token | Auth using JWT Token |
(*): The access is not secure by default and should be secured using reverse proxy. This is described in the following sections.
Certificate Management
Certificate Generation
TIBCO OI Hawk RedTail Container Edition provides the ‘build-all.sh’ script to build Docker images for each of the components. The script also generates the necessary certificates and keys at the time of building the images. The script accepts the ‘cert.conf’ configuration file, which has the following configuration properties with the given default values:
cert_validity_days=182
cert_password=changeit
output_file=certinfo.out
For security reasons, you must change the default password. For more information, see the Password Management for Certificates section.
The script generates the certificates and keys at the location:
The following generic details are included in the
Algorithm for Key generation: RSA
Key size: 2048
Key encryption: AES256
cacert
key
certificate (subject=/C=US/ST=California/L=Palo Alto/O=TIBCO/OU=TIBCO OI/CN=TIBCO Hawk RedTail)
mysql-key
mysql-client-key
mysql-client-certificate (subject=/C=US/ST=California/L=Palo Alto/O=TIBCO/OU=TIBCO OI/CN=TIBCO Hawk RedTail)
querynode-client-key
querynode-client-certificate (subject=/C=US/ST=California/L=Palo Alto/O=TIBCO/OU=TIBCO OI/CN=querynode)
prometheus-client-key
prometheus-client-certificate (subject=/C=US/ST=California/L=Palo Alto/O=TIBCO/OU=TIBCO OI/CN=prometheus)
webapp-client-key
webapp-client-certificate (subject=/C=US/ST=California/L=Palo Alto/O=TIBCO/OU=TIBCO OI/CN=TIBCO Hawk RedTail)
1. cacert, certificates and keys are present in all the Hawk RedTail Docker images at /loglogic/conf/certs. These can be configured for appropriate components for convenience, as mentioned in the next section.
2. The password for each of the keys is the same as that configured in the cert.conf file.
Password Management for Certificates
Changing the default password is necessary to ensure security. The product displays reminders at various levels if you do not change the default value:
• A warning is displayed in the certinfo.out file: Warning: Using default password for certificate generation. Please change the cert_password property in
Configuring the Certificates and Keys
You can configure the certificates and keys using environment variables on each node.
All the settings described in the following sections are required for secure deployment of TIBCO OI Hawk RedTail - Container Edition.
Webapp
| Environment Variable | Mandatory | Default Value | Description |
|---|---|---|---|
| REST_TLS_KEY_FILE | Yes | /loglogic/conf/certs/key | TLS key for securing REST API |
| REST_TLS_CERT_FILE | Yes | /loglogic/conf/certs/certificate | TLS certificate for securing REST API |
| REST_TLS_CACERT_FILE | Yes | /loglogic/conf/certs/cacert | TLS cacert for REST API |
| REST_TLS_KEY_ | Yes | | |
| REST_TLS_CIPHERS | Yes | AES128-GCM-SHA256:AES128-SHA256:AES256-GCM-SHA384:AES256-SHA256:ECDH-ECDSA-AES128-GCM-SHA256:ECDH-ECDSA-AES128-SHA:ECDH-ECDSA-AES128-SHA256:ECDH-ECDSA-AES256-GCM-SHA384:ECDH-ECDSA-AES256-SHA:ECDH-ECDSA-AES256-SHA384:ECDH-RSA-AES128-GCM-SHA256:ECDH-RSA-AES128-SHA:ECDH-RSA-AES128-SHA256:ECDH-RSA-AES256-GCM-SHA384:ECDH-RSA-AES256-SHA:ECDH-RSA-AES256-SHA384:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-RSA-AES128-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-RSA-AES256-SHA384 | Ciphers for TLS REST API |
| QUERYNODE_TLS_CACERT_FILE | No | /loglogic/conf/certs/cacert | Server certificate from querynode |
| HAWKCONSOLE_TLS_CACERT_FILE | No | /loglogic/conf/certs/cacert | Server certificate from querynode |
| GRAFANA_TLS_CACERT_FILE | No | /loglogic/conf/certs/cacert | Server certificate from Grafana (if protected by a reverse proxy) |
| TLS_CLIENT_KEY_FILE | No | /loglogic/conf/certs/webapp-client-certificate | Path for webapp client key communication with Grafana (if protected by a reverse proxy) |
| TLS_CLIENT_CERT_FILE | No | /loglogic/conf/certs/webapp-client-certificate | Path of Grafana client certificate communication with Grafana (if protected by a reverse proxy) |
| TLS_CLIENT_ | No | | |
| DATABASE_TLS_ENABLED | No | False | Enable or disable TLS communication with the database |
| DATABASE_TLS_CACERT_FILE | No | /loglogic/conf/certs/cacert | Server certificate from MySQL |
| JWT_VERIFICATION_KEY | No | Extracts out public key of the keypair /loglogic/conf/certs/key | Base64 encoded text of public key of the keypair used in Hawk Console |
Hawk Console
| Environment variable | Mandatory | Default Value | Description |
|---|---|---|---|
| REST_TLS_KEY_FILE | Yes | /loglogic/conf/certs/key | TLS key for securing REST API |
| REST_TLS_CERT_FILE | Yes | /loglogic/conf/certs/certificate | TLS certificate for securing REST API |
| REST_TLS_CACERT_FILE | Yes | /loglogic/conf/certs/cacert | TLS cacert for REST API |
| REST_TLS_KEY_ | Yes | | |
| REST_TLS_CIPHERS | Yes | TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256, TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256, TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA256, TLS_ECDH_RSA_WITH_AES_128_CBC_SHA256, TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256, TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256, TLS_RSA_WITH_AES_128_GCM_SHA256, TLS_ECDH_ECDSA_WITH_AES_128_GCM_SHA256, TLS_ECDH_RSA_WITH_AES_128_GCM_SHA256 | Ciphers for TLS REST API |
| QUERYNODE_TLS_CACERT_FILE | No | /loglogic/conf/certs/cacert | Path to the cacert which signed querynode client certificate |
| PROMETHEUS_TLS_CACERT_FILE | No | /loglogic/conf/certs/cacert | Path to the cacert which signed Prometheus client certificate |
| PROMETHEUS_TLS_CN | No | prometheus | Common name defined in Prometheus certificate |
| GRAFANA_TLS_CACERT_FILE | No | /loglogic/conf/certs/cacert | Server certificate from Grafana (if protected by a reverse proxy) |
| TLS_CLIENT_KEY_FILE | No | /loglogic/conf/certs/key | Path for hawk console client key to communicate with Grafana (if protected by a reverse proxy) |
| TLS_CLIENT_CERT_FILE | No | /loglogic/conf/certs/certificate | Path of hawk console client certificate to communicate with Grafana (if protected by a reverse proxy) |
| TLS_CLIENT_ | No | | |
| datasource_tls_skip_hostname_verification | | | |
| datasource_tls_skip_certificate_verification | | | |
| datasource_tls_cacert_file | No | /loglogic/conf/certs/cacert | Server certificate from MySQL |
| LDAP_TLS_CACERT_FILE | No | - | path to the certificate of LDAP server |
| JWT_SIGNING_KEY_FILE | No | /loglogic/conf/certs/key | Key to sign the JWT token |
| JWT_SIGNING_ | No | | |
Query Node
| Environment variable | Mandatory | Default Value | Description |
|---|---|---|---|
| REST_TLS_KEY_FILE | Yes | /loglogic/conf/certs/key | TLS key for securing REST API |
| REST_TLS_CERT_FILE | Yes | /loglogic/conf/certs/certificate | TLS certificate for securing REST API |
| REST_TLS_CACERT_FILE | Yes | /loglogic/conf/certs/cacert | TLS cacert for REST API |
| REST_TLS_KEY_ | Yes | | |
| REST_TLS_CIPHERS | Yes | TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256, TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256, TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA256, TLS_ECDH_RSA_WITH_AES_128_CBC_SHA256, TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256, TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256, TLS_RSA_WITH_AES_128_GCM_SHA256, TLS_ECDH_ECDSA_WITH_AES_128_GCM_SHA256, TLS_ECDH_RSA_WITH_AES_128_GCM_SHA256 | Ciphers for TLS REST API |
| PROMETHEUS_SERVER_TLS_ENABLED | No | False | Enable TLS communication with Prometheus (if protected by a reverse proxy) |
| PROMETHEUS_TLS_CACERT_FILE | No | /loglogic/conf/certs/cacert | Path to the CA cert of Prometheus (if protected by a reverse proxy) |
| HAWKCONSOLE_TLS_CACERT_FILE | No | /loglogic/conf/certs/cacert | Path to Hawk Console CA certificate |
| TLS_CLIENT_KEY_FILE | No | /loglogic/conf/certs/querynode-client-key | Path to querynode client key to communicate with Hawk Console |
| TLS_CLIENT_CERT_FILE | No | /loglogic/conf/certs/querynode-client-certificate | Path to querynode client certificate to communicate with Hawk Console |
| TLS_CLIENT_ | No | | |
| JWT_VERIFICATION_KEY | No | Extracts out public key of the keypair /loglogic/conf/certs/key | base64 encoded text of public key of the keypair used in Hawk Console |
Hawk Agent
Environment Variables for TCP Transport TLS Configuration
| Environment variable | Mandatory | Default Value | Description |
|---|---|---|---|
| tcp_key_store | No | None | Path of the key store file |
| tcp_trust_store | No | None | Path of the trust store file |
| tcp_key_store_password | No | None | Password for the key store file |
| tcp_key_password | No | None | Encrypted key password |
| tcp_trust_store_password | No | None | Password for the trust store file |
| tcp_ssl_protocol | No | TLSv1.2 | Protocol for a secure connection |
| tcp_enabled_algorithms | No | TLS_RSA_WITH_AES_128_CBC_SHA | Algorithm to be used for the security protocol. You can specify multiple algorithms as comma-separated list without space. |
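The default cipher lists in the Webapp, Hawk Console, Query Node and Hawk Agent tables mix ephemeral ECDHE suites with static ECDH and RSA key exchange and with CBC suites. The following shell function is an added example, not TIBCO code or a TIBCO recommendation: it narrows such a value to the ECDHE suites that use AES-GCM and refuses to return an empty list. The function name and the ECDHE-with-GCM policy are assumptions of this example; the suite names are the defaults listed above.

```shell
#!/bin/sh
# Added example (not TIBCO code): narrow a cipher list to suites that combine
# ephemeral ECDHE key exchange with AES-GCM. The function name and the policy
# are assumptions of this example.

# narrow_ciphers LIST
#   LIST is colon-separated OpenSSL names (Webapp) or comma-separated IANA
#   names (Hawk Console, Query Node, Hawk Agent). Prints the narrowed list
#   with the same separator. Returns 1 and prints nothing if no suite is left.
narrow_ciphers() {
    case $1 in
        *,*) sep=, ;;
        *)   sep=: ;;
    esac
    kept=
    old_ifs=$IFS
    IFS=$sep
    set -f                          # no globbing while the list is split
    for suite in $1; do
        # Remove whitespace left behind by line wraps in copied values.
        suite=$(printf '%s' "$suite" | tr -d ' \t\r\n')
        case $suite in
            ECDHE-*-GCM-* | TLS_ECDHE_*_GCM_*) kept=${kept:+$kept$sep}$suite ;;
        esac
    done
    set +f
    IFS=$old_ifs
    [ -n "$kept" ] || return 1
    printf '%s\n' "$kept"
}

# Default REST_TLS_CIPHERS value from the Hawk Console and Query Node tables.
HAWK_DEFAULT='TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256,
TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256,
TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA256,
TLS_ECDH_RSA_WITH_AES_128_CBC_SHA256,
TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,
TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,
TLS_RSA_WITH_AES_128_GCM_SHA256,
TLS_ECDH_ECDSA_WITH_AES_128_GCM_SHA256,
TLS_ECDH_RSA_WITH_AES_128_GCM_SHA256'

echo "REST_TLS_CIPHERS=$(narrow_ciphers "$HAWK_DEFAULT")"

# Hawk Agent default for tcp_enabled_algorithms: nothing is left after
# narrowing, so the value is reported for manual review instead of being
# replaced by an empty list.
narrow_ciphers 'TLS_RSA_WITH_AES_128_CBC_SHA' ||
    echo "tcp_enabled_algorithms: no ECDHE suite with GCM in the list; value left unchanged" >&2
```

Confirm that every client of the endpoint supports the remaining suites before deploying the narrowed value.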
Setting up TLS for accessing MySQL
You need to configure a "special" config file within MySQL: /etc/my.cnf. You can create a new configuration with the following content and map it to /etc/my.cnf:
[mysqld]
require_secure_transport=ON
# Configure certificates
ssl-ca=/etc/certs/my-ca.pem
ssl-cert=/etc/certs/my-server-cert.pem
ssl-key=/etc/certs/my-server-key.pem
You can configure the CA certificate and key for TLS by mapping the volume:
- ../build-images/build-context/loglogic/conf/certs/cacert:/etc/certs/my-ca.pem:ro
- ../build-images/build-context/loglogic/conf/certs/certificate:/etc/certs/my-server-cert.pem:ro
- ../build-images/build-context/loglogic/conf/certs/mysql-key:/etc/certs/my-server-key.pem:ro
- ../config/mysql/my.cnf:/etc/my.cnf:ro
The key used for TLS must be non-passphrase protected.
Prometheus
By default, Prometheus does not provide any TLS communication to access its REST API. You can configure a reverse proxy such as nginx with client authentication to provide secure access via other components like Query Node. To configure a TLS protected reverse proxy, follow these guidelines:
1. Generate a self-signed certificate and private key for SSL configuration.
2. Provide the mutual authentication by configuring the generated cacert at querynode and client authentication for querynode’s client certificate.
3. Edit nginx.conf and append the server tag inside the existing http tag.
http {
    server {
        listen 443 ssl;
        server_name mynginx;
        ssl_certificate /etc/nginx/certs/mynginx.crt;
        ssl_certificate_key /etc/nginx/certs/mynginx.key;
        location / {
            proxy_pass http://
        }
    }
}
Recommendations for deploying the reverse proxy (nginx) on Kubernetes along with OI Hawk RedTail Container Edition components
• Create a service for nginx.
• Set nginx as a sidecar container for the Prometheus StatefulSet so that the communication between nginx and Prometheus can be within the pod.
• Set the Prometheus server to listen on 127.0.0.1 so that it cannot be reached from outside the pod (add this as an additional argument): --web.listen-address=127.0.0.1:9090
• In the nginx configuration file, use 127.0.0.1:9090 as the proxy pass.
Grafana
By default, Grafana does not provide any TLS communication via mutual authentication to access its REST API. You can configure a reverse proxy such as nginx with client authentication to provide secure access via other components like Hawk Console and Webapp Nodes. The reverse proxy configuration should be very similar to that of Prometheus in section 6 above. It should protect the Grafana port 3000.
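The server block shown in the Prometheus section carries no client-authentication directives, although the steps there and the Grafana paragraph both call for client authentication. The following shell script is an added example, not TIBCO code: it renders a server block that requires a client certificate for either proxy and checks an nginx configuration for that enforcement. The CA path /etc/nginx/certs/cacert, the CN pin, Grafana listening on 127.0.0.1:3000 next to its proxy, and the function names are assumptions.

```shell
#!/bin/sh
# Added example (not TIBCO code). Assumptions: CA path /etc/nginx/certs/cacert,
# the CN pin, Grafana reachable on 127.0.0.1:3000, and the function names.

# render_proxy_conf UPSTREAM CLIENT_CN
# Prints a server block that proxies only requests from clients presenting a
# certificate signed by the configured CA and carrying the expected CN.
# $ssl_client_s_dn is comma-separated (RFC 2253) in nginx 1.11.6 and later.
render_proxy_conf() {
    cat <<EOF
server {
    listen 443 ssl;
    server_name mynginx;
    ssl_protocols TLSv1.2;
    ssl_certificate     /etc/nginx/certs/mynginx.crt;
    ssl_certificate_key /etc/nginx/certs/mynginx.key;

    # Mutual TLS: requests without a certificate signed by this CA are rejected.
    ssl_client_certificate /etc/nginx/certs/cacert;
    ssl_verify_client on;

    location / {
        # One CA may sign several component certificates, so pin the CN too.
        if (\$ssl_client_s_dn !~ "(^|,)CN=$2(,|\$)") { return 403; }
        proxy_pass http://$1;
    }
}
EOF
}

# conf_has REGEX: true if the comment-stripped config in $conf matches REGEX.
conf_has() { printf '%s\n' "$conf" | grep -Eq "$1"; }

# check_mtls FILE UPSTREAM
# Prints one FAIL line per missing control; returns 0 only if none is missing.
check_mtls() {
    # Drop comments so a commented-out directive is not counted as active.
    conf=$(sed 's/#.*//' "$1")
    rc=0
    conf_has "^[[:space:]]*ssl_verify_client[[:space:]]+on[[:space:]]*;" || {
        echo "FAIL: ssl_verify_client is not 'on' (off/optional admit clients without a valid certificate)"
        rc=1
    }
    conf_has "^[[:space:]]*ssl_client_certificate[[:space:]]+[^;[:space:]]+[[:space:]]*;" || {
        echo "FAIL: no ssl_client_certificate CA bundle is configured"
        rc=1
    }
    conf_has "proxy_pass[[:space:]]+http://$2[[:space:]]*;" || {
        echo "FAIL: proxy_pass does not point at $2"
        rc=1
    }
    return $rc
}

demo=$(mktemp)
# Prometheus proxy: only the Query Node client certificate (CN=querynode).
render_proxy_conf 127.0.0.1:9090 querynode > "$demo"
check_mtls "$demo" 127.0.0.1:9090 && echo "PASS: Prometheus proxy requires a client certificate"
# Grafana proxy: the Webapp client certificate listed above has this CN.
render_proxy_conf 127.0.0.1:3000 "TIBCO Hawk RedTail" > "$demo"
check_mtls "$demo" 127.0.0.1:3000 && echo "PASS: Grafana proxy requires a client certificate"
rm -f "$demo"
```

The rendered block belongs inside the existing http block of nginx.conf; Query Node then needs PROMETHEUS_SERVER_TLS_ENABLED and its TLS_CLIENT_* variables set as listed in the Query Node table.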
Other Recommendations
This section provides some recommendations to secure other aspects of communication when using TIBCO OI Hawk RedTail - Container Edition.
General Security Environment
TIBCO OI Hawk RedTail - Container Edition is expected to run within a secured, container orchestrated environment such as Kubernetes on-premises or in cloud environments (for example, AWS EKS, Azure AKS or Google Cloud GKE). Most of the communication between the components is internal within the Kubernetes or Docker cluster. The administrator has a choice to secure some of the internal communication. However, all the external communication (that is, the API, Data Ingest, Ingress and Egress channels) must be secured.
The JWT validity period must be as short as possible. The default is 5 hours. You can change it by configuring the JWT_TTL environment variable in Hawk Console.
Data Persistence
Zookeeper, MySQL Database, Hawk Console, Prometheus, and Grafana data should be persisted using Kubernetes Persistent Volume Claims (PVCs) or Docker Volumes depending on the choice of the deployment. Here is a list of nodes and their persistence requirements:
| Component Name | Is persistence volume required | Data path |
|---|---|---|
| Zookeeper | Yes | /data/zk |
| Mysql | Yes | /var/lib/mysql |
| Hawk Console | Yes | /loglogic/logu/hawkconsolenode/repo |
| Hawk Agent | Yes | /loglogic/logu/hkceagent/plugin/hawkuc/data/resources/config |
| Query Node | No | - |
| Prometheus | Yes | /prometheus |
| Webapp | No | - |
| Grafana | Yes | /var/lib/grafana |
Exposing Ports via Load Balancer
Webapp default port 9680 must be exposed via a load balancer. You can expose Hawk Console default port 9687 and Querynode default port 9681 for scripts and clients to access the REST API.
Legal and Third-Party Notices
SOME TIBCO SOFTWARE EMBEDS OR BUNDLES OTHER TIBCO SOFTWARE. USE OF SUCH EMBEDDED OR BUNDLED TIBCO SOFTWARE IS SOLELY TO ENABLE THE FUNCTIONALITY (OR PROVIDE LIMITED ADD-ON FUNCTIONALITY) OF THE LICENSED TIBCO SOFTWARE. THE EMBEDDED OR BUNDLED SOFTWARE IS NOT LICENSED TO BE USED OR ACCESSED BY ANY OTHER TIBCO SOFTWARE OR FOR ANY OTHER PURPOSE.
USE OF TIBCO SOFTWARE AND THIS DOCUMENT IS SUBJECT TO THE TERMS AND CONDITIONS OF A LICENSE AGREEMENT FOUND IN EITHER A SEPARATELY EXECUTED SOFTWARE LICENSE AGREEMENT, OR, IF THERE IS NO SUCH SEPARATE AGREEMENT, THE CLICKWRAP END USER LICENSE AGREEMENT WHICH IS DISPLAYED DURING DOWNLOAD OR INSTALLATION OF THE SOFTWARE (AND WHICH IS DUPLICATED IN THE LICENSE FILE) OR IF THERE IS NO SUCH SOFTWARE LICENSE AGREEMENT OR CLICKWRAP END USER LICENSE AGREEMENT, THE LICENSE(S) LOCATED IN THE “LICENSE” FILE(S) OF THE SOFTWARE. USE OF THIS DOCUMENT IS SUBJECT TO THOSE TERMS AND CONDITIONS, AND YOUR USE HEREOF SHALL CONSTITUTE ACCEPTANCE OF AND AN AGREEMENT TO BE BOUND BY THE SAME.
This document is subject to U.S. and international copyright laws and treaties. No part of this document may be reproduced in any form without the written authorization of TIBCO Software Inc.
TIBCO, the TIBCO logo, the TIBCO O logo, TIB, Information Bus, Hawk, LogLogic, Rendezvous, and TIBCO BusinessWorks are either registered trademarks or trademarks of TIBCO Software Inc. in the United States and/or other countries.
Java and all Java based trademarks and logos are trademarks or registered trademarks of Oracle Corporation and/or its affiliates.
This document includes fonts that are licensed under the SIL Open Font License, Version 1.1, which is available at: https://scripts.sil.org/OFL Copyright (c) Paul D. Hunt, with Reserved Font Name Source Sans Pro and Source Code Pro.
All other product and company names and marks mentioned in this document are the property of their respective owners and are mentioned for identification purposes only.
This software may be available on multiple operating systems. However, not all operating system platforms for a specific software version are released at the same time. See the readme file for the availability of this software version on a specific operating system platform.
THIS DOCUMENT IS PROVIDED “AS IS” WITHOUT WARRANTY OF ANY KIND, EITHER EXPRESS OR IMPLIED, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE, OR NON-INFRINGEMENT.
THIS DOCUMENT COULD INCLUDE TECHNICAL INACCURACIES OR TYPOGRAPHICAL ERRORS. CHANGES ARE PERIODICALLY ADDED TO THE INFORMATION HEREIN; THESE CHANGES WILL BE INCORPORATED IN NEW EDITIONS OF THIS DOCUMENT. TIBCO SOFTWARE INC. MAY MAKE IMPROVEMENTS AND/OR CHANGES IN THE PRODUCT(S) AND/OR THE PROGRAM(S) DESCRIBED IN THIS DOCUMENT AT ANY TIME.
THE CONTENTS OF THIS DOCUMENT MAY BE MODIFIED AND/OR QUALIFIED, DIRECTLY OR INDIRECTLY, BY OTHER DOCUMENTATION WHICH ACCOMPANIES THIS SOFTWARE, INCLUDING BUT NOT LIMITED TO ANY RELEASE NOTES AND "READ ME" FILES.
This and other products of TIBCO Software Inc. may be covered by registered patents. Please refer to TIBCO's Virtual Patent Marking document (https://www.tibco.com/patents) for details. Copyright © 2020. TIBCO Software Inc. All Rights Reserved.