Restricting Clients to Specified Servers (Optional)
By default, a client is not restricted to authenticating against a specific set of servers when responding to REST requests. However, you can explicitly list the servers that a client can respond to by using the securityServiceLocation attribute of the <managementRESTService> element in the Ehcache configuration.
When this attribute is empty (or missing), no such restriction exists and the client will authenticate against any server in the cluster that meets the established security requirements. This is the recommended setting because SSL connections and the mechanism for authentication and authorization provide sufficient security.
If the client's REST service requires an extra layer of security, you can configure a list of allowed servers as follows:
<managementRESTService ...
    securityServiceLocation="https://my-l2-node1/tmc/api/assertIdentity,
                             https://my-l2-node2/tmc/api/assertIdentity">
where my-l2-node1 and my-l2-node2 are the servers' hostnames. However, any of the servers in a client's cluster can forward a REST request to that client at any time. Therefore, if this feature is used, all the servers should be listed.
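Because a server left off the list can still forward a REST request to the client, it helps to check the attribute against the cluster's actual server list. The following is an added example, not part of the product documentation: the function names and the sample configuration are hypothetical, and it assumes the attribute holds a comma-separated list of HTTPS URLs as shown above.

```python
import xml.etree.ElementTree as ET
from urllib.parse import urlsplit

# Constructed sample config; hostnames are the page's placeholder names.
SAMPLE_EHCACHE_XML = """\
<ehcache name="demo">
  <managementRESTService enabled="true"
      securityServiceLocation=" https://my-l2-node1/tmc/api/assertIdentity ,
                                https://my-l2-node2/tmc/api/assertIdentity "/>
</ehcache>
"""


def allowed_servers(ehcache_xml):
    """Return the URLs listed in securityServiceLocation ([] means unrestricted)."""
    for elem in ET.fromstring(ehcache_xml).iter():
        # Compare the local name so a namespaced config is handled too.
        if elem.tag.rsplit("}", 1)[-1] == "managementRESTService":
            raw = elem.get("securityServiceLocation", "")
            return [u.strip() for u in raw.split(",") if u.strip()]
    return []


def audit(ehcache_xml, cluster_hosts):
    """Return findings for a restricted client; [] if consistent or unrestricted."""
    urls = allowed_servers(ehcache_xml)
    if not urls:
        return []  # empty or missing attribute: the default, unrestricted setting
    findings, listed = [], set()
    for url in urls:
        parts = urlsplit(url)
        if parts.scheme.lower() != "https":
            findings.append(f"not https: {url}")
        if parts.hostname:
            listed.add(parts.hostname.lower())
        else:
            findings.append(f"no hostname: {url}")
    expected = {h.lower() for h in cluster_hosts}
    # Every server in the cluster must be listed, or its requests are refused.
    findings += [f"missing server: {h}" for h in sorted(expected - listed)]
    findings += [f"not a cluster server: {h}" for h in sorted(listed - expected)]
    return findings


if __name__ == "__main__":
    hosts = ["my-l2-node1", "my-l2-node2", "my-l2-node3"]  # constructed cluster list
    for line in audit(SAMPLE_EHCACHE_XML, hosts):
        print(line)
```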