How to customize HTTPS certificate for TIBCO Activation Service on Linux?


Article ID: KB0137989

Products Versions
TIBCO Activation Service 1.0.0, 1.1.x

Description

Table of Contents:

  • Prerequisites

  • Configuration for Linux Systems

    • Prepare Custom Certificate
    • Locate Server Directory and Move Certificate
    • Configure local-configuration.yaml

  • Start TIBCO Activation Service and Verify

  • Test Connectivity from Client

 

Prerequisites

  • TIBCO Activation Service (specifically the flexnetls-osp.service on Linux) must be installed.
    ---------------------------------------------
    [diksha_gosavi@gasdseudiksha02 ~]$ systemctl list-unit-files | grep flexnetls-osp
    flexnetls-osp.service                      enabled
    ---------------------------------------------

  • Appropriate administrative privileges (sudo on Linux) are required for all commands and file modifications.
    ---------------------------------------------
    [diksha_gosavi@gasdseudiksha02 ~]$ sudo -l -U diksha_gosavi
    [sudo] password for diksha_gosavi:
    Matching Defaults entries for diksha_gosavi on gasdseudiksha02:
        root_sudo, !visiblepw, always_set_home, match_group_by_gid, always_query_group_plugin, env_reset,
        env_keep="COLORS DISPLAY HOSTNAME HISTSIZE KDEDIR LS_COLORS", env_keep+="MAIL PS1 PS2 QTDIR USERNAME
        LANG LC_ADDRESS LC_CTYPE", env_keep+="LC_COLLATE LC_IDENTIFICATION LC_MEASUREMENT LC_MESSAGES",
        env_keep+="LC_MONETARY LC_NAME LC_NUMERIC LC_PAPER LC_TELEPHONE", env_keep+="LC_TIME LC_ALL LANGUAGE
        LINGUAS _XKB_CHARSET XAUTHORITY", secure_path=/sbin\:/bin\:/usr/sbin\:/usr/bin

    User diksha_gosavi may run the following commands on gasdseudiksha02:
        (root) ALL
    ---------------------------------------------

  • Java 17 (OpenJDK or Oracle JDK) must be installed on the server where TIBCO Activation Service resides.
    ---------------------------------------------
    [diksha_gosavi@gasdseudiksha02 ~]$ java -version
    openjdk version "17.0.16" 2025-07-15 LTS
    OpenJDK Runtime Environment (Red_Hat-17.0.16.0.8-1) (build 17.0.16+8-LTS)
    OpenJDK 64-Bit Server VM (Red_Hat-17.0.16.0.8-1) (build 17.0.16+8-LTS, mixed mode, sharing)
    ---------------------------------------------

  • Optional: For client testing, a compatible curl executable is required (e.g., curl.exe on Windows, curl on Linux/macOS). [Example for Testing on Windows]
    ---------------------------------------------
    C:\>curl --version
    curl 8.13.0 (Windows) libcurl/8.13.0 Schannel zlib/1.3.1 WinIDN
    Release-Date: 2025-04-02
    Protocols: dict file ftp ftps http https imap imaps ipfs ipns mqtt pop3 pop3s smb smbs smtp smtps telnet tftp ws wss
    Features: alt-svc AsynchDNS HSTS HTTPS-proxy IDN IPv6 Kerberos Largefile libz NTLM SPNEGO SSL SSPI threadsafe Unicode UnixSockets
    ---------------------------------------------

 

Configuration for Linux Systems

1. Prepare Custom Certificate

This process involves generating a new PKCS#12 certificate (.p12 file) that incorporates your custom hostname. For production deployments, it is highly recommended to obtain a certificate signed by a trusted Certificate Authority (CA) and import it into a PKCS#12 format keystore.


Step (a): Stop the Service

---------------------------------------------
[diksha_gosavi@gasdseudiksha02 ~]$ sudo systemctl stop flexnetls-osp

[diksha_gosavi@gasdseudiksha02 ~]$ sudo systemctl status flexnetls-osp

● flexnetls-osp.service - FlexnetLS Local License Server for osp.
   Loaded: loaded (/etc/systemd/system/flexnetls-osp.service; enabled; vendor preset: disabled)
  Drop-In: /etc/systemd/system/flexnetls-osp.service.d
           └─flexnetls.conf, override.conf
   Active: inactive (dead) since Thu 2025-09-25 10:06:18 UTC; 10s ago
  Process: 74390 ExecStop=/usr/lib/jvm/java-17-openjdk-17.0.16.0.8-2.el8.x86_64/bin/java $DEFINES -jar fle>
  Process: 53769 ExecStart=/usr/lib/jvm/java-17-openjdk-17.0.16.0.8-2.el8.x86_64/bin/java $JVMOPTS $DEFINE>
  Process: 53767 ExecStartPre=/bin/chmod g+s ${DATA_DIR} /var/log/tibco/tib-lm (code=exited, status=0/SUCC>
  Process: 53765 ExecStartPre=/bin/chmod g+w ${DATA_DIR} /var/log/tibco/tib-lm (code=exited, status=0/SUCC>
  Process: 53763 ExecStartPre=/bin/chown -R ${FNLS_USER}:${FNLS_GROUP} ${DATA_DIR} /var/log/tibco/tib-lm (>
  Process: 53761 ExecStartPre=/bin/mkdir -p ${DATA_DIR} /var/log/tibco/tib-lm (code=exited, status=0/SUCCE>
 Main PID: 53769 (code=exited, status=143)

Sep 24 13:22:44 gasdseudiksha02 systemd[1]: Starting FlexnetLS Local License Server for osp....
Sep 24 13:22:44 gasdseudiksha02 systemd[1]: Started FlexnetLS Local License Server for osp..
Sep 25 10:06:14 gasdseudiksha02 systemd[1]: Stopping FlexnetLS Local License Server for osp....
Sep 25 10:06:17 gasdseudiksha02 flexnetls-osp[74390]: 10:06:17.679 ERROR - java.security.NoSuchAlgorithmEx>
Sep 25 10:06:17 gasdseudiksha02 flexnetls-osp[74390]: 2025-09-25T10:06:17,907Z ERROR - Required HTTP (0) o>
Sep 25 10:06:17 gasdseudiksha02 flexnetls-osp[74390]: 2025-09-25T10:06:17,907Z ERROR - Shutting down due t>
Sep 25 10:06:18 gasdseudiksha02 systemd[1]: flexnetls-osp.service: Succeeded.
Sep 25 10:06:18 gasdseudiksha02 systemd[1]: Stopped FlexnetLS Local License Server for osp..
---------------------------------------------

This ensures the service is stopped cleanly before making configuration changes.

 

Step (b): Navigate to a Temporary Directory for Certificate creation

----------------------------------------------
[diksha_gosavi@gasdseudiksha02 ~]$ cd /tmp


[diksha_gosavi@gasdseudiksha02 tmp]$ ls -lrt

total 4480
-r-xr--r-- 1 tibactivate tibactivate               4581312 Apr 24 14:24  llsnc-2024.11.0-2794-amd64-libconnector.so
-rwxrwxrwx 1 tibactivate tibactivate                     0 Apr 24 14:24 'fne.Q0U2NTRFQUYtMjEyMi00OTBmLUIzNTItNDBDQTE3MTgzQzQ2LW9zcA=='
-rw-r--r-- 1 root        root                           72 Sep 16 11:19  lua_5hSFjc
drwx------ 3 root        root                           17 Sep 22 12:03  systemd-private-2ea8a2b0aa894e32bda7fb2d3f4a0643-chronyd.service-Nii6jo
drwx------ 2 root        root                            6 Sep 22 12:03  pymp-4cnej4ew
srw------- 1 root        root                            0 Sep 22 12:06  nmh_msg_bus.sock
drwxrwxrwx 2 diksha_gosavi    svc_dev_seu_server_admins      22 Sep 24 12:21  tibco
drwxr-xr-x 2 diksha_gosavi    svc_dev_seu_server_admins       6 Sep 25 10:05  hsperfdata_diksha_gosavi
drwxr-xr-x 2 root        root                            6 Sep 25 10:06  hsperfdata_root
drwxr-xr-x 2 tibactivate tibactivate                     6 Sep 25 10:06  hsperfdata_tibactivate
----------------------------------------------

 

Step (c): Generate Self-Signed Certificate

Execute the keytool command. Replace [Custom_Hostname] with your desired hostname and [Keystore_Password] with your chosen keystore password.
keytool -genkeypair -ext san=dns:[Custom_Hostname] -storetype PKCS12 -keystore custom_server.p12 -storepass [Keystore_Password] -alias custom_alias -keyalg RSA -keysize 2048 -validity 365 -dname "CN=[Custom_Hostname], OU=IT, O=YourCompany, L=YourCity, ST=YourState, C=YourCountry"

Example for custom-hostname.com and custom-pass:
-----------------------------------------------
[diksha_gosavi@gasdseudiksha02 tmp]$ keytool -genkeypair -ext san=dns:custom-hostname.com -storetype PKCS12 -keystore custom-server.p12 -storepass custom-pass -alias custom-alias -keyalg RSA -keysize 2048 -validity 365 -dname "CN=custom-hostname.com, OU=IT, O=MyCompany, L=Anytown, ST=AnyState, C=US"
Generating 2,048 bit RSA key pair and self-signed certificate (SHA256withRSA) with a validity of 365 days
        for: CN=custom-hostname.com, OU=IT, O=MyCompany, L=Anytown, ST=AnyState, C=US

[diksha_gosavi@gasdseudiksha02 tmp]$ ls -lrt
total 4484
-r-xr--r-- 1 tibactivate tibactivate               4581312 Apr 24 14:24  llsnc-2024.11.0-2794-amd64-libconnector.so
-rwxrwxrwx 1 tibactivate tibactivate                     0 Apr 24 14:24 'fne.Q0U2NTRFQUYtMjEyMi00OTBmLUIzNTItNDBDQTE3MTgzQzQ2LW9zcA=='
-rw-r--r-- 1 root        root                           72 Sep 16 11:19  lua_5hSFjc
drwx------ 3 root        root                           17 Sep 22 12:03  systemd-private-2ea8a2b0aa894e32bda7fb2d3f4a0643-chronyd.service-Nii6jo
drwx------ 2 root        root                            6 Sep 22 12:03  pymp-4cnej4ew
srw------- 1 root        root                            0 Sep 22 12:06  nmh_msg_bus.sock
drwxrwxrwx 2 diksha_gosavi    svc_dev_seu_server_admins      22 Sep 24 12:21  tibco
drwxr-xr-x 2 root        root                            6 Sep 25 10:06  hsperfdata_root
drwxr-xr-x 2 tibactivate tibactivate                     6 Sep 25 10:06  hsperfdata_tibactivate
-rw-r--r-- 1 diksha_gosavi    svc_dev_seu_server_admins    2804 Sep 25 10:12  custom-server.p12
drwxr-xr-x 2 diksha_gosavi    svc_dev_seu_server_admins       6 Sep 25 10:12  hsperfdata_diksha_gosavi
[diksha_gosavi@gasdseudiksha02 tmp]$
-----------------------------------------------

 

2. Locate Server Directory and Move the Certificate

The local-configuration.yaml file and flexnetls.jar are typically co-located in the server's installation directory.

Step (a): Verify Server Directory

-----------------------------------------------
[diksha_gosavi@gasdseudiksha02 tmp]$ ls -l /usr/libexec/tib-lm/server/flexnetls.jar
-rwxr-xr-x 1 tibactivate tibactivate 101865067 Feb 18  2025 /usr/libexec/tib-lm/server/flexnetls.jar
-----------------------------------------------

 

Step (b): Move the Custom Certificate to Server Directory

sudo mv /path-to-temp/custom_server.p12 /usr/libexec/tib-lm/server/

Example for /tmp/custom-server.p12:
-----------------------------------------------
[diksha_gosavi@gasdseudiksha02 tmp]$ sudo mv /tmp/custom-server.p12 /usr/libexec/tib-lm/server/
[sudo] password for diksha_gosavi:
-----------------------------------------------

 

Step (c): Navigate to Server Directory

-----------------------------------------------
[diksha_gosavi@gasdseudiksha02 tmp]$ cd /usr/libexec/tib-lm/server
-----------------------------------------------

 

Step (d): Set Proper Ownership and Permission

-------------------------------------------------------
[diksha_gosavi@gasdseudiksha02 server]$ sudo chown tibactivate:tibactivate custom-server.p12

[diksha_gosavi@gasdseudiksha02 server]$ sudo chmod 600 custom-server.p12

[diksha_gosavi@gasdseudiksha02 server]$ ls -lrt

total 99544
-rwxr-xr-x 1 tibactivate tibactivate      5627 Feb 18  2025 install-systemd.sh
-rwxr-xr-x 1 tibactivate tibactivate     15797 Feb 18  2025 install-functions.sh
-rw-r--r-- 1 tibactivate tibactivate 101865067 Feb 18  2025 flexnetls.jar
-rw-r--r-- 1 tibactivate tibactivate     27184 Feb 18  2025 producer-settings.xml
-rw------- 1 tibactivate tibactivate      1288 Apr 24 14:23 license-server.p12
-rw-r----- 1 tibactivate tibactivate      2310 Sep 23 14:42 local-configuration.yaml
-rw------- 1 tibactivate tibactivate      2804 Sep 25 10:12 custom-server.p12

-------------------------------------------------------

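Step (e): Obfuscate the Keystore Password

-------------------------------------------------------
$ sudo java -jar /usr/libexec/tib-lm/server/flexnetls.jar -password custom-pass
custom-pass => OBF:1vfz1z0h1v2p1y831k1t1w8v1jy51y7v1v1p1z0d1vgv
-------------------------------------------------------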
 

3. Configure local-configuration.yaml

This file defines the local settings for TIBCO Activation Service.

Step (a): Edit Configuration File

-------------------------------------------------------
[diksha_gosavi@gasdseudiksha02 server]$ sudo vi local-configuration.yaml
-------------------------------------------------------



Step (b): Update the https-in Section:

Modify the configuration to enable HTTPS, specify your chosen port, link to your new certificate, and provide its password. 

The following changes are made:
-------------------------------
https-in:
  enabled: true
  port: 7090
  keystore-path: custom-server.p12
  keystore-password: OBF:1vfz1z0h1v2p1y831k1t1w8v1jy51y7v1v1p1z0d1vgv
  tlsCipherSuites: MODERN
-------------------------------


Step (c): Save the changes


Step (d): Set Configuration File Permissions:

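The TIBCO Activation Service user (e.g., tibactivate) must own the file, and its permissions must be restrictive for security. The example below applies chmod 640 (owner read/write, group read); chmod 600 is stricter and limits access to the owner alone.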

-----------------------------------
[diksha_gosavi@gasdseudiksha02 server]$ sudo chown tibactivate:tibactivate local-configuration.yaml

[diksha_gosavi@gasdseudiksha02 server]$ sudo chmod 640 local-configuration.yaml

[diksha_gosavi@gasdseudiksha02 server]$ ls -lrt

total 99544
-rwxr-xr-x 1 tibactivate tibactivate      5627 Feb 18  2025 install-systemd.sh
-rwxr-xr-x 1 tibactivate tibactivate     15797 Feb 18  2025 install-functions.sh
-rw-r--r-- 1 tibactivate tibactivate 101865067 Feb 18  2025 flexnetls.jar
-rw-r--r-- 1 tibactivate tibactivate     27184 Feb 18  2025 producer-settings.xml
-rw------- 1 tibactivate tibactivate      1288 Apr 24 14:23 license-server.p12
-rw------- 1 tibactivate tibactivate      2804 Sep 25 10:12 custom-server.p12
-rw-r----- 1 tibactivate tibactivate      2310 Sep 25 10:20 local-configuration.yaml
-----------------------------------
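
One way to re-check the result of sections 2 and 3 after any later edit, as an added example that is not part of the original article or of TIBCO's tooling: a shell function that reads the https-in block and verifies the keystore and configuration file modes. It assumes a relative keystore-path is resolved against the server directory; the function names are hypothetical.

```shell
#!/bin/sh
# Added example (not TIBCO code): audit the https-in settings and file modes
# in the server directory. Prints findings and returns how many there were.

# https_in_value <yaml_file> <key>: value of one key inside the https-in block.
https_in_value() {
  awk -v key="$2" '
    /^https-in:/         { in_block = 1; next }
    in_block && /^[^ #]/ { in_block = 0 }      # next top-level key ends the block
    in_block {
      line = $0
      sub(/^[ \t]+/, "", line)
      if (index(line, key ":") == 1) {
        sub(/^[^:]*:[ \t]*/, "", line)
        sub(/[ \t]+$/, "", line)
        print line
        exit
      }
    }' "$1"
}

note() { echo "FINDING: $*"; findings=$((findings + 1)); }

# audit_https_config <server_dir>
audit_https_config() {
  cfg="$1/local-configuration.yaml"
  findings=0
  [ -r "$cfg" ] || { note "cannot read $cfg"; return "$findings"; }
  [ "$(https_in_value "$cfg" enabled)" = "true" ] || note "https-in is not enabled"
  [ "$(https_in_value "$cfg" tlsCipherSuites)" = "MODERN" ] ||
    note "tlsCipherSuites is not MODERN"

  case $(https_in_value "$cfg" keystore-password) in
    OBF:*) ;;  # output of flexnetls.jar -password (obfuscation, not encryption)
    *) note "keystore-password is not in OBF: form" ;;
  esac

  ks=$(https_in_value "$cfg" keystore-path)
  case $ks in /*) ;; *) ks="$1/$ks" ;; esac    # assumption: relative to server dir
  if [ -f "$ks" ]; then
    mode=$(stat -c '%a' "$ks")
    [ "$mode" = "600" ] || note "keystore mode is $mode, expected 600"
  else
    note "keystore $ks not found"
  fi

  # The config holds the obfuscated password: no access for other users.
  mode=$(stat -c '%a' "$cfg")
  case $mode in *0) ;; *) note "config mode $mode grants access to other users" ;; esac
  return "$findings"
}

if [ $# -eq 1 ]; then audit_https_config "$1"; fi
```

Run it with sudo against /usr/libexec/tib-lm/server, since both files are readable only by the service account and its group.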

 

 

Start TIBCO Activation Service and Verify

Step (a): Reload SystemD Daemon

----------------------------
[diksha_gosavi@gasdseudiksha02 server]$ sudo systemctl daemon-reload
----------------------------


Step (b): Restart the Service

----------------------------
[diksha_gosavi@gasdseudiksha02 server]$ sudo systemctl restart flexnetls-osp
----------------------------


Step (c): Check Service Status 

Confirm the service is active (running).
-------------------------------------
[diksha_gosavi@gasdseudiksha02 server]$ sudo systemctl status flexnetls-osp
● flexnetls-osp.service - FlexnetLS Local License Server for osp.
   Loaded: loaded (/etc/systemd/system/flexnetls-osp.service; enabled; vendor preset: disabled)
  Drop-In: /etc/systemd/system/flexnetls-osp.service.d
           └─flexnetls.conf, override.conf
   Active: active (running) since Thu 2025-09-25 10:23:30 UTC; 7s ago
  Process: 74705 ExecStartPre=/bin/chmod g+s ${DATA_DIR} /var/log/tibco/tib-lm (code=exited, status=0/SUCC>
  Process: 74704 ExecStartPre=/bin/chmod g+w ${DATA_DIR} /var/log/tibco/tib-lm (code=exited, status=0/SUCC>
  Process: 74702 ExecStartPre=/bin/chown -R ${FNLS_USER}:${FNLS_GROUP} ${DATA_DIR} /var/log/tibco/tib-lm (>
  Process: 74700 ExecStartPre=/bin/mkdir -p ${DATA_DIR} /var/log/tibco/tib-lm (code=exited, status=0/SUCCE>
 Main PID: 74709 (java)
    Tasks: 26 (limit: 100604)
   Memory: 316.0M
   CGroup: /system.slice/flexnetls-osp.service
           └─74709 /usr/lib/jvm/java-17-openjdk-17.0.16.0.8-2.el8.x86_64/bin/java -server -Xms1750m -Xmx17>

Sep 25 10:23:30 gasdseudiksha02 systemd[1]: Starting FlexnetLS Local License Server for osp....
Sep 25 10:23:30 gasdseudiksha02 systemd[1]: Started FlexnetLS Local License Server for osp..
-------------------------------------


Step (d): Check Detailed Logs 

Use journalctl to review the service's recent log entries and, for real-time monitoring, use tail -f /var/log/tibco/tib-lm/flexnetls.log
------------------------------------------------
[diksha_gosavi@gasdseudiksha02 server]$ sudo journalctl -u flexnetls-osp.service --no-pager --since "5 minutes ago"
-- Logs begin at Mon 2025-09-22 12:02:53 UTC, end at Thu 2025-09-25 10:23:57 UTC. --
Sep 25 10:23:20 gasdseudiksha02 systemd[1]: /etc/systemd/system/flexnetls-osp.service:9: Unknown lvalue 'RestartSteps' in section 'Service'
Sep 25 10:23:20 gasdseudiksha02 systemd[1]: /etc/systemd/system/flexnetls-osp.service:10: Unknown lvalue 'RestartMaxDelaySec' in section 'Service'
Sep 25 10:23:30 gasdseudiksha02 systemd[1]: Starting FlexnetLS Local License Server for osp....
Sep 25 10:23:30 gasdseudiksha02 systemd[1]: Started FlexnetLS Local License Server for osp..

[diksha_gosavi@gasdseudiksha02 server]$ sudo tail -f /var/log/tibco/tib-lm/flexnetls.log

2025-09-25T10:23:47,485Z DEBUG - Connection pool max size = 12
2025-09-25T10:23:53,686Z INFO  - Protocols [TLSv1.3, TLSv1.2], Cipher choice of MODERN yields [TLS_AES_128_GCM_SHA256, TLS_AES_256_GCM_SHA384, TLS_CHACHA20_POLY1305_SHA256]
2025-09-25T10:23:56,158Z DEBUG - Initializing ExecutorService
2025-09-25T10:23:56,164Z DEBUG - Initializing ExecutorService 'thrsched'
2025-09-25T10:23:56,478Z INFO  - Server hostids acquired: [[Hostid=42010AE924C9, type=ETHERNET, attribute=[Physical, Builtin]], [Hostid=8453589513928148843, type=VM_UUID]]
2025-09-25T10:24:00,820Z INFO  - Active profiles: [lls, singletenant, reservations, service]
2025-09-25T10:24:04,312Z DEBUG - 1 server instance(s) found.
2025-09-25T10:24:04,357Z INFO  - Updated license server instance FQWZQ8S7H33K is ready
2025-09-25T10:24:04,466Z DEBUG - Server has 17 feature records, 1 client records & 1 usage records
2025-09-25T10:24:04,479Z DEBUG - Scheduling capability poll
------------------------------------------------

 

 

Test Connectivity from Client

Step (a): Modify Hosts File

Map your custom hostname ([Custom_Hostname]) to the server's IP address. In the example below, a Windows system is used as the client, and the following entry is added to its C:\Windows\System32\drivers\etc\hosts file:
---------------------------------------
10.233.36.201 custom-host.com
---------------------------------------


Step (b): Flush DNS Cache

------------------------------------
C:\>ipconfig /flushdns
Windows IP Configuration

Successfully flushed the DNS Resolver Cache.
------------------------------------


Step (c): Test with Curl 

----------------------------------------
C:\>curl -v -k https://custom-host.com:7090/api/1.0/version
* Host custom-host.com:7090 was resolved.
* IPv6: (none)
* IPv4: 10.233.36.201
*   Trying 10.233.36.201:7090...
* schannel: disabled automatic use of client certificate
* ALPN: curl offers http/1.1
* ALPN: server did not agree on a protocol. Uses default.
* Connected to custom-host.com (10.233.36.201) port 7090
* using HTTP/1.x
> GET /api/1.0/version HTTP/1.1
> Host: custom-host.com:7090
> User-Agent: curl/8.13.0
> Accept: */*
>
* Request completely sent off
* schannel: remote party requests renegotiation
* schannel: renegotiating SSL/TLS connection
* schannel: SSL/TLS connection renegotiated
< HTTP/1.1 200 OK
....
....
....
----------------------------------
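
The curl test above passes -k, which skips certificate verification, so it cannot show whether the certificate covers the hostname the client uses (the keystore was generated for custom-hostname.com, while the hosts entry and URL use custom-host.com). The following added example, not part of the original article, checks an exported certificate with openssl; the function names and the server-cert.pem file name are assumptions, and the sample certificate is constructed.

```shell
#!/bin/sh
# Added example (not TIBCO code): check an exported server certificate against
# the hostname clients really use, instead of hiding a mismatch behind -k.
# Export from the keystore first (server-cert.pem is an assumed file name):
#   keytool -exportcert -rfc -alias custom-alias -keystore custom-server.p12 \
#           -storepass [Keystore_Password] -file server-cert.pem

# Succeeds only if the certificate (SAN, or CN when no SAN exists) covers $2.
cert_matches_host() {
  openssl x509 -in "$1" -noout -checkhost "$2" 2>/dev/null |
    grep -q 'does match certificate'
}

# Succeeds if the certificate is still valid $2 days from now.
cert_valid_for_days() {
  openssl x509 -in "$1" -noout -checkend "$(( $2 * 86400 ))" >/dev/null 2>&1
}

# Report on one certificate/hostname pair; returns the number of problems.
check_server_cert() {
  problems=0
  cert_matches_host "$1" "$2" ||
    { echo "FAIL: $2 is not covered by the certificate"; problems=$((problems + 1)); }
  cert_valid_for_days "$1" 30 ||
    { echo "FAIL: certificate expires within 30 days"; problems=$((problems + 1)); }
  [ "$problems" -eq 0 ] && echo "OK: $2 matches and the certificate is not near expiry"
  return "$problems"
}

# Constructed sample: a throwaway self-signed certificate with the same subject
# and SAN as the keytool example (its private key is deleted immediately).
make_sample_cert() {
  openssl req -x509 -newkey rsa:2048 -nodes -days 365 -keyout "$1.key" \
    -subj "/CN=custom-hostname.com" \
    -addext "subjectAltName=DNS:custom-hostname.com" -out "$1" 2>/dev/null
  rm -f "$1.key"
}

# Once the check passes, test the client without -k by trusting the export:
#   curl --cacert server-cert.pem https://custom-hostname.com:7090/api/1.0/version
if [ $# -eq 2 ]; then check_server_cert "$1" "$2"; fi
```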



Resolution

With the above-mentioned steps, you can configure your TAS to use a custom port and self-signed certificates.

Issue/Introduction

This KB covers the complete process of securing your TIBCO Activation Service with a custom HTTPS configuration.
You can use a custom host and port along with self-signed or custom certificates.