LiveView SSL Quick Start Guide

Article ID: KB0072979

Products: TIBCO Live Datamart
Versions: 10.6 and later

Description

What are the basic steps needed to configure SSL connections for LiveView clients?
 

Issue/Introduction

Briefly outlines the steps needed to configure SSL connections for LiveView clients.

Resolution

A successful LiveView SSL configuration requires the following:

1.) A server private key and public certificate.  The public certificate's Owner (or Subject) line should include the common name (CN) for the LiveView server. In the lv-auth sample project (provided under $STREAMBASE_HOME/liveview/sample/lv_sample_auth), you can refer to the sample 'mykeystore' file under src/main/resources/ as an example.  This keystore holds a private key and an associated public certificate. You can inspect this from a StreamBase command prompt using the 'keytool' command. For example:
> keytool -list -V -keystore mykeystore -storepass mypassword
Keystore type: jks
Keystore provider: SUN

Your keystore contains 1 entry

Alias name: myalias
Creation date: Jun 16, 2016
Entry type: PrivateKeyEntry
Certificate chain length: 1
Certificate[1]:
Owner: CN=localhost, OU=liveview, O=myorganization, L=mylocality, ST=mystate, C=US
Here, the CN is 'localhost'.

2.) A LiveView Engine configuration. Here, we specify the 'liveview.ssl.hostname' property, which should match the CN value from the server certificate. Following the above example 'mykeystore' file, the 'liveview.ssl.hostname' should be set to 'localhost'.
LDMEngine = {
  systemProperties = {
    "liveview.ssl.hostname" = "localhost"
  } 
}
3.) A LiveView Client API Listener configuration. Here, we set the LV port number and the 'secureCommunicationProfileName', which forces clients to connect using a secure communication profile.
ClientAPIListener = {
  portNumber = 11080
  secureCommunicationProfileName = "MyServerTLSProfile"
}
4.) A secure communications profile for the LV server, where details on the server's keystore are configured. If using 2-way SSL/TLS (where clients need to provide their own identity/certificate to the LV server), then this profile will also have details about the LV server's trust store (where trusted client issuer certificates are stored).
SecureCommunicationServerProfile  = {
    name = "MyServerTLSProfile"
    keyStore = "C:/stores/mykeystore" // to hold server keys and certificates
    keyStorePassword = "mypassword"
    keyPassword = "mypassword"
    keyStoreType = "JKS"
    trustStore = "C:/stores/mytruststore" // to hold trusted client issuer (root CA) certificates (for 2-way SSL only)
    trustStorePassword = "mypassword"
    trustStoreType = "JKS"
    requireClientAuthentication = false
}
Note that the name in the SecureCommunicationServerProfile configuration, 'MyServerTLSProfile', needs to match the name specified in the ClientAPIListener configuration above.

5.) A secure communications profile for internal client connections. If using 1-way SSL/TLS (where clients do not identify themselves to the LV server), it is only required to configure a trust store to hold the LV server's issuer (root CA) certificate. Clients must trust that the issuer of the LV server's certificate is a known, trusted authority. If using 2-way SSL/TLS, then you will also configure a client keystore in this profile, to hold the client's identity.
SecureCommunicationClientProfile = {
    name = "MyClientTLSProfile"
    keyStore = "C:/stores/clientkeystore" // to hold client keys and certificates (for 2-way SSL only)
    keyStorePassword = "mypassword"
    keyPassword = "mypassword"
    keyStoreType = "JKS"
    trustStore = "C:/stores/clienttruststore" // to hold trusted LV server issuer (root CA) certificates
    trustStorePassword = "mypassword"
    trustStoreType = "JKS"
    requireClientAuthentication = false
}  
6.) A LiveView Internal Credentials configuration. This is required to secure LV internal connections.  This contains the property 'ldmSecureInternalCommunicationProfileName', which is set to the client TLS configuration name.
InternalCredentials = {
   ldmSecureInternalCommunicationProfileName = "MyClientTLSProfile" 
}
Note that the name in the InternalCredentials configuration, 'MyClientTLSProfile', needs to match the name specified in the SecureCommunicationClientProfile above.
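
The steps above depend on three values agreeing: the certificate CN with 'liveview.ssl.hostname', and each of the two profile names with the setting that refers to it. The following Python check is an added example, not TIBCO code: the function names are hypothetical, the sample configuration is constructed from the fragments above, and the regex parsing assumes flat blocks like those shown rather than full HOCON.

```python
import re

# Constructed sample: config fragments and keytool Owner line from the steps above.
SAMPLE_CONF = '''
LDMEngine = { systemProperties = { "liveview.ssl.hostname" = "localhost" } }
ClientAPIListener = {
  portNumber = 11080
  secureCommunicationProfileName = "MyServerTLSProfile"
}
SecureCommunicationServerProfile = {
  name = "MyServerTLSProfile"
  keyStore = "C:/stores/mykeystore"
}
SecureCommunicationClientProfile = {
  name = "MyClientTLSProfile"
}
InternalCredentials = { ldmSecureInternalCommunicationProfileName = "MyClientTLSProfile" }
'''
SAMPLE_OWNER = "Owner: CN=localhost, OU=liveview, O=myorganization, L=mylocality, ST=mystate, C=US"

def value(conf, key):
    """Return the quoted string assigned to key (quoted or bare), or None."""
    m = re.search(r'(?<![\w.])"?%s"?\s*=\s*"([^"]*)"' % re.escape(key), conf)
    return m.group(1) if m else None

def profile_names(conf, block):
    """Return the name of every 'block = { ... }' object (assumes no nested braces)."""
    return re.findall(r'\b%s\s*=\s*\{[^{}]*?\bname\s*=\s*"([^"]*)"' % block, conf)

def owner_cn(owner_line):
    """Extract the CN attribute from a keytool Owner (Subject) line."""
    m = re.search(r'\bCN=([^,]+)', owner_line)
    return m.group(1).strip() if m else None

def check(conf, owner_line):
    """Return a list of mismatches among the settings that must agree."""
    problems = []
    host, cn = value(conf, "liveview.ssl.hostname"), owner_cn(owner_line)
    if host is None or host != cn:
        problems.append(f"liveview.ssl.hostname {host!r} != certificate CN {cn!r}")
    listener = value(conf, "secureCommunicationProfileName")
    if listener not in profile_names(conf, "SecureCommunicationServerProfile"):
        problems.append(f"listener profile {listener!r} is not a defined server profile")
    internal = value(conf, "ldmSecureInternalCommunicationProfileName")
    if internal not in profile_names(conf, "SecureCommunicationClientProfile"):
        problems.append(f"internal profile {internal!r} is not a defined client profile")
    return problems

if __name__ == "__main__":
    print(check(SAMPLE_CONF, SAMPLE_OWNER) or "configuration is consistent")
```

An empty list means all three cross-references agree; each string in a non-empty list names the setting that does not match.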
 

Additional Information

For more in-depth guidance, refer to the Help under Home > LiveView Admin Guide > Using TLS/SSL with LiveView Server.