How to enable SSL/TLS connections between BE and EMS over JNDI

How to enable SSL/TLS connections between BE and EMS over JNDI

book

Article ID: KB0073682

calendar_today

Updated On:

Products Versions
DO NOT USE! - TIBCO BusinessEvents - Enterprise Edition 5.6

Description

Use Case:

We are now required to make connections to EMS from BE over SSL/TLS. Until now, we've only been making insecure tcp connections. How can we configure our BE application and EMS server to connect with each other over a secure port?

Environment

All Supported Platforms

Resolution

A successful SSL/TLS connection requires the EMS server to supply its public certificate to the client.  In this case, the client is your BE application that uses the JMS channel.

To ensure the EMS server supplies its public certificate, set the following in your EMS server configuration file: 
# Turn on port for SSL connections
listen = ssl://7243
# Set the EMS server's identity
ssl_server_identity     = ../certs/server.cert.pem
ssl_server_key          = ../certs/server.key.pem
ssl_password            = $man$WjtSRCpaXu7hoTkDlcEPr6KNKRr
ssl_server_issuer       = ../certs/server_root.cert.pem
..where:
  • ssl_server_identity = the EMS server's public certificate
  • ssl_server_key = the EMS server's private key
  • ssl_password = the password for the server's private key
  • ssl_server_issuer = the issuer (CA) of the server's public certificate
In your EMS server's connection factory configuration (factories.conf), configure the 'QueueConnectionFactory' and 'TopicConnectionFactory' factories as follows: 
[TopicConnectionFactory]
  type                  = topic
  url                   = ssl://7243
  ssl_trusted           = ../certs/server_root.cert.pem
  ssl_expected_hostname = server

[QueueConnectionFactory]
  type                  = queue
  url                   = ssl://7243
  ssl_trusted           = ../certs/server_root.cert.pem
  ssl_expected_hostname = server
..where:
  • ssl_trusted = the issuer (CA) of the server's public certificate
  • ssl_expected_hostname = The name that the client expects in the common name (CN) field of the server's certificate.
In your JMSTransport configuration (typically located in your BE project under 'SharedResources'), set the EMS User Name and Password accordingly.

Then select the Use SSL check box, and click Configure SSL...

In the SSL Configuration dialog, set Expected Host Name to the value in the CN field of the server's certificate. In the example shown above, the correct CN value in the certificate should be 'server'. Also select the option to Verify Host Name. Then click 'Ok' to return the to JMSTransport configuration screen.

Select the option Use JNDI for Connection Factory, and set the following:
  • JNDI Context Factory = com.tibco.tibjms.naming.TibjmsInitialContextFactory
  • JNDI Context URL = tibjmsnaming://<ems-hostname>:7243
  • JNDI User Name = same as the EMS User Name entered earlier
  • JNDI Password = same as the EMS user's Password entered earlier
  • Connection Factory SSL Password = the password for the EMS server's connection factory
Note: Connection factory configurations cannot contain the ssl_password (for security reasons).  Instead, the EMS server will use the password that is provided in the "create connection" call for user authentication.

Now, go the Advanced configuration tab in the JMSTransport editor, and set:
  • Topic Connection Factory = TopicConnectionFactory
  • Queue Connection Factory = QueueConnectionFactory
Then set the Optional JNDI Properties:
  • com.tibco.tibjms.naming.ssl_trusted_certs = %%EmsHome%%/samples/certs/server_root.cert.pem
Again, 'server_root.cert.pem' is the EMS server's issuer (CA) certificate.

You are now configured for 1-way SSL/TLS.

For 2-way SSL/TLS, the BE client must provide a verifiable identity to the EMS server. This identity may be stored in a digital certificate file, as shown in your EMS server installation under samples/certs/client_identity.p12.  Configure the path to the client identity file in your JMSTransport by adding the optional JNDI property:
  • com.tibco.tibjms.naming.ssl_identity = %%EmsHome%%/samples/certs/client_identity.p12
Now that the BE client is configured to verify the EMS server's certificate, the EMS server must be configured to verify the client's identity.  In your EMS server configuration file, set: 
# Require clients to provide an identity
ssl_require_client_cert = true
# Trusted issuers of client certificates. Supports PEM, DER and PKCS7.
ssl_server_trusted       = ../certs/client_root.cert.pem
..where 'client_root.cert.pem' is the issuer (CA) for the client's certificate.

Finally, add the client identity to your EMS server's connection factories (i.e. [TopicConnectionFactory] and [QueueConnectionFactory] in factories.conf): 
[TopicConnectionFactory]
  type                  = topic
  url                   = ssl://7243
  ssl_trusted           = ../certs/server_root.cert.pem
  ssl_expected_hostname = server
  ssl_identity          = ../certs/client_identity.p12

[QueueConnectionFactory]
  type                  = queue
  url                   = ssl://7243
  ssl_trusted           = ../certs/server_root.cert.pem
  ssl_expected_hostname = server
  ssl_identity          = ../certs/client_identity.p12
You are now configured for 2-way SSL.
 

Issue/Introduction

How to enable 1-way and 2-way SSL/TLS connections between BE and EMS over JNDI.
Powered by Wolken Software