How to configure SSL for EMSA fault tolerance setup?


Article ID: KB0092425


Products Versions
TIBCO Enterprise Message Service Appliance -
Not Applicable -

Description

Description:
How to configure SSL for EMSA fault tolerance setup?

Symptoms:
N/A
Cause:
N/A

Resolution

The following instructions assume SSL is being enabled on instance-1. Note that all the necessary configuration is done in one go via EMSCA connected to the active server for instance-1.

1). Make sure both servers of instance-1 (active and standby) are running so any changes done via EMSCA will be replicated from the active to the standby server.

2). SFTP the certificates to the peer-B and peer-A appliances. Then import them to instance-1 using the following CLI commands:
peer-B> import 1 certs
peer-A> import 1 certs

3). Start EMSCA and connect to instance-1 active server running on peer-B.

4). Add SSL listen URL (e.g. ssl://ems-B.local:7232) to the primary listens list under Server -> Properties.

5). Add SSL listen URL (e.g. ssl://ems-A.local:7232) to the secondary listens list under Server -> Fault Tolerance.

6). Add necessary SSL certificates under Security -> SSL (I used sample certs).

7). Deploy the changes, which will require a restart. Restart both the active and standby servers of instance-1. Use the following CLI (support) commands in the exact order listed:
peer-B> stop-instance 1
peer-A> stop-instance 1
peer-B> start-instance 1
peer-A> start-instance 1

8). Run a client with SSL to test that it works. For example:
java tibjmsSSL -server ssl://<EMS IP address of peer-B>:7232 -ssl_trusted <CERTS DIR>/server_root.cert.pem

9). To fail over to the standby server of instance-1, stop the active server on peer-B using the following CLI (support) command:
peer-B> stop-instance 1

10). On peer-A, instance-1 should now become active-standalone. Run a client with SSL again to check all is okay on standby too:
java tibjmsSSL -server ssl://<EMS IP address of peer-A>:7232 -ssl_trusted <CERTS DIR>/server_root.cert.pem
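
The checks in steps 8 and 10 can also be made without a JMS client, by handshaking with whichever listener is currently active and validating its certificate chain against the same root certificate. This is an added example, not part of the original article or of TIBCO's tooling; the script name and function names are hypothetical, and it assumes the SSL listener starts TLS immediately on connect.

```python
import socket
import ssl
import sys
from urllib.parse import urlsplit


def parse_listen_url(url):
    """Split an EMS listen URL such as ssl://ems-B.local:7232 into (host, port)."""
    parts = urlsplit(url)
    if parts.scheme != "ssl" or not parts.hostname or parts.port is None:
        raise ValueError(f"not an ssl://host:port listen URL: {url!r}")
    return parts.hostname, parts.port  # hostname is returned lower-cased


def check_listener(url, cafile, verify_hostname=True, timeout=5.0):
    """Handshake with one listener and validate its chain against cafile.

    Returns a dict with ok=True plus the certificate subject and expiry,
    or ok=False plus the error text (refused connection, untrusted chain,
    hostname mismatch, unreadable root file, malformed URL).
    """
    try:
        host, port = parse_listen_url(url)
        ctx = ssl.create_default_context(cafile=cafile)  # chain must verify
        # Disable only for test certificates whose names do not match the host.
        ctx.check_hostname = verify_hostname
        with socket.create_connection((host, port), timeout=timeout) as sock:
            with ctx.wrap_socket(sock, server_hostname=host) as tls:
                cert = tls.getpeercert()
                return {"ok": True, "url": url, "protocol": tls.version(),
                        "subject": cert.get("subject"),
                        "not_after": cert.get("notAfter")}
    except (OSError, ValueError) as exc:  # ssl.SSLError is an OSError
        return {"ok": False, "url": url, "error": f"{type(exc).__name__}: {exc}"}


if __name__ == "__main__":
    # usage: check_ems_tls.py <root cert PEM> <ssl://host:port> [...]
    results = [check_listener(u, sys.argv[1]) for u in sys.argv[2:]]
    for r in results:
        print(r)
    sys.exit(0 if results and all(r["ok"] for r in results) else 1)
```

Run it against the peer-B URL after step 7 and against the peer-A URL after the failover in step 9; a listener that presents a certificate not issued under the given root is reported with ok set to False.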
