How to enable SSL/TLS connections between BE and EMS over JNDI

Article ID: KB0073682

Products Versions
DO NOT USE! - TIBCO BusinessEvents - Enterprise Edition 5.6

Description

Use Case:

We are now required to make connections to EMS from BE over SSL/TLS. Until now, we've only been making insecure tcp connections. How can we configure our BE application and EMS server to connect with each other over a secure port?

Issue/Introduction

How to enable 1-way and 2-way SSL/TLS connections between BE and EMS over JNDI.

Environment

All Supported Platforms

Resolution

A successful SSL/TLS connection requires the EMS server to supply its public certificate to the client.  In this case, the client is your BE application that uses the JMS channel.

To ensure the EMS server supplies its public certificate, set the following in your EMS server configuration file:
# Turn on port for SSL connections
listen = ssl://7243
# Set the EMS server's identity
ssl_server_identity     = ../certs/server.cert.pem
ssl_server_key          = ../certs/server.key.pem
ssl_password            = $man$WjtSRCpaXu7hoTkDlcEPr6KNKRr
ssl_server_issuer       = ../certs/server_root.cert.pem
where:
  • ssl_server_identity = the EMS server's public certificate
  • ssl_server_key = the EMS server's private key
  • ssl_password = the password for the server's private key
  • ssl_server_issuer = the issuer (CA) of the server's public certificate
In your EMS server's connection factory configuration (factories.conf), configure the 'QueueConnectionFactory' and 'TopicConnectionFactory' factories as follows:
[TopicConnectionFactory]
  type                  = topic
  url                   = ssl://7243
  ssl_trusted           = ../certs/server_root.cert.pem
  ssl_expected_hostname = server

[QueueConnectionFactory]
  type                  = queue
  url                   = ssl://7243
  ssl_trusted           = ../certs/server_root.cert.pem
  ssl_expected_hostname = server
where:
  • ssl_trusted = the issuer (CA) of the server's public certificate
  • ssl_expected_hostname = the name that the client expects in the common name (CN) field of the server's certificate
In your JMSTransport configuration (typically located in your BE project under 'SharedResources'), set the EMS User Name and Password accordingly.

Then select the Use SSL check box, and click Configure SSL...

In the SSL Configuration dialog, set Expected Host Name to the value in the CN field of the server's certificate. In the example shown above, the CN value in the certificate should be 'server'. Also select the option to Verify Host Name. Then click 'Ok' to return to the JMSTransport configuration screen.


Select the option Use JNDI for Connection Factory, and set the following:
  • JNDI Context Factory = com.tibco.tibjms.naming.TibjmsInitialContextFactory
  • JNDI Context URL = tibjmsnaming://<ems-hostname>:7243
  • JNDI User Name = same as the EMS User Name entered earlier
  • JNDI Password = same as the EMS user's Password entered earlier
  • Connection Factory SSL Password = the password for the EMS server's connection factory
Note: Connection factory configurations cannot contain the ssl_password (for security reasons).  Instead, the EMS server will use the password that is provided in the "create connection" call for user authentication.

Now, go to the Advanced configuration tab in the JMSTransport editor, and set:
  • Topic Connection Factory = TopicConnectionFactory
  • Queue Connection Factory = QueueConnectionFactory
Then set the Optional JNDI Properties:
  • com.tibco.tibjms.naming.ssl_trusted_certs = %%EmsHome%%/samples/certs/server_root.cert.pem
Again, 'server_root.cert.pem' is the EMS server's issuer (CA) certificate.

You are now configured for 1-way SSL/TLS.

For 2-way SSL/TLS, the BE client must provide a verifiable identity to the EMS server. This identity may be stored in a digital certificate file, as shown in your EMS server installation under samples/certs/client_identity.p12.  Configure the path to the client identity file in your JMSTransport by adding the optional JNDI property:
  • com.tibco.tibjms.naming.ssl_identity = %%EmsHome%%/samples/certs/client_identity.p12
Now that the BE client is configured to verify the EMS server's certificate and to present its own identity, the EMS server must be configured to verify the client's identity.  In your EMS server configuration file, set:
# Require clients to provide an identity
ssl_require_client_cert = true
# Trusted issuers of client certificates. Supports PEM, DER and PKCS7.
ssl_server_trusted       = ../certs/client_root.cert.pem
where 'client_root.cert.pem' is the issuer (CA) for the client's certificate.

Finally, add the client identity to your EMS server's connection factories (i.e. [TopicConnectionFactory] and [QueueConnectionFactory] in factories.conf):
[TopicConnectionFactory]
  type                  = topic
  url                   = ssl://7243
  ssl_trusted           = ../certs/server_root.cert.pem
  ssl_expected_hostname = server
  ssl_identity          = ../certs/client_identity.p12

[QueueConnectionFactory]
  type                  = queue
  url                   = ssl://7243
  ssl_trusted           = ../certs/server_root.cert.pem
  ssl_expected_hostname = server
  ssl_identity          = ../certs/client_identity.p12
You are now configured for 2-way SSL/TLS.
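As an added check (example code written for this article, not TIBCO's or the article's own), the following Python script parses the EMS server configuration and factories.conf fragments in the 1-way and 2-way sections above and reports any required setting that is missing, a non-ssl:// endpoint, a server that does not require client certificates, or an ssl_password placed in a connection factory. The sample configs are constructed from the article's fragments (placeholder paths), and the Queue factory deliberately omits ssl_identity so the 2-way audit has something to report.

```python
# Constructed sample modelled on the article's fragments; the Queue factory deliberately omits ssl_identity.
SERVER_CONF = """
listen                  = ssl://7243
ssl_server_identity     = ../certs/server.cert.pem
ssl_server_key          = ../certs/server.key.pem
ssl_server_issuer       = ../certs/server_root.cert.pem
ssl_require_client_cert = true
ssl_server_trusted      = ../certs/client_root.cert.pem
"""
FACTORIES_CONF = """
[TopicConnectionFactory]
  url                   = ssl://7243
  ssl_trusted           = ../certs/server_root.cert.pem
  ssl_expected_hostname = server
  ssl_identity          = ../certs/client_identity.p12
[QueueConnectionFactory]
  url                   = ssl://7243
  ssl_trusted           = ../certs/server_root.cert.pem
  ssl_expected_hostname = server
"""
def parse_conf(text):
    """'key = value' lines grouped by '[Section]' headers; None = no header."""
    sections, current = {}, None
    for line in (raw.strip() for raw in text.splitlines()):
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
        elif line and not line.startswith("#"):
            key, _, value = line.partition("=")
            sections.setdefault(current, {})[key.strip()] = value.strip()
    return sections
def check(label, cfg, needed, url_key):
    """Findings for one section: missing keys and a non-ssl:// endpoint."""
    out = [f"{label}: missing {k}" for k in needed if k not in cfg]
    if not cfg.get(url_key, "").startswith("ssl://"):
        out.append(f"{label}: {url_key} must be an ssl:// URL")
    return out
def audit(server, factories, mutual=False):
    """Return findings; an empty list means the settings match the article."""
    need_srv = ["ssl_server_identity", "ssl_server_key", "ssl_server_issuer"]
    need_fac = ["ssl_trusted", "ssl_expected_hostname"]
    if mutual:  # 2-way: the server must demand and be able to verify a client cert
        need_srv, need_fac = need_srv + ["ssl_server_trusted"], need_fac + ["ssl_identity"]
    findings = check("server", server, need_srv, "listen")
    if mutual and server.get("ssl_require_client_cert") != "true":
        findings.append("server: ssl_require_client_cert must be true")
    for name in ("TopicConnectionFactory", "QueueConnectionFactory"):
        findings += check(name, factories.get(name, {}), need_fac, "url")
        if "ssl_password" in factories.get(name, {}):  # not permitted in factories.conf
            findings.append(f"{name}: ssl_password must not be set here")
    return findings
```

Run it as audit(parse_conf(SERVER_CONF)[None], parse_conf(FACTORIES_CONF), mutual=True); against a real installation, read the two files from disk instead of the constructed strings.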