How to enable TLS 1.2 with MS SQLServer/Oracle database and TIBCO ActiveMatrix Adapter for Database


Article ID: KB0081834


Products Versions
TIBCO ActiveMatrix BusinessWorks Plug-in for Database 7.2.0

Description


Enabling TLS 1.2 requires TIBCO DB Driver 2.0.6 or later and TIBCO ActiveMatrix Adapter for Database 7.2.0 or later.

Issue/Introduction

How to enable TLS 1.2 for TIBCO ActiveMatrix BusinessWorks Plug-in for Database 7.x and 8.x using MS SQLServer or Oracle database

Environment

Product: TIBCO ActiveMatrix Adapter for Database
Version: 7.0 and above
OS: All Supported Operating Systems

Resolution

Resolution:
===========
Follow the steps below to configure TLS 1.2 with TIBCO ActiveMatrix Adapter for Database:
1. a) When configuring a project in TIBCO Designer, add the property "java.property.TIBCO_SECURITY_VENDOR=j2se" to the designer.tra file located in the 'TIBCO_HOME\designer\version\bin' directory.

     b) When deploying a project in TIBCO Administrator, add the property "java.property.TIBCO_SECURITY_VENDOR=j2se" to the 'application.tra' file of the deployed application.

Cause:
=====
When a TIBCO application (e.g. the adapter) establishes an SSL connection with another system (e.g. the database), the underlying infrastructure uses the TIBCO Crypto library to encrypt the data.
The TIBCO Crypto library does not include encryption itself; it provides an interface that allows third-party encryption libraries to be plugged in. The installation package includes the security vendors Entrust (default), IBM, and Sun. The cause may be that the infrastructure behind the adapter is calling the TIBCO Runtime Agent TIBCO Crypto library, which in turn calls the third-party encryption libraries with the default vendor, Entrust. This results in the SSL connection failure. You need to explicitly specify the security vendor to be used by the TIBCO application.

TLS 1.2 is not supported by Entrust, so the security provider must be set to "j2se" or "ibm" (for IBM JREs only).
java.property.TIBCO_SECURITY_VENDOR=j2se 
=====

2. Append the following two parameters to the JDBC URL:
     a) 1) To have the driver encrypt all data, including the login request, set "EncryptionMethod=SSL" or "EncryptionMethod=requestSSL".
        2) To have the driver encrypt only the login request, set "EncryptionMethod=loginSSL".
     b) Set "CryptoProtocolVersion=TLSv1.2" to specify the acceptable cryptographic protocol.

Example JDBC URL for an MS SQL Server database:
jdbc:tibcosoftwareinc:sqlserver://Hostaddress;databaseName=XXX;EncryptionMethod=SSL;CryptoProtocolVersion=TLSv1.2 

JDBC URL for Oracle database:
jdbc:tibcosoftwareinc:oracle://<servername>:1521;SID=<sid>;EncryptionMethod=SSL;CryptoProtocolVersion=TLSv1.2

3. Use the command below to import the certificates into the default TIBCO Java keystore:
keytool -import -v -trustcacerts -alias XXX -file tibco/temp/certs/ABC.cer -keystore /opt/tibco/tibcojre64/1.8.0/lib/security/cacerts
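
Added example (not TIBCO's code): a shell check that a .tra file and a JDBC URL carry the settings from steps 1 and 2 before deployment. The function names, the policy of rejecting loginSSL because it covers only the login request, exact-case matching of the option names, and the sample values are assumptions made for this illustration.

```shell
#!/bin/sh
# Added example: audits the settings from steps 1 and 2 of this article.

# check_tra FILE: pass only if the .tra file selects a TLS 1.2-capable vendor.
# Commented-out lines are ignored and CRLF line endings are tolerated; if the
# property repeats, the last one is reported (assumption about precedence).
check_tra() {
    vendor=$(sed -n 's/^[[:space:]]*java\.property\.TIBCO_SECURITY_VENDOR[[:space:]]*=[[:space:]]*\([^[:space:]]*\).*/\1/p' "$1" | tail -n 1)
    case "$vendor" in
        j2se) echo "ok: vendor=j2se"; return 0 ;;
        ibm)  echo "ok: vendor=ibm (valid on IBM JREs only)"; return 0 ;;
        "")   echo "fail: TIBCO_SECURITY_VENDOR not set, Entrust default applies"; return 1 ;;
        *)    echo "fail: vendor=$vendor"; return 1 ;;
    esac
}

# jdbc_param URL NAME: print the value of the ;NAME=value option, if present.
jdbc_param() {
    printf '%s\n' "$1" | tr ';' '\n' | sed -n "s/^$2=//p" | tail -n 1
}

# check_jdbc_url URL: pass only for full-session encryption pinned to TLSv1.2.
check_jdbc_url() {
    method=$(jdbc_param "$1" EncryptionMethod)
    proto=$(jdbc_param "$1" CryptoProtocolVersion)
    rc=0
    case "$method" in
        SSL|requestSSL) ;;
        loginSSL) echo "fail: loginSSL encrypts only the login request"; rc=1 ;;
        *) echo "fail: EncryptionMethod missing or unrecognized: '$method'"; rc=1 ;;
    esac
    [ "$proto" = "TLSv1.2" ] || { echo "fail: CryptoProtocolVersion='$proto'"; rc=1; }
    [ "$rc" -eq 0 ] && echo "ok: EncryptionMethod=$method, CryptoProtocolVersion=$proto"
    return "$rc"
}

# Constructed sample input, not taken from a real deployment.
tra=$(mktemp)
printf 'java.property.TIBCO_SECURITY_VENDOR=j2se\r\n' > "$tra"
check_tra "$tra"
check_jdbc_url 'jdbc:tibcosoftwareinc:sqlserver://Hostaddress;databaseName=XXX;EncryptionMethod=SSL;CryptoProtocolVersion=TLSv1.2'
check_jdbc_url 'jdbc:tibcosoftwareinc:sqlserver://Hostaddress;databaseName=XXX;EncryptionMethod=loginSSL' || true
rm -f "$tra"
```
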

 

Additional Information

Url:
file:///C:/Tibco_home/tpcl/5.10/jdbc/Help/index.html#page/jdbcconnect%2Fusing-ssl-with-microsoft-sql-server.html%23