| Products | Versions |
|---|---|
| TIBCO Streaming | 7 |
What configuration settings are required to enable JNDI lookup over SSL from the StreamBase EMS operators to an EMS server?
In the EMS server configuration file (tibemsd.conf), turn on an SSL listener and give the server its identity:

```
# Turn on port for SSL connections
listen = ssl://7243

# Enable logging of SSL interaction for troubleshooting
# (+SSL_DEBUG is verbose; remove it once the connection works)
log_trace = DEFAULT,-LIMITS,-ACL,+CONNECT,+SSL,+SSL_DEBUG

# Set the EMS server's identity and SSL
ssl_server_identity = C:/TIBCO/ems/x.y/samples/certs/server.cert.pem
ssl_server_key = C:/TIBCO/ems/x.y/samples/certs/server.key.pem
ssl_password = password
ssl_server_issuer = C:/TIBCO/ems/x.y/samples/certs/server_root.cert.pem
```

where the paths point at the sample certificates shipped under samples/certs of the EMS installation (x.y is the EMS version): 'ssl_server_identity' is the server's certificate, 'ssl_server_key' its private key, 'ssl_password' the password protecting that key, and 'ssl_server_issuer' the certificate of the issuer (CA) that signed the server certificate. The samples are for testing only; use your own certificates and key password in a real deployment.
In the connection factory configuration (factories.conf), define a factory whose URL uses the SSL listener:

```
[SSLConnectionFactory]
type = generic
url = ssl://7243
ssl_trusted = C:/TIBCO/ems/x.y/samples/certs/server_root.cert.pem
ssl_expected_hostname = server
```

Unless otherwise specified (by adding 'ssl_verify_host=disabled' to the factory definition), host verification is enabled by default. This means that the client (here the StreamBase EMS adapter) inspects the common name (CN) in the server's certificate and compares it with the 'ssl_expected_hostname' value in the factory. If 'ssl_expected_hostname' is not set, the CN is instead compared with the hostname in the provider URL the client connects to. In the example above, the CN of the server certificate must therefore be 'server'. Do not disable host verification to work around a CN mismatch: it is the check that stops the client from accepting any other server holding a certificate from the same issuer.
In the StreamBase EMS adapter configuration (sb-jms-adapter-config XML), the JNDI lookup over SSL is configured as follows:

```xml
<sb-jms-adapter-config>
  <jms-servers>
    <jms-server connection-factory-name="SSLConnectionFactory"
                jndi-initial-context-builder="com.streambase.sb.adapter.jms2.TIBCOEMSJNDIInitialContextBuilder"
                username="EMSUserName"
                password="password"
                jndi-security-principal="EMSUserName"
                jndi-security-credentials="password"
                jndi-security-protocol="ssl"
                name="EMS-SERVER-SSL"
                provider-context-factory="com.tibco.tibjms.naming.TibjmsInitialContextFactory"
                provider-name="TIBCO EMS"
                provider-url="ssl://server:7243"
                server-num-retries="1000"
                server-reconnect-interval="5">
      <jndi-extra-properties>
        <extra-property name="com.tibco.tibjms.naming.security_protocol" value="ssl"/>
        <extra-property name="com.tibco.tibjms.naming.ssl_trusted_certs" value="C:/TIBCO/ems/x.y/samples/certs/server.cert.pem"/>
        <extra-property name="com.tibco.tibjms.naming.ssl_enable_verify_host" value="true"/>
        <extra-property name="com.tibco.tibjms.naming.ssl_expected_hostname" value="server"/>
      </jndi-extra-properties>
      <destinations>
      </destinations>
    </jms-server>
  </jms-servers>
</sb-jms-adapter-config>
```

Note that the JNDI properties here trust the server certificate itself (server.cert.pem), whereas the factory definition above trusts the issuer certificate (server_root.cert.pem); the EMS client accepts either, as long as the presented certificate chains to what is listed in 'ssl_trusted_certs'.
In TIBCO Streaming, the equivalent adapter configuration (HOCON) is:

```
name = "sample-JMSAdapter"
version = "1.0.0"
type = "com.tibco.ep.streambase.configuration.adapter"
configuration = {
  JMSAdapter = {
    adapterClassName = "com.streambase.sb.adapter.jms.enqueue.JMSReader"
    jmsServers = {
      "EMS-SERVER-SSL" = {
        connectionFactoryName = "SSLConnectionFactory"
        providerURL = "ssl://server:7243"
        jndiInitialContextBuilderClassName = "com.streambase.sb.adapter.jms2.TIBCOEMSJNDIInitialContextBuilder"
        username = "EMSUserName"
        password = "password"
        jndiSecurityPrincipal = "EMSUserName"
        jndiSecurityCredentials = "password"
        jndiSecurityProtocol = "ssl"
        providerContextFactoryClassName = "com.tibco.tibjms.naming.TibjmsInitialContextFactory"
        providerName = "TIBCO EMS"
        maxReconnectAttempts = "1000"
        reconnectSleepSeconds = "5"
        jndiExtraProperties = {
          "com.tibco.tibjms.naming.security_protocol" = "ssl"
          "com.tibco.tibjms.naming.ssl_trusted_certs" = "C:/TIBCO/ems/x.y/samples/certs/server.cert.pem"
          "com.tibco.tibjms.naming.ssl_enable_verify_host" = "true"
          "com.tibco.tibjms.naming.ssl_expected_hostname" = "server"
        }
        destinations = {
        }
      }
    }
  }
}
```

The provider URL may also begin with "tibjmsnaming://" instead of "ssl://". Also note that the EMS username and password have to be set twice: once as the JMS connection credentials (username/password) and once as the JNDI credentials (jndiSecurityPrincipal/jndiSecurityCredentials), because the JNDI lookup of the factory and the JMS connection made through it are authenticated separately. Both copies are stored in clear text in this file, so protect it accordingly. The 'EMSUserName' user can be added to the EMS server's users.conf with the tibemsadmin utility:
```
C:\TIBCO\ems\8.5\bin>tibemsadmin.exe
TIBCO Enterprise Message Service Administration Tool.
Copyright 2003-2019 by TIBCO Software Inc.
All rights reserved.
Version 8.5.1 V4 9/12/2019

Type 'help' for commands help, 'exit' to exit:
> connect
Login name (admin):
Password:
Connected to: tcp://localhost:7222
tcp://localhost:7222> create user EMSUserName password=password
User 'EMSUserName' has been created
```
If the EMS server is also to authenticate the client with a certificate (mutual SSL), give the adapter a client identity. In the sb-jms-adapter-config XML, add the following to the jndi-extra-properties:

```xml
<extra-property name="com.tibco.tibjms.naming.ssl_identity" value="C:/TIBCO/ems/x.y/samples/certs/client_identity.p12"/>
```

or, in the TIBCO Streaming "jndiExtraProperties" shown above:
```
"com.tibco.tibjms.naming.ssl_identity" = "C:/TIBCO/ems/x.y/samples/certs/client_identity.p12"
```

The EMS server then validates the client certificate using the following settings in its configuration (tibemsd.conf):
```
ssl_require_client_cert=true
ssl_server_trusted=C:/TIBCO/ems/x.y/samples/certs/client_root.cert.pem
```

where 'client_root.cert.pem' is the issuer certificate of the client's certificate. With 'ssl_require_client_cert=true' the server rejects any SSL client that does not present a certificate chaining to a trusted issuer, so every client of that listener (not only the StreamBase adapter) needs an identity.
The connection factory in factories.conf also needs the client identity, so that the JMS connection made through the factory presents the same certificate as the JNDI lookup:

```
[SSLConnectionFactory]
type = generic
url = ssl://7243
ssl_trusted = C:/TIBCO/ems/x.y/samples/certs/server_root.cert.pem
ssl_expected_hostname = server
ssl_identity = C:/TIBCO/ems/x.y/samples/certs/client_identity.p12
```
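The host-verification rule described with the factory configuration above (expected hostname, fallback to the provider URL host, 'ssl_verify_host=disabled') and the client-certificate requirement just shown are easy to get out of step across tibemsd.conf, factories.conf and the adapter configuration. The following pre-flight checker is an added example, not TIBCO code or part of the original article: it parses the two EMS configuration files, reimplements the rules as this page states them, and reports inconsistencies. The configuration text is constructed from the snippets on this page, the certificate CN is supplied as a string (for instance copied from `openssl x509 -in server.cert.pem -noout -subject`; no certificate parsing is done), and the check names and messages are this example's own.

```python
"""Pre-flight consistency check for EMS-over-SSL JNDI configuration.

Added example (not TIBCO code). It models the rules stated on this page:
  * host verification is on unless the factory sets ssl_verify_host = disabled;
  * the name checked against the server certificate CN is ssl_expected_hostname,
    falling back to the host part of the provider URL;
  * the provider URL may use ssl:// or tibjmsnaming://;
  * with ssl_require_client_cert=true the factory must carry ssl_identity and
    the server needs ssl_server_trusted (the client's issuer certificate).
The certificate CN is passed in as a string; no certificate file is parsed.
"""
import re

# Constructed inputs, copied from the snippets on this page (not a live deployment).
TIBEMSD_CONF = """
# Turn on port for SSL connections
listen = ssl://7243
log_trace = DEFAULT,-LIMITS,-ACL,+CONNECT,+SSL,+SSL_DEBUG
ssl_server_identity = C:/TIBCO/ems/x.y/samples/certs/server.cert.pem
ssl_server_key = C:/TIBCO/ems/x.y/samples/certs/server.key.pem
ssl_password = password
ssl_server_issuer = C:/TIBCO/ems/x.y/samples/certs/server_root.cert.pem
"""
FACTORIES_CONF = """
[SSLConnectionFactory]
type = generic
url = ssl://7243
ssl_trusted = C:/TIBCO/ems/x.y/samples/certs/server_root.cert.pem
ssl_expected_hostname = server
"""

EMS_URL = re.compile(r"^(?P<scheme>[a-z]+)://(?:(?P<host>[^:/]+):)?(?P<port>\d+)$")


def split_ems_url(url):
    """Split 'scheme://[host:]port'; the host may be omitted ('listen = ssl://7243')."""
    m = EMS_URL.match(url.strip())
    if not m:
        raise ValueError(f"not an EMS url: {url!r}")
    return m.group("scheme"), m.group("host"), int(m.group("port"))


def parse_kv(text):
    """Parse tibemsd.conf style 'key = value' lines ('#' starts a comment).
    Values are kept as lists because some keys, such as listen, may repeat."""
    conf = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if "=" in line:
            key, value = (part.strip() for part in line.split("=", 1))
            conf.setdefault(key, []).append(value)
    return conf


def setting(conf, key, default=""):
    """Last value given for key in a parse_kv() result."""
    return conf.get(key, [default])[-1]


def parse_factories(text):
    """Parse factories.conf: '[Name]' headers followed by 'key = value' lines."""
    factories, current = {}, None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        header = re.fullmatch(r"\[(.+)\]", line)
        if header:
            current = header.group(1)
            factories[current] = {}
        elif current is not None and "=" in line:
            key, value = (part.strip() for part in line.split("=", 1))
            factories[current][key] = value
    return factories


def ssl_listen_ports(conf):
    """Ports of every 'listen = ssl://[host:]port' line in tibemsd.conf."""
    return {split_ems_url(v)[2] for v in conf.get("listen", []) if split_ems_url(v)[0] == "ssl"}


def expected_hostname(factory, provider_url):
    """Name the client compares with the server certificate CN; None when the
    factory disables host verification (ssl_verify_host = disabled)."""
    if factory.get("ssl_verify_host", "enabled").lower() == "disabled":
        return None
    if factory.get("ssl_expected_hostname"):
        return factory["ssl_expected_hostname"]
    return split_ems_url(provider_url)[1]  # fall back to the host in the provider URL


def check_setup(tibemsd_text, factories_text, factory_name, provider_url, server_cert_cn):
    """Cross-check server, factory and adapter settings; an empty list means consistent."""
    findings = []
    srv = parse_kv(tibemsd_text)
    fac = parse_factories(factories_text).get(factory_name)
    if fac is None:
        return [f"factory {factory_name!r} is not defined in factories.conf"]
    scheme, _, port = split_ems_url(provider_url)
    if scheme not in ("ssl", "tibjmsnaming"):
        findings.append(f"provider URL scheme {scheme!r}: expected ssl:// or tibjmsnaming://")
    if port not in ssl_listen_ports(srv):
        findings.append(f"provider URL port {port} has no 'listen = ssl://...' in tibemsd.conf")
    if "url" not in fac:
        findings.append("factory has no url")
    elif split_ems_url(fac["url"])[0] != "ssl":
        findings.append(f"factory url {fac['url']!r} is not ssl://")
    for key in ("ssl_server_identity", "ssl_server_key"):
        if not setting(srv, key):
            findings.append(f"tibemsd.conf: {key} not set, server cannot present a certificate")
    if not fac.get("ssl_trusted"):
        findings.append("factory: ssl_trusted not set, client cannot verify the server")
    name = expected_hostname(fac, provider_url)
    if name is not None and name != server_cert_cn:
        findings.append(f"server certificate CN {server_cert_cn!r} does not match expected host {name!r}")
    if setting(srv, "ssl_require_client_cert").lower() == "true":
        if not fac.get("ssl_identity"):
            findings.append("server requires a client certificate but the factory has no ssl_identity")
        if not setting(srv, "ssl_server_trusted"):
            findings.append("ssl_require_client_cert=true but ssl_server_trusted (client issuer) not set")
    return findings


if __name__ == "__main__":
    result = check_setup(TIBEMSD_CONF, FACTORIES_CONF, "SSLConnectionFactory",
                         "ssl://server:7243", "server")
    print("\n".join(result) or "OK: server, factory and provider URL agree")
```

Run it against real files by reading tibemsd.conf and factories.conf into the two text arguments and passing the provider URL from the adapter configuration; a CN mismatch is reported as a finding rather than silently "fixed", because the right remedy is a certificate whose CN matches the hostname the adapter uses, not disabling host verification.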