What are the required configuration settings to enable JNDI lookup over SSL from the StreamBase EMS operators to and EMS server using JNDI lookup?

Set the following in the EMS server's configuration file:

# Turn on port for SSL connections
listen = ssl://7243
# Enable logging of SSL interaction for troubleshooting
log_trace = DEFAULT,-LIMITS,-ACL,+CONNECT,+SSL,+SSL_DEBUG
# Set the EMS server's identity and SSL 
ssl_server_identity = C:/TIBCO/ems/x.y/samples/certs/server.cert.pem
ssl_server_key = C:/TIBCO/ems/x.y/samples/certs/server.key.pem
ssl_password = password
ssl_server_issuer = C:/TIBCO/ems/x.y/samples/certs/server_root.cert.pem

..where:

• 'server.cert.pem' is the EMS server's public certificate
• 'server.key.pem' is the EMS server's private key
• 'password' is the password for the EMS server's private key. 
• 'ssl_server_issuer' is the certificate which identifies the certificate authority who issued 'server.cert.pem'

In your EMS server's connection factory configuration (factories.conf), set:

[SSLConnectionFactory]
  type = generic
  url = ssl://7243
  ssl_trusted = C:/TIBCO/ems/x.y/samples/certs/server_root.cert.pem
  ssl_expected_hostname = server 

Unless otherwise specified (by adding 'ssl_verify_host=disabled' in your factory configuration) host verification is enabled by default in the EMS server.  This means that the client (i.e. the EMS adapter) will inspect the common name (CN) value set in the server's public certificate, and compare it to the 'ssl_expected_hostname' value set in your factory configuration.  If the 'ssl_expected_hostname' is not set, the CN value will instead be compared to the hostname in the provider url that the client uses to connect. In the example shown above, the correct common name (CN) value in the certificate should be 'server'.

Note: Connection factory configurations cannot contain the ssl_password (for security reasons).  Instead, the EMS server will use the password that is provided in the "create connection" call for user authentication. This means that the EMS user's password must be the same as the ssl_password set in the EMS server's configuration. Otherwise, the connection will fail.

For the StreamBase EMS adapter client, set in sbd.sbconf:

<sb-jms-adapter-config>
 <jms-servers>
 <jms-server 
 connection-factory-name="SSLConnectionFactory"
 jndi-initial-context-builder="com.streambase.sb.adapter.jms2.TIBCOEMSJNDIInitialContextBuilder" 
 username="EMSUserName"
 password="password"
 jndi-security-principal="EMSUserName" 
 jndi-security-credentials="password" 
 jndi-security-protocol="ssl" 
 name="EMS-SERVER-SSL" 
 provider-context-factory="com.tibco.tibjms.naming.TibjmsInitialContextFactory" 
 provider-name="TIBCO EMS" 
 provider-url="ssl://server:7243" 
 server-num-retries="1000" 
 server-reconnect-interval="5">
 <jndi-extra-properties>
 <extra-property name="com.tibco.tibjms.naming.security_protocol" value="ssl"/>
 <extra-property name="com.tibco.tibjms.naming.ssl_trusted_certs" value="C:/TIBCO/ems/x.y/samples/certs/server.cert.pem"/>
 <extra-property name="com.tibco.tibjms.naming.ssl_enable_verify_host" value="true"/>
 <extra-property name="com.tibco.tibjms.naming.ssl_expected_hostname" value="server"/>
 </jndi-extra-properties>
 <destinations>
 </destinations>
 </jms-server>
 </jms-servers>
</sb-jms-adapter-config>

The equivalent TIBCO Streaming 10.3 and newer JMSAdapter HOCON configuration is:

name = "sample-JMSAdapter"
version = "1.0.0"
type = "com.tibco.ep.streambase.configuration.adapter"
configuration = {
  JMSAdapter = {
    adapterClassName = "com.streambase.sb.adapter.jms.enqueue.JMSReader"
    jmsServers = {
      "EMS-SERVER-SSL" = {
        connectionFactoryName = "SSLConnectionFactory"
        providerURL = "ssl://server:7243"
        jndiInitialContextBuilderClassName = "com.streambase.sb.adapter.jms2.TIBCOEMSJNDIInitialContextBuilder"
        username="EMSUserName"
        password="password"
        jndiSecurityPrincipal = "EMSUserName"
        jndiSecurityCredentials = "password" 
        jndiSecurityProtocol = "ssl"
        providerContextFactoryClassName = "com.tibco.tibjms.naming.TibjmsInitialContextFactory"
        providerName = "TIBCO EMS"
        maxReconnectAttempts = "1000"
        reconnectSleepSeconds = "5"
        jndiExtraProperties = {
          "com.tibco.tibjms.naming.security_protocol" = "ssl"
          "com.tibco.tibjms.naming.ssl_trusted_certs" = "C:/TIBCO/ems/x.y/samples/certs/server.cert.pem"
          "com.tibco.tibjms.naming.ssl_enable_verify_host" = "true"
          "com.tibco.tibjms.naming.ssl_expected_hostname" = "server"
        }
        destinations = {
        }
      }
    }
  }
}

The provider-url may also begin with "tibjmsnaming://" instead of "ssl://".  Also note that the EMS username and password need to be set TWICE in the configuration.  The 'EMSUserName' can be added to the EMS server's users.conf configuration using the tibemsadmin utility:
 

C:\TIBCO\ems\8.5\bin>tibemsadmin.exe

TIBCO Enterprise Message Service Administration Tool.
Copyright 2003-2019 by TIBCO Software Inc.
All rights reserved.

Version 8.5.1 V4 9/12/2019

Type 'help' for commands help, 'exit' to exit:
> connect
Login name (admin):
Password:
Connected to: tcp://localhost:7222
tcp://localhost:7222> create user EMSUserName password=password
User 'EMSUserName has been created

If you only verify the EMS host, but do not supply trusted certs, then the connection will fail and you will see error:

2016-08-16 16:01:04.654-0400 [Connection Thread for SendEMSMsg] ERROR SendEMSMsg - Could not start connection for JMS server EMS-SERVER-SSL
com.streambase.sb.StreamBaseException: Could not create javax.jms.Connection object: Could not find JNDI object SSLConnectionFactory using settings configured for JMS server EMS-SERVER-SSL: Not permitted: Can not initialize SSL client: no trusted certificates are set

The above settings provide one-way SSL, where the client is configured to trust specific EMS servers.

Without client certificates supplied, you will see in the EMS server "logfile":

2016-08-16 15:51:11.589 Peer has no certificate
2016-08-16 15:51:11.589 SSL accepted cipher=AES128-SHA
2016-08-16 15:51:11.609 [anonymous@SYSTEM]: Connected, connection id=3, type: generic, UTC offset=5

In order to configure the EMS server to trust specific clients, you will need to set in the sbd.sbconf:

<extra-property name="com.tibco.tibjms.naming.ssl_identity" value="C:/TIBCO/ems/x.y/samples/certs/client_identity.p12"/>

or in TIBCO Streaming "jndiExtraProperties" shown above:

  "com.tibco.tibjms.naming.ssl_identity" = "C:/TIBCO/ems/x.y/samples/certs/client_identity.p12"

which the EMS server will need to validate using the following settings in the EMS server configuration:

ssl_require_client_cert=true
ssl_server_trusted=C:/TIBCO/ems/x.y/samples/certs/client_root.cert.pem

..where 'client_root.cert.pem' is the client's issuer certificate.

Finally, add the 'ssl_identity' to your connection factory configuration:

[SSLConnectionFactory]   
  type = generic   
  url = ssl://7243   
  ssl_trusted = C:/TIBCO/ems/x.y/samples/certs/server_root.cert.pem   
  ssl_expected_hostname = server
  ssl_identity = C:/TIBCO/ems/x.y/samples/certs/client_identity.p12

Once these are set you will have enabled two-way SSL.

Required configuration settings to enable JNDI lookup over SSL from the StreamBase EMS operators.