| Products | Versions |
|---|---|
| TIBCO Enterprise Message Service | - |
| Not Applicable | - |
Resolution:
Although the password is supplied in clear text in the createConnection call, it is mangled before being sent to the server. Therefore, a capture of the TCP traffic between the client application and the EMS Server would not show the password in clear text.
Mangled passwords are produced by a proprietary algorithm. The algorithm is not cryptographically secure and does not use keys; anyone who knows the algorithm can recover the original password from the mangled text. The main purpose of mangling is to provide basic protection, so that people who accidentally see the mangled text do not see the password.
For more security, SSL can be used. EMS 4.2 introduced the "authentication only" feature, which uses an SSL channel to complete the connection phase (so the password is encrypted) and then falls back to a regular TCP connection.
When ssl_auth_only is enabled, the server allows clients to request the use of SSL only for authentication (to protect user passwords). When this parameter is disabled, the server ignores client requests for this feature. When absent, the default value is disabled.
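The following is an added example, not code from the TIBCO article, showing how the "authentication only" feature is switched on at both ends: the tibemsd.conf lines in the comment use the ssl_auth_only parameter named above, while the EMS Java client setter name setSSLAuthOnly, the certificate file names and the URL are assumptions.

```java
// Server side (tibemsd.conf). Parameter name ssl_auth_only is from the article;
// the listen port and certificate file names are assumed:
//
//   listen              = ssl://7243
//   ssl_server_identity = server.cert.pem
//   ssl_server_key      = server.key.pem
//   ssl_server_password = <key-password>
//   ssl_auth_only       = enabled
//
// Client side: EMS Java API. The setter setSSLAuthOnly is assumed to exist;
// check it against the EMS Java API reference for your version.
import javax.jms.Connection;
import javax.jms.JMSException;
import com.tibco.tibjms.TibjmsConnectionFactory;

public class SslAuthOnlyClient {
    public static Connection connect(String url, String user, String password)
            throws JMSException {
        // The URL must be ssl:// so the connection phase runs inside TLS.
        TibjmsConnectionFactory factory = new TibjmsConnectionFactory(url);

        // Verify the server certificate before the password is sent, so it is
        // not handed to an impostor listener. CA file name is assumed.
        factory.setSSLTrustedCertificate("ca.cert.pem");
        factory.setSSLEnableVerifyHost(true);

        // Ask for SSL during authentication only. The server honours this only
        // when ssl_auth_only = enabled; when disabled it ignores the request.
        factory.setSSLAuthOnly(true);

        // The password is still passed in clear text here; on the wire it is
        // protected by TLS during createConnection. After that the connection
        // falls back to plain TCP, so message bodies are NOT encrypted.
        return factory.createConnection(user, password);
    }

    public static void main(String[] args) throws JMSException {
        Connection c = connect("ssl://ems.example.internal:7243", "appuser", "s3cret");
        c.start();
        c.close();
    }
}
```

Only the connection phase is protected; if message payloads also need confidentiality, use a full SSL connection rather than ssl_auth_only.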
For an overview of this feature, please refer to the section "SSL Authentication Only" in Chapter 12 of the TIBCO Enterprise Message Service User's Guide.