Explain how and when public keys of server and clients get interchanged?
Article ID: KB0087453
Updated On:
| Products | Versions |
|---|---|
| TIBCO Enterprise Message Service | - |
| Not Applicable | - |
Description
Resolution:
Public keys of server and client will get exchanged to each other during the SSL connection establishment.
That is a part of SSL connection establishment.
For that, we need to just specify the private and public key of the EMS server in the server side;
And in the client side specify the private and public key of the client. Exchange will happen automatically.
Please note that The parameter, ssl_require_client_cert, in the tibemsd.conf will decide whether client has to give its certificate
to the server or not. If this parameter is set, all the clients are expected to present their certificate during the
connection establishment. But if it is not set, client does not need to provide. But always, the server has provide
its certificate during the connection establishment.
Assuming ssl_require_client_cert is set in the server side, the following are the parameters in server side to specify its public
and private keys and password to encrypt the private key.
ssl_server_identity = mycerts/server.cert.pem ---> Server's public key.
ssl_server_key = mycerts/server.key.pem ----> Server's private key.
ssl_password = $man$WjtSRCpaXu7hoTkDlcEPr6KNKRr ----> Password to encrypt the private key.
While connection establishment, server will exchange the public key set in the ssl_server_identity to the client.
We should set the root certificate of the client's public key using "ssl_server_trusted = mycerts/client_root.cert.pem"
In the client side, we should give the root certificate of the public key of the server side.
This will ensure that client and server can trust each other's certificate when it gets exchanged during connection
establishment.
Similarly, in the client side, we must provide the public key and private key and password to encrypt the private
key. For example. Please look at the following command line for client to connect with the server.
C:\tibco\ems\samples\java>java tibjmsSSL -ssl_trace -ssl_trusted ../certs/server_root.cert.pem -ssl_hostname "server" -ssl_identity ../certs/client_identity.p12 -ssl_password password
In the above command line, client_identity.p12 contains the public key and private key of the client. This .p12 format has public key
and private key in the same file. -ssl_password is the password of the client side private key. Note that we specify the root certificate
of the EMS server in the above command line using -ssl_trusted to make sure that public certificates exchanged from EMS server is a
trusted one.
Public keys of server and client will get exchanged to each other during the SSL connection establishment.
That is a part of SSL connection establishment.
For that, we need to just specify the private and public key of the EMS server in the server side;
And in the client side specify the private and public key of the client. Exchange will happen automatically.
Please note that The parameter, ssl_require_client_cert, in the tibemsd.conf will decide whether client has to give its certificate
to the server or not. If this parameter is set, all the clients are expected to present their certificate during the
connection establishment. But if it is not set, client does not need to provide. But always, the server has provide
its certificate during the connection establishment.
Assuming ssl_require_client_cert is set in the server side, the following are the parameters in server side to specify its public
and private keys and password to encrypt the private key.
ssl_server_identity = mycerts/server.cert.pem ---> Server's public key.
ssl_server_key = mycerts/server.key.pem ----> Server's private key.
ssl_password = $man$WjtSRCpaXu7hoTkDlcEPr6KNKRr ----> Password to encrypt the private key.
While connection establishment, server will exchange the public key set in the ssl_server_identity to the client.
We should set the root certificate of the client's public key using "ssl_server_trusted = mycerts/client_root.cert.pem"
In the client side, we should give the root certificate of the public key of the server side.
This will ensure that client and server can trust each other's certificate when it gets exchanged during connection
establishment.
Similarly, in the client side, we must provide the public key and private key and password to encrypt the private
key. For example. Please look at the following command line for client to connect with the server.
C:\tibco\ems\samples\java>java tibjmsSSL -ssl_trace -ssl_trusted ../certs/server_root.cert.pem -ssl_hostname "server" -ssl_identity ../certs/client_identity.p12 -ssl_password password
In the above command line, client_identity.p12 contains the public key and private key of the client. This .p12 format has public key
and private key in the same file. -ssl_password is the password of the client side private key. Note that we specify the root certificate
of the EMS server in the above command line using -ssl_trusted to make sure that public certificates exchanged from EMS server is a
trusted one.
Issue/Introduction
Explain how and when public keys of server and clients get interchanged?
Feedback
Yes
No
Powered by
