If set "authorization = enabled" and "ssl_use_cert_name = yes", how should I set password?
Article ID: KB0088489
Updated On:
| Products | Versions |
|---|---|
| TIBCO Enterprise Message Service | - |
| Not Applicable | - |
Description
Resolution:
When authorization is enabled, the server requires a name and password before users can connect.
Only authenticated users can connect to the server. customer have to config "client" name in the users.conf file. The password can be an empty string or a "none empty" string. If the password is empty, the client do not have to provide an empty password, the default is empty. This will match the configuration in the users.conf.
"ssl_use_cert_name = yes" enforces the policy that the connection username is always extracted from the certificate, if the certificate was presented by the client.
This does not affect users who have no certificate.
In our client_identity.p12, the name is "client". in server, the name is "server".
The following description is based on my test's configuration.
A. If you only want to use empty password, you could create a user of no/empty password.
Actually, the server does ssl authentication, and user/<empty password> authentication.
However, you do not have to provide a password, by default, it is an empty password.
1. For a normal "client":
-- create user client (no password)
-- run: java tibjmsSSL -server ssl://localhost:7243 -ssl_trace -ssl_trusted ../certs/server_root.cert.pem -ssl_hostname server -ssl_identity ../certs/client_identity.p12 -ssl_password password
2. For a FT Backup server, which acts as a client when it connects to the Active server.
--create "server" user (the name in the server certificate.) But it has no/empty password.
--do not run "set server password" to set a server password
When the Backup FT server tries to connect to the Active server, the Backup server sends username/password information related of itself, that is, the username is the server name, the password is the server password set by using "set server password <password>". As "ssl_use_cert_name = yes", the Active server uses the username from the server certificate, which is "server".
B. If you want to use both X.509 certificate and username and password, you could
1. For a normal "client":
a. create user client "myPassword"
b. java tibjmsSSL -server ssl://localhost:7243 -password "myPassword" -ssl_trace -ssl_trusted ../certs/server_root.cert.pem -ssl_hostname server -ssl_identity ../certs/client_identity.p12 -ssl_password password
2. For a FT server client, you could create server user (the username is the name in the server certificate), and the password is the server password you set by using "set server password".
When authorization is enabled, the server requires a name and password before users can connect.
Only authenticated users can connect to the server. customer have to config "client" name in the users.conf file. The password can be an empty string or a "none empty" string. If the password is empty, the client do not have to provide an empty password, the default is empty. This will match the configuration in the users.conf.
"ssl_use_cert_name = yes" enforces the policy that the connection username is always extracted from the certificate, if the certificate was presented by the client.
This does not affect users who have no certificate.
In our client_identity.p12, the name is "client". in server, the name is "server".
The following description is based on my test's configuration.
A. If you only want to use empty password, you could create a user of no/empty password.
Actually, the server does ssl authentication, and user/<empty password> authentication.
However, you do not have to provide a password, by default, it is an empty password.
1. For a normal "client":
-- create user client (no password)
-- run: java tibjmsSSL -server ssl://localhost:7243 -ssl_trace -ssl_trusted ../certs/server_root.cert.pem -ssl_hostname server -ssl_identity ../certs/client_identity.p12 -ssl_password password
2. For a FT Backup server, which acts as a client when it connects to the Active server.
--create "server" user (the name in the server certificate.) But it has no/empty password.
--do not run "set server password" to set a server password
When the Backup FT server tries to connect to the Active server, the Backup server sends username/password information related of itself, that is, the username is the server name, the password is the server password set by using "set server password <password>". As "ssl_use_cert_name = yes", the Active server uses the username from the server certificate, which is "server".
B. If you want to use both X.509 certificate and username and password, you could
1. For a normal "client":
a. create user client "myPassword"
b. java tibjmsSSL -server ssl://localhost:7243 -password "myPassword" -ssl_trace -ssl_trusted ../certs/server_root.cert.pem -ssl_hostname server -ssl_identity ../certs/client_identity.p12 -ssl_password password
2. For a FT server client, you could create server user (the username is the name in the server certificate), and the password is the server password you set by using "set server password".
Issue/Introduction
If set "authorization = enabled" and "ssl_use_cert_name = yes", how should I set password?
Feedback
Yes
No
Powered by
