Article ID: KB0090344
Description:
==========
Using Subject Alternative Names (SAN) certificate with TIBCO Web Messaging for TIBCO EMS (TWM).
Environment:
===========
ALL
Resolution:
==========
TIBCO Web Messaging for TIBCO EMS (TWM) applies very strict SSL certificate verification rules on both the server side and the client side. This is probably because the TWM service is usually exposed to the public Internet, where it is far more exposed to attack than it would be within a local network.
Generally, the common name (CN) field of the server certificate should equal the hostname string. If the CN field differs from the hostname, the subject alternative name (SAN) extension should contain an entry for the hostname.
Otherwise, the server will complain "Keystore does not have a certificate entry for <hostname>" and fail to start.
As an example, use the hostname "liyan-t520" in the accept URL of a service whose protocol is wss or https.
In the following certificate, the SAN extension contains the DNS entry for "liyan-t520".
-------------------------------------------------------------------
Certificate:
Data:
Version: 3 (0x2)
Serial Number: 1 (0x1)
Signature Algorithm: sha1WithRSAEncryption
Issuer: C=us, ST=ca, L=palo alto, O=support, OU=tibco, CN=ylf/emailAddress=liyan@tibco.com
Validity
Not Before: Feb 13 23:56:00 2013 GMT
Not After : Feb 13 23:56:00 2014 GMT
Subject: C=us, ST=ca, L=palo alto, O=support, OU=tibco, CN=ylf/emailAddress=liyan@tibco.com
Subject Public Key Info:
Public Key Algorithm: rsaEncryption
Public-Key: (1024 bit)
Modulus:
00:c9:e5:ac:37:81:21:6b:fd:c4:12:3e:2f:37:56:
dd:7a:c7:b5:c7:30:f2:54:14:f9:8e:03:b3:46:d0:
c6:ae:4c:2a:3b:52:a9:0f:e3:46:f1:0f:28:73:e8:
23:a1:23:cf:8b:a1:d2:78:b0:6b:d3:64:1b:22:ae:
0b:91:1a:59:73:4c:e7:4a:ef:52:42:06:3a:88:65:
06:19:71:ab:39:c2:83:9d:12:27:fc:76:25:0a:1e:
14:a9:72:90:58:12:57:07:12:77:fc:2d:a4:69:2b:
29:c1:b3:30:c7:ec:8e:1c:ec:ea:5a:d0:a0:c4:7a:
82:7a:ed:b6:fd:8e:90:0b:43
Exponent: 65537 (0x10001)
X509v3 extensions:
X509v3 Subject Alternative Name:
DNS:liyan-t520, DNS:intih
-------------------------------------------------------------------
The existence of the SAN extension makes it possible for a single keystore to be used by TWM services running on different machines, provided that the hostname of each machine is added to the SAN DNS entries.
To generate a new keystore including a SAN entry, you can use the keytool command from JDK 7 (keytool in earlier JDK versions does not accept the -ext option).
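The following is an added example, not part of the article or of the TWM product code: it reproduces the matching rule described above (hostname equals the Subject CN, or appears as a DNS entry in the SAN extension) against the text form of a certificate as printed by `openssl x509 -text`. The sample certificate text is constructed from the dump shown in the article; the second sample (CN only, no SAN extension) is constructed to show the fallback. Case-insensitive comparison of DNS names is an assumption of this example; the article only states that the names must be equal.

```python
import re

# Constructed sample: the relevant lines of the article's certificate dump,
# which carries a SAN extension with two DNS entries.
SAN_CERT_TEXT = """\
Certificate:
    Data:
        Version: 3 (0x2)
        Subject: C=us, ST=ca, L=palo alto, O=support, OU=tibco, CN=ylf/emailAddress=liyan@tibco.com
        X509v3 extensions:
            X509v3 Subject Alternative Name:
                DNS:liyan-t520, DNS:intih
"""

# Constructed sample: a certificate whose CN is the hostname and which has no SAN.
CN_ONLY_CERT_TEXT = """\
Certificate:
    Data:
        Version: 3 (0x2)
        Subject: C=us, ST=ca, O=support, CN=liyan-t520
"""


def parse_subject_cn(cert_text):
    """Return the CN component of the Subject line, or None if absent."""
    m = re.search(r"^\s*Subject:.*?\bCN=([^,/\n]+)", cert_text, re.MULTILINE)
    return m.group(1).strip() if m else None


def parse_san_dns(cert_text):
    """Return the DNS: entries of the SAN extension (empty list if there is none)."""
    m = re.search(r"X509v3 Subject Alternative Name:[^\n]*\n\s*([^\n]+)", cert_text)
    if not m:
        return []
    entries = [e.strip() for e in m.group(1).split(",")]
    return [e.split(":", 1)[1].strip() for e in entries if e.startswith("DNS:")]


def hostname_matches(cert_text, hostname):
    """True if hostname equals the CN or one of the SAN DNS names.

    Assumption of this example: DNS names compare case-insensitively;
    no wildcard handling, matching the strict rule the article describes.
    """
    names = [parse_subject_cn(cert_text)] + parse_san_dns(cert_text)
    wanted = hostname.strip().lower()
    return any(n is not None and n.lower() == wanted for n in names)


def keystore_check(cert_text, hostname):
    """Return None when the certificate covers hostname, else the error text
    quoted in the article that the TWM server reports before refusing to start."""
    if hostname_matches(cert_text, hostname):
        return None
    return "Keystore does not have a certificate entry for %s" % hostname


if __name__ == "__main__":
    for host in ("liyan-t520", "intih", "ylf", "other-host"):
        print(host, "->", keystore_check(SAN_CERT_TEXT, host) or "ok")
```

Run with the certificate text taken from `keytool -list -v` or `openssl x509 -text` output; any hostname used in the accept URL should yield `ok`, and every additional machine that will share the keystore needs its hostname in the SAN list before the keystore is reused there.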
keytool -genkeypair -alias test_host -ext san=dns:testhost.jpmorgan.com -keysize 2048 -keyalg RSA -keystore keystore.db -storetype jceks