JMS Appender does not work with secured EMS.


Article ID: KB0089532


Products Versions
TIBCO ActiveMatrix Service Grid -
TIBCO BPM Enterprise (formerly TIBCO ActiveMatrix BPM) -
TIBCO ActiveMatrix BusinessWorks Service Engine -

Description

JMS Appender fails to initialize when advanced JNDI properties such as security_protocol and ssl_enable_verify_host are used with an SSL-enabled EMS server.

Issue/Introduction

JMS Appender does not work with secured EMS.

Resolution

Analysis
*************
JMS Appender fails to initialize when advanced JNDI properties such as security_protocol and ssl_enable_verify_host are used with an SSL-enabled EMS server. In this scenario the "SSL enabled" option is not checked in the JNDI Resource Template configuration used for the Appender. Instead, the security_protocol and ssl_enable_verify_host options are set under the Advanced properties tab of the JNDI Resource Template, as shown below. This configuration works for the JMS connection RT (Resource Template) used by applications, whereas the same configuration does not work for the JMS Appender.

JNDI RT (Advanced properties):
com.tibco.tibjms.naming.security_protocol = ssl
com.tibco.tibjms.naming.ssl_enable_verify_host = false

EMS Configuration:
[SSLConnectionFactory]
  type                  = generic
  url                   = ssl://<host>:<port>
  ssl_verify_host       = disabled

Cause
*********
Unlike applications, which use JMS/JNDI Resource Instances, the JMS Appender does not use any resource instances. When the log configuration is applied, it extracts a set of predefined parameters from the resource template configuration and writes them into a runtime log4j file (node-log4j.xml, for example). Neither security_protocol nor ssl_enable_verify_host is among the predefined parameters, so the appender tries to connect in non-SSL mode during initialization.

Resolution
************
Use the following approach to make the JMS Appender work with an SSL-enabled EMS server (with ssl_verify_host disabled).

1). Configure EMS with SSL enabled. The EMS configuration:

[SSLQueueConnectionFactory]
  type                  = queue
  url                   = ssl://7333
  ssl_verify_host       = disabled
 
[SSLTopicConnectionFactory]
  type                  = topic
  url                   = ssl://7333
  ssl_verify_host       = disabled

2). Bring up the SSL-enabled EMS server.

3). Retrieve the EMS keystore using TIBCO Configuration Tool (TCT). In TCT, on the EMS configuration page, enter the correct EMS SSL information. TCT will save a keystore, located in the TCT data file, e.g., “admin-emsconfig-2014-04-02-09-35-15.jks”.

4). Create a JMS Connection Factory / JNDI Connection Factory Resource Template with an SSL URL (ssl://<host>:<port>) and SSL enabled, and then create the JMS Destination. To use an SSL-enabled URL, check the SSL-enabled options. You will need to create the keystore-related RTs:

i).    SSL Client Provider Resource Template.
ii).   Keystore Provider Resource Template. Note: for the keystore file, use the keystore retrieved in step 3 (admin-emsconfig-2014-04-02-09-35-15.jks).

5). Create a JMSAppender that uses the SSL-enabled Resource Templates from step 4 above.

6). Configure the application to use this JMSAppender.
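
The following is an added example, not part of the original article or of TIBCO's tooling: a small Python audit of connection-factory definitions in the layout shown in step 1, listing every factory whose url is not ssl:// or that sets ssl_verify_host = disabled. The sample configuration, the emshost name and the PlainFactory entry are constructed for illustration.

```python
import re

# Constructed sample in the connection-factory layout shown in step 1.
SAMPLE_CONF = """\
[SSLQueueConnectionFactory]
  type                  = queue
  url                   = ssl://7333
  ssl_verify_host       = disabled
[SSLTopicConnectionFactory]
  type                  = topic
  url                   = ssl://emshost:7333
  ssl_verify_host       = enabled
[PlainFactory]
  url                   = tcp://7222
"""

def parse_factories(text):
    """Parse '[Name]' sections with 'key = value' lines into a dict of dicts."""
    factories, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        header = re.fullmatch(r"\[(.+)\]", line)
        if header:
            current = factories.setdefault(header.group(1).strip(), {})
        elif current is not None and "=" in line:
            key, value = line.split("=", 1)
            current[key.strip().lower()] = value.strip()
    return factories

def audit(factories):
    """Return {factory: [findings]} for the transport-security settings."""
    report = {}
    for name, props in factories.items():
        findings = []
        # A url value may list several comma-separated servers.
        urls = [u.strip() for u in props.get("url", "").split(",") if u.strip()]
        if not urls:
            findings.append("no url")
        if any(not u.lower().startswith("ssl://") for u in urls):
            findings.append("non-SSL url")
        if props.get("ssl_verify_host", "").lower() == "disabled":
            findings.append("ssl_verify_host disabled")
        report[name] = findings
    return report

if __name__ == "__main__":
    for name, findings in audit(parse_factories(SAMPLE_CONF)).items():
        print(f"{name}: {', '.join(findings) or 'ok'}")
```

Running it against the real factories file after step 1 gives a reviewable list of the factories that accept the server without verification, so the setting can be revisited once the keystore from step 3 is in place.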