Article ID: KB0085271
Description
Description: How to enable an SSL connection when integrating JBOSS EAP 6.2 with EMS?
Symptoms: Failed to enable an SSL connection when integrating JBOSS EAP 6.2 with EMS.
Cause: Detailed steps to enable an SSL connection when integrating JBOSS EAP 6.2 with EMS.
Resolution
To enable an SSL connection, you need to do the following:
1. Copy the following jar files from the EMS installation lib directory:
slf4j-api-1.4.2.jar, slf4j-simple-1.4.2.jar
to the following directory:
EAP_HOME/modules/system/layers/base/org/jboss/genericjms/provider/main
You also need to copy the Java Secure Socket Extension jar file, jsse.jar, to this directory.
Then modify the module.xml file in
EAP_HOME/modules/system/layers/base/org/jboss/genericjms/provider/main as follows:
===================
<module xmlns="urn:jboss:module:1.1" name="org.jboss.genericjms.provider">
  <resources>
    <resource-root path="tibjms.jar"/>
    <resource-root path="tibcrypt.jar"/>
    <resource-root path="slf4j-api-1.4.2.jar"/>
    <resource-root path="slf4j-simple-1.4.2.jar"/>
    <resource-root path="remoteJMSObjectFactory.jar"/>
    <resource-root path="jsse.jar"/>
  </resources>
  <dependencies>
    <module name="javax.api"/>
    <module name="javax.jms.api"/>
    <system export="false">
      <paths>
        <path name="sun/net/www/protocol/http"/>
        <path name="sun/net/www/protocol/https"/>
      </paths>
    </system>
  </dependencies>
</module>
==================
2. Define the corresponding SSL JNDI properties in the ActivationConfigProperty within the MDB code:
com.tibco.tibjms.naming.security_protocol
com.tibco.tibjms.naming.ssl_identity
com.tibco.tibjms.naming.ssl_password
com.tibco.tibjms.naming.ssl_trusted
com.tibco.tibjms.naming.ssl_enable_verify_host
com.tibco.tibjms.naming.ssl_enable_verify_hostname
For example:
====
@MessageDriven(name = "HelloWorldMDB", activationConfig = {
    @ActivationConfigProperty(propertyName = "destinationType", propertyValue = "javax.jms.Queue"),
    @ActivationConfigProperty(propertyName = "destination", propertyValue = "HELLOWORLDMDBQueue"),
    @ActivationConfigProperty(propertyName = "connectionFactory", propertyValue = "SSLConnectionFactory"),
    @ActivationConfigProperty(propertyName = "user", propertyValue = "MDBuser"),
    @ActivationConfigProperty(propertyName = "password", propertyValue = "password"),
    @ActivationConfigProperty(propertyName = "jndiParameters", propertyValue =
        "java.naming.factory.url.pkgs=com.tibco.tibjms.naming;"
        + "java.naming.factory.initial=com.tibco.tibjms.naming.TibjmsInitialContextFactory;"
        + "java.naming.provider.url=localhost:7243;java.naming.security.principal=JBOSSEAP62JNDI;java.naming.security.credentials=password;"
        + "com.tibco.tibjms.naming.security_protocol=ssl;"
        + "com.tibco.tibjms.naming.ssl_identity=c:\\tibco\\ems\\8.0\\samples\\certs\\client_identity.p12;"
        + "com.tibco.tibjms.naming.ssl_password=password;com.tibco.tibjms.naming.ssl_enable_verify_host=false;com.tibco.tibjms.naming.ssl_enable_verify_hostname=false")
})
======
3. Define the connection factory being looked up with SSL parameters within the EMS server. For example, if the connection factory is called SSLConnectionFactory:
[SSLConnectionFactory]
type = xaqueue
url = ssl://lwang-t430:7243
ssl_identity = C:\TIBCO\ems\8.0\samples\certs\client_identity.p12
ssl_verify_host = disabled
ssl_verify_hostname = disabled
Note: For security reasons, you cannot configure the SSL password in the connection factory. EMS will attempt to use the password that is provided in the createConnection() call, which is the user's password. You need to set the password of the user who logs in to the EMS server using the SSL connection factory to the same password as the client certificate. Per the ActivationConfigProperty sample listed above, the user "MDBuser" is set to the same password as the client certificate.
Now the SSL connection is enabled when integrating JBOSS EAP 6.2 with EMS.
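As an added example (not part of this KB article or of TIBCO's code), the following Python check parses a jndiParameters string like the one in step 2 and flags settings that weaken the SSL connection: host or hostname verification set to false, no ssl_trusted entry, and passwords embedded in the string. The finding codes, the function names and the <path-to-ca-cert.pem> placeholder are assumptions of this example.

```python
# Added example (not from the KB article): audit a jndiParameters string.
PREFIX = "com.tibco.tibjms.naming."

def parse_jndi_parameters(value):
    """Split 'k1=v1;k2=v2' into a dict. Values may contain ':' (ports, paths)."""
    params = {}
    for pair in value.split(";"):
        if not pair.strip():
            continue  # tolerate a trailing ';'
        key, sep, val = pair.partition("=")
        if not sep:
            raise ValueError("not a key=value pair: %r" % pair)
        params[key.strip()] = val.strip()
    return params

def audit(value):
    """Return a sorted list of finding codes for one jndiParameters string."""
    p = parse_jndi_parameters(value)
    findings = []
    if p.get(PREFIX + "security_protocol", "").lower() != "ssl":
        findings.append("NO_SSL")
    # An explicit 'false' means the server certificate or its name is not checked.
    for name in ("ssl_enable_verify_host", "ssl_enable_verify_hostname"):
        if p.get(PREFIX + name, "").lower() == "false":
            findings.append(name.upper() + "_DISABLED")
    # Assumption of this example: a trusted certificate should always be listed.
    if not p.get(PREFIX + "ssl_trusted"):
        findings.append("NO_SSL_TRUSTED")
    # Secrets placed in the annotation are stored in source control and the jar.
    for name in ("java.naming.security.credentials", PREFIX + "ssl_password"):
        if p.get(name):
            findings.append("INLINE_SECRET:" + name.rsplit(".", 1)[-1])
    return sorted(findings)

# Constructed inputs: the first mirrors the step 2 sample, the second is hypothetical.
PAGE_SAMPLE = ";".join([
    "java.naming.provider.url=localhost:7243",
    "java.naming.security.credentials=password",
    PREFIX + "security_protocol=ssl",
    PREFIX + r"ssl_identity=c:\tibco\ems\8.0\samples\certs\client_identity.p12",
    PREFIX + "ssl_password=password",
    PREFIX + "ssl_enable_verify_host=false",
    PREFIX + "ssl_enable_verify_hostname=false",
])
VERIFYING_SAMPLE = (PAGE_SAMPLE.replace("=false", "=true")
                    + ";" + PREFIX + "ssl_trusted=<path-to-ca-cert.pem>")

if __name__ == "__main__":
    for label, sample in (("page", PAGE_SAMPLE), ("verifying", VERIFYING_SAMPLE)):
        print(label, audit(sample))
```

With both verification properties set to false, the connection is encrypted but the client does not authenticate the EMS server, which is why the check reports them separately from the missing ssl_trusted entry.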
Additional Information
See KB article: 39516 for instructions regarding how to integrate JBOSS EAP 6.2 with EMS.