Steps for enabling SSL on Silver Fabric broker 5.6.x and above

Article ID: KB0092787

Product: TIBCO Silver Fabric
Version: Not Applicable

Description:
Follow the steps below to enable SSL on Silver Fabric 5.6.x and above.

Issue/Introduction

Steps for enabling SSL on Silver Fabric broker 5.6.x and above

Resolution

Run the following commands in a new directory such as /opt/mycerts:

1) cp $JAVA_HOME/jre/lib/security/cacerts ssl.keystore

    1.1) If you have a certificate signed by a well-known CA whose root certificate is already in $JAVA_HOME/jre/lib/security/cacerts, that root is now in ssl.keystore as well. If it is not, add
    your CA's root certificate to ssl.keystore with: keytool -importcert -file CA_ROOT.crt -keystore ssl.keystore -alias CA_ROOT

    1.2) If you already have a signed certificate .pem file and the private .key file that was used to generate the certificate request, you can use those files directly. Just copy or rename them to
    server.crt and server.key respectively.

    1.3) If you need a self-signed certificate because you do not have a CA-signed one, generate it (and its associated private key) with this command:
    openssl req -x509 -sha256 -nodes -days 1826 -newkey rsa:2048 -keyout server.key -out server.crt

    1.4) If you are using a self-signed certificate, import the new cert into ssl.keystore with this command:
    keytool -importcert -file server.crt -keystore ssl.keystore -alias MySelfSigned


2) cp server.crt ssl.pem

    2.1) openssl pkcs12 -export -in server.crt -inkey server.key -out server.pkcs12
         keytool -importkeystore -srckeystore server.pkcs12 -srcstoretype pkcs12 -srcstorepass changeit -destkeystore server.keystore -deststoretype jks -deststorepass changeit

3) cp ssl.keystore ssl.pem <fabric home>/webapps/livecluster/engineUpdate/shared

4) cp server.crt server.key ssl.keystore server.keystore <fabric home>/webapps/livecluster/WEB-INF/certs

5) cd <fabric home>/conf
vi server.xml
-- comment out or remove 8000 and 8080 connectors
-- uncomment 8043 and 8443 connectors
-- add SSLPassword="changeit" to 8043 and 8443 connectors
-- save and exit

6) cd <fabric home>/webapps/livecluster/WEB-INF/config
vi installation.properties
-- set DSConfigureOnStartup=true
-- save and exit

7) cd <fabric home>
./server.sh stop
./server.sh start

8) Connect to your server with a browser on the HTTPS port and complete the reinstallation. Make sure to enable SSL. Then restart the server again:
cd <fabric home>
./server.sh stop
./server.sh start

9) Set all the SSL parameters to True in the Admin UI (under Config > Broker > Security). Change the port from 0 to 8043. Restart the manager.

10) Download a new Linux64 engine install (that is what was used for this test, but any engine install should work). Unzip the Linux64 engine installation zip file that was downloaded from the manager into a directory (for example, /opt/DSEngine).

11) cd /opt/DSEngine
-- copy the ssl.keystore and ssl.pem files from <fabric home>/webapps/livecluster/engineUpdate/shared into your engine's root directory
-- run ./configure.sh -l y -s hostname:port (note that the port here will be 8443, since this is an SSL-enabled broker)
-- run ./engine.sh start; your engines should connect to the SSL-enabled broker without any issues
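The following script is an added example, not part of this KB article or of Silver Fabric: it wraps steps 1 and 2 above into one run that builds ssl.keystore, server.keystore and ssl.pem, and first checks that server.crt and server.key actually belong together, since a mismatched pair (easy to end up with in step 1.2) only fails later at the pkcs12 export. It assumes openssl and keytool are on PATH; the WORK, STOREPASS, BROKER_HOST and CERT_DAYS variables and the CA_ROOT.crt file name are this script's own conventions.

```sh
#!/bin/sh
# Added example, not from the KB article: steps 1 and 2 as one script that
# also verifies server.crt and server.key belong together before importing.
# Assumes openssl and keytool on PATH; WORK, STOREPASS, BROKER_HOST, CERT_DAYS
# and CA_ROOT.crt are this script's own conventions, not Silver Fabric's.
set -eu
WORK=${WORK:-/opt/mycerts}
STOREPASS=${STOREPASS:-changeit}      # must match SSLPassword in server.xml (step 5)
CERT_DAYS=${CERT_DAYS:-1826}

# Return 0 when the public key inside the certificate equals the public key
# derived from the private key; a mismatched pair fails the pkcs12 export.
cert_matches_key() {
  c=$(openssl x509 -in "$1" -noout -pubkey | openssl pkey -pubin -outform DER | openssl dgst -sha256)
  k=$(openssl pkey -in "$2" -pubout -outform DER | openssl dgst -sha256)
  [ -n "$c" ] && [ "$c" = "$k" ]
}

# Step 1.3, with the broker hostname in CN and SAN so engines can verify it.
# Arguments: hostname, certificate path, private key path.
make_self_signed() {
  openssl req -x509 -sha256 -nodes -days "$CERT_DAYS" -newkey rsa:2048 \
    -subj "/CN=$1" -addext "subjectAltName=DNS:$1" -keyout "$3" -out "$2" 2>/dev/null
  chmod 600 "$3"                      # -nodes leaves the key unencrypted on disk
}

build_stores() {
  cacerts="${JAVA_HOME:?JAVA_HOME must point at the JRE}/jre/lib/security/cacerts"
  mkdir -p "$WORK" && cd "$WORK"
  if ! [ -f server.crt ] || ! [ -f server.key ]; then
    make_self_signed "${BROKER_HOST:-$(hostname)}" server.crt server.key
  fi
  cert_matches_key server.crt server.key || { echo "server.crt/server.key mismatch" >&2; return 1; }
  cp "$cacerts" ssl.keystore          # step 1: start from the JRE trust store (password changeit)
  [ "$STOREPASS" = changeit ] || keytool -storepasswd -keystore ssl.keystore -storepass changeit -new "$STOREPASS"
  if [ -f CA_ROOT.crt ]; then         # step 1.1: trust the CA root ...
    keytool -importcert -noprompt -file CA_ROOT.crt -alias CA_ROOT -keystore ssl.keystore -storepass "$STOREPASS"
  else                                # ... or (step 1.4) the self-signed certificate itself
    keytool -importcert -noprompt -file server.crt -alias MySelfSigned -keystore ssl.keystore -storepass "$STOREPASS"
  fi
  cp server.crt ssl.pem               # step 2
  openssl pkcs12 -export -in server.crt -inkey server.key -out server.pkcs12 -passout "pass:$STOREPASS"
  keytool -importkeystore -noprompt -srckeystore server.pkcs12 -srcstoretype pkcs12 \
    -srcstorepass "$STOREPASS" -destkeystore server.keystore -deststoretype jks -deststorepass "$STOREPASS"
  # the identity store must now hold a private key entry, or the connector cannot serve TLS
  keytool -list -keystore server.keystore -storepass "$STOREPASS" | grep -q PrivateKeyEntry
}

case "${1:-}" in run) build_stores ;; esac   # usage: ./make-stores.sh run
```

After it finishes, copy the files from $WORK as in steps 3 and 4.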