TIBCO—SSL for JMS Capture Point

In general, configuring an SSL connection consists of the following major steps:

Prepare the certificates.
Configure the JMS provider to operate in SSL mode.
Configure the options in Interaction Server's jvm-options section and add required JARs to the class path.
Configure the JMS Capture Point.

Configuring a capture point to use SSL (TIBCO example)

Important

This example assumes that:

An instance of TIBCO Enterprise Message Service is configured and operating with a JMS Capture Point, without SSL.
TIBCO EMS 6.0 is running on a host named tibcohost.
OpenSSL is present.

The first several steps involve configuring the TIBCO EMS:

Use OpenSSL to generate the following certificates:
1. Generate a server certificate: openssl req -x509 -days 365 -subj "/C=US/ST=California/L=Daly City/CN=tibcohost.genesyslab.com" -newkey rsa:2048 -keyout tibcoserver.key.pem -out tibcoserver.pem
2. Generate a client certificate: openssl req -x509 -days 365 -subj "/C=US/ST=California/L=Daly City/CN=tibcohost.genesyslab.com" -newkey rsa:2048 -keyout tibcoclient.key.pem -out tibcoclient.pem
3. Export the generated certificate and the key into a client identity: openssl pkcs12 -export -in tibcoclient.pem -inkey tibcoclient.key.pem -out tibcoclient.p12
Configure TIBCO properties:
1. New configuration file: this example assumes that the relevant certificates are copied into the folder /opt/tibco/ems/6.0/samples/certs/. Prepare a new TIBCO configuration file tibemsd_ssl.conf based on tibemsd.conf by adding or modifying the following lines:
```
listen = ssl://7243
ssl_require_client_cert = enabled
ssl_server_identity = /opt/tibco/ems/6.0/samples/certs/tibcoserver.pem
ssl_server_key = /opt/tibco/ems/6.0/samples/certs/tibcoserver.key.pem
ssl_password = tibcoserver
ssl_server_trusted = /opt/tibco/ems/6.0/samples/certs/tibcoclient.pem
```
2. Update factories configuration: In factories.conf, configure the following factory (or add a factory with a new name):
```
[SSLQueueConnectionFactory]
type = queue
url = ssl://tibcohost.genesyslab.com:7243
ssl_identity = //opt/tibco/ems/6.0/samples/certs/tibcoclient.p12
ssl_trusted = //opt/tibco/ems/6.0/samples/certs/tibcoserver.pem
```
3. Use the TIBCO EMS Administration tool to create a new user: tcp://localhost:7222> create user genesys password=tibcoclient
4. Restart TIBCO with the new configuration: tibemsd -config "{Path to tibemsd_ssl.conf}/tibemsd_ssl.conf"
Configure Interaction Server options: Add the following TIBCO EMS jars to the -Djava.class.path option in the jvm-options section: jms.jar, tibjms.jar, tibcrypt.jar, slf4j-simple-1.4.2.jar, slf4j-api-1.4.2.jar.
Configure the JMS Capture Point:
1. In the settings section, set options as follows:
  - jms-connection-factory-lookup-name=SSLQueueConnectionFactory
    This option points to a new connection factory.
  - jms-provider-url=ssl://tibcohost.genesyslab.com:7243
    The provider URL now points to a secure port.
  - password=tibcoclient
  - username=genesys
    The username and password correspond to those of the newly created TIBCO client.
2. In the jms-additional-context-attributes section, set options as follows:
  - com.tibco.tibjms.naming.security_protocol=ssl
  - com.tibco.tibjms.naming.ssl_enable_verify_host=true
  - com.tibco.tibjms.naming.ssl_enable_verify_hostname=false
  - com.tibco.tibjms.naming.ssl_identity={Local path to certificates}\tibcoclient.p12
  - com.tibco.tibjms.naming.ssl_password=tibcoclient
  - com.tibco.tibjms.naming.ssl_trusted_certs={Local path to certificates}\tibcoserver.pem
  - java.naming.security.credentials=tibcoclient
  - java.naming.security.principal=genesys
  - com.tibco.tibjms.naming.ssl_debug_trace=true
  - com.tibco.tibjms.naming.ssl_trace=true

TIBCO—SSL for JMS Capture Point

Configuring a capture point to use SSL (TIBCO example)

Contact

Genesys

Customer Care

Legal