
TIBCO—SSL for JMS Capture Point

Outline

In general, configuring an SSL connection consists of the following major steps:

  1. Prepare the certificates.
  2. Configure the JMS provider to operate in SSL mode.
  3. Configure the options in Interaction Server's jvm-options section and add required JARs to the class path.
  4. Configure the JMS Capture Point.

Configure Capture Point to use SSL (TIBCO example)

Prerequisites

This example assumes that:

  • An instance of TIBCO Enterprise Message Service is configured and operating with a JMS Capture Point, without SSL.
  • TIBCO EMS 6.0 is running on a host named tibcohost.
  • OpenSSL is present.

Start

The first several steps involve configuring the TIBCO EMS:

  1. Use OpenSSL to generate the following certificates:
    1. Generate a server certificate:

       openssl req -x509 -days 365 -subj "/C=US/ST=California/L=Daly City/CN=tibcohost.genesyslab.com" \
         -newkey rsa:2048 -keyout tibcoserver.key.pem -out tibcoserver.pem

       Note that the PEM password in this example is tibcoserver.

    2. Generate a client certificate:

       openssl req -x509 -days 365 -subj "/C=US/ST=California/L=Daly City/CN=tibcohost.genesyslab.com" \
         -newkey rsa:2048 -keyout tibcoclient.key.pem -out tibcoclient.pem

       Note that the PEM password for this example certificate is tibcoclient.

    3. Export the generated certificate and its key into a client identity (a PKCS#12 file):

       openssl pkcs12 -export -in tibcoclient.pem -inkey tibcoclient.key.pem -out tibcoclient.p12

  2. Configure TIBCO properties:
    1. New configuration file: this example assumes that the relevant certificates are copied into the folder /opt/tibco/ems/6.0/samples/certs/. Prepare a new TIBCO configuration file tibemsd_ssl.conf based on tibemsd.conf by adding or modifying the following lines:

       listen = ssl://7243
       ssl_require_client_cert = enabled
       ssl_server_identity = /opt/tibco/ems/6.0/samples/certs/tibcoserver.pem
       ssl_server_key = /opt/tibco/ems/6.0/samples/certs/tibcoserver.key.pem
       ssl_password = tibcoserver
       ssl_server_trusted = /opt/tibco/ems/6.0/samples/certs/tibcoclient.pem

    2. Update the factories configuration: in factories.conf, configure the following factory (or add a factory with a new name):

       [SSLQueueConnectionFactory]
       type = queue
       url = ssl://tibcohost.genesyslab.com:7243
       ssl_identity = /opt/tibco/ems/6.0/samples/certs/tibcoclient.p12
       ssl_trusted = /opt/tibco/ems/6.0/samples/certs/tibcoserver.pem

    3. Use the TIBCO EMS Administration tool to create a new user:

       tcp://localhost:7222> create user genesys password=tibcoclient

       The user password must be exactly the same as the PEM password of the example client certificate. Note the following excerpt from the TIBCO EMS User's Guide (Chapter 18): "Because connection factories do not contain the ssl_password (for security reasons), the EMS server uses the password that is provided in the create connection call for user authentication. If the create connection password is different from the ssl_password, the connection creation will fail."

    4. Restart TIBCO with the new configuration:

       tibemsd -config "{Path to tibemsd_ssl.conf}/tibemsd_ssl.conf"

  3. Configure Interaction Server options: Add the following TIBCO EMS jars to the -Djava.class.path option in the jvm-options section: jms.jar, tibjms.jar, tibcrypt.jar, slf4j-simple-1.4.2.jar, slf4j-api-1.4.2.jar.
  4. Configure the JMS Capture Point:
    1. In the settings section, set the following options:

       jms-connection-factory-lookup-name=SSLQueueConnectionFactory
       jms-provider-url=ssl://tibcohost.genesyslab.com:7243
       username=genesys
       password=tibcoclient

       jms-connection-factory-lookup-name now points to the new connection factory, jms-provider-url points to the secure port, and username and password are those of the TIBCO user created above.

    2. In the jms-additional-context-attributes section, set the following options:

       com.tibco.tibjms.naming.security_protocol=ssl
       com.tibco.tibjms.naming.ssl_enable_verify_host=true
       com.tibco.tibjms.naming.ssl_enable_verify_hostname=false
       com.tibco.tibjms.naming.ssl_identity={Local path to certificates}\tibcoclient.p12
       com.tibco.tibjms.naming.ssl_password=tibcoclient
       com.tibco.tibjms.naming.ssl_trusted_certs={Local path to certificates}\tibcoserver.pem
       java.naming.security.credentials=tibcoclient
       java.naming.security.principal=genesys

       With ssl_enable_verify_host=true the client verifies the server certificate against ssl_trusted_certs; ssl_enable_verify_hostname=false leaves out the additional check that the certificate's CN matches the expected host name, so trust in this example rests on the pinned tibcoserver.pem alone.

       The following two options can be added for debugging:

       com.tibco.tibjms.naming.ssl_debug_trace=true
       com.tibco.tibjms.naming.ssl_trace=true
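The following small Java client is an added illustration, not code from this page or from Genesys: it does what the JMS Capture Point does with the settings above, building a JNDI context from the jms-additional-context-attributes, looking up SSLQueueConnectionFactory and creating a queue connection with the username and password from the settings section, which is a convenient way to verify the TIBCO side before touching Interaction Server. The initial context factory class name com.tibco.tibjms.naming.TibjmsInitialContextFactory and the CERT_DIR folder are assumptions; as the User's Guide excerpt above states, a create-connection password that differs from the client identity's ssl_password makes createQueueConnection fail.

```java
import java.util.Hashtable;
import javax.jms.JMSException;
import javax.jms.QueueConnection;
import javax.jms.QueueConnectionFactory;
import javax.naming.Context;
import javax.naming.InitialContext;
import javax.naming.NamingException;

/** Stand-alone check that the SSL settings of the JMS Capture Point work end to end. */
public class TibcoSslCapturePointCheck {
    // Assumed local folder holding tibcoclient.p12 and tibcoserver.pem ("{Local path to certificates}" on the page).
    private static final String CERT_DIR = "/opt/tibco/ems/6.0/samples/certs";

    /** Builds the JNDI environment from the jms-additional-context-attributes section. */
    static Hashtable<String, String> sslContextEnv() {
        Hashtable<String, String> env = new Hashtable<>();
        // Assumed TIBCO JNDI initial context factory; the provider URL is the secure port from jms-provider-url.
        env.put(Context.INITIAL_CONTEXT_FACTORY, "com.tibco.tibjms.naming.TibjmsInitialContextFactory");
        env.put(Context.PROVIDER_URL, "ssl://tibcohost.genesyslab.com:7243");
        env.put(Context.SECURITY_PRINCIPAL, "genesys");        // java.naming.security.principal
        env.put(Context.SECURITY_CREDENTIALS, "tibcoclient");  // java.naming.security.credentials
        env.put("com.tibco.tibjms.naming.security_protocol", "ssl");
        env.put("com.tibco.tibjms.naming.ssl_enable_verify_host", "true");      // check server cert against trusted certs
        env.put("com.tibco.tibjms.naming.ssl_enable_verify_hostname", "false"); // CN check switched off, as on the page
        env.put("com.tibco.tibjms.naming.ssl_identity", CERT_DIR + "/tibcoclient.p12");
        env.put("com.tibco.tibjms.naming.ssl_password", "tibcoclient");
        env.put("com.tibco.tibjms.naming.ssl_trusted_certs", CERT_DIR + "/tibcoserver.pem");
        return env;
    }

    public static void main(String[] args) throws NamingException, JMSException {
        Context ctx = new InitialContext(sslContextEnv());
        try {
            // jms-connection-factory-lookup-name: the factory defined in factories.conf.
            QueueConnectionFactory factory = (QueueConnectionFactory) ctx.lookup("SSLQueueConnectionFactory");
            // The password must equal the ssl_password of the client identity, otherwise EMS rejects the connection.
            QueueConnection conn = factory.createQueueConnection("genesys", "tibcoclient");
            try {
                conn.start();
                System.out.println("SSL connection established to " + conn.getMetaData().getJMSProviderName());
            } finally {
                conn.close();
            }
        } finally {
            ctx.close();
        }
    }
}
```

Compile and run it with the jars listed in step 3 (jms.jar, tibjms.jar, tibcrypt.jar and the slf4j jars) on the class path; a failure here with ssl_trace enabled shows which side of the handshake rejected the certificate or password.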

End

This page was last edited on June 18, 2020, at 10:43.