TIBCO EMS and SSL

Article ID: 48355

Products

Service Virtualization CA Application Test

Issue/Introduction

Configuring TIBCO EMS and SSL

Environment

All supported DevTest releases and platforms.

Cause

N/A

Resolution

Server-side SSL

Server-side SSL is the most common type. The EMS server provides a signed certificate that verifies its identity to each client.

Finding the EMS server's SSL certificate

On the TIBCO machine, open EMS_HOME/bin/tibemsd.conf and find the following lines:

ssl_server_identity     = <full path>\<server certificate.pem>
ssl_server_issuer       = <full path>\<CA certificate.pem>

These two lines give the full paths to the EMS server's SSL certificate and to the CA certificate that issued it, respectively. If your EMS server is using a self-signed certificate, the second line may be missing or may contain the same file path as the first.

Copy the CA certificate (or, if it is missing, the server certificate) to the LISA install directory. If LISA is running on the same machine as TIBCO, you can probably skip this and use the certificate file where it is.

Make a note of the absolute path of the certificate file.

Configuring DevTest

Open the Advanced tab on the TIBCO EMS step and add the following properties:

Name                                                  Value
com.tibco.tibjms.naming.ssl_trusted_certs             <absolute path to certificate.pem>
com.tibco.tibjms.naming.security_protocol             ssl
com.tibco.tibjms.naming.ssl_enable_verify_host        true
com.tibco.tibjms.naming.ssl_enable_verify_hostname    false

Client-side SSL

Client-side SSL is less common. Each client has a private key and a public certificate that it uses to prove its identity to the EMS server.

Getting the client keystore

The client keystore, in .p12 format, must be provided by your EMS administrator. It is assumed that your EMS server is also using a server-side SSL certificate, and that both the client-side and server-side certificates are signed by the same Certificate Authority.

Configuring LISA

In the Advanced tab, add the following property:

Name                                    Value
com.tibco.tibjms.naming.ssl_identity    <absolute path to clientkeystore.p12>

In the Connection Info -> Password field, enter the keystore pass phrase.

Note: If there is already a connection password then it must be exactly the same as the keystore password.

Changing a keystore's pass phrase

The login password has to be the same as the keystore pass phrase for both to work at the same time with the EMS Java client libraries, so it may be necessary to change one of them to match the other. The keystore pass phrase can be changed with OpenSSL.

Assuming the original keystore is named original.p12:

openssl pkcs12 -in original.p12 > temp.pem

  • Enter the original pass phrase, then enter the new pass phrase twice for the new temporary .pem keystore

openssl pkcs12 -in temp.pem -export > original-new-passphrase.p12

  • Enter the new pass phrase to read the .pem, then the new pass phrase twice again for the new .p12 keystore

Get rid of the temporary .pem file:

rm temp.pem

The new keystore, named original-new-passphrase.p12, contains the same certificates and keys as the old keystore but with a different pass phrase.

Additional Information

To debug the SSL connection handshake, see:

How to collect SSL debug information to help debugging SSL handshake issue

Do not configure a .jks keystore; configure a .cer/.pem certificate or a .p12 keystore instead.