TIBCO EMS and SSL

Document ID : KB000048355
Last Modified Date : 14/02/2018


Server-side SSL

Server-side SSL is the most common type. The EMS server presents a certificate, signed by a Certificate Authority (CA) the clients trust, to prove its identity to each client; the client only has to be told which CA (or which self-signed certificate) to trust.

Finding the EMS server's SSL certificate

On the TIBCO machine, view EMS_HOME/bin/tibemsd.conf. Find the following lines:


ssl_server_identity     = <full path>\<server certificate.pem>
ssl_server_issuer       = <full path>\<CA certificate.pem>

These two lines give the full paths to the EMS server's SSL certificate and to the CA certificate that issued it, respectively. If your EMS server is using a self-signed certificate then the second line may be missing, or may contain the same file path as the first.

Copy the CA certificate, or if it is missing, the server certificate, to the LISA install directory. If LISA runs on the same machine as the EMS server you can skip the copy and point LISA at the file where it is, as long as the LISA process can read it.

Make a note of the absolute path of the certificate file.
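The lookup above, as an added shell example that is not part of this KB article: it reads the two ssl_server_* keys out of tibemsd.conf, picks the file LISA has to trust (the issuer if one is configured, otherwise the server certificate itself), and then uses openssl verify to confirm that the chosen file really is the issuer of the server certificate before you copy it anywhere. The function names and the file names in the comments are assumptions for illustration.

```shell
#!/bin/sh
# Added example, not from the KB article: locate and sanity-check the EMS
# server's trust anchor from tibemsd.conf. Function names are assumptions.

# Print the value of "key = value" from tibemsd.conf (first match, trailing
# whitespace dropped). usage: ems_conf_get tibemsd.conf ssl_server_identity
ems_conf_get() {
    sed -n "s/^[[:space:]]*$2[[:space:]]*=[[:space:]]*//p" "$1" \
        | sed 's/[[:space:]]*$//' | head -n 1
}

# The file LISA must list as a trusted certificate: the issuer CA when
# ssl_server_issuer is configured, otherwise the (self-signed) server cert.
# usage: ems_trust_anchor tibemsd.conf   -> prints the path
ems_trust_anchor() {
    issuer=$(ems_conf_get "$1" ssl_server_issuer)
    if [ -n "$issuer" ]; then
        printf '%s\n' "$issuer"
    else
        ems_conf_get "$1" ssl_server_identity
    fi
}

# Confirm the server certificate chains to the chosen anchor. A missing
# ssl_server_issuer line on a server whose certificate is NOT self-signed
# shows up here as a failure instead of a mysterious handshake error later.
# usage: ems_check_chain tibemsd.conf   -> exit status 0 if the chain verifies
ems_check_chain() {
    anchor=$(ems_trust_anchor "$1")
    server=$(ems_conf_get "$1" ssl_server_identity)
    if [ ! -r "$anchor" ] || [ ! -r "$server" ]; then
        echo "certificate file missing or unreadable: $anchor / $server" >&2
        return 1
    fi
    openssl verify -CAfile "$anchor" "$server" >/dev/null 2>&1
}

# Typical use: ems_check_chain /opt/tibco/ems/bin/tibemsd.conf && ems_trust_anchor /opt/tibco/ems/bin/tibemsd.conf
```

If ems_check_chain fails while ssl_server_issuer is absent, the server certificate is not self-signed and you need the issuing CA's certificate from the EMS administrator rather than the server certificate.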

Configuring LISA

Open the advanced tab on the TIBCO EMS step and add the following properties:

Name                                                 Value
com.tibco.tibjms.naming.ssl_trusted_certs            <absolute path to certificate.pem>
com.tibco.tibjms.naming.security_protocol            ssl
com.tibco.tibjms.naming.ssl_enable_verify_host       true
com.tibco.tibjms.naming.ssl_enable_verify_hostname   false

With these values the client checks that the server's certificate chains to the trusted file, but not that the name in the certificate matches the host it connected to, so any certificate issued by that CA would be accepted. Only set ssl_enable_verify_hostname to false when the certificate's name genuinely differs from the address LISA uses; otherwise leave it true, and if the name differs for a known reason, keep it true and set com.tibco.tibjms.naming.ssl_expected_hostname to the name in the certificate instead.

Client-side SSL

Client-side SSL (mutual TLS) is less common. Each client has its own private key and certificate, which it uses to prove its identity to the EMS server in addition to the server proving its identity to the client.

Getting the client keystore

The client keystore, in .p12 format, must be provided by your EMS administrator. It's assumed that your EMS server is also using a server-side SSL certificate, and that both the client-side and server-side certificates are signed by the same Certificate Authority.

Configuring LISA

In the Advanced Tab, add the following property:

Name                                       Value
com.tibco.tibjms.naming.ssl_identity       <absolute path to clientkeystore.p12>

In the Connection Info -> Password field, enter the keystore pass phrase.

Note: If the connection already has a password (the EMS user login), it must be exactly the same string as the keystore pass phrase, because the EMS Java client library uses the single password it is given for both purposes.

Changing a keystore's pass phrase

The login password has to be the same as the keystore pass phrase for both to work at the same time with the EMS Java client libraries, so it may be necessary to change one of them. Changing the keystore pass phrase can be done with OpenSSL, by dumping the keystore to a temporary PEM file protected with the new pass phrase and then exporting that PEM file back to PKCS#12:

Assuming the original keystore is named original.p12:

openssl pkcs12 -in original.p12 -out temp.pem

  • Enter the original pass phrase to read original.p12, then enter the new pass phrase twice; it encrypts the private key inside the temporary temp.pem

openssl pkcs12 -in temp.pem -export -out original-new-passphrase.p12

  • Enter the new pass phrase to read temp.pem, then the new pass phrase twice again as the export password for the new .p12 keystore

Use -out rather than shell redirection for the .p12 so the binary output is written as-is by OpenSSL, whichever shell you are in.

Get rid of the temporary .pem file as soon as the export succeeds; it contains the private key, protected only by the new pass phrase:

rm temp.pem

(on Windows: del temp.pem)

The new keystore, named original-new-passphrase.p12, contains the same certificates and keys as the old keystore but with a different pass phrase. Note that OpenSSL 3.x writes PKCS#12 files with newer (AES and PBKDF2 based) encryption by default; if the EMS client libraries refuse to open the new keystore, repeat the export step with the -legacy option so the file uses the older algorithms.
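The same three steps as a non-interactive shell function, added here as an example that is not part of this KB article. It passes both pass phrases through environment variables (OpenSSL's env: password source) rather than typing them or putting them on the command line, deletes the temporary PEM even when a step fails, and then checks that the certificate and key inside the new keystore are identical to those in the old one and that the old pass phrase no longer opens it. The function names, the variable names OLD_PASS and NEW_PASS and the sample file names are assumptions.

```shell
#!/bin/sh
# Added example, not from the KB article: change a PKCS#12 keystore's pass
# phrase the same way the article does, but scripted and verified.
# Assumes OLD_PASS and NEW_PASS are exported in the environment.

# SHA-256 fingerprint of the end-entity certificate inside a .p12.
# usage: p12_cert_fingerprint file.p12 NAME_OF_ENV_VAR_HOLDING_PASSWORD
p12_cert_fingerprint() {
    openssl pkcs12 -in "$1" -passin "env:$2" -nokeys -clcerts 2>/dev/null \
        | openssl x509 -noout -fingerprint -sha256 | sed 's/^.*=//'
}

# SHA-256 of the private key's public half, so the key is compared too.
# usage: p12_key_fingerprint file.p12 NAME_OF_ENV_VAR_HOLDING_PASSWORD
p12_key_fingerprint() {
    openssl pkcs12 -in "$1" -passin "env:$2" -nocerts -nodes 2>/dev/null \
        | openssl pkey -pubout -outform DER 2>/dev/null \
        | openssl dgst -sha256 | sed 's/^.*= //'
}

# rewrap_p12 original.p12 original-new-passphrase.p12
# Step 1: dump to a temporary PEM whose private key is encrypted with NEW_PASS.
# Step 2: export that PEM back to PKCS#12 under NEW_PASS.
# Step 3: delete the temporary PEM and verify only the pass phrase changed.
rewrap_p12() {
    in_p12=$1
    out_p12=$2
    tmp_pem=$(mktemp) || return 1
    # -passin opens the old keystore, -passout encrypts the key in the PEM
    if ! openssl pkcs12 -in "$in_p12" -passin env:OLD_PASS \
            -passout env:NEW_PASS -out "$tmp_pem" 2>/dev/null; then
        rm -f "$tmp_pem"; return 1
    fi
    # here -passin decrypts the PEM key and -passout is the export password
    if ! openssl pkcs12 -export -in "$tmp_pem" -passin env:NEW_PASS \
            -out "$out_p12" -passout env:NEW_PASS 2>/dev/null; then
        rm -f "$tmp_pem"; return 1
    fi
    rm -f "$tmp_pem"   # the PEM holds the private key; do not leave it behind
    # same certificate and same key in both keystores
    [ "$(p12_cert_fingerprint "$in_p12" OLD_PASS)" = \
      "$(p12_cert_fingerprint "$out_p12" NEW_PASS)" ] || return 1
    [ "$(p12_key_fingerprint "$in_p12" OLD_PASS)" = \
      "$(p12_key_fingerprint "$out_p12" NEW_PASS)" ] || return 1
    # and the old pass phrase must no longer open the new keystore
    if openssl pkcs12 -in "$out_p12" -passin env:OLD_PASS -noout 2>/dev/null; then
        echo "new keystore still opens with the old pass phrase" >&2
        return 1
    fi
    return 0
}

# Typical use:
#   OLD_PASS='current phrase' NEW_PASS='ems login password' ; export OLD_PASS NEW_PASS
#   rewrap_p12 original.p12 original-new-passphrase.p12 && echo rewrapped
```

Set NEW_PASS to the EMS connection password so the single password LISA is given works for both the login and the keystore. If the EMS client cannot open the result on OpenSSL 3.x, add -legacy to the export command inside rewrap_p12.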