  • BW5.X - How to connect to an email server using TLSv1.2 from BusinessWorks 5.X


    Security is an increasing concern in integration projects, and this includes securing the connections to the enterprise email server.

    This article explains how to connect to an SMTP email server using TLS 1.2 from BusinessWorks 5.X. It is illustrated by the set-up of a connection to the Microsoft outlook.com email cloud service, which uses TLSv1.2.

    Pre-requisites

    At minimum you must use BusinessWorks 5.13.1 with TRA 5.10.2 and Administrator 5.10.2. It is not possible to connect to an SMTP server using TLS 1.2 with BusinessWorks 5.13.0.

    You need to have the public certificates of the target SMTP server in PEM format (.pem files).

    You need to know the hostname and port used by the target email server.

    For outlook.com the host and port to use are the following: smtp-mail.outlook.com:587

    Reference elements are available on the Microsoft support site:

    https://support.microsoft.com/fr-fr/office/param%C3%A8tres-pop-imap-et-smtp-pour-outlook-com-d088b986-291d-42b8-9564-9c414e2aa040

    Downloading the outlook.com public certificates

    To do this you need to use openssl. The Windows version of this open source tool can be downloaded from the following URL:

    https://slproweb.com/products/Win32OpenSSL.html

    Once installed you have to use the following command to get the certificates:
    openssl s_client -starttls smtp -showcerts -connect smtp-mail.outlook.com:587


    From the output of the command, copy and paste the certificates one by one into text files with the .pem extension (make sure to have one text file per certificate and to include the ‘BEGIN CERTIFICATE’ and ‘END CERTIFICATE’ tags).

    Keep the certificate files in a local folder on your machine.

    [Screenshot: example of the certificates folder content]
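The copy-and-paste step above can be scripted. This added example (not part of the original article) splits saved `openssl s_client -showcerts` output into one .pem file per certificate, skips the server certificate that s_client prints a second time, and returns each SHA-256 fingerprint so it can be compared with a value obtained from the server's administrator. The sample output, host name and `certN.pem` file names are constructed.

```python
import base64
import hashlib
import re
from pathlib import Path

PEM_RE = re.compile(
    r"-----BEGIN CERTIFICATE-----\s+(.*?)\s+-----END CERTIFICATE-----", re.S)

def split_showcerts(output):
    """Return [(pem_text, sha256_hex_of_der)], one entry per distinct certificate."""
    certs, seen = [], set()
    for match in PEM_RE.finditer(output):
        body = "".join(match.group(1).split())
        # Raises ValueError on non-base64 characters or bad padding (damaged paste).
        der = base64.b64decode(body, validate=True)
        digest = hashlib.sha256(der).hexdigest()
        if digest in seen:  # s_client prints the server certificate a second time
            continue
        seen.add(digest)
        wrapped = "\n".join(body[i:i + 64] for i in range(0, len(body), 64))
        pem = f"-----BEGIN CERTIFICATE-----\n{wrapped}\n-----END CERTIFICATE-----\n"
        certs.append((pem, digest))
    return certs

def write_pem_folder(output, folder):
    """Write cert0.pem, cert1.pem, ... (hypothetical names); return {name: sha256}."""
    target = Path(folder)
    target.mkdir(parents=True, exist_ok=True)
    written = {}
    for index, (pem, digest) in enumerate(split_showcerts(output)):
        written[f"cert{index}.pem"] = digest
        (target / f"cert{index}.pem").write_text(pem, encoding="ascii")
    return written

def fake_block(seed):
    """Constructed stand-in for a certificate block; NOT a real certificate."""
    body = base64.encodebytes(seed * 8).decode()
    return f"-----BEGIN CERTIFICATE-----\n{body}-----END CERTIFICATE-----\n"

LEAF = fake_block(b"constructed leaf, not a real certificate")
SAMPLE = ("CONNECTED(00000003)\n---\nCertificate chain\n"
          " 0 s:CN = smtp.example.test\n   i:CN = Example Issuing CA\n" + LEAF
          + " 1 s:CN = Example Issuing CA\n   i:CN = Example Root CA\n"
          + fake_block(b"constructed issuer, not a real certificate")
          + "---\nServer certificate\n" + LEAF + "subject=CN = smtp.example.test\n")

if __name__ == "__main__":
    for name, digest in write_pem_folder(SAMPLE, "Certs-example").items():
        print(name, "sha256=" + digest)  # compare with a fingerprint obtained out of band
```

For real use, save the output of the openssl command to a file and pass its contents in place of SAMPLE.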

    Updating the application

    You have to do the following:

    . Create a folder in the project to be used in the SSL configuration (for example a ‘Certs’ folder)

    . Create a Global Variable named BW_GLOBAL_TRUSTED_CA_STORE under the root level of the Global Variables definitions

    . Set the value of the Global Variable to the name of the local folder where the certificates are stored, with file:/// in front (there are three slashes)

    For example: file:///C:\Tests\Certs


    Then the ‘Send Mail’ activity must be configured with the following:

    . Check the ‘Use SSL’ option
    . Check the ‘Authenticate’ option
    . Set the User Name and Password
    . Configure the ‘SSL Configuration’ with the following:

    . The ‘Trusted Certificates Folder’ must point to the folder created before in your project (it can be empty, as the BW_GLOBAL_TRUSTED_CA_STORE takes precedence over this configuration)

    . It is generally good practice to check the ‘Strong Cipher Suites only’ option


    . Then map the ‘Input’ of the Send Mail activity as needed


    Testing the application in the Debugger

    Edit the designer.tra file from the directory <TIBCO_HOME>/designer/5.X/bin to add the following properties:

    java.property.TIBCO_SECURITY_VENDOR=j2se
    java.property.com.tibco.security.NoExplicitCAChain=true
    java.property.mail.smtp.starttls.enable=true
    java.property.mail.smtp.ssl.protocols=TLSv1.2


    Restart Designer and test your applications.

    In case of problems you can add the following property in the designer.tra file to debug the SSL/TLS negotiation:

    java.property.javax.net.debug=ssl,handshake,plaintext,record

    With this option the SSL/TLS negotiation messages will be logged in the Designer Console Window.

    You may also have a look at the following TIBCO support KB article:
    https://community.tibco.com/s/article/common-errors-tibco-activematrix-businessworkstm-related-ssl-communication

    Using the certificates in deployed mode

    You have to do the following:

    . Copy the certificate files to all BusinessWorks servers

    . Edit the bwengine.tra file from the directory <TIBCO_HOME>/bw/5.X/bin to add the following properties (same as for Designer):

    java.property.TIBCO_SECURITY_VENDOR=j2se
    java.property.com.tibco.security.NoExplicitCAChain=true
    java.property.mail.smtp.starttls.enable=true
    java.property.mail.smtp.ssl.protocols=TLSv1.2


    . Upload the application archive

    . Set the value of the BW_GLOBAL_TRUSTED_CA_STORE Global Variable and of other Global Variables as needed.
    Note that the BW_GLOBAL_TRUSTED_CA_STORE Global Variable value should be set with the name of the target directory prefixed with file:/// (3 slashes), for example:

    • Windows : file:///c:\mycerts
    • Linux : file:////opt/etc/config/mycerts

    . Deploy the application
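Because the same properties have to be present on every BusinessWorks server, this added example (not from the original article) audits the text of a designer.tra or bwengine.tra file for the four properties listed above and flags the javax.net.debug troubleshooting property if it was left enabled, since its record and plaintext options write decrypted record contents to the log. It assumes key=value lines with # comments; the sample fragment is constructed.

```python
# The four properties the article adds to designer.tra and bwengine.tra.
REQUIRED = {
    "java.property.TIBCO_SECURITY_VENDOR": "j2se",
    "java.property.com.tibco.security.NoExplicitCAChain": "true",
    "java.property.mail.smtp.starttls.enable": "true",
    "java.property.mail.smtp.ssl.protocols": "TLSv1.2",
}
DEBUG_KEY = "java.property.javax.net.debug"

def parse_tra(text):
    """Parse key=value lines, skipping blanks and # comments.

    Assumption: when a key is assigned twice, the last assignment is kept.
    """
    props = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        key, value = line.split("=", 1)
        props[key.strip()] = value.strip()
    return props

def audit_tra(text):
    """Return a list of findings; an empty list means the file matches the article."""
    props = parse_tra(text)
    findings = []
    for key, expected in REQUIRED.items():
        actual = props.get(key)
        if actual is None:
            findings.append(f"missing: {key}={expected}")
        elif actual != expected:
            findings.append(f"unexpected value: {key}={actual} (article uses {expected})")
    if DEBUG_KEY in props:
        findings.append(f"debug logging enabled: {DEBUG_KEY}={props[DEBUG_KEY]}")
    return findings

# Constructed bwengine.tra fragment with three deliberate problems.
SAMPLE_TRA = """\
# constructed sample, not taken from a real server
java.property.TIBCO_SECURITY_VENDOR=j2se
java.property.mail.smtp.starttls.enable=true
java.property.mail.smtp.ssl.protocols=TLSv1
java.property.javax.net.debug=ssl,handshake,plaintext,record
"""

if __name__ == "__main__":
    for finding in audit_tra(SAMPLE_TRA):
        print(finding)
```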

    Integration with a Microsoft Exchange server

    With the elements above you should be able to connect to an on-premises Microsoft Exchange Server. In such a configuration you need to use the public certificates of the target Microsoft Exchange Server.

    The following property might also not be needed:
    java.property.com.tibco.security.NoExplicitCAChain=true

    Reference elements

    The list of all properties supported by the Java email client library used by BusinessWorks 5.X is available at the following URL:
    https://javaee.github.io/javamail/docs/api/com/sun/mail/smtp/package-summary.html

