BW6.X - BWCE - Security - How to connect to an email server using TLSv1.2 from BusinessWorks and BusinessWorks Container Edition


    Security is an increasing concern in integration projects, and this includes securing the connections to the enterprise email server.

    This article explains how to connect to an SMTP email server using TLS 1.2 from BusinessWorks and BusinessWorks Container Edition. This is illustrated by setting up a connection to the Microsoft outlook.com email cloud service, which uses TLSv1.2.

    Pre-requisites

    You need to have the public certificates of the target SMTP server in a common format (for example .crt or .cer files).

    You need to know the hostname and port used by the target email server.

    For outlook.com the host and port to use are the following: smtp-mail.outlook.com:587

    Reference elements are available on the Microsoft support site:

    https://support.microsoft.com/fr-fr/office/param%C3%A8tres-pop-imap-et-smtp-pour-outlook-com-d088b986-291d-42b8-9564-9c414e2aa040

    Downloading the outlook.com public certificates

    To do this you need to use openssl; the Windows version of this open source tool can be downloaded from the following URL:

    https://slproweb.com/products/Win32OpenSSL.html

    Once installed you have to use the following command to get the certificates:

    openssl s_client -starttls smtp -showcerts -connect smtp-mail.outlook.com:587


    From the output of the command you can copy / paste the certificates one by one into text files with the .crt extension (make sure to have one text file per certificate and to include the ‘BEGIN CERTIFICATE’ and ‘END CERTIFICATE’ lines in each file).


    Keep the certificate files in a local folder on your machine.

    The certificates folder should then contain one .crt file per certificate of the chain (a screenshot of such a folder is shown in the original article).


    Creating a keystore file

    This can be done with the Key Store Explorer tool available at the following URL: https://keystore-explorer.org/

    With Key Store Explorer you have to do the following:

    . Import the certificates; this can be done with the ‘Examine -> Examine File’ menu


    . Once a file is opened the corresponding certificate can be imported, using the ‘Import’ button


    When asked to create a new KeyStore, select the Key Store type and click OK.


    Then accept the default certificate alias:


    . Once done with all the certificates, save the KeyStore file


    You will have to set a password and enter the target file name.

    Keep the keystore file path and password for later use.
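    The two manual steps above (copying each certificate from the openssl output into its own .crt file, then importing them one by one in Key Store Explorer) can also be scripted. The following is an added example, not part of the original article and not TIBCO code: it splits a saved `openssl s_client -showcerts` output into one .crt file per certificate, prints the subject, issuer and expiry of each file so the chain can be reviewed before it is trusted, and imports them into a JKS trust store with the JDK's keytool as an alternative to Key Store Explorer. It assumes a POSIX shell with awk, openssl and keytool on the PATH; the file and alias names (s_client.txt, cert-N, smtp-truststore.jks) are the example's own choices.

```shell
#!/bin/sh
# Added example (not from the original article). Typical use against the
# server described in the article:
#   openssl s_client -starttls smtp -showcerts -connect smtp-mail.outlook.com:587 </dev/null > s_client.txt
#   split_certs s_client.txt ./certs
#   describe_certs ./certs
#   import_certs ./certs ./smtp-truststore.jks changeit
# (</dev/null makes s_client exit once the handshake is done.)

# Write each BEGIN/END CERTIFICATE block found in file $1 into $2/cert-N.crt
# and print the number of certificates written.
split_certs() {
    in="$1"; out="$2"
    mkdir -p "$out"
    awk -v dir="$out" '
        /-----BEGIN CERTIFICATE-----/ { n++; f = dir "/cert-" n ".crt"; inside = 1 }
        inside                        { print > f }
        /-----END CERTIFICATE-----/   { inside = 0; close(f) }
        END                           { print n + 0 }
    ' "$in"
}

# Print subject, issuer and expiry of every .crt in directory $1 so the chain
# (server certificate, intermediate(s), root) can be checked before trusting it.
describe_certs() {
    for c in "$1"/*.crt; do
        printf '%s: ' "$c"
        openssl x509 -in "$c" -noout -subject -issuer -enddate | tr '\n' ' '
        printf '\n'
    done
}

# Import every .crt in directory $1 into the JKS trust store $2 protected by
# password $3 (keytool ships with the JDK). The alias is the file name without
# extension; the store is created on the first import if it does not exist.
import_certs() {
    dir="$1"; store="$2"; pass="$3"
    for c in "$dir"/*.crt; do
        alias=$(basename "$c" .crt)
        keytool -importcert -noprompt \
            -keystore "$store" -storetype JKS -storepass "$pass" \
            -alias "$alias" -file "$c"
    done
    # List the result so the aliases and fingerprints can be verified.
    keytool -list -keystore "$store" -storepass "$pass"
}

# When run directly with <s_client output> <output dir>, only split the file.
if [ "$#" -eq 2 ]; then
    split_certs "$1" "$2"
fi
```

    The resulting keystore path, type (JKS) and password are exactly the three values the Key Store Configuration resource described below needs.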

    Updating the application

    You have to do the following:

    . Create the properties needed to configure an SMTP Connection resource


    . Create properties needed to configure a Key Store Configuration resource


    . Create a Key Store Configuration resource

    The resource has to be configured with:

    • The path to the target keystore file
    • The type of the keystore file
    • The password of the target keystore file

    . Create an SSL Client Configuration resource

    The resource has to be configured with:

    • The reference to the Trust Store resource
    • The target encryption protocol (it is generally recommended to use TLS 1.2 at a minimum)

    It is good practice to use cipher suites with at least 256-bit encryption.


    . Create an SMTP Connection shared resource

    The following configuration parameters can be set using the properties previously created:

    • Machine Name
    • Port
    • Username
    • Password

    When connecting to outlook.com or a Microsoft Exchange server make sure to check the ‘Enable STARTTLS’ option.

    Then check the ‘Confidentiality’ option and select the SSL Client Configuration resource previously created.


    . Then the ‘Send Mail’ activity must be configured with the following:

    • In the ‘General’ tab select the SMTP Configuration resource previously created.
    • In the ‘Input’ tab map the input fields as needed.

    Testing the application in the Debugger

    The application can then be tested in the Studio Debugger.

    In case of problems you can add the following property in the JVM Arguments:

    -Djavax.net.debug=ssl,handshake,plaintext,record

    This can be done in the ‘Arguments’ tab of the Run -> Debug Configuration panel.

    With this option the SSL/TLS negotiation messages are logged in the Designer Console window.

    You may also have a look at the following TIBCO support KB article:
    https://community.tibco.com/s/article/common-errors-tibco-activematrix-businessworkstm-related-ssl-communication

    Using the certificates in deployed mode

    You have to do the following:

    . Copy the certificate files to the target BusinessWorks servers

    . Set the application properties according to the target environment

    Integration with a Microsoft Exchange server

    With the elements above you should be able to connect to an on-premises Microsoft Exchange Server. In such a configuration you need to use the public certificates of the target Microsoft Exchange Server.

