Certificate trust behavior in TIBCO ActiveMatrix BusinessWorks™ 5 (BW)


    Manoj Chaurasia

    This article discusses the default certificate trust behavior and configuration options.

    Default behavior

    By default, BW trusts an entity's certificate only if every intermediate CA certificate and the root CA certificate in the certificate chain are placed in the Trusted Certificates folder in the project, or in the location specified in the global variable BW_GLOBAL_TRUSTED_CA_STORE.

    For example, consider the following server certificate chain. For BW to trust the server certificate, both the intermediate CA certificate and the root CA certificate must be placed in the Trusted Certificates folder.

     Server certificate - Subject: CN=Server Issuer: CN=IntermediateCA  

     Intermediate CA certificate - Subject: CN=IntermediateCA Issuer: CN=RootCA  

     Root CA certificate - Subject: CN=RootCA Issuer: CN=RootCA  

    Sample SSL debug log:

    Successful validation when having both the certificates in the Trusted Certificates folder

     validating certificate chain
     looking in datastore for certificate with DN CN=IntermediateCA
     match found
     looking in datastore for certificate with DN CN=RootCA
     match found
     chain length: 3
     chain verifies ok

    Failed validation when having only the root CA certificate in the Trusted Certificates folder

     validating certificate chain
     looking in datastore for certificate with DN CN=IntermediateCA
     No match found
     CA certificate with issuer CN=RootCA and serial number 1A43 CF9E is not a trusted certificate
     server chain validation failed: com.tibco.security.AXSecurityException: CA certificate with issuer CN=RootCA and serial number 1A43 CF9E is not a trusted certificate

    Failed validation when having only the intermediate CA certificate in the Trusted Certificates folder

     validating certificate chain
     looking in datastore for certificate with DN CN=IntermediateCA
     match found
     looking in datastore for certificate with DN CN=RootCA
     No match found
     CA certificate with issuer CN=RootCA and serial number 7565 AF8F is not a trusted certificate
     server chain validation failed: com.tibco.security.AXSecurityException: CA certificate with issuer CN=RootCA and serial number 7565 AF8F is not a trusted certificate

    Configuring BW to not require that every CA certificate in the chain be trusted

    The property com.tibco.security.NoExplicitCAChain controls the certificate trust behavior in BW. When the property is set to true, BW trusts an entity's certificate if the entity's certificate, any of the intermediate CA certificates, or the root CA certificate in the server certificate chain is placed in the Trusted Certificates folder.

    With reference to the aforementioned certificate chain, when the property is set to true, BW trusts the server certificate if any one of the three certificates is available in the Trusted Certificates folder.

    How to add the property

    Add the property as follows to the deployed application's .tra file or to the designer.tra file.

     java.property.com.tibco.security.NoExplicitCAChain=true
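
    The two trust rules above can be checked against a planned Trusted Certificates folder before deployment. The following is an added example, not TIBCO code: the function names are hypothetical, the chain and .tra excerpt are constructed, and certificates are matched by subject DN only (an assumption that leaves out signature and validity checks).

```python
# Added example: models the two trust rules described in this article.
# Assumption: certificates are matched by subject DN only; signature and
# validity checks that a real TLS stack performs are out of scope.
PROPERTY = "java.property.com.tibco.security.NoExplicitCAChain"

# Constructed sample data mirroring the article's chain (leaf first).
CHAIN = [("CN=Server", "CN=IntermediateCA"),
         ("CN=IntermediateCA", "CN=RootCA"),
         ("CN=RootCA", "CN=RootCA")]
SAMPLE_TRA = "# constructed .tra excerpt\n" + PROPERTY + "=true\n"

def no_explicit_ca_chain(tra_text):
    """True if the .tra text sets the property to true (default: False)."""
    enabled = False
    for line in tra_text.splitlines():
        line = line.strip()
        if line.startswith("#") or "=" not in line:
            continue
        key, value = line.split("=", 1)
        if key.strip() == PROPERTY:
            # Assumption: a later assignment overrides an earlier one.
            enabled = value.strip().lower() == "true"
    return enabled

def evaluate(chain, trusted_dns, relaxed):
    """Return (trusted, missing_ca_dns) for a chain of (subject, issuer)."""
    # Assumption: a lone self-signed certificate counts as its own CA.
    cas = chain[1:] or chain
    missing = [subj for subj, _ in cas if subj not in trusted_dns]
    if relaxed:
        # NoExplicitCAChain=true: any one certificate of the chain suffices.
        trusted = any(subj in trusted_dns for subj, _ in chain)
    else:
        # Default: every intermediate CA and the root CA must be present.
        trusted = not missing
    return trusted, missing

if __name__ == "__main__":
    relaxed = no_explicit_ca_chain(SAMPLE_TRA)
    for store in ({"CN=IntermediateCA", "CN=RootCA"}, {"CN=RootCA"},
                  {"CN=IntermediateCA"}, {"CN=Server"}, set()):
        default_ok, missing = evaluate(CHAIN, store, relaxed=False)
        relaxed_ok, _ = evaluate(CHAIN, store, relaxed=True)
        print(sorted(store), "default:", default_ok, "missing:", missing,
              "| property set (%s) -> relaxed:" % relaxed, relaxed_ok)
```

    The missing list names the CA certificates that the default behavior would report as not trusted for a given folder content.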

