Jump to content
  • How to Install SSL certificates in TIBCO ActiveMatrix BusinessWorks? HTTP client/Server?

    Manoj Chaurasia

    Table of Contents

    Step 1: Server Certificate.

    1.1 Generate Key

    As you own the server, you will have to create a certificate that will uniquely identify your server. To create the certificate you can use a command line utility called 'keytool' which is shipped with the java jdk and jre. The command we'll use is

     keytool -genkey -alias server-alias -keyalg RSA -keypass yourpassword -storepass yourpassword -keystore keystore.jks

    short summary of the keytool options used:
    -aliasUsed to give a name to your key - should be unique for its purpose.
    -keyalgEncryption algorithm type
    -keypassPassword affiliated to key
    -storepassPassword affiliated to keystore.jks
    keystore.jksName of the file which acts as key repository.

    After typing in this command, you will be asked questions, and answer accordingly. In the end, your key, called server-alias, will be stored in the repository file, keystore.jks. This entry in keystore.jks will have a public as well as a private key. You now need to publish the public key to the world. Use the following command to extract the public key from the entry which you created earlier.


    keytool -export -alias server-alias -storepass yourpassword -file server.cer -keystore keystore.jks


    The public key, aka certificate, will be stored in the file named server.cer. You can give this file to anyone who wants to connect to your server.

    1.2 Install key at server side.

    1.2.1 Identity

    You have your public/private key pair with you.

    Create an Identity in your TIBCO ActiveMatrix BusinessWorks? project.

    Choose type Identity file. Provide URL as path_to your_keystore.jks.

    The path "file://X:..." is not valid. You need to add an extra / to make it "file:///X:..".

    Give the filetype 'JKS' and password.

    Save the identity.

    1.2.2 HTTP Connection.

    Create an HTTP Connection and use SSL.

    Configure SSL with the identity you have created above.

    This step does not include instructions to enable client authentication. This is enough for the server side.

    Step 2: Import the certificate and install it on the client side.

    2.1 Import the key

    Get the server.cer from the server authority which is publicly available.

    Import the public key into your trust store.

    The Trust store is a repository of all trusted certificates at the client side.

    Use the command:


    keytool -import -v -trustcacerts -alias server-alias -file server.cer -keystore cacerts.jks -keypass yourkeypass -storepass yourstorepass


    Here all the values .. ie:  -alias, -keypass, -storepass are local.

    You need not have to worry about which values the server authority used while creating the key pair.

    As this command succeeds, you will have a public key imported in the local keystore, cacerts.jks.

    2.2 Install in ActiveMatrix BusinessWorks

    2.2.1 Identity

    Create an identity using file cacerts.jks.

    2.2.2 Certificate in PEM format

    In the BusinessWorks project, import the public certificate using the menu option:

    Tools>Trusted Certificates>Import into PEM format.

    It is advisable to keep this certificate in a separate folder to skip unnecessary processing.

    Create 'HTTP send Request' and use SSL.

    In the configuration, provide client identity 2.2.1 and folder name where you saved the certificate in PEM format 2.2.2.

    Hope this helps

    Refer this link for more details on keytool.

    Keytool Tutorial


    In addition to using 'keytool', We can use openssl commands. The openssl program is available for both indows and Linux platforms.

    To create identities using openssl you can refer commands below.

    Create a private key and certificate signing request attached to that private key.

     openssl req -new -newkey rsa:des3:1024 -keyout (hostkey).pem -out (hostcsr).pem 


    This will create a private key file, (hostkey).pem, and its corresponding certificate request file, (hostcsr).pem.

    To export the private key to pkcs8 format, the following command will do:

     openssl pkcs8 -topk8 -inform PER -outform DER -in (private.key) -out (private).p8


    To create the certificate chain, you need to get the file, (hostcsr).pem, signed by a certification authority. Here we will create our own certification authority and get (hostcsr).pem signed by it. To get an idea of how to create your own Certificate Authority, please refer to the steps at the end of this document. Assuming that we have created our own certification authority, the following command will sign (hostcsr).pem with ca certificate.

     openssl ca -in (hostcsr).pem -out (host_signed.x509).pem


    There are various formats available for the publication of certificates. We will use PKCS#12 and PKCS#7.

    • PKCS#12 contains information about certificate chains as well as private keys.
    • PKCS#7 contains information only about public certificate chains.

    To convert (host_signed.x509).pem to PKCS#12 format, use the command:


     openssl pkcs12 -export -in (host_signed.x509).pem -inkey (privkey).pem -out cred.p12


    To convert (host_signed.x509).pem to PKCS#7 format, the following command will do.




    openssl crl2pkcs7 -nocrl -certfile (host_signed.x509).pem -out (host_signed.x509).p7b






    Entities obtained using above commands can be used in installing client and server ssl.






    My own certification authority


    details of ca are in file /usr/lib/ssl/openssl.cnf


    Assume that we want to setup our own ca in directory /home/me/workspace/myca.


    create this directory structure.


    go to myca - cd /home/me/workspace/myca


    create following files and directories in myca




    mkdir newcerts


    mkdir private (CA private key resides here)


    echo 00 > serial (this file keeps sequence number of certificates signed by your CA, the number is incremented every time your CA signs a new certificate)


    cat > demoCA/index.txt (database of sign activities, contains information about previously signed certificates by your CA)




    create a self signed privatekey and certificate.




    openssl req -x509 -days 999 -newkey rsa:des3:1024 -keyout private/cakey.pem -out cacart.pem




    Use this ca to sign other certificates.


    Every time you want to sign a new certificate you need to come to this directory and issue ca command.




    openssl ca -in (path to hostcsr.pem) -out (path to host_signed.x509.pem)


    User Feedback

    Recommended Comments

    There are no comments to display.

    Create an account or sign in to comment

    You need to be a member in order to leave a comment

    Create an account

    Sign up for a new account in our community. It's easy!

    Register a new account

    Sign in

    Already have an account? Sign in here.

    Sign In Now

  • Create New...