Ramakrushna Dash Posted July 8, 2010

Could anyone help me out by citing an example showing how to do SSL configuration in TIBCO EMS server? Thanks, Rama
Manoj Chaurasia Posted July 9, 2010

Thanks for your help, Carlo. I have another doubt related to SSL configuration. Let's say we are doing FT mode for two EMS servers. For that, what we can do is just interchange the parameters ft_active and ft_listen in tibemsd.conf of the two EMS servers. Similarly, is it possible to configure the two EMS servers in SSL? If yes, could you please cite an example? Waiting for the reply. Thanks.
Manoj Chaurasia Posted July 9, 2010

There are also SSL properties for FT heartbeats:

ft_ssl_identity =
ft_ssl_issuer =
ft_ssl_private_key =
ft_ssl_password =
ft_ssl_trusted =
ft_ssl_verify_host =
ft_ssl_verify_hostname =
ft_ssl_expected_hostname =
ft_ssl_ciphers =

As for Clients, if the machines fail-over their IP addresses/names, the FT URL will be the same for both systems and the hostname will also be the same (you would re-use the server certificate). If the IP address/name does NOT fail-over, you can have two different hostnames in the FT URL and two different server certificates (or you could keep a single certificate and instruct the clients NOT to verify the hostname or to explicitly set the expected hostname).
Manoj Chaurasia Posted July 9, 2010

Hi Carlo, here is my doubt: how to make two servers in SSL mode? Any example can be helpful for me. Thanks, Ramakrushna
Manoj Chaurasia Posted July 9, 2010

I'm not sure how to help you. Perhaps if you make a few configurations, then run them with SSL_DEBUG set, we can figure out what is happening or not happening.

You configure each server individually, each with its own 'conf' file, and if you want FT, then you configure that as well. You would (essentially) combine the sample tibemsdssl.conf into the tibemsd-FT1 and FT2 files (optionally setting up SSL for the FT heartbeat).

SSL is fairly simple: Servers MUST present an identity (which requires a private key). Clients MAY present an identity (which requires a private key). Certificates come in multiple 'flavors', with a PKCS#12 certificate actually containing a cert and a private key and optionally the "chain-of-trust" up to and including the Root Certificate Authority. Clients may choose to ignore the trust, may choose to ignore the hostname. Servers may choose to ignore the trust, SubjectDN may be used as an Identity along with a password (in lieu of an ID). Both may specify ciphers (must agree on at least one in common, else it fails).
Manoj Chaurasia Posted July 14, 2010

Hi, set the server to listen for SSL connections from clients by using the listen parameter in tibemsd.conf. To specify that a port accept SSL connections, specify the SSL protocol in the listen parameter as follows:

listen = ssl://localhost:7243
Carlo Milono 2 Posted October 23, 2015

There is a sample SSL configuration you should start with in /ems//samples/config called tibemsdssl.conf. Start it with "tibemsd -config tibemsdssl.conf". Take a look at the properties. The EMS Server is using the certificate "server.cert.pem" as its identity, and it will trust certificates that were signed by client_root.cert.pem.

ssl_server_identity = ../certs/server.cert.pem
ssl_server_key = ../certs/server.key.pem
ssl_password = $man$WjtSRCpaXu7hoTkDlcEPr6KNKRr

# Server Issuer certificate(s).
# Supports PEM, DER and PKCS#12.
# This may be a part of PKCS12 specified by ssl_server_identity
ssl_server_issuer =

# Trusted issuers of client certificates. Supports PEM, DER and PKCS7.
ssl_server_trusted = ../certs/client_root.cert.pem

So...you can use client_identity.p12 in your BW project as an Identity (there is a README in the certs directory explaining the relationships), and use server_root.cert.pem so you can trust the server.cert.pem by importing it into a Trusted Certificates folder in your BW project.
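Added example (not part of the thread and not TIBCO's code): the relationships described in the post above, an identity certificate, its private key and password, and the root the peer trusts, can be checked offline with openssl before the server is started. The helper names check_identity and make_test_pki, the password example-pass and the throwaway certificates are constructed for this example; only the server.cert.pem, server.key.pem and server_root.cert.pem file names follow the sample, and the password argument is assumed to be the key's cleartext password.

```shell
#!/usr/bin/env bash
# Added example: offline checks on an identity / key / trusted-root triple.
# File names mirror the sample config; all certificates are constructed here.

# check_identity CERT KEY PASSWORD ROOT
# Prints one status word and returns 0 only when the status is "ok".
check_identity() {
  local cert=$1 key=$2 pass=$3 root=$4 cert_pub key_pub
  # 1. The private key must decrypt with the cleartext password.
  key_pub=$(openssl pkey -in "$key" -passin "pass:$pass" -pubout 2>/dev/null) ||
    { echo "bad-key-or-password"; return 1; }
  # 2. The certificate must carry the public half of that private key.
  cert_pub=$(openssl x509 -in "$cert" -noout -pubkey 2>/dev/null) ||
    { echo "bad-certificate"; return 1; }
  [ "$cert_pub" = "$key_pub" ] || { echo "key-mismatch"; return 1; }
  # 3. The certificate must chain to the root the peer is told to trust.
  openssl verify -CAfile "$root" "$cert" >/dev/null 2>&1 ||
    { echo "untrusted-issuer"; return 1; }
  echo "ok"
}

# make_test_pki DIR: build a constructed PKI in DIR with one root, one
# password-protected server key whose cert that root signs, and one unrelated root.
make_test_pki() {
  local d=$1
  openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=Test Server Root" \
    -keyout "$d/server_root.key.pem" -out "$d/server_root.cert.pem" 2>/dev/null
  openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=Unrelated Root" \
    -keyout "$d/other_root.key.pem" -out "$d/other_root.cert.pem" 2>/dev/null
  openssl req -newkey rsa:2048 -passout pass:example-pass -subj "/CN=localhost" \
    -keyout "$d/server.key.pem" -out "$d/server.csr" 2>/dev/null
  openssl x509 -req -in "$d/server.csr" -days 1 -CA "$d/server_root.cert.pem" \
    -CAkey "$d/server_root.key.pem" -CAcreateserial \
    -out "$d/server.cert.pem" 2>/dev/null
}

# Demo on the constructed PKI: a matching triple, then the wrong trusted root.
demo_dir=$(mktemp -d) && make_test_pki "$demo_dir"
check_identity "$demo_dir/server.cert.pem" "$demo_dir/server.key.pem" \
  example-pass "$demo_dir/server_root.cert.pem"
check_identity "$demo_dir/server.cert.pem" "$demo_dir/server.key.pem" \
  example-pass "$demo_dir/other_root.cert.pem"
rm -rf "$demo_dir"
```

Against real files, call check_identity with the paths from the conf file and the root certificate the client imports.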
praveen raja Posted October 23, 2015

I have tried the SSL connection according to your comments, but the connection is not established. Could you please attach a working example if there is one? Please.
Lamb Liu Posted August 5, 2019

I am facing a connection issue and the error is: Failed connect to 'ssl://7243': error=153, message=Invalid certificate data or password. I would like to know how to resolve it.
Lamb Liu Posted August 8, 2019

When I run the sample tibjmsSSL.java with the instructions on the page https://support.tibco.com/s/article/Tibco-KnowledgeArticle-Article-45678, it gets this error: SSL handshake failed: ret=-1, reason=<unknown> [OpenSSL Error]: file=ossl.c, line=1767. Any help from you?