Introducing the all-new TIBCO Community site!

For current users, please click "Sign In" to reset your password and access the enhanced features. If you're a first-time visitor, we extend a warm welcome—click "Sign Up" to become a part of the TIBCO Community!

If you're seeking alternative community sites, explore ibi, Jaspersoft, and Spotfire.

Jump to content

SSL Configuration in EMS SERVER


Recommended Posts

Thanks for your help Carlo.

I have another doubt related to SSL configuration.

Lets say we are doing FT mode for two ems servers.So for that what we can do is..We just interchange the parameter of ft_active and ft_listen in tibemsd.conf of two ems servers.

Similarly,Is it possible to configure the two ems servers in SSLIf yes,Could you please cite an example

Waiting for the reply..

 

Thanks..

Link to comment
Share on other sites

There are also SSL properties for FT heartbeats:

ft_ssl_identity =ft_ssl_issuer =ft_ssl_private_key =ft_ssl_password = ft_ssl_trusted =ft_ssl_verify_host =ft_ssl_verify_hostname =ft_ssl_expected_hostname=ft_ssl_ciphers =

As for Clients, if the machines fail-over their IP addresses/names, the FT URL will be the same for both systems and the hostname will also be the same (you would re-use the server certificate). If the IP address/name does NOT fail-over, you can have two different hostnames in the FT URL and two different server certificates (or you could keep a single certificate and instruct the clients NOT to verify the hostname or to explicitly set the expected hostname).

Link to comment
Share on other sites

I'm not sure how to help you. Perhaps if you make a few configurations, then run them with SSL_DEBUG set, we can figure out what is happening or not happening.

 

You configure each server individually, each with its own 'conf' file, and if you want FT, then you configure that as well. You would (essentially) combine the sample tibemsdssl.conf into the tibemsd-FT1 and FT2 files (optionally setting up SSL for the FT heartbeat).

 

SSL is fairly simple:

Servers MUST present an identity (which requires a private key).

Clients MAY present an identity (which requires a private key).

Certificates come in multiple 'flavors', with a PKCS#12 certificate actually containing a cert and a private key and optionally the "chain-of-trust" up to and including the Root Certificate Authority.

Clients may choose to ignore the trust, may choose to ignore the hostname.

Servers may choose to ignore the trust, SubjectDN may be used as an Identity along with a password (in lieu of an ID).

Both may specify ciphers (must agree on at least one in common, else it fails).

Link to comment
Share on other sites

  • 5 years later...

There is a sample SSL configuration you should start with in /ems//samples/config called tibemsdssl.conf. Start it with "tibemsd -config tibemsdssl.conf". Take a look at the properties.

 

The EMS Server is using the certificate "server.cert.pem" as its identity, adn it will trust certificates that were signed by client_root.cert.pem.

 

ssl_server_identity = ../certs/server.cert.pemssl_server_key = ../certs/server.key.pemssl_password = $man$WjtSRCpaXu7hoTkDlcEPr6KNKRr

# Server Issuer certificate(s).# Supports PEM, DER and PKCS#12.# This may be a part of PKCS12 specified by ssl_server_identity

ssl_server_issuer =

# Trusted issuers of client certificates. Supports PEM, DER and PKCS7.

ssl_server_trusted = ../certs/client_root.cert.pem

 

So...you can use client_identity.p12 in your BW project as an Identity (there is a README in the certs directory explaining the relationships), and use server_root.cert.pem so you can trust the server.cert.pem by importing it into a Trusted Certificates folder in your BW project.

Link to comment
Share on other sites

  • 3 years later...
×
×
  • Create New...