SSL Configuration in EMS SERVER

[Ramakrushna Dash]

Could nayone help me out by citing an example showing how to do SSL configuration in TIBCO EMS server.

 

Thanks

Rama

[Manoj Chaurasia]

Thanks for your help Carlo.

I have another doubt related to SSL configuration.

Lets say we are doing FT mode for two ems servers.So for that what we can do is..We just interchange the parameter of ft_active and ft_listen in tibemsd.conf of two ems servers.

Similarly,Is it possible to configure the two ems servers in SSLIf yes,Could you please cite an example

Waiting for the reply..

 

Thanks..

[Manoj Chaurasia]

There are also SSL properties for FT heartbeats:

ft_ssl_identity =ft_ssl_issuer =ft_ssl_private_key =ft_ssl_password = ft_ssl_trusted =ft_ssl_verify_host =ft_ssl_verify_hostname =ft_ssl_expected_hostname=ft_ssl_ciphers =

As for Clients, if the machines fail-over their IP addresses/names, the FT URL will be the same for both systems and the hostname will also be the same (you would re-use the server certificate). If the IP address/name does NOT fail-over, you can have two different hostnames in the FT URL and two different server certificates (or you could keep a single certificate and instruct the clients NOT to verify the hostname or to explicitly set the expected hostname).

[Manoj Chaurasia]

Hi Carlo,

 

Here is my doubt: How to make two servers in SSL mode

Any example can be helpful for me..

 

Thanks

Ramakrushna

[Manoj Chaurasia]

I'm not sure how to help you. Perhaps if you make a few configurations, then run them with SSL_DEBUG set, we can figure out what is happening or not happening.

 

You configure each server individually, each with its own 'conf' file, and if you want FT, then you configure that as well. You would (essentially) combine the sample tibemsdssl.conf into the tibemsd-FT1 and FT2 files (optionally setting up SSL for the FT heartbeat).

 

SSL is fairly simple:

Servers MUST present an identity (which requires a private key).

Clients MAY present an identity (which requires a private key).

Certificates come in multiple 'flavors', with a PKCS#12 certificate actually containing a cert and a private key and optionally the "chain-of-trust" up to and including the Root Certificate Authority.

Clients may choose to ignore the trust, may choose to ignore the hostname.

Servers may choose to ignore the trust, SubjectDN may be used as an Identity along with a password (in lieu of an ID).

Both may specify ciphers (must agree on at least one in common, else it fails).

[Manoj Chaurasia]

hi,

Set the server to listen for SSL connections from clients by using the listen

parameter in tibemsd.conf. To specify that a port accept SSL connections,

specify the SSL protocol in the listen parameter as follows:

listen = ssl://localhost:7243

[Carlo Milono 2]

There is a sample SSL configuration you should start with in /ems//samples/config called tibemsdssl.conf. Start it with "tibemsd -config tibemsdssl.conf". Take a look at the properties.

 

The EMS Server is using the certificate "server.cert.pem" as its identity, adn it will trust certificates that were signed by client_root.cert.pem.

 

ssl_server_identity = ../certs/server.cert.pemssl_server_key = ../certs/server.key.pemssl_password = $man$WjtSRCpaXu7hoTkDlcEPr6KNKRr

# Server Issuer certificate(s).# Supports PEM, DER and PKCS#12.# This may be a part of PKCS12 specified by ssl_server_identity

ssl_server_issuer =

# Trusted issuers of client certificates. Supports PEM, DER and PKCS7.

ssl_server_trusted = ../certs/client_root.cert.pem

 

So...you can use client_identity.p12 in your BW project as an Identity (there is a README in the certs directory explaining the relationships), and use server_root.cert.pem so you can trust the server.cert.pem by importing it into a Trusted Certificates folder in your BW project.

[praveen raja]

I have tried SSL connection according to your comments but the connection is not established. Could you please attach if there is any working example........please

[Lamb Liu]

I am facing some connect issue and the error is Failed connect to 'ssl://7243': error=153, message=Invalid certificate data or password.

 

I would like to know how to resolve

 

 

[Lamb Liu]

When I run sample tibjmsSSL.java with instruction on page https://support.tibco.com/s/article/Tibco-KnowledgeArticle-Article-45678, it would get error :SSL handshake failed: ret=-1, reason=<unknown>

[OpenSSL Error]: file=ossl.c, line=1767.Any help from you