
Configuring tibemsd to use SSL & SSL sample client


Manoj Chaurasia


I have tibemsd configured to use SSL on port 14012. The configuration from tibemsd.conf is this:

#######################################################################
# Copyright 2001-2008 TIBCO Software Inc.
# All Rights Reserved.
# For more information, please contact:
# TIBCO Software Inc.
# Palo Alto, California, USA
#
# Server Configuration Properties
########################################################################

########################################################################
# All parameters follow 'name = value' syntax. Each parameter must
# be in one line, line breaks not supported. If value is empty then
# parameter is ignored. It is a good idea to keep all parameters listed
# using empty value when no value is required.
# Lines starting with # or ; as well as empty lines are ignored.
########################################################################

########################################################################
# Server Identification Information.
########################################################################
server = EMS-SERVER
password =

########################################################################
# Other Configuration files
########################################################################
users = users.conf
groups = groups.conf
topics = topics.conf
queues = queues.conf
acl_list = acl.conf
factories = factories.conf
routes = routes.conf
bridges = bridges.conf
transports = transports.conf
tibrvcm = tibrvcm.conf
durables = durables.conf
channels = channels.conf
stores = stores.conf

########################################################################
# Persistent Storage
########################################################################
store = datastore

########################################################################
# Maximum number of connections
########################################################################
max_connections = 0

########################################################################
# Maximum message memory
########################################################################
max_msg_memory = 512MB
msg_swapping = enabled

########################################################################
# Listen ports. May be tcp or ssl, can specify any number.
# Form is tcp://hostname:port. If the hostname is not present then
# the default host and interface will be used.
########################################################################
listen = tcp://localhost:7222
listen = ssl://localhost:14012

########################################################################
# Authorization.
########################################################################
authorization = disabled

########################################################################
# Routing.
########################################################################
routing = disabled

########################################################################
# Multicast.
########################################################################
multicast = disabled

########################################################################
# Producer flow control.
########################################################################
flow_control = disabled

########################################################################
# Transports.
########################################################################
tibrv_transports =

########################################################################
# Fault-tolerant setup.
########################################################################
ft_active =
ft_heartbeat =
ft_activation =

# SSL setup for connection to another FT server. Only required if
# the FT connection has to be secure.
ft_ssl_identity =
ft_ssl_issuer =
ft_ssl_private_key =
ft_ssl_password =
ft_ssl_trusted =
ft_ssl_verify_host =
ft_ssl_verify_hostname =
ft_ssl_expected_hostname=
ft_ssl_ciphers =

########################################################################
# Message tracking.
########################################################################
track_message_ids =
track_correlation_ids =

########################################################################
# Log file and tracing setup.
########################################################################
logfile = ../log/logfile.txt
log_trace = DEFAULT,+MSG,+SSL,+SSL_DEBUG
console_trace = DEFAULT,+MSG,+SSL,+SSL_DEBUG

########################################################################
# SSL Server Setup Information.
#
# These parameters define server-side certificate, private key, issuers
# of client certificates and miscellaneous parameters used by this EMS
# server when handling SSL connections from the clients and other EMS
# servers.

########################################################################
# specify Diffie-Hellman key size, valid values are 512, 768, 1024, 2048.
# Default is 1024. Not used for export grade cipher suites.
ssl_dh_size =

# can be used to disable specific ciphers or change the
# priority order. This is used in the format accepted
# by OpenSSL, refer to OpenSSL documentation for more info.
# Example: ssl_ciphers = +RC4-MD5:+RC4-SHA
ssl_server_ciphers =

# The following is set if all clients must preset the certificate.
# If disabled the client may or may not have the certificate.
ssl_require_client_cert =

# This enforces the policy when the connection username is always
# extracted from the certificate, if the certificate was presented
# by the client. This does not affect users who have no certificate.
ssl_use_cert_username =

# This specifies a special username, when presented as connection user
# name, the actual username is extracted from the client certificate
# if client has the certificate. This does not affect users who have
# no certificate.
ssl_cert_user_specname = CERTIFICATE_USER

# Server certificate, key and private key password. If password not
# specified it is prompted for at start up time. The key and server
# certificate issuers may be included into specified PKCS12 file.
# Supports PEM, DER and PKCS12.
ssl_server_identity = ../certs/server.cert.pem
ssl_server_key = ../certs/server.key.pem
ssl_password = $man$WjtSRCpaXu7hoTkDlcEPr6KNKRr

# Server Issuer certificate(s).
# Supports PEM, DER and PKCS#12.
# This may be a part of PKCS12 specified by ssl_server_identity
ssl_server_issuer =

# Trusted issuers of client certificates. Supports PEM, DER and PKCS7.
ssl_server_trusted = ../certs/client_root.cert.pem

# Path to installed Enthropy Gathering Daemon
ssl_rand_egd =

# File containing random data. If specified, used by the server
# at start up time.

########################################################################
# DO NOT USE FOR PRODUCTION!
# This is to allow samples to run on machines without a /dev/random
# such as solaris 2.6-2.8.
########################################################################

ssl_rand_file = tibemsd

When I attempt to connect to the above-configured tibemsd using one of the sample clients with:

EMSSSLGlobal -server "ssl://localhost:14012" -user testuser1 -password xyzzy! -topic sample.topic -ssl_target_hostname localhost "testing 1 2 3"

I get the following error:

C:\tibco\ems\5.1\samples\cs>EMSSSLGlobal -server "ssl://localhost:14012" -user testuser1 -password xyzzy! -topic sample.topic -ssl_target_hostname localhost

Global SSL parameters sample.

##### Exception:Failed to connect via SSL to [ssl://localhost:14012]: Failed to connect via SSL to [ssl://localhost:14012]: The remote certificate is invalid according to the validation procedure.
at TIBCO.EMS.CFImpl._CreateConnection(String userName, String password, Boolean xa)
at TIBCO.EMS.TopicConnectionFactory.CreateTopicConnection(String userName, String password)
at emsSSLGlobal..ctor(String[] args)

##### Linked Exception error msg:Failed to connect via SSL to [ssl://localhost:14012]: The remote certificate is invalid according to the validation procedure.

##### Linked Exception:
at TIBCO.EMS.LinkSSL.Connect(URL url)

So what is the reason for this "The remote certificate is invalid according to the validation procedure." error?

Could any of you tell me what I'm doing wrong?
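
Added example, not part of the original post and not TIBCO code: a Python parser for the 'name = value' syntax that the posted tibemsd.conf describes, reporting the settings that file's own values and comments call out (a plaintext listener beside the SSL one, authorization disabled, optional client certificates, the default 1024-bit DH size, the sample-only ssl_rand_file). The function names and finding wording are assumptions, and the sample input is constructed from the posted file.

```python
# Added example: audits a tibemsd.conf for settings the file's own comments flag.
SAMPLE_CONF = """\
; constructed sample: the security-relevant lines of the posted tibemsd.conf
listen = tcp://localhost:7222
listen = ssl://localhost:14012
authorization = disabled
ssl_dh_size =
ssl_require_client_cert =
ssl_server_identity = ../certs/server.cert.pem
ssl_server_trusted = ../certs/client_root.cert.pem
ssl_rand_file = tibemsd
"""


def parse_conf(text):
    """Parse 'name = value' lines. Names may repeat (listen); empty values are ignored."""
    params = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":  # comments and blank lines are skipped
            continue
        name, sep, value = line.partition("=")
        if sep and value.strip():  # file header: an empty value means "parameter ignored"
            params.setdefault(name.strip(), []).append(value.strip())
    return params


def audit(params):
    """Return (parameter, finding) pairs; audit() and its wording are hypothetical."""
    findings = []
    schemes = {url.split("://", 1)[0] for url in params.get("listen", [])}
    if {"tcp", "ssl"} <= schemes:
        findings.append(("listen", "plaintext tcp listener enabled alongside ssl"))
    if "disabled" in params.get("authorization", []):
        findings.append(("authorization", "authorization is disabled"))
    if "enabled" not in params.get("ssl_require_client_cert", []):
        findings.append(("ssl_require_client_cert", "not enabled: client certificate optional"))
    dh_size = int(params.get("ssl_dh_size", ["1024"])[0])  # 1024 is the file's stated default
    if dh_size < 2048:
        findings.append(("ssl_dh_size", f"{dh_size}-bit Diffie-Hellman parameters"))
    if "ssl_rand_file" in params:
        findings.append(("ssl_rand_file", "set: the file marks this DO NOT USE FOR PRODUCTION"))
    return findings


if __name__ == "__main__":
    for name, finding in audit(parse_conf(SAMPLE_CONF)):
        print(f"{name}: {finding}")
```
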
