
Kurian Kuruvilla

Everything posted by Kurian Kuruvilla

  1. This article explains how to configure JDBC Connection shared resource in TIBCO ActiveMatrix BusinessWorks™ 5 to connect to MariaDB database server over TLS.

     Prerequisite

     The JDBC driver JAR file (MariaDB Connector/J - mariadb-java-client-x.x.x.jar) must be available in bwengine classpath.

     JDBC Driver

     Do not select a driver from the Select driver dropdown. In the JDBC Driver field, type in

         org.mariadb.jdbc.Driver

     Database URL

     To enable TLS with mutual authentication, specify the URL as follows -

         jdbc:mariadb://host:port/database?useSSL=true&trustStore=path_to_truststore_file&trustStorePassword=truststore_password&keyStore=path_to_keystore_file&keyStorePassword=keystore_password

     For example,

         jdbc:mariadb://dbserver:3306/bwdb?useSSL=true&trustStore=D:/PKI/trust.jks&trustStorePassword=password&keyStore=D:/PKI/key.jks&keyStorePassword=password

     useSSL - Set this property to true to enable TLS
     trustStore - Full path to the trust store containing the DB server certificate
     trustStorePassword - Trust store password
     keyStore - Full path to the keystore containing the client certificate and private key
     keyStorePassword - Keystore password

     Using system properties to specify the trust store and keystore files

     The trust store and keystore can be specified using the system properties javax.net.ssl.trustStore and javax.net.ssl.keyStore respectively. When using these system properties, specify the URL as follows -

         jdbc:mariadb://host:port/database?useSSL=true

     Add the following properties to designer.tra/bwengine.tra -

         java.property.javax.net.ssl.trustStore=path_to_truststore_file
         java.property.javax.net.ssl.trustStorePassword=truststore_password
         java.property.javax.net.ssl.keyStore=path_to_keystore_file
         java.property.javax.net.ssl.keyStorePassword=keystore_password

     References - https://mariadb.com/kb/en/using-tls-ssl-with-mariadb-java-connector/
  2. Wireshark is a convenient tool for capturing network packets on Windows machines, but it is generally not installed on Production machines. This article lists a couple of alternatives.

     Packet Monitor (pktmon)

     Documentation - https://docs.microsoft.com/en-us/windows-server/networking/technologies/pktmon/pktmon

     To start packet capture -

         pktmon start -c -f E:\temp\PktMon.etl

     To stop packet capture -

         pktmon stop

     To convert the output file to pcapng format so that it can be opened in Wireshark -

         pktmon etl2pcap <output file from the previous step>

     Netsh

     Documentation - https://docs.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2012-r2-and-2012/jj129382(v=ws.11)

     To start packet capture -

         netsh trace start capture=yes tracefile=E:\temp\Netsh.etl

     To stop packet capture -

         netsh trace stop

     To convert the output file to pcapng format so that it can be opened in Wireshark, use etl2pcapng.exe from https://github.com/microsoft/etl2pcapng.

         etl2pcapng.exe Netsh.etl Netsh.pcapng
  3. If JMX is enabled, Java VisualVM can be used to take thread dumps of local and remote TIBCO ActiveMatrix BusinessWorks™ 5 (BW) engine processes. But JMX is usually not enabled in Production environments. This article lists a few other options for various Operating Systems.

     Red Hat Linux, Solaris, Windows

     If JDK is installed on the machine where the BW application is running, the ‘jstack’ utility may be used to generate a thread dump on Red Hat Linux, Solaris or Windows.

     Steps:
       1. Go to JDK_HOME/bin (JDK_HOME is the directory where JDK is installed)
       2. Run the following command

              jstack -l pid_of_bwengine > threaddump.txt

     Red Hat Linux, Solaris, HP-UX

     If the BW application is running on Red Hat Linux, Solaris or HP-UX, the ‘kill’ command may be used to generate a thread dump.

     Steps:
       1. Go to TIBCO_HOME/tra/domain/<domain_name>/application/<application_name>
       2. Run the following command from the command line. This is to start the application redirecting standard output to file.

              <application_name>.sh > bwapplication.out 2>&1

       3. Run the following command to generate thread dump

              kill -3 pid_of_bwengine

     The thread dump will be written to the file bwapplication.out

     Windows

     On Windows, a thread dump can be generated by pressing Ctrl+Break.

     Steps:
       1. Go to TIBCO_HOME/tra/domain/<domain_name>/application/<application_name>
       2. Run the following command from the command prompt. This is to start the application redirecting standard output to file.

              <application_name>.cmd > bwapplication.out 2>&1

       3. Press Ctrl+Break to generate thread dump

     The thread dump will be written to the file bwapplication.out

     AIX

     On AIX, run the following command to generate thread dump. The thread dump (along with some additional information) will be written to a file named javacore*.txt under TIBCO_HOME/bw/5.x/bin.

         kill -3 pid_of_bwengine

     Solaris

     On Solaris platform, a thread dump can be generated using the ‘kill’ command or by pressing Ctrl+\.

     Steps:
       1. Go to TIBCO_HOME/tra/domain/<domain_name>/application/<application_name>
       2. Run the following command from the command line. This is to start the application redirecting standard output to file.

              <application_name>.sh > bwapplication.out 2>&1

       3. Run the following command or press Ctrl+\ to generate thread dump

              kill -QUIT pid_of_bwengine

     The thread dump will be written to the file bwapplication.out
  4. This article discusses the default certificate trust behavior and configuration options.

     Default behavior

     By default, BW trusts an entity’s certificate only if any intermediate CA certificates and the root CA certificate in the certificate chain are placed in the Trusted Certificates folder in the project or in the location specified in the global variable BW_GLOBAL_TRUSTED_CA_STORE.

     For example, consider the following server certificate chain.

         Server certificate -
             Subject: CN=Server
             Issuer: CN=IntermediateCA
         Intermediate CA certificate -
             Subject: CN=IntermediateCA
             Issuer: CN=RootCA
         Root CA certificate -
             Subject: CN=RootCA
             Issuer: CN=RootCA

     For BW to trust the server certificate, both the intermediate CA certificate and the root CA certificate must be placed in the Trusted Certificates folder.

     Sample SSL debug log -

     Successful validation when having both the certificates in the Trusted Certificates folder

         validating certificate chain
         looking in datastore for certificate with DN CN=IntermediateCA
         match found
         looking in datastore for certificate with DN CN=RootCA
         match found
         chain length: 3
         chain verifies ok

     Failed validation when having only the root CA certificate in the Trusted Certificates folder

         validating certificate chain
         looking in datastore for certificate with DN CN=IntermediateCA
         No match found
         CA certificate with issuer CN=RootCA and serial number 1A43 CF9E is not a trusted certificate
         server chain validation failed: com.tibco.security.AXSecurityException: CA certificate with issuer CN=RootCA and serial number 1A43 CF9E is not a trusted certificate

     Failed validation when having only the intermediate CA certificate in the Trusted Certificates folder

         validating certificate chain
         looking in datastore for certificate with DN CN=IntermediateCA
         match found
         looking in datastore for certificate with DN CN=RootCA
         No match found
         CA certificate with issuer CN=RootCA and serial number 7565 AF8F is not a trusted certificate
         server chain validation failed: com.tibco.security.AXSecurityException: CA certificate with issuer CN=RootCA and serial number 7565 AF8F is not a trusted certificate

     Configuring BW to not require that every CA certificate in the chain be trusted

     The property com.tibco.security.NoExplicitCAChain can be used to control the certificate trust behavior in BW. When the property is set to true, BW trusts an entity’s certificate if the entity’s certificate or any of the intermediate certificates or the root CA certificate in the server certificate chain is placed in the Trusted Certificates folder.

     With reference to the aforementioned certificate chain, when the property is set to true, BW trusts the server certificate if any one of the three certificates is available in the Trusted Certificates folder.

     How to add the property

     Add the property as follows to the deployed application .tra file/designer.tra file.

         java.property.com.tibco.security.NoExplicitCAChain=true
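The lookup messages in the SSL debug log above can be read mechanically to find which CA certificate is missing from the Trusted Certificates folder. The Python below is an added example, not TIBCO code: the function name chain_lookup_report is hypothetical, the sample logs are constructed from the messages in the article, and it assumes the lookup result appears either on the line after the lookup or at the end of the same line.

```python
import re

# Lookup message from the article's sample log. The result may trail the DN on
# the same line or arrive on the next line (the line layout is an assumption).
LOOKUP = re.compile(
    r"looking in datastore for certificate with DN (?P<dn>.+?)"
    r"(?:\s+(?P<res>no match found|match found))?\s*$",
    re.IGNORECASE,
)

# Constructed from the messages in the article, one message per line.
LOG_OK = """validating certificate chain
looking in datastore for certificate with DN CN=IntermediateCA
match found
looking in datastore for certificate with DN CN=RootCA
match found
chain length: 3
chain verifies ok"""

LOG_ROOT_ONLY = """validating certificate chain
looking in datastore for certificate with DN CN=IntermediateCA
No match found
CA certificate with issuer CN=RootCA and serial number 1A43 CF9E is not a trusted certificate
server chain validation failed: com.tibco.security.AXSecurityException: CA certificate with issuer CN=RootCA and serial number 1A43 CF9E is not a trusted certificate"""


def chain_lookup_report(log_text):
    """Return the DNs found/missing in the trust store and the final verdict."""
    report = {"trusted": [], "missing": [], "verdict": None}
    pending = None  # DN whose lookup result has not been seen yet

    def record(dn, result):
        key = "missing" if result.lower().startswith("no match") else "trusted"
        report[key].append(dn)

    for line in log_text.splitlines():
        text = line.strip()
        lowered = text.lower()
        m = LOOKUP.search(text)
        if m:
            if m.group("res"):          # result on the same line as the lookup
                record(m.group("dn"), m.group("res"))
                pending = None
            else:                       # result expected on a following line
                pending = m.group("dn")
        elif pending and lowered.endswith("match found"):
            # "No match found" also ends with "match found", so test it explicitly.
            record(pending, "no match" if "no match found" in lowered else "match")
            pending = None
        elif "chain verifies ok" in lowered:
            report["verdict"] = "ok"
        elif "chain validation failed" in lowered:
            report["verdict"] = "failed"
    return report


if __name__ == "__main__":
    for name, log in (("both CAs trusted", LOG_OK), ("root CA only", LOG_ROOT_ONLY)):
        print(name, chain_lookup_report(log))
```

Every DN reported under "missing" is a CA certificate to add to the Trusted Certificates folder when the default behavior is kept.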
  5. This article explains how to configure JDBC Connection shared resource in TIBCO ActiveMatrix BusinessWorks™ 5 to connect to Microsoft SQL Server database over TLS.

     Microsoft JDBC Driver for SQL Server - mssql-jdbc-x.x.x.jrex.jar

     JDBC Driver

     Select the following driver from the Select driver dropdown.

         com.microsoft.sqlserver.jdbc.SQLServerDriver

     Database URL

     To enable TLS with server certificate validation, specify the URL as follows -

         jdbc:sqlserver://host:port;databaseName=database;encrypt=true;trustStore=path_to_trust_store;trustStorePassword=password

     For example,

         jdbc:sqlserver://dbserver:1433;databaseName=bwdb;encrypt=true;trustStore=D:\wa\PKI\trust.jks;trustStorePassword=password

     encrypt - Set this property to true to enable TLS
     trustStore - Full path to the trust store containing the DB server certificate
     trustStorePassword - Trust store password

     TIBCO Database Driver Supplement Software (TDDS) - TIsqlserver.jar

     JDBC Driver

     Select the following driver from the Select driver dropdown.

         tibcosoftwareinc.jdbc.sqlserver.SQLServerDriver

     Database URL

     To enable TLS with server certificate validation, specify the URL as follows -

         jdbc:tibcosoftwareinc:sqlserver://host:port;databaseName=database;EncryptionMethod=SSL;TrustStore=path_to_trust_store;TrustStorePassword=password;ValidateServerCertificate=true

     For example,

         jdbc:tibcosoftwareinc:sqlserver://na1devspekk301:1433;databaseName=bwdb;EncryptionMethod=SSL;TrustStore=D:\wa\PKI\trust.jks;TrustStorePassword=password;ValidateServerCertificate=true

     EncryptionMethod - Set this property to SSL to enable TLS
     ValidateServerCertificate - Set this property to true to validate the server certificate
     TrustStore - Full path to the trust store containing the DB server certificate
     TrustStorePassword - Trust store password

     References -
     Microsoft JDBC Driver for SQL Server - TLS configuration and properties
     https://learn.microsoft.com/en-us/sql/connect/jdbc/using-ssl-encryption?view=sql-server-2016
     TDDS driver - TLS configuration and properties
     https://docs.progress.com/bundle/datadirect-microsoft-sql-server-jdbc-60/page/Data-encryption.html
  6. When the Integrity option is selected in an outbound security policy, TIBCO ActiveMatrix BusinessWorks™ 5 (BW) signs the SOAP Body element only. It is a common requirement to sign WS-Security elements along with the SOAP Body element. This article explains how to configure BW to sign WS-Security elements in a SOAP message.

     First, let’s take a look at a sample outbound SOAP message that is generated when the Security Policy shared resource is configured with Integrity and Timeout options. Only the SOAP Body element SOAP-ENV:Body is signed.

     Now, let’s say the requirement is to have the signature include the Timestamp element along with the SOAP Body element. To sign additional elements along with SOAP Body, specify the elements along with the SOAP Body element in the Message Elements for Signature field under the Outbound tab of Security Policy Association shared resource. In this case, it would be SOAP-ENV:Body and wsu:Timestamp. Steps below.

       1. Select the Security Policy Association shared resource.
       2. Go to the Outbound tab and add the following to the Message Elements for Signature field

              SOAP-ENV:Body and wsu:Timestamp

       3. Under Prefix Namespace Pair, add the prefixes SOAP-ENV and wsu and select the corresponding namespaces.

     The signature in the outbound request should now include the Timestamp element in addition to the SOAP Body element.

     A sample project is available here.

     To get the signed SOAP message logged to the Designer console or application log file, set the logger com.tibco.spin to DEBUG.

     5.14.0

     Add the following to TIBCO_HOME/bw/5.x/lib/log4j.xml

         <logger name="com.tibco.spin">
             <level value="DEBUG"/>
             <appender-ref ref="tibco_bw_log"/>
         </logger>

     5.14.1, 5.15.x

     Add the following to TIBCO_HOME/bw/5.x/lib/log4j2.properties

         logger.spin.name = com.tibco.spin
         logger.spin.level = DEBUG
         logger.spin.additivity = false
         logger.spin.appenderRef.bw_log.ref = tibco_bw_log
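Once the signed message is logged, the configuration can be confirmed by checking which elements the ds:Reference entries of the signature point at. The Python below is an added example, not part of the article or of BW: the function names and the constructed sample envelope (with wsu:Id values TS-1 and Body-1 and no real digests) are assumptions, and it checks reference coverage only, not the digest or signature values.

```python
import xml.etree.ElementTree as ET

NS = {
    "SOAP-ENV": "http://schemas.xmlsoap.org/soap/envelope/",
    "wsse": "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd",
    "wsu": "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
}
PREFIX = {uri: prefix for prefix, uri in NS.items()}
WSU_ID = "{%s}Id" % NS["wsu"]


def prefixed(tag):
    """Turn '{namespace}local' into 'prefix:local' using the prefixes above."""
    if not tag.startswith("{"):
        return tag
    uri, _, local = tag[1:].partition("}")
    return "%s:%s" % (PREFIX.get(uri, uri), local)


def signed_elements(soap_xml):
    """List the elements that the signature's ds:Reference URIs resolve to."""
    root = ET.fromstring(soap_xml)
    by_id = {}
    for el in root.iter():
        if el.get(WSU_ID):
            by_id.setdefault(el.get(WSU_ID), []).append(el)
    signed = []
    for ref in root.iterfind(".//ds:Signature/ds:SignedInfo/ds:Reference", NS):
        uri = ref.get("URI", "")
        target = uri[1:] if uri.startswith("#") else uri
        matches = by_id.get(target, [])
        # A reference must resolve to exactly one element; zero or duplicate
        # wsu:Id values make the coverage ambiguous, so refuse to report it.
        if len(matches) != 1:
            raise ValueError("Reference %r resolves to %d elements" % (uri, len(matches)))
        signed.append(prefixed(matches[0].tag))
    return signed


def unsigned_required(soap_xml, required=("SOAP-ENV:Body", "wsu:Timestamp")):
    """Return the required elements that no signature reference covers."""
    covered = set(signed_elements(soap_xml))
    return [name for name in required if name not in covered]


def sample_message(reference_ids):
    """Constructed input: skeleton WS-Security envelope signed over the given Ids."""
    decls = " ".join('xmlns:%s="%s"' % item for item in NS.items())
    refs = "".join('<ds:Reference URI="#%s"/>' % i for i in reference_ids)
    return (
        "<SOAP-ENV:Envelope " + decls + "><SOAP-ENV:Header><wsse:Security>"
        '<wsu:Timestamp wsu:Id="TS-1"><wsu:Created>2024-01-01T00:00:00Z</wsu:Created>'
        "</wsu:Timestamp><ds:Signature><ds:SignedInfo>" + refs +
        "</ds:SignedInfo></ds:Signature></wsse:Security></SOAP-ENV:Header>"
        '<SOAP-ENV:Body wsu:Id="Body-1"><ping/></SOAP-ENV:Body></SOAP-ENV:Envelope>'
    )


if __name__ == "__main__":
    print("default policy :", unsigned_required(sample_message(["Body-1"])))
    print("after the change:", unsigned_required(sample_message(["Body-1", "TS-1"])))
```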
  7. This article explains how to configure JDBC Connection shared resource in TIBCO ActiveMatrix BusinessWorks™ 5 to connect to IBM DB2 database server over TLS.

     IBM Data Server Driver for JDBC and SQLJ - db2jcc4.jar

     JDBC Driver

     Select the following driver from the Select driver dropdown.

         com.ibm.db2.jcc.DB2Driver

     Database URL

     To enable TLS with server certificate validation, specify the URL as follows -

         jdbc:db2://host:port/database:sslConnection=true;sslTrustStoreLocation=path_to_truststore_file;sslTrustStorePassword=password;

     For example,

         jdbc:db2://dbserver:25001/sample:sslConnection=true;sslTrustStoreLocation=D:/PKI/trust.jks;sslTrustStorePassword=password;

     sslConnection - Set this property to true to enable TLS
     sslTrustStoreLocation - Path to the truststore file containing trusted certificates
     sslTrustStorePassword - Truststore password

     TIBCO Database Driver Supplement Software (TDDS) - TIdb2.jar

     JDBC Driver

     Select the following driver from the Select driver dropdown.

         tibcosoftwareinc.jdbc.db2.DB2Driver

     Database URL

     To enable TLS with server certificate validation, specify the URL as follows -

         jdbc:tibcosoftwareinc:db2://host:port;databaseName=database;EncryptionMethod=SSL;ValidateServerCertificate=true;TrustStore=path_to_truststore_file;TrustStorePassword=password

     For example,

         jdbc:tibcosoftwareinc:db2://dbserver:25001;databaseName=sample;EncryptionMethod=SSL;ValidateServerCertificate=true;TrustStore=D:/PKI/trust.jks;TrustStorePassword=password

     EncryptionMethod - Set this property to SSL to enable TLS
     ValidateServerCertificate - Set this property to true to validate the server certificate
     TrustStore - Path to the truststore file containing trusted certificates
     TrustStorePassword - Truststore password

     Using system properties to specify the truststore file

     The system property javax.net.ssl.trustStore may be used to specify the truststore file. When using the system property, specify the URL as follows -

     IBM Data Server Driver for JDBC and SQLJ

         jdbc:db2://host:port/database:sslConnection=true;

     TDDS driver

         jdbc:tibcosoftwareinc:db2://host:port;databaseName=database;EncryptionMethod=SSL;ValidateServerCertificate=true

     Add the following properties to designer.tra/bwengine.tra

         java.property.javax.net.ssl.trustStore=path_to_truststore_file
         java.property.javax.net.ssl.trustStorePassword=truststore_password

     For example,

         java.property.javax.net.ssl.trustStore=D:/PKI/trust.jks
         java.property.javax.net.ssl.trustStorePassword=password

     References -
     IBM DB2 database server - TLS configuration
     https://www.ibm.com/docs/en/db2/11.5?topic=transit-tls-configuration-db2
     IBM Data Server Driver for JDBC and SQLJ - TLS configuration and properties
     https://www.ibm.com/docs/en/db2/11.5?topic=dsdjsss-configuring-connections-under-data-server-driver-jdbc-sqlj-use-ssl
     TDDS driver - TLS configuration and properties
     https://docs.progress.com/bundle/datadirect-connect-jdbc-51/page/Data-Encryption_5.html
  8. This article explains how to configure JDBC Connection shared resource in TIBCO ActiveMatrix BusinessWorks™ 5 to connect to Oracle database server over TLS.

     Oracle JDBC driver - ojdbc8.jar

     JDBC Driver

     Select the following driver from the Select driver dropdown.

         oracle.jdbc.driver.OracleDriver (thin)

     Database URL

     To connect over TLS with mutual authentication, specify the URL as follows -

         jdbc:oracle:thin:@tcps://host:port/service?wallet_location=path_to_wallet_directory

     For example,

         jdbc:oracle:thin:@tcps://dbserver:2484/orcl19.tibco.com?wallet_location=D:/PKI/wallet

     wallet_location - Path to the directory where the wallet file containing the trusted certificates, client’s certificate and client’s private key is present.

     Note - When using Oracle wallet file, make sure that the JAR files oraclepki.jar, osdt_core.jar and osdt_cert.jar are in designer/bwengine classpath.

     TIBCO Database Driver Supplement Software (TDDS) - TIOracle.jar

     JDBC Driver

     Select the following driver from the Select driver dropdown.

         tibcosoftwareinc.jdbc.oracle.OracleDriver

     Database URL

     To connect over TLS with mutual authentication, specify the URL as follows -

         jdbc:tibcosoftwareinc:oracle://host:port;SID=sid;EncryptionMethod=ssl;TrustStore=path_to_wallet_file

     For example,

         jdbc:tibcosoftwareinc:oracle://dbserver:2484;SID=orcl19;EncryptionMethod=ssl;TrustStore=D:/PKI/wallet/cwallet.sso

     EncryptionMethod - Set this property to SSL to enable TLS
     TrustStore - Path to the wallet file containing the trusted certificates, client’s certificate and client’s private key

     With TDDS driver, it is also possible to specify JKS-format keystore and truststore files using connection properties.

         jdbc:tibcosoftwareinc:oracle://host:port;SID=sid;EncryptionMethod=ssl;TrustStore=path_to_truststore_file;TrustStorePassword=truststore_password;KeyStore=path_to_keystore_file;KeyStorePassword=keystore_password

     For example,

         jdbc:tibcosoftwareinc:oracle://dbserver:2484;SID=orcl19;EncryptionMethod=ssl;TrustStore=D:/PKI/clienttrust.jks;TrustStorePassword=password;KeyStore=D:/PKI/clientkey.jks;KeyStorePassword=password

     TrustStore - Path to the truststore file containing trusted certificates
     TrustStorePassword - Truststore password
     KeyStore - Path to the keystore file containing client’s certificate and private key
     KeyStorePassword - Keystore password

     Using system properties to specify wallet or keystore/truststore files

     The system properties javax.net.ssl.trustStore and javax.net.ssl.keyStore may be used to specify wallet or keystore and truststore files. A wallet file or JKS-format keystore may be used. When using these system properties, specify the URL as follows -

     Oracle JDBC driver

         jdbc:oracle:thin:@tcps://host:port/service

     TDDS driver

         jdbc:tibcosoftwareinc:oracle://host:port;SID=sid;EncryptionMethod=ssl

     Add the following properties to designer.tra/bwengine.tra

     Wallet

         java.property.javax.net.ssl.trustStore=path_to_wallet_file
         java.property.javax.net.ssl.trustStoreType=SSO
         java.property.javax.net.ssl.keyStore=path_to_wallet_file
         java.property.javax.net.ssl.keyStoreType=SSO

     For example,

         java.property.javax.net.ssl.trustStore=D:/PKI/wallet/cwallet.sso
         java.property.javax.net.ssl.trustStoreType=SSO
         java.property.javax.net.ssl.keyStore=D:/PKI/wallet/cwallet.sso
         java.property.javax.net.ssl.keyStoreType=SSO

     JKS-format keystore

         java.property.javax.net.ssl.trustStore=path_to_truststore_file
         java.property.javax.net.ssl.trustStorePassword=truststore_password
         java.property.javax.net.ssl.keyStore=path_to_keystore_file
         java.property.javax.net.ssl.keyStorePassword=keystore_password

     For example,

         java.property.javax.net.ssl.trustStore=D:/PKI/clienttrust.jks
         java.property.javax.net.ssl.trustStorePassword=password
         java.property.javax.net.ssl.keyStore=D:/PKI/clientkey.jks
         java.property.javax.net.ssl.keyStorePassword=password

     Certificate-based authentication

     If the Oracle database server is configured to support TCPS authentication, the driver can authenticate to the database using a certificate.

     Note - When authenticating using a certificate, do not specify User Name and Password in JDBC Connection shared resource configuration.

     To use certificate-based authentication with Oracle JDBC driver, add the following property to designer.tra/bwengine.tra

         java.property.oracle.net.authentication_services=(TCPS)

     With the TDDS driver, set the property AuthenticationMethod to SSL as shown below.

         jdbc:tibcosoftwareinc:oracle://host:port;SID=sid;EncryptionMethod=ssl;AuthenticationMethod=ssl;TrustStore=path_to_wallet_file

     References
     Oracle database server - TLS configuration
     https://docs.oracle.com/en/database/oracle/oracle-database/19/dbseg/configuring-secure-sockets-layer-authentication.html#GUID-6AD89576-526F-4D6B-A539-ADF4B840819F
     Oracle JDBC driver - TLS configuration and properties
     https://docs.oracle.com/en/database/oracle/oracle-database/19/jjdbc/client-side-security.html#GUID-2BD2F189-A58C-4A85-8524-CFD9BB9AC575
     TDDS driver - TLS configuration and properties
     https://docs.progress.com/bundle/datadirect-oracle-jdbc-60/page/Data-encryption.html
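The JDBC articles in this list (MariaDB, SQL Server, DB2, Oracle) each use a different URL syntax for the TLS switch and the store passwords. The Python below is an added example, not TIBCO or driver code: it parses the URL forms shown in those articles and reports whether the TLS property is set and which store passwords sit in the URL itself, so they can be moved to the system properties the articles describe. The function names are hypothetical, only the property names shown in the articles are checked, and the last sample URL is constructed.

```python
# Property names (lower-cased) that carry a store password in the articles' URLs.
SECRET_KEYS = {"truststorepassword", "keystorepassword", "ssltruststorepassword"}

SAMPLE_URLS = [
    "jdbc:mariadb://dbserver:3306/bwdb?useSSL=true&trustStore=D:/PKI/trust.jks"
    "&trustStorePassword=password&keyStore=D:/PKI/key.jks&keyStorePassword=password",
    "jdbc:db2://dbserver:25001/sample:sslConnection=true;"
    "sslTrustStoreLocation=D:/PKI/trust.jks;sslTrustStorePassword=password;",
    "jdbc:tibcosoftwareinc:oracle://dbserver:2484;SID=orcl19;EncryptionMethod=ssl;"
    "TrustStore=D:/PKI/wallet/cwallet.sso",
    "jdbc:oracle:thin:@tcps://dbserver:2484/orcl19.tibco.com?wallet_location=D:/PKI/wallet",
    "jdbc:sqlserver://dbserver:1433;databaseName=bwdb",  # constructed: no TLS property
]


def _props(tail, sep):
    """Split 'k=v<sep>k=v' into a dict with lower-cased property names."""
    out = {}
    for part in tail.split(sep):
        key, eq, value = part.partition("=")
        if eq and key.strip():
            out[key.strip().lower()] = value.strip()
    return out


def audit_jdbc_url(url):
    """Report driver family, whether TLS is switched on, and passwords in the URL."""
    if url.startswith("jdbc:mariadb:"):
        driver, props = "mariadb", _props(url.partition("?")[2], "&")
        tls = props.get("usessl", "").lower() == "true"
    elif url.startswith("jdbc:sqlserver:"):
        driver, props = "mssql", _props(url.partition(";")[2], ";")
        tls = props.get("encrypt", "").lower() == "true"
    elif url.startswith("jdbc:db2://"):
        # Properties follow the database name after a colon: //host:port/db:k=v;
        database_part = url[len("jdbc:db2://"):].partition("/")[2]
        driver, props = "db2", _props(database_part.partition(":")[2], ";")
        tls = props.get("sslconnection", "").lower() == "true"
    elif url.startswith("jdbc:tibcosoftwareinc:"):
        driver = "tdds-" + url.split(":")[2]
        props = _props(url.partition(";")[2], ";")
        tls = props.get("encryptionmethod", "").lower() == "ssl"
    elif url.startswith("jdbc:oracle:thin:"):
        driver, props = "oracle-thin", _props(url.partition("?")[2], "&")
        tls = "@tcps://" in url
    else:
        raise ValueError("URL form not covered by these articles: " + url)
    secrets = sorted(k for k in props if k in SECRET_KEYS)
    return {"driver": driver, "tls": tls, "secrets_in_url": secrets}


def needs_attention(urls):
    """Return (url, audit) pairs where TLS is off or a password is in the URL."""
    audits = [(u, audit_jdbc_url(u)) for u in urls]
    return [(u, a) for u, a in audits if not a["tls"] or a["secrets_in_url"]]


if __name__ == "__main__":
    for url, audit in needs_attention(SAMPLE_URLS):
        print(audit, "<-", url)
```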
  9. This article explains how to manage SSL/TLS protocol versions in TIBCO ActiveMatrix BusinessWorks™ 5 (BW).

     TLS protocol versions enabled by default in BW environments

     The TLS protocol versions enabled by default in a BW environment vary based on the JRE version. Let’s take the case of BW 5.15.0, which uses Java 11. The property jdk.tls.disabledAlgorithms in the security properties file (TIBCO_HOME/tibcojre64/11/conf/security/java.security) shows which protocol versions are disabled.

         jdk.tls.disabledAlgorithms=SSLv3, TLSv1, TLSv1.1, RC4, DES, MD5withRSA, \
             DH keySize < 1024, EC keySize < 224, 3DES_EDE_CBC, anon, NULL, \
             include jdk.disabled.namedCurves

     By default, SSLv3, TLS 1.0 and TLS 1.1 are disabled on JRE level and only TLS 1.2 and TLS 1.3 are enabled. So, by default, BW 5.15.0 can use TLS 1.2 or TLS 1.3.

     TLS protocol version used in a TLS session

     The TLS protocol version that is used in a TLS session depends on what protocol versions are supported by the two sides of the connection. Let’s say, BW (Send HTTP Request activity) is connecting to a web server over TLS in a BW 5.15 environment where TLS 1.2 and TLS 1.3 are enabled. If the web server supports TLS 1.3, it will be used for the connection. On the other hand, if TLS 1.2 is the highest version supported by the web server, TLS 1.2 will be used.

     How to check the enabled TLS protocol versions and the version used in a TLS session

     If BW is the client, to identify enabled TLS protocol versions, check TLS debug logs. The ClientHello handshake message shows the enabled TLS protocol versions. The sample log given below shows that TLS 1.3 and TLS 1.2 are enabled.

         "ClientHello": {
           .....
           .....
           "supported_versions (43)": {
             "versions": [TLSv1.3, TLSv1.2]
           },
           .....
           .....
         }

     If BW is the server, the utility sslscan (https://github.com/rbsec/sslscan/releases) can be used to check the enabled TLS protocol versions. The sample output given below shows that TLS 1.2 and TLS 1.3 are enabled.

         $sslscan localhost:9191
         Version: 2.1.3 Windows 64-bit (Mingw)
         OpenSSL 3.0.9 30 May 2023

         Connected to ::1

         Testing SSL server localhost on port 9191 using SNI name localhost

           SSL/TLS Protocols:
         SSLv2     disabled
         SSLv3     disabled
         TLSv1.0   disabled
         TLSv1.1   disabled
         TLSv1.2   enabled
         TLSv1.3   enabled
         .....
         .....

     To identify the TLS protocol version that is used in a TLS session where BW is the client or server, check TLS debug logs. The ServerHello handshake message shows the selected TLS protocol version. The sample log given below shows that the selected version is TLS 1.3.

         "ServerHello": {
           .....
           .....
           "supported_versions (43)": {
             "selected version": [TLSv1.3]
           },
           .....
           .....
         }

     Disabling a TLS protocol version that is enabled by default

     A TLS protocol version may be disabled on JRE level or application level.

     JRE level

     To disable a specific TLS protocol, add it to the property jdk.tls.disabledAlgorithms in the security properties file. For example, to disable TLS 1.2, update the property as follows.

         jdk.tls.disabledAlgorithms=SSLv3, TLSv1, TLSv1.1, TLSv1.2, RC4, DES, MD5withRSA, \
             DH keySize < 1024, EC keySize < 224, 3DES_EDE_CBC, anon, NULL, \
             include jdk.disabled.namedCurves

     Application level

     In cases where TLS is handled by BW, it is possible to disable TLS protocols separately on client side and server side using the following properties.

         com.tibco.security.ssl.server.EnableTLSv1
         com.tibco.security.ssl.server.EnableTLSv11
         com.tibco.security.ssl.server.EnableTLSv12
         com.tibco.security.ssl.server.EnableTLSv13
         com.tibco.security.ssl.client.EnableTLSv1
         com.tibco.security.ssl.client.EnableTLSv11
         com.tibco.security.ssl.client.EnableTLSv12
         com.tibco.security.ssl.client.EnableTLSv13

     For example, the following property can be used to disable TLSv1.2 on client side in a BW version where TLSv1.2 is enabled by default.

         java.property.com.tibco.security.ssl.client.EnableTLSv12=false

     Sample log that shows the TLS protocol versions that are enabled by default in BW 5.15 environment.

         "ClientHello": {
           .....
           .....
           "supported_versions (43)": {
             "versions": [TLSv1.3, TLSv1.2]
           },
           .....
           .....
         }

     Sample log with the property com.tibco.security.ssl.client.EnableTLSv12 set to false. Only TLSv1.3 is enabled.

         "ClientHello": {
           .....
           .....
           "supported_versions (43)": {
             "versions": [TLSv1.3]
           },
           .....
           .....
         }

     In cases where TLS is handled by a third-party library, use the setting provided by the third-party library. For example, when using MySQL Connector/J JDBC driver version 8.x to connect to MySQL server over TLS, the TLS protocol versions TLS 1.2 and TLS 1.3 are enabled by default. The driver configuration property tlsVersions can be used to restrict TLS protocol versions. To disable TLS 1.2 and use only TLS 1.3, set the property to TLSv1.3 in the JDBC URL as shown below.

         jdbc:mysql://host:port/database?sslMode=VERIFY_CA&tlsVersions=TLSv1.3

     Enabling a TLS protocol version that is disabled by default

     Sometimes, it may be necessary to enable a specific TLS protocol version that is disabled by default. To enable a specific TLS protocol, remove it from the property jdk.tls.disabledAlgorithms in the security properties file. For example, to enable TLS 1.1, update the property as follows.

         jdk.tls.disabledAlgorithms=SSLv3, TLSv1, RC4, DES, MD5withRSA, \
             DH keySize < 1024, EC keySize < 224, 3DES_EDE_CBC, anon, NULL, \
             include jdk.disabled.namedCurves

     Sample log with the property updated to enable TLSv1.1. TLS 1.3, TLS 1.2 and TLS 1.1 are enabled.

         "ClientHello": {
           .....
           .....
           "supported_versions (43)": {
             "versions": [TLSv1.3, TLSv1.2, TLSv1.1]
           },
           .....
           .....
         }

     Note that any changes made to the default security properties file affect all the BW applications running under the TIBCO_HOME. If the requirement to enable a TLS protocol version is specific to an application, a better option would be to make a copy of the security properties file, make the change in the new file and configure the application to use the new file. More information on specifying an alternate security properties file can be found in the comments section of the security properties file.
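The two layers described above (jdk.tls.disabledAlgorithms at JRE level, the EnableTLSv* properties at application level) can be combined offline to predict which versions a BW client or server will offer before checking the handshake log. The Python below is an added example, not TIBCO code: the function names are hypothetical, the java.security excerpt is constructed from the default value quoted in the article, and only an Enable property set to false is modelled, since that is the only use the article shows.

```python
PROTOCOLS = ["SSLv3", "TLSv1", "TLSv1.1", "TLSv1.2", "TLSv1.3"]
# Suffix of the BW property name -> protocol name as written in java.security.
BW_SUFFIX = {"TLSv1": "TLSv1", "TLSv11": "TLSv1.1", "TLSv12": "TLSv1.2", "TLSv13": "TLSv1.3"}

# Constructed excerpt using the BW 5.15.0 (Java 11) default quoted in the article.
JAVA_SECURITY = r"""
# conf/security/java.security (excerpt)
jdk.tls.disabledAlgorithms=SSLv3, TLSv1, TLSv1.1, RC4, DES, MD5withRSA, \
    DH keySize < 1024, EC keySize < 224, 3DES_EDE_CBC, anon, NULL, \
    include jdk.disabled.namedCurves
"""


def read_properties(text):
    """Parse key=value lines, joining lines that end with a backslash."""
    props, logical = {}, ""
    for raw in text.splitlines():
        line = raw.strip()
        if not logical and (not line or line[0] in "#!"):
            continue                      # blank line or comment
        if line.endswith("\\"):
            logical += line[:-1]          # continuation: keep collecting
            continue
        logical += line
        key, _, value = logical.partition("=")
        props[key.strip()] = value.strip()  # a later definition overrides an earlier one
        logical = ""
    return props


def jre_enabled(java_security_text):
    """Protocol versions not listed in jdk.tls.disabledAlgorithms."""
    value = read_properties(java_security_text).get("jdk.tls.disabledAlgorithms", "")
    disabled = {entry.strip() for entry in value.split(",")}
    return [p for p in PROTOCOLS if p not in disabled]


def bw_enabled(java_security_text, tra_text, side):
    """Versions left for side 'client' or 'server' after the .tra overrides."""
    enabled = jre_enabled(java_security_text)
    props = read_properties(tra_text)
    prefix = "java.property.com.tibco.security.ssl.%s.Enable" % side
    for suffix, protocol in BW_SUFFIX.items():
        if props.get(prefix + suffix, "").lower() == "false" and protocol in enabled:
            enabled.remove(protocol)
    return enabled


if __name__ == "__main__":
    tra = "java.property.com.tibco.security.ssl.client.EnableTLSv12=false"
    print("JRE default:", jre_enabled(JAVA_SECURITY))
    print("BW client  :", bw_enabled(JAVA_SECURITY, tra, "client"))
    print("BW server  :", bw_enabled(JAVA_SECURITY, tra, "server"))
```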
  10. This article explains how to configure JDBC Connection shared resource in TIBCO ActiveMatrix BusinessWorks™ 5 (BW) when the Oracle DB server connection information is stored in LDAP.

      The first step is to identify the LDAP entry that contains the connection information. For this, run ldapsearch with the Oracle Context DN as the base. For example,

      In the above example, the Oracle Context DN is cn=OracleContext,dc=example,dc=com and the DN of the entry that contains the connection information is cn=orcl19tw2012,cn=OracleContext,dc=example,dc=com (see the attribute orclNetDescString)

      With the above setup, the URLs would be as follows -

      Oracle JDBC driver

          jdbc:oracle:thin:@ldap://ldaphost:389/cn=OracleContext,dc=example,dc=com/orcl19tw2012

      OR

          jdbc:oracle:thin:@ldap://ldaphost:389/orcl19tw2012,cn=OracleContext,dc=example,dc=com

      TIBCO Database Driver Supplement Software

          jdbc:tibcosoftwareinc:oracle://ldaphost:389;LDAPDistinguishedName="cn=orcl19tw2012,cn=OracleContext,dc=example,dc=com"
  11. See Output Headers tab of HTTP Receiver activity. You can add headers here based on what is expected in the incoming request. -K
  12. If you are looking for information on JDBC driver tracing, please see https://docs.oracle.com/cd/B28359_01/java.111/b31224/diagnose.htm. -K