Copyright © Cloud Software Group, Inc. All Rights Reserved

Trusted Certificates

Certificates are typically issued by a trusted third party, such as a certificate authority. There are several commercial certificate authorities, such as Entrust or VeriSign.

Both clients and servers can also store a list of trusted certificates. When a connection is requested, each party presents their certificate and that certificate is checked against the list of trusted certificates. If the certificate is not found, the connection is refused. Checking trusted certificates allows clients to ensure that they are connecting to the correct server. For servers, trusted certificates are used to ensure only the authorized clients can connect to the server.

Checking a certificate involves checking the certificate of the party that signed the certificate. There can be a hierarchy of intermediate certificates, also known as a certificate chain, that must be checked up to the root certificate to ensure that a certificate is authentic. TIBCO ActiveMatrix BusinessWorks requires that all intermediate certificates are stored in the trusted certificate location so that certificates can be properly verified.

Figure 67 illustrates a certificate chain. In this chain, Alice has a certificate signed by the OASIS Interop Test CA (the Issuer DN in the certificate). To verify Alice’s identity, the issuer of Alice’s certificate must be checked. The OASIS Interop Test CA certificate was issued by OASIS Interop Test Root. You can see that the OASIS Interop Test Root certificate is a self-signed root certificate because the Issuer DN is the same as the Subject DN in the certificate.

Figure 67 An example of a certificate chain

You can use a variety of methods and external tools to obtain certificates for your trusted certificate list or creating self-signed root certificates. For example, OpenSSL at www.openssl.org provides a toolkit for working with certificates and SSL. Portcle at http://portecle.sourceforge.net/ provides a GUI tool for managing certificates.

TIBCO ActiveMatrix BusinessWorks can import and store certificates in Privacy-enhanced Electronic Mail (PEM) format in a folder within the project. You can also store trusted certificates outside of your project and use a global variable to point to the certificate storage location. The following sections describe each method of storing trusted certificates.

Adding Certificates to Your Project

TIBCO Designer projects store trusted certificates in PEM storage format.

To add a certificate in PEM format to your project, perform the following procedure:

1.	Select a folder into which you wish to import the certificate.

2.	From the menu bar, choose Tools> Trusted Certificates > Import into PEM Format.

3.	Provide the certificate URL when prompted.

You can import certificates that are in PKCS7 and PEM formats (these formats do not store keys). A new certificate copy is created when the import is done. If the certificate to be imported is already in PEM format, a new copy is created as is.

You cannot import certificates from storage formats that require a password, such as PKCS12 and KeyStore.

Storing Trusted Certificates Outside of Your Project

Storing trusted certificates in the project requires you to import any new certificates into the project, re-create the enterprise archive file, and re-deploy your project when certificates change or expire. To avoid this problem, you may wish to store your certificates in a folder outside of your project. When certificates change or expire, you can replace certificates or add new certificates and then restart the process engine to load the changes.

To store trusted certificates outside of your project, perform the following procedure:

1.	Create a folder in your file system in the location where you wish to store the trusted certificates. You must copy this folder to each machine where your process engines are deployed, or the location can be a shared network area accessible by all process engines.

2.	In your TIBCO ActiveMatrix BusinessWorks project, create a global variable named BW_GLOBAL_TRUSTED_CA_STORE. See Global Variables for more information about global variables.

3.

Set the value of BW_GLOBAL_TRUSTED_CA_STORE to the location of the trusted certificates folder on your file system. The location can either be the same for all deployed engines (that is, you copied it to the same location on each machine or it is a shared network drive), or you can change the value of the global variable when you deploy the project to the location on the machine where you place the trusted certificates.

The value you set for BW_GLOBAL_TRUSTED_CA_STORE must be a file URL, for example, file:///c:/tibco/certs.

4.	Specify a value in the Trusted Certificates field in the SSL Configuration dialog. When the project runs, the value of BW_GLOBAL_CA_STORE overrides the value you specify with the location you provided.

Copyright © Cloud Software Group, Inc. All Rights Reserved