SSL Configuration

For connections and activities that allow you to use SSL, there is a checkbox on the configuration that, when checked, allows you to click the Configure SSL button. The Configure SSL button brings up an SSL configuration dialog with specific options for the type of activity or connection that you are configuring. The following table describes the potential configuration fields in the SSL configuration dialog for each type of connection.

SSL configuration dialog fields

Field

Description

FTP Connection

FTP Connection resources are used to specify the FTP server that FTP activities will connect to. In this case, ActiveMatrix BusinessWorks acts as an initiator of SSL connection requests.

Trusted Certificates Folder

Specifies a folder in the project containing one or more trusted certificates. This folder is checked when an FTP activity connects to ensure that the responder’s certificate is from a trusted certificate authority. This prevents connections to rogue servers.

Identity

An Identity resource that contains the client’s digital certificate and private key.

This field is optional, because clients are typically not required to present their identity to servers.

Verify Host Name

Specifies that the host name of the FTP server is checked against the host name listed in the server’s digital certificate. This provides additional verification that the host name you believe you are connecting to is in fact the desired host.

If the host name specified in the Host field on the Configuration tab is not an exact match to the host name specified in the server’s digital certificate, the connection is refused.

Note: If you specify an equivalent hostname (for example, an IP address) in the Host field, but the name is not an exact match of the hostname in the host’s digital certificate, the connection is refused.

Strong Cipher Suites Only

When checked, this field specifies that the minimum strength of the cipher suites used can be specified with the bw.plugin.security.strongcipher.minstrength custom engine property. See TIBCO Administrator User’s Guide for more information about this property. The default value of the property disables cipher suites with an effective key length below 128 bits.

When this field is unchecked, only cipher suites with an effective key length of up to 128 bits can be used.

HTTP Connection

HTTP connection resources are used when ActiveMatrix BusinessWorks acts as an HTTP server. In this case, ActiveMatrix BusinessWorks is the responder to SSL connection requests.

Requires Client Authentication

Checking this field requires initiators to present their digital certificate before connecting to the HTTP server.

When this field is checked, the Trusted Certificates Folder becomes enabled so that you can specify a location containing the list of trusted certificates.

Trusted Certificates Folder

This field is only applicable when the Requires Client Authentication field is checked.

This field specifies a folder in the project containing one or more certificates from trusted certificate authorities. This folder is checked when a client connects to ensure that the client is trusted. This prevents connections from rogue clients.

Identity

This is an Identity resource that contains the HTTP server’s digital certificate and private key.

Strong Cipher Suites Only

When checked, this field specifies that the minimum strength of the cipher suites used can be specified with the bw.plugin.security.strongcipher.minstrength custom engine property. See TIBCO Administrator User’s Guide for more information about this property. The default value of the property disables cipher suites with an effective key length below 128 bits.

When this field is unchecked, only cipher suites with an effective key length of up to 128 bits can be used.

JMS Connection

ActiveMatrix BusinessWorks can act as either an initiator or a responder in an SSL connection with the JMS Connection resource.

Basic Tab

Trusted Certificates Folder

Location of the trusted certificates on this machine. The trusted certificates are a collection of certificates from initiators or responders to whom you will establish connections. If a party presents a certificate that does not match one of your trusted certificates, the connection is refused.

Basic Tab

Identity

This is an Identity resource containing the initiator’s or responder’s certificate. The Browse button allows you to select from a list of appropriately configured Identity resources.

Advanced Tab

Trace

Specifies whether SSL tracing should be enabled during the connection. If checked, the SSL connection messages are logged and sent to the console.

Advanced Tab

Debug Trace

Specifies whether SSL debug tracing should be enabled during the connection. Debug tracing provides more detailed messages than standard tracing.

Advanced Tab

Verify Host Name

This field specifies that the host name of the responder should be checked against the host name listed in the responder’s digital certificate. This provides additional verification that the host name you believe you are connecting to is in fact the desired host.

If the specified host name is not an exact match to the host name specified in the responder’s digital certificate, the connection is refused. If you specify an equivalent hostname (for example, an IP address), but the name is not an exact match of the hostname in the host’s digital certificate, the connection is refused.

Note: The default context factories for TIBCO Enterprise Message Service automatically determine if host name verification is necessary. If you are using a custom implementation of the context factories, your custom implementation must explicitly set the verify host property to the correct value. For example:
com.tibco.tibjms.TibjmsSSL.setVerifyHost(false)

Advanced Tab

Expected Host Name

The name provided in this field must match the name in the responder’s certificate.

Advanced Tab

Strong Cipher Suites Only

When checked, this field specifies that the minimum strength of the cipher suites used can be specified with the bw.plugin.security.strongcipher.minstrength custom engine property. See TIBCO Administrator User’s Guide for more information about this property. The default value of the property disables cipher suites with an effective key length below 128 bits.

When this field is unchecked, only cipher suites with an effective key length of up to 128 bits can be used.

Rendezvous Connection

ActiveMatrix BusinessWorks can act as either an initiator or a responder in an SSL connection with the Rendezvous Connection resource.

Daemon Certificate

Folder containing one or more certificates from trusted certificate authorities. The certificates in this folder are checked when connecting to a daemon to ensure that the connection is to a daemon that is trusted. This prevents connections to rogue TIBCO Rendezvous daemons that attempt to impersonate trusted daemons.

You can retrieve a daemon’s certificate using the administration interface in TIBCO Rendezvous. See the TIBCO Rendezvous documentation for more information about obtaining certificates through the administration interface. Once retrieved, you can select a folder in your project and import this certificate into the folder using the Tools > Trusted Certificates > Import Into PEM Format menu item.

Identity

An Identity resource used to authenticate to the TIBCO Rendezvous daemon. The Browse button allows you to select from a list of appropriately configured Identity resources.

Only Identity resources whose Type field is set to Identity File or Username/Password are listed.
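
The Verify Host Name fields described above for FTP and JMS connections refuse the connection unless the configured host name matches the name in the responder’s certificate. The following shell script is an added example, not part of the TIBCO documentation: it uses the openssl command-line tool to test candidate Host values against a certificate before the setting is enabled. The certificate, the names ftp.example.test and 192.0.2.10, and both function names are constructed for illustration, and openssl’s matching rules (which also accept wildcard names) stand in for the product’s own check.

```shell
#!/bin/sh
# Added example (not TIBCO code): test candidate Host field values against a
# server certificate before turning on Verify Host Name.

# make_sample_cert DIR: write a constructed self-signed certificate whose only
# name is ftp.example.test (stands in for the real server's certificate).
make_sample_cert() {
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
        -subj "/CN=ftp.example.test" \
        -addext "subjectAltName=DNS:ftp.example.test" \
        -keyout "$1/key.pem" -out "$1/cert.pem" 2>/dev/null
}

# host_matches_cert CERT HOST: return 0 if HOST matches a name in CERT.
host_matches_cert() {
    case $2 in
        *:*)       check=-checkip ;;    # IPv6 literal
        *[!0-9.]*) check=-checkhost ;;  # anything else with a non-digit: DNS name
        *)         check=-checkip ;;    # dotted-quad IPv4 literal
    esac
    # openssl x509 prints the verdict and exits 0 either way, so match the text.
    openssl x509 -in "$1" -noout "$check" "$2" 2>/dev/null |
        grep -q 'does match certificate'
}

tmp=$(mktemp -d)
trap 'rm -rf "$tmp"' EXIT
make_sample_cert "$tmp"

# Full name, short name, and an address the name might resolve to.
for host in ftp.example.test ftp 192.0.2.10; do
    if host_matches_cert "$tmp/cert.pem" "$host"; then
        echo "$host: matches the certificate"
    else
        echo "$host: does NOT match; Verify Host Name would refuse it"
    fi
done
```

To check a real server, skip make_sample_cert and pass host_matches_cert the server’s certificate saved in PEM format.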