Setting up Two-way SSL Between TIBCO BusinessEvents and TIBCO StreamBase

In two-way SSL connection, the StreamBase proxy server sends X.509 certificate to BusinessEvents (client) for verification and also verifies the X.509 certificate sent by BusinessEvents.

Procedure

Server Configurations

  1. Generate required server and client certificates using the keytool utility (included in the Sun Java JDK) with keystore and truststore parameters. For example,
    //For server
    keytool -genkeypair -dname "cn=localhost" -alias "serveruser" -keypass tibco2017 -keystore server.keystore -storepass tibco2017 -validity 3650
    keytool -export -keystore server.keystore -alias "serveruser" -file server.cer -storepass tibco2017
    
    //For client
    keytool -genkeypair -dname "cn=localhost" -alias "clientuser" -keypass tibco2017 -keystore client.keystore -storepass tibco2017 -validity 3650
    keytool -export -keystore client.keystore -alias "clientuser" -file client.cer -storepass tibco2017
    
    //Import client certificate to server keystore
    keytool -import -alias "clientuser" -file client.cer -keystore server.keystore -keypass tibco2017 -storepass tibco2017
    
    //Import server certificate to client keystore
    keytool -import -alias "serveruser" -file server.cer -keystore client.keystore -keypass tibco2017 -storepass tibco2017
  2. Edit the sbd.sbconf file in the TIBCO StreamBase Studio and add <security> element for activating SSL authentication through StreamBase proxy server.
    For two-way SSL, set the require-client-authentication attribute of the <client-ssl-connections> element to true. For more details about the <security> elements, refer to the TIBCO StreamBase Documentation.
    For example, add the following elements in the sbd.sbconf file:
    <security>
      <ssl-authentication>
        <param name="keystore" value="F:/Users/tibcoUser/541/SB_cert_new_20032017/server.keystore"/>
        <param name="keystore-password" value="tibco2017"/>
        <param name="key-password" value="tibco2017"/>
        <param name="enabled" value="true"/>
      </ssl-authentication>
      <client-ssl-connections>
      	<param name="require-client-authentication" value="true"/>
      </client-ssl-connections>
      <param name="perform-authentication" value="false"/>
    </security>
  3. Start the StreamBase server using above the sbd.sbconf file with SSL configuration from workspace where the StreamBase project is located. For example,
    C:\TIBCO\sb-cep\7.6\bin64\sbd.exe BusinessEventsFraudDetection.sbapp -f sbd.sbconf
  4. Start the StreamBase proxy server with SSL from workspace where the StreamBase project is located. For example,
    C:\TIBCO\sb-cep\7.6\bin\sbproxy.exe -J-Djavax.net.ssl.trustStore=F:/Users/tibcoUser/541/SB_cert_new_20032017/server.keystore -J-Djavax.net.ssl.trustStorePassword=tibco2017 -J-Djavax.net.ssl.keyStore=F:/Users/tibcoUser/541/SB_cert_new_20032017/client.keystore -J-Djavax.net.ssl.keyStorePassword=tibco2017  14500 localhost 14000 -f sbd.sbconf
    where,
    • 14500 is the SSL port in the StreamBase proxy server.
    • 14000 is I/O port specified in the StreamBase server configuration file:
      <server>
      <param name="tcp-port" value="14000"/>
      </server>

Client Configurations

  1. In BusinessEvents application, create a StreamBase shared resource or use the StreamBase channel properties to specify connection parameters.
    • Specify the StreamBase Server URI as sbs://localhost:14500.
    • Provide server truststore location and truststore password in the SSL Trust Store File and SSL Trust Store Password fields, respectively.
    • Provide client keystore location, keystore password, and key password in the SSL Key Store File, SSL Key Store Password, and SSL Key Password fields, respectively.
    See Configuration for StreamBase Channels for details about StreamBase channel connection properties.
  2. Save the project and restart the BusinessEvents engine.
    The BusinessEvents now is securely connected to the StreamBase server.