Setting up Two-way SSL with Enhanced Authentication Between TIBCO BusinessEvents and TIBCO StreamBase
In two-way SSL connection with enhanced authentication, the StreamBase proxy server sends X.509 certificate to BusinessEvents (client) as well as BusinessEvents sends X.509 certificate to StreamBase proxy server for verification. StreamBase server also verifies the provided user name and password with credentials configured in the StreamBase server configuration file.
Procedure
Server Configurations
-
Generate required server and client certificates using the
keytool utility (included in the Sun Java JDK) with keystore and truststore parameters.
For example,
//For server keytool -genkeypair -dname "cn=localhost" -alias "serveruser" -keypass tibco2017 -keystore server.keystore -storepass tibco2017 -validity 3650 keytool -export -keystore server.keystore -alias "serveruser" -file server.cer -storepass tibco2017 //For client keytool -genkeypair -dname "cn=localhost" -alias "clientuser" -keypass tibco2017 -keystore client.keystore -storepass tibco2017 -validity 3650 keytool -export -keystore client.keystore -alias "clientuser" -file client.cer -storepass tibco2017 //Import client certificate to server keystore keytool -import -alias "clientuser" -file client.cer -keystore server.keystore -keypass tibco2017 -storepass tibco2017 //Import server certificate to client keystore keytool -import -alias "serveruser" -file server.cer -keystore client.keystore -keypass tibco2017 -storepass tibco2017
-
Edit the
sbd.sbconf file in the TIBCO StreamBase Studio and add
<security> element for activating SSL authentication through StreamBase proxy server.
For two-way SSL, set the require-client-authentication attribute of the <client-ssl-connections> element to true. For enhanced authentication set the perform-authentication attribute of the <security> element to true.For more details about the <security> elements, refer to the TIBCO StreamBase Documentation.For example, add the following elements in the sbd.sbconf file:
<security> <ssl-authentication> <param name="keystore" value="F:/Users/Jayshri/541/SB_cert_new_20032017/server.keystore"/> <param name="keystore-password" value="tibco2017"/> <param name="key-password" value="tibco2017"/> <param name="enabled" value="true"/> </ssl-authentication> <client-ssl-connections> <param name="require-client-authentication" value="true"/> //false in case of one-way ssl </client-ssl-connections> <param name="perform-authentication" value="true"/> <role name="adminrole"> <param name="action" value="Administrate"/> <param name="action" value="Status"/> <param name="action" value="Enqueue default.NewDebit"/> <param name="action" value="Dequeue default.FraudDetected"/> </role> <user-data> <user> <param name="cn" value="cn=sbadmin"/> <param name="role" value="adminrole"/> <param name="role" value="StreamBaseSuperuser"/> <param name="password" value="secret"/> </user> </user-data> </security>
-
Start the StreamBase server using above the
sbd.sbconf file with SSL configuration from workspace where the StreamBase project is located.
For example,
C:\TIBCO\sb-cep\7.6\bin64\sbd.exe BusinessEventsFraudDetection.sbapp -f sbd.sbconf
-
Start the StreamBase proxy server with SSL from workspace where the StreamBase project is located.
For example,
C:\TIBCO\sb-cep\7.6\bin\sbproxy.exe -J-Djavax.net.ssl.trustStore=F:/Users/tibcoUser/541/SB_cert_new_20032017/server.keystore -J-Djavax.net.ssl.trustStorePassword=tibco2017 -J-Djavax.net.ssl.keyStore=F:/Users/tibcoUser/541/SB_cert_new_20032017/client.keystore -J-Djavax.net.ssl.keyStorePassword=tibco2017 14500 localhost 14000 -f sbd.sbconf
Client Configurations
-
In BusinessEvents application, create a StreamBase shared resource or use the StreamBase channel properties to specify connection parameters.
- Specify the StreamBase Server URI as sbs://localhost:14500.
- Provide user name and password for the StreamBase server in the UserName and Password fields, respectively. For example, cn=sbadmin as UserName and secret as Password.
- Provide server truststore location and truststore password in the SSL Trust Store File and SSL Trust Store Password fields, respectively.
- Provide client keystore location, keystore password, and key password in the SSL Key Store File, SSL Key Store Password, and SSL Key Password fields, respectively.
See StreamBase Channel Configuration Properties for details about StreamBase channel connection properties. -
Save the project and restart the BusinessEvents engine.
The BusinessEvents now is securely connected to the StreamBase server.
Copyright © Cloud Software Group, Inc. All rights reserved.