Setting up Two-way SSL Between TIBCO BusinessEvents and TIBCO StreamBase
In a two-way SSL connection, the StreamBase proxy server sends its X.509 certificate to BusinessEvents (the client) for verification and also verifies the X.509 certificate sent by BusinessEvents.
Procedure
- Generate required server and client certificates using the keytool utility (included in the Sun Java JDK) with keystore and truststore parameters. For example,
  For server:
    keytool -genkeypair -dname "cn=localhost" -alias "serveruser" -keypass tibco2017 -keystore server.keystore -storepass tibco2017 -validity 3650
    keytool -export -keystore server.keystore -alias "serveruser" -file server.cer -storepass tibco2017
  For client:
    keytool -genkeypair -dname "cn=localhost" -alias "clientuser" -keypass tibco2017 -keystore client.keystore -storepass tibco2017 -validity 3650
    keytool -export -keystore client.keystore -alias "clientuser" -file client.cer -storepass tibco2017
  Import client certificate to server keystore:
    keytool -import -alias "clientuser" -file client.cer -keystore server.keystore -keypass tibco2017 -storepass tibco2017
  Import server certificate to client keystore:
    keytool -import -alias "serveruser" -file server.cer -keystore client.keystore -keypass tibco2017 -storepass tibco2017
- Edit the sbd.sbconf file in the TIBCO StreamBase Studio and add the <security> element for activating SSL authentication through the StreamBase proxy server. For two-way SSL, set the require-client-authentication attribute of the <client-ssl-connections> element to true. For more details about the <security> elements, refer to the TIBCO Streaming Documentation.
  For example, add the following elements in the sbd.sbconf file:
    <security>
      <ssl-authentication>
        <param name="keystore" value="F:/Users/tibcoUser/541/SB_cert_new_20032017/server.keystore"/>
        <param name="keystore-password" value="tibco2017"/>
        <param name="key-password" value="tibco2017"/>
        <param name="enabled" value="true"/>
      </ssl-authentication>
      <client-ssl-connections>
        <param name="require-client-authentication" value="true"/>
      </client-ssl-connections>
      <param name="perform-authentication" value="false"/>
    </security>
- Start the StreamBase server using the above sbd.sbconf file with SSL configuration, from the workspace where the StreamBase project is located.
  For example,
    C:\TIBCO\sb-cep\7.6\bin64\sbd.exe BusinessEventsFraudDetection.sbapp -f sbd.sbconf
- Start the StreamBase proxy server with SSL from the workspace where the StreamBase project is located.
  For example,
    C:\TIBCO\sb-cep\7.6\bin\sbproxy.exe 14500 localhost 14000 -f sbd.sbconf
  where 14500 is the SSL port in the StreamBase proxy server and 14000 is the I/O port specified in the StreamBase server configuration file:
    <server>
      <param name="tcp-port" value="14000"/>
    </server>
- Start the StreamBase proxy server with SSL from the workspace where the StreamBase project is located.
  For example,
    C:\TIBCO\sb-cep\7.6\bin\sbproxy.exe -J-Djavax.net.ssl.trustStore=F:/Users/tibcoUser/541/SB_cert_new_20032017/server.keystore -J-Djavax.net.ssl.trustStorePassword=tibco2017 -J-Djavax.net.ssl.keyStore=F:/Users/tibcoUser/541/SB_cert_new_20032017/client.keystore -J-Djavax.net.ssl.keyStorePassword=tibco2017 14500 localhost 14000 -f sbd.sbconf
  where 14500 is the SSL port in the StreamBase proxy server and 14000 is the I/O port specified in the StreamBase server configuration file:
    <server>
      <param name="tcp-port" value="14000"/>
    </server>
- In the BusinessEvents application, create a StreamBase shared resource or use the StreamBase channel properties to specify connection parameters.
  Specify the StreamBase Server URI as sbs://localhost:14500.
  Provide the server truststore location and truststore password in the SSL Trust Store File and SSL Trust Store Password fields, respectively.
  Provide the client keystore location, keystore password, and key password in the SSL Key Store File, SSL Key Store Password, and SSL Key Password fields, respectively.
  See StreamBase Channel Configuration Properties for details about StreamBase channel connection properties.
- Save the project and restart the BusinessEvents engine.
BusinessEvents is now securely connected to the StreamBase server.
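To confirm before starting the servers that the sbd.sbconf edited in the procedure above really demands a client certificate, the following check parses the <security> element and reports what is missing. It is an added example, not TIBCO code; the function names and the one-way variant are constructed for illustration, and it assumes that only the literal value true, as used on this page, counts as enabled.

```python
import xml.etree.ElementTree as ET

# Constructed sample: the <security> element from this page's sbd.sbconf example.
TWO_WAY = """<security>
  <ssl-authentication>
    <param name="keystore" value="F:/Users/tibcoUser/541/SB_cert_new_20032017/server.keystore"/>
    <param name="keystore-password" value="tibco2017"/>
    <param name="key-password" value="tibco2017"/>
    <param name="enabled" value="true"/>
  </ssl-authentication>
  <client-ssl-connections>
    <param name="require-client-authentication" value="true"/>
  </client-ssl-connections>
  <param name="perform-authentication" value="false"/>
</security>"""

# Constructed variant: the client-auth requirement dropped, i.e. one-way SSL.
ONE_WAY = TWO_WAY.replace(
    '<param name="require-client-authentication" value="true"/>', "")

def params(element):
    """Map the direct <param name=... value=...> children of an element."""
    if element is None:
        return {}
    return {p.get("name"): (p.get("value") or "").strip()
            for p in element.findall("param")}

def check_two_way_ssl(sbconf_text):
    """Return the problems that stop the config from enforcing two-way SSL."""
    root = ET.fromstring(sbconf_text)
    security = next(root.iter("security"), None)  # root itself or a descendant
    if security is None:
        return ["no <security> element: SSL is not configured"]
    problems = []
    ssl = params(security.find("ssl-authentication"))
    if ssl.get("enabled") != "true":  # assumption: only literal "true" enables
        problems.append("ssl-authentication: enabled is not true")
    if not ssl.get("keystore"):
        problems.append("ssl-authentication: keystore is missing or empty")
    client = params(security.find("client-ssl-connections"))
    if client.get("require-client-authentication") != "true":
        problems.append("client-ssl-connections: require-client-authentication "
                        "is not true, so client certificates are not demanded")
    return problems

if __name__ == "__main__":
    for label, text in (("two-way", TWO_WAY), ("one-way", ONE_WAY)):
        print(label, check_two_way_ssl(text) or "OK")
```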