Setting up One-way SSL with Enhanced Authentication Between TIBCO BusinessEvents and TIBCO StreamBase
In a one-way SSL connection with enhanced authentication, the StreamBase proxy server sends an X.509 certificate to BusinessEvents (the client) for verification. The StreamBase server also verifies the supplied username and password against the credentials configured in the StreamBase server configuration file.
Procedure
Server Configurations
- Generate the required server and client certificates using the keytool utility (included in the Sun Java JDK) with the keystore and truststore parameters.
For example:
For the server:
keytool -genkeypair -dname "cn=localhost" -alias "serveruser" -keypass tibco2017 -keystore server.keystore -storepass tibco2017 -validity 3650
keytool -export -keystore server.keystore -alias "serveruser" -file server.cer -storepass tibco2017
For the client:
keytool -genkeypair -dname "cn=localhost" -alias "clientuser" -keypass tibco2017 -keystore client.keystore -storepass tibco2017 -validity 3650
keytool -export -keystore client.keystore -alias "clientuser" -file client.cer -storepass tibco2017
Import the client certificate into the server keystore:
keytool -import -alias "clientuser" -file client.cer -keystore server.keystore -keypass tibco2017 -storepass tibco2017
Import the server certificate into the client keystore:
keytool -import -alias "serveruser" -file server.cer -keystore client.keystore -keypass tibco2017 -storepass tibco2017
- Edit the sbd.sbconf file in TIBCO StreamBase Studio and add the <security> element to activate SSL authentication through the StreamBase proxy server.
For one-way SSL, set the require-client-authentication attribute of the <client-ssl-connections> element to false. For enhanced authentication, set the perform-authentication attribute of the <security> element to true. For more details on the <security> elements, refer to the TIBCO StreamBase Documentation. For example, add the following elements to the sbd.sbconf file:
<security>
  <ssl-authentication>
    <param name="keystore" value="F:/Users/Jayshri/541/SB_cert_new_20032017/server.keystore"/>
    <param name="keystore-password" value="tibco2017"/>
    <param name="key-password" value="tibco2017"/>
    <param name="enabled" value="true"/>
  </ssl-authentication>
  <client-ssl-connections>
    <!-- set to true for two-way SSL -->
    <param name="require-client-authentication" value="false"/>
  </client-ssl-connections>
  <param name="perform-authentication" value="true"/>
  <role name="adminrole">
    <param name="action" value="Administrate"/>
    <param name="action" value="Status"/>
    <param name="action" value="Enqueue default.NewDebit"/>
    <param name="action" value="Dequeue default.FraudDetected"/>
  </role>
  <user-data>
    <user>
      <param name="cn" value="cn=sbadmin"/>
      <param name="role" value="adminrole"/>
      <param name="role" value="StreamBaseSuperuser"/>
      <param name="password" value="secret"/>
    </user>
  </user-data>
</security>
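As an added check that is not part of the TIBCO documentation, the following Python script parses a <security> block like the one above and reports settings that would silently weaken this step: SSL authentication not enabled, perform-authentication left off, or a user whose cn or roles do not match what the client will send. The sample configuration is constructed from the page's example with a placeholder keystore path, and treating StreamBaseSuperuser as a predefined role is an assumption drawn from the page's own usage.

```python
import xml.etree.ElementTree as ET

# Constructed sample: a trimmed copy of the page's <security> block for one-way SSL with enhanced authentication.
SBCONF = """<security>
  <ssl-authentication>
    <param name="keystore" value="PATH/TO/server.keystore"/>
    <param name="enabled" value="true"/>
  </ssl-authentication>
  <client-ssl-connections>
    <param name="require-client-authentication" value="false"/>
  </client-ssl-connections>
  <param name="perform-authentication" value="true"/>
  <role name="adminrole"/>
  <user-data>
    <user>
      <param name="cn" value="cn=sbadmin"/>
      <param name="role" value="adminrole"/>
      <param name="role" value="StreamBaseSuperuser"/>
      <param name="password" value="secret"/>
    </user>
  </user-data>
</security>"""

def params(elem):
    """Map the <param name= value=> children of elem to {name: value} (last value wins)."""
    return {p.get("name"): p.get("value") for p in elem.findall("param")}

def audit_security(xml_text):
    """Return (ssl_mode, findings): the SSL mode the block configures and the settings that break the page's recipe."""
    root = ET.fromstring(xml_text)
    findings = []
    ssl = root.find("ssl-authentication")
    if ssl is None or params(ssl).get("enabled") != "true":
        findings.append("ssl-authentication missing or not enabled: the proxy cannot present its certificate")
    csc = root.find("client-ssl-connections")
    rca = params(csc).get("require-client-authentication") if csc is not None else None
    mode = "two-way" if rca == "true" else "one-way"
    if params(root).get("perform-authentication") != "true":
        findings.append("perform-authentication is not true: the username/password sent by BusinessEvents are not verified")
    # Roles a user may reference: those declared here plus StreamBaseSuperuser, which the page uses without declaring (assumed predefined).
    declared = {r.get("name") for r in root.findall("role")} | {"StreamBaseSuperuser"}
    for user in root.iter("user"):
        cn = params(user).get("cn", "")
        if not cn.startswith("cn="):
            findings.append(f"user {cn!r}: cn must use the cn=<name> form that BusinessEvents supplies as UserName")
        for role in (p.get("value") for p in user.findall("param") if p.get("name") == "role"):
            if role not in declared:
                findings.append(f"user {cn!r}: references undeclared role {role!r}")
    return mode, findings
```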
- Start the StreamBase server using the above sbd.sbconf file with the SSL configuration, from the workspace where the StreamBase project is located.
For example:
C:\TIBCO\sb-cep\7.6\bin64\sbd.exe BusinessEventsFraudDetection.sbapp -f sbd.sbconf
- Start the StreamBase proxy server with SSL from the workspace where the StreamBase project is located.
For example:
C:\TIBCO\sb-cep\7.6\bin\sbproxy.exe 14500 localhost 14000 -f sbd.sbconf
Client Configurations
- In the BusinessEvents application, create a StreamBase shared resource or use the StreamBase channel properties to specify the connection parameters.
  - Specify the StreamBase Server URI as sbs://localhost:14500.
  - Provide the username and password for the StreamBase server in the UserName and Password fields, respectively. For example, cn=sbadmin as UserName and secret as Password.
  - Provide the server truststore location and truststore password in the Trust Store File and Trust Store Password fields, respectively.
See Configuration for StreamBase Channels for details on StreamBase channel connection properties.
- Save the project and restart the BusinessEvents engine.
BusinessEvents is now securely connected to the StreamBase server.
Copyright © TIBCO Software Inc. All rights reserved.