Configuring SSL on the TIBCO Enterprise Message Service Server

To enable SSL, each instance of tibemsd must have a digital certificate and a private key. The server can optionally require a certificate chain or trusted certificate.

1. Go to the TIBCO_HOME\ems\version_number directory, and open the tibemsd.conf file with a text editor.
2. Set the server to listen to SSL connections from clients by using the listen parameter. For example: listen = ssl://7243.
   Note: This port number must be consistent with the SSL Connection Factory URL set in the factories.conf configuration file.
3. Set the ssl_server_identity, ssl_server_key, and ssl_password parameters to specify the digital certificate of the server, private key and the password for the private key.

   ssl_server_identity = C:\tibco\ems\8.2\samples\certs\server.cert.pem
   
   ssl_server_key = C:\tibco\ems\8.2\samples\certs\server.key.pem
   
   ssl_password = password
   
   ssl_server_trusted =C:\tibco\ems\8.2\samples\certs\client_root.cert.pem

   Note: Leave other parameters as defaults, and then restart the TIBCO Enterprise Message Service server after you configure the previous parameters.
4. On a command line, navigate to the TIBCO_HOME\ems\version_number directory.
5. Enter the tibemsd –config tibems.conf command or directly enter the tibemsd command on the command line to start SSL for the server.

[SSLQueueConnectionFactory]

type = queue

url = ssl://7243

ssl_verify_host = disabled

ssl_trusted = C:\tibco\ems\8.2\samples\certs\server_root.cert.pem

ssl_expected_hostname = server

ssl_identity = C:\tibco\ems\8.2\samples\certs\client_identity.p12

[SSLTopicConnectionFactory]

type = topic

url = ssl://7243

ssl_verify_host = disabled

ssl_trusted = C:\tibco\ems\8.2\samples\certs\server_root.cert.pem

ssl_expected_hostname = server

ssl_identity = C:\tibco\ems\8.2\samples\certs\client_identity.p12