Configuration of SSL Connections with EMS Servers

You can configure the Central Administration server to use SSL when connecting to EMS servers.

Note: The Central Administration server does not verify hostnames or hosts.

There are two supported configuration scenarios: when the EMS server requires an identity certificate from the Central Administration server, and when the EMS server does not require an identity. All EMS servers managed by Central Administration should use the same SSL configuration scenario.

The SSL scenario is determined by EMS server requirements. Depending on these requirements, further SSL settings are configured either through command line options when the Central Administration server is started, or by setting configuration parameters in the Central Administration configuration file:

  • SSL without Central Administration Identity

    The Central Administration server uses SSL to connect to the EMS server. This option is only available if EMS servers do not require an identity from connecting services.

    This SSL configuration is determined entirely by the EMS server. No options or parameters are set in the Central Administration server.

  • SSL with Central Administration Identity

    If the EMS server requires an identity, the Central Administration server can be configured to supply an identity certificate and certificate password.

    The syntax and use of these SSL configuration options are further documented in Central Administration Server Options:

    • Enable SSL using the --ems-ssl-identity command line option, or through the related setting in the Central Administration configuration file. This option sets the path to the identity certificate and private key that the Central Administration server uses when identifying itself to the EMS servers.
    • Provide the SSL password associated with the private key by setting the com.tibco.ems.ssl.password parameter. The command line option --ems-ssl-password is also available, but providing a password on the command line is not recommended and may pose a security risk. Use tibemsadmin -mangle to generate an obfuscated version before providing the password in either the configuration file or on the command line.

      If you do not provide the password using the parameter or flag, the Central Administration server requires the SSL decryption password when you log in. Note that this option is only available if JAAS is configured.

    • Specify an SSL policy using the --ssl-policy command line option, or through the related setting in the Central Administration configuration file. By default, the Central Administration server attempts to connect through any of the listens defined in the EMS server configuration, regardless of whether they are SSL connections or not. Alternatively, you can either "require" or "prefer" an SSL connection. If you require SSL, the server will not communicate with the EMS server through a non-SSL connection. If you prefer SSL, SSL connections are attempted first.
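The following audit sketch is an added example, not TIBCO code. It checks a Central Administration launch command and configuration text for the weak settings described above: a password passed with --ems-ssl-password, a password that has not been run through tibemsadmin -mangle, and an SSL policy other than "require". Assumptions: mangled values start with `$man$`, the configuration file uses key=value lines, and the executable name, paths and password values are constructed placeholders.

```python
import shlex

MANGLED_PREFIX = "$man$"  # assumption: prefix of `tibemsadmin -mangle` output
PASSWORD_PARAM = "com.tibco.ems.ssl.password"

def parse_options(cmdline):
    """Collect `--name value` and `--name=value` options from a launch command."""
    opts, tokens, i = {}, shlex.split(cmdline), 0
    while i < len(tokens):
        name, sep, value = tokens[i].partition("=")
        if name.startswith("--"):
            if not sep and i + 1 < len(tokens) and not tokens[i + 1].startswith("--"):
                i += 1
                value = tokens[i]
            opts[name] = value
        i += 1
    return opts

def parse_properties(text):
    """Parse key=value lines; the properties-style layout is an assumption."""
    props = {}
    for line in text.splitlines():
        line = line.strip()
        if line and not line.startswith(("#", "!")):
            key, _, value = line.partition("=")
            props[key.strip()] = value.strip()
    return props

def audit(cmdline, config_text=""):
    """Return findings for the weak settings the page warns about."""
    opts, props = parse_options(cmdline), parse_properties(config_text)
    findings = []
    if "--ems-ssl-password" in opts:
        findings.append("password-on-command-line")
    for source, value in (("--ems-ssl-password", opts.get("--ems-ssl-password")),
                          (PASSWORD_PARAM, props.get(PASSWORD_PARAM))):
        if value and not value.startswith(MANGLED_PREFIX):
            findings.append("unmangled-password:" + source)
    # Only the command line is checked for the policy: the page does not name
    # the configuration-file setting, so none is guessed here.
    if opts.get("--ssl-policy") != "require":
        findings.append("ssl-not-required-on-command-line")
    return findings

# Constructed samples; "central-admin-server" is a placeholder executable name.
WEAK = "central-admin-server --ems-ssl-identity /opt/certs/ca.p12 --ems-ssl-password s3cret --ssl-policy prefer"
HARDENED = "central-admin-server --ems-ssl-identity /opt/certs/ca.p12 --ssl-policy=require"
HARDENED_CONFIG = "# constructed sample\ncom.tibco.ems.ssl.password=$man$CONSTRUCTED-VALUE\n"

if __name__ == "__main__":
    print(audit(WEAK))
    print(audit(HARDENED, HARDENED_CONFIG))
```

If the SSL policy is set in the configuration file rather than on the command line, the last finding must be confirmed against that file by hand.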

For more information on using SSL in TIBCO Enterprise Message Service, see "Using the SSL Protocol" in the TIBCO Enterprise Message Service User’s Guide.