Copyright © TIBCO Software Inc. All Rights Reserved
When client authentication with a digital certificate is required by the EMS server (see the description of the ssl_require_client_cert parameter in tibemsd.conf), the client may combine its client certificate and private key in a single file in one of the following formats:
•
•
• A preconfigured connection factory is the preferred mechanism in many situations. See Creating Connection Factories for Secure Connections and Performing Secure Lookups for details on how to create a connection factory with SSL parameters in EMS.
• Dynamically create a connection factory, as described in Dynamically Creating Connection Factories, and set the SSL parameters locally (overriding the global ones) using the TibjmsSSL class (Java), the tibemsSSLParams type (C), or the EMSSSL class (C#).

Specifying any SSL parameters within a connection factory causes all global SSL parameters set with the TibjmsSSL class to be ignored.

You can configure a connection factory using the administration tool or the EMS Administration APIs. See Chapter 6, Using the EMS Administration Tool.

When configuring a connection factory, you can specify several SSL parameters, similar to the server parameters that you can configure in tibemsd.conf.
Because connection factories do not contain the ssl_password (for security reasons), the EMS server uses the password that is provided in the "create connection" call for user authentication. If the create connection password is different from the ssl_password, the connection creation will fail.

Table 84 briefly describes the parameters you can set in a connection factory, and refers to additional information about each parameter. For more information about each parameter, see the description of the equivalent parameter in tibemsd.conf on page 189.
Table 84 ConnectionFactory SSL parameters

| Parameter | Description |
| --- | --- |
| ssl_issuer | Specified once per certificate in the issuer chain, for example: `ssl_issuer = certs\CA_root.pem`, `ssl_issuer = certs\CA_child1.pem`, `ssl_issuer = certs\CA_child2.pem` |
| ssl_private_key | The client's private key. If the key is included in the digital certificate in ssl_identity, then you may omit this parameter. |
| ssl_verify_host | Specifies whether the client should verify the server's certificate. The values for this parameter are enabled or disabled. By default, this parameter is enabled, signifying the client should verify the server's certificate. When disabled, the client establishes secure communication with the server, but does not verify the server's identity. |
| ssl_verify_hostname | Specifies whether the client should verify the name in the CN field of the server's certificate. The values for this parameter are enabled and disabled. By default, this parameter is enabled, signifying the client should verify the name of the connected host or the name specified in the ssl_expected_hostname parameter against the value in the server's certificate. If the names do not match, the client rejects the connection. When disabled, the client establishes secure communication with the server, but does not verify the server's name. |
| ssl_auth_only | When enabled, the client requests SSL be used only for authentication. The server then uses TCP communications for further data exchange. When disabled or absent, all communication between the client and server must be SSL encrypted. |
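The settings in Table 84 decide how much protection the factory actually gives: a disabled ssl_verify_host or ssl_verify_hostname lets the client talk to a server it has not identified, and ssl_auth_only confines SSL to the handshake and sends the message data over plain TCP. The following Python script is an added example, not TIBCO's code or part of this documentation. It parses a constructed factories.conf-style fragment (the bracketed-name, `key = value` layout and the sample factory names, paths and host names are assumptions made for the example; repeated keys such as ssl_issuer accumulate into a list) and reports each factory whose SSL parameters fall short of the defaults described above, including an ssl_password stored in the factory, which the text says a factory should not carry.

```python
"""Audit the SSL parameters of EMS connection-factory definitions.

Added example, not TIBCO's code. It assumes a factories.conf-style layout
(an assumption): a bracketed factory name followed by `key = value` lines,
where a key such as ssl_issuer may repeat once per certificate.
"""
from collections import defaultdict

# Constructed sample: one factory with sound settings, one with weak ones.
# Factory names, paths and host names are invented for the example.
SAMPLE_FACTORIES = """\
[SecureQueueFactory]
type = queue
url = ssl://ems.example.internal:7243
ssl_identity = certs/client.p12
ssl_issuer = certs/CA_root.pem
ssl_issuer = certs/CA_child1.pem
ssl_verify_host = enabled
ssl_verify_hostname = enabled
ssl_expected_hostname = ems.example.internal

[LaxQueueFactory]
type = queue
url = ssl://ems.example.internal:7243
ssl_identity = certs/client.pem
ssl_private_key = certs/client.key
ssl_verify_host = disabled
ssl_auth_only = enabled
"""


def parse_factories(text):
    """Return {factory name: {key: [values...]}}; repeated keys accumulate."""
    factories = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1].strip()
            factories[current] = defaultdict(list)
            continue
        if current is None or "=" not in line:
            continue  # stray line outside any factory, or not key = value
        key, _, value = line.partition("=")
        factories[current][key.strip()].append(value.strip())
    return {name: dict(props) for name, props in factories.items()}


def effective(props, key, default):
    """Last value wins for single-valued keys; compared case-insensitively."""
    values = props.get(key)
    return values[-1].lower() if values else default


def audit_factory(props):
    """Return a list of findings; an empty list means no weak SSL setting."""
    findings = []
    url = props.get("url", [""])[-1]
    if not url.startswith("ssl://"):
        return ["url does not use ssl://; SSL parameters have no effect"]
    # Defaults follow Table 84: verification enabled, auth-only disabled.
    if effective(props, "ssl_verify_host", "enabled") != "enabled":
        findings.append("ssl_verify_host disabled: the server's certificate "
                        "is not verified, so the server's identity is unknown")
    elif effective(props, "ssl_verify_hostname", "enabled") != "enabled":
        findings.append("ssl_verify_hostname disabled: the certificate is "
                        "checked but not tied to the connected host's name")
    if effective(props, "ssl_auth_only", "disabled") == "enabled":
        findings.append("ssl_auth_only enabled: SSL covers authentication "
                        "only; message data then travels over plain TCP")
    if "ssl_password" in props:
        findings.append("ssl_password stored in the factory; the server "
                        "takes the password from the create-connection call")
    return findings


def audit_all(text):
    """Map each factory name in the text to its list of findings."""
    return {name: audit_factory(props)
            for name, props in parse_factories(text).items()}


if __name__ == "__main__":
    for name, findings in audit_all(SAMPLE_FACTORIES).items():
        print(name, "OK" if not findings else "")
        for finding in findings:
            print("  -", finding)
```

Running the script lists SecureQueueFactory as clean and reports two findings for LaxQueueFactory. The parser keeps every value of a repeated key so that a multi-certificate ssl_issuer chain survives; for single-valued keys the last occurrence wins, which mirrors how a later line in a configuration file usually overrides an earlier one.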