Copyright © TIBCO Software Inc. All Rights Reserved


Chapter 7 Using the Configuration Files : tibemsd.conf

tibemsd.conf
The main configuration file controls the characteristics of the EMS server. This file is usually named tibemsd.conf, but you can specify another file name when starting the server. You can find more information about starting the server in Running the EMS Server.
An example of the tibemsd.conf file is included in the config-file-directory/cfmgmt/ems/data/ directory, where config-file-directory is specified during TIBCO Enterprise Message Service installation. You can edit this configuration file with a text editor. There are a few configuration items in this file that can be altered using the administration tool, but most configuration parameters must be set by editing the file (that is, the server does not accept changes to those parameters). See Chapter 6, Using the EMS Administration Tool for more information about using the administration tool.
Several parameters accept boolean values. In the description of the parameter, one specific set of values is given (for example, enable and disable), but all parameters that accept booleans can have the following values:
enable, enabled, true, yes, on
disable, disabled, false, no, off
Parameters that take multiple elements cannot contain spaces between the elements, unless the elements are enclosed in starting and ending double quotes. Each parameter line is limited to 256,000 characters.
The following table summarizes the parameters in tibemsd.conf according to category. The sections that follow provide more detail on each parameter.
Overrides ssl_require_client_cert to restrict requiring digital certificates to SSL connections only from routes.
Global System Parameters
authorization
authorization = enabled | disabled
Enable or disable server authorization.
Authorization is disabled by default. If you require that the server verify user credentials and permissions on secure destinations, you must enable this parameter.
See Enabling Access Control for more information.
For example:
authorization = enabled
See Chapter 8, Authentication and Permissions for more information about these parameters.
compliant_queue_ack
compliant_queue_ack = enable | disable
Guarantees that, once a client successfully acknowledges a message received from a routed queue, the message will not be redelivered. This is accomplished by the EMS server waiting until the message has been successfully acknowledged by the queue’s home EMS server before sending the response to the client.
The compliant_queue_ack parameter is enabled by default. Because of the extra overhead incurred with compliant queue acknowledgments, you can disable this feature when performance is an issue. If compliant queue acknowledgement is disabled and a message is redelivered, the message’s JMSRedelivered indicator will be set.
disconnect_non_acking_consumers
disconnect_non_acking_consumers = enabled | disabled
This parameter works in conjunction with the maxbytes and maxmsgs destination properties. In situations where consumers consume messages but do not acknowledge them, the messages are held in the server until they are confirmed. This can push the server above the set limits.
When enabled, disconnect_non_acking_consumers causes the server to check the number and size of pending messages sent to a consumer. If the maxbytes or maxmsgs limit is reached and the consumer has not acknowledged its messages, the server discards the messages sent to the consumer and disconnects the consumer’s connection. This protects the server against applications that consume messages without ever acknowledging them.
Before enabling this property, ensure that the maxbytes and maxmsgs limits are set with reference to the prefetch setting, the size of the transaction (if transacted receive), or number of messages acknowledged when using client or explicit client acknowledgment mode. Otherwise the server may disconnect the consumer before it has a chance to acknowledge the messages.
When routes are deployed, all routed servers should use the same disconnect_non_acking_consumers setting. Additionally, if maxbytes or maxmsgs is set for a global destination, the same setting should be applied on all servers. The server does not discard or disconnect a routed consumer, since disconnecting the route may impact other well-behaved applications. Each server discards messages for and disconnects its own local consumers; the other servers involved are made aware of this and discard messages for those remote consumers accordingly.
This parameter is disabled by default.
flow_control
flow_control = enable | disable
Specifies whether flow control for destinations is enabled or disabled.
By default, flow control is disabled. When flow control is enabled, the flowControl property on each destination specifies the target maximum storage for pending messages on the destination.
See Flow Control for more information about flow control.
flow_control_only_with_active_consumer
flow_control_only_with_active_consumer = enable | disable
Restores the flow control behavior that was enforced before release 8.4. This property and the corresponding behavior are deprecated and will be removed in a future release.
By default, this parameter is disabled. For more information, see Flow Control in the Absence of Consumers.
listen
listen=protocol://servername:port
Specifies the port on which the server is to listen for connections from clients.
For example:
listen=tcp://localhost:7222
If you are enabling SSL, for example:
listen=ssl://localhost:7222
You can use multiple listen entries if you have computers with multiple interfaces. For example:
listen=tcp://localhost:7222
listen=tcp://localhost:7224
If localhost is specified, or if the servername is not present, then the server uses every available interface. For example:
listen=tcp://7222
listen=ssl://7243
You can use an IP address instead of a host name. For example:
listen=tcp://192.168.10.107:7222
When specifying an IPv6 address, use square brackets around the address specification. For example:
listen=tcp://[2001:cafe::107]:7222
max_msg_field_print_size
max_msg_field_print_size = size [KB|MB|GB]
Limits the size of string fields in tracing messages. If a string field is larger than size, the field is truncated in the tracing message.
Specify signed 32-bit integer values as KB, MB or GB. The minimum permitted size is 1 KB. By default, the field limit is 1 KB.
max_msg_print_size
max_msg_print_size = size [KB|MB|GB]
Limits the size of the printed message of traced messages. If the message is larger than size, the message is truncated.
Specify signed 32-bit integer values as KB, MB or GB. The minimum permitted size is 8 KB. By default, the field limit is 8 KB.
module_path
module_path = shared-library-directory
where shared-library-directory is the absolute path to the directory containing any library the server is dependent on. This may include TIBCO FTL, Rendezvous, or SmartSockets libraries, as well as OpenSSL or the JVM.
You can specify multiple directories (for example, to load both TIBCO FTL and Rendezvous libraries). Separate paths using a colon (:) on UNIX platforms, or semicolon (;) on Windows platforms.
For example:
module_path = c:\tibco\ss\bin\i86_w32\amd64
 
When deploying EMS 8.3.0 and 8.4.0 transports for older versions of TIBCO FTL or Rendezvous, you must configure the module_path parameter to include the path to the EMS libraries before the FTL and Rendezvous libraries. This is the case when working with transports for:
The module_path parameter is also used on AIX platform installations to load the IBM JVM. Specify the directories containing the libjvm.so and its dependent libraries.
network_thread_count
network_thread_count threads
Specifies the number of network threads used by the EMS server.
The threads count can be any positive integer. The default value is 1.
When set, this parameter allows the EMS server to control the number of threads while still allowing the system administrator to control the thread affinity externally (for example, by using the Linux taskset command).
If you intend to set the thread affinity externally, we recommend that you avoid setting any thread affinity in the EMS server for either network traffic or stores.
The EMS server ignores this parameter if the processor_ids parameter is also specified.
npsend_check_mode
npsend_check_mode = [always | never | temp_dest | auth | temp_auth]
Specifies when the server is to provide confirmation upon receiving a NON_PERSISTENT message from a producer.
The npsend_check_mode parameter applies only to producers sending messages using NON_PERSISTENT delivery mode and non-transactional sessions.
Message confirmation has a great deal of impact on performance and should only be enabled when necessary. The circumstances in which a producer might want the server to send confirmation of a NON_PERSISTENT message are:
When authorization is enabled, so the producer can take action if permission to send the message is denied by the server.
The possible npsend_check_mode parameter modes are:
default (no mode specified) - this means the server only provides confirmation of a NON_PERSISTENT message if authorization is enabled.
always - the server always provides confirmation of a NON_PERSISTENT message.
never - the server never provides confirmation of NON_PERSISTENT messages.
temp_dest - the server provides confirmation of a NON_PERSISTENT message only when sending to a temporary destination.
auth - the server provides confirmation of a NON_PERSISTENT message only if authorization was enabled when the connection was created.
temp_auth - the server provides confirmation of a NON_PERSISTENT message if sending to a temporary destination or if authorization was enabled when the connection was created.
password
password = password
The password used when connecting to another EMS server that has authorization enabled.
For information on authorization between routed servers, see Routing and Authorization.
For information on authorization between fault tolerant server pairs, see Authorization and Fault-Tolerant Servers.
processor_ids
processor_ids = processor-id1,processor-id2,...
Setting this parameter causes the EMS Server to start as many network I/O threads as there are processor IDs specified in the list. Each network I/O thread is bound to the given processor ID, which means that the thread can execute only on that processor.
Specify the processor-id as an integer. Ask your system administrator for the valid processor IDs on the EMS Server host. Note that the IDs can be listed in any order. List IDs in a comma-separated list, with no spaces separating list items. For example:
processor_ids = 0,1,3,6
On startup, the parameter is parsed and the server refuses to start (regardless of the presence of the startup_abort_list parameter) if:
1.
2. The server is unable to bind a network I/O thread to a given processor ID. This can happen when the processor ID has been disabled, or the tibemsd process has been restricted by the system administrator to a set of processors that does not contain this processor ID. Additionally, the server cannot correctly bind the network I/O thread to the processor ID if spaces are included in the parameter definition.
 
This parameter can be used in conjunction with the stores.conf parameter processor_id. For more information, see Performance Tuning.
routing
routing = enabled | disabled
Enables or disables routing functionality for this server.
For example:
routing = enabled
See Chapter 20, Working With Routes for more information about routing.
selector_logical_operator_limit
selector_logical_operator_limit = number
Limit the number of operators that the server reviews during selector evaluation.
The server evaluates operators until reaching the specified number of false conditions. The server then stops evaluating further to protect itself from too many recursive evaluations. A very long selector clause, such as one including many OR conditions, can cause recursive selector evaluation and lead to a stack overflow in the EMS server.
number may be any positive integer. The default value is 5000. Zero is a special value, indicating no limit.
For example, if selector_logical_operator_limit = 10 and the selector is:
a=1 or b=2 or c=3 or d=4 or e=5 or f=6 or g=7 or h=8 or i=9 or j=10 or k=11 or l=12 or m=13 or n=14 or o=15 or p=16 or q=17 or r=18 or s=19 or t=20 or u=21 or v=22 or w=23 or x=24 or y=25 or z=26
if the first 10 conditions are false, the server stops further evaluation.
server
server = serverName
Name of server.
Server names are limited to at most 64 characters, and may not include the dot character (.).
startup_abort_list
startup_abort_list=[SSL,TRANSPORTS,CONFIG_FILES,CONFIG_ERRORS,DB_FILES]
Specifies conditions that cause the server to exit during its initialization sequence.
You may specify any subset of the conditions in a comma-separated list. The list cannot contain spaces between the elements, unless the elements are enclosed in starting and ending double quotes. If a space is included but not enclosed in quotation marks, the server ignores any conditions following the space.
Conditions that do not appear in the list are ignored by the server. The default is an empty list.
The conditions are:
SSL—If SSL initialization fails, then it exits.
TRANSPORTS—If any of the transports cannot be created as specified in the configuration files, then it exits.
CONFIG_FILES—If any configuration file listed in tibemsd.conf does not exist, then it exits.
CONFIG_ERRORS—If the server detects any errors while reading the config files, then it exits.
Note that the tibemsd silently ignores any unknown parameters when it is started using the JSON configuration. For example, no configuration errors are thrown if the tibemsd.json file contains an obsolete parameter.
DB_FILES—If the server cannot find one or more of its stores, then it exits. Stores include the default store files as well as any file or database stores configured in the stores.conf configuration file.
Note that if DB_FILES is not included in the startup_abort_list and the server cannot find a store, the server will create the missing file or database. For best results, do not include DB_FILES the first time a server is started, allowing it to create the files. After initial startup or a major store configuration change (such as the addition of a new store), include DB_FILES in the list so that on restart the server will only start if all the configured files are present.
 
user_auth
user_auth = [local, ldap, jaas]
Specifies the source of user authentication information.
This parameter can have one or more of the following values (separated by comma characters):
local—obtain user authentication information from the local EMS server user configuration.
ldap—obtain user authentication information from an LDAP directory server (see the LDAP-specific configuration parameters).
jaas—obtain user authentication information from a custom authentication module (see Extensible Authentication and Chapter 10, JAAS Authentication Modules).
Each time a user attempts to authenticate, the server seeks corresponding authentication information from each of the specified locations in the order that this parameter specifies. The EMS server accepts successful authentication using any of the specified sources.
The user_auth setting does not affect authentication of the default administrator. The server always authenticates the admin user from the local configuration file. See Assign a Password to the Administrator for more information.
xa_default_timeout
xa_default_timeout = seconds
Specifies the default TX timeout, in seconds, for XA transactions. The default is 0, which specifies no timeout.
The default timeout setting cannot be changed dynamically. However, you can specify a different transaction timeout for each individual XA resource using the API.
always_exit_on_disk_error
always_exit_on_disk_error = enable | disable
Enable or disable the server behavior to exit on any disk error. Defaults to disable.
Storage File Parameters
The parameter described here configures file-based and mstores. For information about database stores, see Chapter 11, Using Database Stores.
store
store = directory
Directory in which the server stores data files. For example:
store = /usr/tmp
Connection and Memory Parameters
destination_backlog_swapout
destination_backlog_swapout = number
Specifies the number of messages that may be stored in the server's memory before message swapping is enabled. The limit given is for each destination. For example, if the limit is 10,000 and you have three queues, the server can store up to 30,000 unswapped messages in memory.
The specified number may be any positive value. When destination_backlog_swapout is 0, the server attempts to immediately swap out the message.
By default, the limit for each destination is 1024 messages.
handshake_timeout
handshake_timeout = seconds
The amount of time that the EMS server waits for a connection to complete depends on the server_timeout_server_connection and server_timeout_client_connection properties.
If either is specified, the connection handshake times out only after the duration mentioned in one of these properties. If both are specified, the largest of the two values is used. If neither is specified, you can set the period (in seconds) using handshake_timeout. The period specified must be a positive integer. If absent, the timeout defaults to 3 seconds. When the timeout is reached, the EMS server closes the connection and continues handling other clients.
large_destination_count
large_destination_count = number
Specifies the number of messages that an unbounded destination (a destination without either of its maxbytes or maxmsgs properties set) can gather before the server starts logging warnings about that destination’s message count. By default, large_destination_count is not set and the server establishes its own message count threshold. It can be set dynamically. Zero is a special value that disables the logging of the corresponding warning.
large_destination_memory
large_destination_memory = size [KB|MB|GB]
Specifies the size in memory that an unbounded destination (a destination without either of its maxbytes or maxmsgs properties set) can grow to before the server starts logging warnings about that destination’s size. By default, large_destination_memory is not set and the server establishes its own size threshold. It can be set dynamically. Zero is a special value that disables the logging of the corresponding warning.
max_client_msg_size
max_client_msg_size = size [KB|MB|GB]
Maximum size allowed for an incoming message.
This parameter setting instructs the server to reject incoming messages that are larger than the specified size limit.
Specify whole numbers as KB, MB or GB. The maximum value is 2 GB.
When omitted or zero, the EMS server accepts and attempts to process messages of any size.
max_connections
max_connections = number
Maximum number of simultaneous client connections.
Set to 0 to allow unlimited simultaneous connections.
max_msg_memory
max_msg_memory = size [KB|MB|GB]
Maximum memory the server can use for messages.
This parameter lets you limit the memory that the server uses for messages, so server memory usage cannot grow beyond the system’s memory capacity.
When msg_swapping is enabled, and messages overflow this limit, the server begins to swap messages from process memory to disk. Swapping allows the server to free process memory for incoming messages, and to process message volume in excess of this limit.
When the server swaps a message to disk, a small record of the swapped message remains in memory. If all messages are swapped out to disk, and their remains still exceed this memory limit, then the server has no room for new incoming messages. The server stops accepting new messages, and send calls in message producers result in an error. (This situation probably indicates either a very low value for this parameter, or a very high message volume.)
Specify units as KB, MB or GB. The minimum value is 8 MB. The default value of 0 (zero) indicates no limit.
For example:
max_msg_memory = 512MB
msg_pool_block_size
msg_pool_block_size size
 
To lessen the overhead costs associated with malloc and free, the server pre-allocates pools of storage for messages. This parameter determines the behavior of these pools. Performance varies depending on operating system platform and usage patterns.
The size argument determines the approximate number of internal message structs that a block or pool can accommodate (not the number of bytes).
msg_pool_block_size instructs the server to allocate an expandable pool. Each time the server exhausts the pool, the server increases the pool by this size, as long as additional storage is available. The value may be in the range 32 to 65536.
When this parameter is not present, the default is msg_pool_block_size 128.
msg_swapping
msg_swapping = enable | disable
This parameter enables and disables the message swapping feature (described above for max_msg_memory).
The default value is enabled, unless you explicitly set it to disabled.
reserve_memory
reserve_memory = size
When reserve_memory is non-zero, the EMS server allocates a block of memory for use in emergency situations to prevent the EMS server from being unstable in low memory situations. When the server process exhausts memory resources, it disables clients and routes from producing new messages, and frees this block of memory to allow consumers to continue operation (which tends to free memory).
The EMS server attempts to reallocate its reserve memory once the number of pending messages in the server has dropped to 10% of the number of pending messages that were in the server when it experienced the allocation error. If the server successfully reallocates memory, it begins accepting new messages.
The reserve_memory parameter only triggers when the EMS server has run out of memory and therefore is a reactive mechanism. The appropriate administrative action when an EMS server has triggered release of reserve memory is to drain the majority of the messages by consuming them and then to stop and restart the EMS server. This allows the operating system to reclaim all the virtual memory resources that have been consumed by the EMS server. A trace option, MEMORY, is also available to help show what the server is doing during the period when it is not accepting messages.
Specify size in units of MB. When non-zero, the minimum block is 16MB. When absent, the default is zero.
 
socket_send_buffer_size
socket_send_buffer_size = size [KB|MB|GB]
Sets the size (in bytes) of the send buffer used by clients when connecting to the EMS server.
The specified size may be:
0   to use the default buffer size
-1   to skip the call for the specified buffer
Optionally, specify units of KB, MB, or GB. If no units are specified, the size is assumed to be in bytes.
When omitted, the server skips the call for the specified buffer. In this case, the operating system's auto-tuning controls buffering.
socket_receive_buffer_size
socket_receive_buffer_size = size [KB|MB|GB]
Sets the size (in bytes) of the receive buffer used by clients when connecting to the EMS server.
The specified size may be:
0   to use the default buffer size
-1   to skip the call for the specified buffer
Optionally, specify units of KB, MB, or GB. If no units are specified, the size is assumed to be in bytes.
When omitted, the server skips the call for the specified buffer. In this case, the operating system's auto-tuning controls buffering.
Detecting Network Connection Failure Parameters
This feature lets servers and clients detect network connection failures quickly. When these parameters are absent, or this feature is disabled, tibemsd closes a connection only upon the operating system notification.
active_route_connect_time
active_route_connect_time = interval
Specifies the interval (in seconds) at which an EMS server attempts to connect or reconnect a route to another server. The default is 2 seconds.
client_heartbeat_server
client_heartbeat_server = interval
In a server-to-client connection, clients send heartbeats to the server at this interval (in seconds).
The client_heartbeat_server parameter must be specified when a server_timeout_client_connection is set. The client_heartbeat_server interval should be no greater than one third of the server_timeout_client_connection limit.
This setting also ensures that garbage collection occurs on the connection. Collection is triggered by incoming messages and heartbeats. If the size of messages can vary widely or there is not a steady stream of message traffic, you can use this parameter to ensure that collection occurs.
When omitted or zero, client_heartbeat_server is disabled.
clock_sync_interval
clock_sync_interval = seconds
Periodically sends the EMS server’s Coordinated Universal Time (UTC) to clients. This allows EMS clients to update their offset.
The time specified, in seconds, determines the interval at which clock sync commands are sent from the server to its clients.
When omitted or zero, the EMS server sends the offset time only when the EMS client connects to the server. If clock_sync_interval is -1, the offset is never sent, not even on connect. Clients do not adjust their time values to match the server time.
server_timeout_client_connection
server_timeout_client_connection = limit
In a server-to-client connection, if the server does not receive a heartbeat for a period exceeding this limit (in seconds), it closes the connection.
We recommend setting this value to approximately 3 times the heartbeat interval, as it is specified in client_heartbeat_server.
If you do not set the client_heartbeat_server parameter when a server_timeout_client_connection is specified, a configuration error is generated during startup. If CONFIG_ERRORS is part of the startup_abort_list, the server will not start. If not, the error is printed but the server starts, and clients will be disconnected after server_timeout_client_connection seconds.
Zero is a special value, which disables heartbeat detection in the server (although clients still send heartbeats).
server_heartbeat_server
server_heartbeat_server = interval
In a server-to-server connection, this server sends heartbeats at this interval (in seconds). The two servers can be connected either by a route, or as a fault-tolerant pair.
server_timeout_server_connection
server_timeout_server_connection = limit
In a server-to-server connection, if this server does not receive a heartbeat for a period exceeding this limit (in seconds), it closes the connection. This parameter applies to connections from other routes and to the standby server connection.
We recommend setting this value to approximately 3.5 times the heartbeat interval of the other server. When the other server or the network are heavily loaded, or when client programs send very large messages, we recommend a larger multiple.
 
In a fault-tolerant configuration, the server_timeout_server_connection parameter has no effect on the standby server following a failover. The standby server activates only after the timeout set by the ft_activation parameter.
server_heartbeat_client
server_heartbeat_client = interval
In a server-to-client connection, the server sends heartbeats to all clients at this interval (in seconds).
When omitted or zero, the default is 5 seconds.
client_timeout_server_connection
client_timeout_server_connection = limit
In a server-to-client connection, if a client does not receive a heartbeat for a period exceeding this limit (in seconds), it closes the connection.
We recommend setting this value to approximately 3.5 times the heartbeat interval.
Zero is a special value, which disables heartbeat detection in the client (although the server still sends heartbeats).
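The heartbeat and timeout rules in this section, together with the handshake_timeout precedence described earlier, written out as a checker. This is an added example, not TIBCO code; the function names, severity labels and the dictionary-of-integers input are assumptions made for illustration.

```python
def effective_handshake_timeout(cfg):
    """Seconds the server waits for a connection handshake to complete.

    Per the handshake_timeout description: if either server_timeout_* property
    is specified it replaces handshake_timeout, the larger of the two wins, and
    with nothing specified the default is 3 seconds. "Specified" is modelled
    here as "key present in cfg" (assumption).
    """
    specified = [cfg[k] for k in ("server_timeout_server_connection",
                                  "server_timeout_client_connection") if k in cfg]
    if specified:
        return max(specified)
    return cfg.get("handshake_timeout", 3)


def heartbeat_findings(cfg, startup_abort_list=()):
    """Return (severity, message) tuples for the server-to-client heartbeat settings."""
    out = []

    # Server side: server_timeout_client_connection needs client_heartbeat_server.
    timeout = cfg.get("server_timeout_client_connection", 0)
    beat = cfg.get("client_heartbeat_server", 0)  # omitted or zero means disabled
    if timeout and not beat:
        if "CONFIG_ERRORS" in startup_abort_list:
            out.append(("fatal", "client_heartbeat_server missing: server will not start"))
        else:
            out.append(("error", "client_heartbeat_server missing: error is printed and "
                                 f"clients are disconnected after {timeout}s"))
    elif timeout and beat * 3 > timeout:
        out.append(("warn", f"client_heartbeat_server={beat}s is more than one third of "
                            f"server_timeout_client_connection={timeout}s; "
                            f"use {timeout // 3}s or less"))

    # Client side: the timeout is recommended at about 3.5 times the server's interval.
    c_timeout = cfg.get("client_timeout_server_connection", 0)  # zero disables detection
    s_beat = cfg.get("server_heartbeat_client", 0) or 5         # omitted or zero means 5s
    if c_timeout and c_timeout < 3.5 * s_beat:
        out.append(("warn", f"client_timeout_server_connection={c_timeout}s is below "
                            f"3.5 x server_heartbeat_client ({3.5 * s_beat:g}s)"))
    return out


if __name__ == "__main__":
    # Constructed settings, not taken from a real deployment.
    cfg = {"handshake_timeout": 10,
           "server_timeout_client_connection": 30,
           "client_timeout_server_connection": 10}
    print("handshake wait:", effective_handshake_timeout(cfg), "seconds")
    for severity, message in heartbeat_findings(cfg, ["SSL", "CONFIG_ERRORS"]):
        print(severity, message)
```
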
Fault Tolerance Parameters
See Chapter 19, Fault Tolerance for more information about these parameters.
The fault tolerance parameters that begin with the prefix ft_ssl are used to secure communications between pairs of fault tolerant servers. See SSL for additional information about this process.
ft_active
ft_active = URL
Specifies the URL of the active server. If this server can connect to the active server, it will act as a standby server. If this server cannot connect to the active server, it will become the active server.
ft_heartbeat
ft_heartbeat = seconds
Specifies the interval (in seconds) the server is to send a heartbeat signal to its peer to indicate that it is still operating. Default is 3 seconds.
ft_activation
ft_activation = seconds
Activation interval (maximum length of time between heartbeat signals) which indicates that the server has failed. Set in seconds: default is 10. This interval should be set to at least twice the heartbeat interval.
For example:
ft_activation = 60
See the server_timeout_server_connection parameter for more information on heartbeats.
ft_reconnect_timeout
ft_reconnect_timeout = seconds
The amount of time (in seconds) that a standby server waits for clients to reconnect (after it becomes the active server in a failover situation). If a client does not reconnect within this time period, the server removes its state from the shared state files. The ft_reconnect_timeout time starts once the server has fully recovered the shared state, so this value does not account for the time it takes to recover the store files.
The default value of this parameter is 60.
ft_ssl_identity
ft_ssl_identity = pathname
The path to a file that contains the certificate in one of the supported formats. The supported formats are PEM, DER, or PKCS#12.
See File Names for Certificates and Keys for more information on file types for digital certificates.
ft_ssl_issuer
ft_ssl_issuer = chain_member
Certificate chain member for the server. Supply the entire chain, including the CA root certificate. The server reads the certificates in the chain in the order they are presented in this parameter.
The certificates must be in PEM, DER, PKCS#7, or PKCS#12 format. See File Names for Certificates and Keys for more information on file types for digital certificates.
ft_ssl_private_key
ft_ssl_private_key = key
The server’s private key. If it is included in the digital certificate in ft_ssl_identity, then this parameter is not needed.
This parameter supports private keys in the following formats: PEM, DER, PKCS#12.
You can specify the actual key in this parameter, or you can specify a path to a file that contains the key. See File Names for Certificates and Keys for more information on file types for digital certificates.
ft_ssl_password
ft_ssl_password = password
Private key or password for private keys.
You can set passwords by way of the tibemsadmin tool. When passwords are set with this tool, the password is obfuscated in the configuration file. See Chapter 6, Using the EMS Administration Tool for more information about using tibemsadmin to set passwords.
ft_ssl_trusted
ft_ssl_trusted = trusted_certificates
List of trusted certificates. This sets which Certificate Authority certificates should be trusted as issuers of the client certificates.
The certificates must be in PEM, DER, or PKCS#7 format. You can either provide the actual certificates, or you can specify a path to a file containing the certificate chain.
See File Names for Certificates and Keys for more information on file types for digital certificates.
ft_ssl_rand_egd
ft_ssl_rand_egd = pathname
The path for the installed entropy gathering daemon (EGD), if one is installed. This daemon is used to generate random numbers for the EMS server.
ft_ssl_verify_host
ft_ssl_verify_host = enabled | disabled
Specifies whether the fault-tolerant server should verify the other server’s certificate. The values for this parameter are enabled or disabled. By default, this parameter is enabled, signifying the server should verify the other server’s certificate.
When this parameter is set to disabled, the server establishes secure communication with the other fault-tolerant server, but does not verify the server’s identity.
ft_ssl_verify_hostname
ft_ssl_verify_hostname = enabled | disabled
Specifies whether the fault-tolerant server should verify the name in the CN field of the other server’s certificate. The values for this parameter are enabled and disabled. By default, this parameter is enabled, signifying the fault-tolerant server should verify the name of the connected host or the name specified in the ft_ssl_expected_hostname parameter against the value in the server’s certificate. If the names do not match, the connection is rejected.
When this parameter is set to disabled, the fault-tolerant server establishes secure communication with the other server, but does not verify the server’s name.
ft_ssl_expected_hostname
ft_ssl_expected_hostname = serverName
Specifies the name the server is expected to have in the CN field of the fault-tolerant server’s certificate. If this parameter is not set, the expected name is the hostname of the server.
This parameter is used when the ft_ssl_verify_hostname parameter is set to enabled.
ft_ssl_ciphers
ft_ssl_ciphers = cipherSuite
Specifies the cipher suites used by the server; each suite in the list is separated by a colon (:). This parameter can use the OpenSSL name for cipher suites or the longer, more descriptive names.
See Specifying Cipher Suites for more information about the cipher suites available in EMS and the OpenSSL names and longer names for the cipher suites.
Message Tracking Parameters
track_message_ids
track_message_ids = enabled | disabled
Tracks messages by message ID. Default is disabled.
Enabling this parameter allows you to display messages using the show message messageID command in the administration tool.
track_correlation_ids
track_correlation_ids = enabled | disabled
Tracks messages by correlation ID. Disabled by default.
Enabling this parameter allows you to display messages using the show messages correlationID command in the administration tool.
 
TIBCO FTL Transport Parameters
The parameters listed here enable the EMS server to connect to a TIBCO FTL realm server using transports configured in the transports.conf file.
For more information, see Chapter 14, Working with TIBCO FTL.
ftl_discard_amount
ftl_discard_amount = integer
Optional. Specifies the number of messages (events) that should be discarded from the TIBCO FTL event queue when the limit specified by ftl_discard_max_events is reached.
When absent, ftl_discard_amount defaults to 5000.
Sets the com.tibco.ftl.client.discard.amount property. For more details, see the TIBCO FTL documentation on event queues.
ftl_discard_max_events
ftl_discard_max_events = integer
Optional. Specifies the maximum number of messages (events) that a TIBCO FTL queue can hold.
When absent, ftl_discard_max_events defaults to 100000.
Sets the com.tibco.ftl.client.discard.max_events property. For more details, see the TIBCO FTL documentation on event queues.
ftl_discard_policy
ftl_discard_policy = none | old | new
Optional. Determines the behavior of the TIBCO FTL queue when the maximum number of messages (events) that the queue can hold is reached.
When absent, ftl_discard_policy is old.
Sets the com.tibco.ftl.client.discard.policy property. For more details, see the TIBCO FTL documentation on event queues.
ftl_log_level
ftl_log_level = level
Optional. Determines the trace level of FTL messages logged in the server when the EMS Server FTL trace item is enabled. When absent, the ftl_log_level defaults to warn.
For more details, see the TIBCO FTL documentation on logging.
ftl_password
ftl_password = password
Optional. The password that the EMS server should use to authenticate itself when connecting to the TIBCO FTL realm server. Note that the password can be stored in a mangled form.
Sets the com.tibco.ftl.client.userpassword property. For more details, see the TIBCO FTL documentation on realms.
ftl_url
ftl_url = URL
Required. Specifies the URL at which the EMS server can connect to the TIBCO FTL realm server.
For example, ftl_url=http://localhost:5633.
For more details, see the TIBCO FTL documentation on realms.
ftl_url_secondary
ftl_url_secondary = URL
Optional. Specifies the URL for a backup realm server. If the EMS server cannot connect to the realm server at the URL specified by ftl_url, it attempts to connect using the URL specified here.
Sets the com.tibco.ftl.client.secondary property. For more details, see the TIBCO FTL documentation on realms.
ftl_username
ftl_username = user
Optional. The username that the EMS server should use to authenticate itself when connecting to the TIBCO FTL realm server.
Sets the com.tibco.ftl.client.username property. For more details, see the TIBCO FTL documentation on realms.
tibftl_transports
tibftl_transports = enabled | disabled
Specifies whether the TIBCO FTL transports defined in transports.conf are enabled or disabled.
Unless you explicitly set this parameter to enabled, the default value is disabled—that is, all transports are disabled and will neither send messages to external systems nor receive messages from them.
Rendezvous Transport Parameters
For more information, see Chapter 15, Working With TIBCO Rendezvous.
tibrv_transports
tibrv_transports = enabled | disabled
Specifies whether TIBCO Rendezvous transports defined in transports.conf are enabled or disabled.
Unless you explicitly set this parameter to enabled, the default value is disabled—that is, all transports are disabled and will neither send messages to external systems nor receive messages from them.
SmartSockets Transport Parameters
For more information, see Chapter 16, Working With TIBCO SmartSockets.
tibss_transports
tibss_transports = enabled | disabled
Specifies whether TIBCO SmartSockets transports defined in transports.conf are enabled or disabled.
Unless you explicitly set this parameter to enabled, the default value is disabled—that is, all transports are disabled and will neither send messages to external systems nor receive messages from them.
tibss_config_dir
tibss_config_dir = pathname
Specifies the directory for SmartSockets configuration files and message files:
tal_ss.cat is a required file of messages. If it is missing, tibemsd outputs a warning message.
tibems_ss.cm is an optional file of SmartSockets RTclient configuration options.
When this parameter is absent, tibemsd searches for these files in its current working directory.
For more information about these files, see TIBCO SmartSockets User’s Guide.
Tracing and Log File Parameters
See Chapter 17, Monitoring Server Activity for more information about these parameters.
client_trace
client_trace = {enabled|disabled} [target=location]
               [user|connid|clientid=value]
Administrators can trace a connection or group of connections. When this property is enabled, the server instructs each client to generate trace output for opening or closing a connection, message activity, and transaction activity. This type of tracing does not require restarting the client program.
Each client sends trace output to location, which may be either stderr (the default) or stdout.
 
The default behavior is to trace all connections. You can specify either user, connid or clientid to selectively trace specific connections. The value can be a user name or ID (as appropriate).
Setting this parameter using the administration tool does not change its value in the configuration file tibemsd.conf; that is, the value does not persist across server restarts unless you set it in the configuration file.
console_trace
console_trace = traceOptions
Sets trace options for output to stderr. The possible values are the same as for log_trace. However, console tracing is independent of log file tracing.
If logfile is defined, you can stop console output by specifying:
console_trace=-DEFAULT
Note that important error messages (and some other messages) are always output, overriding the trace settings.
This example sends a trace message to the console when a TIBCO Rendezvous advisory message arrives.
console_trace=RVADV
logfile
logfile = pathname
Name and location of the server log file.
If the pathname contains spaces, it must be enclosed in double quotes.
By default, the logfile specified here is used by both servers in a fault tolerant pair. Optionally, a JSON-configured server pair can set the secondary_logfile parameter to direct the server designated as secondary to write to a different file.
log_trace
log_trace = traceOptions
Sets the trace preference on the file defined by the logfile parameter. If logfile is not set, the values have no effect.
The value of this parameter is a comma-separated list of trace options. For a list of trace options and their meanings, see Table 81, Server Tracing Options.
You may specify trace options in three forms:
plain  A trace option without a prefix character replaces any existing trace options.
+  A trace option preceded by + adds the option to the current set of trace options.
-  A trace option preceded by - removes the option from the current set of trace options.
The following example sets the trace log to only show messages about access control violations.
log_trace=ACL
The next example sets the trace log to show all default trace messages, in addition to SSL messages, but ADMIN messages are not shown.
log_trace=DEFAULT,-ADMIN,+SSL
logfile_max_count
logfile_max_count = integer
Specifies the maximum number of log files to be kept. Specify any number greater than 2.
When 0 or not specified, there is no limit to the number of log files kept.
logfile_max_size
logfile_max_size = size [KB|MB|GB]
Specifies the recommended maximum log file size before the log file is rotated. Set to 0 to specify no limit. Use KB, MB, or GB for units (if no units are specified, the file size is assumed to be in bytes).
The server periodically checks the size of the current log file. If it is greater than the specified size, the file is copied to a backup and then emptied. The server then begins writing to the empty log file until it reaches the specified size again.
Backup log files are named sequentially and stored in the same directory as the current log.
secondary_logfile
secondary_logfile = pathname
Name and location of the server log file used by the secondary EMS server in a fault tolerant pair. The EMS server designated as primary in the pair writes to the file specified by the logfile parameter.
If the secondary_logfile parameter is not set, the secondary server assumes the value of logfile.
If the pathname contains spaces, it must be enclosed in double quotes.
trace_client_host
trace_client_host = [hostname|address|both|both_with_port]
Trace statements related to connections can identify the host by its hostname, its IP address, or both. When absent, the default is hostname. The both_with_port option displays the ephemeral port used on the host as well as the IP address and hostname.
Statistic Gathering Parameters
See Chapter 17, Monitoring Server Activity for more information about these parameters.
server_rate_interval
server_rate_interval = seconds
Sets the interval (in seconds) over which overall server statistics are averaged. This parameter can be set to any positive integer greater than zero.
Overall server statistics are always gathered, so this parameter cannot be set to zero. By default, this parameter is set to 1.
Setting this parameter allows you to average message rates and message size over the specified interval.
statistics
statistics = enabled | disabled
Enables or disables statistic gathering for producers, consumers, destinations, and routes. By default this parameter is set to disabled.
Disabling statistic gathering resets the total statistics for each object to zero.
rate_interval
rate_interval = seconds
Sets the interval (in seconds) over which statistics for routes, destinations, producers, and consumers are averaged. By default, this parameter is set to 3 seconds. Setting this parameter to zero disables the average calculation.
detailed_statistics
detailed_statistics = NONE | [PRODUCERS,CONSUMERS,ROUTES]
Specifies which objects should have detailed statistic tracking. Detailed statistic tracking is only appropriate for routes, producers that specify no destination, or consumers that specify wildcard destinations. When detailed tracking is enabled, statistics for each destination are kept for the object.
Setting this parameter to NONE disables detailed statistic tracking. You can specify any combination of PRODUCERS, CONSUMERS, or ROUTES to enable tracking for each object. If you specify more than one type of detailed tracking, separate each item with a comma.
For example:
detailed_statistics = NONE
Turns off detailed statistic tracking.
detailed_statistics = PRODUCERS,ROUTES
Specifies detailed statistics should be gathered for producers and routes.
statistics_cleanup_interval
statistics_cleanup_interval = seconds
Specifies how long (in seconds) the server should keep detailed statistics if the destination has no activity. This is useful for controlling the amount of memory used by detailed statistic tracking. When the specified interval is reached, statistics for destinations with no activity are deleted.
max_stat_memory
max_stat_memory = size [KB|MB|GB]
Specifies the maximum amount of memory to use for detailed statistic gathering. If no units are specified, the amount is in bytes, otherwise you can specify the amount using KB, MB, or GB as the units.
Once the maximum memory limit is reached, the server stops collecting detailed statistics. If statistics are deleted and memory becomes available, the server resumes detailed statistic gathering.
SSL Server Parameters
See Chapter 18, Using the SSL Protocol for more information about these parameters.
ssl_dh_size
ssl_dh_size = [512 | 768 | 1024 | 2048]
Size of the Diffie-Hellman key. Can be 512, 768, 1024, or 2048 bits. The default value is 1024.
This key is not used for cipher suites available for export.
ssl_server_ciphers
ssl_server_ciphers = cipherSuites
Specifies the cipher suites used by the server; each suite in the list is separated by a colon (:). This parameter must follow the OpenSSL cipher string syntax.
For example, you can enable two cipher suites with the following setting:
ssl_server_ciphers = DES-CBC3-SHA:AES128-SHA
See Specifying Cipher Suites for more information about the cipher suites available in EMS and the syntax for specifying them in this parameter.
ssl_require_client_cert
ssl_require_client_cert = enable | disable
If this parameter is set to enable, the server only accepts SSL connections from clients that have digital certificates. Connections from clients without certificates are denied.
If this parameter is set to disable, then connections are accepted from clients that do not have a digital certificate.
Whether this parameter is set to enable or disable, clients that do have digital certificates are always authenticated against the certificates supplied to the ssl_server_trusted parameter.
The default value is disable.
ssl_require_route_cert_only
ssl_require_route_cert_only = enable | disable
This parameter overrides the ssl_require_client_cert parameter.
If ssl_require_route_cert_only is set to enable, the server requires a digital certificate only for SSL connections coming from routes, regardless of the value of ssl_require_client_cert. In this case, the server does not require a digital certificate for SSL connections coming from clients and from its fault-tolerant peer.
If ssl_require_route_cert_only is set to disable, whether the server requires a digital certificate for SSL connections coming from all sources (routes, clients, and fault-tolerant peer) still depends on the value of ssl_require_client_cert.
The default value is disable.
ssl_use_cert_username
ssl_use_cert_username = enable | disable
If this parameter is set to enable, a client’s user name is always extracted from the CN field of the client’s digital certificate, if the digital certificate is specified. If a different username is provided through the connection factory or API calls, then that username is discarded. Only the username from the CN is used.
The CN field is either a username, an email address, or a web address.
When ssl_use_cert_username is enabled, the username given by the CN becomes the only valid username. Any permissions associated with a different username, for example one assigned with an API call, are ignored.
ssl_cert_user_specname
ssl_cert_user_specname = username
This parameter is useful if clients are required to supply a username, but you wish to designate a special username to use when the client’s username should be taken from the client’s digital certificate.
For example, you may wish all clients to specify their username when logging in. This means the ssl_use_cert_username parameter would be set to disable. The username is supplied by the user, and not taken from the digital certificate. However, you may wish one username to signify that the client logging in with that name should have the name taken from the certificate. A good example of this username would be anonymous. All clients logging in as anonymous will have their user names taken from their digital certificates.
The value specified by this parameter is the username that clients will use to log in when the username should be taken from their digital certificate. A good example of the value of this parameter would be anonymous.
Also, the value of this parameter is ignored if ssl_use_cert_username is set to enable, in which case all client usernames are taken from their certificates. This parameter has no effect for users that have no certificate.
ssl_server_identity
ssl_server_identity = certificate
The server’s digital certificate in PEM, DER, or PKCS#12 format. You can specify the path to a file that contains the certificate in one of the supported formats.
This parameter must be specified if any SSL ports are listed in the listen parameter.
PEM and PKCS#12 formats allow the digital certificate to include the private key. If these formats are used and the private key is part of the digital certificate, then setting ssl_server_key is optional.
For example:
ssl_server_identity = certs/server.cert.pem
ssl_server_key
ssl_server_key = private_key
The server’s private key. If it is included in the digital certificate in ssl_server_identity, then this parameter is not needed.
This parameter supports private keys in the following formats: PEM, DER, PKCS#12.
You must specify a path to a file that contains the key.
ssl_password
ssl_password = password
Private key or password for private keys.
This password can optionally be specified on the command line when tibemsd is started.
If SSL is enabled, and the password is not specified with this parameter or on the command line, tibemsd will ask for the password upon startup.
You can set passwords by way of the tibemsadmin tool. When passwords are set with this tool, the password is obfuscated in the configuration file. See Chapter 6, Using the EMS Administration Tool for more information about using tibemsadmin to set passwords.
 
Because connection factories do not contain the ssl_password (for security reasons), the EMS server uses the password that is provided in the "create connection" call for user authentication. If the create connection password is different from the ssl_password, the connection creation will fail.
ssl_server_issuer
ssl_server_issuer = chain_member
Certificate chain member for the server. The server reads the certificates in the chain in the order they are presented in this parameter.
The same certificate can appear in multiple places in the certificate chain.
The certificates must be in PEM, DER, PKCS#7, or PKCS#12 format.
See File Names for Certificates and Keys for more information on file types for digital certificates.
ssl_server_trusted
ssl_server_trusted = certificates
List of CA root certificates the server trusts as issuers of client certificates.
Specify only CA root certificates. Do not include intermediate CA certificates.
The certificates must be in PEM, DER, or PKCS#7 format. You can either provide the actual certificates, or you can specify a path to a file containing the certificate chain.
For example:
ssl_server_trusted = certs\CA1_root.pem
ssl_server_trusted = certs\CA2_root.pem
See File Names for Certificates and Keys for more information on file types for digital certificates.
ssl_rand_egd
ssl_rand_egd = pathname
The path for the installed entropy gathering daemon (EGD), if one is installed. This daemon is used to generate random numbers for C clients and the EMS server. Java clients do not use this parameter.
ssl_crl_path
ssl_crl_path = pathname
A non-null value for this parameter activates the server’s certificate revocation list (CRL) feature.
The server reads CRL files from this directory. The directory should contain only CRL files. If other files are located in the pathname directory, SSL initialization will fail.
ssl_crl_update_interval
ssl_crl_update_interval = hours
The server automatically updates its CRLs at this interval (in hours).
When this parameter is absent, the default is 24 hours.
ssl_auth_only
ssl_auth_only = enable | disable
When enabled, the server allows clients to request the use of SSL only for authentication (to protect user passwords). For an overview of this feature, see SSL Authentication Only.
When disabled, the server ignores client requests for this feature. When absent, the default value is disabled.
fips140-2
fips140-2 = true | false
When true, the EMS server is enabled to run in FIPS 140-2 compliant mode. When false or excluded, the server is not FIPS compliant. For more information, see Enabling FIPS Compliance.
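The SSL settings above interact through defaults, the route-only override and the many boolean spellings, so a review is easier to do mechanically. The following is an added example, not TIBCO code: a Python audit of a constructed sample file that applies the defaults and override rules documented on this page. It assumes that # starts a comment line, that the last occurrence of a repeated parameter wins, and that ssl_use_cert_username is disabled when absent; the list of weak cipher tokens is this example's own choice.

```python
import re

# Boolean spellings accepted by tibemsd.conf (listed at the top of this page).
TRUE_WORDS = {"enable", "enabled", "true", "yes", "on"}
FALSE_WORDS = {"disable", "disabled", "false", "no", "off"}

# Defaults this page states for absent parameters. ssl_use_cert_username has no
# stated default here; treating it as disabled is an assumption of this example.
DEFAULTS = {
    "ft_ssl_verify_host": "enabled", "ft_ssl_verify_hostname": "enabled",
    "ssl_require_client_cert": "disable", "ssl_require_route_cert_only": "disable",
    "ssl_auth_only": "disabled", "ssl_use_cert_username": "disable",
    "ssl_dh_size": "1024",
}

# Suite-name tokens and cipher-string keywords this example treats as weak.
WEAK_TOKENS = {"DES", "3DES", "CBC3", "RC4", "NULL", "ANULL", "ENULL",
               "EXP", "EXPORT", "LOW", "MD5"}

# Constructed sample input, not a file shipped with EMS.
SAMPLE_CONF = """\
ft_ssl_verify_host = enabled
ft_ssl_verify_hostname = off
ssl_dh_size = 1024
ssl_server_ciphers = DES-CBC3-SHA:AES128-SHA
ssl_require_client_cert = yes
ssl_require_route_cert_only = enable
ssl_use_cert_username = enable
ssl_server_identity = certs/server.cert.pem
"""

def parse_conf(text):
    """Return {parameter: [values]}; a parameter may appear on several lines."""
    params = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):  # assumption: '#' starts a comment
            continue
        name, sep, value = line.partition("=")
        if sep:
            params.setdefault(name.strip(), []).append(value.strip().strip('"'))
    return params

def setting(params, name):
    """Last value given (assumption: last wins), else the documented default."""
    values = params.get(name)
    return values[-1] if values else DEFAULTS[name]

def flag(params, name):
    """Read a boolean parameter, accepting every spelling the server accepts."""
    word = setting(params, name).lower()
    if word in TRUE_WORDS:
        return True
    if word in FALSE_WORDS:
        return False
    raise ValueError(f"{name}: {word!r} is not a boolean value")

def weak_suites(cipher_string):
    """Return the colon-separated entries that enable a weak suite."""
    weak = []
    for entry in cipher_string.split(":"):
        entry = entry.strip()
        if not entry or entry[0] in "!-":  # exclusions in OpenSSL cipher syntax
            continue
        if WEAK_TOKENS & set(re.split(r"[-_]", entry.lstrip("+").upper())):
            weak.append(entry)
    return weak

def audit(text):
    """Return [(parameter, finding)] for the SSL settings of one configuration."""
    p, findings = parse_conf(text), []
    if any(k.startswith("ft_ssl_") for k in p):
        if not flag(p, "ft_ssl_verify_host"):
            findings.append(("ft_ssl_verify_host", "FT peer certificate is not verified"))
        if not flag(p, "ft_ssl_verify_hostname"):
            findings.append(("ft_ssl_verify_hostname", "CN of the FT peer certificate is not checked"))
        weak = weak_suites(p.get("ft_ssl_ciphers", [""])[-1])
        if weak:
            findings.append(("ft_ssl_ciphers", "weak suites: " + ", ".join(weak)))
    if any(k.startswith("ssl_") for k in p):
        if int(setting(p, "ssl_dh_size")) < 2048:
            findings.append(("ssl_dh_size", "Diffie-Hellman key shorter than 2048 bits"))
        weak = weak_suites(p.get("ssl_server_ciphers", [""])[-1])
        if weak:
            findings.append(("ssl_server_ciphers", "weak suites: " + ", ".join(weak)))
        route_only = flag(p, "ssl_require_route_cert_only")
        clients_need_cert = flag(p, "ssl_require_client_cert") and not route_only
        if route_only:
            findings.append(("ssl_require_route_cert_only", "only routes must present a certificate"))
        elif not clients_need_cert:
            findings.append(("ssl_require_client_cert", "clients may connect without a certificate"))
        if flag(p, "ssl_use_cert_username") and not clients_need_cert:
            findings.append(("ssl_use_cert_username", "clients without a certificate keep the name they supply"))
        if not any(p.get("ssl_crl_path", [])):
            findings.append(("ssl_crl_path", "certificate revocation lists are not loaded"))
        if flag(p, "ssl_auth_only"):
            findings.append(("ssl_auth_only", "SSL may be limited to the authentication exchange"))
    return findings
```

In the sample, ssl_require_client_cert = yes has no effect on clients because ssl_require_route_cert_only overrides it, which is why the audit reports the override rather than the overridden parameter.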
LDAP Parameters
See Chapter 8, Authentication and Permissions for more information about these parameters.
ldap_url
URL of the external directory server. This can take the following forms:
LDAP://host:tcp_port
or
LDAPS://host:ssl_port
For example:
LDAP://myLdapServer:1855
ldap_principal
ldap_principal = DN
The distinguished name (DN) of the LDAP user that the EMS server uses to bind to the LDAP server. This user must have privileges that allow it to bind and browse group users, but does not necessarily need to have administrative privileges.
For example:
ldap_principal = "cn=Manager"
ldap_credential
ldap_credential = password
The password associated with the user defined in the ldap_principal property. This value must be specified and cannot be an empty string.
ldap_cache_enabled
ldap_cache_enabled = enable | disable
Enables caching of LDAP data.
ldap_cache_ttl
ldap_cache_ttl = seconds
Specifies the maximum time (in seconds) that cached LDAP data is retained before it is refreshed.
ldap_conn_type
ldap_conn_type = [ldaps | startTLS]
Specifies the type of connection that the server uses to get LDAP information.
ldaps—Use SSL on the LDAP connection (secure).
startTLS—Use the startTLS extension to the LDAP version 3 protocol (secure).
ldap_tls_cacert_file
ldap_tls_cacert_file = pathname
This file contains the CA certificate that the EMS server trusts to sign the LDAP server’s certificate.
You must provide ldap_tls_cacert_file in order to create secure connections. Optionally, ldap_tls_cacert_dir can be used in addition to ldap_tls_cacert_file in order to specify a directory with additional individual CA certificates.
ldap_tls_cacert_dir
ldap_tls_cacert_dir = pathname
When there are two or more CA certificates in the verify chain, the server scans this directory for CA certificates.
You must also provide ldap_tls_cacert_file in order to create secure connections. ldap_tls_cacert_dir is an optional parameter that can be used in addition to ldap_tls_cacert_file in order to specify a directory with additional individual CA certificates.
ldap_tls_cipher_suite
ldap_tls_cipher_suite = cipher_suite
Optional. You can specify the cipher suite to use for encryption on secure LDAP connections.
This parameter must follow the OpenSSL cipher string syntax; see Specifying Cipher Suites. You must use OpenSSL names when specifying the suite. For example, use AES128-SHA rather than TLS_RSA_WITH_AES_128_CBC_SHA. Using Java names results in an authorization error when connecting to a client.
In addition to the actual cipher names, you may specify cipher quality; for example:
ldap_tls_rand_file
ldap_tls_rand_file = pathname
When the operating system does not include a random data feature, this file is the source of random data for encryption.
ldap_tls_cert_file
ldap_tls_cert_file = pathname
When the LDAP server requires client authentication, use the certificate in this file to identify the EMS server.
ldap_tls_key_file
ldap_tls_key_file = pathname
When the LDAP server requires client authentication, use the private key in this file.
When you plan to start the server remotely, we recommend that you do not password-encrypt the key file.
ldap_user_class
ldap_user_class = class_name
Name of the LDAP object class that stores users.
For example:
ldap_user_class = person
ldap_user_attribute
ldap_user_attribute = attribute
Name of the attribute on the user object class that holds the name of the user.
For example:
ldap_user_attribute = uid
ldap_user_base_dn
ldap_user_base_dn = DN
Base distinguished name (DN) of the LDAP tree that contains the users.
For example:
ldap_user_base_dn = "ou=People,dc=Corp"
ldap_user_scope
ldap_user_scope = onelevel | subtree
Specifies how deeply under the base DN to search for users. You can specify onelevel and subtree for this parameter. onelevel specifies to search only one level below the DN, subtree specifies to search all sub-trees.
For example:
ldap_user_scope = subtree
ldap_user_filter
ldap_user_filter = filter
Optional LDAP search filter for finding a given user name. Use %s as the placeholder for the user name in the filter. For example:
uid=%s
The full LDAP search grammar is specified in RFC 2254 and RFC 2251.
If unspecified, then a default search filter is generated based on the user object class and user name attribute.
ldap_all_users_filter
ldap_all_users_filter = filter
An optional LDAP search filter for finding all users beneath the user base DN.
If not specified, then a default search filter is generated based on the user object class and user name attribute.
ldap_group_base_dn
ldap_group_base_dn = DN
Base distinguished name (DN) of the LDAP tree that contains groups.
For example:
ldap_group_base_dn = "ou=Groups,dc=Corp"
ldap_group_scope
ldap_group_scope = onelevel | subtree
Specifies how deeply under the base DN to search for groups. You can specify onelevel and subtree for this parameter. onelevel specifies to search only one level below the DN, subtree specifies to search all sub-trees.
For example:
ldap_group_scope = subtree
ldap_group_filter
ldap_group_filter = filter
Optional LDAP search filter for finding a group with a given group name. Use %s as the placeholder for the group name in the filter.
The full LDAP search grammar is specified in RFC 2254 and RFC 2251.
If unspecified, then a default search filter is generated based on the group object class and group attribute.
For example:
ldap_group_filter = "(|(&(cn=%s)(objectClass=groupofUniqueNames))(&(cn=%s)(objectClass=groupOfURLs)))"
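To preview the search that a ldap_user_filter or ldap_group_filter template will produce before deploying it, the following added example (not TIBCO code) checks a template for a %s placeholder and balanced parentheses, then expands it with a name escaped as RFC 2254 requires. The function names are hypothetical, and whether the EMS server escapes the substituted name itself is not stated on this page.

```python
# Characters RFC 2254 requires to be escaped inside a filter value.
ESCAPES = {"\\": r"\5c", "*": r"\2a", "(": r"\28", ")": r"\29", "\x00": r"\00"}

# Filter templates taken from the examples on this page.
USER_FILTER = "uid=%s"
GROUP_FILTER = ("(|(&(cn=%s)(objectClass=groupofUniqueNames))"
                "(&(cn=%s)(objectClass=groupOfURLs)))")


def escape_value(value):
    """Escape a user or group name so it is matched literally."""
    return "".join(ESCAPES.get(ch, ch) for ch in value)


def check_template(template):
    """Return a list of problems found in a filter template that uses %s."""
    problems = []
    if "%s" not in template:
        problems.append("no %s placeholder")
    depth = 0
    for ch in template:
        if ch == "(":
            depth += 1
        elif ch == ")":
            depth -= 1
            if depth < 0:
                problems.append("')' without a matching '('")
                break
    if depth > 0:
        problems.append("%d unclosed '('" % depth)
    return problems


def expand(template, name):
    """Substitute the escaped name for every %s in a well-formed template."""
    problems = check_template(template)
    if problems:
        raise ValueError("; ".join(problems))
    return template.replace("%s", escape_value(name))


if __name__ == "__main__":
    # Constructed names; the second contains characters that need escaping.
    for name in ("ops", "smith (ops)*"):
        print(expand(USER_FILTER, name))
        print(expand(GROUP_FILTER, name))
```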
ldap_all_groups_filter
ldap_all_groups_filter = filter
Optional LDAP search filter for finding all groups beneath the group base DN.
If unspecified, then a default search filter is generated based on the group object class and group attribute.
ldap_static_group_class
ldap_static_group_class = name
Name of the LDAP object class that stores static groups.
For example:
ldap_static_group_class = groupofuniquenames
ldap_static_group_attribute
ldap_static_group_attribute = class
Name of the attribute on the static group object class that holds the name of the group.
For example:
ldap_static_group_attribute = cn
ldap_static_group_member_filter
ldap_static_group_member_filter = filter
Optional LDAP search filter for finding all static members of a group. Use %s as the placeholder for the group name in the filter.
The full LDAP search grammar is specified in RFC 2254 and RFC 2251.
If unspecified, then the following default search filter is generated based on the group object class and group attribute:
ldap_static_group_member_filter = "(&(<ldap_static_member_attribute>=<user DN>)(objectClass=<ldap_static_group_class>))"
ldap_static_member_attribute
ldap_static_member_attribute = attribute
Attribute of an LDAP static group object that specifies the distinguished names (DNs) of the members of the group.
For example:
ldap_static_member_attribute = uniquemember
ldap_dynamic_group_class
ldap_dynamic_group_class = class
Name of the LDAP object class that stores dynamic groups.
For example:
ldap_dynamic_group_class = groupofURLs
ldap_dynamic_group_attribute
ldap_dynamic_group_attribute = attribute
Name of the attribute on the dynamic group object class that holds the name of the group. For example:
ldap_dynamic_group_attribute = cn
ldap_dynamic_member_url_attribute
ldap_dynamic_member_url_attribute = attribute
Attribute of the dynamic LDAP group object that specifies the URLs of the members of the dynamic group. For example:
ldap_dynamic_member_url_attribute = memberURL
Extensible Security Parameters
The extensible security feature allows you to write your own authentication and permissions modules for the server. For more information on this feature, see Chapter 9, Extensible Security.
jaas_classpath
jaas_classpath = classpath
Includes the JAR files and dependent classes used by the JAAS LoginModule. This parameter is required to enable the extensible security feature for authentication.
For example:
jaas_classpath = .:/usr/local/custom/user_jaas_plugin.jar
jaas_config_file
jaas_config_file = file-name
Specifies the location of the JAAS configuration file used by the EMS server to run a custom authentication LoginModule. For more information, see Loading the LoginModule in the EMS Server.
This parameter is required to enable the extensible security feature for authentication.
For example:
jaas_config_file = jaas.conf
jaas_login_timeout
jaas_login_timeout = milliseconds
Specifies the length of time, in milliseconds, that the EMS server will wait for the JAAS authentication module to execute and respond. This timeout is used each time the server passes a username and password to the LoginModule. If the module does not return a response, the server denies authentication.
This parameter is optional. If it is not included, the default timeout is 500 milliseconds. For example:
jaas_login_timeout = 250
jaci_classpath
jaci_classpath = classpath
Includes the JAR files and dependent classes used by the JACI custom permissions module. This parameter is required to enable the extensible security feature for granting permissions.
For example:
jaci_classpath = .:/usr/local/custom/user_jaci_plugin.jar
jaci_class
jaci_class = class-name
Specifies the name of the class that implements the extensible permissions interface. The class must be written using the Java Access Control Interface (JACI). For more information about writing a custom application using JACI to grant permissions, see Writing a Permissions Module.
For example:
jaci_class = com.userco.auth.CustomAuthorizer
jaci_timeout
jaci_timeout = milliseconds
Specifies the length of time, in milliseconds, that the EMS server will wait for the JACI permissions module to execute and respond. This timeout is used each time the server passes a destination, username, and action to the permissions module. If the module does not return a response, the server denies authorization.
This parameter is optional. If it is not included, the default timeout is 500 milliseconds.
For example:
jaci_timeout = 250
security_classpath
security_classpath = classpath
Includes the JAR files and dependent classes used by the JAAS LoginModules and JACI modules. This parameter is required to enable the extensible security feature for authentication and the extensible security feature for granting permissions.
For example:
security_classpath = .:/usr/local/custom/user_jaci_plugin.jar
JVM Parameters
These parameters enable and configure the Java virtual machine (JVM) in the EMS server. For more information on how the JVM works in EMS, see Enabling the JVM.
jre_library
jre_library = path
Enables the JVM in the EMS server, where path is the absolute path to the JRE shared library file that is installed with the JRE. Depending on your platform, this could be jvm.dll, libjvm.so, libjvm.dylib, and so forth. Note that tibemsd must point to a 64-bit JVM.
If this parameter is not included, the JVM is disabled by default.
If the path contains any spaces, the path must be enclosed in quotation marks.
For example:
jre_library = "C:\Program Files\Java\jdk1.8.0_121\jre\bin\server\jvm.dll"
jre_option
jre_option = JVMoption
Passes command line options to the JVM at start-up. The jre_option parameter can be used to define Java system properties, which are used by applications running in the JVM, such as extensible security modules.
You can use multiple jre_option entries in order to pass more than one option to the JVM. Permitted values for JVMoption include most JVM options that are defined by Sun Microsystems.
For example, this restricts the maximum heap size of the JVM to 256 megabytes:
jre_option = -Xmx256m
