Copyright © TIBCO Software Inc. All Rights Reserved
• If JAAS authentication is not configured, the Central Administration server uses the admin user, with no password, to authenticate with all the EMS servers.
• If JAAS authentication is configured, the Central Administration server presents the user ID and password that the current user supplied when logging on. If the user is attempting to deploy configuration changes but does not have the necessary administrative privileges for the EMS server, the deployment fails.
− emsca-admin — Grants administrative privileges to members. Administrators may lock and edit an EMS server in Central Administration, and deploy an updated server configuration. However, note that the user must also have administrative privileges for the EMS server before deploying.
− emsca-guest — Grants read-only privileges to members. Guest users are not able to make changes or deploy configurations through Central Administration.
To enable JAAS authentication, set the --jaas option at the command line, or use the related setting in the Central Administration configuration file.
For more information on JAAS security, see the sample configuration files in EMS_HOME\samples\emsca\jaas.
The Central Administration server does not verify hostnames or hosts.
The syntax and use of these SSL configuration options are further documented in Table 3, Central Administration Server Options:
− Enable SSL using the --ems-ssl-identity command line option, or through the related setting in the Central Administration configuration file. This option sets the path to the identity certificate and private key that the Central Administration server uses when identifying itself to the EMS servers.
− Provide the SSL password associated with the private key by setting the com.tibco.ems.ssl.password parameter. The command line option --ems-ssl-password is also available, but providing a password on the command line is not recommended and may pose a security risk. Use tibemsadmin -mangle to generate an obfuscated version before providing the password in either the configuration file or on the command line. If you do not provide the password using the parameter or flag, the Central Administration server requires the SSL decryption password when you log in. Note that this option is only available if JAAS is configured.
− Specify an SSL policy using the --ssl-policy command line option, or through the related setting in the Central Administration configuration file. By default, the Central Administration server attempts to connect through any of the listens defined in the EMS server configuration, regardless of whether they are SSL connections or not. Alternatively, you can either "require" or "prefer" an SSL connection. If you require SSL, the server will not communicate with the EMS server through a non-SSL connection. If you prefer SSL, SSL connections are attempted first.
For more information on using SSL in TIBCO Enterprise Message Service, see Using the SSL Protocol in the TIBCO Enterprise Message Service User’s Guide.
The syntax and use of these SSL configuration options are documented in Table 3, Central Administration Server Options:
• Enable HTTPS using the --https-identity command line option, or through the related setting in the Central Administration configuration file. This option sets the path to a PKCS12 file or Java KeyStore providing the identity of the Central Administration server to browsers. When HTTPS is enabled, it replaces HTTP on the same port number.
• Provide the SSL password associated with the private key by setting the com.tibco.emsca.https.password parameter. The command line option --https-password is also available, but providing a password on the command line is not recommended and may pose a security risk. Use tibemsadmin -mangle to generate an obfuscated version before providing the password in either the configuration file or on the command line.
For testing purposes, you can configure Central Administration with the identity file emsca_https_identity.p12 that is provided in the samples/certs directory and use the corresponding self-signed root certificate with your web browser. For restrictions and details, see the readme.txt file in the same directory.
To configure this feature, you can either provide a cipher suite specification with the --ssl-ciphers command line option when the Central Administration server is started, or set a configuration parameter in the Central Administration configuration file. Both methods accept the Java Client Syntax described in the TIBCO Enterprise Message Service User’s Guide. This is further documented in Table 3, Central Administration Server Options.
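As an added example (not TIBCO's own tooling), the following shell function audits a Central Administration server argument list for the weak settings this section describes: no --jaas, a password passed on the command line, an SSL policy other than require, and no --https-identity. The `--option value` and `--option=value` forms, the sample paths, and the finding codes are assumptions made for the example.

```shell
#!/bin/sh
# Added example: flag weak Central Administration launch arguments.
# Assumed: option values are passed as "--opt value" or "--opt=value".
# Prints one finding per line; exit status is 0 when nothing is flagged.
audit_emsca_args() (
    jaas=0; https=0; policy=default; rc=0
    while [ "$#" -gt 0 ]; do
        arg=$1; shift
        case "$arg" in
            --jaas|--jaas=*) jaas=1 ;;
            --https-identity|--https-identity=*) https=1 ;;
            --ssl-policy=*) policy=${arg#*=} ;;
            --ssl-policy) if [ "$#" -gt 0 ]; then policy=$1; shift; fi ;;
            --ems-ssl-password|--ems-ssl-password=*|--https-password|--https-password=*)
                # Command-line arguments are visible in process listings.
                echo "CLI_PASSWORD ${arg%%=*}: set the password parameter in the configuration file instead"
                rc=1 ;;
        esac
    done
    # Without JAAS the server logs in to every EMS server as admin, no password.
    [ "$jaas" -eq 1 ] || { echo "NO_JAAS: EMS servers are accessed as admin with no password"; rc=1; }
    # Only "require" rules out non-SSL listens; the default and "prefer" do not.
    [ "$policy" = require ] || { echo "SSL_NOT_REQUIRED policy=$policy: non-SSL connections to EMS servers remain possible"; rc=1; }
    # HTTPS replaces HTTP on the same port only when an identity is supplied.
    [ "$https" -eq 1 ] || { echo "NO_HTTPS: the browser interface is served over HTTP"; rc=1; }
    exit "$rc"
)

# Constructed sample argument lists; all paths are placeholders.
echo "weak launch:"
audit_emsca_args --ems-ssl-identity /path/to/identity.pem --https-password secret || true
echo "hardened launch:"
audit_emsca_args --jaas /path/to/jaas.conf --ssl-policy require \
    --ems-ssl-identity /path/to/identity.pem \
    --https-identity /path/to/identity.p12 && echo "no findings"
```

The check covers only what the command line reveals; settings made through the Central Administration configuration file need the same review there.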