Configure a Connection Factory
You can configure a connection factory using the administration tool or the administration APIs.
When configuring a connection factory, you can specify several TLS parameters, similar to the server parameters that you can configure in tibemsd.conf.
The following table describes the TLS parameters that can be set in a connection factory.
For more information about each parameter, see the description of the equivalent parameter in tibemsd.conf.
| Parameter | Description |
|---|---|
| ssl_vendor | The vendor name of the TLS implementation that the client uses. Since software release 8.4.0, only one vendor (JSSE) is supported for the Java client, so use of this parameter is optional in that context. |
| ssl_identity | The client’s digital certificate.
For more information on file types for digital certificates, see File Names for Certificates and Keys. |
| ssl_issuer | Issuer’s certificate chain for the client’s certificate. Supply the entire chain, including the CA root certificate. The client reads the certificates in the chain in the order they are presented in this parameter.
Example ssl_issuer = certs\CA_root.pem ssl_issuer = certs\CA_child1.pem ssl_issuer = certs\CA_child2.pem For more information on file types for digital certificates, see File Names for Certificates and Keys. |
| ssl_private_key | The client’s private key. If the key is included in the digital certificate in
ssl_identity, then you may omit this parameter.
For more information on file types for digital certificates, see File Names for Certificates and Keys. |
| ssl_trusted | List of CA certificates to trust as issuers of server certificates. Supply only CA root certificates.
For more information on file types for digital certificates, see File Names for Certificates and Keys. |
| ssl_verify_host | Specifies whether the client should verify the server’s certificate. The values for this parameter are
enabled or
disabled. By default, this parameter is enabled, signifying the client should verify the server’s certificate.
When disabled, the client establishes secure communication with the server, but does not verify the server’s identity. |
| ssl_verify_hostname | Specifies whether the client should verify the name in the CN field of the server’s certificate. The values for this parameter are
enabled and
disabled. By default, this parameter is enabled, signifying the client should verify the name of the connected host or the name specified in the
ssl_expected_hostname parameter against the value in the server’s certificate. If the names do not match, the client rejects the connection.
When disabled, the client establishes secure communication with the server, but does not verify the server’s name. |
| ssl_expected_hostname | The name the client expects in the CN field of the server’s certificate. If this parameter is not set, the expected name is the hostname of the server.
The value of this parameter is used when the ssl_verify_hostname parameter is enabled. |
| ssl_ciphers | Specifies the cipher suites that the client can use.
Supply a colon-separated list of cipher names. Names may be either OpenSSL names, or longer descriptive names. For more information, see Specify Cipher Suites. |
| ssl_auth_only | Specifies whether TLS should be used to encrypt all server-client communications, or only client authentication.
When enabled, the client requests TLS be used only for authentication. The server then uses TCP communications for further data exchange. When disabled or absent, all communication between the client and server must be TLS encrypted. For an overview of this feature, see TLS Authentication Only. |