Configure a Connection Factory

You can configure a connection factory using the administration tool or the administration APIs.

When configuring a connection factory, you can specify several TLS parameters, similar to the server parameters that you can configure in tibemsd.conf.

Note: When configuring a connection factory, EMS does not verify any file names specified in the TLS parameters. At the time the factory is retrieved using JNDI, the EMS server attempts to resolve any file references. If the files do not match the supported types or the files are not found, the JNDI lookup fails with a ConfigurationException.

Note: Because connection factories do not contain the ssl_password (for security reasons), the EMS server uses the password that is provided in the "create connection" call for user authentication. If the create connection password is different from the ssl_password, the connection creation will fail.

The following table describes the TLS parameters that can be set in a connection factory.

For more information about each parameter, see the description of the equivalent parameter in tibemsd.conf.

Parameter	Description
`ssl_vendor`	The vendor name of the TLS implementation that the client uses. Since software release 8.4.0, only one vendor (JSSE) is supported for the Java client, so use of this parameter is optional in that context.
`ssl_identity`	The client’s digital certificate. For more information on file types for digital certificates, see File Names for Certificates and Keys.
`ssl_issuer`	Issuer’s certificate chain for the client’s certificate. Supply the entire chain, including the CA root certificate. The client reads the certificates in the chain in the order they are presented in this parameter. Example ssl_issuer = certs\CA_root.pem ssl_issuer = certs\CA_child1.pem ssl_issuer = certs\CA_child2.pem For more information on file types for digital certificates, see File Names for Certificates and Keys.
`ssl_private_key`	The client’s private key. If the key is included in the digital certificate in `ssl_identity`, then you may omit this parameter. For more information on file types for digital certificates, see File Names for Certificates and Keys.
`ssl_trusted`	List of CA certificates to trust as issuers of server certificates. Supply only CA root certificates. For more information on file types for digital certificates, see File Names for Certificates and Keys.
`ssl_verify_host`	Specifies whether the client should verify the server’s certificate. The values for this parameter are `enabled` or `disabled`. By default, this parameter is enabled, signifying the client should verify the server’s certificate. When `disabled`, the client establishes secure communication with the server, but does not verify the server’s identity.
`ssl_verify_hostname`	Specifies whether the client should verify the name in the CN field of the server’s certificate. The values for this parameter are `enabled` and `disabled`. By default, this parameter is enabled, signifying the client should verify the name of the connected host or the name specified in the `ssl_expected_hostname` parameter against the value in the server’s certificate. If the names do not match, the client rejects the connection. When `disabled`, the client establishes secure communication with the server, but does not verify the server’s name.
`ssl_expected_hostname`	The name the client expects in the CN field of the server’s certificate. If this parameter is not set, the expected name is the hostname of the server. The value of this parameter is used when the `ssl_verify_hostname` parameter is enabled.
`ssl_ciphers`	Specifies the cipher suites that the client can use. Supply a colon-separated list of cipher names. Names may be either OpenSSL names, or longer descriptive names. For more information, see Specify Cipher Suites.
`ssl_auth_only`	Specifies whether TLS should be used to encrypt all server-client communications, or only client authentication. When `enabled`, the client requests TLS be used only for authentication. The server then uses TCP communications for further data exchange. When `disabled` or absent, all communication between the client and server must be TLS encrypted. For an overview of this feature, see TLS Authentication Only.

Did you find this helpful?

Yes No