Enable EMS Clients
Java and C client applications can operate in FIPS compliance:
- Java Clients
  Java clients that use the Bouncy Castle FIPS provider can operate in FIPS 140-2 compliant mode. To do so, perform both of the following:
  - Set the TLS vendor to bcfips before calling any other EMS methods; refer to the EMS Java documentation for details.
  - Start the JVM with -Dorg.bouncycastle.fips.approved_only=true
  For backward compatibility reasons, an alternative to setting the TLS vendor to bcfips consists of setting the com.tibco.security.FIPS property to true.
  If the tibco.tibjms.ssl.debug.trace property has been set to true and the Java client set to operate in FIPS 140-2 compliant mode, upon initializing the TLS infrastructure the client prints a message listing BCFIPS as the FIPS Provider.
- C Clients
  To enable FIPS 140-2 operations in the C client, load the required FIPS and base OpenSSL providers before calling any EMS functions. This can be done by setting the OPENSSL_CONF and OPENSSL_MODULES environment variables, as per the OpenSSL 3.0 documentation.
  For example:
    export OPENSSL_CONF=/opt/tibco/ems/10.3/lib/openssl-client.cnf
    export OPENSSL_MODULES=/opt/tibco/ems/10.3/lib
  If tibemsSSL_SetDebugTrace(TIBEMS_TRUE) has been called and FIPS 140-2 operations have been successfully enabled, upon establishing a new TLS connection the C client prints a message indicating that fips is among the OpenSSL providers that have been loaded.
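A pre-flight check for the C client environment described above, as an added example that is not part of the EMS product or its documentation. The function names are hypothetical, and it assumes a Linux host (FIPS module file named fips.so) and a configuration file that names its provider list with a "providers = <section>" line, as in the OpenSSL 3.0 layout.

```shell
#!/bin/sh
# Added example: checks that OPENSSL_CONF and OPENSSL_MODULES point at a
# usable FIPS setup before the EMS C client starts. It inspects files only;
# it does not follow .include directives or verify provider activation.

# Print the provider names listed in the section that "providers =" points to.
listed_providers() {
    awk '
        { sub(/[ \t]*#.*/, ""); gsub(/[ \t]/, "") }   # drop comments, blanks
        /^\[.*\]$/    { sect = substr($0, 2, length($0) - 2); next }
        /^providers=/ { split($0, kv, "="); want = kv[2]; next }
        /=/           { split($0, kv, "="); keys[sect] = keys[sect] kv[1] "\n" }
        END           { printf "%s", keys[want] }
    ' "$1"
}

# Return 0 only if both variables are set, the FIPS module file is present,
# and the configuration lists both the fips and base providers.
check_fips_env() {
    rc=0
    [ -n "${OPENSSL_CONF:-}" ] && [ -r "$OPENSSL_CONF" ] ||
        { echo "OPENSSL_CONF unset or not readable" >&2; return 1; }
    # Assumption: Linux naming. The base provider is built into libcrypto,
    # so only the FIPS module needs a file under OPENSSL_MODULES.
    [ -n "${OPENSSL_MODULES:-}" ] && [ -f "$OPENSSL_MODULES/fips.so" ] ||
        { echo "no fips.so under OPENSSL_MODULES" >&2; rc=1; }
    provs=$(listed_providers "$OPENSSL_CONF")
    for p in fips base; do
        printf '%s\n' "$provs" | grep -qx "$p" ||
            { echo "provider '$p' not listed in $OPENSSL_CONF" >&2; rc=1; }
    done
    return $rc
}
```

Call check_fips_env in the client's start script after the two export lines; the debug trace message described above remains the confirmation that the fips provider was actually loaded at run time.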