Enable EMS Clients

Java and C client applications can operate in FIPS 140-2 compliant mode:

  • Java Clients

    Java clients that use the Bouncy Castle FIPS provider can operate in FIPS 140-2 compliant mode. To do so, perform both of the following:

    • Set the TLS vendor to bcfips before calling any other EMS methods; refer to the EMS Java documentation for details.
    • Start the JVM with -Dorg.bouncycastle.fips.approved_only=true

    For backward compatibility, you can set the com.tibco.security.FIPS property to true instead of setting the TLS vendor to bcfips.

    If the tibco.tibjms.ssl.debug.trace property is set to true and the Java client is operating in FIPS 140-2 compliant mode, the client prints a message listing BCFIPS as the FIPS Provider when it initializes the TLS infrastructure.

  • C Clients

    To enable FIPS 140-2 operations in the C client, load the required FIPS and base OpenSSL providers before calling any EMS functions. This can be done by setting the OPENSSL_CONF and OPENSSL_MODULES environment variables, as per the OpenSSL 3.0 documentation.

    For example:

    export OPENSSL_CONF=/opt/tibco/ems/10.3/lib/openssl-client.cnf
    export OPENSSL_MODULES=/opt/tibco/ems/10.3/lib
    

    If tibemsSSL_SetDebugTrace(TIBEMS_TRUE) has been called and FIPS 140-2 operations have been successfully enabled, the C client prints a message each time it establishes a new TLS connection, indicating that fips is among the loaded OpenSSL providers.
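A static pre-flight check for the two environment variables above, as an added example that is not part of the TIBCO documentation. The function names are hypothetical, the sample configuration is constructed, the module file names fips.so and fips.dll are an assumption based on OpenSSL 3.0, and .include directives are not followed.

```shell
# providers_in_conf FILE: print the provider names listed in the section that
# "providers = <section>" points to. Does not follow .include directives.
providers_in_conf() {
    awk '
        { sub(/[ \t]*#.*/, ""); gsub(/^[ \t]+|[ \t]+$/, "") }  # drop comments, trim
        /^\[.*\]$/ { sec = substr($0, 2, length($0) - 2); gsub(/[ \t]/, "", sec); next }
        /=/ {
            key = $0; sub(/[ \t]*=.*/, "", key)
            val = $0; sub(/^[^=]*=[ \t]*/, "", val)
            if (key == "providers") want = val
            else names[sec] = names[sec] key "\n"
        }
        END { if (want != "") printf "%s", names[want] }
    ' "$1"
}

fail() { echo "FIPS pre-flight: $*" >&2; return 1; }
# check_fips_env: succeed only if both variables are usable and fips + base are listed.
check_fips_env() {
    [ -r "${OPENSSL_CONF:-}" ] || fail "OPENSSL_CONF unset or unreadable" || return 1
    [ -d "${OPENSSL_MODULES:-}" ] || fail "OPENSSL_MODULES is not a directory" || return 1
    # Assumption: OpenSSL 3.0 module file name, fips.so on Linux, fips.dll on Windows.
    [ -f "$OPENSSL_MODULES/fips.so" ] || [ -f "$OPENSSL_MODULES/fips.dll" ] ||
        fail "no FIPS module in $OPENSSL_MODULES" || return 1
    listed=$(providers_in_conf "$OPENSSL_CONF")
    for p in fips base; do
        printf '%s\n' "$listed" | grep -qx "$p" ||
            fail "provider $p not listed in $OPENSSL_CONF" || return 1
    done
    echo "ok: fips and base listed, FIPS module present"
}

# Constructed sample, not the file TIBCO ships: provider list plus a dummy module.
make_sample() {
    d=$(mktemp -d) && : > "$d/fips.so"
    cat > "$d/openssl-client.cnf" <<'EOF'
openssl_conf = openssl_init
[openssl_init]
providers = provider_sect
[ provider_sect ]
fips = fips_sect   # section bodies omitted in this sample
base = base_sect
EOF
    echo "$d"
}

sample=$(make_sample)
OPENSSL_CONF="$sample/openssl-client.cnf" OPENSSL_MODULES="$sample" check_fips_env
rm -rf "$sample"
```

This only confirms that the configuration is plausible before the client starts; the debug trace message described above remains the evidence that the fips provider was actually loaded.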

Note: The Java and C clients support FIPS compliance only on the Linux and Windows platforms.