Configure a Connection Factory

You can configure a connection factory using the administration tool or the administration APIs.

See EMS Administration Tool.

When configuring a connection factory, you can specify several SSL parameters, similar to the server parameters that you can configure in tibemsd.conf.

Note: When configuring a connection factory, EMS does not verify any file names specified in the SSL parameters. At the time the factory is retrieved using JNDI, the EMS server attempts to resolve any file references. If the files do not match the supported types or the files are not found, the JNDI lookup fails with a ConfigurationException.
Note: Because connection factories do not contain the ssl_password (for security reasons), the EMS server uses the password that is provided in the "create connection" call for user authentication. If the create connection password is different from the ssl_password, the connection creation will fail.

The following table describes the SSL parameters that can be set in a connection factory.

For more information about each parameter, see the description of the equivalent parameter in tibemsd.conf.

Parameter Description
ssl_vendor The vendor name of the SSL implementation that the client uses. Since software release 8.4.0, only one vendor (JSSE) is supported for the Java client, so use of this parameter is optional in that context.
ssl_identity The client’s digital certificate.

For more information on file types for digital certificates, see File Names for Certificates and Keys.

ssl_issuer Issuer’s certificate chain for the client’s certificate. Supply the entire chain, including the CA root certificate. The client reads the certificates in the chain in the order they are presented in this parameter.

Example

ssl_issuer = certs\CA_root.pem
ssl_issuer = certs\CA_child1.pem
ssl_issuer = certs\CA_child2.pem

For more information on file types for digital certificates, see File Names for Certificates and Keys.

ssl_private_key The client’s private key. If the key is included in the digital certificate in ssl_identity, then you may omit this parameter.

For more information on file types for digital certificates, see File Names for Certificates and Keys.

ssl_trusted List of CA certificates to trust as issuers of server certificates. Supply only CA root certificates.

For more information on file types for digital certificates, see File Names for Certificates and Keys.

ssl_verify_host Specifies whether the client should verify the server’s certificate. The values for this parameter are enabled or disabled. By default, this parameter is enabled, signifying the client should verify the server’s certificate.

When disabled, the client establishes secure communication with the server, but does not verify the server’s identity.

ssl_verify_hostname Specifies whether the client should verify the name in the CN field of the server’s certificate. The values for this parameter are enabled and disabled. By default, this parameter is enabled, signifying the client should verify the name of the connected host or the name specified in the ssl_expected_hostname parameter against the value in the server’s certificate. If the names do not match, the client rejects the connection.

When disabled, the client establishes secure communication with the server, but does not verify the server’s name.

ssl_expected_hostname The name the client expects in the CN field of the server’s certificate. If this parameter is not set, the expected name is the hostname of the server.

The value of this parameter is used when the ssl_verify_hostname parameter is enabled.

ssl_ciphers Specifies the cipher suites that the client can use.

Supply a colon-separated list of cipher names. Names may be either OpenSSL names, or longer descriptive names.

For more information, see Specify Cipher Suites.

ssl_auth_only Specifies whether SSL should be used to encrypt all server-client communications, or only client authentication.

When enabled, the client requests SSL be used only for authentication. The server then uses TCP communications for further data exchange. When disabled or absent, all communication between the client and server must be SSL encrypted.

For an overview of this feature, see SSL Authentication Only.