Chapter 3 Integrating With JBoss 4.0.2 : Modify the Example to use SSL Communications

Modify the Example to use SSL Communications
This section describes how to modify the above example to use SSL communications between the TIBCO Enterprise Message Service server, JBoss, and the client program. This section assumes you have already set up and run the example detailed in the previous sections.
Adding the SSL JAR Files to the CLASSPATH for the JBoss Server
Add the TIBCO tibcrypt.jar file to the CLASSPATH of the JBoss server by modifying the file %JBOSS_CONF%\jboss-service.xml as described below. Substitute an appropriate JAR file CLASSPATH for your installation.
Add the following line under the <server> element in %JBOSS_CONF%\jboss-service.xml:
<classpath codebase="file:/EMS_HOME\lib"
archives="tibcrypt.jar" />
Configuring the TIBCO Enterprise Message Service Server for SSL
1. Start tibemsd in the working directory EMS_HOME\bin as follows:
   tibemsd -config tibemsdssl.conf
When tibemsd starts you should see messages like the following in the console window, confirming SSL is enabled:
17:09:03 Secure Socket Layer is enabled, using OpenSSL 0.9.7c.
17:09:03 Accepting connections on tcp://localhost:7222.
17:09:03 Accepting connections on ssl://localhost:7243.
17:09:03 Server is active.
2. Start tibemsadmin (administration tool) and enter the following commands.
First, create a new XAQueueConnectionFactory that establishes SSL connections:
create factory SSLXAQueueConnectionFactory xaqueue url=ssl://7243
Second, disable host verification for connections that this connection factory creates:
setprop factory SSLXAQueueConnectionFactory ssl_verify_host=disabled
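This is the simplest SSL configuration: connections are encrypted, but with host verification disabled the client does not verify the identity of the server it connects to.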
Configuring JBoss for SSL-based JMS Communications
There are two aspects to SSL communications between JBoss and the TIBCO EMS server. The first is for messaging between the JBoss and TIBCO servers to occur over SSL. The second is for JNDI lookups from JBoss to the TIBCO JNDI provider to occur over SSL. The following two sections separately describe the required steps for each.
JMS Messaging over SSL
Modify the line you added to %JBOSS_DEPLOY%\jms\jms-ds.xml in the previous section (which specifies the QueueFactoryRef attribute of the JMS ProviderLoader) so that it names the new connection factory you just created (which establishes SSL connections):
<attribute name="QueueFactoryRef">
  SSLXAQueueConnectionFactory
</attribute>
JNDI Lookups over SSL
1. In the file %JBOSS_CONF%\jndi.properties, add the following lines:
com.tibco.tibjms.naming.security_protocol=ssl
com.tibco.tibjms.naming.ssl_enable_verify_host=false
These properties specify the SSL protocol for JNDI lookups, and disable host verification.
2. Add the following line in the JMSProviderLoader mbean in %JBOSS_DEPLOY%\jms\jms-ds.xml:
   <attribute name="ProviderUrl">
      tibjmsnaming://localhost:7243</attribute>
The new line creates an additional attribute, ProviderUrl, that explicitly states the JNDI provider URL (rather than using the default built into the TIBCO Enterprise Message Service JBoss adapter class) with a port number of 7243 for SSL. Note that attribute names are case sensitive and must be entered exactly as shown above.
Stop and restart the JBoss server
You should see the same messages in the JBoss console during startup that you saw in the previous section.
Adding the SSL JAR File to the CLASSPATH for the Client Program
The following JAR file, distributed with TIBCO Enterprise Message Service, must be added to the CLASSPATH of the client program, in the same manner that you added the non-SSL jar files to the CLASSPATH in the previous example:
tibcrypt.jar
Adding the SSL JNDI Properties for the Client Program
The following changes must be made to the file %JBOSS_CLIENT%\jndi.properties that you modified in the previous section for the client:
1. Modify the provider url property to specify the SSL port number, as follows:
java.naming.provider.url=tibjmsnaming://localhost:7243
2. Add the following lines:
   com.tibco.tibjms.naming.security_protocol=ssl
   com.tibco.tibjms.naming.ssl_enable_verify_host=false
These properties specify that the "SSL" protocol should be used for JNDI lookups, and that host verification is turned off (the client will trust any host).
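The following check is an added example, not part of the original TIBCO documentation: it audits a jndi.properties file for the three settings this section changes and reports when lookups are not on the SSL port or when host verification is off. The sample file is constructed, the default port 7243 is the one used on this page, and the function names are hypothetical.

```python
import re
from urllib.parse import urlsplit

PREFIX = "com.tibco.tibjms.naming."

# Constructed sample: the client jndi.properties as this section leaves it.
SAMPLE = """\
# client settings
java.naming.provider.url=tibjmsnaming://localhost:7243
com.tibco.tibjms.naming.security_protocol=ssl
com.tibco.tibjms.naming.ssl_enable_verify_host=false
"""

def parse_properties(text):
    """Read key/value pairs; handles comments and '=' or ':' separators only
    (no line continuations or escapes, which the lines on this page do not need)."""
    props = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(("#", "!")):
            continue
        parts = re.split(r"\s*[=:]\s*", line, maxsplit=1)
        props[parts[0]] = parts[1] if len(parts) == 2 else ""
    return props

def audit(text, ssl_port=7243):
    """Return (severity, key, message) findings for the SSL-related settings."""
    props = parse_properties(text)
    findings = []
    url_key = "java.naming.provider.url"
    try:
        port = urlsplit(props.get(url_key, "")).port
    except ValueError:  # malformed port in the URL
        port = None
    if port != ssl_port:
        findings.append(("FAIL", url_key, f"port {port} is not the SSL listener {ssl_port}"))
    proto = props.get(PREFIX + "security_protocol", "")
    if proto.lower() != "ssl":
        findings.append(("FAIL", PREFIX + "security_protocol", "JNDI lookups are not using SSL"))
    # Only an explicit 'false' is flagged; an absent key is left to the library default.
    if props.get(PREFIX + "ssl_enable_verify_host", "").lower() == "false":
        findings.append(("WARN", PREFIX + "ssl_enable_verify_host",
                         "host verification is off; the client will trust any host"))
    return findings

if __name__ == "__main__":
    for severity, key, message in audit(SAMPLE):
        print(f"{severity} {key}: {message}")
```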
Modify and Rebuild the Client
Modify the client program (SendRecvClient) to look up SSLXAQueueConnectionFactory instead of QueueConnectionFactory. Rebuild the program.
Re-Run the Client Program
Run the client program as you did in the previous section. You should see the same output.
To prove that SSL communications are occurring, stop the EMS server, then restart it without SSL:
    tibemsd -config tibemsd.conf
Then stop JBoss, then restart it. You should see the following exception in the JBoss console:
javax.jms.JMSException: Failed to connect to the server at
ssl://localhost:7243
If you now run the test program again, you should see that it throws the same exception. This shows that when the TIBCO Enterprise Message Service server was set up to accept SSL connections, both clients successfully connected and communicated using SSL.
Alternatively, you could start the TIBCO Enterprise Message Service server from a command prompt window and turn SSL debug tracing on, as follows:
> tibemsd -ssl_debug_trace
Then when you restart JBoss and re-run the client program, you will see SSL debugging output on the tibemsd console window.