Eliminating the TIBCO FTL Keystore (Authentication Only)
For TIBCO FTL 6.x configurations that used authentication but not TLS, you had to generate a TIBCO FTL keystore by running tibftlserver --init-auth-only, and then distribute the resulting TIBCO FTL keystore and trust files to the data directory of each TIBCO FTL server.
To continue running TIBCO FTL as you did for TIBCO FTL 6.x, do not take any action after upgrading.
In TIBCO FTL 7.x, the TIBCO FTL keystore is no longer required for authentication. Users who want to enable oauth2 authentication may optionally eliminate the TIBCO FTL keystore after upgrading to TIBCO FTL 7.x; for example, doing so allows the TIBCO FTL server to enforce oauth2 token expirations.
To eliminate the TIBCO FTL keystore, you must follow this procedure, because TIBCO FTL servers that have the TIBCO FTL keystore cannot communicate with TIBCO FTL servers that do not have it. This procedure requires a period during which all TIBCO FTL servers are shut down.
Procedure
- Upgrade all TIBCO FTL servers to TIBCO FTL 7.x. For more information, see Upgrading from Release 6.x.
- Upgrade all TIBCO FTL clients to TIBCO FTL 7.x. For more information, see Upgrading from Release 6.x.
- Save the state of all in-memory persistence clusters to preserve pending messages. For more information, see Saving and Loading Persistence State. If all persistence clusters use disk persistence, no action is needed.
- Shut down all TIBCO FTL servers, including TIBCO FTL servers at satellite or DR sites.
- For each TIBCO FTL server, remove ftl-tport.p12 and ftl-trust.pem from the data directory of the server.
- Restart all TIBCO FTL servers. Clients reconnect automatically.
Eliminating FTL-Generated Certificates (Authentication and TLS)
For TIBCO FTL 6.x configurations that used both authentication and TLS, you had to generate TIBCO FTL certificates by running tibftlserver --init-security, and then distribute the resulting TIBCO FTL keystore and trust files to the data directory of each TIBCO FTL server.
To continue running TIBCO FTL as you did for TIBCO FTL 6.x, do not take any action after upgrading.
In TIBCO FTL 7.x, FTL-generated certificates are no longer necessary for TLS. Users who want to control their own TLS certificates or enable oauth2 authentication may optionally eliminate FTL-generated certificates after upgrading to TIBCO FTL 7.x; for example, doing so allows the TIBCO FTL server to enforce oauth2 token expirations.
However, to eliminate FTL-generated certificates and provide your own, you must follow the procedure in this section, because TIBCO FTL servers that use FTL-generated certificates cannot communicate with TIBCO FTL servers that do not. This procedure requires a period during which all TIBCO FTL servers are shut down. Also note that with user-defined certificates, secure peer-to-peer transports are not permitted; only secure server-based transports are permitted (for example, persistence service or group service transports).
Procedure
- Ensure that no client applications are using secure peer-to-peer transports.
- Upgrade all TIBCO FTL servers to TIBCO FTL 7.x. For more information, see Upgrading from Release 6.x.
- Upgrade all TIBCO FTL clients to TIBCO FTL 7.x. For more information, see Upgrading from Release 6.x. When you restart each TIBCO FTL client at version 7.x, provide the trust certificates that correspond to the user-defined certificates that you plan to use later. Until the servers are switched over, clients must still be able to verify the FTL-generated server certificates, so the new trust certificates are added alongside the FTL-generated trust, not in place of it:
  - If the trust certificates are installed in the system trust store, install them before restarting the client.
  - If the trust certificates are passed to the client API as a PEM file, concatenate the trust certificates with the FTL-generated trust file (ftl-trust.pem) and pass the resulting combined PEM file to the client API.
- Save the state of all in-memory persistence clusters to preserve pending messages. For more information, see Configuring Persistence. If all persistence clusters use disk persistence, no action is needed.
- Shut down all TIBCO FTL servers, including TIBCO FTL servers at satellite or DR sites.
- For each TIBCO FTL server, remove ftl-tport.p12 and ftl-trust.pem from the data directory of the server, and make the following changes to the TIBCO FTL server yaml configuration file:
  - Remove tls.secure.
  - Add the user-defined certificates (tls.server.cert, tls.server.private.key, tls.server.private.key.password). Ensure that each certificate is appropriate for the specific TIBCO FTL server's hostname.
  - Add the trust certificates corresponding to the user-defined certificates (tls.client.trust.file). Alternatively, install them in the system trust store. For more information, see Enabling TLS for FTL Server.
- Restart all TIBCO FTL servers. Clients reconnect automatically by using the trust information provided earlier.
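The following POSIX shell helpers are an added example, not TIBCO tooling or code from this page. They cover the per-server file step shared by both procedures above (moving ftl-tport.p12 and ftl-trust.pem out of the data directory), the combined client trust file and the yaml changes from the TLS procedure, plus a pre-flight check that a user-defined certificate matches the server's hostname. Only the file names and the key names tls.secure, tls.server.cert, tls.server.private.key, tls.server.private.key.password and tls.client.trust.file come from the page; the function names, the backup directory, the sample paths, the eight-space indentation of the yaml fragment and the use of the openssl command-line tool are assumptions.

```shell
#!/bin/sh
# Added example; not TIBCO FTL tooling. Helpers for the keystore-elimination
# procedures. File names and YAML key names are from the documentation; paths,
# the backup layout and the YAML nesting are assumptions.
set -eu

# Move ftl-tport.p12 and ftl-trust.pem out of a server's data directory into a
# backup directory (the "For each TIBCO FTL server, remove ..." step of both
# procedures). Moving rather than deleting keeps a rollback path: if the
# restart fails, move the files back and the server behaves as it did in 6.x.
# Usage: retire_ftl_generated DATADIR BACKUPDIR
retire_ftl_generated() {
    datadir=$1
    backupdir=$2
    mkdir -p "$backupdir"
    for f in ftl-tport.p12 ftl-trust.pem; do
        if [ -f "$datadir/$f" ]; then
            mv "$datadir/$f" "$backupdir/$f"
        fi
    done
    # A server with either file still present would keep using the
    # FTL-generated material and could not talk to servers without it.
    [ ! -e "$datadir/ftl-tport.p12" ] && [ ! -e "$datadir/ftl-trust.pem" ]
}

# Concatenate the FTL-generated trust file with the CA certificate(s) behind
# the user-defined server certificates. Clients are restarted with this
# combined file before the servers switch over, so they can verify both the
# old FTL-generated server certificates and the new user-defined ones.
# Usage: build_combined_trust FTL_TRUST_PEM USER_CA_PEM OUT_PEM
build_combined_trust() {
    cat "$1" "$2" > "$3"
    # Every certificate from both inputs must have survived the concatenation.
    in1=$(grep -c 'BEGIN CERTIFICATE' "$1" || true)
    in2=$(grep -c 'BEGIN CERTIFICATE' "$2" || true)
    out=$(grep -c 'BEGIN CERTIFICATE' "$3" || true)
    [ "$out" -gt 0 ] && [ "$out" -eq $((in1 + in2)) ]
}

# Remove the tls.secure setting from a server's YAML configuration file while
# leaving every other line untouched.
# Usage: drop_tls_secure CONFIG_YAML
drop_tls_secure() {
    cfg=$1
    awk '!/^[ \t]*tls\.secure:/' "$cfg" > "$cfg.tmp" && mv "$cfg.tmp" "$cfg"
    ! grep -q '^[ \t]*tls\.secure:' "$cfg"
}

# Print the YAML lines for the user-defined certificates. The key names are
# from the documentation; the indentation assumes the keys go in the same
# block where tls.secure used to be and must be adjusted to the real file.
# Usage: tls_yaml_fragment CERT_PEM KEY_PEM KEY_PASSWORD TRUST_PEM
tls_yaml_fragment() {
    cat <<EOF
        tls.server.cert: $1
        tls.server.private.key: $2
        tls.server.private.key.password: $3
        tls.client.trust.file: $4
EOF
}

# Pre-flight check for a user-defined server certificate: it must chain to the
# trust file that clients were given, and its subject or SAN must match this
# server's hostname. Requires the openssl command-line tool.
# Usage: check_server_cert CERT_PEM TRUST_PEM HOSTNAME
check_server_cert() {
    openssl verify -CAfile "$2" "$1" >/dev/null &&
    openssl x509 -in "$1" -noout -checkhost "$3" | grep -q 'does match'
}
```

Order matters: build the combined trust file and restart the clients with it first, run check_server_cert for each server's certificate against the same trust file, and only after every server is shut down run retire_ftl_generated and drop_tls_secure on each one, merge the tls_yaml_fragment output, and restart.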