Configuring EMS over SSL on Application Servers

To configure EMS over SSL, configure the application servers and then specify the values for the TIBCO EMS configuration properties in Configurator.

Procedure

  1. Configuring WebSphere Application Server
    1. Stop the application server.
    2. Copy the following JAR files from $EMS_HOME/lib to the $WAS_HOME/lib/ext folder:
      • slf4j-api-1.4.2.jar
      • slf4j-simple-1.4.2.jar
      • tibcrypt.jar
  2. Configuring JBoss WildFly Application Server
    1. Create a module named com.tibco.mdm in JBoss WildFly application server version 10.1.x. For more information on creating a module, see Module Creation.
    2. Copy the following JAR files from $EMS_HOME/lib into this module (inside the main directory):
      • slf4j-api-1.4.2.jar
      • slf4j-simple-1.4.2.jar
      • tibcrypt.jar
    3. Copy the following JAR files in this module. The JAR files are available in the classpath of the JBoss WildFly application server or in JAVA_HOME\jre\lib directory:
      • jsse.jar
      • jce.jar
    4. Update the module.xml file as follows:
      <module xmlns="urn:jboss:module:1.3" name="com.tibco.mdm">
        <resources>
          <resource-root path="tibcrypt.jar"/>
          <resource-root path="slf4j-api-1.4.2.jar"/>
          <resource-root path="slf4j-simple-1.4.2.jar"/>
          <!-- Add these two entries only if the JARs were copied into the module -->
          <resource-root path="jsse.jar"/>
          <resource-root path="jce.jar"/>
        </resources>
        <dependencies>
          <module name="javax.api" />
          <module name="javax.jms.api" />
          <module name="javax.resource.api" />
          <!-- These are required for EMS with SSL -->
          <system export="true">
            <paths>
              <path name="sun/security/ssl" />
              <path name="com/sun/net/ssl/internal/ssl" />
              <path name="sun/security/util" />
              <path name="sun/security/validator" />
              <path name="sun/security/provider" />
              <path name="javax/net/ssl" />
              <path name="sun/net/www/protocol/https" />
            </paths>
          </system>
        </dependencies>
      </module>
    5. Add the global module to the subsystem section <subsystem xmlns="urn:jboss:domain:ee:4.0"> in JBOSS_HOME/standalone/configuration/standalone.xml:
      <subsystem xmlns="urn:jboss:domain:ee:4.0">
        <global-modules>
          <module name="com.tibco.mdm" slot="main"/>
        </global-modules>
      </subsystem>

      OR

      Add a dependency to jboss-deployment-structure.xml in ECM.ear/META-INF, in the dependency section:

      <dependencies>
        <system export="true">
          <paths>
            <path name="com/sun/net/ssl/internal/ssl" />
          </paths>
        </system>
        <module name="com.tibco.mdm"/>
      </dependencies>
    6. Add the following to the JVM arguments in $JBOSS_HOME/bin/standalone.conf.bat:
      -Dcom.tibco.tibjms.ssl.enable_verify_host_name=false
      -Dcom.tibco.tibjms.ssl.enable_verify_host=true
      -Dcom.tibco.tibjms.ssl.expected_hostname=server
      -Dcom.tibco.tibjms.ssl.trusted=$EMS_HOME/samples/certs/server_root.cert.pem
  3. Configuring TIBCO MDM
    1. Log on to Configurator.
    2. Navigate to Queue Setup > Messaging Cluster > TIBCO EMS.
      Change the value of Localhost Server Connection String property to ssl://hostname:portno
    3. Navigate to Bus Setup > Cluster > TIBCO EMS.
      Change the value of Localhost Server Connection String property to ssl://hostname:portno
    4. Navigate to InitialConfig > Member1 > Security Provider > IBM.
      • Change the value of the SSL Protocol Handler Package property from com.ibm.net.ssl.internal.www.protocol to com.ibm.net.ssl.www2.protocol
      • Change the value of the SSL Provider property from com.ibm.jsse.JSSEProvider to com.ibm.jsse2.IBMJSSEProvider2
    5. Add the following to the JVM arguments:
      -Dcom.tibco.tibjms.naming.security_protocol=ssl
      -Djsse.providerClass=com.ibm.jsse2.IBMJSSEProvider2
      -Dcom.tibco.tibjms.ssl.expected_hostname=server
      -Dcom.tibco.tibjms.ssl.enable_verify_host_name=false
      -Dcom.tibco.tibjms.ssl.enable_verify_host=false
      -Dcom.tibco.tibjms.ssl.trusted=/local/vsadmin/server_root.cert.pem (you can copy this out-of-box certificate from the $EMS_HOME/samples/certs folder)
  4. Start the application server.
  5. Log on to TIBCO MDM.

    TIBCO MDM starts running on SSL.
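
The following check is an added example, not part of the TIBCO documentation. It parses a JVM option string such as the ones in steps 2.6 and 3.5 and reports the EMS SSL settings that leave the server unauthenticated. The function names and the sample string are constructed, and the check assumes that enable_verify_host controls verification of the server certificate and enable_verify_host_name controls the comparison of the certificate name with expected_hostname.

```python
import re

# Matches -Dname=value in a JVM option string or a standalone.conf(.bat) line.
JVM_PROP = re.compile(r'-D([A-Za-z0-9_.]+)=([^\s"]+)')
PREFIX = "com.tibco.tibjms.ssl."


def parse_jvm_props(text):
    """Return {property: value}; a repeated property keeps its last value."""
    return dict(JVM_PROP.findall(text))


def audit_ems_ssl(text):
    """Return (property, message) findings for the EMS SSL client settings."""
    props = parse_jvm_props(text)
    findings = []
    if props.get(PREFIX + "enable_verify_host", "").lower() == "false":
        findings.append(("enable_verify_host",
                         "server certificate is not verified"))
    if props.get(PREFIX + "enable_verify_host_name", "").lower() == "false":
        msg = "certificate name is not checked"
        if PREFIX + "expected_hostname" in props:
            msg += "; expected_hostname is set but has no effect"
        findings.append(("enable_verify_host_name", msg))
    trusted = props.get(PREFIX + "trusted", "").replace("\\", "/")
    # Heuristic (assumption): the path or file name of the sample certificate
    # that the page copies from $EMS_HOME/samples/certs.
    if "samples/certs/" in trusted or trusted.endswith("server_root.cert.pem"):
        findings.append(("trusted", "trust anchor is the EMS sample certificate"))
    return findings


# Constructed sample: the JVM arguments from step 3.5 as one option string.
STEP_3_5 = (
    "-Dcom.tibco.tibjms.naming.security_protocol=ssl "
    "-Djsse.providerClass=com.ibm.jsse2.IBMJSSEProvider2 "
    "-Dcom.tibco.tibjms.ssl.expected_hostname=server "
    "-Dcom.tibco.tibjms.ssl.enable_verify_host_name=false "
    "-Dcom.tibco.tibjms.ssl.enable_verify_host=false "
    "-Dcom.tibco.tibjms.ssl.trusted=/local/vsadmin/server_root.cert.pem"
)

if __name__ == "__main__":
    for prop, message in audit_ems_ssl(STEP_3_5):
        print(f"{prop}: {message}")
```

An empty result means both verification flags are enabled and the trust anchor is not the sample certificate; it does not validate the certificate file itself.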