Server SSL Communications Parameters

The following table lists parameters that are used only when performing SSL or tunnel transactions.

Parameter Name Description
SSLPort Defines an IP port on which TIBCO MFT Platform Server listens for incoming SSL requests.

The valid values are from 1024 to 65535, because lower ports are usually reserved for standard applications. The default value is 56565.

If the parameter is not defined, TIBCO MFT Platform Server does not listen for incoming SSL requests.

SSLPortIPv6 Defines an IPv6 port on which TIBCO MFT Platform Server listens for incoming SSL requests.

The valid values are N or any number ranging from 1024 to 65535, because lower ports are usually reserved for standard applications. If this parameter is not defined, then responder IPv6 SSL processing is disabled.

If non-SSL requests are received on this port, then an error message is sent to the initiator and the request is terminated.

This field must be different from the PortIPv6 parameter.

TunnelPort Defines an IP port on which TIBCO MFT Platform Server listens for incoming tunnel requests.

The valid values are from 1024 to 65535, because lower ports are usually reserved for standard applications. The default value is 58585.

TunnelPortIPv6 Defines an IPv6 port on which TIBCO MFT Platform Server listens for incoming tunnel requests.

The valid values are N or any number ranging from 1024 to 65535, because lower ports are usually reserved for standard applications. If this parameter is not defined, then responder IPv6 tunnel processing is disabled.

This field must be different from the PortIPv6 parameter.

ClientVerification Defines whether TIBCO MFT Platform Server performs SSL client authentication.
The valid values are:
  • N: the client certificate is not authenticated.
  • Y: the client certificate is authenticated. This is the default value.

For more information, see SSL Certificates Setup.

CertificateFileName Defines the path to the certificate file used for an SSL transfer.
Note: It has no default value. There are separate parameters for server and client, but the same file name can be used for both.

For more information, see SSL Certificates Setup.

PrivateKeyFileName Defines the path to the file with the private key that is associated with the SSL certificate.
Note: It has no default value. There are separate parameters for server and client, but the same file name can be used for both.

For more information, see SSL Certificates Setup.

PrivateKeyPwdFileName Defines the path to the file with the private key password.
It has no default value. To create this file, use the createPwd.exe file in the $CFROOT/util directory.
Note: If the same certificate is used for a TIBCO MFT Platform Server server and a TIBCO MFT Platform Server client, the same private key password can be used for the server and client as well.

For more information, see SSL Certificates Setup.

TrustedAuthorityFileName Defines the path to the file with trusted authority certificates.
It has no default value. Use this parameter to define all the certificate authorities that are accepted by both a TIBCO MFT Platform Server and a TIBCO MFT Platform Server client.
Note: There are separate parameters for server and client, but the same file name can be used for both.

For more information, see SSL Certificates Setup.

AuthorizationFileName Defines the path to the authorization file to be used with SSL transfers.

If this parameter is not defined or is set to N, TIBCO MFT Platform Server does not perform additional authentication of the client certificate. This parameter is only valid when ClientVerification is set to Y. A sample authorization file, SSLAuth.cfg, is located in the $CFROOT/config directory.

For more information on configuring this file, see Configured SSL Authorization.

SSLTraceLevel Defines whether tracing is turned on for an SSL transfer.
Usually, tracing only needs to be turned on at the request of TIBCO Support for troubleshooting purposes.
Note:
  • This parameter cannot be used within a transfer template.
  • When the SSLTraceLevel is used, the TraceSizeServer parameter must be defined.

SSLTracePath Defines the path to the SSL trace file.
The path of the SSL trace file is $CFROOT/trace/ResponderSSL under the SERVER section. Normally these files are only used when debugging SSL-related problems with TIBCO Support.
Note: This parameter cannot be used within a transfer template.

CheckCRL Defines whether TIBCO MFT Platform Server checks the CAPath field for the hashed CRL files.

For more information, see CRL Support.

CAPath Defines the path where the CRL checking looks for the hashed file names.

For more information, see CRL Support.

SSLEnabledProtocols Defines which SSL protocols are supported when the platform server runs as a responder.

The valid values are any combination of the following options: TLSV1,TLSV1.1,TLSV1.2. The default value is TLSV1,TLSV1.1,TLSV1.2. The comma means "and".

Ciphers Defines the cipher suites that can be used for TLS negotiation between the server and the client.

The default value is HIGH, which means that cipher suites with key lengths larger than 128 bits, and some cipher suites with 128-bit keys, can be used.

In addition, you can list all supported cipher suites separated by colons. You can list the ciphers that OpenSSL supports by using the openssl command.

Examples:

List TLS ciphers:

$CFROOT/util/openssl ciphers -tls1

List "high" encryption TLS cipher suites:

$CFROOT/util/openssl ciphers -tls1 HIGH
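
The constraints in the table above can be checked mechanically before a configuration is deployed. The following Python sketch is an added example, not TIBCO code: it assumes the parameters have already been read into a dictionary (the configuration file format is not described on this page), its function names are hypothetical, and its flagging of TLSV1 and TLSV1.1 as deprecated follows RFC 8996 rather than this page.

```python
# Assumption: parameters arrive as a dict of name -> value; the rules come from the table.
DEPRECATED_PROTOCOLS = {"TLSV1", "TLSV1.1"}  # deprecated by RFC 8996, not by this page

def _check_port(name, params, findings):
    """Validate one port parameter; return its integer value or None."""
    if name not in params:
        return None
    text = str(params[name]).strip()
    if name.endswith("IPv6") and text.upper() == "N":
        return None  # the table allows N for the IPv6 ports
    is_number = text.isascii() and text.isdigit()
    if not is_number or not 1024 <= int(text) <= 65535:
        findings.append(f"{name}: {text!r} is outside 1024-65535")
        return None
    return int(text)

def audit_ssl_params(params):
    """Return a list of findings for the SSL parameters in `params`."""
    findings = []
    names = ("SSLPort", "SSLPortIPv6", "TunnelPort", "TunnelPortIPv6")
    ports = {n: _check_port(n, params, findings) for n in names}
    plain_v6 = str(params.get("PortIPv6", "")).strip()
    for name in ("SSLPortIPv6", "TunnelPortIPv6"):
        if ports[name] is not None and str(ports[name]) == plain_v6:
            findings.append(f"{name}: must differ from PortIPv6")
    verify = str(params.get("ClientVerification", "Y")).strip().upper()  # default Y
    if verify == "N":
        findings.append("ClientVerification: client certificates are not authenticated")
    auth_file = str(params.get("AuthorizationFileName", "N")).strip()
    if auth_file.upper() != "N" and verify != "Y":
        findings.append("AuthorizationFileName: only valid when ClientVerification is Y")
    if "SSLTraceLevel" in params and "TraceSizeServer" not in params:
        findings.append("SSLTraceLevel: TraceSizeServer must also be defined")
    protocols = str(params.get("SSLEnabledProtocols", "TLSV1,TLSV1.1,TLSV1.2"))
    enabled = {p.strip().upper() for p in protocols.split(",") if p.strip()}
    for proto in sorted(enabled & DEPRECATED_PROTOCOLS):
        findings.append(f"SSLEnabledProtocols: {proto} is deprecated (RFC 8996)")
    return findings

# Constructed sample values, not taken from a real installation.
SAMPLE = {
    "SSLPort": "443", "SSLPortIPv6": "46464", "PortIPv6": "46464",
    "TunnelPortIPv6": "N", "ClientVerification": "N",
    "AuthorizationFileName": "$CFROOT/config/SSLAuth.cfg",
    "SSLTraceLevel": "<level>", "SSLEnabledProtocols": "TLSV1.1,TLSV1.2",
}

if __name__ == "__main__":
    for finding in audit_ssl_params(SAMPLE):
        print(finding)
```

An empty dictionary still yields two findings, because the documented default for SSLEnabledProtocols includes TLSV1 and TLSV1.1.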