Configured SSL Authorization

TIBCO MFT Platform Server supports a proprietary extension to standard SSL or tunnel processing so that a system administrator can determine that certificates are either accepted or rejected.

You can configure SSL authorization using the sample authorization configuration file called SSLAuth.cfg. The SSLAuth.cfg file is by default located in the $CFROOT/config/ directory.

Note: The authorization configuration file checking is in addition to authorization SSL checking. This checking is performed only if a certificate is accepted by SSL.
Note: The SSLAuth.cfg file is compared against certificates received by TIBCO MFT Platform Server. The SSLAuth.cfg file is not used on an TIBCO MFT Platform Server client.
The components of a distinguished name (DN) of a certificate are compared to the parameters in the SSLAuth.cfg file to determine if a certificate is accepted or rejected.

If no SSLAuth.cfg file is defined, or a match is not found in the SSLAuth.cfg file, the request is then accepted. All requests contain a variety of parameters. If a parameter is not defined, then it is assumed that the parameter is a match.

The authorization file checking is performed in sequence. For example, if a certificate matches an early entry in the SSLAuth.cfg file, the authorization file checking stops matching any later entries.

Because the authorization file checking is processed with a "first-in, first-out" (FIFO) method, if you want to reject all checking requests unless all the certificates are defined by the SSLAuth.cfg file, insert the following statements as the last entry in the SSLAuth.cfg file:
ACCEPT
Accept an SSL request
REVOKE | REJECT
Do not accept an SSL request