Server SSL Communications Parameters

The following table lists parameters (in alphabetical order) that are only used when performing SSL or Tunnel transfers.

Parameter Name Description
AuthorizationFileName Defines the path to the authorization file to be used with SSL transfers.

If this parameter is not defined or is set to N, TIBCO MFT Platform Server does not perform additional authentication of the client certificate. This parameter is only valid when ClientVerification is set to Y. A sample authorization file, SSLAuth.cfg, is located in the $CFROOT/config directory.

For more information on configuring this file, see Configured SSL Authorization.

CAPath Defines the path where the CRL checking looks for the hashed file names.

For more information, see CRL Support.

CertificateFileName Defines the path to the certificate file used for an SSL or Tunnel transfer.

Note: It has no default value. There are separate parameters for server and client, but the same file name can be used for both.

For more information, see SSL Certificates Setup.

CheckCRL Defines whether TIBCO MFT Platform Server checks the path defined by CAPath for the hashed CRL files on incoming SSL or Tunnel requests.

For more information, see CRL Support.

Ciphers Defines the cipher suites that can be used for TLS negotiation between the server and the client.

The default value is HIGH, which means that cipher suites with key lengths larger than 128 bits, and some cipher suites with 128-bit keys, can be used.

Alternatively, you can specify a list of supported cipher suites separated by colons. You can list the ciphers supported by OpenSSL by using the openssl command.

Examples:

List TLS Ciphers:

$CFROOT/util/openssl ciphers -tls1

List "high" encryption TLS cipher suites:

$CFROOT/util/openssl ciphers -tls1 HIGH
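
Added example (not part of the TIBCO documentation): a shell function that reads the verbose listing printed by openssl ciphers -v and reports suites with no authentication, no encryption, a legacy cipher or an MD5 MAC, so that a Ciphers value can be reviewed before it is deployed. The names audit_ciphers and sample_listing and the sample listing itself are constructed for illustration; -v is a standard openssl ciphers option that this page does not show.

```shell
#!/bin/sh
# Added example: review the suites that a Ciphers value expands to.
# Against a real installation (path as given on this page):
#   "$CFROOT/util/openssl" ciphers -v 'HIGH' | audit_ciphers

# audit_ciphers (hypothetical name): reads lines in the format
#   NAME PROTO Kx=... Au=... Enc=... Mac=...
# on stdin, prints "NAME: reasons" for every weak suite and
# returns 1 if at least one weak suite was found, 0 otherwise.
audit_ciphers() {
    awk '
    {
        reason = ""
        for (i = 3; i <= NF; i++) {
            if ($i == "Au=None")  reason = reason " no-authentication"
            if ($i == "Enc=None") reason = reason " no-encryption"
            if ($i ~ /^Enc=(RC4|DES|3DES|RC2)[(]/) reason = reason " legacy-cipher"
            if ($i == "Mac=MD5")  reason = reason " md5-mac"
        }
        if (reason != "") { print $1 ":" reason; bad = 1 }
    }
    END { exit (bad ? 1 : 0) }
    '
}

# Constructed sample in the layout of `openssl ciphers -v` output;
# it is not captured from a TIBCO MFT Platform Server installation.
sample_listing() {
    cat <<'EOF'
ECDHE-RSA-AES256-GCM-SHA384 TLSv1.2 Kx=ECDH Au=RSA  Enc=AESGCM(256) Mac=AEAD
AES256-SHA                  SSLv3   Kx=RSA  Au=RSA  Enc=AES(256)    Mac=SHA1
ADH-AES256-SHA              SSLv3   Kx=DH   Au=None Enc=AES(256)    Mac=SHA1
DES-CBC3-SHA                SSLv3   Kx=RSA  Au=RSA  Enc=3DES(168)   Mac=SHA1
RC4-MD5                     SSLv3   Kx=RSA  Au=RSA  Enc=RC4(128)    Mac=MD5
EOF
}

# Demo run: prints the three weak suites in the constructed sample.
sample_listing | audit_ciphers || echo "weak suites present: tighten the Ciphers value"
```

Suites reported here can be excluded from a colon-separated Ciphers list with standard OpenSSL cipher-string syntax such as HIGH:!aNULL:!MD5.
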

ClientVerification Defines whether TIBCO MFT Platform Server performs SSL client authentication.

The valid values are:

  • N: the client certificate is not authenticated.
  • Y: the client certificate is authenticated. This is the default value.

For more information, see SSL Certificates Setup.

PrivateKeyFileName Defines the path to the file with the private key that is associated with the SSL certificate.

Note: It has no default value. There are separate parameters for server and client, but the same file name can be used for both.

For more information, see SSL Certificates Setup.

PrivateKeyPwdFileName Defines the path to the file with the private key password.

It has no default value. To create this file, use the createPwd.exe file in the $CFROOT/util directory.

Note: If the same certificate is used for a TIBCO MFT Platform Server server and a TIBCO MFT Platform Server client, the same private key password can be used for the server and client as well.

For more information, see SSL Certificates Setup.

SSLEnabledProtocols Defines which SSL protocols are supported when the platform server runs as a responder.

The valid values are any combination of the following options:

TLSV1,TLSV1.1,TLSV1.2. The default value is TLSV1,TLSV1.1,TLSV1.2. The comma means "and".

SSLPort Defines the IP port on which TIBCO MFT Platform Server listens for incoming SSL requests.

The valid values are from 1024 to 65535, because lower ports are usually reserved for standard applications. The default value is 56565.

SSLPortIPv6 Defines the IPv6 port on which TIBCO MFT Platform Server listens for incoming SSL requests.

The valid values are N or any number ranging from 1024 to 65535, because lower ports are usually reserved for standard applications. If this parameter is not defined, then responder IPv6 SSL processing is disabled.

If non-SSL requests are received on this port, then an error message is sent to the initiator and the request is terminated.

This field must be different from the PortIPv6 parameter.

SSLTraceLevel Defines whether tracing is turned on for an SSL transfer.

Tracing usually needs to be turned on only at the request of TIBCO Support for troubleshooting purposes.

SSLTracePath Defines the path to the SSL trace file.

The path of the SSL trace file is $CFROOT/trace/ResponderSSL under the SERVER section. Normally these files are only used when debugging SSL-related problems.

TrustedAuthorityFileName Defines the path to the file with trusted authority certificates.

It has no default value. Use this parameter to define all the certificate authorities that are accepted by both a TIBCO MFT Platform Server server and a TIBCO MFT Platform Server client.

Note: There are separate parameters for server and client, but the same file name can be used for both.

For more information, see SSL Certificates Setup.

TunnelPort Defines the IP port on which TIBCO MFT Platform Server listens for incoming tunnel requests.

The valid values are from 1024 to 65535, because lower ports are usually reserved for standard applications. The default value is 58585.

TunnelPortIPv6 Defines the IPv6 port on which TIBCO MFT Platform Server listens for incoming tunnel requests.

The valid values are N or any number ranging from 1024 to 65535, because lower ports are usually reserved for standard applications. If this parameter is not defined, then responder IPv6 tunnel processing is disabled.

This field must be different from the PortIPv6 parameter.