Enabling SSL for a TIBCO Enterprise Message Service Domain

Copyright © Cloud Software Group, Inc. All Rights Reserved.

Chapter 2 Machine Management and Domain Configuration : Enabling SSL for a TIBCO Enterprise Message Service Domain

Enabling SSL for a TIBCO Enterprise Message Service Domain

SSL is a protocol for transmitting encrypted data over the Internet or an internal network. SSL works by using public and private keys to encrypt data that is transferred over the SSL connection. See the TIBCO Enterprise Message Service User Guide for general information about the SSL protocol and specific information about file types for digital certificates.

For information about the properties required to use BouncyCastle as a security provider, see Creating a Domain that Uses a Database.

The following parameters are set when configuring SSL for a domain that uses an Enterprise Message Service server.

Table 10 Parameter Set for Configuring SSL

Do Not Verify Host

Specifies whether the client should verify the server’s certificate.

When cleared, the client should verify the server’s certificate. This is recommended.

When selected, the client establishes secure communication with the server, but does not verify the server’s identity.

Note: The value of this parameter is cleared for bcfips security vendor.

Trusted

List of CA certificates to trust as issuers of server certificates. Supply only CA root certificates.

Note: Trusted certificate is required for bcfips security vendor.

Identity

The client’s digital certificate. Supply a certificate in either PEM or PKCS#12 format.

You must also supply a private key file in the Private Key field if you supply a PEM-formatted certificate here.

Note: Identity file is required for bcfips security vendor.

Private Key

The name and location of the client’s private key file. This key must be in PKCS#8 format.

Password

Password for client’s private key.

Do Not Verify Hostname

Specifies whether the client should verify the name in the CN field of the server’s certificate.

When cleared, the client should verify the name of the connected host or the name specified in the Expected Hostname field against the value in the server’s certificate. If the names do not match, the connection is rejected.

When selected, the client establishes secure communication with the server, but does not verify the server’s name.

Note: The value of this parameter is cleared for bcfips security vendor.

Expected Hostname

The name the client expects in the CN field of the server’s certificate. If this parameter is not set, the expected name is the hostname of the server.

The value of this parameter must be provided when the Do Not Verify Hostname parameter is cleared.

Note: With bcfips as security vendor, since Do Not Verify Hostname is cleared, we must have to provide the Expected Hostname value.

Cipher Suite Names

Specifies the cipher suites that the client can use.

Supply a list of cipher names by clicking Add and selecting from the pull down menu that appears.

Remove an entry from the list by selecting the entry and clicking Remove.

Make an in place change to the list by selecting an entry and clicking Edit. Select a replacement entry from the pull down menu that appears.

For more information, see Specifying Cipher Suites in the TIBCO Enterprise Message Service User Guide.

Do Not Verify Host	Specifies whether the client should verify the server’s certificate. When cleared, the client should verify the server’s certificate. This is recommended. When selected, the client establishes secure communication with the server, but does not verify the server’s identity. Note: The value of this parameter is cleared for bcfips security vendor.
Trusted	List of CA certificates to trust as issuers of server certificates. Supply only CA root certificates. Note: Trusted certificate is required for bcfips security vendor.
Identity	The client’s digital certificate. Supply a certificate in either PEM or PKCS#12 format. You must also supply a private key file in the Private Key field if you supply a PEM-formatted certificate here. Note: Identity file is required for bcfips security vendor.
Private Key	The name and location of the client’s private key file. This key must be in PKCS#8 format.
Password	Password for client’s private key.
Do Not Verify Hostname	Specifies whether the client should verify the name in the CN field of the server’s certificate. When cleared, the client should verify the name of the connected host or the name specified in the Expected Hostname field against the value in the server’s certificate. If the names do not match, the connection is rejected. When selected, the client establishes secure communication with the server, but does not verify the server’s name. Note: The value of this parameter is cleared for bcfips security vendor.
Expected Hostname	The name the client expects in the CN field of the server’s certificate. If this parameter is not set, the expected name is the hostname of the server. The value of this parameter must be provided when the Do Not Verify Hostname parameter is cleared. Note: With bcfips as security vendor, since Do Not Verify Hostname is cleared, we must have to provide the Expected Hostname value.
Cipher Suite Names	Specifies the cipher suites that the client can use. Supply a list of cipher names by clicking Add and selecting from the pull down menu that appears. Remove an entry from the list by selecting the entry and clicking Remove. Make an in place change to the list by selecting an entry and clicking Edit. Select a replacement entry from the pull down menu that appears. For more information, see Specifying Cipher Suites in the TIBCO Enterprise Message Service User Guide.