Configuring SSL for JBoss EAP Components
You can configure SSL on your component to specify whether the JBoss Server listens on HTTP or HTTPS. The JBoss enabler included with Silver Fabric uses a default keystore whose certificates have been signed by the TIBCO certificates. Because the certificates are in the same certificate chain, the Engines trust them without modification.
SSL can be enabled for communication between specific Silver Fabric components as follows:
By default, the locations of the server keystore and the server trust store are the same:
${CONTAINER_WORK_DIR}/sfjb6.keystore
Here, ${CONTAINER_WORK_DIR} is the Enabler's work directory, which by default is ${ENGINE_WORK_DIR}/fabric, but can be overridden by setting the workDir property in container.xml.
This allows for all Silver Fabric components to trust the application server as well.
When broker-engine communication is over SSL, provide Java SSL properties before the engine starts. Go to Config > Engines to specify Engine JVM command-line arguments. For example:
-Djavax.net.ssl.keyStore=yourKeystoreFile.
- Configuring One-Way SSL
One-way SSL is the most common, standard implementation of SSL in client/server connections. In this mode, when a client attempts to connect with the server, the server offers the client a signed certificate. This certificate can be self-signed or signed by a Certificate Authority (CA). The connection succeeds if the client configuration accepts self-signed certificates or when the client trusts the CA in its local trust store and validates the certificate.
- Configuring Two-Way SSL
In two-way SSL, the JBoss EAP server additionally tries to establish trust with the connecting client by requesting a certificate from the client, and either accepting or rejecting it based on its own trust settings.
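A keystore that is used to present a certificate, as a client does in two-way SSL, must contain a private-key entry whose certificate is currently valid. The following pre-flight check is an added example, not Silver Fabric or JBoss code; the class name KeystoreCheck is hypothetical, and it assumes the keystore password and type are supplied through the standard JSSE properties javax.net.ssl.keyStorePassword and javax.net.ssl.keyStoreType.

```java
import java.io.FileInputStream;
import java.io.InputStream;
import java.security.KeyStore;
import java.security.cert.Certificate;
import java.security.cert.X509Certificate;
import java.util.Collections;
import java.util.Date;

// Added example (hypothetical class): inspects the file named by -Djavax.net.ssl.keyStore.
public class KeystoreCheck {

    // True if the store holds at least one key entry whose X.509 certificate is valid at 'now'.
    static boolean hasUsableKeyEntry(KeyStore ks, Date now) throws Exception {
        boolean usable = false;
        for (String alias : Collections.list(ks.aliases())) {
            boolean isKey = ks.isKeyEntry(alias);
            Certificate c = ks.getCertificate(alias);
            if (!(c instanceof X509Certificate)) {
                System.out.printf("%-20s %s (no X.509 certificate)%n", alias, isKey ? "key" : "trusted");
                continue;
            }
            X509Certificate x = (X509Certificate) c;
            boolean valid = !now.before(x.getNotBefore()) && !now.after(x.getNotAfter());
            System.out.printf("%-20s %-8s subject=%s notAfter=%s%s%n", alias, isKey ? "key" : "trusted",
                    x.getSubjectX500Principal().getName(), x.getNotAfter(), valid ? "" : "  <-- NOT VALID NOW");
            if (isKey && valid) usable = true;
        }
        return usable;
    }

    public static void main(String[] args) throws Exception {
        String path = System.getProperty("javax.net.ssl.keyStore");
        if (path == null) {
            System.err.println("javax.net.ssl.keyStore is not set");
            System.exit(2);
        }
        String type = System.getProperty("javax.net.ssl.keyStoreType", KeyStore.getDefaultType());
        // Assumption: the password is passed the same way the JVM's default SSL context reads it.
        String pw = System.getProperty("javax.net.ssl.keyStorePassword", "");
        KeyStore ks = KeyStore.getInstance(type);
        try (InputStream in = new FileInputStream(path)) {
            ks.load(in, pw.toCharArray()); // throws if the file is unreadable or the password is wrong
        }
        boolean ok = hasUsableKeyEntry(ks, new Date());
        System.out.println(ok ? "OK: usable key entry found" : "FAIL: no valid key entry (trust-only store?)");
        System.exit(ok ? 0 : 1);
    }
}
```

Run it with the same -Djavax.net.ssl.keyStore value that is given to the Engine; exit status 0 means a usable key entry was found, 1 means the store can only act as a trust store or its certificate is outside its validity period.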
Copyright © Cloud Software Group, Inc. All rights reserved.