Configuring SSL for Tomcat Components
You can configure SSL on a component to control whether its Tomcat server listens on HTTP or HTTPS. The Tomcat enabler included with Silver Fabric ships with a default keystore whose certificates are signed by the TIBCO certificate. Because those certificates are in the same certificate chain the Engines already trust, the Engines accept them without modification.
By default, the server keystore and server trust store are located at ${CATALINA_HOME}/conf/tomcat.keystore and ${CATALINA_HOME}/conf/tomcat.truststore. This allows all Silver Fabric components to trust the application server as well.
When broker-engine communication is over SSL, supply the Java SSL system properties before the engine starts. Go to Config > Engines and specify them as engine JVM command-line arguments, for example -Djavax.net.ssl.keyStore=yourKeystoreFile. The companion standard JSSE properties javax.net.ssl.keyStorePassword, javax.net.ssl.trustStore and javax.net.ssl.trustStorePassword are set the same way; the trust store is what the engine uses to validate the broker's certificate, so it must contain the broker's issuing CA.
- Configuring One-Way SSL
One-way SSL is the most common, standard implementation of SSL in client/server connections. In this mode, when a client connects, the server presents a signed certificate. The certificate can be self-signed or signed by a Certificate Authority (CA). The connection is established if the client validates the certificate (the signing CA is in the client's local trust store and the chain, validity period and host name check out), or if the client is explicitly configured to accept that particular self-signed certificate. Only the server is authenticated in this mode; the client remains anonymous at the TLS layer. A client configured to accept any self-signed certificate is not authenticating the server at all, so pin the specific certificate rather than disabling validation.
- Configuring Two-Way SSL
In two-way SSL, the Tomcat server additionally establishes trust in the connecting client by requesting a certificate from it, and accepts or rejects the connection based on its own trust store settings. The client must therefore hold a key pair whose certificate chains to a CA present in the server's trust store (by default ${CATALINA_HOME}/conf/tomcat.truststore); a client that presents no certificate, or one the server cannot validate, is rejected during the handshake.
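As an added example (not part of the original page or of the Silver Fabric product's own configuration), the two modes expressed as Tomcat HTTPS connectors in server.xml, using the default keystore and trust store paths given above. The ports, key alias and passwords are placeholders to be replaced with the values of your own keystore. The SSLHostConfig form assumes Tomcat 8.5 or later; older releases use the equivalent keystoreFile, truststoreFile and clientAuth attributes directly on the Connector.

```xml
<!-- Added example: Tomcat HTTPS connectors for one-way and two-way SSL.
     Keystore paths follow the Silver Fabric defaults; ports, alias and
     passwords are placeholders, not values from the product. -->

<!-- One-way SSL: the server presents its certificate; the client is not asked for one. -->
<Connector port="8443"
           protocol="org.apache.coyote.http11.Http11NioProtocol"
           SSLEnabled="true"
           maxThreads="150">
  <SSLHostConfig protocols="TLSv1.2+TLSv1.3"
                 certificateVerification="none">
    <Certificate certificateKeystoreFile="${catalina.home}/conf/tomcat.keystore"
                 certificateKeystorePassword="changeit"
                 certificateKeyAlias="tomcat"
                 type="RSA" />
  </SSLHostConfig>
</Connector>

<!-- Two-way SSL: same server certificate, but the client must present a certificate
     that chains to a CA in tomcat.truststore, otherwise the handshake is rejected.
     certificateVerification="optional" would request a client certificate without
     requiring one, which is useful for a staged rollout but not for enforcement. -->
<Connector port="8444"
           protocol="org.apache.coyote.http11.Http11NioProtocol"
           SSLEnabled="true"
           maxThreads="150">
  <SSLHostConfig protocols="TLSv1.2+TLSv1.3"
                 certificateVerification="required"
                 truststoreFile="${catalina.home}/conf/tomcat.truststore"
                 truststorePassword="changeit">
    <Certificate certificateKeystoreFile="${catalina.home}/conf/tomcat.keystore"
                 certificateKeystorePassword="changeit"
                 certificateKeyAlias="tomcat"
                 type="RSA" />
  </SSLHostConfig>
</Connector>
```

To confirm the two-way connector actually enforces client verification, connect with openssl s_client -connect host:8444 -CAfile ca.pem -cert client.pem -key client.key and then repeat the command without -cert and -key; the second attempt should fail the handshake. If it succeeds, the server is not requiring client certificates and the connector should be rechecked.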