ESB Endpoint SSL Extensions Panel

You can create or modify ESB endpoint SSL extensions in the ESB Endpoint SSL Extensions panel.

Panel Layout

SXTP07S --------------- ESB Endpoint EMS SSL Extensions -----------------------
Command ===>

 ESB Id             ===> New-ESB1
 Use SSL            ===> N  (N/Y - Use SSL)
 Authorization Only ===> N  (N/Y - SSL Authorization only)

 Key Ring File      ===>
 Key Ring Label     ===>
 Cipher             ===>
 LDAP URL           ===>
   LDAP USERID      ===>
   LDAP PASSWORD    ===>
 Enable FIPS 140-2  ===> N  (N/Y)
 Enable Trace       ===> N  (N/Y)      Enable Debug Trace ===> N (N/Y)
 Enable TLS1.1      ===>    (N/Y)      Enable TLS1.2      ===>    (N/Y)
 Expected Host Name ===>
 Verify Host Name   ===> N  (Y/N)

Field Description

The following table lists the fields in the ESB Endpoint SSL Extensions panel:

ESB Id
    The name of the ESB endpoint these SSL settings belong to.

Use SSL
    Whether this ESB endpoint uses an SSL connection to the EMS server.
    Default value: N.

Authorization Only
    Whether this ESB connection uses SSL only for authentication. If set to Y, the EMS server's identity is established through the SSL handshake and the subsequent data transfer is not encrypted. This corresponds to the ssl_auth_only setting in the EMS server configuration (see the note at the end of this topic); both sides must be configured consistently.
    Default value: N.

Key Ring File
    The name of the Resource Access Control Facility (RACF) key ring that holds the endpoint's certificate and the CA certificates it trusts.

Key Ring Label
    The label of the certificate in that key ring that identifies this endpoint (the RACF identity name).

Cipher
    The IBM System SSL (GSK) cipher specification codes to offer, as two-hex-digit codes concatenated without separators and tried in the order given. For example: 35363738392F303132, which lists 35 (TLS_RSA_WITH_AES_256_CBC_SHA), 36 through 39 (the DH and DHE variants of AES-256), 2F (TLS_RSA_WITH_AES_128_CBC_SHA) and 30 through 32 (DH and DHE variants of AES-128).

LDAP URL
    The URL used to access the LDAP server.

LDAP USERID
    The user ID used to access the LDAP server.

LDAP PASSWORD
    If LDAP requires a password, enter the password. The password is stored with the endpoint definition, so restrict access to the definition accordingly.

Enable FIPS 140-2
    Specify Y(es) to run System SSL in FIPS 140-2 mode, or N(o) not to.
    Default value: N.

Enable Trace
    Specify Y(es) to turn on SSL Trace, or N(o) to disable it. Trace output can contain connection details; enable it only while diagnosing a problem.
    Default value: N.

Enable Debug Trace
    Specify Y(es) to turn on SSL Debug Trace, or N(o) to disable it.
    Default value: N.

Enable TLS1.1
    Specify Y(es) to allow TLS 1.1, or N(o) to disable it. TLS 1.1 is deprecated (RFC 8996); set this to N unless the EMS server cannot negotiate TLS 1.2.
    Default value: Y.

Enable TLS1.2
    Specify Y(es) to allow TLS 1.2, or N(o) to disable it.
    Default value: Y.

Expected Host Name
    The host name of the TIBCO Enterprise Message Service server that this endpoint connects to. Used when Verify Host Name is Y.

Verify Host Name
    If you specify Y(es), the name in the TIBCO Enterprise Message Service server's certificate is matched against the value in the Expected Host Name field. If N(o), the certificate's name is not checked, so any certificate issued by a trusted CA is accepted for any host.
    Default value: N.
Note: While the EMS server may accept connections from OpenSSL-based clients, Substation ES uses IBM System SSL (GSK), which can be more restrictive. In the EMS server configuration, add the CA certificate that issued the server certificate to the trusted list ("ssl_trusted_list") so the connection can be made, as in the following "ssl" block from a JSON-format EMS configuration (file names are placeholders). The "ssl_auth_only" setting in this block corresponds to the Authorization Only field on the panel.

"ssl": {
    "ssl_server_identity": "_public.pem",
    "ssl_issuer_list": [
        { "issuer": "_Root_CA2.pem" },
        { "issuer": "_Services_CA2.pem" }
    ],
    "ssl_use_cert_username": false,
    "ssl_rand_egd": null,
    "ssl_trusted_list": [
        { "trusted": "_Root_CA2.pem" }
    ],
    "ssl_auth_only": true,
    "ssl_dh_size": 2048,
    "ssl_require_client_cert": false,
    "ssl_password": "XXXXXXX",
    "ssl_server_key": "XXXX_private.pem",
    "ssl_cert_user_specname": null
},
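The following script is an added example, not Substation ES or EMS code, that checks the settings on this panel against the EMS server's "ssl" block: it decodes the Cipher field's two-hex-digit System SSL codes (names taken from the IANA cipher suite registry, which System SSL shares) and flags the settings a reviewer would question, such as Authorization Only, TLS 1.1 left at its default of Y, or Verify Host Name set to N. It assumes the panel values are supplied as a plain dict keyed by field name and that the EMS fragment is parsed as JSON after being wrapped in braces; the EMS fragment and both panel dicts below are constructed for the example.

```python
import json

# Two-hex-digit IBM System SSL cipher specification codes (the Cipher field's
# format) mapped to IANA cipher suite names; only the codes from the page's
# example value 35363738392F303132, plus 33, are listed (assumed list).
CIPHER_CODES = {
    "2F": "TLS_RSA_WITH_AES_128_CBC_SHA",
    "30": "TLS_DH_DSS_WITH_AES_128_CBC_SHA",
    "31": "TLS_DH_RSA_WITH_AES_128_CBC_SHA",
    "32": "TLS_DHE_DSS_WITH_AES_128_CBC_SHA",
    "33": "TLS_DHE_RSA_WITH_AES_128_CBC_SHA",
    "35": "TLS_RSA_WITH_AES_256_CBC_SHA",
    "36": "TLS_DH_DSS_WITH_AES_256_CBC_SHA",
    "37": "TLS_DH_RSA_WITH_AES_256_CBC_SHA",
    "38": "TLS_DHE_DSS_WITH_AES_256_CBC_SHA",
    "39": "TLS_DHE_RSA_WITH_AES_256_CBC_SHA",
}

# Constructed EMS server "ssl" fragment patterned after the one on this page;
# file names are placeholders, not a real deployment.
EMS_SSL_FRAGMENT = '''
"ssl": {
    "ssl_auth_only": true,
    "ssl_require_client_cert": false,
    "ssl_trusted_list": [ { "trusted": "Root_CA2.pem" } ]
},
'''


def parse_ems_ssl(fragment):
    """Parse a bare "ssl": {...} fragment (trailing comma allowed) into a dict."""
    return json.loads("{" + fragment.strip().rstrip(",") + "}")["ssl"]


def parse_cipher_field(value):
    """Split the Cipher field into (code, name) pairs in the order given.

    Codes are concatenated with no separator, so an odd length or a non-hex
    character means the field is malformed and is rejected.
    """
    value = value.strip().upper()
    if len(value) % 2 or any(c not in "0123456789ABCDEF" for c in value):
        raise ValueError("malformed cipher list: %r" % value)
    codes = [value[i:i + 2] for i in range(0, len(value), 2)]
    return [(c, CIPHER_CODES.get(c, "unknown")) for c in codes]


def lint_ssl_settings(panel, ems_ssl):
    """Return a list of findings for a panel/EMS pair; an empty list is clean."""
    def yes(field, default="N"):
        # A blank field takes the documented default for that field.
        return (panel.get(field, "").strip().upper() or default) == "Y"

    if not yes("Use SSL"):
        return ["Use SSL=N: the connection to the EMS server is not protected by SSL"]
    findings = []
    auth_only = yes("Authorization Only")
    if auth_only:
        findings.append("Authorization Only=Y: SSL only authenticates the EMS "
                        "server; message data is sent in the clear")
    if auth_only != bool(ems_ssl.get("ssl_auth_only", False)):
        findings.append("Authorization Only does not match the EMS server's "
                        "ssl_auth_only setting")
    if yes("Enable TLS1.1", default="Y"):   # page documents default Y
        findings.append("Enable TLS1.1=Y: TLS 1.1 is deprecated (RFC 8996)")
    if not yes("Enable TLS1.2", default="Y"):
        findings.append("Enable TLS1.2=N: TLS 1.2 cannot be negotiated")
    if yes("Verify Host Name"):
        if not panel.get("Expected Host Name", "").strip():
            findings.append("Verify Host Name=Y but Expected Host Name is blank")
    else:
        findings.append("Verify Host Name=N: the server certificate's name is not "
                        "checked, so any certificate from a trusted CA is accepted")
    for code, name in parse_cipher_field(panel.get("Cipher", "")):
        if name == "unknown":
            findings.append("Cipher code %s is not a recognised code" % code)
    if not ems_ssl.get("ssl_require_client_cert", False):
        findings.append("EMS ssl_require_client_cert=false: the endpoint is not "
                        "authenticated by a client certificate")
    return findings


# Panel values as they would be typed on SXTP07S; constructed for the example.
WEAK_PANEL = {
    "Use SSL": "Y", "Authorization Only": "Y", "Cipher": "35363738392F303132",
    "Enable TLS1.1": "", "Enable TLS1.2": "",
    "Expected Host Name": "", "Verify Host Name": "N",
}
HARDENED_PANEL = {
    "Use SSL": "Y", "Authorization Only": "N", "Cipher": "3935",
    "Enable TLS1.1": "N", "Enable TLS1.2": "Y",
    "Expected Host Name": "ems.example.com", "Verify Host Name": "Y",
}

if __name__ == "__main__":
    for finding in lint_ssl_settings(WEAK_PANEL, parse_ems_ssl(EMS_SSL_FRAGMENT)):
        print("-", finding)
```

Run against WEAK_PANEL and the constructed fragment, the lint reports four findings (authorization-only, TLS 1.1, host name not verified, no client certificate required); HARDENED_PANEL against a server with ssl_auth_only false and ssl_require_client_cert true reports none. The blank-means-default rule mirrors the panel, which shows the TLS fields empty while the text documents Y as their default.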