Setting SSL Properties on the Agent

To enable SSL, you must set the SSL system properties on both the TIBCO Enterprise Administrator server and the Agent.

Refer to the SSL Properties section for details on the system properties to be set.

Procedure

  1. On the Agent, you can set the SSL system properties in one of the following ways:
    • Set the properties using the API.

      For example,

      server.setKeyStorePath("/tea/keystore/httpserversslkeys.jceks");
      server.setKeyStorePassword("password");
      server.setCertAlias("httpserver");
      server.setTrustStorePath("/tea/keystore/httpserverssltrusts.jceks");
      server.setTrustStorePassword("password");
      server.setKeyManagerPassword("password");
      server.setWantClientAuth(true);
      server.setNeedClientAuth(true);
        
      server.setHttpClientKeyStorePath("/tea/keystore/httpclientsslkeys.jceks");
      server.setHttpClientKeyStorePassword("password");
      server.setHttpClientCertAlias("httpclient");
      server.setHttpClientTrustStorePath("/tea/keystore/httpclientssltrusts.jceks");
      server.setHttpClientTrustStorePassword("password");
      server.setHttpClientKeyManagerPassword("password");
      
    • Create an SSLContext and inject it into the TIBCO Enterprise Administrator server using the Agent API.

      To do so:

      1. Create an SSLContext object. Follow the JDK documentation on the Oracle web site for instructions on how to do so.
      2. Use the SSLContext API to set the configuration properties into the SSLContext instance. Follow the JDK documentation on the Oracle web site for instructions on how to do so.
      3. Inject the SSLContext instance into the TEA Agent's HttpServer and HttpClient using one of the following APIs:
        public TeaAgentServer(final String name, final String version, final String agentinfo, final int port, final String contextPath, 
        final Boolean enableMetrics, final SSLContext sslContextForHttpServer, final SSLContext sslContextForHttpClient)

        or

        public TeaAgentServer(final String name, final String version, final String agentinfo, final String hostname, final int port, 
        final String contextPath, final Boolean enableMetrics, final SSLContext sslContextForHttpServer, final SSLContext sslContextForHttpClient)

        Note: If you do not specify the hostname parameter, as in the first constructor above, the hostname defaults to localhost.

        An example of using the first API above:

        final TeaAgentServer server = new TeaAgentServer("SSLTestAgent","1.1","Agent for SSL test",port,"/ssltestagent",true, 
        sslContextForServer, sslContextForClient);
        
    • Set the properties on the command line as Java system properties (-D options) when running the Agent.

      For example,

      -Dtea.agent.http.keystore="/Users/<username>/tea/keystore/httpserversslkeys.jceks" 
      -Dtea.agent.http.truststore="/Users/<username>/tea/keystore/httpserverssltrusts.jceks"
      -Dtea.agent.http.keystore.password="password"
      -Dtea.agent.http.truststore.password="password"
      -Dtea.agent.http.keymanager.password="password"
      -Dtea.agent.http.cert-alias="httpserver"
      -Dtea.agent.http.want.client.auth=true
      -Dtea.agent.http.need.client.auth=true
      -Dtea.agent.http.client.keystore="/Users/<username>/tea/keystore/httpclientsslkeys.jceks"
      -Dtea.agent.http.client.truststore="/Users/<username>/tea/keystore/httpclientssltrusts.jceks"
      -Dtea.agent.http.client.keystore.password="password"
      -Dtea.agent.http.client.truststore.password="password"
      -Dtea.agent.http.client.keymanager.password="password"
      -Dtea.agent.http.client.cert-alias="httpclient"
      
  2. Start the Agent. If you did not set the system properties using the API or create and inject an SSLContext, then make sure to start the Agent in SSL mode by setting the properties through the command line as shown in the example in the last bullet item above.
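
Steps 1 and 2 of the SSLContext option defer to the JDK documentation. The following added example (not TIBCO's code) shows one way to build the two contexts with standard JDK calls, using the JCEKS store paths and certificate aliases from this page. The class name AgentSslContexts, the helper names, the single shared password and the TEA_AGENT_STORE_PW environment variable are assumptions.

```java
import java.io.InputStream;
import java.nio.file.Files;
import java.nio.file.Paths;
import java.security.KeyStore;
import javax.net.ssl.KeyManagerFactory;
import javax.net.ssl.SSLContext;
import javax.net.ssl.TrustManagerFactory;

public class AgentSslContexts {
    // Load a JCEKS store; the store password also verifies the file's integrity.
    static KeyStore load(String path, char[] storePw) throws Exception {
        KeyStore ks = KeyStore.getInstance("JCEKS");
        try (InputStream in = Files.newInputStream(Paths.get(path))) {
            ks.load(in, storePw);
        }
        return ks;
    }

    // Key store = this side's identity; trust store = the peers it accepts.
    static SSLContext build(String keyPath, char[] storePw, char[] keyPw, String alias,
                            String trustPath, char[] trustPw) throws Exception {
        KeyStore keys = load(keyPath, storePw);
        // Fail at startup, not at the first handshake, if the alias holds no private key.
        if (!keys.isKeyEntry(alias)) throw new IllegalStateException("no private key: " + alias);
        KeyManagerFactory kmf = KeyManagerFactory.getInstance(KeyManagerFactory.getDefaultAlgorithm());
        kmf.init(keys, keyPw); // key-entry password, the "keymanager" password on this page
        TrustManagerFactory tmf = TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
        tmf.init(load(trustPath, trustPw));
        SSLContext ctx = SSLContext.getInstance("TLS");
        ctx.init(kmf.getKeyManagers(), tmf.getTrustManagers(), null); // null: default SecureRandom
        return ctx;
    }

    // Assumption: secrets arrive in an environment variable instead of source code.
    static char[] secret(String name) {
        String v = System.getenv(name);
        if (v == null) throw new IllegalStateException("missing environment variable " + name);
        return v.toCharArray();
    }

    public static void main(String[] args) throws Exception {
        char[] pw = secret("TEA_AGENT_STORE_PW"); // hypothetical variable name
        SSLContext sslContextForServer = build("/tea/keystore/httpserversslkeys.jceks", pw, pw,
                "httpserver", "/tea/keystore/httpserverssltrusts.jceks", pw);
        SSLContext sslContextForClient = build("/tea/keystore/httpclientsslkeys.jceks", pw, pw,
                "httpclient", "/tea/keystore/httpclientssltrusts.jceks", pw);
        // Next: pass both contexts to the TeaAgentServer constructor shown in step 3.
        System.out.println(sslContextForServer.getProtocol() + " / " + sslContextForClient.getProtocol());
    }
}
```

The JDK's default key manager selects a key by type rather than by alias, so the alias check here only confirms that the expected entry is present in the store.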