Creating Subject Identity Resources

The Subject Identity Provider obtains private credentials from a credential store and makes them available for use.

The Subject Identity Provider requires the following:
  • A trust store for SSL client connections and signature verification.
  • A credential store for SSL server and SSL mutual authentication and for creating digital signatures.
  • A private keystore for creating digital signatures.

Prerequisites

Ensure that the TIBCO Enterprise Administrator server and the agent are running. Ensure that the agent is registered with the server. Ensure that the Keystore Credential Resource and the Login Credential Resource are configured.

Procedure

  1. Log in to TIBCO Enterprise Administrator.
  2. From the landing page, click the TIBCOSecurityServer card.
  3. Click Resource Manager Service.
  4. From the Subject Identity Resources pane, click create.
    Note: Alternatively, click Subject Identity Resources, and in the following page, click create.
  5. Provide the following details:
    Property                                Description
    name                                    Required. Name of the Subject Identity Provider.
    sslProtocol                             Optional. The name of the SSL protocol, such as TLSv1.
    sslProvider                             Optional. The name of the SSL provider.
    sslCipherStrength                       Optional. The cipher strength is the number of bits in the key used to encrypt data. The more bits in the key (the higher the cipher strength), the more possible keys there are and the longer it takes to break the encryption. The cipher strength should be at least 128 bits.
    sslExplicitCiphers                      Optional. Explicit ciphers are enabled when the SSL cipher class is set to Explicit Ciphers.
    sslHostName                             Optional. Name of the SSL host.
    sslVerifyHost                           Optional. Select this option to verify the SSL host.
    sslVendor                               Optional. Name of the SSL vendor.
    kerberosServiceProvider                 Optional. Name of the Kerberos Service Provider.
    kerberosServicePrincipalName            Optional. The name of a Kerberos client principal. Specify this information to gain access to the private key of the client principal.
    wssEncryptionAlgorithm                  Optional. The WSS encryption algorithm. By default, it is AES_128.
    wsskeyEncryptionAlgorithm               Optional. The WSS key encryption algorithm. By default, it is RSAOEP.
    wssBspCompliant                         Optional. Select this option to make the resource WSS Basic Security Profile (BSP) compliant.
    wssStrictTimestamp                      Optional. Select this option to enable WSS strict timestamp checking.
    wssTimeStampTimeToLive                  Optional. The time to live in seconds.
    wssTimeStampFutureTimeToLive            Optional. The future time to live in seconds.
    wssCertificateRevocationURL             Optional. The WSS certificate revocation URL.
    trustStoreServiceProvider               Required. The name of the keystore credential resource.
    enableTrustStoreAccess                  Required. By default, this option is enabled.
    sslExplicitlyTrustAllCAs                Optional. By default, this option is enabled.
    sslCertificateRevocationURL             Optional. The SSL certificate revocation URL.
    sslCertificateRevocationReloadInterval  Optional. The reload interval for the SSL certificate revocation data.
    IdentityServiceProvider                 Required. The name of the keystore credential resource.
    keyAlias                                Required. Name of the key alias. You can use the information captured by the Login Credential Resource.
    keyPassword                             Required. The key password. You can use the information captured by the Login Credential Resource.
    enableCredentialStoreAccess             Optional. Select this option to enable credential store access.
    sslClientAuth                           Optional. The SSL client authentication setting.
    wssEnableProtectToken                   Optional. Select this option to enable protected tokens. By default, this option is selected.
    kerberosPrincipal                       Optional. The name of a Kerberos client principal. Specify this information to gain access to the private key of the client principal.
    kerberosPrincipalPassword               Optional. The password of the Kerberos principal.
    wssSignatureAlgorithm                   Optional. The WSS signature algorithm. By default, it is RSA_SHA256.
    wssDigestAlgorithm                      Optional. The WSS digest algorithm. By default, it is SHA256.
    wssCanonAlgorithm                       Optional. The WSS canonicalization algorithm. By default, it is XML_EXC_C14N.
    wssTimetoLive                           Optional. The time to live in seconds.
  6. Click create to create a Subject Identity resource.
    Note: You can also create a Subject Identity resource using the Python scripts available under TIBCO_HOME\tea\agents\tss\<version>\samples\resourceManagerService\subject.
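The following pre-flight check is an added example, not one of the TIBCO sample scripts: it models the resource as a plain dict keyed by the property names from the table above, fills in the documented defaults, and reports the required properties that are missing and the settings that are weaker than the table allows before the create step is attempted. The warning on the unset revocation URL is an assumption about behaviour the page does not state.

```python
# Pre-flight validation of a Subject Identity resource definition.
# Added example (not TIBCO code); property names come from the table above.

REQUIRED = ("name", "trustStoreServiceProvider", "enableTrustStoreAccess",
            "IdentityServiceProvider", "keyAlias", "keyPassword")

# Defaults exactly as stated in the property table.
DEFAULTS = {
    "wssEncryptionAlgorithm": "AES_128",
    "wsskeyEncryptionAlgorithm": "RSAOEP",
    "wssSignatureAlgorithm": "RSA_SHA256",
    "wssDigestAlgorithm": "SHA256",
    "wssCanonAlgorithm": "XML_EXC_C14N",
    "enableTrustStoreAccess": True,
    "sslExplicitlyTrustAllCAs": True,
    "wssEnableProtectToken": True,
}

MIN_CIPHER_BITS = 128  # minimum cipher strength given in the table
TTL_KEYS = ("wssTimeStampTimeToLive", "wssTimeStampFutureTimeToLive", "wssTimetoLive")


def apply_defaults(config):
    """Return a copy of config with the documented defaults filled in."""
    merged = dict(DEFAULTS)
    merged.update(config)
    return merged


def validate_subject_identity(config):
    """Return (errors, warnings): errors block creation, warnings flag weak settings."""
    cfg = apply_defaults(config)
    errors, warnings = [], []
    for key in REQUIRED:
        if cfg.get(key) in (None, ""):
            errors.append(f"{key} is required")
    bits = cfg.get("sslCipherStrength")
    if bits is not None and int(bits) < MIN_CIPHER_BITS:
        errors.append(f"sslCipherStrength {bits} is below the {MIN_CIPHER_BITS}-bit minimum")
    for key in TTL_KEYS:
        ttl = cfg.get(key)
        if ttl is not None and (not isinstance(ttl, int) or ttl < 0):
            errors.append(f"{key} must be a non-negative number of seconds")
    if cfg["sslExplicitlyTrustAllCAs"]:
        warnings.append("sslExplicitlyTrustAllCAs is enabled (the default): "
                        "every CA in the trust store is trusted for SSL peers")
    if not cfg.get("sslCertificateRevocationURL"):
        # Assumption: with no URL configured, SSL revocation status is not consulted.
        warnings.append("sslCertificateRevocationURL is unset: SSL revocation is not checked")
    return errors, warnings
```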