SSL Properties
When configuring SSL on the TIBCO Enterprise Administrator, you need to set some properties on both the TIBCO Enterprise Administrator server and the Agent.
Property | Description |
---|---|
Properties for the HttpServer on the TIBCO Enterprise Administrator server | |
tea.http.keystore | The file name or URL of the key store location. For example: tea.http.keystore = "/Users/<username>/tea/keystore/httpserversslkeys.jceks" |
tea.http.keystore-password | Password for the key store residing on the TIBCO Enterprise Administrator server. This is the password that was set when the key store was created. For example: tea.http.keystore-password = "MyPassword" |
tea.http.cert-alias | Alias for the SSL certificate. The certificate can be identified by this alias in case there are multiple certificates in the trust store. For example: tea.http.cert-alias = "httpserver" |
tea.http.key-manager-password | The password for the specific key within the key store. This is the password that was set when the key pair was created. For example: tea.http.key-manager-password = "password" |
tea.http.truststore | The file name or URL of the trust store location. For example: tea.http.truststore = "/Users/<username>/tea/keystore/httpserverssltrusts.jceks" |
tea.http.truststore-password | The password for the trust store. For example: tea.http.truststore-password = "password" |
tea.http.want.client.auth | See the section Guidelines to set the tea.http.want.client.auth and tea.http.need.client.auth Parameters below. This property is used for mutual authentication. For example: tea.http.want.client.auth = true |
tea.http.need.client.auth | See the section Guidelines to set the tea.http.want.client.auth and tea.http.need.client.auth Parameters below. This property is used for mutual authentication. For example: tea.http.need.client.auth = true |
tea.http.exclude.protocols | Lists the protocols to be excluded. To exclude multiple protocols, use a comma as the delimiter. For example: tea.http.exclude.protocols="SSLv3,TLS1". If the property is not set, the SSLv3 protocol is excluded. If the TIBCO Enterprise Administrator server must support all protocols including SSLv3, set the property to be empty. For example: tea.http.exclude.protocols="". Attention: When connecting using HTTPS, some versions of popular browsers may be configured to use SSLv3 as the protocol. If you have problems accessing the secured TIBCO Enterprise Administrator server (SSLv3 is disabled by default) from the browser, follow the browser's user guide to configure that browser to exclude the SSLv3 protocol. |
Properties for the HttpClient on the TIBCO Enterprise Administrator server (only required if you want to set up a two-way SSL configuration) | |
tea.http.client.keystore | The file name or URL of the key store location. For example: tea.http.client.keystore = "/Users/<username>/tea/keystore/httpclientsslkeys.jceks" |
tea.http.client.keystore-password | The password for the key store residing on the client (Agent). For example: tea.http.client.keystore-password = "password" |
tea.http.client.cert-alias | Alias for the SSL certificate. The certificate can be identified by this alias in case there are multiple certificates in the trust store. For example: tea.http.client.cert-alias = "httpclient" |
tea.http.client.key-manager-password | The password for the specific key within the key store. For example: tea.http.client.key-manager-password = "password" |
tea.http.client.truststore | The file name or URL of the trust store location. For example: tea.http.client.truststore = "/Users/<username>/tea/keystore/httpclientssltrusts.jceks" |
tea.http.client.truststore-password | The password for the trust store. For example: tea.http.client.truststore-password = "password" |
tea.http.client.exclude.protocols | Lists the protocols to be excluded. To exclude multiple protocols, use a comma as the delimiter. For example: tea.http.client.exclude.protocols="SSLv3,TLS1". If the property is not set, the SSLv3 protocol is excluded. If the TIBCO Enterprise Administrator server must support all protocols including SSLv3, set the property to be empty. For example: tea.http.client.exclude.protocols="". Attention: When connecting using HTTPS, some versions of popular browsers may be configured to use SSLv3 as the protocol. If you have problems accessing the secured TIBCO Enterprise Administrator server (SSLv3 is disabled by default) from the browser, follow the browser's user guide to configure that browser to exclude the SSLv3 protocol. |
Property | Description |
---|---|
Properties for the HttpServer on the Agent | |
tea.agent.http.keystore | The file name or URL of the key store location. For example: tea.agent.http.keystore = "/Users/<username>/tea/keystore/httpserversslkeys.jceks" |
tea.agent.http.keystore.password | Password for the key store residing on the Agent. This is the password that was set when the key store was created. For example: tea.agent.http.keystore.password = "MyPassword" |
tea.agent.http.cert.alias | Alias for the SSL certificate. The certificate can be identified by this alias in case there are multiple certificates in the trust store. For example: tea.agent.http.cert.alias = "httpserver" |
tea.agent.http.keymanager.password | The password for the specific key within the key store. This is the password that was set when the key pair was created. For example: tea.agent.http.keymanager.password = "password" |
tea.agent.http.truststore | The file name or URL of the trust store location. For example: tea.agent.http.truststore = "/Users/<username>/tea/keystore/httpserverssltrusts.jceks" |
tea.agent.http.truststore.password | The password for the trust store. For example: tea.agent.http.truststore.password = "password" |
tea.agent.http.want.client.auth | See the section Guidelines to set the tea.http.want.client.auth and tea.http.need.client.auth Parameters below. This property is used for mutual authentication. For example: tea.agent.http.want.client.auth = true |
tea.agent.http.need.client.auth | See the section Guidelines to set the tea.http.want.client.auth and tea.http.need.client.auth Parameters below. This property is used for mutual authentication. For example: tea.agent.http.need.client.auth = true |
tea.agent.http.exclude.protocols | Lists the protocols to be excluded. To exclude multiple protocols, use a comma as the delimiter. For example: tea.agent.http.exclude.protocols="SSLv3,TLS1". If the property is not set, either using system properties or using the Agent Server API, the SSLv3 protocol is excluded. If the TIBCO Enterprise Administrator Agent must support all protocols including SSLv3, set the property to be empty. For example: tea.agent.http.exclude.protocols="". Attention: When connecting using HTTPS, some versions of popular browsers may be configured to use SSLv3 as the protocol. If you have problems accessing the secured TIBCO Enterprise Administrator server (SSLv3 is disabled by default) from the browser, follow the browser's user guide to configure that browser to exclude the SSLv3 protocol. |
Properties for the HttpClient on the Agent (only required if you want to set up a two-way SSL configuration) | |
tea.agent.http.client.keystore | The file name or URL of the key store location. For example: tea.agent.http.client.keystore = "/Users/<username>/tea/keystore/httpclientsslkeys.jceks" |
tea.agent.http.client.keystore.password | The password for the key store residing on the client (Agent). For example: tea.agent.http.client.keystore.password = "password" |
tea.agent.http.client.cert.alias | Alias for the SSL certificate. The certificate can be identified by this alias in case there are multiple certificates in the trust store. For example: tea.agent.http.client.cert.alias = "httpclient" |
tea.agent.http.client.keymanager.password | The password for the specific key within the key store. For example: tea.agent.http.client.keymanager.password = "password" |
tea.agent.http.client.truststore | The file name or URL of the trust store location. For example: tea.agent.http.client.truststore = "/Users/<username>/tea/keystore/httpclientssltrusts.jceks" |
tea.agent.http.client.truststore.password | The password for the trust store. For example: tea.agent.http.client.truststore.password = "password" |
tea.agent.http.client.exclude.protocols | Lists the protocols to be excluded. To exclude multiple protocols, use a comma as the delimiter. For example: tea.agent.http.client.exclude.protocols="SSLv3,TLS1". If the property is not set, either using system properties or using the Agent Server API, the SSLv3 protocol is excluded. If the TIBCO Enterprise Administrator Agent must support all protocols including SSLv3, set the property to be empty. For example: tea.agent.http.client.exclude.protocols="". Attention: When connecting using HTTPS, some versions of popular browsers may be configured to use SSLv3 as the protocol. If you have problems accessing the secured TIBCO Enterprise Administrator server (SSLv3 is disabled by default) from the browser, follow the browser's user guide to configure that browser to exclude the SSLv3 protocol. |
Guidelines to set the tea.http.want.client.auth and tea.http.need.client.auth Parameters
Here are some guidelines for setting these parameters depending on the scenario you want to implement:
For this type of authentication... | setting the parameters in this combination... | will result in... |
---|---|---|
Certificate-based two-way authentication | http.want.client.auth = true, http.need.client.auth = false | The TEA server asks the client (web browser or Agent) to provide its client certificate during the handshake. If the client chooses not to provide authentication information about itself, the authentication process still continues. The client certificate is therefore optional, which in turn means that no certificate needs to be generated on the client. End result: the authentication process is successful. |
 | http.want.client.auth = false, http.need.client.auth = true | The TEA server asks the client (web browser or Agent) to provide its client certificate during the handshake. If the client chooses not to provide authentication information about itself, the authentication process stops. The client certificate is therefore required, which in turn means that a key pair and certificate must be generated on the client (Agent). End result: the authentication process fails. |
 | http.want.client.auth = true, http.need.client.auth = true | Same as the case above: the client certificate is required, and a key pair and certificate must be generated on the client (Agent). End result: the authentication process fails. |
Certificate-based one-way authentication | http.want.client.auth = false, http.need.client.auth = false | Both parameters set to 'false' means one-way authentication: only the client (web browser or Agent) verifies the TEA server, while the TEA server trusts all clients without verification. No client certificates need to be generated at all. End result: the authentication process is successful, as long as the user name and password provided by the Agent are both correct. |
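As an added example that is not part of the TIBCO documentation or product, the following Python script checks a TEA-style properties file against the rules in the property tables and the guidelines above: the documented default that an unset exclude.protocols property excludes SSLv3 while an empty value re-enables it, and the want/need combinations that decide whether a client certificate is optional, required or not requested. The property names are the ones documented on this page; the sample property values, the audit() checks and their messages are assumptions constructed for this example.

```python
"""Audit TEA SSL properties against the rules documented on this page.

Added example, not TIBCO code. Property names come from the tables above;
the sample values, the audit() checks and their messages are constructed.
"""
from typing import Dict, List

# Constructed sample: HttpServer on the TEA server, two-way SSL with a
# required client certificate, SSLv3 and TLS1 excluded. Placeholder values.
SAMPLE_SERVER_PROPS = """
# HttpServer on the TIBCO Enterprise Administrator server
tea.http.keystore = "/opt/tea/keystore/httpserversslkeys.jceks"
tea.http.keystore-password = "MyPassword"
tea.http.cert-alias = "httpserver"
tea.http.key-manager-password = "password"
tea.http.truststore = "/opt/tea/keystore/httpserverssltrusts.jceks"
tea.http.truststore-password = "password"
tea.http.want.client.auth = true
tea.http.need.client.auth = true
tea.http.exclude.protocols = "SSLv3,TLS1"
"""

# Constructed sample of a weak configuration: the empty value re-enables
# SSLv3 (see the exclude.protocols rows) and no trust store is configured.
SAMPLE_WEAK_PROPS = """
tea.http.keystore = "/opt/tea/keystore/httpserversslkeys.jceks"
tea.http.keystore-password = "MyPassword"
tea.http.exclude.protocols = ""
"""


def parse_properties(text: str) -> Dict[str, str]:
    """Parse 'key = value' lines. Surrounding quotes (as in the documented
    examples) are stripped; '#' and '!' comment lines are skipped."""
    props: Dict[str, str] = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#!" or "=" not in line:
            continue
        key, _, value = line.partition("=")
        value = value.strip()
        if len(value) >= 2 and value[0] == value[-1] and value[0] in "\"'":
            value = value[1:-1]
        props[key.strip()] = value
    return props


def excluded_protocols(props: Dict[str, str], prefix: str) -> List[str]:
    """Protocols excluded by <prefix>.exclude.protocols, applying the
    documented default: unset -> SSLv3 excluded, empty -> nothing excluded."""
    key = f"{prefix}.exclude.protocols"
    if key not in props:
        return ["SSLv3"]
    return [p.strip() for p in props[key].split(",") if p.strip()]


def client_auth_mode(props: Dict[str, str], prefix: str) -> str:
    """Classify the want/need combination as in the guidelines table:
    need=true -> 'required', want=true alone -> 'optional', else 'none'."""
    want = props.get(f"{prefix}.want.client.auth", "false").strip().lower() == "true"
    need = props.get(f"{prefix}.need.client.auth", "false").strip().lower() == "true"
    if need:
        return "required"
    if want:
        return "optional"
    return "none"


def audit(props: Dict[str, str], prefix: str) -> List[str]:
    """Findings for one HttpServer/HttpClient prefix such as 'tea.http',
    'tea.http.client' or 'tea.agent.http'. An empty list means nothing flagged."""
    findings: List[str] = []
    excluded = {p.upper() for p in excluded_protocols(props, prefix)}
    if "SSLV3" not in excluded:
        findings.append(f"{prefix}.exclude.protocols leaves SSLv3 enabled")
    for suffix in ("keystore", "truststore"):
        if f"{prefix}.{suffix}" not in props:
            findings.append(f"{prefix}.{suffix} is not set")
    if client_auth_mode(props, prefix) != "none" and f"{prefix}.truststore" not in props:
        findings.append(f"{prefix} requests client certificates but has no trust store to verify them")
    return findings


if __name__ == "__main__":
    for label, text in (("server", SAMPLE_SERVER_PROPS), ("weak", SAMPLE_WEAK_PROPS)):
        parsed = parse_properties(text)
        print(label, client_auth_mode(parsed, "tea.http"), audit(parsed, "tea.http"))
```

Run the script against your own properties file by replacing the constructed samples; pass the prefix of the component you are checking (tea.http, tea.http.client, tea.agent.http or tea.agent.http.client) so the same checks apply to both the server and the Agent.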