SSL Properties

When configuring SSL on the TIBCO Enterprise Administrator, you need to set properties on both the TIBCO Enterprise Administrator server and the Agent.

Note: Setting the HttpClient properties on both the Agent and the TIBCO Enterprise Administrator server is mandatory only if you want to set up a two-way SSL configuration. You do not need to set the HttpClient properties if you want to set up a one-way SSL configuration or do not want to set up SSL at all. If you do not set the HttpClient properties on the Agent and the TIBCO Enterprise Administrator server, the HttpClients residing on both of them are configured to "Trust All", that is, they do not verify the certificate presented by the peer.

To enable SSL on the TIBCO Enterprise Administrator server, set these properties for the HttpServer and HttpClient residing on the TIBCO Enterprise Administrator server:
TIBCO Enterprise Administrator Server Properties

Properties for the HttpServer on the TIBCO Enterprise Administrator server

tea.http.keystore
    The file name or URL of the key store location.
    For example: tea.http.keystore = "/Users/<username>/tea/keystore/httpserversslkeys.jceks"

tea.http.keystore-password
    Password for the key store residing on the TIBCO Enterprise Administrator server. This is the password that was set when the key store was created.
    For example: tea.http.keystore-password = "MyPassword"

tea.http.cert-alias
    Alias for the SSL certificate. The certificate can be identified by this alias in case there are multiple certificates in the trust store.
    For example: tea.http.cert-alias = "httpserver"

tea.http.key-manager-password
    The password for the specific key within the key store. This is the password that was set when the key pair was created.
    For example: tea.http.key-manager-password = "password"

tea.http.truststore
    The file name or URL of the trust store location.
    For example: tea.http.truststore = "/Users/<username>/tea/keystore/httpserverssltrusts.jceks"

tea.http.truststore-password
    The password for the trust store.
    For example: tea.http.truststore-password = "password"

tea.http.want.client.auth
    Used for mutual authentication. See the section "Guidelines to set the tea.http.want.client.auth and tea.http.need.client.auth Parameters" below.
    For example: tea.http.want.client.auth = true

tea.http.need.client.auth
    Used for mutual authentication. See the section "Guidelines to set the tea.http.want.client.auth and tea.http.need.client.auth Parameters" below.
    For example: tea.http.need.client.auth = true

tea.http.exclude.protocols
    Lists the protocols to be excluded. To exclude multiple protocols, use a comma as the delimiter.
    For example: tea.http.exclude.protocols="SSLv3,TLS1"
    If the property is not set, the SSLv3 protocol is excluded. If the TIBCO Enterprise Administrator server must support all protocols including SSLv3, set the property to an empty value.
    For example: tea.http.exclude.protocols=""
    Attention: When connecting using HTTPS, some versions of popular browsers may be configured to use SSLv3 as the protocol. If you have problems accessing the secured TIBCO Enterprise Administrator server (SSLv3 is disabled by default) from a browser, follow the browser's user guide to configure that browser to exclude the SSLv3 protocol.
Properties for the HttpClient on the TIBCO Enterprise Administrator server

Only required if you want to set up a two-way SSL configuration.

tea.http.client.keystore
    The file name or URL of the key store location.
    For example: tea.http.client.keystore = "/Users/<username>/tea/keystore/httpclientsslkeys.jceks"

tea.http.client.keystore-password
    The password for the key store residing on the client (Agent).
    For example: tea.http.client.keystore-password = "password"

tea.http.client.cert-alias
    Alias for the SSL certificate. The certificate can be identified by this alias in case there are multiple certificates in the trust store.
    For example: tea.http.client.cert-alias = "httpclient"

tea.http.client.key-manager-password
    The password for the specific key within the key store.
    For example: tea.http.client.key-manager-password = "password"

tea.http.client.truststore
    The file name or URL of the trust store location.
    For example: tea.http.client.truststore = "/Users/<username>/tea/keystore/httpclientssltrusts.jceks"

tea.http.client.truststore-password
    The password for the trust store.
    For example: tea.http.client.truststore-password = "password"

tea.http.client.exclude.protocols
    Lists the protocols to be excluded. To exclude multiple protocols, use a comma as the delimiter.
    For example: tea.http.client.exclude.protocols="SSLv3,TLS1"
    If the property is not set, the SSLv3 protocol is excluded. If the TIBCO Enterprise Administrator server must support all protocols including SSLv3, set the property to an empty value.
    For example: tea.http.client.exclude.protocols=""
    Attention: When connecting using HTTPS, some versions of popular browsers may be configured to use SSLv3 as the protocol. If you have problems accessing the secured TIBCO Enterprise Administrator server (SSLv3 is disabled by default) from a browser, follow the browser's user guide to configure that browser to exclude the SSLv3 protocol.
Agent Properties

To enable SSL on the Agent, set the following properties for the HttpServer and HttpClient residing on the Agent:

Properties for the HttpServer on the Agent

tea.agent.http.keystore
    The file name or URL of the key store location.
    For example: tea.agent.http.keystore = "/Users/<username>/tea/keystore/httpserversslkeys.jceks"

tea.agent.http.keystore.password
    Password for the key store residing on the Agent. This is the password that was set when the key store was created.
    For example: tea.agent.http.keystore.password = "MyPassword"

tea.agent.http.cert.alias
    Alias for the SSL certificate. The certificate can be identified by this alias in case there are multiple certificates in the trust store.
    For example: tea.agent.http.cert.alias = "httpserver"

tea.agent.http.keymanager.password
    The password for the specific key within the key store. This is the password that was set when the key pair was created.
    For example: tea.agent.http.keymanager.password = "password"

tea.agent.http.truststore
    The file name or URL of the trust store location.
    For example: tea.agent.http.truststore = "/Users/<username>/tea/keystore/httpserverssltrusts.jceks"

tea.agent.http.truststore.password
    The password for the trust store.
    For example: tea.agent.http.truststore.password = "password"

tea.agent.http.want.client.auth
    Used for mutual authentication. See the section "Guidelines to set the tea.http.want.client.auth and tea.http.need.client.auth Parameters" below.
    For example: tea.agent.http.want.client.auth = true

tea.agent.http.need.client.auth
    Used for mutual authentication. See the section "Guidelines to set the tea.http.want.client.auth and tea.http.need.client.auth Parameters" below.
    For example: tea.agent.http.need.client.auth = true

tea.agent.http.exclude.protocols
    Lists the protocols to be excluded. To exclude multiple protocols, use a comma as the delimiter.
    For example: tea.agent.http.exclude.protocols="SSLv3,TLS1"
    If the property is not set, either as a system property or through the Agent Server API, the SSLv3 protocol is excluded. If the TIBCO Enterprise Administrator Agent must support all protocols including SSLv3, set the property to an empty value.
    For example: tea.agent.http.exclude.protocols=""
    Attention: When connecting using HTTPS, some versions of popular browsers may be configured to use SSLv3 as the protocol. If you have problems accessing the secured TIBCO Enterprise Administrator server (SSLv3 is disabled by default) from a browser, follow the browser's user guide to configure that browser to exclude the SSLv3 protocol.
Properties for the HttpClient on the Agent

Only required if you want to set up a two-way SSL configuration.

tea.agent.http.client.keystore
    The file name or URL of the key store location.
    For example: tea.agent.http.client.keystore = "/Users/<username>/tea/keystore/httpclientsslkeys.jceks"

tea.agent.http.client.keystore.password
    The password for the key store residing on the client (Agent).
    For example: tea.agent.http.client.keystore.password = "password"

tea.agent.http.client.cert.alias
    Alias for the SSL certificate. The certificate can be identified by this alias in case there are multiple certificates in the trust store.
    For example: tea.agent.http.client.cert.alias = "httpclient"

tea.agent.http.client.keymanager.password
    The password for the specific key within the key store.
    For example: tea.agent.http.client.keymanager.password = "password"

tea.agent.http.client.truststore
    The file name or URL of the trust store location.
    For example: tea.agent.http.client.truststore = "/Users/<username>/tea/keystore/httpclientssltrusts.jceks"

tea.agent.http.client.truststore.password
    The password for the trust store.
    For example: tea.agent.http.client.truststore.password = "password"

tea.agent.http.client.exclude.protocols
    Lists the protocols to be excluded. To exclude multiple protocols, use a comma as the delimiter.
    For example: tea.agent.http.client.exclude.protocols="SSLv3,TLS1"
    If the property is not set, either as a system property or through the Agent Server API, the SSLv3 protocol is excluded. If the TIBCO Enterprise Administrator Agent must support all protocols including SSLv3, set the property to an empty value.
    For example: tea.agent.http.client.exclude.protocols=""
    Attention: When connecting using HTTPS, some versions of popular browsers may be configured to use SSLv3 as the protocol. If you have problems accessing the secured TIBCO Enterprise Administrator server (SSLv3 is disabled by default) from a browser, follow the browser's user guide to configure that browser to exclude the SSLv3 protocol.

Guidelines to set the tea.http.want.client.auth and tea.http.need.client.auth Parameters

Here are some guidelines for setting these parameters depending on the scenario you want to implement:

Certificate-based two-way authentication

http.want.client.auth = true, http.need.client.auth = false
    The TEA server asks the client (web browser or Agent) to provide its client certificate during the handshake. If the client chooses not to provide authentication information about itself, the authentication process still continues.
    This means that the client certificate is optional, which in turn means that no certificate needs to be generated on the client.
    End result: The authentication process is successful.

http.want.client.auth = false, http.need.client.auth = true
    The TEA server asks the client (web browser or Agent) to provide its client certificate during the handshake. If the client chooses not to provide authentication information about itself, the authentication process stops.
    This means that the client certificate is required, which in turn means that a key pair and certificate must be generated on the client (Agent).
    End result: The authentication process fails when the client does not present a certificate.

http.want.client.auth = true, http.need.client.auth = true
    Same as the previous case: the client certificate is required, and a key pair and certificate must be generated on the client (Agent).
    End result: The authentication process fails when the client does not present a certificate.

Certificate-based one-way authentication

http.want.client.auth = false, http.need.client.auth = false
    Both parameters set to 'false' means one-way authentication: only the client (web browser or Agent) verifies the TEA server, while the TEA server trusts all clients without verification.
    No need to generate any certificates at all.
    End result: The authentication process is successful, as long as the user name and password provided by the Agent are both correct.
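The following checker is an added example, not part of the TIBCO documentation or the product. It ties the property tables above to the want/need guidelines: it parses a properties file in the `key = "value"` form the examples use, derives the client-authentication mode from the want/need combination, flags an exclude.protocols value that re-enables SSLv3 (the page states SSLv3 is excluded only when the property is absent or lists it), and flags missing HttpClient key/trust stores, since the page states the HttpClient is then configured to "Trust All". The property names are taken from the tables; the sample properties text is constructed, and the `/Users/<username>/...` paths are the page's placeholders.

```python
import re

# Property names per side, copied from the tables above. The server side uses
# '-' in some names while the Agent side uses '.' throughout.
SERVER_NAMES = {
    "keystore": "tea.http.keystore",
    "keystore_password": "tea.http.keystore-password",
    "truststore": "tea.http.truststore",
    "truststore_password": "tea.http.truststore-password",
    "want": "tea.http.want.client.auth",
    "need": "tea.http.need.client.auth",
    "exclude": "tea.http.exclude.protocols",
    "client_keystore": "tea.http.client.keystore",
    "client_truststore": "tea.http.client.truststore",
    "client_exclude": "tea.http.client.exclude.protocols",
}
AGENT_NAMES = {
    "keystore": "tea.agent.http.keystore",
    "keystore_password": "tea.agent.http.keystore.password",
    "truststore": "tea.agent.http.truststore",
    "truststore_password": "tea.agent.http.truststore.password",
    "want": "tea.agent.http.want.client.auth",
    "need": "tea.agent.http.need.client.auth",
    "exclude": "tea.agent.http.exclude.protocols",
    "client_keystore": "tea.agent.http.client.keystore",
    "client_truststore": "tea.agent.http.client.truststore",
    "client_exclude": "tea.agent.http.client.exclude.protocols",
}


def parse_properties(text):
    """Parse `key = "value"` / `key=value` lines into a dict.

    Lines starting with # or ! are comments (Java properties convention);
    surrounding double quotes on the value are stripped, as in the examples.
    """
    props = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#!":
            continue
        m = re.match(r'^([^=:\s]+)\s*[=:]\s*(.*)$', line)
        if not m:
            continue
        key, value = m.group(1), m.group(2).strip()
        if len(value) >= 2 and value[0] == value[-1] == '"':
            value = value[1:-1]
        props[key] = value
    return props


def excluded_protocols(props, key):
    """Protocols excluded by `key`, lower-cased. Absent property: SSLv3 is
    excluded by default; an empty value excludes nothing."""
    if key not in props:
        return {"sslv3"}
    return {p.strip().lower() for p in props[key].split(",") if p.strip()}


def as_bool(value):
    return str(value).strip().lower() == "true"


def client_auth_mode(want, need):
    """Outcome of the want/need combination per the guidelines table."""
    if need:
        return "required"   # handshake stops if the client presents no certificate
    if want:
        return "optional"   # certificate requested, handshake continues without it
    return "none"           # one-way: only the client verifies the server


def audit(props, names):
    """Return (severity, message) findings for one side (SERVER_NAMES or AGENT_NAMES)."""
    findings = []
    for role in ("keystore", "keystore_password", "truststore", "truststore_password"):
        if names[role] not in props:
            findings.append(("error", names[role] + " is not set"))
    want = as_bool(props.get(names["want"], "false"))
    need = as_bool(props.get(names["need"], "false"))
    findings.append(("info", "client certificate: " + client_auth_mode(want, need)))
    for key in (names["exclude"], names["client_exclude"]):
        if "sslv3" not in excluded_protocols(props, key):
            findings.append(("warn", key + " does not exclude SSLv3"))
    if names["client_keystore"] not in props or names["client_truststore"] not in props:
        findings.append(("warn", "HttpClient key/trust store not set; HttpClient is configured to Trust All"))
    return findings


# Constructed sample: mutual auth requested, but SSLv3 re-enabled and no HttpClient stores.
WEAK_SERVER = '''
tea.http.keystore = "/Users/<username>/tea/keystore/httpserversslkeys.jceks"
tea.http.keystore-password = "MyPassword"
tea.http.cert-alias = "httpserver"
tea.http.key-manager-password = "password"
tea.http.truststore = "/Users/<username>/tea/keystore/httpserverssltrusts.jceks"
tea.http.truststore-password = "password"
tea.http.want.client.auth = true
tea.http.need.client.auth = true
tea.http.exclude.protocols = ""
'''

# Constructed sample: same server, with SSLv3 excluded and the HttpClient stores set.
HARDENED_SERVER = WEAK_SERVER.replace('tea.http.exclude.protocols = ""',
                                      'tea.http.exclude.protocols = "SSLv3,TLS1"') + '''
tea.http.client.keystore = "/Users/<username>/tea/keystore/httpclientsslkeys.jceks"
tea.http.client.keystore-password = "password"
tea.http.client.truststore = "/Users/<username>/tea/keystore/httpclientssltrusts.jceks"
tea.http.client.truststore-password = "password"
'''

if __name__ == "__main__":
    for label, text in (("weak", WEAK_SERVER), ("hardened", HARDENED_SERVER)):
        print(label)
        for severity, message in audit(parse_properties(text), SERVER_NAMES):
            print("  [%s] %s" % (severity, message))
```

Run it against the real `tea.conf` (or the Agent's properties) with `SERVER_NAMES` or `AGENT_NAMES`; the two constructed samples show that the "weak" file draws two warnings while the hardened one only reports the required-certificate mode.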