SSL Properties
When configuring SSL on the TIBCO Enterprise Administrator, you must set some properties on both the TIBCO Enterprise Administrator server as well as the agent.
Property | Description
---|---
Properties for the HttpServer on the TIBCO Enterprise Administrator server |
tea.http.keystore | The file name or URL of the key store location. For example:
tea.http.keystore-password | Password for the key store residing on the TIBCO Enterprise Administrator server. This is the password that was set when the key store was created. For example: tea.http.keystore-password = "MyPassword"
tea.http.cert-alias | Alias for the SSL certificate. The certificate can be identified by this alias in case there are multiple certificates in the trust store. For example: tea.http.cert-alias = "httpserver"
tea.http.key-manager-password | The password for the specific key within the key store. This is the password that was set when the key pair was created. For example:
tea.http.truststore | The file name or URL of the trust store location. For example:
tea.http.truststore-password | The password for the trust store. For example:
tea.http.want.client.auth | Used for mutual authentication. See the section Guidelines to set the tea.http.want.client.auth and tea.http.need.client.auth Parameters below. For example: tea.http.want.client.auth = true
tea.http.need.client.auth | Used for mutual authentication. See the section Guidelines to set the tea.http.want.client.auth and tea.http.need.client.auth Parameters below. For example: tea.http.need.client.auth = true
tea.http.exclude.protocols | Lists the protocols to be excluded. To exclude multiple protocols, use a comma as the delimiter. For example: Attention: When connecting using HTTPS, some versions of the popular browsers may be configured to use SSLv3 as the protocol. If you have problems accessing the secured TIBCO Enterprise Administrator server (SSLv3 is disabled by default) using the browser, follow the browser's user guide to configure that browser to exclude the SSLv3 protocol.
Properties for the HttpClient on the TIBCO Enterprise Administrator server (only required if you want to set up a two-way SSL configuration) |
tea.http.client.keystore | The file name or URL of the key store location. For example: tea.http.client.keystore = "/Users/<username>/tea/keystore/httpclientsslkeys.jceks"
tea.http.client.keystore-password | The password for the key store residing on the client (agent). For example: tea.http.client.keystore-password = "password"
tea.http.client.cert-alias | Alias for the SSL certificate. The certificate can be identified by this alias in case there are multiple certificates in the trust store. For example: tea.http.client.cert-alias = "httpclient"
tea.http.client.key-manager-password | The password for the specific key within the key store. For example: tea.http.client.key-manager-password = "password"
tea.http.client.truststore | The file name or URL of the trust store location. For example: tea.http.client.truststore = "/Users/<username>/tea/keystore/httpclientssltrusts.jceks"
tea.http.client.truststore-password | The password for the trust store. For example: tea.http.client.truststore-password = "password"
tea.http.client.exclude.protocols | Lists the protocols to be excluded. To exclude multiple protocols, use a comma as the delimiter. For example: Attention: When connecting using HTTPS, some versions of the popular browsers may be configured to use SSLv3 as the protocol. If you have problems accessing the secured TIBCO Enterprise Administrator server (SSLv3 is disabled by default) using the browser, follow the browser's user guide to configure that browser to exclude the SSLv3 protocol.
Property | Description
---|---
Properties for the HttpServer on the agent |
tea.agent.http.keystore | The file name or URL of the key store location. For example:
tea.agent.http.keystore.password | Password for the key store residing on the agent. This is the password that was set when the key store was created. For example: tea.agent.http.keystore.password = "MyPassword"
tea.agent.http.cert.alias | Alias for the SSL certificate. The certificate can be identified by this alias in case there are multiple certificates in the trust store. For example: tea.agent.http.cert.alias = "httpserver"
tea.agent.http.keymanager.password | The password for the specific key within the key store. This is the password that was set when the key pair was created. For example:
tea.agent.http.truststore | The file name or URL of the trust store location. For example:
tea.agent.http.truststore.password | The password for the trust store. For example:
tea.agent.http.want.client.auth | Used for mutual authentication. See the section Guidelines to set the tea.http.want.client.auth and tea.http.need.client.auth Parameters below. For example: tea.agent.http.want.client.auth = true
tea.agent.http.need.client.auth | Used for mutual authentication. See the section Guidelines to set the tea.http.want.client.auth and tea.http.need.client.auth Parameters below. For example: tea.agent.http.need.client.auth = true
tea.agent.http.exclude.protocols | Lists the protocols to be excluded. To exclude multiple protocols, use a comma as the delimiter. For example: Attention: When connecting using HTTPS, some versions of the popular browsers may be configured to use SSLv3 as the protocol. If you have problems accessing the secured TIBCO Enterprise Administrator server (SSLv3 is disabled by default) using the browser, follow the browser's user guide to configure that browser to exclude the SSLv3 protocol.
Properties for the HttpClient on the agent (only required if you want to set up a two-way SSL configuration) |
tea.agent.http.client.keystore | The file name or URL of the key store location. For example: tea.agent.http.client.keystore = "/Users/<username>/tea/keystore/httpclientsslkeys.jceks"
tea.agent.http.client.keystore.password | The password for the key store residing on the client (agent). For example: tea.agent.http.client.keystore.password = "password"
tea.agent.http.client.cert.alias | Alias for the SSL certificate. The certificate can be identified by this alias in case there are multiple certificates in the trust store. For example: tea.agent.http.client.cert.alias = "httpclient"
tea.agent.http.client.keymanager.password | The password for the specific key within the key store. For example: tea.agent.http.client.keymanager.password = "password"
tea.agent.http.client.truststore | The file name or URL of the trust store location. For example: tea.agent.http.client.truststore = "/Users/<username>/tea/keystore/httpclientssltrusts.jceks"
tea.agent.http.client.truststore.password | The password for the trust store. For example: tea.agent.http.client.truststore.password = "password"
tea.agent.http.client.exclude.protocols | Lists the protocols to be excluded. To exclude multiple protocols, use a comma as the delimiter. For example: Attention: When connecting using HTTPS, some versions of the popular browsers may be configured to use SSLv3 as the protocol. If you have problems accessing the secured TIBCO Enterprise Administrator server (SSLv3 is disabled by default) using the browser, follow the browser's user guide to configure that browser to exclude the SSLv3 protocol.
Guidelines to set the tea.http.want.client.auth and tea.http.need.client.auth Parameters
Here are some guidelines for setting these parameters depending on the scenario you want to implement:
For this type of authentication... | setting the parameters in this combination... | results in...
---|---|---
Certification-based two-way authentication | http.want.client.auth = true, http.need.client.auth = false | The TEA server asks the client (web browser or agent) to provide its client certificate during the handshake. If the client chooses not to provide authentication information about itself, the authentication process still continues. The client certificate is therefore optional, which means that no certificate needs to be generated on the client. End result: the authentication process is successful.
Certification-based two-way authentication | http.want.client.auth = false, http.need.client.auth = true | The TEA server asks the client (web browser or agent) to provide its client certificate during the handshake. If the client chooses not to provide authentication information about itself, the authentication process stops. The client certificate is therefore required, which means that a key pair and certificate must be generated on the client (agent). End result: the authentication process fails.
Certification-based two-way authentication | http.want.client.auth = true, http.need.client.auth = true | Same as the previous case: the client certificate is required, and a key pair and certificate must be generated on the client (agent). End result: the authentication process fails.
Certification-based one-way authentication | http.want.client.auth = false, http.need.client.auth = false | Both parameters set to false means one-way authentication, where only the client (web browser or agent) verifies the TEA server and the TEA server trusts all clients without verification. Do not generate any certificates. End result: the authentication process is successful, as long as the user name and password provided by the agent are both correct.
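As an added example that is not part of the TIBCO documentation, the following Python script reads a property set written in the key = "value" form used in the tables above, derives the client-authentication outcome from the want/need pair exactly as the guidelines table describes it, and reports the store settings that are missing for that prefix or an exclude.protocols list that no longer contains SSLv3. The property names are the ones in the reference tables (hyphenated on the server, dotted on the agent); the sample property sets, paths and passwords are constructed placeholders, the helper names are my own, and treating an absent want/need property as false is an assumption of this script, not something the documentation states.

```python
"""Audit a TEA SSL property set (added example, not TIBCO code)."""
from typing import Dict, List, Tuple

# Property suffixes per prefix, taken from the reference tables above.
# HttpServer on the TEA server uses hyphens, HttpServer on the agent uses dots.
KEY_SETS: Dict[str, Tuple[str, ...]] = {
    "tea.http": ("keystore", "keystore-password", "cert-alias",
                 "key-manager-password", "truststore", "truststore-password"),
    "tea.agent.http": ("keystore", "keystore.password", "cert.alias",
                       "keymanager.password", "truststore", "truststore.password"),
}

# Constructed sample: a complete server-side set (placeholder paths/passwords).
SAMPLE_SERVER = """
# TEA server HttpServer SSL settings (constructed sample)
tea.http.keystore = "/opt/tea/keystore/httpserversslkeys.jceks"
tea.http.keystore-password = "MyPassword"
tea.http.cert-alias = "httpserver"
tea.http.key-manager-password = "MyPassword"
tea.http.truststore = "/opt/tea/keystore/httpserverssltrusts.jceks"
tea.http.truststore-password = "MyPassword"
tea.http.want.client.auth = true
tea.http.need.client.auth = true
tea.http.exclude.protocols = "SSLv3"
"""

# Constructed sample: an agent-side set with no trust store and an
# exclude list that re-enables SSLv3 by omitting it.
SAMPLE_AGENT_WEAK = """
tea.agent.http.keystore = "/opt/tea/agent/keystore/httpserversslkeys.jceks"
tea.agent.http.keystore.password = "MyPassword"
tea.agent.http.cert.alias = "httpserver"
tea.agent.http.keymanager.password = "MyPassword"
tea.agent.http.want.client.auth = true
tea.agent.http.exclude.protocols = "TLSv1"
"""


def parse_properties(text: str) -> Dict[str, str]:
    """Parse `key = value` lines; a value may be wrapped in double quotes."""
    props: Dict[str, str] = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        key, sep, value = line.partition("=")
        if not sep:
            continue  # not a property assignment
        value = value.strip()
        if len(value) >= 2 and value[0] == value[-1] == '"':
            value = value[1:-1]
        props[key.strip()] = value
    return props


def _flag(props: Dict[str, str], key: str) -> bool:
    # Assumption: an absent want/need property behaves like false.
    return props.get(key, "false").strip().lower() == "true"


def client_auth_mode(props: Dict[str, str], prefix: str) -> str:
    """Map the want/need pair onto the outcomes of the guidelines table."""
    want = _flag(props, f"{prefix}.want.client.auth")
    need = _flag(props, f"{prefix}.need.client.auth")
    if need:
        return "required"  # handshake stops if the client presents no certificate
    if want:
        return "optional"  # certificate requested, handshake continues without it
    return "one-way"       # only the client verifies the server


def excluded_protocols(props: Dict[str, str], prefix: str) -> List[str]:
    """Split the comma-delimited exclude.protocols value."""
    raw = props.get(f"{prefix}.exclude.protocols", "")
    return [p.strip() for p in raw.split(",") if p.strip()]


def audit_ssl(props: Dict[str, str], prefix: str) -> List[str]:
    """Return human-readable findings; an empty list means nothing to report."""
    findings: List[str] = []
    for suffix in KEY_SETS[prefix]:
        key = f"{prefix}.{suffix}"
        if not props.get(key):
            findings.append(f"{key} is not set")
    for key in (f"{prefix}.want.client.auth", f"{prefix}.need.client.auth"):
        val = props.get(key)
        if val is not None and val.strip().lower() not in ("true", "false"):
            findings.append(f"{key} must be true or false, got {val!r}")
    excluded = excluded_protocols(props, prefix)
    if excluded and "SSLv3" not in excluded:
        # The documented default disables SSLv3; an explicit list that omits it
        # is worth a second look before it goes into production.
        findings.append(f"{prefix}.exclude.protocols is set but does not list SSLv3")
    return findings


if __name__ == "__main__":
    for name, text, prefix in (("server", SAMPLE_SERVER, "tea.http"),
                               ("agent", SAMPLE_AGENT_WEAK, "tea.agent.http")):
        p = parse_properties(text)
        print(f"{name}: client auth = {client_auth_mode(p, prefix)}")
        for f in audit_ssl(p, prefix) or ["no findings"]:
            print(f"  - {f}")
```

Running the script prints the authentication outcome for each sample and, for the weak agent set, the two missing trust-store properties plus the exclude.protocols finding. The same functions work for the HttpClient properties once a matching suffix tuple is added to KEY_SETS under the tea.http.client or tea.agent.http.client prefix.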