Accessing TIBCO EMS using SSL

From PeformIQ Upgrade

Here is a collection of notes gathered in my searching...


When an SSL connection between the TIBCO EMS server and the WebSphere application server (or its client container) cannot be established, check the following items to resolve the issue.

1. Verify the SSL configuration in the EMS server and the certificates being used by the WebSphere application server MDB.

You can run the Java sample program tibjmsSSL.java (available in the directory $EMS_HOME\sample\java) to verify whether the SSL parameters on the EMS server or the client side are at fault. Refer to the TIBCO Enterprise Message Service User’s Guide, Chapter 17, entitled “Using the SSL Protocol”, for details on SSL parameter usage.

2. You will need to have the following jar files (available under the directory EMS_Home\lib) added to the WebSphere Application server through the Administrator Console:

tibjms.jar, tibcrypt.jar, slf4j-api-1.4.2.jar, slf4j-simple-1.4.2.jar.


From the WebSphere Administrative Console, expand "Resources > JMS > JMS providers" and choose "TIBCO" in the content pane. Add the full path of each of the following jar files, one per line:

EMS_HOME\lib\tibjms.jar
EMS_HOME\lib\TIBCrypt.jar
EMS_HOME\lib\slf4j-api-1.4.2.jar
EMS_HOME\lib\slf4j-simple-1.4.2.jar

3. When creating the JNDI name of queue or topic connection factories used by the WebSphere application server MDB, please refer to the TIBCO Enterprise Message Service User’s Guide > Chapter 18, entitled "Using the SSL Protocol, Configuring SSL in EMS Clients", for a complete list of ConnectionFactory SSL parameters which can be used with the client to create the SSL connection.

Here is an example defined in the factories.conf file, using the certificates provided by the EMS installation:

[SSLQueueConnectionFactory]
type = queue
url = ssl://localhost:8080
ssl_identity = C:\TIBCO\ems\5.0\bin\certs\client_identity.p12
ssl_trusted = C:\TIBCO\ems\5.0\bin\certs\server_root.cert.pem
ssl_verify_hostname = disabled

Note: The ssl_password cannot be set within the connection factory, for security reasons. EMS will instead attempt to use the password provided in the createConnection() call, which is the password you specified for the EMS username. If that user password differs from the ssl_password protecting the client identity, the connection will fail. To correct this, set the password of the EMS user used by the WebSphere application server MDB to the same value as the ssl_password.

4. The WebSphere application server uses jndi.properties to look up the queue or topic connection factory defined in the EMS server. The file is located in the WebSphere installation directory: <WebSphere installation_directory>\properties\jndi.properties.

For example, within jndi.properties, you can define the following properties:

com.tibco.tibjms.naming.security_protocol=ssl
com.tibco.tibjms.naming.ssl_vendor=j2se-default
com.tibco.tibjms.naming.ssl_enable_verify_host=true
com.tibco.tibjms.naming.ssl_expected_hostname=server
com.tibco.tibjms.naming.ssl_trusted_certs=c:\\tibco\\ems\\5.0\\bin\\certs\\server_root.cert.pem
com.tibco.tibjms.naming.ssl_identity=c:\\tibco\\ems\\5.0\\bin\\certs\\client_identity.p12
com.tibco.tibjms.naming.ssl_password=password

When com.tibco.tibjms.naming.ssl_vendor is set to j2se-default, the IBM SSL provider embedded in the WebSphere Application Server is selected.
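The factories.conf stanza and the jndi.properties entries above each carry settings that decide how much the SSL connection actually verifies. The following script is an added example for this page (not TIBCO or WebSphere code): it parses both files in their own formats, using the page's examples as constructed sample input, and reports the settings a reviewer would flag before deployment, chiefly ssl_verify_hostname = disabled (the client then accepts any server whose certificate chains to ssl_trusted, whatever name it presents) and a clear-text ssl_password in jndi.properties. The check names and messages are my own; the configuration keys are the ones shown on the page.

```python
"""Lint TIBCO EMS client SSL settings in factories.conf and jndi.properties.

Added example: not TIBCO/WebSphere code. Sample file contents below are
constructed from the examples on the page; check names are my own.
"""
import re

# Constructed sample: the factories.conf stanza shown on the page.
FACTORIES_CONF = r"""
[SSLQueueConnectionFactory]
type = queue
url = ssl://localhost:8080
ssl_identity = C:\TIBCO\ems\5.0\bin\certs\client_identity.p12
ssl_trusted = C:\TIBCO\ems\5.0\bin\certs\server_root.cert.pem
ssl_verify_hostname = disabled
""".strip()

# Same stanza with host-name verification turned on (the corrected form).
HARDENED_FACTORIES_CONF = FACTORIES_CONF.replace(
    "ssl_verify_hostname = disabled", "ssl_verify_hostname = enabled")

# Constructed sample: the jndi.properties entries shown on the page.
# Java properties files escape backslashes, hence the doubled '\\'.
JNDI_PROPERTIES = r"""
com.tibco.tibjms.naming.security_protocol=ssl
com.tibco.tibjms.naming.ssl_vendor=j2se-default
com.tibco.tibjms.naming.ssl_enable_verify_host=true
com.tibco.tibjms.naming.ssl_expected_hostname=server
com.tibco.tibjms.naming.ssl_trusted_certs=c:\\tibco\\ems\\5.0\\bin\\certs\\server_root.cert.pem
com.tibco.tibjms.naming.ssl_identity=c:\\tibco\\ems\\5.0\\bin\\certs\\client_identity.p12
com.tibco.tibjms.naming.ssl_password=password
""".strip()

PREFIX = "com.tibco.tibjms.naming."


def parse_factories_conf(text):
    """Parse [Name] stanzas of 'key = value' lines into {name: {key: value}}."""
    factories, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        m = re.match(r"^\[(.+)\]$", line)
        if m:
            current = factories.setdefault(m.group(1), {})
            continue
        if current is None or "=" not in line:
            continue  # stray line outside a stanza
        key, _, value = line.partition("=")
        current[key.strip()] = value.strip()
    return factories


def parse_java_properties(text):
    """Minimal java.util.Properties reader: key=value, with '\\\\' unescaped."""
    props = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#!":
            continue
        key, _, value = line.partition("=")
        props[key.strip()] = value.strip().replace("\\\\", "\\")
    return props


def check_factory(name, params):
    """Findings for one connection-factory stanza."""
    findings = []
    url = params.get("url", "")
    if not url.startswith("ssl://"):
        findings.append(f"{name}: url {url!r} is not ssl://, so traffic is not encrypted")
    if params.get("ssl_verify_hostname", "").lower() == "disabled":
        findings.append(f"{name}: ssl_verify_hostname=disabled; any server with a certificate "
                        "chaining to ssl_trusted is accepted regardless of its name")
    if "ssl_trusted" not in params:
        findings.append(f"{name}: no ssl_trusted, so the server certificate cannot be verified")
    if "ssl_password" in params:
        findings.append(f"{name}: ssl_password must not be set in a connection factory; "
                        "EMS uses the createConnection() password instead")
    return findings


def check_jndi(props):
    """Findings for the JNDI lookup settings."""
    findings = []
    if props.get(PREFIX + "security_protocol") != "ssl":
        findings.append("jndi: security_protocol is not ssl, so JNDI lookups are in the clear")
    if props.get(PREFIX + "ssl_enable_verify_host") != "true":
        findings.append("jndi: ssl_enable_verify_host is not true")
    if props.get(PREFIX + "ssl_password"):
        findings.append("jndi: ssl_password is stored in clear text in jndi.properties; "
                        "restrict the file's permissions")
    return findings


def lint(factories_text, jndi_text):
    """Run every check and return the list of findings (empty means clean)."""
    findings = []
    for name, params in parse_factories_conf(factories_text).items():
        findings.extend(check_factory(name, params))
    findings.extend(check_jndi(parse_java_properties(jndi_text)))
    return findings


if __name__ == "__main__":
    for finding in lint(FACTORIES_CONF, JNDI_PROPERTIES):
        print("WARN", finding)
```

Run against the page's own examples, the script reports two findings: the disabled host-name check in the factory and the clear-text ssl_password in jndi.properties. Pointing it at the real files (read them with open() in place of the constructed strings) gives a quick pre-deployment review of the client-side SSL posture; the JNDI password finding cannot be "fixed" by removing the property, since the client identity still needs it, so the mitigation is file permissions rather than a config change.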

Due to the restricted security policies on the IBM JDK and the key size limitation, you may get the following exception when creating an SSL connection:

java.io.IOException: Error in loading the keystore: Private key decryption error: (java.security.InvalidKeyException: Illegal key size)

You will need to download the unrestricted JCE security policy files and unzip them into the IBM JRE's lib/security directory within the WebSphere application server installation.

Here is the location to download the SDK policy files:

http://www.ibm.com/developerworks/java/jdk/security/50/#sdkpol