Modifying This Example to use SSL Communication


This section describes how to modify the above example to use SSL communications between the TIBCO Enterprise Message Service server, WebLogic Server, and the client program (t.java). This section assumes you have already set up and run the example detailed in the previous sections.

Add the SSL JAR Files and New JNDI Properties File to the CLASSPATH
  1. The following JAR files, distributed with TIBCO Enterprise Message Service, must be added to the CLASSPATH settings in both setEnv.cmd and startWebLogic.cmd:

       jcert.jar
       jnet.jar
       jsse.jar
       tibcrypt.jar

  2. Create a new file named jndi.properties containing the following lines:

       com.tibco.tibjms.naming.security_protocol=ssl
       com.tibco.tibjms.naming.ssl_enable_verify_host=false

  3. Save the file to directory C:\Tibco\EMS\clients\java. This directory must then be added to the CLASSPATH in both setEnv.cmd and startWebLogic.cmd.

These properties specify that the SSL protocol is used for JNDI lookups and that host verification is turned off (the client will trust any host). With host verification off, the lookup is encrypted but the identity of the server is not checked. JNDI reads this file automatically and adds the properties to the environment of the initial JNDI context.

Configure the TIBCO Enterprise Message Service Server for SSL
  1. In C:\Tibco\EMS\bin\tibemsd.conf, add the following lines:

       listen = ssl://localhost:7223

       ssl_server_identity = certs/server.cert.pem
       ssl_server_key      = certs/server.key.pem
       ssl_password        = password

       listen = tcp://localhost:7222

     These lines explicitly set the tcp and ssl listen ports, and specify the three required server-side SSL parameters: identity, private key, and password.

  2. Save the file, then stop and restart the TIBCO Enterprise Message Service server. When the server restarts, you should see messages like the following in the console window confirming SSL is enabled:

       2002-03-19 13:48:34 Secure Socket Layer is enabled.
       2002-03-19 13:48:34 Accepting connections on ssl://localhost:7223.
       2002-03-19 13:48:34 Accepting connections on tcp://localhost:7222.

  3. Start the administration tool, tibemsadmin. Then create a QueueConnectionFactory that establishes SSL connections. To do this, enter the following commands at the tibemsadmin prompt:

       > connect
       > create factory sslQCF queue url=ssl://localhost:7223 ssl_verify_host=disabled

     In the above command, the "url" parameter specifies that connections created by this factory use the SSL protocol and connect on port 7223. The "ssl_verify_host" parameter is set to disabled so that a server-side certificate property is not required (the client will trust any server). This is the simplest SSL configuration: the connection is encrypted, but the client does not verify which server it is talking to.
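The settings made so far can be checked mechanically before this configuration is carried beyond a test machine. The following is an added example, not part of the TIBCO guide: the configuration text is a constructed copy of the values shown on this page, and the function names parse_pairs and audit are hypothetical.

```python
# Constructed copies of the three settings blocks shown on this page.
JNDI_PROPERTIES = """\
com.tibco.tibjms.naming.security_protocol=ssl
com.tibco.tibjms.naming.ssl_enable_verify_host=false
"""
TIBEMSD_CONF = """\
listen = ssl://localhost:7223
ssl_server_identity = certs/server.cert.pem
ssl_server_key      = certs/server.key.pem
ssl_password        = password
listen = tcp://localhost:7222
"""
FACTORY_CMD = "create factory sslQCF queue url=ssl://localhost:7223 ssl_verify_host=disabled"

def parse_pairs(text):
    """Return (key, value) pairs from key=value lines; repeated keys such as 'listen' are kept."""
    lines = (l.strip() for l in text.splitlines())
    return [tuple(p.strip() for p in l.split("=", 1))
            for l in lines if "=" in l and not l.startswith("#")]

def audit(jndi_text, conf_text, factory_cmd):
    """Flag settings that leave the SSL link unauthenticated or leave a cleartext path open."""
    findings = []
    jndi = dict(parse_pairs(jndi_text))
    if jndi.get("com.tibco.tibjms.naming.security_protocol", "").lower() != "ssl":
        findings.append("jndi: lookups are not using ssl")
    if jndi.get("com.tibco.tibjms.naming.ssl_enable_verify_host", "").lower() == "false":
        findings.append("jndi: host verification off, any server is trusted")
    conf = parse_pairs(conf_text)
    listens = [v for k, v in conf if k == "listen"]
    if not any(v.startswith("ssl://") for v in listens):
        findings.append("tibemsd: no ssl listener")
    findings += [f"tibemsd: cleartext listener {v}" for v in listens if v.startswith("tcp://")]
    if any(k == "ssl_password" for k, _ in conf):
        findings.append("tibemsd: ssl_password is stored as a literal in tibemsd.conf")
    # Factory parameters are space-separated name=value tokens after the factory type.
    params = dict(t.split("=", 1) for t in factory_cmd.split() if "=" in t)
    if not params.get("url", "").startswith("ssl://"):
        findings.append("factory: url is not ssl")
    if params.get("ssl_verify_host", "").lower() == "disabled":
        findings.append("factory: ssl_verify_host disabled, any server is trusted")
    return findings

if __name__ == "__main__":
    for finding in audit(JNDI_PROPERTIES, TIBEMSD_CONF, FACTORY_CMD):
        print(finding)
```

Run against the values on this page, the audit reports four findings: host verification off in jndi.properties, the tcp listener on port 7222, the literal ssl_password, and ssl_verify_host=disabled on the factory.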

Configure WebLogic Server for SSL-Based Communication
  1. The weblogic-ejb-jar.xml file must be modified to change the values of the JNDI provider URL and the connection factory JNDI name, as follows:

       <provider-url>
          tibjmsnaming://localhost:7223
       </provider-url>
       <connection-factory-jndi-name>sslQCF
       </connection-factory-jndi-name>

     The provider URL is changed to connect to port 7223 (instead of 7222), and the connection factory JNDI name is changed to specify the SSL-based queue connection factory that was created in the previous step.

  2. Rebuild the JAR file for the EJB. From the build directory, enter the following commands:

       jar cvf myejb.jar META-INF MDB.class
       cd ..
       java weblogic.ejbc -compiler javac build\myejb.jar MDB.jar

  3. Stop and restart WebLogic Server.

Modify the Test Program for SSL-Based Communication

The modifications necessary for the test program are similar to those that were necessary for WebLogic Server:

Save and recompile the program.

Re-Run this Example

Run the test program:

 
       > java t

You should see the same messages sent by the client and received by the MDB in the WebLogic server window. You may notice that this example runs slightly slower than the non-SSL version. This is because of the SSL handshake that occurs before the messages are displayed.

To prove that SSL communications are in fact occurring, you could remove the SSL settings you added to tibemsd.conf described in Configure the TIBCO Enterprise Message Service Server for SSL. Then restart the TIBCO Enterprise Message Service server and the WebLogic Server. You should find that the message normally printed indicating that the server is running in production mode never gets printed. The reason is that WebLogic Server cannot perform the SSL-based JNDI lookup of the connection factory, and it continues to retry forever. If you now run the test program again, you should see that it throws an exception indicating that it could not connect to the server using the SSL protocol.

Alternatively (or additionally), you could start the TIBCO Enterprise Message Service server from a command prompt window and turn SSL debug tracing on, as follows:

 
       > tibemsd -ssl_debug_trace

Then if you re-start WebLogic Server and re-run the test program you will see SSL debugging output on the tibemsd console window.


TIBCO Enterprise Message Service™ Application Integration Guide
Software Release 4.3, February 2006
Copyright © TIBCO Software Inc. All rights reserved
www.tibco.com