Modifying This Example to use SSL Communications


This section describes how to modify the above example to use SSL communications between the TIBCO Enterprise Message Service server, Borland Enterprise Server, and the client program. This section assumes you have already set up and run the example detailed in the previous sections.

Configuring the TIBCO Enterprise Message Service Server for SSL

In C:\Tibco\EMS\bin\tibemsd.conf, add the following lines:

 
listen = ssl://localhost:7223

ssl_server_identity = certs/server.cert.pem
ssl_server_key      = certs/server.key.pem
ssl_password        = password

listen = tcp://localhost:7222

These lines explicitly set the TCP and SSL listen ports and specify the three required server-side SSL parameters: identity, private key, and password.

Save the file, then stop and restart the TIBCO Enterprise Message Service server.

Configuring Borland Enterprise Server and the Application Client for SSL-Based Communication

You must configure the JMS ConnectionFactories that Borland Enterprise Server and the application client retrieve from JNDI to use SSL-based communication. Borland Enterprise Server reads definitions for JMS administered objects from the jndi-definitions.xml file, deployed as part of a DAR module. Borland Enterprise Server instantiates and stores the objects into its own JNDI provider for subsequent lookup by all J2EE clients. Therefore, modify the definitions of the ConnectionFactories in the jndi-definitions.xml as described in the following paragraphs. After the modifications are complete, build and deploy a new DAR module using the updated jndi-definitions.xml file.

Change the value of the serverUrl property for both the QueueConnectionFactory and the TopicConnectionFactory to specify "ssl" as the protocol and "7223" as the port. The following section of code illustrates this change.

 
<property> 
   <prop-name>serverUrl</prop-name> 
   <prop-type>String</prop-type> 
   <prop-value>ssl://localhost:7223</prop-value> 
</property>   

Add definitions for two additional properties to both the QueueConnectionFactory and the TopicConnectionFactory. SSLTrace turns on SSL tracing so that output is generated indicating that SSL is being used. SSLEnableVerifyHost, set to false, turns off host verification so that specifying a trusted certificate is not required for this example; with verification off the client trusts any server, as the trace output later in this section warns. Refer to the Borland Enterprise Server documentation for a complete list of all the parameters that can be set for the Connection Factories. The following section of code illustrates this change:

 
<property> 
   <prop-name>SSLTrace</prop-name> 
   <prop-type>Boolean</prop-type> 
   <prop-value>true</prop-value> 
</property> 
<property> 
   <prop-name>SSLEnableVerifyHost</prop-name> 
   <prop-type>Boolean</prop-type> 
   <prop-value>false</prop-value> 
</property> 

Save the changes to the jndi-definitions.xml file and build a new DAR module using the following command:

> jar cvMf ems-resources.dar META-INF/jndi-definitions.xml 

Deploy the JAR files jcert.jar, jnet.jar, jsse.jar, and tibcrypt.jar from the TIBCO Enterprise Message Service installation to the target partition using the Borland Enterprise Server Console. Redeploy the ems-resources.dar file to the target partition (refer to the Borland Enterprise Server 5.1 User’s Guide for details).

Stop and restart Borland Enterprise Server to make these changes take effect.
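Because SSLEnableVerifyHost=false and SSLTrace=true are settings chosen for this example, a jndi-definitions.xml that started from it is worth checking before it is reused elsewhere. The following added example (not TIBCO or Borland code) reports every object whose serverUrl is not ssl://, or whose SSL factory has host verification off or tracing on. Only the <property> layout is taken from this page; the wrapper elements and JNDI names in the sample are assumptions.

```python
import xml.etree.ElementTree as ET

# Constructed sample. Only the <property> layout comes from this page; the
# wrapper elements and JNDI names are assumed for illustration.
SAMPLE = """\
<jndi-definitions>
  <jndi-object>
    <jndi-name>jms/ExampleQueueCF</jndi-name>
    <property><prop-name>serverUrl</prop-name><prop-type>String</prop-type>
      <prop-value>ssl://localhost:7223</prop-value></property>
    <property><prop-name>SSLTrace</prop-name><prop-type>Boolean</prop-type>
      <prop-value>true</prop-value></property>
    <property><prop-name>SSLEnableVerifyHost</prop-name><prop-type>Boolean</prop-type>
      <prop-value>false</prop-value></property>
  </jndi-object>
  <jndi-object>
    <jndi-name>jms/ExampleTopicCF</jndi-name>
    <property><prop-name>serverUrl</prop-name><prop-type>String</prop-type>
      <prop-value>tcp://localhost:7222</prop-value></property>
  </jndi-object>
</jndi-definitions>
"""

def audit(xml_text):
    """Return (label, finding) pairs for every object that defines serverUrl."""
    findings = []
    for obj in ET.fromstring(xml_text).iter():
        props = {p.findtext("prop-name", "").strip(): p.findtext("prop-value", "").strip()
                 for p in obj.findall("property")}
        if "serverUrl" not in props:
            continue
        label = obj.findtext("jndi-name", obj.tag).strip()
        if not props["serverUrl"].lower().startswith("ssl://"):
            findings.append((label, "serverUrl is not ssl://, traffic is unencrypted"))
            continue  # not an SSL factory: skip the SSL property checks
        if props.get("SSLEnableVerifyHost", "").lower() == "false":
            findings.append((label, "SSLEnableVerifyHost=false, any server is trusted"))
        if props.get("SSLTrace", "").lower() == "true":
            findings.append((label, "SSLTrace=true, diagnostic output left on"))
    return findings

if __name__ == "__main__":
    for label, finding in audit(SAMPLE):
        print(f"{label}: {finding}")
```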

When Borland Enterprise Server starts, it uses the new SSL-based ConnectionFactories to establish SSL-based topic and queue connections to invoke the example MDB. This can be verified by examining the SSL tracing output in the error log of the target partition. The error log can be viewed using the Borland Enterprise Server Console.

When Borland Enterprise Server completes its startup sequence, you should see output similar to the following:

 
[Mon Oct 18 18:32:03 PST 2002] stderr: [TibjmsSSL]: using security vendor 'j2se'
[Mon Oct 18 18:32:03 PST 2002] stderr: [TibjmsSSL]: WARNING: server verification is disabled, will trust any server.
[Mon Oct 18 18:32:03 PST 2002] stderr: [TibjmsSSL]: client identity not set, using empty identity.
[Mon Oct 18 18:32:07 PST 2002] stderr: [TibjmsSSL]: selected cipher: SSL_RSA_WITH_RC4_128_SHA
[Mon Feb 18 18:32:08 PST 2002] stderr: [TibjmsSSL]: WARNING: server verification is disabled, will trust any server.
[Mon Oct 18 18:32:08 PST 2002] stderr: [TibjmsSSL]: client identity not set, using empty identity.
[Mon Oct 18 18:32:08 PST 2002] stderr: [TibjmsSSL]: selected cipher: SSL_RSA_WITH_RC4_128_SHA

Running This Example

To run the example client, navigate to the directory C:\<BES-install-dir>\examples\ejb\mdb and enter the following command:

 
> appclient message_beans_client.jar 

The client prints the same messages in the window as before, but the SSL trace messages described in the previous section are also output. For example:

 
[TibjmsSSL]: using security vendor 'j2se' 
[TibjmsSSL]: WARNING: server verification is disabled, will trust any server. 
[TibjmsSSL]: client identity not set, using empty identity. 
[TibjmsSSL]: selected cipher: SSL_RSA_WITH_RC4_128_SHA 
Sending a message to queue TibQ1. 
[TibjmsSSL]: WARNING: server verification is disabled, will trust any server. 
[TibjmsSSL]: client identity not set, using empty identity. 
[TibjmsSSL]: selected cipher: SSL_RSA_WITH_RC4_128_SHA 
Publishing a message to topic TibT1. 
Done. 
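
The trace lines in the partition error log and in the client output can be checked mechanically rather than by eye. The following added example (not TIBCO or Borland code) groups TibjmsSSL messages into handshakes and records whether server verification was off, whether the client presented no identity, and which cipher was selected; it re-joins records that a copied error log has hard-wrapped, so a phrase split across two lines is still matched. The sample input is constructed from the lines on this page, and treating only timestamp-prefixed records as wrappable is an assumption.

```python
import re

# Constructed sample from this page's trace lines: error-log form, then client form.
SAMPLE = """\
[Mon Oct 18 18:32:03 PST 2002] stderr: [TibjmsSSL]: WARNING: server verification is
disabled, will trust any server.
[Mon Oct 18 18:32:03 PST 2002] stderr: [TibjmsSSL]: client identity not set, using
empty identity.
[Mon Oct 18 18:32:07 PST 2002] stderr: [TibjmsSSL]: selected cipher:
SSL_RSA_WITH_RC4_128_SHA
[TibjmsSSL]: WARNING: server verification is disabled, will trust any server.
[TibjmsSSL]: client identity not set, using empty identity.
[TibjmsSSL]: selected cipher: SSL_RSA_WITH_RC4_128_SHA
Sending a message to queue TibQ1.
"""
TAG = re.compile(r"\[TibjmsSSL\]:\s*(.*)")

def trace_messages(text):
    """Return the TibjmsSSL messages, re-joining hard-wrapped log records."""
    messages, wrappable = [], False
    for line in (raw.strip() for raw in text.splitlines()):
        m = TAG.search(line)
        if m:
            messages.append(m.group(1))
            # Assumption: only timestamp-prefixed error-log records get wrapped.
            wrappable = m.start() > 0
        elif line and wrappable and not line.startswith("["):
            messages[-1] = f"{messages[-1]} {line}"
        else:
            wrappable = False
    return messages

def handshakes(text):
    """Summarise each traced handshake; a 'selected cipher' message closes one."""
    done, cur = [], {"verify_disabled": False, "anonymous_client": False}
    for msg in trace_messages(text):
        if "server verification is disabled" in msg:
            cur["verify_disabled"] = True
        elif "client identity not set" in msg:
            cur["anonymous_client"] = True
        elif msg.startswith("selected cipher:"):
            cur["cipher"] = msg.split(":", 1)[1].strip()
            cur["rc4"] = "_RC4_" in cur["cipher"]  # RC4 is prohibited by RFC 7465
            done.append(cur)
            cur = {"verify_disabled": False, "anonymous_client": False}
    return done

if __name__ == "__main__":
    print(handshakes(SAMPLE))
```

A handshake whose summary shows verify_disabled as True means the encrypted channel was set up without authenticating the server.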

TIBCO Enterprise Message Service™ Application Integration Guide
Software Release 4.3, February 2006
Copyright © TIBCO Software Inc. All rights reserved
www.tibco.com