To use an SSL connection to the EMS server, a Java client must include appropriate JAR files in the CLASSPATH
(see Table 40 below). These files are included with EMS, and also with JDK (1.4 and later).
JAR File
|
Included with
|
---|---|
jsse.jar
|
JDK
|
jnet.jar
|
JDK
|
jcert.jar
|
JDK
|
tibcrypt.jar
|
EMS
|
To use Entrust with an EMS client, you must separately purchase and install the Entrust Version 7.1 libraries. If you use the Entrust libraries, you must include them in the CLASSPATH before the JSSE JAR files. To use Entrust Version 7.1 with JDK, you must download the unlimited strength policy JAR files from Sun's website and install them in your local installation of JDK. For installation and configuration details, see Entrust Version 7.1 documentation.
When client authentication with a digital certificate is required by the EMS server (see the description of the ssl_require_client_cert
parameter in tibemsd.conf
), the client may combine its client certificate and private key in a single file in one of the following formats:
You can also store the private key file separately from the client certificate file. If this is the case, the certificate and private key must be stored in one of the following formats:
The format of the client digital certificate and private key file depends on the SSL vendor used by the client. JSSE and Entrust support different formats and combinations of formats. For more information about formats, see your SSL vendor’s documentation.
A Java client connecting to an EMS server can configure SSL characteristics in three ways:
A preconfigured connection factory is the preferred mechanism in many situations.
TibjmsSSL
.tibemsSSLParams
.
Specifying any SSL parameters within a connection factory causes all global SSL parameters set with the TibjmsSSL
class to be ignored.
You can configure a connection factory using the administration tool or the EMS Administration APIs. See Chapter 8, Using the Administration Tool.
When configuring a connection factory, you can specify several SSL parameters. These parameters are similar to the server parameters that you can configure in tibemsd.conf
.
Table 41 briefly describes the parameters you can set in a connection factory, and refers to additional information about each parameter. For more information about each parameter, see the description of the equivalent parameter in tibemsd.conf
.
Parameter
|
Description
|
---|---|
ssl_vendor
|
The vendor name of the SSL implementation that the client uses.
|
ssl_identity
|
The client’s digital certificate.
For more information on file types for digital certificates, see File Names for Certificates and Keys.
|
ssl_issuer
|
Issuer’s certificate chain for the client’s certificate. Supply the entire chain, including the CA root certificate. The client reads the certificates in the chain in the order they are presented in this parameter.
Example
For more information on file types for digital certificates, see File Names for Certificates and Keys.
|
ssl_private_key
|
The client’s private key. If the key is included in the digital certificate in
ssl_identity , then you may omit this parameter.
For more information on file types for digital certificates, see File Names for Certificates and Keys.
|
ssl_trusted
|
List of CA certificates to trust as issuers of server certificates. Supply only CA root certificates.
For more information on file types for digital certificates, see File Names for Certificates and Keys.
|
ssl_verify_host
|
Specifies whether the client should verify the server’s certificate. The values for this parameter are
enabled or disabled . By default, this parameter is enabled, signifying the client should verify the server’s certificate.
When
disabled , the client establishes secure communication with the server, but does not verify the server’s identity.
|
ssl_verify_hostname
|
Specifies whether the client should verify the name in the CN field of the server’s certificate. The values for this parameter are
enabled and disabled . By default, this parameter is enabled, signifying the client should verify the name of the connected host or the name specified in the ssl_expected_hostname parameter against the value in the server’s certificate. If the names do not match, the client rejects the connection.
When
disabled , the client establishes secure communication with the server, but does not verify the server’s name.
|
ssl_expected_hostname
|
The name the client expects in the CN field of the server’s certificate. If this parameter is not set, the expected name is the hostname of the server.
The value of this parameter is used when the
ssl_verify_hostname parameter is enabled .
|
ssl_ciphers
|
Specifies the cipher suites that the client can use.
Supply a colon-separated list of cipher names. Names may be either OpenSSL names, or longer descriptive names.
For more information, see Specifying Cipher Suites.
|
ssl_rand_egd
|
The path for the entropy gathering daemon (EGD), if one is installed. This daemon generates random data for the client.
|
TIBCO Enterprise Message Service™ User’s Guide Software Release 4.3, February 2006 Copyright © TIBCO Software Inc. All rights reserved www.tibco.com |