Support for SSL accelerators was deprecated as of release 4.1.0. In a future release, this feature will become obsolete and unsupported.
While the SSL protocol provides message security and integrity, the connection handshake and bulk message encryption can require significant machine resources. To reduce this overhead, you can deploy a third-party SSL hardware accelerator. The TIBCO Enterprise Message Service server supports external (rack-mount) hardware accelerators. SSL accelerators can offload from the main CPU both the asymmetric public/private key negotiations and the secret key bulk message encryption and decryption.
Ingrian provides a variety of accelerator products, such as the Ingrian i100, i140, i210, and so on. These products are external hardware accelerators that fit into standard rack-mount space. The Ingrian Accelerator is placed on the network between the client and the server and offloads all SSL functionality from the server. The clients use SSL to communicate with the server by connecting to an SSL port on the Ingrian Accelerator. The Ingrian Accelerator performs the entire SSL handshake and passes messages to the server over TCP. Figure 17 illustrates the operation of the Ingrian Accelerator.
Because the Ingrian Accelerator performs all SSL functionality, it must be separately configured for listen ports, certificates, and so on. See www.ingrian.com for more information about Ingrian Accelerator products, and refer to the documentation for the specific accelerator for information about how to configure the accelerator for your application.
The Ingrian Accelerator is configured to pass data from a client to a server through forwarding rules. A forwarding rule specifies, among other things, the listen port that clients connect to, the target port on the back-end server, the protocol that clients use to communicate with the Ingrian Accelerator, and the protocol that the accelerator uses to communicate with the back-end server.
The Ingrian Accelerator supports several protocols. To be used with the TIBCO Enterprise Message Service server, however, the accelerator must be configured to use the “SSL Any” protocol to communicate with clients and the “Any” protocol to communicate with the server. See the documentation for the specific Ingrian Accelerator you are using for information about how to configure forwarding rules.
The Ingrian Accelerator can also be configured to extract the user name from the client certificate and pass it to the server for user authentication. If you require this functionality, please contact TIBCO for instructions about how to enable this feature in the Ingrian Accelerator and the TIBCO Enterprise Message Service server.
Because the Ingrian Accelerator offloads all SSL functionality from the server, none of the parameters in tibemsd.conf for configuring SSL in the server are used. When the Ingrian Accelerator is deployed, the TIBCO Enterprise Message Service server should be configured to use standard TCP communication.
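The following check is an added example, not part of the TIBCO guide: it reads a tibemsd.conf and reports settings that do not fit a deployment behind the accelerator, namely leftover `ssl_` parameters, listen ports that are not plain TCP, and plain-TCP ports that are not bound to a specific address. The sample file is constructed, and the check assumes listen URLs of the form protocol://[host:]port and that a listen URL without a host binds every interface.

```python
import re

# Constructed sample: a tibemsd.conf carried over from a direct-SSL deployment.
SAMPLE_CONF = """\
# constructed sample, not from the TIBCO documentation
server = EMS-SERVER
listen = tcp://7222
listen = ssl://7243
ssl_server_identity = certs/server.cert.pem
ssl_server_key = certs/server.key.pem
"""

# protocol://[host:]port, the listen URL shape this check assumes.
LISTEN_RE = re.compile(r"^(?P<proto>\w+)://(?:(?P<host>[^:/]+):)?(?P<port>\d+)$")


def audit_conf(text):
    """Return findings for a tibemsd.conf that sits behind an SSL accelerator."""
    findings = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        key, value = (part.strip() for part in line.split("=", 1))
        key = key.lower()
        if key.startswith("ssl_"):
            # Per the page, no server-side SSL parameter is used behind the accelerator.
            findings.append((lineno, "unused-ssl-param", key))
        elif key == "listen":
            m = LISTEN_RE.match(value)
            if m is None:
                findings.append((lineno, "unparsed-listen", value))
            elif m["proto"].lower() != "tcp":
                # The accelerator forwards plain TCP, so the server should listen on TCP.
                findings.append((lineno, "non-tcp-listen", value))
            elif m["host"] is None:
                # Assumption: no host means every interface; this hop is not encrypted.
                findings.append((lineno, "tcp-listen-all-interfaces", value))
    return findings


if __name__ == "__main__":
    for lineno, code, detail in audit_conf(SAMPLE_CONF):
        print(f"line {lineno}: {code}: {detail}")
```

Because the hop from the accelerator to the server carries messages over plain TCP, a finding of `tcp-listen-all-interfaces` is a prompt to confirm that only the accelerator can reach that port.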
TIBCO Enterprise Message Service™ User’s Guide Software Release 4.3, February 2006 Copyright © TIBCO Software Inc. All rights reserved www.tibco.com