The TIBCO EMS Connection is configured globally so that it can be
referenced when configuring TIBCO EMS consumers and TIBCO EMS producers
within the Enterprise Gateway. To configure a global connection to a TIBCO
EMS Server, right-click on the "TIBCO Enterprise Messaging Service
Connections" node, which can be found under the "External Connections"
node in the tree view of the Policy Studio. Select the
Add a TIBCO EMS Connection option from the context menu.
The remainder of this help guide describes how to configure the tabs and
fields on the
TIBCO Enterprise Messaging System Connection dialog.
Before configuring the following fields you must enter a name for this
TIBCO EMS Connection in the Name field. This connection
will then be available when configuring a TIBCO EMS Consumer and also
when configuring a TIBCO EMS Routing filter.
General Tab:
The following fields are available on the General Tab:
Server URL:
Enter the full URL of the TIBCO EMS Server in this field, for example
tcp://hostname:7222 for non-SSL connections or
ssl://server:7243 for SSL-enabled TIBCO EMS Servers.
User Name:
Enter a username to use when the Enterprise Gateway connects to the TIBCO
EMS Server.
Password:
Enter the password for this user.
SSL Tab:
The following tabs and fields are available on the
SSL Tab:
Limit the use of SSL to improve performance:
If this option is checked, SSL will only be used for establishing
(mutual) authentication with the TIBCO EMS Server, which takes place
during the initial SSL handshaking process. Once the channel has been
set up, data sent over this channel will be sent in the clear and will
not be encrypted as in a typical SSL session.
Enable client verification of the host certificate or host name:
Check this option if you want the Enterprise Gateway to compare the
Common Name (i.e. "cn") X.509 attribute of the Distinguished Name in the
TIBCO EMS Server's certificate with the name of the host. Typically, the
SSL handshake requires that the common name in the host's certificate
matches the name of the host machine. So, for example, in order to "trust"
the certificate associated with the www.abc.com site, the certificate must
have the common name attribute set to this name, i.e. "cn=www.abc.com".
To perform this check on the certificate that the TIBCO EMS Server
presents to the Enterprise Gateway during SSL setup, check this checkbox.
Expected Host Name:
In cases where the common name in the certificate is not the same as the
name of the host machine, you can override the default validation by
specifying the host name that you expect instead of the host given in the
common name of the server's certificate.
For example, let's say a generic TIBCO EMS Server certificate is issued
for testing purposes and that this certificate has been created
with a common name of "server", i.e. "cn=server". Now, let's assume
that you want to create an SSL session with a TIBCO EMS Server running on
a machine that is called "host".
The default client verification of the host name setting will check to
make sure that the host on which the TIBCO EMS Server is running is called
"server" since this is what is in the common name of the certificate.
However, the host name of this machine is actually "host" and so this
check will fail.
In such cases, we need to override the default host checking behavior by
specifying the expected host name in this field.
So, in this case, we enter "host" in the
Expected Host Name field.
Cipher suites to be used:
Specify the OpenSSL cipher suites that the Enterprise Gateway supports. The
ciphers will be negotiated during the SSL handshake with the TIBCO EMS
Server so that the strongest and most secure ciphers that are common to
both parties are used.
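The following check is an added example, not part of the original guide or
of the Enterprise Gateway: it expands an OpenSSL cipher string with Python's
ssl module before the string is entered in this field, listing the suites it
enables in preference order and flagging weak ones. It assumes the OpenSSL
build linked into the local Python resembles the gateway's; the names
WEAK_TOKENS, weak_reasons and audit_cipher_string are hypothetical.

```python
import ssl

# Name tokens that mark a suite as unsuitable for protecting traffic.
# Constructed for this example; not a list taken from the guide.
WEAK_TOKENS = {
    "NULL": "no encryption",
    "ADH": "anonymous key exchange",
    "AECDH": "anonymous key exchange",
    "EXP": "export-grade key length",
    "RC4": "RC4 stream cipher",
    "DES": "DES or 3DES",
    "MD5": "MD5 MAC",
}


def weak_reasons(suite_name):
    """Return the sorted reasons an OpenSSL suite name is flagged ([] if none)."""
    tokens = suite_name.split("-")
    return sorted({why for tok, why in WEAK_TOKENS.items() if tok in tokens})


def audit_cipher_string(cipher_string):
    """Expand a cipher string with the local OpenSSL build and report the
    suites it enables, in preference order, plus any that are flagged."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    try:
        ctx.set_ciphers(cipher_string)
    except ssl.SSLError as exc:
        # Raised when the string selects no suite this build can use.
        return {"error": str(exc), "enabled": [], "flagged": {}}
    enabled = [c["name"] for c in ctx.get_ciphers()]
    flagged = {n: weak_reasons(n) for n in enabled if weak_reasons(n)}
    return {"error": None, "enabled": enabled, "flagged": flagged}


if __name__ == "__main__":
    # Constructed sample strings; substitute the value planned for the field.
    for s in ("ECDHE+AESGCM", "ALL:eNULL", "NO-SUCH-SUITE"):
        report = audit_cipher_string(s)
        print(s, "->", report["error"] or f"{len(report['enabled'])} suites")
        for name, why in report["flagged"].items():
            print("   flagged:", name, "(" + ", ".join(why) + ")")
```

On OpenSSL builds with TLS 1.3 support, the TLS 1.3 suites appear in the
enabled list regardless of the string, because set_ciphers() does not
control them.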
Trusted Certificates Tab:
You can select the CA (Certificate Authority) certificates that you
consider "trusted" for setting up the connection to the TIBCO EMS Server
on this tab.
The TIBCO EMS Server's certificate can be explicitly trusted by
importing it into the Certificate Store and selecting it in the list.
Alternatively, in a solution more typical for a Public Key Infrastructure,
the CA certificate that issued the TIBCO EMS Server's certificate is
imported into the Certificate Store and is selected in the list. In this
case a "chain of trust" is established since all certificates issued by
the CA are implicitly trusted if the CA is considered trusted.
Client Identity Tab:
If you want to configure mutual authentication to the TIBCO EMS Server you
must select a client certificate from the list that the Enterprise Gateway can
use to authenticate to the TIBCO EMS Server. In order for the SSL channel
to be established successfully, the TIBCO EMS Server must trust the client
certificate selected here.
Important Note:
If the selected client certificate has been issued by a CA (i.e. it is
not self-signed), the certificate of this CA must be imported into the
Trusted Certificate Store. If a chain of certificates exists (e.g. the
client certificate was issued by an intermediary CA, whose certificate
was issued by the root CA), then all intermediary CA certificates must be
imported into the Certificate Store.