The TIBCO EMS Connection is configured globally so that it can be
referenced when configuring TIBCO EMS consumers and TIBCO EMS producers
in the Enterprise Gateway. To configure a global connection to a TIBCO EMS
Server, right-click the External Connections ->
TIBCO Enterprise Messaging Service Connections node in
the Policy Studio tree, and select Add a TIBCO EMS Connection
from the context menu. The remainder of this topic describes how to
configure the tabs and fields on the TIBCO Enterprise Messaging
System Connection dialog.
Before configuring the following fields you must enter a name for this
TIBCO EMS Connection in the Name field. This connection
is then available when configuring a TIBCO EMS Consumer and when configuring
a TIBCO EMS Routing filter.
General Tab:
The following fields are available on the General Tab:
Server URL:
Enter the full URL of the TIBCO EMS Server in this field, for example
tcp://hostname:7222 for non-SSL connections or
ssl://server:7243 for SSL-enabled TIBCO EMS Servers.
User Name:
Enter a username to use when the Enterprise Gateway connects to the TIBCO
EMS Server.
Password:
Enter the password for this user.
SSL Tab:
The following tabs and fields are available on the
SSL Tab:
Limit the use of SSL to improve performance:
If this option is selected, SSL is used only to establish (mutual)
authentication with the TIBCO EMS Server, which takes place during the
initial SSL handshake. Once the channel is set up, data sent over it is
sent in the clear, so message contents are not encrypted as they would
be in a typical SSL session.
Enable client verification of the host certificate or host name:
Select this option if you want the Enterprise Gateway to compare the
Common Name (cn) X.509 attribute of the Distinguished Name in the TIBCO
EMS Server's certificate against the name of the host. Typically, the SSL
handshake requires that the common name in the host's certificate matches
the name of the host machine. For example, to trust the certificate
associated with the www.abc.com site, the certificate must have the
common name attribute set to this name (cn=www.abc.com). If you wish to
perform this check on the TIBCO EMS Server's certificate presented to the
Enterprise Gateway during SSL setup, select this setting.
Expected Host Name:
In cases where the common name in the certificate is not the same as the
name of the host machine, you can override the default validation by
specifying a host name that you expect instead of the host given in the
common name of the server's certificate.
For example, a generic TIBCO EMS Server certificate is issued for testing
purposes, and this certificate is created with a common name of server
(cn=server). Now, assume that you want to create an SSL session
with a TIBCO EMS Server running on a machine that is called host.
The default client verification of the host name setting checks to make sure that
the host on which the TIBCO EMS Server is running is called server
because this is what is in the common name of the certificate. However, the host
name of this machine is host, and so this check fails.
In such cases, you must override the default host checking behavior by specifying
the expected host name in this field. In this case, enter
host in the Expected Host Name field.
Cipher suites to be used:
Specify the OpenSSL cipher suites that the Enterprise Gateway supports. The
ciphers are negotiated during the SSL handshake with the TIBCO EMS
Server so that the strongest and most secure ciphers that are common to
both parties are used.
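The following added example (not part of the product or its documentation) shows one way to check what an OpenSSL cipher string actually enables before entering it in this field. It assumes the field accepts a standard OpenSSL cipher-list string and uses the OpenSSL build linked into the local Python, which may differ from the one in the Enterprise Gateway; the weak-suite markers, the 128-bit minimum and the sample strings are constructed for illustration.

```python
import ssl

# Substrings marking suites a reviewer would normally reject. This is a
# constructed policy for the example, not a list from the product.
WEAK_MARKERS = ("NULL", "ADH", "AECDH", "EXP", "RC4", "DES", "MD5")
MIN_BITS = 128  # assumed minimum symmetric key strength


def expand(cipher_string):
    """Return the suites the local OpenSSL enables for a cipher string."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.set_ciphers(cipher_string)  # ssl.SSLError if nothing can be selected
    return ctx.get_ciphers()


def audit(cipher_string):
    """Split the enabled suite names into (accepted, flagged) lists."""
    accepted, flagged = [], []
    for suite in expand(cipher_string):
        name = suite["name"]
        weak = (any(m in name for m in WEAK_MARKERS)
                or suite.get("strength_bits", 0) < MIN_BITS)
        (flagged if weak else accepted).append(name)
    return accepted, flagged


def is_acceptable(cipher_string):
    """True only if the string parses and enables no flagged suite."""
    try:
        accepted, flagged = audit(cipher_string)
    except ssl.SSLError:
        return False
    return bool(accepted) and not flagged


if __name__ == "__main__":
    # Constructed sample strings, not defaults of the Enterprise Gateway.
    for candidate in ("ECDHE+AESGCM:!aNULL", "ALL:eNULL", "RC4-MD5"):
        try:
            ok, bad = audit(candidate)
            print(f"{candidate!r}: {len(ok)} accepted, flagged: {bad or 'none'}")
        except ssl.SSLError as exc:
            print(f"{candidate!r}: rejected by OpenSSL ({exc})")
```

Because the negotiated suite is limited to what both sides enable, a string that passes this check only bounds what the Enterprise Gateway will offer; the TIBCO EMS Server's own cipher configuration still decides the final choice.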
Trusted Certificates Tab:
You can select the CA (Certificate Authority) certificates that you
consider trusted for setting up the connection to the TIBCO EMS Server
on this tab.
The TIBCO EMS Server's certificate can be explicitly trusted by
importing it into the Certificate Store and selecting it in the list.
Alternatively, in a solution more typical for a Public Key Infrastructure,
the CA certificate that issued the TIBCO EMS Server's certificate is
imported into the Certificate Store and is selected in the list. In this
case, a chain of trust is established because all certificates issued by
the CA are implicitly trusted if the CA is considered trusted.
Client Identity Tab:
If you want to configure mutual authentication to the TIBCO EMS Server you
must select a client certificate from the list that the Enterprise Gateway can
use to authenticate to the TIBCO EMS Server. For the SSL channel to be
established successfully, the TIBCO EMS Server must trust the client
certificate selected here.
Important Note:
If the selected client certificate has been issued by a CA (it is not self-signed),
the certificate of this CA must be imported into the Trusted
Certificate Store. If a chain of certificates exists (for example, the client
certificate was issued by an intermediary CA, which was issued by the root CA),
all intermediary CA certificates must be imported into the Certificate Store.