Securing TIBCO BusinessWorks™ 5.X with SSL

Date post: 16-Apr-2020

TIBCO Software Inc. http://www.tibco.com 3303 Hillview Avenue Palo Alto, CA 94304 1-800-420-8450

©2004-2010 TIBCO Software Inc. All Rights Reserved. TIBCO Confidential and Proprietary

A TIBCO Whitepaper

This whitepaper is intended to give the reader insight into the overall capabilities of BusinessWorks™ as it relates to communicating through the Secure Sockets Layer (SSL). This guide provides sufficient detail to implement a broad SSL deployment relatively easily.

This whitepaper does not provide fundamental education on the use of BusinessWorks, SSL, or cryptography. These topics should be considered prerequisites to implementing the examples shown throughout this document.

A near-comprehensive guide

Version 1.3

October 2005

It’s all about… Certificates and Keys

SSL


Copyright Notice

COPYRIGHT© 2004-2010 TIBCO Software Inc. This document is unpublished and the foregoing notice is affixed to protect TIBCO Software Inc. in the event of inadvertent publication. All rights reserved. No part of this document may be reproduced in any form, including photocopying or transmission electronically to any computer, without prior written consent of TIBCO Software Inc. The information contained in this document is confidential and proprietary to TIBCO Software Inc. and may not be used or disclosed except as expressly authorized in writing by TIBCO Software Inc. Copyright protection includes material generated from our software programs displayed on the screen, such as icons, screen displays, and the like.

Trademarks

Technologies described herein are either covered by existing patents or patent applications are in progress. All brand and product names are trademarks or registered trademarks of their respective holders and are hereby acknowledged.

Confidentiality

The information in this document is subject to change without notice. This document contains information that is confidential and proprietary to TIBCO Software Inc. and may not be copied, published, or disclosed to others, or used for any purposes other than review, without written authorization of an officer of TIBCO Software Inc. Submission of this document does not represent a commitment to implement any portion of this specification in the products of the submitters.

Content Warranty

The information in this document is subject to change without notice. THIS DOCUMENT IS PROVIDED "AS IS" AND TIBCO MAKES NO WARRANTY, EXPRESS, IMPLIED, OR STATUTORY, INCLUDING BUT NOT LIMITED TO ALL WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE. TIBCO Software Inc. shall not be liable for errors contained herein or for incidental or consequential damages in connection with the furnishing, performance or use of this material.

For more information, please contact:

TIBCO Software Inc. 3303 Hillview Avenue Palo Alto, CA 94304 USA


Table of Contents

Grand View – The Big Picture ... 5
    Administrator ... 5
    JMS ... 5
    Adapters ... 6
    HTTP & SOAP ... 6
    Rendezvous™ ... 6
A Very Brief Introduction to SSL ... 6
Common Components – JMS Example ... 6
    Trusted Certificates Folder ... 7
    Identity Object ... 8
    SSL Checkbox and Configure SSL Button ... 9
    JMS Configuration ... 10
    Tracing ... 10
    Testing ... 10
    Designer Console Output – SSL-enabled Topic Publication ... 11
Relationship of BW, JMS to CA Certs ... 12
Easy JMS/SSL POC ... 12
OpenSSL Basics ... 13
    Create Certificate Authority ... 13
    Create Signed Certificates and Keys ... 14
    Other Tools – SimpleCA and KeyToolGUI ... 14
Securing the Domain - domainutility ... 15
    Browser-to-Administrator ... 15
    Component-to-Administrator (repoURL) ... 19
    Specifying Certificates for Deployed Components – urlFile ... 21
Securing TIBCO Adapters – JMS Example ... 22
    Set Transport ... 22
    Set Advanced/Session and SSL Parameters ... 23
    Configure ActiveEnterprise Activity ... 25
    Run the Adapter Tester ... 26
Securing HTTP Activities, including SOAP ... 27
    BusinessWorks as a Client/as a Server – SOAP Example ... 27
    HTTP Communications ... 27
    Web Service - WSDL Bindings ... 28
    Web Services – HTTP Client ... 29
    Installing Certificates in Internet Explorer ... 30
Securing Rendezvous™ Activities ... 33
    Starting RVSD and Administrative Access ... 33
    Configuring Rendezvous Transport in BusinessWorks ... 35
Tips, Tricks, and Tool Help ... 36
    Enforcing a particular cipher in JMS ... 36
    Simulating and Tracing SSL Clients and Servers using OpenSSL ... 36


Grand View – The Big Picture

BusinessWorks has many different communication channels, both in deployment and within the framework of the TIBCO Administrator. This section explores the landscape of SSL coverage for BusinessWorks.

Administrator

TIBCO Administrator is accessed through a browser for the purposes of human interaction with the infrastructure it contains. In addition, the Administrator is accessed by deployed components, both BusinessWorks Engines and Adapters. In this context, upon initialization, these components access the Administrator for the purposes of obtaining the configuration information necessary to execute their respective roles in the context of the BusinessWorks Project.

You can enable SSL for the Browser-to-Administrator as well as Component-to-Administrator.

JMS

TIBCO Enterprise for JMS supports SSL, and as such can be secured. Later in this document, we will cover a very simple, rapid Proof-of-Concept to show the ease-of-use of the security infrastructure. TIBCO Enterprise for JMS can be secured for both Topics and Queues.

You can enable SSL for TIBCO Enterprise for JMS.


Adapters

TIBCO Adapters, starting with the 5.0 release, can support either Rendezvous™ or JMS as transports. The communication from BusinessWorks to the JMS provider (Client-to-Server) can be secured and also from the Adapter to the JMS Provider (second Client-Server session). Each session or connection can have a unique identity.

You can enable SSL for TIBCO Adapters – on both RV and JMS transports.

HTTP & SOAP

TIBCO BusinessWorks supports both HTTP 1.0 and HTTP 1.1 protocols. Both of these can be configured to use Proxy settings. It is through the HTTP configuration that you secure your SOAP environment.

You can enable SSL for HTTP in TIBCO BusinessWorks.

Rendezvous™

TIBCO Rendezvous supports SSL as a transport and HTTPS as an administrative option. The relevant applications are RVSD (Rendezvous Secure Daemon) or RVSRD (Rendezvous Secure Routing Daemon).

You can enable SSL for Rendezvous for both Adapters and for native Rendezvous activities.

A Very Brief Introduction to SSL

The basic purpose of Secure Sockets Layer (SSL) is to provide secure communications over an inherently insecure medium. In this document, we are using examples from an open source implementation – OpenSSL. OpenSSL is a cryptographic library that can be used to implement many well-known algorithms, including Message Digest and encryption algorithms such as RSA, Triple DES, and others.

The underlying SSL basics include an initial handshake, an exchange of digital certificates, the use of public and private keys to validate identities through a challenge, and finally the set-up of an agreed-upon key to be used with a symmetric cipher. There is significant processing overhead with SSL, especially during the session initiation phase; it is lower once the session has been established. Later in this document, we will introduce external hardware accelerators that make this performance issue moot.

Common Components – JMS Example

This section covers the equivalent of a “Securing TIBCO Enterprise for JMS” chapter and provides some fundamentals for understanding how SSL is enabled and configured throughout TIBCO BusinessWorks.


Trusted Certificates Folder

The players in an SSL environment include an initiator (or Client) and responder (or Server), but a third entity is important – the Certificate Authority or trusted third-party. In the next section, we cover the Identity Object, which is the role that the BusinessWorks process assumes. For the purposes of this section, the Trusted Certificates folder will hold the certificates necessary to identify caller or called objects. For example, if BW is calling a JMS provider to initiate a session, it needs the Server Certificate for the JMS provider and the Root Certificate to vouch for the Server Certificate.

Open up a BusinessWorks Project and create a folder – you can give it any name, but name it so it is obvious that it contains trusted certificates. Import the certificates by selecting the folder in the project, and accessing the menu and navigating from Tools → Trusted Certificates → Import into PEM Format. Repeat this action, selecting the folder, for each certificate that you need to import.


You can inspect a certificate by selecting a particular Cert and right-click, then choose Inspect Resources, or go through the Resources menu item.

Identity Object

The Identity Object has multiple flavors and sub-choices within a particular type. You can drag and drop an Identity Object anywhere in the Project. Remember, these are the identities to be used by BusinessWorks!

Type                     File Type  Comment
Username/Password        N/A        Unsuitable for SSL.
Certificate/Private Key  N/A        Requires certificate URL, key URL, and key password.
Identity File            Entrust    Support for Entrust format. Requires URL and password.
Identity File            JCEKS      Support for Java Cryptography Extension Key Store. Requires URL and password. This has better private key cryptography than JKS.
Identity File            JKS        Support for Java Key Store format. Requires URL and password.
Identity File            PEM        Support for Privacy Enhanced Mail format. Requires URL and password.
Identity File            PKCS12     Support for PKCS12 format. Requires URL and password. This is the preferred type – it protects the private key.


SSL Checkbox and Configure SSL Button

In all of the SSL-configured activities, you see an SSL Configuration line that includes a checkbox for Use SSL? and a Configure SSL… button. Once the checkbox has been chosen, the button becomes active – and you are presented with a pop-up window where you choose the Trusted Certificates Folder and the associated Identities Object, bringing together all of the identities of the actors in the SSL configuration.


In the Advanced tab, choose whether you want:

- Trace
- Debug Trace
- Verify Hostname
- …or Strong Cipher Suites only

If you choose Verify Hostname, you must fill in the Expected Host Name text field, which is the Common Name (CN) found in the certificate of the Server you will be calling.

JMS Configuration

You will need to change the port number in the Provider or JNDI Context URL to match your JMS configuration. By default, the standard port is 7222; when SSL-enabled, it becomes 7243. Similarly, you may need to use the Advanced tab in the Configuration panel to point to the appropriate Topic and Queue Connection Factories.

Tracing

You can start TIBCO Enterprise for JMS with these flags:

    tibjmsd -ssl_trace -ssl_debug_trace

Testing

Testing is a must! Luckily, TIBCO BusinessWorks has a Test Connection button. A pop-up will appear with either a success message or information on the issue preventing success.


If you enabled SSL-tracing when starting up the Enterprise for JMS, you see SSL-specific information related to the use of your certificates:

Figure Notes:

1. Using Server certificate

2. Added Client CA

3. Peer certificate

4. Peer certificate chain

Designer Console Output – SSL-enabled Topic Publication


Relationship of BW, JMS to CA Certs

The schematic shows how the various components of the Certificate Authority (certificates and keys) are cross-referenced in the Trusted Certificate folder and Identity Objects of BusinessWorks and in the three configuration files used by TIBCO Enterprise for JMS. If authorization is not required, but only encryption, then the entries in users.conf do not need to be managed in conjunction with the Common Name (CN) found in the corresponding certificate.

Easy JMS/SSL POC

Configure JMS with the “Standard” SSL configuration:

- Copy C:\tibco\jms\bin\tibjmsdssl.conf to C:\tibco\jms\bin\tibjmsd.conf. This configuration uses the C:\tibco\jms\bin\certs directory.
- Start JMS (optional: with the trace flags!).

Open up a BW 5 Project (Five Easy Steps):

1. Make folders for Trusted Certificates, Identities, Connections, Processes.

2. Go to the Trusted Certificates folder (don’t forget to select the folder for the 2nd import!):
   - Tools -> Trusted Certificates -> Import into PEM format
   - Import “server_root.cert.pem” (CA) and “server.cert.pem” (Server Cert)

3. Go to the Identities folder:
   - Pick type Identity File & PKCS12
   - URL: file://C:/tibco/JMS/bin/certs/client_identity.p12 with Password = password

4. Go to the Connections folder:
   - Drag/Drop JMS Connection
   - Click Use SSL?, change the JNDI Context URL port to 7243
   - Click Configure SSL – pick the folder and identity
   - Click the Advanced tab – Expected Host Name = server
   - On the main Configuration panel, click Advanced – prepend SSL to the factories
   - Test Connection

5. Go to the Processes folder:
   - Build a simple “Pub Topic” process
   - Run, then look at the Console output

Hint: to see more about how the Certificates that come with TIBCO Enterprise for JMS are used, see the various readme files in the <tibco_home>/JMS/bin/certs directory.

OpenSSL Basics

Create Certificate Authority

Modify openssl.cnf:

    [ ca ]
    default_ca = CA_own

    [ CA_own ]
    dir = C:\\OpenSSL
    certs = C:\\OpenSSL
    new_certs_dir = C:\\OpenSSL\\ca.db.certs
    database = C:\\OpenSSL\\ca.db.index
    serial = C:\\OpenSSL\\ca.db.serial
    RANDFILE = C:\\OpenSSL\\ca.db.rand
    certificate = C:\\OpenSSL\\cacert.pem
    private_key = C:\\OpenSSL\\privkey.pem

Create CA – Self-Signed Certificate and Key

SET OPENSSL_CONF=C:\OpenSSL\etc\OpenSSL\OpenSSL.cnf (for each openssl call)

    openssl req -x509 -newkey rsa -out cacert.pem -outform PEM -days 3650

Copy the privkey.pem and cacert.pem files to directory dir.

Translate from PEM to DER:

    openssl x509 -in cacert.pem -inform PEM -out cacert.der -outform DER

Copy cacert.der to directory dir.

Create Signed Certificates and Keys

Repeat for all Clients and Servers:

Create key and request:

    openssl req -newkey rsa:1024 -keyout Key.pem -keyform PEM -out Req.pem -outform PEM

Sign the certificate by the CA:

    openssl ca -in Req.pem -out Cert.pem

Make the PEM certificate into PKCS #12 format for Clients:

    openssl pkcs12 -chain -export -in Cert.pem -out Cert.p12 -inkey Key.pem -CAfile cacert.pem
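The commands above prompt interactively, and the openssl.cnf above names database files (ca.db.index, ca.db.serial, ca.db.certs) that must exist before openssl ca will run. The script below is an added example, not part of the whitepaper: it builds the same layout end to end on a POSIX shell and then runs the checks a practitioner wants before loading the files into BusinessWorks (the chain verifies against the CA, and the CN equals the Expected Host Name). It assumes OpenSSL 1.1.1 or 3.x, a temporary directory in place of C:\OpenSSL, 2048-bit keys instead of the page's 1024, and constructed names and password.

```shell
# Added example, not from the whitepaper: the page's CA layout built end to end.
# Assumptions: OpenSSL 1.1.1 or 3.x on a POSIX shell, a temp directory instead
# of C:\OpenSSL, 2048-bit RSA keys, constructed names and the password "password".
set -e

# openssl.cnf rooted at directory $1, written to $2. [CA_own] mirrors the page;
# the policy, digest and extension sections are additions "openssl ca" needs.
write_ca_config() {
  cat > "$2" <<EOF
[ ca ]
default_ca = CA_own
[ CA_own ]
dir             = $1
certs           = \$dir
new_certs_dir   = \$dir/ca.db.certs
database        = \$dir/ca.db.index
serial          = \$dir/ca.db.serial
RANDFILE        = \$dir/ca.db.rand
certificate     = \$dir/cacert.pem
private_key     = \$dir/privkey.pem
default_days    = 365
default_md      = sha256
policy          = policy_any
x509_extensions = usr_cert
[ policy_any ]
commonName = supplied
[ req ]
distinguished_name = req_dn
[ req_dn ]
commonName = Common Name
[ v3_ca ]
basicConstraints = critical, CA:TRUE
keyUsage         = critical, keyCertSign, cRLSign
[ usr_cert ]
basicConstraints = CA:FALSE
keyUsage         = digitalSignature, keyEncipherment
extendedKeyUsage = serverAuth, clientAuth
EOF
}

# "openssl ca" expects the index, serial and new-certs directory to exist.
init_ca_db() {
  mkdir -p "$1/ca.db.certs"
  : > "$1/ca.db.index"
  echo 01 > "$1/ca.db.serial"
}

# Self-signed CA certificate and key (the page's "openssl req -x509" step),
# plus the DER copy the page makes.
create_ca() {
  openssl req -x509 -newkey rsa:2048 -nodes -days 3650 -config "$1/openssl.cnf" \
    -extensions v3_ca -subj "/CN=Example Root CA" \
    -keyout "$1/privkey.pem" -out "$1/cacert.pem" 2>/dev/null
  openssl x509 -in "$1/cacert.pem" -inform PEM -out "$1/cacert.der" -outform DER
}

# Key and request for one client or server ($2 becomes the CN), signed by the CA.
issue_cert() {
  openssl req -newkey rsa:2048 -nodes -config "$1/openssl.cnf" -subj "/CN=$2" \
    -keyout "$1/$2.key.pem" -out "$1/$2.req.pem" 2>/dev/null
  openssl ca -batch -notext -config "$1/openssl.cnf" \
    -in "$1/$2.req.pem" -out "$1/$2.cert.pem" 2>/dev/null
}

# Certificate, key and CA chain as one PKCS#12 identity file with password $3.
export_p12() {
  openssl pkcs12 -export -chain -CAfile "$1/cacert.pem" -in "$1/$2.cert.pem" \
    -inkey "$1/$2.key.pem" -out "$1/$2.p12" -passout "pass:$3"
}

# Pre-flight check before the files go into BusinessWorks: the chain must
# verify against the CA and the CN must equal the Expected Host Name ($3).
verify_cert() {
  openssl verify -CAfile "$1/cacert.pem" "$1/$2.cert.pem" >/dev/null 2>&1 || return 1
  cn=$(openssl x509 -in "$1/$2.cert.pem" -noout -subject -nameopt RFC2253 | sed 's/^subject= *//')
  [ "$cn" = "CN=$3" ]
}

# Number of certificates inside a PKCS#12 file (2 = identity plus CA).
p12_cert_count() {
  openssl pkcs12 -in "$1" -passin "pass:$2" -nokeys 2>/dev/null | grep -c 'BEGIN CERTIFICATE'
}

# Whole flow in directory $1: the CA, then a "server" and a "client" certificate.
build_demo_ca() {
  write_ca_config "$1" "$1/openssl.cnf"
  init_ca_db "$1"
  create_ca "$1"
  issue_cert "$1" server
  issue_cert "$1" client
  export_p12 "$1" client password
}

if command -v openssl >/dev/null 2>&1; then
  CADIR=$(mktemp -d)
  build_demo_ca "$CADIR"
  verify_cert "$CADIR" server server && echo "server.cert.pem verifies, CN=server, in $CADIR"
fi
```

The resulting server.cert.pem and cacert.pem go into the Trusted Certificates folder and client.p12 becomes the PKCS12 Identity Object; verify_cert with a wrong host name fails the same way a mismatched Expected Host Name would.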

Other Tools – SimpleCA and KeyToolGUI

Graphical tools are available for both OpenSSL (SimpleCA) and for the Java Key Tool (KeyToolGUI). Though limited in capability, they provide ease-of-use while supplying many of the key functions.

KeyTool GUI:
- Create and Open Java Key Stores
- Generate and Examine Key Pairs
- Import Key Pairs and Trusted Certs
- Change Key Store Types
- Password Administration

SimpleCA:
- New Server Cert & Sign
- New Client Cert & Sign
- Export Client as PKCS #12
- Revoke Cert
- Generate CRL


Securing the Domain - domainutility

Securing the Domain involves the use of the Domain Utility, which is found in the bin sub-directory of the TRA package. You are given several options for enabling HTTPS. The second major aspect of securing the domain is to have all relevant deployments communicate via HTTPS to obtain their repository information. We cover both aspects in this section.

Browser-to-Administrator

Securing browser access to the TIBCO Administrator involves:

- enabling HTTPS for the Administrator using the TIBCO Domain Utility
- importing certificates into your browser, an activity useful for PortalBuilder and HTTPS-enabled browser sessions pointing to a BusinessWorks engine

Start the Domain Utility; by default on Windows platforms, it can be found at C:\tibco\tra\5.1\bin.

Pick Domain Configuration and Enable HTTPS as shown.

Here you have your choices:

- Generate and install a self-signed certificate.
- Generate a certificate signing request (CSR).
- Install a server certificate.


This example shows the fields that you fill-out to generate a Certificate Signing Request.

This example shows you where you can find the CSR file for signing by the Certificate Authority. Note that this is in JKS format.


Once installed, this step sets the HTTPS port (the default is 8443). You are also asked to provide the keystore password.

Here is the final step – showing the Server Certificate, associated CA chain certificate (the CA that signed your CSR), and the HTTPS port that is going to be used to access the TIBCO Administrator.


Success! You will have to restart TIBCO Administrator for this to take effect. Note the URL; you can also still access the Administrator in the previous manner.

You can tell that this session has been encrypted by the https URL, and the lock icon in the lower tray.


Component-to-Administrator (repoURL)

Upon deployment, each component needs to be able to access the Repository under the control of the TIBCO Administrator. This is accomplished through the TIBCO Administrator Configuration Builder Panel, shown below for the Application StockJMSSSL:

Click the application (top line, the link StockJMSSSL), and you see this screen:


From this point, you simply click the Advanced Tab, and scroll down to TIBCO BusinessWorks and Adapter Deployment Repository Interface. If you enabled HTTPS through the DomainUtility, HTTPS becomes an option:

This can also be done by editing the relevant TRA file(s) and changing the Project Locator. The syntax to use is:

HTTP/S Syntax

HTTP or HTTPS
    Use http:// or https:// as appropriate.

Host and port
    Name of the host and, if needed, its port number, separated by a colon (:). Include the port number if the port is not the default (80 or 8080 for HTTP, 443 or 8443 for HTTPS).

Repository locator string
    Location of the repository on the host.

?
    Required delimiter to separate the path of the repository from any parameters that follow, such as urlFile.

urlFile
    TIBCO requires this parameter for HTTPS, but it is optional for HTTP; it is the path to the URL file you want to use. The value you specify for urlFile can be either a fully qualified path or a relative path. The properties in the URL file are appended to the repository locator string. If the same property appears in both the locator string and the properties file, the properties in the locator string take precedence. For more information about the URL file, see Specifying Certificates for Deployed Components – urlFile on page 21.

Here is a sample URL for tibco.repourl for HTTPS:

    https://host:8443/administrator/repo?urlFile=httpsProps.ini&myInst

Here is a sample URL for a Rendezvous implementation:

    tibcr://myInst:service=5456:userName=ann:timeout=4000


Here are some optional parameters for HTTPS:

timeout
    Timeout value in seconds for server requests.

operationRetry
    Number of retries if a timeout occurs.

userName
    Any identifier (null or empty implies read-only with guest privileges).

password
    User password for security.

typeAccess
    Whether access is read-only or read-write. Valid values are:
    - CLIENT_USAGE_DONT_CARE (default): client reads until update, then switches to write.
    - CLIENT_USAGE_READ_ONLY: client is not allowed to do updates.
    - CLIENT_USAGE_READ_WRITE: client can do both reads and updates.

Specifying Certificates for Deployed Components – urlFile

The file can contain any of the optional parameters listed below. Property values starting with # are considered obfuscated.

Parameter            Description
trustedCertFormat    Format of the SSL certificate. Can be one of these values: P12, P7, PEM, DER, EPF, keystore.
                     Only PEM is supported for C++ repository clients.
httpsVendor          Name of the SSL provider. For Java repository clients, this can be either j2se or entrust61.
                     This string is case sensitive. For C++ repository clients, OpenSSL is the only supported
                     vendor, so this property is ignored.
keyFile              Name of the key file. Keys can either be embedded (P12 and keystore) or non-embedded
                     (PEM, P7, and DER). keyFile is relevant only for non-embedded key formats, like PEM, DER, and P7.
keyPassword          Password for the key file.
identityFile         Location of the identity file.
identityType         Format of the identity file. Can be one of these values: P12, P7, PEM, DER, keystore, EPF.
trustedCertPassword  Password for the certificate specified by trustedCerts. This property is not relevant for
                     C++ repository clients.
trustedCerts         Location of the trusted certificate or certificate chain.
egdSocket            Location of the socket from which to get the random number, for C++ applications using
                     HTTPS transport on UNIX platforms other than Linux. This property is not relevant for
                     Java applications.

Examples

This is an example of a URL file containing HTTPS-specific properties for Java applications:

httpsVendor=j2se
trustedCerts=H:/downloads/certs/clientcerts/trustedcerts/RSA/PEM/RSA1024ca1.cert.PEM
trustedCertFormat=PEM
trustedCertPassword=RSA1024ca1
identityFile=H:/downloads/certs/clientcerts/idcert/RSA/P12/RSA1024ca2.cert.P12
identityType=P12
keyPassword=RSA1024ca2
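As an added example (not code from the whitepaper or from TIBCO), here is a small Python checker that parses a urlFile in the format shown above and applies the rules from the parameter table: embedded (P12, keystore) versus non-embedded (PEM, P7, DER) key formats, the PEM-only restriction for C++ repository clients, the case-sensitive httpsVendor values, and the convention that a value starting with # is obfuscated. The treatment of lines beginning with # or ! as comments, and the expectation that keyPassword is set whenever identityFile is, are my assumptions; the second input file is constructed and its paths are placeholders.

```python
"""Added example (not TIBCO code): parse and sanity-check a BusinessWorks HTTPS urlFile."""
from collections import namedtuple

# Formats from the whitepaper's parameter table.
EMBEDDED_KEY_FORMATS = {"P12", "keystore"}        # private key lives inside the identity file
NON_EMBEDDED_KEY_FORMATS = {"PEM", "P7", "DER"}   # private key is supplied separately via keyFile
IDENTITY_FORMATS = EMBEDDED_KEY_FORMATS | NON_EMBEDDED_KEY_FORMATS | {"EPF"}
TRUSTED_CERT_FORMATS = IDENTITY_FORMATS
JAVA_HTTPS_VENDORS = {"j2se", "entrust61"}        # case sensitive

Prop = namedtuple("Prop", "value obfuscated")


def parse_url_file(text):
    """Return {name: Prop}. A value that starts with '#' is flagged as obfuscated.

    Assumption: lines whose first character is '#' or '!' are comments, as in
    Java properties files; the whitepaper only defines the '#' value prefix."""
    props = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#!":
            continue
        if "=" not in line:
            raise ValueError("malformed line: %r" % raw)
        key, _, value = line.partition("=")
        value = value.strip()
        props[key.strip()] = Prop(value, value.startswith("#"))
    return props


def check_url_file(props, client="java"):
    """Return [(severity, message)] with severity 'error' or 'warning'.

    client is "java" or "cpp" (C++ repository client); the rules differ."""
    findings = []

    def val(name):
        return props[name].value if name in props else None

    if client == "java" and val("httpsVendor") not in JAVA_HTTPS_VENDORS:
        findings.append(("error", "httpsVendor must be j2se or entrust61 (case sensitive)"))

    if val("trustedCerts") is None:
        findings.append(("error", "trustedCerts missing: the server certificate cannot be verified"))
    else:
        fmt = val("trustedCertFormat")
        if fmt not in TRUSTED_CERT_FORMATS:
            findings.append(("error", "unknown trustedCertFormat %r" % fmt))
        elif client == "cpp" and fmt != "PEM":
            findings.append(("error", "C++ repository clients support only PEM trusted certificates"))

    if val("identityFile") is not None:
        itype = val("identityType")
        if itype not in IDENTITY_FORMATS:
            findings.append(("error", "unknown identityType %r" % itype))
        elif itype in NON_EMBEDDED_KEY_FORMATS and val("keyFile") is None:
            findings.append(("error", "identityType %s keeps the key outside the identity file; keyFile is required" % itype))
        elif itype in EMBEDDED_KEY_FORMATS and "keyFile" in props:
            findings.append(("warning", "keyFile is ignored for embedded format %s" % itype))
        if val("keyPassword") is None:            # assumption: a protected key is expected
            findings.append(("warning", "keyPassword not set for the identity"))

    for name, prop in props.items():              # flag clear-text secrets on disk
        if name.lower().endswith("password") and not prop.obfuscated:
            findings.append(("warning", "%s is stored in clear text (no '#' prefix)" % name))
    return findings


# The whitepaper's own Java example, verbatim.
JAVA_EXAMPLE = """\
httpsVendor=j2se
trustedCerts=H:/downloads/certs/clientcerts/trustedcerts/RSA/PEM/RSA1024ca1.cert.PEM
trustedCertFormat=PEM
trustedCertPassword=RSA1024ca1
identityFile=H:/downloads/certs/clientcerts/idcert/RSA/P12/RSA1024ca2.cert.P12
identityType=P12
keyPassword=RSA1024ca2
"""

# Constructed: a PEM identity that forgot keyFile, with an obfuscated password.
PEM_EXAMPLE = """\
# constructed sample, paths are placeholders
httpsVendor=j2se
trustedCerts=/opt/certs/ca.cert.pem
trustedCertFormat=PEM
identityFile=/opt/certs/client.cert.pem
identityType=PEM
keyPassword=#2a7c4e
"""

if __name__ == "__main__":
    for label, text in (("java example", JAVA_EXAMPLE), ("pem example", PEM_EXAMPLE)):
        for severity, message in check_url_file(parse_url_file(text)):
            print("%-12s %-8s %s" % (label, severity, message))
```

Run against the whitepaper's example the checker reports no errors but two warnings, because both passwords are written in the clear; the constructed PEM example yields exactly one error, the missing keyFile.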

Securing TIBCO Adapters – JMS Example

This section covers the basic steps to secure both the Adapter-to-JMS Provider connection and the associated ActiveEnterprise™ Activity found in a BusinessWorks Project.

To start, drag and drop an Adapter Configuration Object onto the canvas. Double-click it and pick an appropriate service. In this example, we use the ActiveDatabase Adapter with an ADBPublisher Service. Pick JMS as the Transport Type.

Set Transport


Set Advanced/Session and SSL Parameters

Next you will click through the Advanced Folder into the Sessions Folder, where you will see options for configuring SSL – just like you saw with JMS!

1. Pick a Session of type JMS.
2. Check the Use SSL? checkbox.
3. Click the Configure SSL… button.
4. Fill out the details for Trusted Certificate Folders and Identity.


Continue with configuration – the Connection Factory and the Global Variables, as shown:


Configure ActiveEnterprise Activity

Shown here is an Adapter Subscriber Activity to correspond with the Adapter Publisher:

Set the transport.

Pick the Adapter Service and navigate to the Transport Tab.

Configure SSL as you have previously, but choose a unique identity for the BW process.


Run the Adapter Tester

Navigate to the main menu bar and choose Tools → Show → Adapter Tester. Next, pick the appropriate Adapter Configuration, Adapter Executable and Working Directory. Now you are ready to click the Start button. Below you see the output of this configuration, with the configured cipher and certificate information.


Securing HTTP Activities, including SOAP

Just like all of the other activities, you import certificates into the Trusted Certificate folder, create an identity, and configure the connection.

BusinessWorks as a Client/as a Server – SOAP Example

The Identity Object is used whenever BusinessWorks initiates an activity, and this applies to the case where you have a Send HTTP Request, Send HTTP Response, or SOAP Request/Reply and SOAP Event Source.

HTTP Communications

You pick a port, and configure SSL as you have done for the other communication activities:


Web Service - WSDL Bindings

Next, you build an Abstract WSDL and use that WSDL to create your Web Service. This Service produces the Concrete WSDL with bindings to the HTTPS Transport. This Concrete WSDL is used in the Client Process.

The WSDL Source Tab reveals the HTTPS address:

...<wsdl:service name="TheWebService">
  <wsdl:port name="TheWebServiceHttpPort" binding="tns:TheWebServiceBinding">
    <soap:address location="https://cmilono-nb:5544/Process_sp_Definitions/TheWebService"/>
  </wsdl:port>
</wsdl:service>


Web Services – HTTP Client

Note that the Endpoint URL references HTTPS and inherits the HTTP Connection information from the Service. Note also that you must configure SSL again – in most cases you will have different Identity Objects, but you can reuse shared Trusted Certificates.


Installing Certificates in Internet Explorer

You import certificates in Internet Explorer through the Tools menu, and then navigate to Content → Certificates.

Pick the Certificate to import. In this case, we are importing a Client Certificate, so PKCS #12 is most appropriate.


Enter a password for the private key, and make choices about the style of using this certificate.

Pick the type of certificate store.

After finishing the confirmation steps, you see the imported certificate under the Personal tab. The next steps are to put the Server and Trusted Root certs in their appropriate folders – repeating the steps shown above, but selecting the appropriate tab.


Here you see the Trusted Root Certification Authorities Tab. Choose a type of PEM-encoded Certificate rather than a PKCS #12.

To see PEM files, you need to change the mask in the Files-of-Type chooser.

Using a browser: Because we made the choice to protect our certificate, this window pops up when the browser needs to access the Cert.

Since we borrowed the certs from our Enterprise for JMS distribution, the default Common Name for the Server is "server", which does not match the hostname we connected to, and that is why the browser shows an alert. In the real world, you can build a Server Certificate that truly matches your hostname.


Securing Rendezvous™ Activities

This section does not cover TIBCO Adapters, but does cover the differences in SSL handling when contrasted with other aspects of TIBCO Technology.

Starting RVSD and Administrative Access

In BusinessWorks 5.X, the TIBCO Runtime Agent is not started as a Service, but provides services dynamically. In this context, you have RVD dynamically started by processes, but RVSD must be started manually.

Here is an example startup command line, and the resulting output:

C:\tibco\tibrv\bin>rvsd -store mystore.txt -listen ssl:10.105.16.244:7887

TIB/Rendezvous daemon
Copyright 1994-2003 by TIBCO Software Inc
All rights reserved.
Version 7.2.16
2003-12-19 15:36:44 rvsd: Hostname: cmilono-nb
2003-12-19 15:36:44 rvsd: Hostname IP address: 10.105.16.244
2003-12-19 15:36:44 rvsd: Detected IP interface: 192.168.88.1 (IP00)
2003-12-19 15:36:44 rvsd: Detected IP interface: 192.168.5.1 (IP01)
2003-12-19 15:36:44 rvsd: Detected IP interface: 192.168.123.164 (IP02)
2003-12-19 15:36:44 rvsd: Detected IP interface: 10.105.16.244 (IP03)
2003-12-19 15:36:44 rvsd: Detected IP interface: 127.0.0.1 (loopback)
2003-12-19 15:36:44 rvsd: Using ticket file C:\tibco\tibrv\BIN\tibrv.tkt
2003-12-19 15:36:44 rvsd: Using store file mystore.txt
2003-12-19 15:36:44 rvsd: Initializing random pool...
2003-12-19 15:36:45 rvsd: Logging: [Connections - Off], [Subject Interest - Off] , [Subject Data - Off].
2003-12-19 15:36:45 rvsd: Authorized publishable subject [>].
2003-12-19 15:36:45 rvsd: Authorized subscribable subject [>].
2003-12-19 15:36:45 rvsd: Http interface - http://cmilono-nb:1335/
2003-12-19 15:36:45 rvsd: Https interface - https://cmilono-nb:1336/

Note the HTTP and HTTPS interfaces – these show the URLs for Administrative access. I have previously configured Subject Interest and a few other items – all easily found in the TIBCO Rendezvous Administration manual.


After you have an Administrator login, configure the Default Network and Service. Next, access the XML Configuration.

The XML Configuration contains the Self-Signed Cert of the RVSD. Cut and paste the certificate part, including the -----BEGIN CERTIFICATE----- and -----END CERTIFICATE----- parts! This is used in the Trusted Certificates part of a BW Project.

Create a User, and install a SELF-SIGNED Certificate only! At this time, CA-SIGNED Certs are not supported! This certificate will be the certificate used in the Identity Object calling this particular RVSD.

Now you are ready to configure BusinessWorks!
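As an added example (not code from the whitepaper or from TIBCO), the following Python snippet does the cut-and-paste step above mechanically: it extracts every certificate block from the daemon's XML configuration, keeps the BEGIN/END markers, strips the XML indentation, checks that the body is valid base64 and decodes to a DER SEQUENCE, and re-emits a clean PEM block ready for the BW Trusted Certificates folder. The XML element names are hypothetical and the certificate body is a constructed five-byte stand-in, not a real certificate.

```python
"""Added example (not TIBCO code): pull the RVSD self-signed certificate out of the
daemon's XML configuration with its BEGIN/END markers intact."""
import base64
import re

PEM_CERT = re.compile(
    r"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----", re.DOTALL)


def extract_certificates(text):
    """Return every certificate in text as a clean PEM string (markers included,
    64-column body), ready to paste into a BW Trusted Certificates folder.

    Raises ValueError if a block is not valid base64 or does not decode to a
    DER SEQUENCE (first byte 0x30), which is how a mangled paste shows up."""
    certs = []
    for match in PEM_CERT.finditer(text):
        body = "".join(match.group(1).split())          # drop XML indentation/newlines
        try:
            der = base64.b64decode(body, validate=True)
        except ValueError as exc:                        # binascii.Error is a ValueError
            raise ValueError("certificate body is not valid base64: %s" % exc)
        if not der or der[0] != 0x30:
            raise ValueError("decoded certificate does not start with a DER SEQUENCE")
        lines = [body[i:i + 64] for i in range(0, len(body), 64)]
        certs.append("-----BEGIN CERTIFICATE-----\n%s\n-----END CERTIFICATE-----\n"
                     % "\n".join(lines))
    return certs


def is_complete_pem(snippet):
    """True only when both markers are present: pasting the base64 body alone
    (the mistake the text above warns about) is rejected."""
    return PEM_CERT.search(snippet) is not None


# Constructed stand-in for the RVSD XML configuration. Element names are
# hypothetical and the base64 body is a 5-byte DER SEQUENCE, not a real cert.
CONSTRUCTED_RVSD_XML = """<daemon>
  <certificate>
    -----BEGIN CERTIFICATE-----
    MAMCAQE=
    -----END CERTIFICATE-----
  </certificate>
</daemon>
"""

if __name__ == "__main__":
    for pem in extract_certificates(CONSTRUCTED_RVSD_XML):
        print(pem, end="")
```

The DER check is deliberately shallow (only the outer SEQUENCE tag), but it is enough to catch a block whose base64 was truncated or had a stray character added while copying out of the browser.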


Configuring Rendezvous Transport in BusinessWorks

This all looks similar, except that you point to a specific Certificate – the Daemon Certificate – rather than a Trusted Certificates Folder. The Daemon corresponds to the Listen parameter and the Network and Service correspond to the configurations put into the RVSD daemon. Remember to import the Certificate you exported out of the Daemon and import the same SELF-SIGNED Cert for the identity. NOTE: Unlike JMS, Rendezvous does not have an SSL tracing facility.


Tips, Tricks, and Tool Help

Enforcing a particular cipher in JMS

To force a particular cipher suite in the TIBCO Enterprise Messaging Service, simply modify the tibjmsd.conf file to exclude all other suites and to include a particular suite.

If you need Triple DES (3DES), this entry forces that type of encryption:

ssl_server_ciphers = -all:DES-CBC3-SHA

This syntax declares that EMS should remove all cipher suites, and then add DES-CBC3-SHA, the suite that uses Triple DES in CBC mode with a SHA-1 MAC.
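As an added example (not code from the whitepaper, TIBCO or OpenSSL), here is a Python model of how an OpenSSL-style cipher string such as the one above is evaluated, so the effect of -all, ! and + can be checked before the daemon is restarted. It handles suite names and the all keyword only (real OpenSSL also understands group keywords such as HIGH or 3DES); the catalogue is a constructed subset of real OpenSSL suite names in an illustrative order, and the assumption that EMS hands the string to OpenSSL's cipher-list logic is mine.

```python
"""Added example (not TIBCO or OpenSSL code): model how an OpenSSL-style cipher
string such as "-all:DES-CBC3-SHA" is evaluated."""

# Constructed subset of real OpenSSL suite names, in an illustrative order.
CATALOGUE = ["AES256-SHA", "AES128-SHA", "DES-CBC3-SHA", "RC4-SHA", "RC4-MD5"]


def evaluate_cipher_string(cipher_string, catalogue=CATALOGUE):
    """Return the enabled suites, in preference order, after applying cipher_string.

    Rules modelled (they follow OpenSSL's cipher-list semantics):
      name    add the suite to the end of the list if it is not already there
      -name   remove the suite; a later bare "name" may add it back
      !name   remove the suite permanently; later additions are ignored
      +name   move an already-enabled suite to the end (lowest preference)
    "all" (any case) expands to every suite in the catalogue. Group keywords
    such as HIGH or 3DES are not modelled. The list starts empty, as OpenSSL's
    does; the explicit "-all" in the EMS setting makes the intent unambiguous
    even if a daemon applied the string on top of a pre-populated default."""
    enabled = []        # active suites in preference order
    killed = set()      # suites removed with '!', never re-added
    for token in cipher_string.split(":"):
        token = token.strip()
        if not token:
            continue
        op, name = (token[0], token[1:]) if token[0] in "-!+" else ("", token)
        targets = list(catalogue) if name.lower() == "all" else [name]
        unknown = [t for t in targets if t not in catalogue]
        if unknown:
            raise ValueError("unknown cipher suite(s): %s" % ", ".join(unknown))
        for suite in targets:
            if op == "!":
                killed.add(suite)
                enabled = [s for s in enabled if s != suite]
            elif op == "-":
                enabled = [s for s in enabled if s != suite]
            elif op == "+":
                if suite in enabled:
                    enabled.remove(suite)
                    enabled.append(suite)
            elif suite not in killed and suite not in enabled:
                enabled.append(suite)
    return enabled


if __name__ == "__main__":
    for spec in ("-all:DES-CBC3-SHA",
                 "-all:!DES-CBC3-SHA:AES128-SHA:DES-CBC3-SHA",
                 "all:+AES256-SHA"):
        print("%-45s -> %s" % (spec, evaluate_cipher_string(spec)))
```

The second sample string shows why the operator matters: after !DES-CBC3-SHA the suite stays out even though it is named again later, whereas -all followed by a bare name adds the suite back. Note that 3DES is a 64-bit block cipher and is now treated as weak by current guidance, so pinning DES-CBC3-SHA as above is for interoperability with legacy peers, not a hardening measure.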

Simulating and Tracing SSL Clients and Servers using OpenSSL

BusinessWorks can function as both a Client and a Server, depending on the functional activities that you configure. It might be useful to be able to see what ciphers are being invoked and other information regarding the validity of the certificates, and OpenSSL can give you this insight. In some cases, Customers want proof that a channel is encrypted with a particular suite – again, you can use OpenSSL.

Here is a command line to simulate a Client, using the well-known SSL port for HTTP and the default cert/key pair from JMS:

openssl s_client -connect localhost:443 -cert server.cert.pem -key server.key.pem

Here is a command line to simulate a Server, including an instruction to force a particular cipher:

openssl s_server -accept 443 -www -cert server.cert.pem -key server.key.pem -cipher DES-CBC3-SHA

Screenshot from simulating a Server – shows DES enforcement.

