
Key: HJMS-65
Type: Bug
Status: Resolved
Resolution: Fixed
Priority: Major
Assignee: Colin Crist
Reporter: Mike
Votes: 0
Watchers: 3


Unable to configure Tibco EMS SSL connection

Created: 20/Jan/08 05:52 PM   Updated: 30/Oct/09 01:05 PM
Component/s: None
Affects Version/s: 1.12
Fix Version/s: 1.13

Environment: Tibco EMS 4.4.1, HermesJMS 1.12, jre 1.5

Description
Currently, all the SSL related parameters in the connection configuration UI for Tibco EMS are not connected to the actual factory parameters in TibjmsAdmin. Setting up an ssl://.... connection instead of tcp://.... results in the exception below being thrown regardless of the SSL configuration parameters provided.

com.tibco.tibjms.admin.TibjmsAdminException: Unable to connect to server. Root cause:
javax.jms.JMSSecurityException: Can not initialize SSL client: no trusted certificates are set
        at com.tibco.tibjms.admin.MessengerUtil.<init>(MessengerUtil.java:68)
        at com.tibco.tibjms.admin.TibjmsAdmin.<init>(TibjmsAdmin.java:222)
        at com.tibco.tibjms.admin.TibjmsAdmin.<init>(TibjmsAdmin.java:203)
        at hermes.ext.ems.TibcoEMSAdminFactory.createAdmin(TibcoEMSAdminFactory.java:97)
        at hermes.ext.ems.TibcoEMSAdmin.getAdmin(TibcoEMSAdmin.java:73)
        at hermes.ext.ems.TibcoEMSAdmin.discoverDestinationConfigs(TibcoEMSAdmin.java:253)
        at hermes.impl.HermesAdminAdapter.discoverDestinationConfigs(HermesAdminAdapter.java:83)
        at hermes.impl.DefaultHermesImpl.discoverDestinationConfigs(DefaultHermesImpl.java:1307)
        at hermes.browser.tasks.DiscoverDestinationsTask.invoke(DiscoverDestinationsTask.java:76)
        at hermes.browser.tasks.TaskSupport.run(TaskSupport.java:175)
        at hermes.browser.tasks.ThreadPool.run(ThreadPool.java:170)
        at java.lang.Thread.run(Thread.java:595)

Colin Crist [30/Jan/08 06:09 AM]

Annoyingly Tibco do not provide getter methods on their connection factory so once Hermes sets anything it cannot later on "get" them. To fix this, some time ago, I used bcel to bytecode generate a wrapper that caches the properties so I can later get them. This means only java bean properties can be get/set.

This means currently the following cannot be set:

SSLProxy host and port.
SSLProxyAuth username and password

None of this works if you use JNDI to store the administered EMS connection factory. I need to work out a better way of supporting SSL for EMS but in the meantime what I've done may get you moving forward.

I do not have an SSL secured EMS server to test with just yet so cannot guarantee what I've done works but I've put a build up on http://hermesjms.com/patches for you to try.

I'll test properly when I use SSL in the next month or two...

Mike [05/Feb/08 06:12 PM]
Sorry for the delay. Took us a while to get to test it.

I downloaded 1.13, but there is still no luck. hermes still throws JMSSecurityException: can not initialize SSL client: no trusted certificates are set even though I set the SSLTrustedCertificate to point to the trusted certificate stored locally.

I will try to upload the full screenshot of the configuration and the exception.

Mike [20/Feb/08 07:16 PM]
I downloaded the code and did a bit of looking around. The problem appears to be hiding in line 151 in TibcoEMSAdminFactory.java. There is a typo in the property name:

            rval.put(TibjmsSSL.TRUSTED_CERTIFICATES, BeanUtils.getProperty(tibCF, "SSLTrustedertificate")) ;

should be:

            rval.put(TibjmsSSL.TRUSTED_CERTIFICATES, BeanUtils.getProperty(tibCF, "SSLTrustedCertificate")) ;

I fixed it and built the hermes. My only issue is the evaluation version of JIDE that pops up warnings about the version expiring on 8th of April 2008.


Can you, please, do the above fix in 1.13 patch and re-build it for me?


Colin Crist [21/Feb/08 06:17 AM]

Doh - thanks for finding this!

Build is at http://hermesjms.com/patches

Laurent Bernaille [30/Oct/09 01:05 PM]
I had a similar issue on versions 1.13 and 1.14.
I discovered that the check to decide whether to use SSL or not for the EMS admin connection is based on the SSLIdentity property in the class TibcoEMSAdminFactory.java:

if (BeanUtils.getProperty(tibCF, "SSLIdentity") != null)

I think this check should rely on another field because you can use SSL without using a client certificate.
This field could be "SSLTrustedCertificate", which is compulsory on the EMS clients.
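
An added sketch, not HermesJMS or TIBCO code and not part of any comment above, of the two points raised in this thread: read factory properties so that a misspelled name fails loudly, and decide on SSL from the URL scheme or trusted certificate rather than from SSLIdentity. The `Factory` bean, the `serverUrl` property, the two key strings and the sample URL and path are assumptions constructed for the example.

```java
import java.beans.Introspector;
import java.beans.PropertyDescriptor;
import java.util.HashMap;
import java.util.Map;

public class EmsSslEnvExample {
    // Placeholder keys (assumption); real code would use the TibjmsSSL constants instead.
    static final String TRUSTED_KEY = "example.ssl.trusted";
    static final String IDENTITY_KEY = "example.ssl.identity";
    // Hypothetical stand-in for the connection factory wrapper, constructed for this example.
    public static class Factory {
        private final String serverUrl, trusted, identity;
        public Factory(String serverUrl, String trusted, String identity) {
            this.serverUrl = serverUrl; this.trusted = trusted; this.identity = identity;
        }
        public String getServerUrl() { return serverUrl; }
        public String getSSLTrustedCertificate() { return trusted; }
        public String getSSLIdentity() { return identity; }
    }
    // Read a bean property by name; an unknown (e.g. misspelled) name is an error, never a silent null.
    static String strictGet(Object bean, String name) throws Exception {
        for (PropertyDescriptor pd : Introspector.getBeanInfo(bean.getClass()).getPropertyDescriptors()) {
            if (pd.getName().equals(name) && pd.getReadMethod() != null) {
                return (String) pd.getReadMethod().invoke(bean);
            }
        }
        throw new IllegalArgumentException("No readable bean property '" + name + "'");
    }
    // Build the SSL settings for the admin connection from the factory's properties.
    static Map<String, String> sslEnv(Object cf) throws Exception {
        Map<String, String> env = new HashMap<String, String>();
        String url = strictGet(cf, "serverUrl");
        String trusted = strictGet(cf, "SSLTrustedCertificate");
        String identity = strictGet(cf, "SSLIdentity");
        boolean wantsSsl = (url != null && url.startsWith("ssl://")) || trusted != null;
        if (!wantsSsl) return env;                       // plain tcp:// connection
        if (trusted == null)                             // fail before connecting, with a clear message
            throw new IllegalStateException("ssl:// URL but SSLTrustedCertificate is not set");
        env.put(TRUSTED_KEY, trusted);
        if (identity != null) env.put(IDENTITY_KEY, identity); // client certificate is optional
        return env;
    }

    public static void main(String[] args) throws Exception {
        Factory cf = new Factory("ssl://ems.example.test:7243", "/path/to/ca.pem", null);
        System.out.println(sslEnv(cf));                  // server-auth only: no identity configured
        try { strictGet(cf, "SSLTrustedertificate"); }   // the misspelling quoted in the thread
        catch (IllegalArgumentException e) { System.out.println(e.getMessage()); }
    }
}
```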