
General

General Settings allow you to modify the installation name, installation prefix, and description of the installation.

Table 13 Server Settings Fields

Installation Name
  The name of the TIBCO BusinessConnect installation. TIBCO BusinessConnect names the installation automatically as BC-domain_name. You can change the name as desired.
  Note: BusinessConnect uses the installation name within TIBCO Rendezvous and JMS subjects. If you rename the installation after deploying the TIBCO BusinessConnect server, subject names will be out of sync. Therefore, if you modify the installation name, undeploy and then redeploy the server.

Installation Prefix
  The prefix TIBCO BusinessConnect appends to the subject of every message. The default value is AX.BC.
  Note: If you change the installation prefix after deploying the TIBCO BusinessConnect server, subject names will be out of sync. Therefore, if you modify the prefix, undeploy and then redeploy the server.

Description
  An optional text description of this TIBCO BusinessConnect installation.

Default Host
  The default host for the TIBCO BusinessConnect installation. The first host participant that you add to the installation is automatically set as the default host. A user can modify the default host when required; this change does not require redeployment or restarting of the TIBCO BusinessConnect server.


Certificate Store

The certificate store allows you to manage all credentials (certificates and private keys) in one location. These credentials are owned by participants, the TIBCO BusinessConnect server, and by the trusted CAs (Certificate Authorities). You can add and remove CA certificates, and you can create new identity (leaf) certificates, which you can send to a certificate authority for signing using a Certificate Signing Request (CSR). For information about certificates and security in general, see Credentials Tab for Participants, page 11 and TIBCO

Credentials Tab

This tab allows you to add or to remove trusted root certificates from the system.

Certificates are only valid if both trading partners trust the CA that signed the other’s root certificate.

Add Certificate Authority

1. Select BusinessConnect > System Settings > Certificate Store.

2. Click on Add Certificate Authority.

3. In the Import CA Certificate window, click on the link change.

4. Click Browse to upload the CA certificate file, which should already be available on your machine. If not, make sure to acquire a root certificate before proceeding with this configuration.

5. Click OK twice.

Remove Certificate Authority

1. Select BusinessConnect > System Settings > Certificate Store.

2. Select the checkbox associated with the certificate you wish to remove.

3. Click Remove Certificate Authority.

The CA (Certificate Authority) is not used with PGP keys. CA certificates are used only with the PKI validation method.

To learn how to work with keys, you can use the samples provided with this program in the directory BC_HOME/samples/keys. Keep in mind that the chosen password is Password1.


Chapter 4 System Settings

New Identities Tab

This tab allows you to create new identities (private keys with X.509v3 leaf certificates) and add them to your system. To create a new public key certificate for your server, you first create a Certificate Signing Request (CSR) and send it to a Certificate Authority (CA) for verification. When you create a CSR, a new private key is also created for decryption/verification.

You will send the CSR, which only carries public information, to a CA. Once the signed certificate is returned, it will be attached to the corresponding private key and this new identity becomes usable for decryption/verification, representing itself as stated in the certificate.

Create New Identity

1. Select TIBCO BusinessConnect > System Settings > Certificate Store > New Identities.

2. Click Create New Identity.

Certificate Signing Request Wizard

A six-step Certificate Signing Request wizard appears that will allow you to generate a CSR.

Step 1. General Information

1. Supply the required information using Table 14.

Table 14 CSR Wizard, Step 1 General Information

Identity Alias (required)
  Enter the logical name of the host for which the certificate will be created using the verified certificate and the existing private key of the host.
  Example: MyCertificate

Country (required)
  Only two-character entries are allowed, due to the restrictions posed by X.500.
  Example: US

State (required)
  Enter the state where the host is located.
  Example: California

Locality (required)
  Enter your locality.
  Example: San Jose

Common Name (required)
  Fully qualified domain name (FQDN) of the server where the host is located.
  Example: widgets.com

Key Length (bits) (required)
  Key length of the private key. Choose among 512, 1024, and 2048 bits.
  Example: 512

2. Once the information is entered, click Next.

Step 2. Confirm Settings

This dialog displays the information you have entered. If everything is correct, click Next.

Step 3. Generated CSR

This dialog displays the content of the CSR you have generated.

Figure 8 CSR Wizard Step 3, Generated CSR

3. Copy the text, including both the strings "-----BEGIN CERTIFICATE REQUEST-----" and "-----END CERTIFICATE REQUEST-----", and save it to


You will send the generated CSR to a certificate authority (CA) of your choice for verification.

4. Click Next.

Step 4. CA Response

5. Once you get the verified leaf certificate back, upload it to your machine, or paste it directly into the dialog called CA Response (the fourth step of the CSR wizard):

— upload the leaf certificate from a location on your machine by clicking on the link change, or

— paste the certificate text into the dialog window.

Figure 9 CSR Wizard Step 4, CA Response

6. Click Next to proceed.

Step 5. Complete Certificate Chain

In this step, you will upload the CA root certificate to complete the certificate chain.

7. The dialog will open with an error message Missing CA Certificate. Certificates are only operable if both trading partners trust the CA that signed the other's root certificate.

a. Upload the CA (root) certificate from a location on your machine by clicking on the link change, or

b. Paste the certificate text into the dialog window.


Figure 10 CSR Wizard Step 5, Complete Certificate Chain

8. Click Next.

Step 6. Success

After successfully uploading the verified certificate, you arrive at step 6, Success.

Figure 11 CSR Wizard Step 6, Success

Your new leaf certificate, verified by the CA, is available for you to use. You need to assign the new leaf certificate to your server by selecting the server from the dropdown list next to the label Host.

9. Click Finish.
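Step 3 of the wizard asks you to copy the CSR text including both marker lines, and Table 14 lets you pick the key length. The Python below is an added example, not part of the TIBCO documentation or product: it extracts the PEM block from a paste that may carry surrounding browser text, checks that the base64 body decodes to one complete DER envelope before the request goes to the CA (a truncated or stray-character body is the usual reason a CA rejects a pasted CSR), and flags key lengths below 2048 bits, which current guidance treats as the minimum even though the wizard offers 512 and 1024. The function names are mine, the marker strings are the standard PEM ones, and SAMPLE_PASTE is constructed (its body is a minimal DER SEQUENCE, not a real request).

```python
import base64
import re

# Standard PEM markers for a PKCS#10 request (five hyphens on each side).
CSR_BEGIN = "-----BEGIN CERTIFICATE REQUEST-----"
CSR_END = "-----END CERTIFICATE REQUEST-----"

# Key lengths offered by the wizard (Table 14).
WIZARD_KEY_LENGTHS = (512, 1024, 2048)


def extract_csr_pem(pasted_text):
    """Return the CSR block including both marker lines, one line per row, LF-terminated.

    Raises ValueError when either marker is missing, which is what happens when the
    first or last line of the wizard's text box was not selected before copying.
    """
    start = pasted_text.find(CSR_BEGIN)
    end = pasted_text.find(CSR_END)
    if start < 0 or end < 0 or end < start:
        raise ValueError("text must contain both BEGIN and END CERTIFICATE REQUEST lines")
    block = pasted_text[start:end + len(CSR_END)]
    lines = [line.strip() for line in block.splitlines() if line.strip()]
    return "\n".join(lines) + "\n"


def csr_der_bytes(csr_pem):
    """Base64-decode the PEM body and check its outer DER envelope.

    A PKCS#10 request is a single DER SEQUENCE: the first byte must be 0x30 and the
    encoded length must account for every remaining byte. A mismatch means the body
    was truncated or had extra characters pasted into it.
    """
    body = csr_pem.replace(CSR_BEGIN, "").replace(CSR_END, "")
    body = re.sub(r"\s+", "", body)
    der = base64.b64decode(body, validate=True)  # raises on non-base64 characters
    if len(der) < 2 or der[0] != 0x30:
        raise ValueError("CSR does not start with a DER SEQUENCE")
    first = der[1]
    if first < 0x80:                      # short-form length
        header, length = 2, first
    else:                                 # long-form length: low 7 bits = byte count
        count = first & 0x7F
        header, length = 2 + count, int.from_bytes(der[2:2 + count], "big")
    if header + length != len(der):
        raise ValueError("DER length %d does not match %d decoded bytes" % (header + length, len(der)))
    return der


def key_length_warning(bits):
    """Return None for an acceptable length, otherwise a message to show the operator."""
    if bits not in WIZARD_KEY_LENGTHS:
        raise ValueError("the wizard offers only %s" % (WIZARD_KEY_LENGTHS,))
    if bits < 2048:
        return "%d-bit key is below the 2048-bit minimum; choose 2048" % bits
    return None


# Constructed sample paste: browser text around the request, and a body that is the
# minimal DER SEQUENCE { INTEGER 0 } so the envelope check has something to run on.
SAMPLE_PASTE = (
    "Some page text copied along with the request\n"
    "-----BEGIN CERTIFICATE REQUEST-----\n"
    "MAMCAQA=\n"
    "-----END CERTIFICATE REQUEST-----\n"
    "trailing page text\n"
)

if __name__ == "__main__":
    pem = extract_csr_pem(SAMPLE_PASTE)
    print(pem, end="")
    print("DER bytes:", csr_der_bytes(pem).hex())
    print(key_length_warning(512))
```

Run the two checks on the text you are about to paste into the CA's form; if csr_der_bytes raises, go back to the wizard's Step 3 and copy the block again rather than editing the text by hand.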


Server Identities and Certificates Tab

The Server Identities and Certificates tab allows you to add an LDAP or a JMS server certificate and a new private server key (server identity) to use with the main system. This server key is used only for the inbound HTTPS and HTTPSCA transports and cannot have a shadow key assigned to it (unlike private host keys).

Add LDAP/JMS Server Certificate

The JMS certificate is a credential of the JMS server, which is expected to be configured according to the corresponding guidelines. Before the TIBCO BusinessConnect palette can verify the identity of a JMS server, this certificate has to be added and the checkbox Verify JMS Server has to be selected.

A server certificate is stored in the certificate store and must be created before it is assigned to a transport. To create it, do the following:

1. Select BusinessConnect > System Settings > Certificate Store > Server Identities & Certificates.

2. Click on Add LDAP/JMS Server Certificate.

3. In the New Certificate dialog, enter an alias name for this certificate.

4. Upload the certificate file.

The imported certificate will appear in the Credential Name list.

Figure 12 Imported Server Certificate

5. Click Done.

To learn how to work with keys, you can use the samples provided in the directory BC_HOME/samples/keys.

Keep in mind that the chosen password is Password1.


Inbound Public Transport Types

The inbound transport types available for TIBCO BusinessConnect are:

Email
  — Mail POP3 Server Polling Service - Mailbox #1
  — Mail POP3 Server Polling Service - Mailbox #2
  — Mail POP3 Server Polling Service - Mailbox #3

FTP
  Plain FTP Get Client

FTPS
  Secure FTP Get SSL Client

SSHFTP
  Secure FTP Get SSH Client

HTTP Gateway
  Plain HTTP Service

HTTPS Gateway
  Secure HTTP SSL Service

HTTPSCA Gateway
  Secure HTTP SSL Service with Client Authentication

File Gateway
  File Polling Service

Each of the public transports can be selected and enabled or disabled by selecting the appropriate checkbox associated with a specific transport and clicking on Enable or Disable.

These transports are described separately in the following sections:

• Inbound Mail POP3 Servers, page 58

• Chapter 8, Email Transport, page 127

• Chapter 9, FTP and FTPS Transports, on page 137

• Chapter 10, SSHFTP Transport, on page 151

• Chapter 11, HTTP, HTTPS, and HTTPSCA Transports, page 163

• Chapter 12, AS2 Transport

• Chapter 13, AS1 Transport

• Chapter 14, File Transport


Inbound Mail POP3 Servers

This part of the System Settings section allows you to configure mailboxes on your inbound mail POP3 servers.

Enter information as required in Table 15.

After you enter the required data, click Save and redeploy the Interior Server.

Table 15 Inbound Mail POP3 Servers

Mailbox #1, #2, or #3

  Mail POP3 Server: Name of the POP3 server.

  User Name: Name of the user for this mailbox.

  Password: Password of the user for this mailbox.

  Polling Interval (seconds): Set the polling interval to specify the frequency by which the credential alerter keeps tracking and publishing alerts on expiring credentials. Default is 180 seconds.

Shared Properties

  Number of Dispatch Attempts: Number of attempts to deliver inbound emails from the email event source component to the internal component. Default is 3.

  Dispatch Timeout (seconds): Timeout on the email event source component waiting for an email delivery acknowledgement from the internal component. Default is 3600 seconds.

  Dispatch Interval (time interval for the next retry, in seconds): Interval between delivery attempts for emails sent from the email event source component to the internal component. Default is 300 seconds.


Outbound HTTP/FTP Proxy and Mail SMTP Servers

The Outbound Proxy Settings link adds proxy servers for use by TIBCO BusinessConnect. Different proxy server types are supported to provide for different types of outbound transport protocols:

HTTP Proxy and SOCKS4/SOCKS5 Proxy Servers
  For outbound HTTP transport protocols

SMTP Server
  For outbound Email transport protocols

FTP Proxy and SOCKS4/SOCKS5 Proxy Servers
  For outbound FTP transport protocols

To select a proxy for a partner participant, see Select the Default Proxy for a Trading Partner, page 168 and Configure an SMTP Server for a Partner, page 186.

Add a Proxy for a Host

Using the Outbound Proxy Settings dialog, you can add a proxy server for a host.

1. Select TIBCO BusinessConnect>System Settings.

2. Click Outbound HTTP/FTP Proxy and Mail SMTP Servers.

Figure 13 Outbound HTTP/FTP Proxy Settings

3. To add a proxy server click Add.

Use of proxy servers is optional.


4. In the Name field, enter a meaningful Proxy Name.

5. From the Type dropdown list, select the server: HTTP, SOCKS4, SOCKS5, FTP, or SMTP.

The FTP Gateway is an FTP server emulator application, which routes both ways between an FTP client (TIBCO BusinessConnect) and an FTP server using either passive or active mode.

6. When you configure a proxy for a participant, you will have only three options to select from: HTTP, FTP, and SMTP. The SOCKS4 and SOCKS5 proxies are available for users who use such proxies.

7. Click OK.

In the dialog New Proxy Connection, enter the information using Table 16:

8. Click change to set the proxy password.

9. Click Save.

The new proxy appears in the Proxy Alias list. You can now select this proxy server in the dropdown list for the appropriate server type (HTTP, FTP, or SMTP) in the Connection Defaults area.

10. Click Done to accept the new proxy.

FTP and FTPS support for mput/mget is available through either SOCKS4, SOCKS5, or FTP Gateway.

SSHFTP can only use SOCKS4 or SOCKS5 and the methods listed in the SSHFTPClient interface.

Table 16 New Proxy Connection

Alias
  Type an identifier for these proxy settings.

Host Name
  Type the name of the host on which the proxy server is installed.

Port Number
  Type the number of the port that the proxy server is using.

Proxy User Name
  Type a valid user name for the proxy server, if applicable.

Proxy Password
  Type the password associated with the user name, if applicable.


Select the Default Proxy for a Host

In the section Connection Defaults of the Edit System Settings: Outbound Proxy Settings dialog, you can select which proxy server to use with a host.

1. Select TIBCO BusinessConnect>System Settings.

2. Click Outbound HTTP/FTP Proxy and Mail SMTP Servers.

The Edit System Settings dialog appears.

Figure 14 Select Outbound Proxy Settings for a Host

3. In the section Connection Defaults, select a Proxy (HTTP or FTP) from the dropdown list.

You can choose any of the added proxies or None. If you choose None, no proxies will be used for this host.

4. Select an SMTP Server from the dropdown list.

You can choose any of the added SMTP servers or None. If you choose None, no SMTP server will be used for this host.

5. Click Done.


Audit, Non-Repudiation and Runtime Database Configuration

Configuration of database connections, connection settings, as well as export DDL for the database table schemas and creation of database tables are described


User Authentication Configuration

This system settings window is used to add or remove the authentication source for TIBCO BusinessConnect. The source types are:

• LDAP server, which is used only for external users.

• BusinessConnect database, which is used for both internal and external users.

Add an Authentication Source

1. Click on Add to add an authentication source.

2. Two options are available:

— LDAP server, page 63

— BC Database, page 64

Once the LDAP server or a BC Database is configured, it appears in the Source Alias list.

LDAP server

When LDAP is selected, a window opens with the following configuration fields:

Alias: Alias name for the LDAP server.

Host Name: The IP address or name of the machine on which the LDAP server resides.

Port Number: The port number on the LDAP machine to use for connecting to LDAP.

Bind DN and Bind Password: The LDAP server's Bind DN. The base DN is an X.500 distinguished name, which denotes the sub-tree of an LDAP directory where the to-be-authenticated user records are posted, such as:

ou=people,dc=unit,dc=company

The Bind DN provided can be an LDAP user that has only read access to LDAP. The user needs permission to:

— Read LDAP user objects

— Read LDAP group objects

— Authenticate other users to LDAP (that is, call the LDAP authenticate API or have read access to the password/credentials of LDAP user objects).


Base DN: Gets prepended to Bind DN when searching for users. This is the starting point in the LDAP hierarchy at which the search begins.

User Search Filter: You can specify a user search filter so that only users that have the specified attribute are returned. Using the default user search filter, all users are returned. For example:

Base DN: dc=na,dc=tibco,dc=com

User Search Filter: objectclass=person

User Name Attribute: Provide the LDAP attribute name that represents the user name in the LDAP directory server. For example, uid for the Sun ONE Directory server.

User to Group or Role Membership Attribute: Provide the LDAP attribute that represents the User to Group (or Role) membership attribute in the LDAP directory server. The value of this attribute lists the Groups or Roles the user is enrolled in for the DN.

isSecure: Used to check whether this is a secure LDAP URL or not.

Server Certificate: The server certificate used for secure LDAP communication. Select one of the certificates that was configured under System Settings > Certificate Store > Server Identities & Certificates.
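To show how the Base DN, User Search Filter, User Name Attribute and membership attribute described above combine into an actual directory lookup, here is an added Python example; it is not TIBCO's code. It uses the page's own sample values (dc=na,dc=tibco,dc=com, objectclass=person, uid); the membership attribute name memberOf and the function names are my assumptions. The login name is treated as untrusted client input and escaped per RFC 4515 before it is placed in the filter, so a name containing filter metacharacters is matched literally instead of changing the shape of the query; the group DNs returned by the directory are reduced to group names for the role lookup.

```python
import re

# Values from the page's LDAP example; membership_attribute is an assumption.
LDAP_CONFIG = {
    "base_dn": "dc=na,dc=tibco,dc=com",
    "user_search_filter": "objectclass=person",
    "user_name_attribute": "uid",
    "membership_attribute": "memberOf",
}

# RFC 4515 escapes for characters with special meaning in a filter assertion value.
# Backslash is handled first so the escapes added afterwards are not escaped again.
_FILTER_ESCAPES = (
    ("\\", "\\5c"),
    ("*", "\\2a"),
    ("(", "\\28"),
    (")", "\\29"),
    ("\x00", "\\00"),
)


def escape_filter_value(value):
    """Escape a value destined for an LDAP filter so it is matched literally."""
    for raw, escaped in _FILTER_ESCAPES:
        value = value.replace(raw, escaped)
    return value


def build_user_filter(user_search_filter, user_name_attribute, user_name):
    """AND the configured User Search Filter with <attribute>=<login name>.

    The configured filter is administrator-supplied and used as-is (wrapped in
    parentheses if it was typed without them); only the login name is escaped.
    """
    configured = user_search_filter.strip()
    if not configured.startswith("("):
        configured = "(" + configured + ")"
    return "(&%s(%s=%s))" % (configured, user_name_attribute, escape_filter_value(user_name))


def user_search_request(config, user_name):
    """Assemble the parameters a directory client passes to its search call."""
    return {
        "base": config["base_dn"],  # starting point of the search (Base DN)
        "scope": "subtree",
        "filter": build_user_filter(
            config["user_search_filter"], config["user_name_attribute"], user_name
        ),
        "attributes": [config["user_name_attribute"], config["membership_attribute"]],
    }


_LEADING_CN = re.compile(r"^\s*cn=([^,]+)", re.IGNORECASE)


def group_names_from_membership(dn_values):
    """Reduce membership attribute values (group DNs) to their leading CN.

    Simplified on purpose: an RDN that contains an escaped comma is not handled.
    """
    names = []
    for dn in dn_values:
        match = _LEADING_CN.match(dn)
        if match:
            names.append(match.group(1).strip())
    return names


if __name__ == "__main__":
    request = user_search_request(LDAP_CONFIG, "jdoe")
    print(request["base"], request["filter"])
    # Constructed directory response: the user's memberOf values.
    print(group_names_from_membership([
        "cn=bc-admins,ou=groups,dc=na,dc=tibco,dc=com",
        "CN=Trading Partners,OU=groups,DC=na,DC=tibco,DC=com",
    ]))
```

The Bind DN used for this search only needs the read and authenticate permissions listed above; the escaping is what keeps a login name from widening the search beyond the configured filter.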

BC Database

The BC Database option is added with its default settings when a user chooses it, and it is then used as a source of user information.

Authentication Source Defaults

The LDAP server or the BC Database in the Source Alias list can be selected under Authentication Source Defaults as the default source for the installation.

Remove the configured LDAP Server or the BC Database

Click Remove to remove the configured LDAP server or a BC Database.


Activated Protocol Plug-ins and Properties

This section explains management of the TIBCO BusinessConnect plug-in properties. The Activated Protocol Plug-ins and Properties window allows you to do the following:

• Verify the installed protocols and their versions.

• Add, change, or remove BusinessConnect or protocol-specific properties.

This screen will contain any other activated protocols. Refer to the documentation for each of the protocols for details.

Table 17 Activated Protocol Plug-ins and Properties

Plug-in             Title                                          Protocols               Ver.

BC                  TIBCO BusinessConnect Interior Server

  Note: The pre-defined (default) properties for BusinessConnect cannot be deleted by a user. This applies also to the internal (hidden) BusinessConnect properties. In the Edit Plug-in Properties, enter or select data as described in . Currently there are no default properties specific to the BusinessConnect Remote Client Server.

PartnerSelfService

EBICS               TIBCO BusinessConnect EBICS Protocol           EBICS

EZComm              TIBCO BusinessConnect Services Plug-in         EZComm

GS-FILE             TIBCO BusinessConnect Plug-in for FILE         FILE Gateway Service

GS-FTPS             TIBCO BusinessConnect Plug-in for FTP Server   FILE Gateway Server

GS-HTTP             TIBCO BusinessConnect Plug-in for HTTP         HTTP Gateway Service

GS-MGMT             TIBCO BusinessConnect Gateway


Adding, Deleting, and Editing Plug-in Properties for the BusinessConnect Server

Table 18 TIBCO BusinessConnect Server Properties Overview

Section: BC (BusinessConnect Interior Server) Database Settings

bc.db.maxretry
  Controls the maximum number of retries for a database connection in case of failures. Default: 3

bc.db.auditlog.style
  Controls how audit and non-repudiation data will be stored: Uncompressed or Compressed.
  Messages are compressed to save disk space, which also incurs the overhead of compressing the messages. Therefore, choosing whether messages will be stored in compressed or in uncompressed format depends on the priorities for a specific server: saving disk space or keeping better performance.
  Note: This property cannot be changed dynamically: the BusinessConnect server has to be restarted for this property to take effect.

Section: HTTP Settings

bc.http.threadPool.maximum
  Maximum number of threads used for Outbound HTTP (or HTTPS) requests. Default: 32

Section: SSL Caching Setting

bc.https.disableSessionCache
  Disable session cache for outbound HTTPS and FTPS.
  HTTPS (SSL) transport endpoints (HTTPS, AS2-HTTPS) and FTPS use an internal SSL transport cache to significantly improve the performance of negotiating security parameters while establishing trusted connections. In some situations, problems may arise when third party server implementations are not able to properly handle cached sessions or renegotiation of security properties at the beginning of each application level communication session. For example, the Initiator always wants to ensure that the peer's credential is the one that is trusted and hasn't changed during any cached session.
  The cache usually holds successfully negotiated security parameters for about 5 minutes, so that large numbers of transactions between the Initiator and any given trading partner require a credential renegotiation in approximately 5 minutes.
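The behaviour described for bc.https.disableSessionCache, modelled in added Python that is not the product's implementation: a per-peer cache hands back negotiated parameters for about 5 minutes, forces a full negotiation once the entry has expired or the peer presents a different credential (compared here by SHA-256 fingerprint of the certificate bytes, a simplification of what a TLS stack actually checks), and, when disabled, negotiates on every connection. The class and function names, the negotiate callback, the certificate bytes and the clock are constructed for the example.

```python
import hashlib
import time

CACHE_TTL_SECONDS = 300  # the documentation: cached parameters are held for about 5 minutes


class OutboundSessionCache:
    """Constructed model of the outbound SSL transport cache.

    enabled=False stands for bc.https.disableSessionCache being set: every
    connection then performs a full negotiation. A cached entry is reused only while
    it is younger than ttl seconds and the peer still presents the same credential.
    """

    def __init__(self, enabled=True, ttl=CACHE_TTL_SECONDS, clock=time.monotonic):
        self.enabled = enabled
        self.ttl = ttl
        self.clock = clock                 # injectable so tests can advance time
        self._entries = {}                 # peer -> (negotiated_at, fingerprint, params)
        self.full_handshakes = 0

    def connect(self, peer, peer_cert_der, negotiate):
        """Return (params, "resumed" or "full") for a connection to peer.

        negotiate(peer) stands for the full handshake and returns the negotiated
        security parameters; it is called only when the cache cannot be used.
        """
        fingerprint = hashlib.sha256(peer_cert_der).hexdigest()
        now = self.clock()
        entry = self._entries.get(peer) if self.enabled else None
        if entry is not None:
            negotiated_at, cached_fp, params = entry
            if now - negotiated_at < self.ttl and cached_fp == fingerprint:
                return params, "resumed"
            # Expired, or the peer's credential changed: discard and renegotiate.
            del self._entries[peer]
        params = negotiate(peer)
        self.full_handshakes += 1
        if self.enabled:
            self._entries[peer] = (now, fingerprint, params)
        return params, "full"


def simulate(enabled):
    """Run a constructed connection sequence and return the number of full handshakes."""
    clock = [0.0]
    cache = OutboundSessionCache(enabled=enabled, clock=lambda: clock[0])
    negotiate = lambda peer: {"peer": peer, "suite": "constructed"}
    cert_a, cert_b = b"constructed-cert-A", b"constructed-cert-B"
    cache.connect("partner.example", cert_a, negotiate)  # first contact: full
    cache.connect("partner.example", cert_a, negotiate)  # within TTL: resumed if enabled
    clock[0] = 301.0
    cache.connect("partner.example", cert_a, negotiate)  # TTL elapsed: full
    cache.connect("partner.example", cert_b, negotiate)  # credential changed: full
    return cache.full_handshakes


if __name__ == "__main__":
    print("cache enabled :", simulate(True), "full handshakes")
    print("cache disabled:", simulate(False), "full handshakes")
```

The model makes the trade-off in the property description concrete: with the cache on, repeated transactions inside the 5-minute window skip the negotiation, while a changed peer credential still forces a fresh one; setting the property to disable the cache trades that saving for a full negotiation on every connection, which is the fallback when a partner's server mishandles cached sessions.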
