
Tuesday, March 12, 2013

Central Administration of TIBCO Enterprise Message Service (EMS)

In the summer of 2012, Tibco launched a new version of its messaging bus called Enterprise Message Service (EMS). TIBCO Enterprise Message Service lets applications consume or publish messages according to the Java Message Service (JMS) API.

One of the new features is the ability to perform central administration through a standard web browser. In the past you mainly had 3 options to ‘control’ your EMS server:
  • The command line utility tibemsadmin
  • The EMS plugin of Tibco Administrator
  • A tool, like Gems or Hermes, created by a third-party

The Central Administration feature, installed automatically with EMS 7.0, offers you:
  • A web-based graphical user interface for configuring TIBCO EMS servers
  • Centralized configuration, allowing administrators to apply configuration changes across multiple TIBCO Enterprise Message Service servers from a single location
  • Support on Windows, Linux, and Mac platforms

How to get the central administration running on your machine.

After the installation of version 7 of Tibco Enterprise Message Service you need to convert the ’old style’ tibemsd.conf to a JSON (JavaScript Object Notation) file. The text-based tibemsd.conf file is not compliant with the Central Configuration feature and EMS servers started with a tibemsd.conf file cannot be managed using the Central Administration server.

Command: tibemsconf2json.bat -conf source-file.conf -json output-file.json


Note: when EMS is configured as a Windows service, you need to edit the registry key to change the startup parameter from tibemsd.conf to tibemsd.json (HKEY_LOCAL_MACHINE\SYSTEM\ControlSet00X\services\tibemsd\Parameters).

Once converted, you can start your EMS server, but now using the JSON configuration file.

Creating a configuration file

Although not mandatory, you can configure the server using a properties file to hold Central Administration server options.  Example:
com.tibco.emsca.data.dir=c:/tibcoems7/tibco/cfgmgmt/emsca_data
com.tibco.emsca.http.hostport=*:8080

I’ve saved mine as emsca.properties in the EMS_HOME/bin location.

Start the central administration server with the command tibemsca.bat (or tibemsca.sh). By default the server will look for a file called emsca.properties in the current working directory.


By default, the Central Administration server does not automatically configure an SSL connection or require users to pass login credentials. The Central Administration server uses the same username and password to log in to the EMS server as was used to log in to the Central Administration web interface. But, as said, by default there is no login, so it uses the user ‘admin’ with no password. You’ll have to configure JAAS authentication to make it work with a password. (I’ll leave some room for a next blog post.)
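An added example, not from the original post or from TIBCO: a small Python check that reads an emsca.properties file and reports which interfaces the Central Administration web interface listens on, which matters because of the no-login, no-SSL default described above. It assumes the value is a single host:port entry; the function names and the sample file are constructed for illustration.

```python
import ipaddress

HOSTPORT_KEY = "com.tibco.emsca.http.hostport"

# Constructed sample input: the two options from the post's emsca.properties.
SAMPLE = """\
# Central Administration server options
com.tibco.emsca.data.dir=c:/tibcoems7/tibco/cfgmgmt/emsca_data
com.tibco.emsca.http.hostport=*:8080
"""


def parse_properties(text):
    """Minimal .properties reader: skip comments, split on the first '=' or ':'."""
    props = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#!":
            continue
        cuts = [i for i in (line.find("="), line.find(":")) if i >= 0]
        if cuts:
            props[line[:min(cuts)].strip()] = line[min(cuts) + 1:].strip()
    return props


def bind_scope(hostport):
    """Classify the listen address of one 'host:port' value (assumed format)."""
    host, _, port = hostport.rpartition(":")
    host = host.strip("[]").lower()
    if host in ("", "*", "0.0.0.0", "::"):
        return "all-interfaces", port
    if host == "localhost":
        return "loopback", port
    try:
        loopback = ipaddress.ip_address(host).is_loopback
    except ValueError:
        return "named-host", port  # hostname: resolve it to see what it binds
    return ("loopback" if loopback else "single-interface"), port


def audit(text):
    """Return (scope, port); scope 'unset' means the server default applies."""
    value = parse_properties(text).get(HOSTPORT_KEY)
    if value is None:
        return "unset", None
    return bind_scope(value)


if __name__ == "__main__":
    scope, port = audit(SAMPLE)
    # With no login and no SSL by default, any scope other than 'loopback'
    # lets every host that can reach the port administer EMS as 'admin'.
    print(f"{HOSTPORT_KEY}: scope={scope} port={port}")
```

Until JAAS authentication is configured, a loopback bind or a host firewall rule on the port keeps the interface reachable only from the administration host.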

Default screen after installation

After typing a name without spaces (e.g. local_ems_instance), clicking on create, and passing the URL of your EMS server (e.g. tcp://localhost:7222), you are good to go!


Configuring your EMS server using the web portal.

Author: Günther

Tuesday, October 11, 2011

TUCON2011

Last week TUCON2011 took place in Las Vegas, USA. As we are the only TIBCO partner, with its HQ in Belgium, Integr8 Consulting could not be absent this year! So together with my colleague, we went out to the far-west of the USA.

This year TUCON started with the keynote speakers and the BIG idea track. The focus of these BIG idea tracks is to hear from TIBCO customers and TIBCO visionaries, how they are using TIBCO technologies and how it provides them with the 2-second advantage. For those out there not knowing what the 2-second advantage is, here is a link to a video from Vivek (TIBCO CEO) explaining the 2-second advantage.

Putting the right information at the right time in the right context

These are my 4 keywords I remember from my TUCON visit:
  • Tibbr 
  • Context 
  • Silver 
  • Mobility
If there’s one thing that is clear, it is that TIBCO is investing a lot in its social computing tool, tibbr. Tibbr is a tool, built specifically for the workspace, which will allow you to follow subjects, applications and event streams. Using this approach it will be possible to put the information you receive directly in the right context, when and where you want it.

This brings me to the second keyword, context. One of the keynote speakers stated ‘what if you have a million of data events, but you can’t place it’. And that’s what it’s all about. If you can place the data at the right time in the right context, it will provide you with a 2-second advantage.

The third keyword is Silver. Silver is TIBCO’s brand name for its cloud services, just as ActiveMatrix is for the SOA/BPM platform. Next to Tibbr, Silver will become a focus point for the future. You will get Silver Mobile, Silver Fabric, Silver Spotfire and many more, all providing you with cloud services to start with Tibco technology in just a matter of seconds (at least in theory).

Now the fourth option will look a bit strange, but this might become the biggest shift in enterprise communication since the rise of email (maybe a bit exaggerated). With the upcoming boost of smartphones, iPads and smart devices (like smart grid readers, which read your electricity usage and send it to your electricity provider), new technologies are needed that will make it possible to use your mobile device as… well, as a workstation. If you’re interested in how Silver Mobile will work:

  • Silver Mobile will provide you with a platform that runs on your Android, iPhone or BlackBerry. Using the platform, you will receive a common API that you can use in your mobile framework (jQuery Mobile, etc…) when building your own app
  • Using Silver Fabric you can push, from the cloud, your apps to the Silver Mobile platform on your company’s iPhones, BlackBerries, or Androids.
  • The example shown at TUCON was showing the status of your BW applications on your iPhone. In case something went down, you got a notification using the native notification bus from your mobile device.

In the sessions of Orange, we saw an M2M (Machine-2-Machine) example of how Orange is using mobile communication technology. Now imagine the possibilities when you think again about ‘context’. You can analyze the data from a mobile device and correlate this context with built-in embedded devices like GPS, etc… to provide you with … the context of the data.
To conclude, enterprises will have to adapt their architectures to provide more and more of a context-aware mobility delivery architecture in order to ‘please’ their customers.

Announcements

Next to the BIG idea tracks, day 2 and 3 are technology tracks that provided us with some insights into the current developments done by TIBCO. Now I will start this chapter like TIBCO started each session: all information provided is purely informational and does not legally bind us / TIBCO to any delivery.

I tried to follow a diverse schema trying to know as much as I can and these are the things that are still in my mind:
  • The ActiveMatrix platform will be extended with a rule engine, TIBCO ActiveMatrix Decisions. This product is built on BusinessEvents and exposes its rules as services, which can be used for example in a BPM process of ActiveMatrix BPM.
  • TIBCO ActiveSpaces 2.0 data grid. Woow, was I overwhelmed with this technology. To be honest, I didn’t really know this technology, but from what I’ve seen on TUCON, I immediately want to start with it!
  • BusinessWorks plugins. Instead of adapter based technology, TIBCO is coming more and more with external plugins that can enhance BusinessWorks. Examples are tibbr, SalesForce, ActiveSpaces and an Aspect plugin that you could use for AOP programming in BW!
  • Hawk! What Hawk?? Yes indeed, Hawk is coming with a nice web interface that will provide you with a better overview of your TIBCO Administrative domains. And as most products will do, Hawk will also integrate with Tibbr and maybe Spotfire in the future.
  • Nimbus. This newly acquired technology provides you with a tool that can be used for documenting your business processes in a way your business can understand them. Don’t see it as an automation engine but rather as a tool for documenting (discovering) your business process. If TIBCO connects AMX BPM and Nimbus so that information is exchanged between them, it might become a strong product bundle.
  • TIBCO EMS / FTL. During the engineering roundtable, there was a discussion on what the future will look like for messaging. In the end there is no real answer. EMS is still the messaging solution if you want a guaranteed reliable messaging solution. FTL is the future for TIBCO if it concerns really fast messaging.

If you visited TUCON this year, maybe you joined some other sessions and got other ideas than I did. Please share your experiences. By sharing information and putting it in the right context, we can get that 2-second advantage!

Author: Günther

Saturday, June 4, 2011

How to do NTLMv2 authentication in TIBCO BusinessWorks

As a proof of concept I had to test if TIBCO could perform authentication from its BusinessWorks suite to a Microsoft Dynamics CRM web service using ‘Integrated Windows Authentication’.
TIBCO BusinessWorks has all the necessary tools for connectivity, transformation and orchestration of processes but unfortunately it has no support for Integrated Windows Authentication. But I don’t consider it as a flaw of TIBCO BusinessWorks. Integrated Windows Authentication is specific to Microsoft products and the protocol that is currently in scope for the POC, NTLM, is a proprietary protocol.

What is the goal of the POC?

Authenticate TIBCO when calling the Microsoft Dynamics CRM web service. The authentication needs to be done using the NTLMv2 protocol. The account I use is a designated system account for TIBCO, which has received the correct access.



How did I start?

A lot of developers think: ‘what I do, I do better’. Well, I am more in favor of ‘use instead of build’. So first I started to find solutions on the internet that might do the trick for us. Since that didn’t work out well, I started to use some libraries that implement NTLM and to see if it works with TIBCO BusinessWorks.

I also wanted to find a solution as fast as possible. So instead of trying to investigate further on why something doesn’t work by the book, I just tried a different library/application.


So here is a summary of things I’ve tried:



Proxy solutions:

NTLMAPS: This is a tool that was used at a client side but stopped working for them after they switched to a new Active Directory domain. For my POC, and using the latest NTLMAPS version, I constantly received a 401 error back. So I had to quickly give up on this.

CNTLM: A rewrite of NTLMAPS, and I managed to get authenticated when I was trying it from a non-MS browser like Chrome or Firefox. However, the tool was prompting me for credentials for user authentication, which were then used for NTLM authentication. I quickly tried to configure my SOAP Request-Reply activity using HTTP Authentication and a correctly set Identity, but unfortunately it didn't work. I didn’t investigate further on this.


Since the proxy solutions did not work out well, I tried to use a Java Code activity and tried to use libraries implementing the NTLM protocol.



Client solutions:


According to the documentation on Apache it should support NTLMv2 but I didn’t manage to get it to work. Although following the guidelines, authentication was always failing with a 401 error. Maybe I was doing something wrong but since TIBCO BusinessWorks is also using (an older) HTTPClient in its third party library repository, I decided not to investigate further on this.  Just to be sure that an upgrade would cause a nasty side effect.



On http://devsac.blogspot.com/2010/10/supoprt-for-ntlmv2-with-apache.html I found an interesting article about configuring the HTTPClient 3.x of Apache with the JCIFS library to get NTLM support.

I didn’t try this one because on the site of JCIFS, they themselves recommend to use the Jespa library if you’re looking for full NTLM support.


Unfortunately the Jespa library is not open-source and has some limitations when you integrate directly with Active Directory. However in my situation I only needed a small portion of this library. I needed to establish a connection and needed a provider that will authenticate against the NTLMv2 protocol. So for my POC there is no impact.



Proxy setup

I’ve made a small TIBCO BW project which can act as a proxy between TIBCO BusinessWorks and the MS Dynamics CRM web services. This service works the same way as the NTLMAPS application. It will sit as a proxy between the SOAP Request-Reply activities and the endpoint.

What does the Forward request activity look like?


1)     First I defined some input parameters so I could dynamically configure my process:

 
2)     Configuring the Java Code: Updating the import statements
import java.util.*;
import java.io.*;
import java.net.URL;
import java.security.PrivilegedExceptionAction;
import jespa.http.HttpURLConnection;
import jespa.security.PasswordCredential;
import jespa.security.RunAs;
3)     Configuring the Java Code: Add an inner class

This class will perform the POST action and return the soap reply.
public class HttpPost implements PrivilegedExceptionAction
{

private URL url = null;
private HttpURLConnection conn = null;
private OutputStreamWriter wout = null;
private BufferedReader rd  = null;
private StringBuilder sb = null;
private String line = null;
private String responseMessage = null;
private int responseCode = 0;
private String responseBody = null;
private String endpoint;

public HttpPost(String endpoint){
       this.endpoint = endpoint;
}

public Object run() throws Exception
{

       url = new URL(endpoint);
       conn = new HttpURLConnection(url);
       try {
       conn.setDoOutput(true);
       conn.setDoInput(true);
       conn.setRequestMethod("POST");
       conn.addRequestProperty("SOAPAction", soapAction);
       conn.addRequestProperty("Content-Type", contentType);
       conn.setReadTimeout(timeout);

       // Set the input
       wout = new OutputStreamWriter( conn.getOutputStream() );
       wout.write(soapRequest);
       wout.flush(); // this triggers the POST
       wout.close();

       // Get the response
       rd = new BufferedReader(new InputStreamReader(conn.getInputStream()));
       sb = new StringBuilder();
       while ((line = rd.readLine()) != null) {
             sb.append(line + "\n");
       }
       rd.close();
      
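        } catch (IOException ioe) {
             System.err.println(ioe.getMessage()); // such as '404 Not Found'
             // After a failed request the body is on the error stream;
             // calling getInputStream() again would only throw again.
             sb = new StringBuilder();
             InputStream err = conn.getErrorStream();
             if (err != null) {
                    rd = new BufferedReader(new InputStreamReader(err));
                    while ((line = rd.readLine()) != null) {
                           sb.append(line + "\n");
                    }
                    rd.close();
             }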
        } finally {
             responseCode = conn.getResponseCode();
             responseMessage = conn.getResponseMessage();
             responseBody = sb.toString();
             conn.disconnect();
             wout=null;
             rd = null;
             sb = null;
             conn = null;
        }
        return null;
}

public int getResponseCode()
{
       return this.responseCode;
}

public String getResponseMessage()
{
       return this.responseMessage;
}

public String getResponseBody()
{
       return this.responseBody;
}

}

4)     Implement the invoke function
org.apache.log4j.Logger logger = org.apache.log4j.Logger.getLogger("bw.logger");
HttpPost t = new HttpPost(endpoint);
RunAs.runAs(t, new PasswordCredential(domain + "\\" + userName, password.toCharArray()));
logger.info("Server replied with HTTP status code: " + t.getResponseCode() + " " + t.getResponseMessage());
soapReply = t.getResponseBody();

Using the proxy class

When configuring my SOAP Request-Reply message, I only need to configure a Proxy Configuration which points to my HTTP Receiver. My HTTP Receiver forwards the request and returns the correct response.



Update: As some readers have commented, there seems to be a bug inside the above code. 

The updated project can be downloaded here. This project has updated Java code that improves the handling of the SOAP request/response. You'll have to change the global variables so the authentication group is updated with your login credentials.
Also note that since BusinessWorks version 5.10, Tibco has added NTLM authentication support. See the release notes at https://docs.tibco.com/

Author: Günther