TIB Ems 10.3.0 User Guide
TIB Ems 10.3.0 User Guide
TIB Ems 10.3.0 User Guide
User Guide
Version 10.3.0 | February 2024
Contents
Contents 2
Overview 25
Jakarta Messaging Overview 25
Jakarta Messaging Compliance 26
Jakarta Messaging Message Models 26
Point-to-Point 27
Publish and Subscribe 28
EMS Destination Features 30
Client APIs 31
Sample Code 32
TIBCO Rendezvous Java Applications 32
Administration 32
Administering the Server 33
User and Group Management 33
Using TIBCO Hawk 34
Modes, Roles, and States 34
Security 35
Fault Tolerance 36
Routing 36
Integrating with Third-Party Products 36
Transaction Support 36
Containerization 37
Messages 38
EMS Extensions to Jakarta Messaging Messages 38
Expressions 61
Operators 62
White Space 63
Performance 63
Data Type Conversion 65
Sending Messages Synchronously and Asynchronously 66
Sending Synchronously 66
Sending Asynchronously 67
Receiving Messages Synchronously and Asynchronously 68
Destinations 69
Destination Overview 70
Destination Names 71
Static Destinations 71
Dynamic Destinations 71
Temporary Destinations 72
Destination Bridges 72
Destination Name Syntax 72
Examples of Destination Names 74
Destination Properties 75
exclusive 76
expiration 77
export 78
flowControl 78
global 79
import 79
maxbytes 80
maxmsgs 82
maxRedelivery 82
overflowPolicy 83
prefetch 85
redeliveryDelay 90
secure 91
sender_name 91
sender_name_enforced 92
store 93
trace 94
Temporary Destination Properties 94
Usage Notes 95
Creating and Modifying Destinations 96
Creating Secure Destinations 97
Wildcards 97
Wildcards * and > 98
Overlapping Wildcards and Disjoint Properties 98
Wildcards in Topics 99
Wildcards in Queues 99
Wildcards and Dynamically Created Destinations 99
Inheritance 100
Inheritance of Properties 101
Inheritance of Permissions 102
Destination Bridges 103
Create a Bridge 105
Access Control and Bridges 107
Transactions 107
Flow Control 107
Enable Flow Control 108
Enforce Flow Control 108
Routes and Flow Control 109
Destination Bridges and Flow Control 109
Flow Control, Threads and Deadlock 110
Delivery Delay 111
shutdown 208
suspend route 208
time 208
timeout 208
transaction commit 209
transaction rollback 209
updatecrl 209
whoami 209
factories.conf 283
groups.conf 287
jaas.conf 288
queues.conf 288
routes.conf 289
stores.conf 291
tibrvcm.conf 295
topics.conf 296
transports.conf 297
users.conf 301
Configuration 466
Import—Start and Stop 467
Message Translation 467
Jakarta Messaging Header Fields 467
Jakarta Messaging Property Fields 469
Message Body 470
Message Fields 471
Wildcards 486
Import Issues 486
Field Identifiers 486
JMSDestination 487
JMSReplyTo 487
JMSExpiration 487
Guaranteed Delivery 488
Export Issues 488
JMSReplyTo 488
Certified Messages 489
Guaranteed Delivery 489
Message Translation 489
Jakarta Messaging Header Fields 489
Jakarta Messaging Property Fields 491
Message Body 492
Data Types 494
Pure Java Rendezvous Programs 496
Routes 574
Overview 574
Route 574
Basic Operation 574
Global Destinations 575
Unique Routing Path 576
Zone 576
Basic Operation 576
Eliminate Redundant Paths with a One-Hop Zone 577
Overlapping Zones 578
Active and Passive Routes 579
Active-Passive Routes 579
Active-Active Routes 580
Configure Routes and Zones 580
Routes to Fault-Tolerant Servers 582
Routing and TLS 583
Routed Topic Messages 586
Registered Interest Propagation 586
Selectors for Routing Topic Messages 588
Routed Queues 592
Owner and Home 593
Example 593
Producers 594
Consumers 594
Configuration 595
Browsing 595
Transactions 595
Authentication and Authorization for Routes 596
Authentication 596
ACL 600
Product Editions
TIBCO Messaging is available in a community edition and an enterprise edition.
TIBCO Messaging - Community Edition is ideal for getting started with TIBCO Messaging, for
implementing application projects (including proof of concept efforts), for testing, and for
deploying applications in a production environment. Although the community license limits
the number of production clients, you can easily upgrade to the enterprise edition as your
use of TIBCO Messaging expands.
The community edition is available free of charge. It is a full installation of the TIBCO
Messaging software, with the following limitations and exclusions:
l Users may run up to 100 connections in a production environment. A connection is as
defined in the Jakarta Messaging Specification and established between an
application built with the TIBCO Enterprise Message Service Client Libraries and an
instance of the TIBCO Enterprise Message Service Server.
l Users do not have access to TIBCO Support, but you can use TIBCO Community as a
resource (https://community.tibco.com).
l Available on Red Hat Enterprise Linux Server, Microsoft Windows & Windows Server
and Apple macOS.
TIBCO Messaging - Community Edition has the following additional limitations and
exclusions:
l Excludes Fault Tolerance of the server.
l Excludes Unshared State Failover.
l Excludes Routing of messages between servers.
l Excludes JSON configuration files.
l Excludes EMS OSGi bundle.
l Excludes grid store and FTL store types.
TIBCO Messaging - Enterprise Edition is ideal for all application development projects, and
for deploying and managing applications in an enterprise production environment. It
includes all features presented in this documentation set, as well as access to TIBCO
Support.
Overview
The following sections contain a general overview of Jakarta Messaging and TIBCO
Enterprise Message Service concepts.
Note: Jakarta Messaging 2.0 TCK tests were run using Open Java Development
Kit 8, as the corresponding version of the TCK does not support later Java
versions.
Jakarta Messaging 3.0 TCK tests were run using Open Java Development Kit 11.
Point-to-Point
Point-to-point messaging has one producer and one consumer per message. This style of
messaging uses a queue to store messages until they are received. The message producer
sends the message to the queue; the message consumer retrieves messages from the
queue and sends acknowledgment that the message was received.
More than one producer can send messages to the same queue, and more than one
consumer can retrieve messages from the same queue. The queue can be configured to be
exclusive, if desired. If the queue is exclusive, then all queue messages can only be
retrieved by the first consumer specified for the queue. Exclusive queues are useful when
you want only one application to receive messages for a specific queue. If the queue is not
exclusive, any number of receivers can retrieve messages from the queue. Non-exclusive
queues are useful for balancing the load of incoming messages across multiple receivers.
Regardless of whether the queue is exclusive or not, only one consumer can ever consume
each message that is placed on the queue.
The following image illustrates point-to-point messaging using a non-exclusive queue. Each
message consumer receives a message from the queue and acknowledges receipt of the
message. The message is taken off the queue so that no other consumer can receive it.
messages.
The EMS APIs allow you to create durable subscribers to ensure that messages are
received, even if the message consumer is not currently running. Messages for durable
subscriptions are stored on the server as long as durable subscribers exist for the topic, or
until the message expiration time for the message has been reached, or until the storage
limit has been reached for the topic. Durable subscribers can receive messages from a
durable subscription even if the subscriber was not available when the message was
originally delivered.
When an application restarts and recreates a durable subscriber with the same ID, all
messages stored on the server for that topic are delivered to the durable subscriber.
See Create a Message Consumer for details on how to create durable subscribers.
If a message is received on foo, each of the above four subscriptions receive that same
message. For the shared subscriptions mySharedSub and myDurableSharedSub, the message
is delivered to only one of its respective shared consumers.
If the shared consumers of the shared durable subscription myDurableSharedSub are
closed, then the shared durable subscription continues to exist and accumulate messages
until it is deleted, or until the application creates a new durable shared consumer named
myDurableSharedSub to resume this subscription. If the shared consumers of mySharedSub
are all closed, the subscription is removed from topic foo.
See Create a Message Consumer for details on how to create shared subscriptions.
from an exclusive queue. More than one receiver can receive messages from non-
exclusive queues. See exclusive.
l Specify a redelivery policy for queues. When messages must be redelivered, you can
specify a property on the queue that determines the maximum number of times a
message should be redelivered. See maxRedelivery.
l Trace and log all messages passing through a destination. See trace.
l Include the user name of the message producer in the message. See sender_name
and sender_name_enforced.
l Administrator operations can use wildcards in destination names. The wildcard
destination name is the parent, and any names that match the wildcard destination
name inherit the properties of the parent. See Wildcards.
l Use the store property to cause messages sent to a destination to be written to a
store file. Set the destination store to store=$sys.failsafe to direct the server to
write messages to the file synchronously and guarantee that messages are not lost
under any circumstances. See store for more information.
l Specify that a consumer is to receive batches of messages in the background to
improve performance. Alternatively, you can specify that queue receivers are to only
receive one message at a time. See prefetch for more information.
Client APIs
Java applications use the javax.jms package to send or receive Jakarta Messaging
messages. This is a standard set of interfaces, specified by the Jakarta Messaging
specification, for creating the connection to the EMS server, specifying the type of message
to send, and creating the destination (topic or queue) on which to send or receive
messages. You can find a description of the javax.jms package in TIBCO Enterprise
Message Service Java API Reference included in the online documentation.
Because EMS implements the Jakarta Messaging standard, you can also view the
documentation on these interfaces along with the Jakarta Messaging specification at
https://jakarta.ee/specifications/messaging/2.0.
TIBCO Enterprise Message Service includes parallel APIs for other development
environments. See the following for more information:
l TIBCO Enterprise Message Service C & COBOL API Reference
Sample Code
EMS includes several example programs that illustrate the various features of EMS.
You may wish to view these example programs when reading about the corresponding
features in this manual. The examples are included in the samples subdirectory of the EMS
installation directory.
For more information about running the examples, see Getting Started.
Administration
EMS provides mechanisms for administering server operations and creating objects that
are managed by the server, such as ConnectionFactories and Destinations.
Administration functions can be issued either using the command-line administration tool
or by creating an application that uses the administration API (either Java or .NET). The
command-line administration tool is described in EMS Administration Tool. The
administration APIs are described in the online documentation.
The administration interfaces allow you to create and manage administered objects such
as ConnectionFactories, Topics, and Queues. EMS clients can retrieve references to these
administered objects by using Java Naming and Directory Interface (JNDI). Creating static
administered objects allows clients to use these objects without having to implement the
objects within the client.
The server can publish messages when various system Monitor Server Activity
events occur. This allows you to create robust
monitoring applications that subscribe to these
system monitor topics.
The server can provide various statistics at the desired Monitor Server Activity
level of detail.
Modes
By default, the EMS server operates in standalone mode. However, it can also be
configured to run in a fault tolerant mode:
l Standalone — the default EMS server mode.
l Classic Fault Tolerant — configured through the ft_active parameter if using file-
based stores or grid stores and through the FTL configuration if using FTL stores.
Roles
Each server operating in a fault tolerant mode has a distinct role: primary or secondary.
These roles are implicit for EMS servers started using tibemsd.conf files. They are explicit
for EMS servers started using a JSON configuration file. For JSON-configured servers, the
primary server is the EMS server started without the -secondary command line parameter,
while the secondary server is started with it. In the .conf files, each server in the fault
tolerant pair has a distinct tibemsd.conf file.
Note: Although EMS servers using FTL stores are JSON-configured, the primary
and secondary roles for a fault-tolerant EMS server pair are still implicit.
States
The state of the EMS server tells you about its current operations.
Use the info or show state command in the administration tool to determine the state of
the EMS server.
State Description
standby The server is in classic fault tolerant mode and is ready to take over should its
peer fail.
Security
For communication security between servers and clients, and between servers and other
servers, you must explicitly configure TLS within EMS.
Transport Layer Security (TLS) is a protocol for transmitting encrypted data over the
Internet or an internal network. TLS works by using public and private keys to encrypt data
that is transferred over the TLS connection.
EMS supports TLS between the following components:
l between an EMS client and the EMS server
l between the administration tool and the EMS server
l between the administration APIs and the EMS server
l between routed servers
l between fault-tolerant servers (not applicable when using FTL stores)
See TLS Protocol for more information about TLS support in EMS.
Fault Tolerance
You can configure EMS servers as primary and secondary servers to provide fault tolerance
for your environment. The primary and secondary servers act as a pair, one of them
starting out in the active state and the other in the standby state. The active server accepts
client connections and performs the work of handling messages, while the standby server
acts as a backup in case of failure. If the active server fails, the standby server assumes
operation and becomes the active server.
See Fault Tolerance for more information about the fault-tolerance features of EMS.
Routing
EMS provides the ability for servers to route messages between each other. Topic messages
can be routed across multiple hops, provided there are no cycles (that is, the message can
not be routed to any server it has already visited). Queue messages can travel at most one
hop to any other server from the server that owns the queue.
EMS stores and forwards messages in most situations to provide operation when a route is
not connected.
See Routes for more information about the routing features of EMS.
Transaction Support
TIBCO Enterprise Message Service can integrate with Jakarta Transactions API (JTA)
compliant transaction managers. EMS implements all interfaces necessary to be JTA
compliant.
The EMS C API is compliant with the X/Open XA specification. The EMS .NET API supports
Microsoft Distributed Transaction Coordinator (MS DTC) with .NET Framework. Transactions
created using MSDTC in a .NET Framework client are seen as XA transactions in C and Java
clients.
Containerization
TIBCO Enterprise Message Service supports containerization.
Refer to the corresponding TIBCO Community pages for specific solutions involving
environments such as Docker, Kubernetes, OpenShift, etc.
Messages
The following sections provide an overview of EMS messages.
StreamMessage body types. However, they are extensions and therefore not
compliant with Jakarta Messaging specifications. Extended messages are
tagged as extensions with the vendor property tag JMS_TIBCO_MSG_EXT.
For more information on compatibility with Rendezvous messages, see Message
Body.
JMSRedelivered Jakarta If this field is set, it is possible that the message was
Messaging delivered to the client earlier, but not acknowledged
provider at that time.
For example:
JMSDestination='Queue[A]'
JMSDestination='Topic[B7]'
JMSDestination NOT LIKE 'Queue[A]'
JMSDestination LIKE 'Queue[A]'
JMSDestination LIKE 'Q%'
JMSDestination IS NOT NULL
JMSDestination IN ('Queue[H]','Queue[J]')
JMSDestination NOT IN ('Topic[H]','Topic[J]')
JMSDestination='Queue[A]' OR JMSDestination='Queue[B]'
Message This message type has no body. This is useful for simple event
notification.
TextMessage A java.lang.String.
MapMessage A set of name/value pairs. The names are java.lang.String objects, and
the values are Java primitive value types or their wrappers. The entries
can be accessed sequentially by enumeration or directly by name. The
order of entries is undefined.
BytesMessage A stream of uninterrupted bytes. The bytes are not typed; that is, they
are not assigned to a primitive data type.
StreamMessage A stream of primitive values in the Java programming language. Each set
of values belongs to a primitive data type, and must be read sequentially.
Message Priority
The Jakarta Messaging specification includes a JMSPriority message header field in which
senders can set the priority of a message, as a value in the range [0,9]. EMS does support
message priority (though it is optional, and other vendors might not implement it).
When the EMS server has several messages ready to deliver to a consumer client, and must
select among them, then it delivers messages with higher priority before those with lower
priority.
However, priority ordering applies only when the server has a backlog of deliverable
messages for a consumer. In contrast, when the server has only one message at a time to
deliver to a consumer, then the priority ordering feature will not be apparent.
You can set default message priority for the Message Producer, as described in Configure a
Message Producer. The default priority can be overridden by the client when sending a
message, as described in Send Messages.
Also refer to Jakarta Messaging Specification, chapter 3.4.10.
PERSISTENT
When a producer sends a PERSISTENT message, the producer must wait for the server to
reply with a confirmation. The message is persisted on disk by the server. This delivery
mode ensures delivery of messages to the destination on the server in almost all
circumstances. However, the cost is that this delivery mode incurs two-way network traffic
for each message or committed transaction of a group of messages.
NON_PERSISTENT
Sending a NON_PERSISTENT message omits the overhead of persisting the message on disk
to improve performance.
If authorization is disabled on the server, the server does not send a confirmation to the
message producer.
If authorization is enabled on the server, the default condition is for the producer to wait
for the server to reply with a confirmation in the same manner as when using PERSISTENT
mode.
Regardless of whether authorization is enabled or disabled, you can use the
npsend_check_mode parameter in the tibemsd.conf file to specify the conditions under
which the server is to send confirmation of NON_PERSISTENT messages to the producer. See
the description for npsend_check_mode for details.
RELIABLE_DELIVERY
EMS extends the Jakarta Messaging delivery modes to include reliable delivery. Sending a
RELIABLE_DELIVERY message omits the server confirmation to improve performance
regardless of the authorization setting.
Also see authorization.
When using RELIABLE_DELIVERY mode, the server never sends the producer a receipt
confirmation or access denial and the producer does not wait for it. Reliable mode
decreases the volume of message traffic, allowing higher message rates, which is useful for
messages containing time-dependent data, such as stock price quotations.
When you use the reliable delivery mode, the client application does not receive any
response from the server. Therefore, all publish calls will always succeed (not throw an
exception) unless the connection to the server has been terminated.
In some cases a message published in reliable mode may be disqualified and not handled
by the server because the destination is not valid or access has been denied. In this case,
the message is not sent to any message consumer. However, unless the connection to the
server has been terminated, the publishing application will not receive any exceptions,
despite the fact that no consumer received the message.
This behavior is consistent with the Jakarta Messaging specification because durable
subscribers to a topic cause published messages to be saved. Additionally, subscribers to a
topic that have a fault-tolerant connection need to receive messages from the new active
server after a failover. However, non-durable subscribers without a fault-tolerant
connection that re-connect after a server failure are considered newly created subscribers
and are not entitled to receive any messages created prior to the time they are created
(that is, messages published before the subscriber re-connects are not resent).
the message has been replicated to the other EMS servers in the cluster and written to
disk. This parameter is not relevant in the case of grid stores, where the disk access mode
is always synchronous.
When using file-based stores, the EMS server writes persistent messages to a store file. To
prevent two servers from using the same store file, each server restricts access to its store
file for the duration of the server process. For details on how EMS manages access to
shared file-based stores, see Managing Access to Shared File-Based Stores.
When using FTL stores, the EMS server stores persistent messages in FTL. See Persistence
with FTL Stores for more information.
With the multiple stores feature, you can configure your messaging application to store
messages in different locations for each application, or create separate stores for related
destinations. For example, you can create one store for messages supporting Marketing,
and one for messages supporting Sales. Because stores are configured in the server, they
are transparent to clients.
When using the multiple stores feature, all stores must be of the same type. Configuring
multiple store types in the same server is not supported.
The EMS Administration Tool allows administrators to review the system’s configured
stores and their settings by using the show stores and show store commands.
Store Types
TIBCO Enterprise Message Service allows you to configure several different types of stores,
described here.
File-Based Stores
The EMS server stores persistent messages in file-based stores. You can use the default
store files, or create your own file-based stores. You direct the EMS server to write
messages to these store files by associating a destination with a store.
File-based stores are enabled by default, and the server automatically defines three default
stores, described below. You do not need to do anything in order to use the default stores.
The section Configuring File-Based Stores describes how to change store settings or create
custom stores.
Grid Stores
The EMS server can store messages in a TIBCO ActiveSpaces data grid. See Grid Stores for a
full description of this feature.
FTL Stores
The EMS server can store messages in a TIBCO FTL server cluster. See FTL Stores for a full
description of this feature.
Default Stores
The EMS server defines these default stores, and writes persistent messages and meta data
to them:
l $sys.nonfailsafe—Persistent messages without a store property designation are
written to $sys.nonfailsafe by default. The server writes messages to this store
using asynchronous I/O calls.
l $sys.failsafe—Associate a destination with this store to write messages
synchronously. The server writes messages to this store using synchronous I/O calls.
l $sys.meta—The server writes state information about durable subscribers, fault-
tolerant connections, and other metadata in this store.
The EMS server creates these default stores as file-based stores automatically, and no steps
are required to enable or deploy them. However, you can change the system configuration
to customize the default store file settings, or even override the default store settings to
either point to different file location, or write to a grid store or FTL store.
If the EMS server is started as a service under an FTL server, or with grid store command
line parameters and the default stores are not present in the configuration, the server
automatically creates the three default stores as FTL stores or grid stores respectively.
Procedure
1. Setup and configure stores in the stores.conf file.
Stores are created and configured in the stores.conf file. Each store must have a
When using file-based stores, you can also change store associations dynamically using the
setprop topic or setprop queue command in the EMS Administration Tool.
Multiple destinations can be mapped to the same store, either explicitly or using wildcards.
Even if no stores are configured, the server sends persistent messages that are not
associated with a store to default stores. See Default Stores for more information.
For details about the store parameter, see store.
EMS clients can specify a variety of common character encodings for strings in messages.
The character encoding for a message applies to strings that appear in any of the following
places within a message:
l property names and property values
l MapMessage field names and values
The EMS client APIs (Java, .NET and C) include mechanisms for handling strings and
specifying the character encoding used for all strings within a message. The following
sections describe the implications of string character encoding for EMS clients.
Note: Nearly all character sets include unprintable characters. EMS software
does not prevent programs from using unprintable characters. However,
messages containing unprintable characters (whether in headers or data) can
cause unpredictable results if you instruct EMS to print them. For example, if you
enable the message tracing feature, EMS prints messages to a trace log file.
Sending Messages
When a client sends a message, the message stores the character encoding name used for
strings in that message. Java clients represent strings using Unicode. A message created by
a Java client that does not specify an encoding will use UTF-8 as the named encoding
within the message.
UTF-8 uses up to four bytes to represent each character, so a Java client can improve
performance by explicitly using a single-byte character encoding, if possible.
Java clients can globally set the encoding to use with the setEncoding method or the
client can set the encoding for each message with the setMessageEncoding method. For
more information about these methods, see TIBCO Enterprise Message Service Java API
Reference.
Typically, C clients manipulate strings using the character encoding of the machine on
which they are running. The EMS C client library itself does not do any encoding or
decoding of characters. When sending a message, an EMS C client application can use
tibemsMsg_SetEncoding to put information into the message describing the encoding
used. When receiving a message in an EMS C client application, the encoding can be
retrieved using tibemsMsg_GetEncoding. Use a third party library to do the actual decoding
based on the retrieved encoding information.
Message Compression
The TIBCO Enterprise Message Service client can compress the body of a message before
sending the message to the server. EMS supports message compression/decompression
across client types (Java, C and C#). For example, a Java producer may compress a
message and a C consumer may decompress it.
generally longer than the time to send the same messages uncompressed. There is little
purpose to message compression for small messages that are not be stored by the server.
Message Acknowledgment
The interface specification for Jakarta Messaging requires that message delivery be
guaranteed under many, but not all, circumstances.
The following figure illustrates the basic structure of message delivery and
acknowledgment.
1. A message is sent from the message producer to the machine on which the EMS
server resides.
2. For persistent messages, the EMS server sends a confirmation to the producer that
the message was received.
3. The server sends the message to the consumer.
4. The consumer sends an acknowledgment to the server that the message was
received. A session can be configured with a specific session mode that specifies how
the consumer-to-server acknowledgment is handled. These session modes are
described below.
5. In many cases, the server then sends a confirmation of the acknowledgment to the
consumer.
The Jakarta Messaging specification defines three levels of acknowledgment for non-
transacted sessions:
l CLIENT_ACKNOWLEDGE specifies that the consumer is to acknowledge all messages that
have been delivered so far by the session. When using this mode, it is possible for a
consumer to fall behind in its message processing and build up a large number of
unacknowledged messages.
l AUTO_ACKNOWLEDGE specifies that the session is to automatically acknowledge
consumer receipt of messages when message processing has finished.
l DUPS_OK_ACKNOWLEDGE specifies that the session is to "lazily" acknowledge the
delivery of messages to the consumer. "Lazy" means that the consumer can delay
acknowledgment of messages to the server until a convenient time; meanwhile the
server might redeliver messages. This mode reduces session overhead. Should
Jakarta Messaging fail, the consumer may receive duplicate messages.
l EXPLICIT_CLIENT_ACKNOWLEDGE
l EXPLICIT_CLIENT_DUPS_OK_ACKNOWLEDGE
Warning: The Simplified Jakarta Messaging API introduced in JMS 2.0 supports
the session modes defined in the Jakarta Messaging specification:
CLIENT_ACKNOWLEDGE, AUTO_ACKNOWLEDGE, DUPS_OK_ACKNOWLEDGE, and
SESSION_TRANSACTED. However, it does not support the EMS extended session
modes.
The session mode is set when creating a Session, as described in Create a Session.
NO_ACKNOWLEDGE
NO_ACKNOWLEDGE mode suppresses the acknowledgment of received messages.
After the server sends a message to the client, all information regarding that message for
that consumer is eliminated from the server. Therefore, there is no need for the client
application to send an acknowledgment to the server about the received message. Not
sending acknowledgments decreases the message traffic and saves time for the receiver,
therefore allowing better utilization of system resources.
EXPLICIT_CLIENT_ACKNOWLEDGE
EXPLICIT_CLIENT_ACKNOWLEDGE is like CLIENT_ACKNOWLEDGE except it acknowledges only
the individual message, rather than all messages received so far on the session.
One example of when EXPLICIT_CLIENT_ACKNOWLEDGE would be used is when receiving
messages and putting the information in a database. If the database insert operation is
slow, you may want to use multiple application threads all doing simultaneous inserts. As
each thread finishes its insert, it can use EXPLICIT_CLIENT_ACKNOWLEDGE to acknowledge
only the message that it is currently working on.
EXPLICIT_CLIENT_DUPS_OK_ACKNOWLEDGE
EXPLICIT_CLIENT_DUPS_OK_ACKNOWLEDGE is like DUPS_OK_ACKNOWLEDGE except it 'lazily'
acknowledges only the individual message, rather than all messages received so far on the
session.
Message Selectors
A message selector is a string that lets a client program specify a set of messages, based on
the values of message headers and properties. A selector matches a message if, after
substituting header and property values from the message into the selector string, the
string evaluates to true. Consumers can request that the server deliver only those
messages that match a selector.
The syntax of selectors is based on a subset of the SQL92 conditional expression syntax.
Identifiers
Identifiers can refer to the values of message headers and properties, but not to the
message body. Identifiers are case-sensitive.
Basic Syntax
An identifier is a sequence of letters and digits, of any length, that begins with a letter. As
in Java, the set of letters includes _ (underscore) and $ (dollar).
Illegal
Certain names are exceptions, which cannot be used as identifiers. In particular, NULL,
TRUE, FALSE, NOT, AND, OR, BETWEEN, LIKE, IN, IS, and ESCAPE are defined to have special
meaning in message selector syntax.
Value
Identifiers refer either to message header names or property names. The type of an
identifier in a message selector corresponds to the type of the header or property value. If
an identifier refers to a header or property that does not exist in a message, its value is
NULL.
Literals
String Literal
A string literal is enclosed in single quotes. To represent a single quote within a literal, use
two single quotes; for example, 'literal''s'. String literals use the Unicode character
encoding. String literals are case sensitive. The server has a limit of 32,767 string literals in
a selector string.
Expressions
Selectors as Expressions
Every selector is a conditional expression. A selector that evaluates to true matches the
message; a selector that evaluates to false or unknown does not match.
Arithmetic Expression
Arithmetic expressions are composed of numeric literals, identifiers (that evaluate to
numeric literals), arithmetic operations, and smaller arithmetic expressions.
Conditional Expression
Conditional expressions are composed of comparison operations, logical operations, and
smaller conditional expressions.
Order of Evaluation
Order of evaluation is left-to-right, within precedence levels. Parentheses override this
order.
Operators
Case Insensitivity
Operator names are case-insensitive.
Logical Operators
Logical operators in precedence order: NOT, AND, OR.
Comparison Operators
Comparison operators: =, >, >=, <, <=, <> (not equal).
These operators can compare only values of comparable types. (Exact numeric values and
approximate numerical values are comparable types.) Attempting to compare
incomparable types yields false. If either value in a comparison evaluates to NULL, then
the result is unknown (in SQL 3-valued logic).
Comparison of string values is restricted to = and <>. Two strings are equal if and only if
they contain the same sequence of characters.
Comparison of boolean values is restricted to = and <>.
Arithmetic Operators
Arithmetic operators in precedence order:
l +, - (unary)
Arithmetic operations obey numeric promotion rules of the Java programming language.
Between Operator
arithmetic-expr1 [NOT] BETWEEN arithmetic-expr2 AND arithmetic-expr3
The BETWEEN comparison operator includes its endpoints. For example:
l age BETWEEN 5 AND 9 is equivalent to age >= 5 AND age <= 9
The identifier must evaluate to either a string or NULL. If it is NULL, then the value of this
expression is unknown. You can use a maximum of 32,767 string-literals in the string set.
Pattern Matching
identifier [NOT] LIKE pattern-value [ESCAPE escape-character]
The identifier must evaluate to a string.
The pattern-value is a string literal, in which some characters bear special meaning:
l _ (underscore) can match any single character.
White Space
White space is any of the characters space, horizontal tab, form feed, or line terminator—or
any contiguous run of characters in this set.
Performance
In order to efficiently handle queue consumers with a selector when there is a large
backlog of messages in the queue, message headers and properties are cached in the
memory of the server for the queue. The caching begins for a given queue the first time a
queue consumer with a selector is created.
This may result in an increase of the memory footprint of the server when such queue
consumers are created. Both new incoming messages and messages already existing in the
backlog are optimized through the server cache. If the server is restarted and a fault
tolerant consumer on the queue is restored, then all recovered messages in that queue are
optimized.
bool byte short char int long float double string byte[]
bool X X
byte X X X X X
short X X X X
char X X
int X X X
long X X
float X X X
double X X
string X X X X X X X X
byte[] X
Note:
l Message properties cannot have byte array values.
l Values written as strings can be extracted as a numeric or boolean type only when it is possible to parse the string as a number of that type.
Each sending mode has certain benefits. The following sections describe the benefits of the
different modes.
Sending Synchronously
Because synchronous sending does not have the overhead involved in asynchronous
sending, it yields better performance in most cases. Synchronous sending is also the best
choice when sending the following types of messages:
l Non-Persistent Messages
When high performance is a concern, use synchronous sending for non-persistent or
reliable messages. Although asynchronous sending of non-persistent messages is
supported, it is generally not recommended.
l Transactions
Typically, it makes sense for applications to use synchronous sending when using
transactions. Sending messages within a transaction does not require a response
from the server, so higher throughput can be obtained sending synchronously within
a transaction.
Synchronous sending simplifies a transaction; coordination of asynchronous send
notifications and committing or rolling back a transaction introduces complexity to
the application.
Sending Asynchronously
The message producer can send messages asynchronously by registering a completion
listener to monitor message send success or failure.
Operating in a thread separate from that of the message producer, the completion listener
manages the response to a successful or failed send, leaving the message producer free to
perform other operations. See Create a Completion Listener for Asynchronous Sending for
details.
Asynchronous sending can increase performance in certain circumstances. One of the best
uses for asynchronous sending is when sending persistent messages. High level outgoing
message throughput can be obtained when sending non-transacted persistent messages.
There are other considerations for the application programmer when sending messages
asynchronously. These considerations are described below.
Memory Use
Application programmers should be aware that some additional memory is used by the
EMS server when asynchronously sending. Memory use increases if the performance of
completion listeners is slower than overall application send rates.
Destinations
Destinations for messages can be either Topics or Queues. A destination can be created
statically in the server configuration files, or dynamically by a client application.
Servers connected by routes exchange messages sent to temporary topics. As a result,
temporary topics are ideal destinations for reply messages in request/reply interactions.
Destination Overview
The following table summarizes the differences between static, dynamic, and temporary destinations. The sections that follow provide more detail.
Purpose Static destinations let administrators configure EMS behavior at the Dynamic destinations give client programs the flexibility to Temporary destinations are ideal for limited-
enterprise level. Administrators define these administered objects, and define destinations as needed for short-term use. scope uses, such as reply subjects.
client programs use them—relieving program developers and end
users of the responsibility for correct configuration.
Scope of Static destinations support concurrent use. That is, several client Dynamic destinations support concurrent use. That is, Temporary destinations support only local
Delivery processes (and in several threads within a process) can create local several client processes (and in several threads within a use. That is, only the client connection that
objects denoting the destination, and consume messages from it. process) can create local objects denoting the destination, created a temporary destination can
and consume messages from it. consume messages from it.
Creation Administrators create static destinations using EMS server Client programs create dynamic destinations, if permitted by Client programs create temporary
administration tools or administration API. the server configuration. destinations.
Lookup Client programs lookup static destinations by name. Successful lookup Not applicable. Not applicable.
returns a local object representation of the destination.
Duration A static destination remains in the server until an administrator A dynamic destination remains in the server as long as at A temporary destination remains in the
explicitly deletes it. least one client actively uses it. The server automatically server either until the client that created it
deletes it (at a convenient time) when all applicable explicitly deletes it, or until the client
conditions are true: disconnects from the server.
l Topic or Queue
Destination Names
A destination name is a string divided into elements, each element separated by the dot
character (.). The dot character allows you to create multi-part destination names that
categorize destinations.
For example, you could have an accounting application that publishes messages on several
destinations. The application could prefix all messages with ACCT, and each element of the
name could specify a specific component of the application. ACCT.GEN_LEDGER.CASH,
ACCT.GEN_LEDGER.RECEIVABLE, and ACCT.GEN_LEDGER.MISC could be subjects for the
general ledger portion of the application.
Separating the subject name into elements allows applications to use wildcards for
specifying more than one subject. See Wildcards for more information. The use of
wildcards in destination names can also be used to define "parent" and "child" destination
relationships, where the child destinations inherit the properties from its parents. See
Inheritance of Properties.
Static Destinations
Configuration information for static destinations is stored in configuration files for the EMS
server. Changes to the configuration information can be made in a variety of ways. To
manage static destinations, you can edit the configuration files using a text editor, you can
use the administration tool, or you can use the administration APIs.
Clients can obtain references to static destinations through a naming service such as JNDI
or LDAP. See Creating and Modifying Destinations for more information about how clients
use static destinations.
Dynamic Destinations
Dynamic destinations are created on-the-fly by the EMS server, as required by client
applications. Dynamic destinations do not appear in the configuration files and exist as
long as there are messages or consumers on the destination. A client cannot use JNDI to
lookup dynamic queues and topics.
When you use the show queuesor show topics command in the administration tool, you
see dynamic topics and queues have an asterisk (*) in front of their name in the list of
topics or queues. If a property of a queue or topic has an asterisk (*) character in front of
its name, it means that the property was inherited from the parent queue or topic and
cannot be changed.
See Dynamically Create Topics and Queues for details on topics and queues can be
dynamically created by the EMS server.
Temporary Destinations
TIBCO Enterprise Message Service supports temporary destinations as defined in Jakarta
Messaging specification and its API.
Servers connected by routes exchange messages sent to temporary topics. As a result,
temporary topics are ideal destinations for reply messages in request/reply interactions.
For more information on temporary queues and topics, refer to the Jakarta Messaging
documentation described in Third Party Documentation.
Destination Bridges
You can create server-based bridges between destinations of the same or different types to
create a hybrid messaging model for your application. This allows all messages delivered to
one destination to also be delivered to the bridged destination. You can bridge between
different destination types, between the same destination type, or to more than one
destination. For example, you can create a bridge between a topic and a queue or from a
topic to another topic.
See Destination Bridges for more information about destination bridging.
Structure
A destination name is a string divided into elements, each element separated by the dot
character (.). The dot character allows you to create multi-part destination names that
categorize destinations.
Empty strings ("") are not permitted in destination names. Likewise, elements cannot
incorporate the dot character by using an escape sequence.
Although they are not prohibited, we recommend that you do not use tabs, spaces, or any
unprintable character in a destination name. You may, however, use wildcards. See
Wildcards for more information.
Length
Destinations are limited to a total length of 249 characters. However, some of that length is
reserved for internal use. The amount of space reserved for internal use varies according to
the number of elements in the destination; destinations that include the maximum number
of elements are limited to 196 characters.
A destination can have up to 64 elements. Each element cannot exceed 127 characters. Dot
separators are not included in element length.
Valid Examples
NEWS.LOCAL.POLITICS.CITY_COUNCIL
NEWS.NATIONAL.ARTS.MOVIES.REVIEWS
CHAT.MRKTG.NEW_PRODUCTS
CHAT.DEVELOPMENT.BIG_PROJECT.DESIGN
News.Sports.Baseball
finance
This.long.subject_name.is.valid.even.though.quite.uninformative
Invalid Examples
Destination Properties
The following section contain a description of properties for topics and queues.
You can set the destination properties directly in the topics.conf or queues.conf file or by
means of the setprop topic or setprop queue command in the EMS Administration Tool.
The following table lists the properties that can be assigned to topics and queues. The
sections that follow describe each property.
exclusive No Yes
export Yes No
maxRedelivery No Yes
redeliveryDelay No Yes
exclusive
The exclusive property is available for queues only (not for topics), and cannot be used
with global queues.
When exclusive is set for a queue, the server sends all messages on that queue to one
consumer. No other consumers can receive messages from the queue. Instead, these
additional consumers act in a standby role; if the primary consumer fails, the server selects
one of the standby consumers as the new primary, and begins delivering messages to it.
You can set exclusive using the form:
exclusive
This arrangement prevents a large buildup of messages at one receiver and balances the
load of incoming messages across a set of queue receivers.
expiration
If an expiration property is set for a destination, the server honors the overridden
expiration period and retains the message for the length of time specified by the expiration
property.
However, the server overrides the JMSExpiration value set by the producer in the message
header with the value 0 and therefore the consuming client does not expire the message.
You can set the expiration property for any queue and any topic using the form:
expiration=time[msec|sec|min|hour|day]
where time is the number of seconds. Zero is a special value that indicates messages to the
destination never expire.
You can optionally include time units, such as msec, sec, min, hour or day to describe the
time value as being in milliseconds, seconds, minutes, hours, or days, respectively. For
example:
expiration=10min
means 10 minutes.
When a message expires it is either destroyed or, if the JMS_TIBCO_PRESERVE_UNDELIVERED
property on the message is set to true, the message is placed on the undelivered queue so
it can be handled by a special consumer. See Undelivered Message Queue for details.
All machines running EMS servers must be synchronized using NTP. If you use grid stores or
FTL stores, all machines running ActiveSpaces and FTL processes must also be
synchronized using NTP. Machines running EMS clients do not need to synchronized. For
information about how non-synchronized client machines are handled, refer to the
clock_sync_interval parameter.
export
The export property allows messages published by a client to a topic to be exported to the
external systems with configured transports.
You can set export using the form:
export="list"
where list is one or more transport names, as specified by the [transport_name] ids in the
transports.conf file. Multiple transport names in the list are separated by commas.
For example:
export="RV1,RV2"
You can configure transports for TIBCO FTL or Rendezvous reliable and certified messaging
protocols. You can specify the name of one or more transports of the same type in the
export property.
You must purchase, install, and configure the external system (for example, Rendezvous)
before configuring topics with the export property. Also, you must configure the
communication parameters to the external system by creating a named transport in the
transports.conf file.
flowControl
The flowControl property specifies the target maximum size the server can use to store
pending messages for the destination. Should the number of messages exceed the
maximum, the server will slow down the producers to the rate required by the message
consumers.
This is useful when message producers send messages much more quickly than message
consumers can consume them. Unlike the behavior established by the overflowPolicy
property, flowControl never discards messages or generates errors back to producer.
flowControl=size[KB|MB|GB]
where size is the maximum number of bytes of storage for pending messages of the
destination. If you specify the flowControl property without a value, the target maximum
is set to 256KB.
You can optionally include a KB, MB or GB after the number to specify kilobytes,
megabytes, or gigabytes, respectively. For example:
flowControl=1000KB
global
Messages destined for a topic or queue with the global property set are routed to the
other servers that are participating in routing with this server.
You can set global using the form:
global
import
The import property allows messages published by an external system to be received by a
EMS destination (a topic or a queue), as long as the transport to the external system is
configured.
You can set import using the form:
import="list"
where list is one or more transport names, as specified by the [NAME] ids in the
transports.conf file. Multiple transport names in the list are separated by commas. For
example:
import="RV1,RV2"
You can configure transports for TIBCO FTL or Rendezvous reliable and certified messaging
protocols. You can specify the name of one or more transports of the same type in the
import property.
You must purchase, install, and configure the external system (for example, Rendezvous)
before configuring topics with the import property. Also, you must configure the
communication parameters to the external system by creating a named transport in the
transports.conf file.
maxbytes
Topics and queues can specify the maxbytes property in the form:
maxbytes=value[KB|MB|GB]
maxbytes=1000
maxbytes=1000KB
For queues, maxbytes defines the maximum size (in bytes) that the queue can store,
summed over all messages in the queue. Should this limit be exceeded, messages will be
rejected by the server and the message producer send calls will return an error (see also
overflowPolicy). For example, if a receiver is off-line for a long time, then the queue size
could reach this limit, which would prevent further memory allocation for additional
messages.
If maxbytes is zero, or is not set, the server does not limit the memory allocation for the
queue.
You can set both maxmsgs and maxbytes properties on the same queue. Exceeding either
limit causes the server to reject new messages until consumers reduce the queue size to
below these limits.
Warning: If the maxbytes limit is not set on a destination, the server still checks
to see if that destination’s memory footprint is growing beyond a threshold. If
so, a warning is logged. For more details, see large_destination_memory and
large_destination_count.
For topics, maxbytes limits the maximum size (in bytes) that the topic can store for delivery
to each durable or non-durable online subscriber on that topic. That is, the limit applies
separately to each subscriber on the topic. For example, if a durable subscriber is off-line
for a long time, pending messages accumulate until they exceed maxbytes; when the
subscriber consumes messages (freeing storage) the topic can accept additional messages
for the subscriber. For a non-durable subscriber, maxbytes limits the number of pending
messages that can accumulate while the subscriber is online.
When a destination inherits different values of this property from several parent
destinations, it inherits the smallest value.
Note: You can further protect against consumers that receive messages without
acknowledging them using the parameter disconnect_non_acking_consumers.
maxmsgs
Topics and queues can specify the maxmsgs property in the form:
maxmsgs=value
where value defines the maximum number of messages that can be waiting in a queue.
When adding a message would exceed this limit, the server does not accept the message
into storage, and the message producer’s send call returns an error (but see also
overflowPolicy).
If maxmsgs is zero, or is not set, the server does not limit the number of messages in the
queue.
Warning: If the maxmsgs limit is not set on a destination, the server still checks
to see if that destination’s memory footprint is growing beyond a threshold. If
so, a warning is logged. For more details, see large_destination_memory and
large_destination_count.
You can set both maxmsgs and maxbytes properties on the same queue. Exceeding either
limit causes the server to reject new messages until consumers reduce the queue size to
below these limits.
Note: You can further protect against consumers that receive messages without
acknowledging them using the parameter disconnect_non_acking_consumers.
maxRedelivery
The maxRedelivery property specifies the number of attempts the server should make to
deliver a message sent to a queue.
Set maxRedelivery using the form:
maxRedelivery=count
where count is an integer between 2 and 255 that specifies the maximum number of times
a message can be delivered to receivers. A value of zero disables maxRedelivery, so there
is no maximum.
Once the server has attempted to deliver the message the specified number of times, the
message is either destroyed or, if the JMS_TIBCO_PRESERVE_UNDELIVERED property on the
message is set to true, the message is placed on the undelivered queue so it can be
handled by a special consumer. See Undelivered Message Queue for details.
For messages that have been redelivered, the JMSRedelivered header property is set to
true and the JMSXDeliveryCount property is set to the number of times the message has
been delivered to the queue. If the server restarts, the current number of delivery attempts
in the JMSXDeliveryCount property is not retained.
Note: In the event of an abrupt exit by the client, the maxRedelivery count can
be mistakenly incremented. An abrupt exit prevents the client from
communicating with the server; for example, when the client exits without
closing the connection or when the client application crashes. If a client
application exits abruptly, the EMS server counts all messages sent to the client
as delivered, even if they were not presented to the application.
overflowPolicy
Topics and queues can specify the overflowPolicy property to change the effect of
exceeding the message capacity established by either maxbytes or maxmsgs.
Set the overflowPolicy using the form:
overflowPolicy=default|discardOld|rejectIncoming
l If a child destination has a non-default overflowPolicy policy set, then that policy is
used and it does not inherit any conflicting policy from a parent.
l If a parent has OVERFLOW_REJECT_INCOMING set, then it is inherited by the child
destination over any other policy.
l If no parent has OVERFLOW_REJECT_INCOMING set and a parent has
OVERFLOW_DISCARD_OLD policy set, then that policy is inherited by the child
destination.
l If no parent has the OVERFLOW_REJECT_INCOMING or OVERFLOW_DISCARD_OLD set, then
the default policy is used by the child destination.
default
For topics, default specifies that messages are sent to each subscriber in turn. If the
maxbytes or maxmsgs setting has been reached for a subscriber, that subscriber does not
receive the message. No error is returned to the message producer.
For queues, default specifies that new messages are rejected by the server and an error is
returned to the producer if the established maxbytes or maxmsgs value has been exceeded.
discardOld
For topics, discardOld specifies that, if any of the subscribers have an outstanding number
of undelivered messages on the server that are over the message limit, the oldest
messages are discarded before they are delivered to the subscriber.
The discardOld setting impacts subscribers individually. For example, you might have
three subscribers to a topic, but only one subscriber exceeds the message limit. In this
case, only the oldest messages for the one subscriber are discarded, while the other two
subscribers continue to receive all of their messages.
When messages for a topic or queue exceed the maxbytes or maxmsgs value, the oldest
messages are silently discarded. No error is returned to the producer.
rejectIncoming
For topics, rejectIncoming specifies that, if any of the subscribers have an outstanding
number of undelivered messages on the server that are over the message limit, all new
messages are rejected and an error is returned to the producer.
For queues, rejectIncoming specifies that, if messages on the queue have exceeded the
maxbytes or maxmsgs value, all new messages are rejected and an error is returned to the
producer. (This is the same as the default behavior.)
Examples
To discard messages on myQueue when the number of queued messages exceeds 1000,
enter:
To reject all new messages published to myTopic when the memory used by undelivered
messages for any of the topic subscribers exceeds 100KB, enter:
prefetch
The message consumer portion of a client and the server cooperate to regulate fetching
according to the prefetch property. The prefetch property applies to both topics and
queues.
You can set prefetch using the form:
prefetch=value
prefetch Values
The following table lists values used with the prefetch property.
Value Description
2 or The message consumer automatically fetches messages from the server. The
more message consumer never fetches more than the number of messages specified by
value.
none Disables automatic fetch. That is, the message consumer initiates fetch only when
the client calls receive—either an explicit synchronous call, or an implicit call (in
an asynchronous consumer).
0 The destination inherits the prefetch value from a parent destination with a
matching name. If it has no parent, or no destination in the parent chain sets a
value for prefetch, then the default value is 5 queues and 64 for topics.
When a destination does not set any value for prefetch, then the default value is 0
(zero; that is, inherit the prefetch value).
Note: If both prefetch and maxRedelivery are set to a non-zero value, then
there is a potential to lose prefetched messages if one of the messages exceeds
the maxRedelivery limit. For example, prefetch=5 and maxRedelivery=4. The
first message is redelivered 4 times, hits the maxRedelivery limit and is sent to
the undelivered queue (as expected). However, the other 4 pre-fetched messages
are also sent to the undelivered queue and are not processed by the receiving
application. The work around is to set prefetch=none, but this can have
performance implications on large volume interfaces.
Background
Delivering messages from the server destination to a message consumer involves two
independent phases—fetch and accept.
l The fetch phase is a two-step interaction between a message consumer and the
server.
o The message consumer initiates the fetch phase by signaling to the server that
it is ready for more messages.
o The server responds by transferring one or more messages to the client, which
stores them in the message consumer.
l In the accept phase, client code takes a message from the message consumer.
The receive call embraces both of these phases. It initiates fetch when needed and it
accepts a message from the message consumer.
To reduce waiting time for client programs, the message consumer can prefetch
messages—that is, fetch a batch of messages from the server, and hold them for client
code to accept, one by one.
acl.conf
This file defines all permissions on topics and queues for all users and groups.
The format of the file is:
Parameter Description
Name
Parameter Description
Name
GROUP Name of the group to which you wish to add permissions. The designation
all specifies a predefined group that contains all users.
The permissions which can be assigned to queues are send, receive and
browse. The permissions which can be assigned to topics are publish,
subscribe and durable and use_durable. The designation all specifies all
possible permissions. For information about these permissions, refer to When
Permissions Are Checked and Inheritance of Permissions.
Example
Note: Automatic fetch cannot be disabled for global queues or for topics.
Inheritance
When a destination inherits the prefetch property from parent destination with matching
names, these behaviors are possible:
l When all parent destinations set the value none, then the child destination inherits
the value none.
l When any parent destination sets a non-zero numeric value, then the child
destination inherits the largest value from among the entire parent chain.
l When none of the parent destinations sets any non-zero numeric value, then the
child destination uses the default value (which is 5).
redeliveryDelay
When redeliveryDelay is set, the EMS server waits the specified interval before returning
an unacknowledged message to the queue.
When a previously delivered message did not receive a successful acknowledgment, the
EMS server waits the specified redelivery delay before making the message available again
in the queue. This is most likely to occur in the event of a transaction rollback, session or
message recovery, session or connection close, or the abrupt exit of a client application.
However, note that the delay time is not exact, and in most situations will exceed the
specified redeliveryDelay.
The value can be specified in seconds, minutes, or hours. The value may be in the range of
15 seconds and 8 hours.
You can set redeliveryDelay using the form:
redeliveryDelay=time[sec|min|hour]
where time is the number of seconds. Zero is a special value that indicates no redelivery
delay.
You can optionally include time units, such as sec, min, or hour describe the time value as
being in seconds, minutes, or hours, respectively. For example:
redeliveryDelay=30min
secure
When the secure property is enabled for a destination, it instructs the server to check user
permissions whenever a user attempts to perform an operation on that destination.
You can set secure using the form:
secure
If the secure property is not set for a destination, the server does not check permissions
for that destination and any authenticated user can perform any operation on that topic or
queue.
The server authorization property acts as a master switch for checking permissions. That
is, the server checks user permissions on secure destinations only when the authorization
property is enabled. To enforce permissions, you must both enable the authorization
configuration parameter, and set the secure property on each affected destination.
See Authentication and Permissions for more information on permissions and the secure
property.
sender_name
The sender_name property specifies that the server may include the sender’s user name for
messages sent to this destination.
You can set sender_name using the form:
sender_name
When the sender_name property is enabled, the server takes the user name supplied by the
message producer when the connection is established and places that user name into the
JMS_TIBCO_SENDER property in the message.
The message producer can override this behavior by specifying a property on a message. If
a message producer sets the JMS_TIBCO_DISABLE_SENDER property to true for a message,
the server overrides the sender_name property and does not add the sender name to the
message.
If authentication for the server is turned off, the server places whatever user name the
message producer supplied when the message producer created a connection to the
server. If authentication for the server is enabled, the server authenticates the user name
supplied by the connection and the user name placed in the message property will be an
authenticated user. If TLS is used, the TLS connection protocol guarantees the client is
authenticated using the client’s digital certificate.
sender_name_enforced
The sender_name_enforced property specifies that messages sent to this destination must
include the sender’s user name. The server retrieves the user name of the message
producer using the same procedure described in the sender_name property above.
However, unlike, the sender_name property, there is no way for message producers to
override this property.
You can set sender_name_enforced using the form:
sender_name_enforced
If the sender_name property is also set on the destination, this property overrides the
sender_name property.
Note: In some business situations, clients may not be willing to disclose the user
name of their message producers.
If this is the case, these clients may wish to avoid sending messages to
destinations that have the sender_name or sender_name_enforced properties
enabled.
In these situations, the operator of the EMS server should develop a policy for
disclosing a list of destinations that have these properties enabled. This will
allow clients to avoid sending messages to destinations that would cause their
message producer usernames to be exposed.
store
The store property determines where messages sent to this destination are stored.
Messages may be stored in a file, in a TIBCO ActiveSpaces data grid, or in a TIBCO FTL
server cluster.
See Store Messages in Multiple Stores for more information on using and configuring
multiple stores.
Warning: When using the setprop or addprop commands to change the store
settings for a topic or queue, note that existing messages are not migrated to
the new store. As a result, stopping the EMS server and deleting the original
store may result in data loss, if a destination still had messages in the original
store.
store=name
> store=everythingelse
giants.games store=baseball
Only one store is allowed for each destination. If there is a conflict, for example if
overlapping wildcards cause a topic to inherit multiple store properties, the topic creation
will fail.
Note: This parameter cannot be used without first enabling this feature in the
tibemsd.conf file. The stores.conf file must also exist, but can be left empty if
the only store names that are associated with destinations are the default
stores. These rules apply when using a JSON configuration file as well.
See Store Messages in Multiple Stores for more information.
trace
The trace property specifies that tracing should be enabled for this destination.
You can set trace using the form:
trace = [body]
Specifying trace (without =body), generates trace messages that include the message
sequence, message ID, and message size. Specifying trace=body generates trace messages
that include the message body. See Message Tracing for more information about message
tracing.
l maxmsgs
l overflowPolicy
Topics
Properties set on the $TMP$.> topic are immediately and directly inherited by all existing
temporary topics and all temporary topics created in the future.
Queues
Properties set on the $TMP$.> queue are immediately and directly inherited by all existing
temporary queues and all temporary queues created in the future.
Usage Notes
The temporary destination wildcard $TMP$.> can only be used to set properties on
temporary topics or queues through inheritance.
l $TMP$.> cannot be used to send or receive messages.
l You cannot create a durable subscription on the temporary topic wildcard $TMP$.>.
l You cannot use $TMP$.> to import or export messages from TIBCO FTL or
Rendezvous.
l $TMP$.> never inherits any properties from other destination wildcards. For example,
$TMP$.> does not inherit from the wildcard >.
The queue and topic data stored on the EMS server is located in the queues.conf and
topics.conf files, respectively. You can use the show queues and show topics commands
to list all of the queues and topics on your EMS server and the show queue and show topic
commands to show the configuration details of specific queues and topics.
A queue or topic may include optional properties that define the specific characteristics of
the destination. These properties are described in Destination Properties and they can be
specified when creating the queue or topic or modified for an existing queue or topic using
the addprop queue, addprop topic, setprop queue, setprop topic, removeprop queue,
and removeprop topic commands.
For example, to discard messages on myQueue when the number of queued messages
exceeds 1000, you can set an overflowPolicy by entering:
The setprop queue and setprop topic commands remove properties that are not
explicitly set by the command. For example, to change maxmsgs to 100 and to remove the
overflowPolicy parameter, enter:
Wildcards
You can use wildcards when specifying statically created destinations in queues.conf and
topics.conf.
The use of wildcards in destination names can be used to define "parent" and "child"
destination relationships, where the child destinations inherit the properties and
permissions from its parents. You must first understand wildcards to understand the
inheritance rules described in Inheritance.
foo.>
foo.*
foo.*.bar
topic.sample.> store=$sys.failsafe
topic.sample.quotes.* store=$sys.nonfailsafe
Wildcards in Topics
TIBCO Enterprise Message Service enables you to use wildcards in topic names in some
situations.
l You can subscribe to wildcard topics.
If you subscribe to a topic containing a wildcard, you will receive any message
published to a matching topic. For example, if you subscribe to foo.* you will receive
messages published to a topic named foo.bar.
You can subscribe to a wildcard topic (for example foo.*), whether or not there is a
matching topic in the configuration file (for example, foo.*, foo.>, or foo.bar).
However, if there is no matching topic name in the configuration file, no messages
will be published on that topic.
l You cannot publish to wildcard topics.
l If foo.bar is not in the configuration file, then you can publish to foo.bar if foo.* or
foo.> exists in the configuration file.
l On routed topic messages, subscribers must specify a topic that is a direct subset (or
equal) of the configured global topic. For more information, see Wildcards.
Wildcards in Queues
TIBCO Enterprise Message Service enables you to use wildcards in queue names in some
situations. You can neither send to nor receive from wildcard queue names. However, you
can use wildcard queue names in the configuration files.
For example, if the queue configuration file includes a line:
foo.*
then users can dynamically create queues foo.bar, foo.bob, and so forth, but not
foo.bar.bob.
created destinations.
The same basic wildcard rules apply to dynamically created destinations as described
above for static destinations.
Examples
l If the queues.conf file contains:
>
The EMS server can dynamically create a queue with any name.
l If the topics.conf file contains only:
foo.>
The EMS server can dynamically create topics with names like foo.bar, foo.boo,
foo.boo.bar, and foo.bar.boo.
foo.*
The EMS server can dynamically create queues with names like foo.bar and foo.boo,
but not foo.bar.boo.
l If the topics.conf file contains only:
foo.*.bar
The EMS server can dynamically create topics with names like foo.boo.bar, but not
foo.bar.
Inheritance
The following sections describe the inheritance of properties and permissions.
The Wildcards, Destination Properties, and Authentication and Permissions sections
provide useful information in this context
Inheritance of Properties
All destination properties are inheritable for both topics and queues. This means that a
property set for a "wildcarded" destination is inherited by all destinations with matching
names.
For example, if you have the following in your topics.conf file:
foo.* secure
foo.bar
foo.bob
Topics foo.bar and foo.bob are secure topics because they inherit secure from their
parent, foo.*. If your EMS server were to dynamically create a foo.new topic, it too would
have the secure property.
The properties inherited from a parent are in addition to the properties defined for the
child destination.
For example, if you have the following in your topics.conf file:
foo.* secure
foo.bar sender_name
foo.* maxbytes=200
foo.bar maxbytes=2000
> sender_name
foo.* secure
foo.bar trace
The foo.bar topic has the sender_name, secure and trace properties.
When there are multiple parents for a destination that contain conflicting property values,
the destination inherits the smallest value. For example:
> maxbytes=2000
foo.* maxbytes=200
foo.bar
> store=mystore
you make every topic store messages, regardless of additional entries. This might require a
great deal of memory for storage and greatly decrease the system performance.
Inheritance of Permissions
Inheritance of permissions is similar to inheritance of properties. If the parent has a
permission, then the child inherits that permission.
For example, if Bob belongs to GroupA, and GroupA has publish permission on a topic,
then Bob has publish permission on that topic.
Permissions for a single user are the union of the permissions set for that user, and of all
permissions set for every group in which the user is a member. These permission sets are
additive. Permissions have positive boolean inheritance. Once a permission right has been
granted through inheritance, it can not be removed.
All rules for wildcards apply to inheritance of permissions. For example, if a user has
permission to publish on topic foo.*, the user also has permission to publish on foo.bar
and foo.new.
Destination Bridges
Some applications require the same message to be sent to more than one destination,
possibly of different types.
For example, an application may send messages to a queue for distributed load balancing.
That same application, however, may also need the messages to be published to several
monitoring applications. Another example is an application that publishes messages to
several topics. All messages however, must also be sent to a database for backup and for
data mining. A queue is used to collect all messages and send them to the database.
An application can process messages so that they are sent multiple times to the required
destinations. However, such processing requires significant coding effort in the application.
EMS provides a server-based solution to this problem. You can create bridges between
destinations so that messages sent to one destination are also delivered to all bridged
destinations.
Bridges are created between one destination and one or more other destinations of the
same or of different types. That is, you can create a bridge from a topic to a queue or from
a queue to a topic. You can also create a bridge between one destination and multiple
destinations. For example, you can create a bridge from topic a.b to queue q.b and topic
a.c.
When specifying a bridge, you can specify a particular destination name, or you can use
wildcards. For example, if you specify a bridge on topic foo.* to queue foo.queue,
messages delivered to any topic matching foo.* are sent to foo.queue.
Note: Because global topics are routed between servers and global queues are
limited to their neighbors, in most cases the best practice is to send messages to
a topic and then bridge the topic to a queue.
When multiple bridges exist, using wildcards to specify a destination name may result in a
message being delivered twice. For example, if the queues Q.1 and Q.> are both bridged to
QX.1, the server will deliver two copies of sent messages to QX.1.
Note: When a bridge exists between two queues, the message is delivered to
both queues. The queues operate independently; if the message is retrieved
from one queue, that has no effect on the status of the message in the second
queue.
Bridges are not transitive. That is, messages sent to a destination with a bridge are only
delivered to the specified bridged destinations and are not delivered across multiple
bridges. For example, topic A.B has a bridge to queue Q.B. Queue Q.B has a bridge to topic
B.C. Messages delivered to A.B are also delivered to Q.B, but not to B.C.
The bridge copies the source message to the target destination, which assigns the copied
message a new message identifier. Note that additional storage may be required,
depending on the target destination store parameters.
Create a Bridge
Bridges are configured using the bridges.conf configuration file.
You specify a bridge using the following syntax:
[destinationType:destinationName]
destinationType=destinationToBridgeTo selector="msg-selector"
[topic:A.B]
queue=queue.B
topic=C.B
[topic:A.B]
queue=queue.B
topic=C.B selector="urgency in('medium', 'high')"
For detailed information about message selector syntax, see the documentation for the
Message class in the relevant EMS API reference document.
Transactions
When a message producer sends a message within a transaction, all messages sent across
a bridge are part of the transaction. Therefore, if the transaction succeeds, all messages are
delivered to all bridged destinations. If the transaction fails, no consumers for bridged
destinations receive the messages.
If a message cannot be delivered to a bridged destination because the message producer
does not have the correct permissions for the bridged destination, the transaction cannot
complete, and therefore fails and is rolled back.
Flow Control
In some situations, message producers may send messages more rapidly than message
consumers can receive them. The pending messages for a destination are stored by the
server until they can be delivered, and the server can potentially exhaust its storage
capacity if the message consumers do not receive messages quickly enough.
To avoid this, EMS allows you to control the flow of messages to a destination. Each
destination can specify a target maximum size for storing pending messages. When the
target is reached, EMS blocks message producers when new messages are sent. This
effectively slows down message producers until the message consumers can receive the
pending messages.
Note: Prior to release 8.4, if there was no message consumer for a destination,
the server would not enforce flow control for the destination. That is, if a queue
had no started receiver, the server did not enforce flow control for that queue.
Also, if a topic had inactive durable subscriptions or no current subscriber, the
server did not enforce flow control for that topic. For topics, if flow control was
set on a specific topic (for example, foo.bar), then flow control was enforced as
long as there were subscribers to that topic or any parent topic (for example, if
there were subscribers to foo.*).
This behavior can be restored by setting the
flow_control_only_with_active_consumer property but note that this property
and the corresponding behavior are deprecated and will be removed in a future
release.
The dependency analysis is analogous to mutex deadlock. You must analyze your programs
and distributed systems in a similar way to avoid potential deadlock.
Delivery Delay
The delivery delay feature allows the message producer to specify the earliest time at
which a message should be delivered to consumers. This is done by using the
setDeliveryDelay() method to set the minimum length of time that must elapse after a
message is sent before the EMS server may deliver the message to a consumer.
Whenever a message is sent to destination dest with a non-zero delivery delay for the first
time, the server dynamically creates a queue named $sys.delayed.q.dest when dest is a
queue, or $sys.delayed.t.dest when dest is a topic.
$sys.delayed queues support browsing and purging but do not support other permissions
such as receive or send. They inherit destination limits, security, and storage selection
properties from dest. However, note that a $sys.delayed.t queue created for a topic that
has the secure property cannot be browsed.
Note that the $sys.delayed queue corresponding to a destination takes any maxmsgs
property setting from the destination. That is, if dest has property maxmsgs set to X, its
$sys.delayed queue also has maxmsgs set to X. This doubles the number of messages that
can potentially be held for dest in the server.
If the maxmsgs limit has been reached and the destination has the property
overflowPolicy=rejectIncoming, when the delivery delay expires for a message one of
two things can happen. If the message has the JMS_TIBCO_PRESERVE_UNDELIVERED set to
true, it is put on the $sys.undelivered queue. Otherwise, the message is discarded.
Note that, when delivery delay is enabled for a topic, the behavior of
overflowPolicy=default mimics that of a queue. That is, when maxbytes or maxmsgs has
been reached, new messages are rejected by the server and an error is returned to the
producer.
Getting Started
This following topics provide a quick introduction to setting up a simple EMS configuration
and running some sample client applications to publish and subscribe users to a topic.
In this chapter, you will use some of the sample clients in the EMS_HOME/samples/java
directory. For information on compiling and running the other sample clients, see the
Readme files in their respective folders.
Procedure
1. Make sure you have JDK 1.8 or greater installed and that you’ve added the bin
directory to your PATH variable.
2. Open a command line or console window, and navigate to the
EMS_HOME/samples/java directory.
3. Open the correct setup script file and verify that the TIBEMS_ROOT environment
variable identifies the correct pathname to your EMS_HOME directory. For example,
on a Windows system this might look like:
> setup
This compiles all the samples in the directory, except for those samples in the JNDI,
tibrv, and admin subdirectories.
If the files compile successfully, the class files will appear in the
EMS_HOME/samples/java directory. If they do not compile correctly, an error
message appears.
Note: All of the parameters you set using the administration tool in this chapter
can also be set by editing the configuration files described in Configuration Files.
You can also programmatically set parameters using the C, .NET, or Java APIs.
Parameters set programmatically by a client are only set for the length of the
session.
Procedure
1. Start the EMS server
Start the EMS server as described in Starting and Stopping the EMS Server.
2. Start the Administration Tool and Connect to the EMS Server
a. Start the EMS administration tool as described in Starting the EMS
Administration Tool.
b. After starting the administration tool, connect it to the EMS server.
To connect the EMS administration tool to the EMS server, execute one of the
following commands:
l If you are using TIBCO Enterprise Message Service on a single computer, type
connect in the command line of the Administration tool:
> connect
You will be prompted for a login name. If this is the first time you’ve used the
EMS administration tool, follow the procedure described in When You First Start
tibemsadmin.
Once you have logged in, the screen will display:
connected to tcp://localhost:7222
tcp://localhost:7222>
l If you are using TIBCO Enterprise Message Service in a network, use the connect
server command as follows:
> connect [server URL] [user-name] [password]
For more information on this command, see connect.
For further information on the administration tool, see Starting the EMS
Administration Tool and Command Listing.
3. Create Users
Once you have connected the administration tool to the server, use the create user
command to create two users.
In the administration tool, enter:
tcp://localhost:7222> create user user1
tcp://localhost:7222> create user user2
The tool will display messages confirming that user1 and user2 have been created.
You have now created two users. You can confirm this with the show users
command:
tcp://localhost:7222> show users
User Name Description
user1
user2
For more information on the create user command, refer to create user.
Creating a Queue
In the point-to-point messaging model, client send messages to and receive messages from
a queue.
To create a new queue in the administration tool, use the create queue command to
create a new queue named myQueue:
For more information on the create queue command, refer to create queue. For more
information on the commit command, see commit and autocommit.
2. In each command line window, enter setup to set the environment and classpath:
> setup
4. In the second command line window, execute the tibjmsMsgConsumer client to direct
user2 to read the messages from the message queue:
The messages placed on the queue are displayed in the receiver’s window.
Creating a Topic
In the publish/subscribe model, you publish and subscribe to topics.
To create a new topic in the administration tool, use the create topic command to create
a new topic named myTopic:
For more information on the create topic command, refer to create topic. For more
information on the commit command, see commit and autocommit.
> setup
The screen will display a message showing that user1 is subscribed to myTopic.
> setup
The screen will display a message showing that user2 is subscribed to myTopic.
Note: The command windows do not return to the prompt when the
subscribers are running.
Procedure
1. In the third command line window, navigate to the EMS_HOME/samples/java folder.
> setup
Result
The command line window will display a message stating that both messages have been
published:
After the messages are published, the command window for the publisher returns to the
prompt for further message publishing.
without adding the messages, you will see an error message, reminding you that
you must have at least one message text.
The first and second command line windows containing the subscribers will show that
each subscriber received the two messages:
Procedure
1. In each subscriber window, enter Control-C to stop each subscriber.
2. In the administration tool, use the set server command to enable the
authorization property:
For more information on the set server command, refer to set server. For more
information on the addprop topic command, refer to addprop topic.
For more information on the grant topic command, refer to grant topic.
You can now start user1 as the publisher and send messages to user2, as described in
Starting the Publisher Client and Sending Messages.
Procedure
1. In the a command line window, navigate to the EMS_HOME/samples/java folder.
2. Enter setup to set the environment and classpath:
> setup
4. In the administration tool, use the show durables command to confirm that user2 is
a durable subscriber to myTopic:
The subscriber is no longer durable and any additional messages published to the
myTopic topic are lost.
Procedure
1. Create a local directory called datastore (for example,
/opt/tibco/ems/samples/config/datastore)
Procedure
1. From the command line, navigate to EMS_HOME/bin.
2. Enter the following command and option:
where json-file-path is the path to your JSON configuration file. For example:
Procedure
1. Navigate to the samples subdirectory.
Sample EMS server configuration files are located in EMS_HOME/samples/config. For
more information, see 'Installing TIBCO Enterprise Message Service' in TIBCO
Enterprise Message Service Installation.
The EMS server dynamically loads the OpenSSL and compression shared libraries. If
the tibemsd executable is executed from the samples directory, it automatically
locates these libraries. If the server is moved elsewhere, the shared library directory
must be moved as well.
2. Start the tibemsd
Type tibemsd [options]
where options are described in tibemsd Options. The command options to tibemsd
are similar to the parameters you specify in tibemsd.conf, and the command options
override any value specified in the parameters. See tibemsd.conf for more
information about configuration parameters.
tibemsd Options
The tibemsd options override any value specified in the parameters.
Note: A number of these options are unsupported when using FTL stores. See
the Unsupported tibemsd Options section for details.
Option Description
-config config file name config file name is the name of the main
configuration file for tibemsd server. Default is
tibemsd.conf.
-trace items Specifies the trace items. These items are not
stored in the configuration file. The value has
the same format as the value of log_trace
parameter specified with set server
command of the administration tool; see Trace
Messages for the Server.
Option Description
Grid Store Options Options required for starting the EMS server
Option Description
emsntsrg
The emsntsrg utility registers or unregisters the EMS server as a Windows service.
Syntax
Remarks
Some situations require the EMS server processes to start automatically. You can satisfy
this requirement by registering these with the Windows service manager. This utility
facilitates registry.
Restrictions
You must have administrator privileges to change the Windows registry.
Location
Locate this utility program as an executable file in the EMS bin directory.
Parameter Description
/? Display usage.
Parameter Description
tibemsd. Required.
suffix When registering more than one instance of a service, you can
use this suffix to distinguish between them in the Windows
services applet. Optional.
Register
To register tibemsd as a Windows service, run the utility with this command line:
l Example 1
This simple example registers one tibemsd service:
l Example 2
This example registers a service with command line arguments:
l Example 3
This pair of example commands registers two tibemsd services with different
configuration files. In this example, the numerical suffix and the configuration
directory both reflect the port number that the service uses.
Remove
To unregister a service, run the utility with this command line:
Both parameters are optional. If the service_name is present, it must be tibemsd. To supply
the suffix parameter, you must also supply the service_name. When both parameters are
absent, the utility removes the services named tibemsd.
Command Summary
To view a command line summary, run the utility with this command line:
emsntsrg
When the EMS server encounters one of these errors during startup, the recovery policy is:
l By default, the server exits startup completely when a corrupt disk record error is
detected. Because the state can not be safely restored, the server can not proceed
with the rest of the recovery. You can then examine your configuration settings for
errors. If necessary, you can then copy the store and configuration files for
examination by TIBCO Support.
l You can direct the server to delete bad records by including the -forceStart
command line option. This prevents corruption of the server runtime state.
l The server exits if it runs out of memory during startup.
It is important to backup all stores before restarting the server with the -forceStart
option, because data will be lost when the problematic records are deleted. To back up
file-based stores, you can simply create a copy of the store files. For grid stores and FTL
stores, you will need to back up the associated ActiveSpaces or FTL deployment. Refer to
the TIBCO ActiveSpaces Administration and TIBCO FTL Administration product guides for
instructions on creating backups for these products.
Keep in mind that different type of records are stored in the stores. The most obvious are
the persistent Jakarta Messaging Messages that your applications have sent. However,
other internal records are also stored. If a consumer record used to persist durable
subscriber state information were to be corrupted and later deleted with the -forceStart
option, all Jakarta Messaging messages that were persisted (and valid in the sense that
they were not corrupted) would also be lost because the durable subscription itself would
not be recovered.
When running in this mode, the server still reports any errors found during the recovery,
but problematic records are deleted and the recovery proceeds. This mode may report
more issues than are reported without the -forceStart option, because without that flag
the server stops with the very first error.
Warning: We strongly recommended that you make a backup of all the stores
before restarting the server with the -forceStart option. The backup is useful
when doing a postmortem analysis to find out what records were deleted with
the -forceStart option.
Security Considerations
Warning: This section highlights information relevant to secure deployment. We
recommend that all administrators read this section.
Secure Environment
To ensure secure deployment, EMS administration must meet certain criteria.
These criteria include:
l Correct Installation: EMS is correctly installed and configured.
l Physical Controls: The computers where EMS is installed are located in areas where
physical entry is controlled to prevent unauthorized access. Only authorized
administrators have access, and they cooperate in a benign environment.
l Domain Control: The operating system, file system and network protocols ensure
domain separation for EMS, to prevent unauthorized access to the server, its
configuration files, LDAP servers, etc.
l Benign Environment: Only authorized administrators have physical access or
domain access, and those administrators cooperate in a benign environment.
Destination Security
Three interacting factors affect the security of destinations (that is, topics and queues). In a
secure deployment, you must properly configure all three of these items.
Authorization Parameter
The authorization parameter of the server acts as a master switch for checking
permissions for connection requests and operations on secure destinations.
The default value of this parameter is disabled—the server does not check any
permissions, and allows all operations. For secure deployment, you must enable this
parameter.
Admin Password
For ease in installation and initial testing, the default setting for the admin password is no
password at all. Until you set an actual password, the user admin can connect without a
password. Once the administrator password has been set, the server always requires it.
To configure a secure deployment, the administrator must change the admin password
immediately after installation; see Assigning a Password to the Administrator.
Connection Security
When authorization is enabled, the server requires a name and password before users
can connect. Only authenticated users can connect to the server. The form of
authentication can be either an X.509 certificate or a username and password (or both).
When authorization is disabled, the server does not check user authentication; user (non-
admin) connections are allowed. However, even when authorization is disabled, admin
connections must still supply the correct password to connect to the server.
Even when authorization is enabled, the administrator (admin) may explicitly allow
anonymous user connections, which do not require password authorization. To allow these
connections, create a user with the name anonymous and no password.
Note: Creating the user anonymous does not mean that anonymous has all
permissions. Individual topics and queues can still be secure, and the ability to
use these destinations (either sending or receiving) is controlled by the access
control list of permissions for those destinations. The user anonymous can access
only non-secure destinations.
Nonetheless, this feature (anonymous user connections) is outside the tested
configuration of EMS security certification.
For more information on destination security, refer to the destination property secure, and
Create Users.
Communication Security
For communication security between servers and clients, and between servers and other
servers, you must explicitly configure TLS within EMS .
TLS communication requires software to implement TLS on both server and client. The
EMS server includes the OpenSSL implementation. Java client programs use JSSE (part of
the Java environment). JSSE is not a part of the EMS product. C client programs can use
the OpenSSL library shipped with EMS.
For more information, see TLS Protocol
You must safeguard the security of EMS configuration files and LDAP servers.
For more information, see ssl_server_trusted.
Timestamp
The administration tool can either include or omit a timestamp associated with the output
of each command.
To ensure a secure deployment, you must explicitly enable the timestamp feature. Use the
following administration tool command:
time on
Passwords
Warning: Passwords are a significant point of vulnerability for any enterprise.
We recommend enforcing strong standards for passwords.
For security equivalent to single DES (an industry minimum), security experts
recommend passwords that contain 8–14 characters, with at least one upper
case character, at least one numeric character, and at least one punctuation
character.
EMS software does not automatically enforce such standards for passwords. You must
enforce such policies within your organization.
Windows
On Windows platforms, servers use the standard Windows CreateFile function, supplying
FILE_SHARE_READ as the dwShareMode (third parameter position) to restrict access to other
servers.
UNIX
On UNIX platforms, servers use the standard fcntl operating system call to implement
cooperative file locking:
fl.l_type = F_WRLCK;
fl.l_whence = 0;
fl.l_start = 0;
fl.l_len = 0;
Performance Tuning
By default, the TIBCO Enterprise Message Service server has the following general thread
architecture:
l A single thread to process network traffic.
l One thread for each store.
schedule EMS server threads to react to changing workloads on the machine. Also
examine if the application is making efficient use of the API before changing the
default behavior. For example, when performing persistent messaging operations,
consider using multiple threads in the applications (each with its own session) or
consider using local transactions to batch sends and acknowledgments.
l Use the minimum number of threads to handle network traffic. Specifying a single
thread may yield sufficient performance improvements over the default behavior, so
start testing affinity there. Using excessive numbers of threads leads to greater
thread contention for global data structures, which can reduce throughput and waste
machine resources. Excessive numbers can also lead to more unbalanced connection
assignments. TIBCO tests have shown that three (or four under some workloads) is
the maximum useful number for network traffic.
l Specifying thread affinity to specific cores can provide the highest performance but
can also lead to a configuration that does not react well to changing workloads. If
you specify thread affinity for network traffic for persistent messaging, also set thread
affinity for stores in order to prevent contention between threads handling those
tasks.
Other Considerations
l When assigning cores for EMS use, ensure that the Operating System does not
schedule those cores for other processes.
l Assign cores on the same die if possible. This reduces cache sharing between dies.
High levels of cache sharing between dies reduces memory performance.
l Hyper-threads are not real cores. Disable hyper-threading if possible. Do not assign
cores to the EMS server such that it sets affinity for two "cores" that are actually
sharing the same physical core by hyper-threading.
Note: When a system uses shared configuration files in the .conf format, actions
performed using the tibemsadmin tool take effect only when connected to the
active server.
When a system uses a shared configuration file in the .json format, most
commands in the tibemsadmin tool are unavailable when connected to a server
that is not in the active state. In such a situation, the only commands available
are show connections, show state, shutdown, and rotatelog. In the particular
case of systems configured to use FTL stores, non-active servers also support the
activate_dr_site, setup_dr_site, show server, and show config commands.
Option Description
Line breaks within the file delimit each command. That is,
every command must be contained on a single line (no
line breaks within the command), and each command is
separated by a line break.
-pwdfile password-file Use the clear-text password in the specified file to connect
to the server. If both -pwdfile and -password options are
given, the password specified through the -password
option takes precedence.
Option Description
-oauth2_client_secret The OAuth 2.0 client secret to use when connecting to the
OAuth 2.0 authorization server.
-oauth2_expected_hostname The name that is expected in the CN field of the OAuth 2.0
authorization server's certificate.
-mangle [password] Mangle the password and quit. Mangled string in the
output can be set as a value of one of these passwords
from the configuration files:
l server password
Option Description
-ssl_pwdfile password-file Use the private key or PKCS12 password in the specified
file to connect to the server. If both -ssl_pwdfile and
-ssl_password options are given, the password specified
through the -ssl_password option takes precedence.
Note: When a command specifies -user and -password, that information is not
stored for later use. It is only used to connect to the server specified in the same
command line. The user name and password entered on one command line are
not reused with subsequent connect commands entered in the script file or
interactively.
Examples
Some options are needed when you choose to make a TLS connection. For more
information on TLS connections, refer to TLS Protocol.
Procedure
1. Log in and connect to the administration tool, as described directly above.
2. Use the set password command to change the password:
Result
When you restart the administration tool and type connect, the administration tool now
requires your password before connecting to the server.
For further information about setting and resetting passwords, refer to set password.
Naming Conventions
These rules apply when naming users, groups, topics or queues:
l $ is illegal at the beginning of the queue or topic names—but legal at the beginning
of user and group names.
l A user name cannot contain colon (":") character.
l Space characters are permitted in a description field—if the entire description field is
enclosed in double quotes (for example, "description field").
l Both * and > are wildcards, and cannot be used in names except as wildcards.
For more information about wildcards, see Wildcards.
l Dot separates elements within a destination name (foo.bar.*) and can be used only
for that purpose.
Command Listing
The command line interface of the administration tool allows you to perform a variety of
functions. Note that when a system uses shared configuration files, the actions performed
using the administration tool take effect only when connected to the active server.
Note: Many of the commands listed below accept arguments that specify the
names of users, groups, topics or queues. For information about the syntax and
that apply to these names, see Naming Conventions.
TLS aspects are addressed in TLS Protocol.
The following is an alphabetical listing of the commands including command syntax and a
description of each command.
activate_dr_site
activate_dr_site
This command is only available when using FTL stores with Disaster Recovery configured.
Inform the FTL servers at the disaster recovery site that their site of operations is now the
new primary site.
This command should be issued to one of the EMS servers in the fault-tolerant pair at the
disaster recovery site. It should only ever be used if the primary site becomes unavailable.
add member
add member group_name user_name [,user2,user3,...]
Add one or more users to the group. User names that are not already defined are added to
the group as external users; see Administration Commands and External Users and Groups.
addprop factory
addprop factory factory-name properties ...
addprop queue
addprop queue queue-name properties,...
addprop route
addprop route route-name prop=value[ prop-value...]
addprop topic
addprop topic topic_name properties,...
autocommit
autocommit [on|off]
When autocommit is set to on, the changes made to the configuration files are
automatically saved to disk after each command. When autocommit is set to off, you must
manually use the commit command to save configuration changes to the disk.
By default, autocommit is set to on when interactively issuing commands.
Entering autocommit without parameters displays the current setting of autocommit (on or
off).
Note: Regardless of the autocommit setting, the EMS server acts on each admin
command immediately making it part of the configuration. The autocommit
feature only determines when the configuration is written to the files.
commit
commit
compact
compact store-name max-time
compact
Compacts a specified store of type file, or all stores of type ftl. Compaction is not
available for stores of type as.
For stores of type file:
l Since compaction for file-based stores can be a lengthy operation and it blocks other
operations, a time limit (in seconds) must be specified for the operation through the
max-time parameter. Note that max-time must be a number greater than zero.
l If truncation is not enabled for the store file, the compact command does not reduce
the file size. Enable truncation using the file_truncate parameter in the
stores.conf file. See stores.conf for more information.
l We recommend compacting the store files only when the Used Space usage is 30% or
less (see show store).
l The store-name and max-time arguments are not supported for the compact
command when using FTL stores. The compaction process occurs at the FTL level
and automatically affects all FTL stores; and since the compaction process occurs
asynchronously over time, a time limit is not required.
connect
connect [server-url {admin|user_name} password]
Connects the administration tool to the server. Any administrator can connect. An
administrator is either the admin user, any user in the $admin group, or any user that has
administrator permissions enabled. See Administrator Permissions for more information
about administrator permissions.
protocol://host-name:port-number
for example:
tcp://myhost:7222
create bridge
create bridge source=type:dest_name target=type:dest_name [selector=msg-selector]
create durable
create durable topic-name durable-name [property, ... ,property]
create factory
create factory factory_name factory_parameters
create group
create group group_name "description"
create jndiname
create jndiname new_jndiname topic|queue|jndiname name
Creates a JNDI name for a topic or queue, or creates an alternate JNDI name for a topic
that already has a JNDI name.
The following example will create new JNDI name FOO referring the same object referred
by JNDI name BAR
create queue
create queue queue_name [properties]
Creates a queue with the specified name and properties. The possible queue properties are
described in Destination Properties. Properties are listed in a comma-separated list, as
described in queues.conf.
create route
create route name url=URL [properties ...]
Creates a route.
The name must be the name of the other server to which the route connects.
The local server connects to the destination server at the specified URL. If you have
configured fault-tolerant servers, you may specify the URL as a comma-separated list of
URLs.
The route properties are listed in routes.conf and are specified as a space-separated list
of parameter name and value pairs.
You can set the zone_name and zone_type parameters when creating a route, but you
cannot subsequently change them.
If a passive route with the specified name already exists, this command promotes it to an
active-active route; see Active and Passive Routes.
For additional information on route parameters, see Configure Routes and Zones.
create rvcmlistener
create rvcmlistener transport_name cm_namesubject
Registers an RVCM listener with the server so that any messages exported to a tibrvcm
transport (including the first message sent) are guaranteed for the specified listener. This
causes the server to perform the TIBCO Rendezvous call tibrvcmTransport_AddListener.
The parameters are:
l transport_name — the name of the transport to which this RVCM listener applies.
l cm_name — the name of the RVCM listener to which topic messages are to be
exported.
l subject — the RVCM subject name that messages are published to. This should be the
same name as the topic names that specify the export property.
For more information, see tibrvcm.conf and Rendezvous Certified Messaging (RVCM)
Parameters.
create topic
create topic topic_name [properties]
Creates a topic with specified name and properties. See Destination Properties for the list
of properties. Properties are listed in a comma-separated list, as described in topics.conf.
create user
create user user_name ["user_description"] [password=password]
Creates a new user. Following the user name, you can add an optional description of the
user in quotes. The password is optional and can be added later using the set password
command.
delete all
delete all users|groups|topics|queues|durables [topic-name-pattern|queue-name-
pattern]
If used with a topic or queue, and the optional parameters, such as those seen below, the
command deletes all topics and queues that match the topic or queue name pattern.
delete bridge
delete bridge source=type:dest_name target=type:dest_name
Delete the bridge between the specified source and target destinations.
type is either topic or queue.
See Destination Bridges for more information on bridges.
delete connection
delete connection connection-id
Delete the named connection for the client. The connection ID is shown in the first column
of the connection description printed by show connection.
delete durable
delete durable durable-name [client ID]
delete factory
delete factory factory-name
delete group
delete group group-name
delete jndiname
delete jndiname jndiname
Delete the named JNDI name. Notice that deleting the last JNDI name of a connection
factory object will remove the connection factory object as well.
See The EMS Implementation of JNDI for more information.
delete message
delete message messageID
delete queue
delete queue queue-name
delete route
delete route route-name
delete rvcmlistener
delete rvcmlistener transport_name cm_namesubject
Unregister an RVCM listener with the server so that any messages being held for the
specified listener in the RVCM ledger are released. This causes the server to perform the
TIBCO Rendezvous call tibrvcmTransport_RemoveListener.
The parameters are:
l transport_name — the name of the transport to which this RVCM listener applies.
l cm_name — the name of the RVCM listener to which topic messages are exported.
l subject — the RVCM subject name that messages are published to. This should be the
same name as the topic names that specify the export property.
For more information, see tibrvcm.conf and Rendezvous Certified Messaging (RVCM)
Parameters.
delete topic
delete topic topic-name
delete user
delete user user-name
disconnect
disconnect
echo
echo [on|off]
Echo controls the reports that are printed into the standard output. When echo is off the
administrative tool only prints errors and the output of queries. When echo is on, the
administrative tool report also contains a record of successful command execution.
Choosing the parameter on or off in this command controls echo. If echo is entered in the
command line without a parameter, it displays the current echo setting (on or off). This
command is used primarily for scripts.
The default setting for echo is on.
exit
exit (aliases: quit, q, bye, end)
grant queue
grant queue queue-name user=name | group=namepermissions
Grants specified permissions to specified user or group on specified queue. The name
following the queue name is first checked to be a group name, then a user name.
Specified permissions are added to any existing permissions. Multiple permissions are
separated by commas. Enter all in the permissions string if you choose to grant all possible
user permissions.
User permissions are:
l receive
l send
l browse
l create
l delete
l modify
l purge
grant topic
grant topic topic-name user=name | group=namepermissions
Grants specified permissions to specified user or group on specified topic. The name
following the topic name is first checked to be a group name, then a user name.
Specified permissions are added to any existing permissions. Multiple permissions are
separated by commas. Enter all in the permissions string if you choose to grant all possible
permissions.
Topic permissions are:
l subscribe
l publish
l durable
l use_durable
l create
l delete
l modify
l purge
grant admin
grant admin user=name | group=name admin_permissions
Grant the named global administrator permissions to the named user or group. For a
complete listing of global administrator permissions, see Global Administrator Permissions.
help
help (aliases: h, ?)
info
info (alias: i)
jaci clear
jaci clear
jaci resetstats
jaci resetstats
jaci showstats
jaci showstats
purge durable
purge durable durable-name [client ID]
Purge all messages in the topic for the named durable subscriber.
When both the durable name and the client ID are specified, the server looks for a durable
named clientID:durable-name in the list of durables.
purge queue
purge queue queue-name
purge topic
purge topic topic-name
remove member
remove member group-name user-name[,user2,user3,...]
removeprop factory
removeprop factory factory-name properties
Remove the named properties from the named factory. See Connection Factory Parameters
for a list of properties.
removeprop queue
removeprop queue queue-name properties
removeprop route
removeprop route route-name properties
removeprop topic
removeprop topic topic-name properties
resume route
resume route route-name
Resumes sending messages to named route, if messages were previously suspended using
the suspend route command.
revoke admin
revoke admin user=name | group=name permissions
Revoke the specified global administrator permissions from the named user or group. See
Authentication and Permissions, for more information about administrator permissions.
revoke queue
revoke queue queue-name user=name | group=name permissions
revoke queue queue-name * [user | admin | both]
Revoke the specified permissions from a user or group for the named queue.
User and group permissions for queues are receive, send, browse, and all. Administrator
permissions for queues are view, create, delete, modify, and purge.
If you specify an asterisk (*), all user-level permissions on this queue are removed. You can
use the optional admin parameter to revoke all administrative permissions, or the both
parameter to revoke all user-level and administrative permissions on the queue.
For more information, see Authentication and Permissions.
revoke topic
revoke topic topic-name user=name | group=name permissions
revoke topic topic-name * [user | admin | both]
Revoke the specified permissions from a user or group for the named topic.
User and group permissions for topics are subscribe, publish, durable, use_durable, and
all. Administrator permissions for topics are view, create, delete, modify, and purge.
If you specify an asterisk (*), all user-level permissions on this topic are removed. You can
use the optional admin parameter to revoke all administrative permissions, or the both
parameter to revoke all user-level and administrative permissions on the topic.
For more information, see Authentication and Permissions.
rotatelog
rotatelog
Force the current log file to be backed up and truncated. The server starts writing entries
to the newly empty log file.
The backup file name is the same as the current log file name with a sequence number
appended to the filename. The server queries the current log file directory and determines
what the highest sequence number is, then chooses the next highest sequence number for
the new backup name. For example, if the log file name is tibems.log and there is already
a tibems.log.1 and tibems.log.2, the server names the next backup tibems.log.3.
This command is not supported if the EMS server is using FTL stores.
save_and_exit
save_and_exit
When using in-memory replication with FTL stores, save the state of each server to disk
and exit. Each server's state is written to a file named <FTL server name>.state in its FTL
store-specific data directory. If a state file already exists in the directory, the server will first
rename it as <FTL server name>.state.backup before writing the new state file.
This command should be used when all FTL servers have to be shut down. The YAML
configuration of the FTL server cluster will need to be altered to instruct each of the
servers to load its saved state upon restart.
This command is only relevant when using FTL stores with in_memory_replication
enabled. See Shutting down and Restarting an In-Memory Cluster for more details.
set password
set password user-name [password]
l To remove a password, use this command without supplying a password, and press
the Enter key at the prompt (without typing a password).
set server
set server parameter=value [parameter=value ...]
The set server command can control many parameters. Multiple parameters are
separated by spaces. The following table describes the parameters you can set with this
command.
Parameter Description
Parameter Description
Examples
log_trace=ACL
Parameter Description
log_trace=DEFAULT,-ADMIN,+SSL
console_trace=-DEFAULT
Examples
See log_trace above.
Parameter Description
Parameter Description
Parameter Description
setprop factory
setprop factory factory-name properties ...
Set the properties for a connection factory, overriding any existing properties. Multiple
properties are separated by spaces. See Connection Factory Parameters for the list of the
properties that can be set for a connection factory.
setprop queue
setprop queue queue-name properties, ...
Set the properties for a queue, overriding any existing properties. Any properties on a
queue that are not explicitly specified by this command are removed.
Multiple properties are separated by commas. See Destination Properties for the list of the
properties that can be set for a queue.
setprop route
setprop route route-name properties ...
Set the properties for a route, overriding any existing properties. Any properties on a route
that are not explicitly specified by this command are removed.
You can set the zone_name and zone_type parameters when creating a route, but you
cannot subsequently change them.
Multiple properties are separated by spaces. For route parameters, see routes.conf and
Configure Routes and Zones.
setprop topic
setprop topic topic-name properties
Set topic properties, overriding any existing properties. Any properties on a topic that are
not explicitly specified by this command are removed.
Multiple properties are separated by commas. See Destination Properties for the list of the
properties that can be set for a topic.
setup_dr_site
setup_dr_site url_list
This command is only available when using FTL stores with Disaster Recovery configured.
Establish a new Disaster Recovery (DR) site after the original DR site has become the new
primary site.
This command must be issued to the active EMS server of the FTL server cluster at the
designated new DR site.
The url_list is a pipe-separated list of URLs of the FTL server cluster at the primary site.
Each URL should be of the form:
show bridge
show bridge topic|queue bridge_source
Display information about the configured bridges for the named topic or queue. The
bridge_source is the name of the topic or queue established as the source of the bridge.
The following is example output for this command:
The names of the destinations to which the specified destination has configured bridges
are listed in the Target Name column. The type and the message selector (if one is defined)
for the bridge are listed in the Type and Selector column.
show bridges
show bridges [type=topic|queue] [pattern]
Shows a summary of the destination bridges that are currently configured. The type option
specifies the type of destination established as the bridge source. For example, show
bridges topic shows a summary of configured bridges for all topics that are established
as a bridge source. The pattern specifies a pattern to match for source destination names.
For example show bridges foo.* returns a summary of configured bridges for all source
destinations that match the name foo.*. The type and pattern are optional.
The following is example output for this command:
Destinations that match the specified pattern and/or type are listed in the Source Name
column. The number of bridges to queues for each destination is listed in the Queue
Targets column. The number of bridges to topics for each destination is listed in the Topic
Targets column.
show config
show config
Shows the configuration parameters for the connected server. The output includes:
l configuration files
l server database
l server JVM
l listen ports
l configuration settings
l message tracking
l server tracing parameters
l statistics settings
l fault-tolerant setup
l external transport setup
l server TLS setup
show consumer
show consumer consumerID
Shows details about a specific consumer. The consumerID can be obtained from the show
consumers output.
show consumers
show consumers [topic=name | queue=name] [durable] [user=name]
[connection=id] [sort=conn|user|dest|msgs] [full]
Shows information about all consumers or only consumers matching specified filters.
Output of the command can be controlled by specifying the sort or full parameter. If the
topic or queue parameter is specified, then only consumers on destinations matching
specified queue or topic are shown. The user and/or connection parameters show
consumers only for the specified user or connection. Note that while the queue browser is
open, it appears as a consumer in the EMS server.
The durable parameter shows only durable topic subscribers and queue receivers, but it
does not prevent queue consumers to be shown. To see only durable topic consumers, use:
The sort parameter sorts the consumers by either connection ID, user name, destination
name, or number of pending messages. The full parameter shows all columns listed below
and can be as wide as 120-140 characters or wider. Both topic and queue consumers are
shown in separate tables, first the topic consumers and then the queue consumers.
Note: When connected to an EMS 8.0 or higher server, this command no longer
displays offline durable subscribers. In order to see offline durables, use the
command show durables or show subscriptions.
Id Consumer ID.
If performed on an EMS 7.x or earlier server, this field displays '-' to indicate
a disconnected durable topic subscriber.
If performed on an EMS 7.x or earlier server, this field displays '-' to indicate
a disconnected durable topic subscriber.
Name (Topics Only.) Durable or shared subscription name. This column is shown
Heading Description
Msgs Sent Current number of messages sent to consumer which are not yet
acknowledged by consumer's session.
Pend Msgs (Topics Only.) Total number of messages pending for the topic consumer.
Pend Size (Topics Only.) Combined size of messages pending for the topic consumer.
Heading Description
Last Sent Approximate time elapsed since last message was sent by the server to the
consumer. Value is approximate with precision of 1 second.
Last Ackd Approximate time elapsed since last time a message sent to the consumer
was acknowledged by consumer's session. Value is approximate with
precision of 1 second.
Total Sent Total number of messages sent to consumer since it was created. This
includes resends due to session recover or rollback.
Total Acked Total number of messages sent to the consumer and acknowledged by
consumer's session since consumer created.
show connections
show connections [type=q|t|s] [host=hostname] [user=username] [version]
[address] [counts] [full]
Show connections between clients and server. The table show connections (description of
output fields) describes the output.
The type parameter selects the subset of connections to display as shown in the following
table. The host and user parameters can further narrow the output to only those
connections involving a specific host or user. When the version flag is present, the display
includes the client’s version number.
If the address parameter is specified, then the IP address is printed in the output table. If
the counts parameter is specified, then number of producers, consumers and temporary
destinations are printed. Specifying the full parameter prints all of the available
information.
Type Description
absent Show queue and topic connections, but not system connections.
Heading Description
transaction.
l - — connection is not XA or MS DTC
l + — connection is either an XA or MS DTC connection
Port The ephemeral port used by the client on the client machine.
Host Connection's host name. (If the name is not available, this column displays
the host’s IP address.)
If you supply the keyword address, then the table includes this column.
User Connection user name. If a user name was not provided when the connection
was created, it is assigned the default user name anonymous.
Heading Description
show db
show db
Print a summary of the server’s databases. Databases are also printed by show stores, the
preferred command. This command is only supported when using file-based stores.
See show store for details about a specific database.
show durable
show durable durable-name [client ID]
Durable Fully qualified name of the durable subscriber. This name concatenates the
Subscriber client ID (if any) and the subscription name (separated by a colon).
Topic The topic from which the durable subscription receives messages.
static—configured by an administrator
Status online
offline
Username Username of the durable subscriber (that is, of the client’s connection).
Consumer ID This internal ID number is not otherwise available outside the server.
No Local enabled—the subscriber does not receive messages sent from its local
connection (that is, the same connection as the subscriber).
Heading Description
Selector The subscriber receives only those messages that match this selector.
Pending Msgs Number of all messages in the topic. (This count includes the number of
delivered messages.)
Delivered Msgs Number of messages in the topic that have been delivered to the durable
subscriber, but not yet acknowledged.
show durables
show durables [pattern]
If a pattern is not entered, this command shows a list of all durable subscribers on all
topics.
If a pattern is entered (for example foo.*) this command shows a list of durable
subscribers on topics that match that pattern.
Heading Description
User Name of the user of this durable subscriber. If the durable subscriber is
currently offline, the value in this column is offline. If this is a shared durable
subscription, the value of this column is shared.
For users defined externally, there is an asterisk in front of the user name.
show factory
show factory factory-name
show factories
show factories [generic|topic|queue]
Shows all factories. You can refine the listed output by specifying only generic, topic, or
queue factories be listed.
show jndiname
show jndiname jndi-name
Shows the object that the specified name is bound to by the JNDI server.
show jndinames
show jndinames [type]
When type is specified only JNDI names bound to objects of the specified type are shown.
When type is not specified, all JNDI names are shown.
show group
show group group-name
show groups
show groups
show members
show members group-name
show message
show message messageID
show messages
show messages correlationID
Shows the message IDs of all messages with the specified correlation ID set as
JMSCorrelationID message header field. You can display the message for each ID returned
by this command by using the show message messageID command.
This command requires that tracking by correlation ID be turned on using the
track_correlation_ids configuration parameter.
show parents
show parents user-name
Shows the user’s parent groups. This command can help you to understand the user’s
permissions.
show queue
show queue queue-name
Note: If the queue is a routed queue, specify only the name of the queue (do not
specify the server using the queue-name@server form).
static—configured by an administrator
Properties A list of property names that are set on the queue, and their values. For an
index list of property names, see Destination Properties.
JNDI Names A list of explicitly assigned JNDI names that refer to this queue.
Pending Number of all messages in the queue, followed by the number of persistent
Msgs messages in parenthesis.
Delivered Number of messages in the queue that have been delivered to a consumer,
Msgs but not yet acknowledged.
Pending Total size of all pending messages, followed by the size of all persistent
Msgs Size messages in parenthesis.
show queues
show queues [pattern-name [notemp|static|dynamic] [first=n|next=n|last=n]]
When a pattern-name is entered, you can also cursor through the list of queues using one
of the following commands, where n is whole number:
l first=n — show the first n queues
The cursor examines n queues and displays queues that match the pattern-name. Because
it does not traverse the full list of queues, the cursor may return zero or fewer than n
queues. To find all matching queues, continue to use next until you receive a Cursor
complete message.
Queue Name Name of the queue. If the name is prefixed with an asterisk (*),
then the queue is temporary or was created dynamically.
Properties of dynamic and temporary queues cannot be changed.
Heading Description
All Msgs
Persistent Msgs
show route
show route route-name
show routes
show routes
Shows the properties (URL and TLS properties) of all created routes.
These commands print the information described in the following table.
Heading Description
T Type of route:
l A indicates an active route.
l P indicates a passive route.
ConnID Unique ID number of the connection from this server to the server at the
other end of the route.
A hyphen (-) in this column indicates that the other server is not connected.
show rvcmtransportledger
show rvcmtransportledger transport_name [subject-or-wildcard]
Displays the TIBCO Rendezvous certified messaging (RVCM) ledger file entries for the
specified transport and the specified subject. You can specify a subject name, use
wildcards to retrieve all matching subjects, or omit the subject name to retrieve all ledger
file entries.
For more information about ledger files and the format of ledger file entries, see TIBCO
Rendezvous documentation.
show rvcmlisteners
show rvcmlisteners
Shows all RVCM listeners that have been created using the create rvcmlistener
command or by editing the tibrvcm.conf file.
show server
show server (aliases: info, i)
show stat
show stat consumers [topic=name|queue=name] [user=name]
[connection=id] [total]
show stat producers [topic=name|queue=name] [user=name]
[connection=id] [total]
show stat route name [topic=name|queue=name] [total] [wide]
show stat topic name [total] [wide]
show stat queue name [total] [wide]
Displays statistics for the specified item. You can display statistics for consumers,
producers, routes, or destinations. Statistic gathering must be enabled for statistics to be
displayed. Also, detailed statistics for each item can be displayed if detailed statistic
tracking is enabled. Averages for inbound/outbound messages and message size are
available if an interval is specified in the rate_interval configuration parameter.
The total keyword specifies that only total number of messages and total message size for
the item should be displayed. The wide keyword displays inbound and outbound message
statistics on the same line.
See Server Statistics for a complete description of statistics and how to enable/disable
statistic gathering options.
Note: When connected to an EMS 8.0 or higher server, this command does not
return statistics for offline durable subscribers.
show state
show state
Shows the state and a minimal subset of the information about the connected EMS server.
show store
show store store-name
Heading Description
Heading Description
Swapped Count The number of messages that have been swapped from process memory
to the store.
Average Write Average time in seconds a write call takes. (Not available for
Time asynchronous file stores.)
Write Usage The ratio between time spent within write calls and the time specified by
the server_rate_interval. (Not available for asynchronous file stores.)
File File name associated with this store file, as it is set by the file parameter
in the stores.conf file.
Pre-allocation The amount of disk space, if any, that is preallocated to this file.
Minimum
disabled—the EMS server does not truncate the store file to relinquish
unused disk space.
Destination The size of the batch used by the destination defrag feature.
Defrag Batch Size
File Size The size of the store file, including unused allocated file space.
Heading Description
Grid URL The pipe-separated URLs of the data grid the store is connected to.
Grid Name Name of the data grid the store is connected to.
Discard Scan The maximum length of time that the EMS server takes to examine all
Interval messages in the grid store.
This interval is controlled with the scan_iter_interval store parameter.
See scan_iter_interval for more information.
Discard Scan The bytes read and processed every Discard Scan Interval. This number is
Interval Bytes proportional to the grid store file size, and must be kept within the limits
of your storage medium. See Understanding Grid Store Intervals for more
information.
First Scan true—all the data in the store has been examined at least once since the
Finished EMS server startup.
false—not all data has been examined since the EMS server last started.
When false, certain server statistics (such as the Message Count field)
may be underreported as a result of expired or purged messages still in
the store. See Implications for Statistics for more information.
show stores
show stores
show subscriptions
show subscriptions [topic=name] [name=sub-name] [shared=only|none]
[durable=only|none] [sort=msgs|topic|name|cons|id]
This command prints information about all topic subscriptions, or only subscriptions
matching specified filters. Command output is controlled using the sort parameter.
If topic=name is specified, then only subscriptions on destinations matching specified
topic are shown. If name=sub-name is specified, then only subscriptions of that name are
shown.
If durable=only is specified, then only durable subscriptions are shown.
If durable=none is specified, then only non-durable subscriptions are shown.
If shared=only is specified, then only shared subscriptions are shown.
If shared=none is specified, then only unshared subscriptions are shown.
The parameter sort allows you to specify how the command output is sorted in the output
table. You can use to sort by number of pending messages, topic name, subscription name,
number of consumers on that subscription, or the subscription's identifier.
l D — durable subscription
Heading Description
SS Description of columns:
l S - '+' if the subscription has a selector, '-' otherwise.
l S - '+' if the subscription is shared, '-' otherwise.
For a durable subscription, the value can be 0, meaning that there is no active
consumer and the subscription is offline.
Uptime The length of time, in hours, minutes, and seconds, since the subscription was
created.
show topic
show topic topic-name
static—configured by an administrator
Heading Description
Properties A list of property names that are set on the topic, and their values. For
an index list of property names, see Destination Properties.
JNDI Names A list of explicitly assigned JNDI names that refer to this topic.
Subscriptions Number of subscriptions on this topic. (This count also includes durable
subscriptions.)
Pending Msgs The total number of messages sent but not yet acknowledged by the
consumer, followed by the number of persistent messages in
parenthesis. These counts include copies sent to multiple subscribers.
Pending Msgs Size Total size of all pending messages, followed by the size of all persistent
messages in parenthesis.
The server accumulates the following statistics only when the administrator has enabled
statistics. Otherwise these items are zero.
Heading Description
Msgs
Total Inbound Cumulative total of message size over all messages delivered to the
Bytes topic.
Total Outbound Cumulative count of messages consumed from the topic by consumers.
Msgs Each consumer of a message increments this count independently of
other consumers, so one inbound message results in n outbound
messages (one per consumer).
Total Outbound Cumulative total of message size over all messages consumed from the
Bytes topic by consumers. Each consumer of a message contributes this total
independently of other consumers.
show topics
show topics [pattern-name [notemp|static|dynamic] [first=n|next=n|last=n]]
When a pattern-name is entered, you can also cursor through the list of topics using one of
the following commands, where n is whole number:
l first=n — show the first n topics
The cursor examines n topics and displays topics that match the pattern-name. Because it
does not traverse the full list of topics, the cursor may return zero or fewer than n topics.
To find all matching topics, continue to use next until you receive a Cursor complete
message.
Topic Name Name of the topic. If the name is prefixed with an asterisk (*), then the
topic is temporary or was created dynamically. Properties of dynamic
and temporary topics cannot be changed.
All Msgs
The total number of messages sent but not yet acknowledged by the
Heading Description
Persistent Msgs
Msgs The total number of persistent messages sent but not yet acknowledged
by the consumer
Size Total size of pending persistent messages
show transaction
show transaction XID
Shows a list of messages that were sent or received within the specified transaction. This
command returns information on transactions in prepared, ended, and roll back states
only. Transactions in a suspended or active state are not included.
Heading Description
(committed).
Remaining time The seconds remaining before the TX timeout is reached. For example, 3
before timeout sec.
Messages to be consumed
Message ID The message ID of the message. null indicates the message ID could not
be obtained or was disabled. If track_message_ids is not enabled, this
field displays Disabled.
l T topic
Destination The destination name to which the message was sent. null indicates that
destination could not be found.
Consumer ID The consumer ID of the Consumer that is consuming the message. Zero
indicates that the consumer is offline.
Messages to be produced
Message ID The message ID of the message. null indicates the message ID could not
be obtained or was disabled. If track_message_ids is not enabled, this
field displays Disabled.
l T topic
Destination The destination name to which the message was sent. null indicates
that destination could not be found.
JMSTimestamp The timestamp indicating the time at which the message was created.
show transactions
show transactions
Shows the XID for all client transactions that were created using the XA or MS DTC
interfaces. Each row presents information about one transaction. The XID is the
concatenation of the Format ID, GTrid Len, Bqual Len, and Data fields for a transaction. For
example, if show transactions returns the row:
l E ended
l R rollback only
l P prepared
l S suspended
-1 = NULL
GTrid Len The number of bytes that constitute the global transaction ID.
Heading Description
Bqual Len The number of bytes that constitute the branch qualifier.
Data The global transaction identifier (gtrid) and the branch qualifier (bqual).
show transport
show transport transport
show transports
show transports
show user
show user user-name
Shows user name and description. If no user name is specified, this command displays the
currently logged in user.
For users defined externally, there is an asterisk in front of the user name.
show users
show users
showacl admin
showacl admin
Shows all administrative permissions for all users and groups, but does not include
administrative permissions on destinations.
showacl group
showacl group group-name [admin]
Shows all permissions set for a given group. Shows the group and the set of permissions.
You can optionally specify admin to show only the administrative permissions for
destinations or principals. Specifying showacl admin shows all administrative permissions
for all users and groups (not including administrative permissions on destinations).
showacl queue
showacl queue queue-name [admin]
Shows all permissions set for a queue. Lists all entries from the acl file. Each entry shows
the “grantee” (user or group) and the set of permissions. You can optionally specify admin
to show only the administrative permissions for destinations or principals. Specifying
showacl admin shows all administrative permissions for all users and groups (not including
administrative permissions on destinations).
showacl topic
showacl topic topic-name [admin]
Shows all permissions set for a topic. Lists all entries from the acl file. Each entry shows
the “grantee” (user or group) and the set of permissions. You can optionally specify admin
to show only the administrative permissions for destinations or principals. Specifying
showacl admin shows all administrative permissions for all users and groups (not including
administrative permissions on destinations).
showacl user
showacl user user-name [admin | all | admin-all]
Shows the user and the set of permissions granted to the user for destinations and
principals.
showacl user username — displays permissions granted directly to the user. (An
administrator can use this form of the command to view own permissions, even without
permissions to view any other user permissions.)
showacl user username admin — displays administrative permissions granted directly to
the user.
showacl user username all — displays direct and inherited (from groups to which the user
belongs) permissions.
showacl user username admin-all — displays all administrative permissions for a given
user (direct and inherited)
Note: The output from this command displays inherited permissions prefixed
with a '*'. Inherited permissions cannot be changed. An attempt to revoke an
inherited permission for the principal user will not change the permission.
shutdown
shutdown
suspend route
suspend route route-name
time
time [on | off]
timeout
timeout [seconds]
Show or change the current command timeout value. The timeout value is the number of
seconds the Administration Tool will wait for a response from the server after sending a
command.
By default, the timeout is 30 seconds. When timeout is entered with the optional seconds
parameter, the timeout value is reset to the specified number of seconds. When entered
without parameter, the current timeout value is returned.
transaction commit
transaction commit XID
Commits the transaction identified by the transaction ID. The transaction must be in the
ended or prepared state. To obtain a transaction ID, issue the show transactions
command, and cut and paste the XID into this command.
transaction rollback
transaction rollback XID
Rolls back the transaction identified by the transaction ID. The transaction must be in the
ended, rollback only, or the prepared state. To obtain a transaction ID, issue the show
transactions command, and cut and paste the XID into this command.
updatecrl
updatecrl
whoami
whoami
Alias for the show user command to display the currently logged in user.
Configuration Files
This chapter describes configuring TIBCO Enterprise Message Service.
Mechanics of Configuration
Configuration Files
The EMS server reads configuration files only once, when the server starts. It ignores
subsequent changes to the configuration files. If you change a configuration file, use the
shutdown command from the EMS Administration Tool to shut down the server and then
restart the server as described in Running the EMS Server.
Administrative Requests
You can also change the server configuration with administrative requests, using either
tibemsadmin (a command line tool), the Java or .NET administrative APIs, or TIBCO
Administrator™ (a separate TIBCO product).
When the server validates and accepts an administrative request, it writes the change to
the appropriate configuration file as well (overwriting any manual changes to that file). This
policy keeps configuration files current in case the server restarts (for example, in a fault-
tolerant situation, or after a hardware failure).
Re-installing or updating EMS overwrites the files in the bin/ and
samples/config/ directories. Do not use these directories to configure your deployment.
tibemsd.conf
The main configuration file controls the characteristics of the EMS server. This file is usually
named tibemsd.conf, but you can specify another file name when starting the server.
You can find more information about starting the server in Running the EMS Server.
An example of the tibemsd.conf file is included in the
config-file-directory/cfmgmt/ems/data/ directory, where config-file-directory is specified
during TIBCO Enterprise Message Service installation. You can edit this configuration file
with a text editor. There are a few configuration items in this file that can be altered using
the administration tool, but most configuration parameters must be set by editing the file
(that is, the server does not accept changes to those parameters). See EMS Administration
Tool for more information about using the administration tool.
Several parameters accept boolean values. In the description of the parameter, one specific
set of values is given (for example, enable and disable), but all parameters that accept
booleans can have the following values:
l enable, enabled, true, yes, on
Parameters that take multiple elements cannot contain spaces between the elements,
unless the elements are enclosed in starting and ending double quotes. Parameters are
limited to line lengths no greater than 256,000 characters in length.
The following table summarizes the parameters in tibemsd.conf according to category.
The sections that follow provide more detail on each parameter.
Parameter Description
Parameter Description
Parameter Description
Parameter Description
Parameter Description
Parameter Description
Parameter Description
Parameter Description
Parameter Description
Parameter Description
Parameter Description
Parameter Description
Parameter Description
Parameter Description
Parameter Description
JVM Parameters
always_exit_on_disk_error
Enable or disable the server behavior to exit on any disk error.
Defaults to disable.
authorization
Enable or disable server authorization.
Authorization is disabled by default. If you require that the server verify user credentials
and permissions on secure destinations, you must enable this parameter.
See Enable Access Control for more information.
For example:
authorization = enabled
See Authentication and Permissions for more information about this parameter.
auth_thread_count
Specifies the number of EMS server threads dedicated to authenticating incoming
connections.
auth_thread_count = threads
compliant_queue_ack
Guarantees that, once a client successfully acknowledges a message received from a
routed queue, the message will not be redelivered. This is accomplished by the EMS server
waiting until the message has been successfully acknowledged by the queue’s home EMS
server before sending the response to the client.
disconnect_non_acking_consumers
This parameter works in conjunction with the maxbytes and maxmsgs destination
properties. In situations where consumers consume messages but do not acknowledge
them, the messages are held in the server until they are confirmed. This can push the
server above the set limits.
flow_control
Specifies whether flow control for destinations is enabled or disabled.
By default, flow control is disabled. When flow control is enabled, the flowControl
property on each destination specifies the target maximum storage for pending messages
on the destination.
See Flow Control for more information about flow control.
flow_control_only_with_active_consumer
Restores the flow control behavior that was enforced before release 8.4. This property and
the corresponding behavior are deprecated and will be removed in a future release.
By default, this parameter is disabled. For more information, see Flow Control in the
Absence of Consumers.
listen
Specifies the port on which the server is to listen for connections from clients.
listen=protocol://servername:port
For example:
listen=tcp://localhost:7222
listen=ssl://localhost:7222
You can use multiple listen entries if you have computers with multiple interfaces. For
example:
listen=tcp://localhost:7222
listen=tcp://localhost:7224
If localhost is specified, or if the servername is not present, then the server uses every
available interface. For example:
listen=tcp://7222
listen=ssl://7243
listen=tcp://192.168.10.107:7222
When specifying an IPv6 address, use square brackets around the address specification. For
example:
listen=tcp://[2001:cafe::107]:7222
Note: This parameter is not supported when using FTL stores. See the
Parameters Unsupported for FTL Stores section for details.
max_msg_field_print_size
Limits the size of string fields in trace messages. If a string field is larger than size, the field
is truncated in the trace message.
Specify signed 32-bit integer values as KB, MB or GB. The minimum permitted size is 1 KB.
By default, the field limit is 1 KB.
max_msg_print_size
Limits the size of the printed message of traced messages. If the message is larger than
size, the message is truncated.
Specify signed 32-bit integer values as KB, MB or GB. The minimum permitted size is 8 KB.
By default, the field limit is 8 KB.
module_path
module_path = shared-library-directory
where shared-library-directory is the absolute path to the directory containing any external
library the server may need. This may include TIBCO FTL, ActiveSpaces, and Rendezvous
libraries.
You can specify multiple directories (for example, to load TIBCO FTL, ActiveSpaces, and
Rendezvous libraries). Separate paths using a colon (:) on UNIX platforms, or semicolon (;)
on Windows platforms.
For example:
module_path = c:\tibco\ftl\6.10\bin
monitor_listen
Specifies the port on which the server is to listen for health check and Prometheus metrics
requests.
monitor_listen=protocol://servername:port
For example:
monitor_listen = http://machine1:7220
monitor_listen = https://machine1:7220
When using localhost as the servername, the listen will only be accessible from the local
machine. If you omit the servername, the listen will behave similarly to setting localhost
in the server listen parameter.
For example:
monitor_listen = http://:7220
monitor_listen = http://192.168.10.107:7220
When specifying an IPv6 address, use square brackets around the address specification.
For example:
monitor_listen = http://[2001:cafe::107]:7220
You can use only one monitor_listen entry at a time. For more information, see Server
Health and Metrics.
Note: This parameter is not supported when using FTL stores. See the
Parameters Unsupported for FTL Stores section for details.
network_thread_count
Specifies the number of network threads used by the EMS server.
network_thread_count = threads
The threads count can be any positive integer. The default value is 1.
When set, this parameter allows the EMS server to control the number of threads while still
allowing the system administrator to control the thread affinity externally (for example, by
using the Linux taskset command).
If you intend to set the thread affinity externally, we recommend that you avoid setting any
thread affinity in the EMS server for either network traffic of stores.
The EMS server ignores this parameter if the processor_ids parameter is also specified.
npsend_check_mode
Specifies when the server is to provide confirmation upon receiving a NON_PERSISTENT
message from a producer.
The npsend_check_mode parameter applies only to producers sending messages using NON_
PERSISTENT delivery mode and non-transactional sessions.
Message confirmation has a great deal of impact on performance and should only be
enabled when necessary. The circumstances in which a producer might want the server to
send confirmation a NON_PERSISTENT message are:
l When authorization is enabled, so the producer can take action if permission to
send the message is denied by the server.
l When sending to a temporary destination, so the producer can take action if the
password
The password used when connecting to another EMS server that has authorization enabled.
password = password
For information on authorization between routed servers, see Routing and Authorization.
For information on authorization between fault tolerant server pairs, see Authorization and
Fault-Tolerant Servers.
processor_ids
Setting this parameter causes the EMS Server to start as many network I/O threads as there
are processor IDs specified in the list. Each network I/O thread is bound to the given
processor ID, which means that the thread can execute only on that processor.
processor_ids = processor-id1,processor-id2,...
Note: Do not use this parameter if the default behavior provides sufficient
throughput.
Specify the processor-id as an integer. Ask your system administrator for the valid
processor IDs on the EMS Server host. Note that the IDs can be listed in any order. List IDs
in a comma-separated list, with no spaces separating list items. For example:
processor_ids = 0,1,3,6
On startup, the parameter is parsed and the server refuses to start (regardless of the
presence of the startup_abort_list parameter) if:
l The list is malformed. That is, if it contains invalid values such as non-numeric
elements.
l The server is unable to bind a network I/O thread to a given processor ID. This can
happen when the processor ID has been disabled, or the tibemsd process has been
restricted by the system administrator to a set of processors that does not contain
this processor ID. Additionally, the server cannot correctly bind the network I/O
thread to the process ID if spaces are included in the parameter definition.
This parameter can be used in conjunction with the stores.conf parameter processor_id.
For more information, see Performance Tuning.
routing
Enables or disables routing functionality for this server.
For example:
routing = enabled
secondary_monitor_listen
Specifies the port on which the server designated as secondary in a fault tolerant pair is to
listen for health check and Prometheus metrics requests.
secondary_monitor_listen = http://machine1:7220
secondary_monitor_listen = https://machine1:7220
If the secondary_monitor_listen is not set, the secondary server assumes the value of
monitor_listen.
Note: This parameter is available only for JSON-configured EMS servers that are
using file-based stores or grid stores.
selector_logical_operator_limit
Limits the number of operators that the server reviews during selector evaluation.
selector_logical_operator_limit = number
The server evaluates operators until reaching the specified number of false conditions. The
server then stops evaluating further to protect itself from too many recursive evaluations. A
very long selector clause, such as one including many OR conditions, can cause recursive
selector evaluation and lead to a stack overflow in the EMS server.
number may be any positive integer. The default value is 5000. Zero is a special value,
indicating no limit.
For example, if selector_logical_operator_limit = 10 and the selector is:
a=1 or b=2 or c=3 or d=4 or e=5 or f=6 or g=7 or h=8 or i=9 or j=10 or
k=11 or l=12 or m=13 or n=14 or o=15 or p=16 or q=17 or r=18 or s=19 or
t=20 or u=21 or v=22 or w=23 or x=24 or y=25 or z=26
if the first 10 conditions are false, the server stops further evaluation.
server
Name of server.
server = serverName
Server names are limited to at most 64 characters, and may not include the dot character
(.).
startup_abort_list
Specifies conditions that cause the server to exit during its initialization sequence.
startup_abort_list=[SSL,TRANSPORTS,CONFIG_FILES,CONFIG_ERRORS,
DB_FILES]
You may specify any subset of the conditions in a comma-separated list. The list cannot
contain spaces between the elements, unless the elements are enclosed in starting and
ending double quotes. If a space is included but not enclosed in quotation marks, the
server ignores any conditions following the space.
Conditions that do not appear in the list are ignored by the server. The default is an empty
list.
l DB_FILES—If the server cannot find one or more of its stores, then it exits. Stores
include the default stores as well as any stores configured in the stores.conf
configuration file.
Note that if DB_FILES is not included in the startup_abort_list and the server
cannot find a store, the server will create the missing store. For best results, do not
include DB_FILES the first time a server is started, allowing it to create the stores.
After initial startup or a major store configuration change (such as the addition of a
new store), include DB_FILES in the list so that on restart the server will only start if
all the configured stores are present.
user_auth
Specifies the authentication methods to be used by the EMS server.
This parameter can have one or more of the following values (separated by comma
characters):
l local—authenticate incoming connection requests by validating the presented user
credentials against locally defined user information (users.conf and groups.conf).
l jaas—authenticate incoming connection requests by validating the presented user
credentials using a custom or provided JAAS authentication module, including LDAP
support (see Extensible Authentication).
Each time the server receives a connection request, it attempts to authenticate it via each
of the specified authentication methods in the order that this parameter specifies. The EMS
server accepts successful authentication using any of the specified methods.
Note: The user_auth setting does not affect authentication of the default
administrator. The server always authenticates the admin user from the local
configuration file. See Assigning a Password to the Administrator for more
information.
xa_default_timeout
Specifies the default TX timeout, in seconds, for XA transactions. The default is 0, which
specifies no timeout.
xa_default_timeout = seconds
The default timeout setting cannot be changed dynamically. However, you can specify a
different transaction timeout for each individual XA resource using the API.
store
store = directory
store = /usr/tmp
destination_backlog_swapout
Specifies the number of messages that may be stored in the server's memory before
message swapping is enabled. The limit given is for each destination. For example, if the
limit is 10,000 and you have three queues, the server can store up to 30,000 unswapped
messages in memory.
destination_backlog_swapout = number
handshake_timeout
handshake_timeout = seconds
The amount of time that the EMS server waits for an incoming connection to complete
depends on the server_timeout_server_connection and
server_timeout_client_connection properties.
If either is specified, the connection handshake times out only after the duration
mentioned in one of these properties. If both are specified, the largest of the two values is
used. If neither is specified, you can set the period (in seconds) using handshake_timeout.
The period specified must be a positive integer. If absent, the timeout defaults to 3
seconds. When the timeout is reached, the EMS server closes the connection and continues
handling other clients.
The handshake_timeout server property, in addition to controlling the wait time for an
incoming connection to complete, also controls:
l The amount of time that the server waits for an outgoing route connection to
complete;
l The amount of time the server waits for an incoming TLS connection to complete the
TLS handshake. Note that this is independent from the wait time for the incoming
TLS connection to complete.
large_destination_count
Specifies the number of messages that an unbounded destination (a destination without
either of its maxbytes or maxmsgs properties set) can gather before the server starts logging
warnings about that destination’s message count.
large_destination_count = number
By default, large_destination_count is not set and the server establishes its own
message count threshold. It can be set dynamically. Zero is a special value that disables
the logging of the corresponding warning.
large_destination_memory
Specifies the size in memory that an unbounded destination (a destination without either
of its maxbytes or maxmsgs properties set) can grow to before the server starts logging
warnings about that destination’s size.
By default, large_destination_memory is not set and the server establishes its own size
threshold. It can be set dynamically. Zero is a special value that disables the logging of the
corresponding warning.
max_client_msg_size
Maximum size allowed for an incoming message. This parameter setting instructs the
server to reject incoming messages that are larger than the specified size limit.
Specify whole numbers as KB, MB or GB. The maximum value is 2 GB. However, we
recommend that the application programs use smaller messages, since messages
approaching this maximum size will strain the performance limits of most current
hardware and operating system platforms.
When omitted or zero, the EMS server accepts and attempts to process messages of any
size.
Note: While using FTL stores, the default value of this parameter is set to 10 MB.
The maximum value is still 2 GB.
max_connections
Maximum number of simultaneous client connections.
max_connections = number
max_msg_memory
Maximum memory the server can use for messages. This parameter lets you limit the
memory that the server uses for messages, so server memory usage cannot grow beyond
the system’s memory capacity.
When msg_swapping is enabled, and messages overflow this limit, the server begins to
swap messages from process memory to disk. Swapping allows the server to free process
memory for incoming messages, and to process message volume in excess of this limit.
When the server swaps a message to disk, a small record of the swapped message remains
in memory. If all messages are swapped out to disk, and their remains still exceed this
memory limit, then the server has no room for new incoming messages. The server stops
accepting new messages, and send calls in message producers result in an error. (This
situation probably indicates either a very low value for this parameter, or a very high
message volume.)
Specify units as KB, MB or GB. The minimum value is 8 MB. The default value of 0 (zero)
indicates no limit.
For example:
max_msg_memory = 512MB
msg_pool_block_size
To lessen the overhead costs associated with malloc and free, the server pre-allocates
pools of storage for messages. This parameter determines the behavior of these pools.
Performance varies depending on operating system platform and usage patterns.
msg_pool_block_size = size
Note: Consult with your TIBCO support representative before using this
parameter.
The size argument determines the approximate number of internal message structs that a
block or pool can accommodate (not the number of bytes).
msg_pool_block_size instructs the server to allocate an expandable pool. Each time the
server exhausts the pool, the server increases the pool by this size, as long as additional
storage is available. The value may be in the range 32 to 65536.
When this parameter is not present, the default is msg_pool_block_size 128.
msg_swapping
This parameter enables and disables the message swapping feature (described above for
max_msg_memory).
prefetch_none_timeout_request_reply
Prevents the memory utilization of the server to grow in the context of the following
scenario.
The combination of a client consuming from a queue with prefetch set to none and calling
receive with a short timeout in a loop can cause the memory utilization of the server to
grow significantly. This can happen when the receive timeout is so short that the server
doesn't have a chance to deliver a message to the consumer before being asked again,
causing a backup of receive requests in the server.
To prevent this from happening, enable this parameter.
Defaults to disable.
Note: Consult with your TIBCO support representative before using this
parameter.
reserve_memory
When reserve_memory is non-zero, the EMS server allocates a block of memory for use in
emergency situations to prevent the EMS server from being unstable in low memory
situations.
reserve_memory = size
When the server process exhausts memory resources, it disables clients and routes from
producing new messages, and frees this block of memory to allow consumers to continue
operation (which tends to free memory).
The EMS server attempts to reallocate its reserve memory once the number of pending
messages in the server has dropped to 10% of the number of pending messages that were
in the server when it experienced the allocation error. If the server successfully reallocates
memory, it begins accepting new messages.
The reserve_memory parameter only triggers when the EMS server has run out of memory
and therefore is a reactive mechanism. The appropriate administrative action when an EMS
server has triggered release of reserve memory is to drain the majority of the messages by
consuming them and then to stop and restart the EMS server. This allows the operating
system to reclaim all the virtual memory resources that have been consumed by the EMS
server. A trace option, MEMORY, is also available to help show what the server is doing
during the period when it is not accepting messages.
Specify size in units of MB. When non-zero, the minimum block is 16MB. When absent, the
default is zero.
Note: There are a variety of limits that the user can set to prevent the EMS
server from storing excessive messages, which can lead to situations where the
EMS server runs out of memory.
These include global parameters, such as max_msg_memory, as well as destination
properties such as maxbytes. These limits should be used to prevent the
reserve_memory mechanism from triggering.
socket_send_buffer_size
Sets the size (in bytes) of the send buffer used by clients when connecting to the EMS
server.
l Optionally, specify units of KB, MB, or GB for units. If no units are specified, the file size
is assumed to be in bytes.
When omitted, the server skips the call for the specified buffer. In this case, the operating
system's auto-tuning controls buffering.
socket_receive_buffer_size
Sets the size (in bytes) of the receive buffer used by clients when connecting to the EMS
server.
l Optionally, specify units of KB, MB, or GB for units. If no units are specified, the file size
is assumed to be in bytes.
When omitted, the server skips the call for the specified buffer. In this case, the operating
system's auto-tuning controls buffering.
active_route_connect_time
Specifies the interval (in seconds) at which an EMS server attempts to connect or reconnect
a route to the another server. The default is 2 seconds.
active_route_connect_time = interval
client_heartbeat_server
In a server-to-client connection, clients send heartbeats to the server at this interval (in
seconds).
client_heartbeat_server = interval
clock_sync_interval
Periodically send the EMS server’s Coordinated Universal Time (UTC) time to clients. This
allows EMS clients to update their offset.
clock_sync_interval = seconds
The time specified, in seconds, determines the interval at which clock sync commands are
sent from the server to its clients.
When omitted or zero, the EMS server sends the offset time only when the EMS client
connects to the server. If clock_sync_interval is -1, the offset is never sent, not even on
connect. Clients do not adjust their time values to match the server time.
server_timeout_client_connection
In a server-to-client connection, if the server does not receive a heartbeat for a period
exceeding this limit (in seconds), it closes the connection.
server_timeout_client_connection = limit
Zero is a special value, which disables heartbeat detection in the server (although clients
still send heartbeats).
server_heartbeat_server
In a server-to-server connection, this server sends heartbeats at this interval (in seconds).
The two servers can be connected either by a route, or as a fault-tolerant pair.
server_heartbeat_server = interval
When using FTL stores, this parameter only affects server-to-server route connections. It
has no effect on the behavior of fault-tolerance.
server_timeout_server_connection
In a server-to-server connection, if this server does not receive a heartbeat for a period
exceeding this limit (in seconds), it closes the connection. This parameter applies to
connections from other routes and to the standby server connection.
server_timeout_server_connection = limit
We recommend setting this value to approximately 3.5 times the heartbeat interval of the
other server. When the other server or the network are heavily loaded, or when client
programs send very large messages, we recommend a larger multiple.
When using FTL stores, this parameter only affects server-to-server route connections. It
has no effect on the behavior of fault-tolerance.
server_heartbeat_client
In a server-to-client connection, the server sends heartbeats to all clients at this interval (in
seconds).
server_heartbeat_client = interval
client_timeout_server_connection
In a server-to-client connection, if a client does not receive a heartbeat for a period
exceeding this limit (in seconds), it closes the connection.
client_timeout_server_connection = limit
We recommend setting this value to approximately 3.5 times the heartbeat interval.
Zero is a special value, which disables heartbeat detection in the client (although the
server still sends heartbeats).
ft_active
Specifies the URL of the active server. If this server can connect to the active server, it will
act as a standby server. If this server cannot connect to the active server, it will become the
active server.
ft_active = URL
ft_heartbeat
Specifies the interval (in seconds) the server is to send a heartbeat signal to its peer to
indicate that it is still operating.
ft_heartbeat = seconds
Default is 3 seconds.
ft_activation
Activation interval (maximum length of time between heartbeat signals) which indicates
that server has failed.
ft_activation = seconds
Set in seconds: default is 10. This interval should be set to at least twice the heartbeat
interval.
For example:
ft_activation = 60
ft_reconnect_timeout
The amount of time (in seconds) that a standby server waits for clients to reconnect (after
it becomes the active server in a failover situation).
ft_reconnect_timeout = seconds
If a client does not reconnect within this time period, the server removes its state from the
shared state files. The ft_reconnect_timeout time starts once the server has fully
recovered the shared state, so this value does not account for the time it takes to recover
the store files.
The default value of this parameter is 60.
ft_ssl_identity
The path to a file that contains the certificate in one of the supported formats. The
supported formats are PEM, DER, or PKCS#12. A DER format file can only contain the
certificate; it cannot contain both the certificate and a private key.
ft_ssl_identity = pathname
See File Names for Certificates and Keys for more information on file types for digital
certificates.
ft_ssl_issuer
Certificate chain member for the server. Supply the entire chain, including the CA root
certificate. The server reads the certificates in the chain in the order they are presented in
this parameter.
ft_ssl_issuer = chain_member
The certificates must be in PEM, DER, PKCS#7, or PKCS#12 format. A DER format file can
only contain a single certificate; it cannot contain a certificate chain. See File Names for
Certificates and Keys for more information on file types for digital certificates.
ft_ssl_private_key
The server’s private key. If it is included in the digital certificate in ft_ssl_identity, then
this parameter is not needed.
ft_ssl_private_key = key
This parameter supports private keys in the following formats: PEM, DER, PKCS#12.
You can specify the actual key in this parameter, or you can specify a path to a file that
contains the key. See File Names for Certificates and Keys for more information on file
types for digital certificates.
ft_ssl_password
Private key or password for private keys.
ft_ssl_password = password
You can set passwords by way of the tibemsadmin tool. When passwords are set with this
tool, the password is obfuscated in the configuration file. See EMS Administration Tool for
more information about using tibemsadmin to set passwords.
ft_ssl_trusted
List of trusted certificates. This sets which Certificate Authority certificates should be
trusted as issuers of the client certificates.
ft_ssl_trusted = trusted_certificates
The certificates must be in PEM, DER, or PKCS#7 format. You can either provide the actual
certificates, or you can specify a path to a file containing the certificate chain. If using a
DER format file, it can contain only a single certificate, not a certificate chain.
See File Names for Certificates and Keys for more information on file types for digital
certificates.
ft_ssl_verify_host
Specifies whether the fault-tolerant server should verify the other server’s certificate.
ft_ssl_verify_hostname
Specifies whether the fault-tolerant server should verify the name in the CN field of the
other server’s certificate.
The values for this parameter are enabled and disabled. By default, this parameter is
enabled, signifying the fault-tolerant server should verify the name of the connected host
or the name specified in the ft_ssl_expected_hostname parameter against the value in
the server’s certificate. If the names do not match, the connection is rejected.
When this parameter is set to disabled, the fault-tolerant server establishes secure
communication with the other server, but does not verify the server’s name.
ft_ssl_expected_hostname
Specifies the name the server is expected to have in the CN field of the fault-tolerant
server’s certificate.
ft_ssl_expected_hostname = serverName
If this parameter is not set, the expected name is the hostname of the server.
This parameter is used when the ft_ssl_verify_hostname parameter is set to enabled.
ft_ssl_ciphers
Specifies the cipher suites used by the server; each suite in the list is separated by a colon
(:). This parameter can use the OpenSSL name for cipher suites or the longer, more
descriptive names.
ft_ssl_ciphers = cipherSuite
See Specify Cipher Suites for more information about the cipher suites available in EMS
and the OpenSSL names and longer names for the cipher suites.
ft_oauth2_access_token_file
Specifies the path to a file containing an OAuth 2.0 access token to use to authenticate
with the fault-tolerant peer EMS server.
ft_oauth2_access_token_file = pathname
If an access token is provided using this parameter, the EMS server will not attempt to
obtain access tokens from an OAuth 2.0 authorization server even if ft_oauth2_server_url
and other relevant parameters are set.
ft_oauth2_server_url
Specifies the HTTP or HTTPS URL of the OAuth 2.0 authorization server from which the EMS
server will obtain access tokens for authenticating with its fault-tolerant peer EMS server.
ft_oauth2_server_url = http://hostname:port
ft_oauth2_server_url = https://hostname:port
ft_oauth2_client_id
The OAuth 2.0 client ID to use when authenticating with the OAuth 2.0 authorization server.
This parameter and ft_oauth2_client_secret are both required in order to obtain access
tokens from the authorization server, regardless of the grant type to be used.
ft_oauth2_client_id = client_id
ft_oauth2_client_secret
The OAuth 2.0 client secret to use when authenticating with the OAuth 2.0 authorization
server. This parameter and ft_oauth2_client_id are both required in order to obtain access
tokens from the authorization server, regardless of the configured grant type.
ft_oauth2_client_secret = client_secret
ft_oauth2_grant_type
The grant type to use for requesting access tokens from the OAuth 2.0 authorization server.
The accepted values are:
l client_credentials–for Client Credentials grant.
ft_oauth2_grant_type = client_credentials|password
If using the resource owner password credentials grant type, the username and password
included in the grant are the server name and server password configured through the
server and password parameters.
If this parameter is not set, the client credentials grant type is used by default.
ft_oauth2_server_trust_file
Specifies the path to a file containing one or more PEM-encoded public certificates that
can be used to validate a secure OAuth 2.0 authorization server's identity.
ft_oauth2_server_trust_file = trust_file
This parameter is only required if an HTTPS URL was specified for ft_oauth2_server_url.
ft_oauth2_disable_verify_hostname
When this parameter is enabled, the EMS server will not verify the hostname in the CN field
of the OAuth 2.0 authorization server’s certificate.
ft_oauth2_disable_verify_hostname = enabled|disabled
ft_oauth2_expected_hostname
The name that the EMS server expects in the CN field of the OAuth 2.0 authorization
server’s certificate.
ft_oauth2_expected_hostname = hostname
If this parameter is not set, the expected name is the hostname of the authorization server.
This parameter is not relevant when the ft_oauth2_disable_verify_hostname parameter
is set to true.
track_message_ids
Tracks messages by message ID. Default is disabled.
Enabling this parameter allows you to display messages using the show messagemessageID
command in the administration tool.
track_correlation_ids
Tracks messages by correlation ID. Disabled by default.
Enabling this parameter allows you to display messages using the show
messagescorrelationID command in the administration tool.
Note: The EMS server creates a single FTL event queue that is used for all EMS
transports for FTL configured in the transports.conf file.
ftl_log_level
Optional. Determines the trace level of FTL messages logged in the server when the EMS
Server FTL trace item is enabled.
ftl_log_level = level
ftl_trustfile
Optional. Specifies the trust file for the EMS server to validate the FTL server on a TLS
connection.
The trust file must be the same as that used by other FTL clients to validate the FTL server.
Note: For the trust file to be used, the ftl_url must start with https:// instead
of http://.
Note: If the ftl_url starts with https:// but a ftl_trustfile is not provided,
a warning is logged that the connection is not secure.
following way:
l If ftl_url starts with https:// and ftl_trustfile exists:
com.tibco.ftl.trust.type is set to
TIB_REALM_HTTPS_CONNECTION_USE_SPECIFIED_TRUST_FILE and
ftl_url
Required. Specifies the URL at which the EMS server can connect to the TIBCO FTL server.
ftl_url = URL
ftl_username
Optional. The username that the EMS server should use to authenticate itself when
connecting to the TIBCO FTL server.
ftl_username = user
Sets the com.tibco.ftl.client.username property. For more details, see the TIBCO FTL
documentation on realms.
When authenticating with FTL using OAuth 2.0, this parameter determines the grant type
used to request access tokens from the OAuth 2.0 authorization server. If ftl_username is
not set, the Client Credentials Grant type is used. If ftl_username is set, the
Resource Owner Password Credentials Grant type is used, with ftl_username and ftl_
password serving as the username and password credentials.
ftl_password
Optional. The password that the EMS server should use to authenticate itself when
connecting to the TIBCO FTL server. Note that the password can be stored in a mangled
form.
ftl_password = password
Sets the com.tibco.ftl.client.userpassword property. For more details, see the TIBCO
FTL documentation on realms.
This parameter may need to be set if authenticating with FTL using OAuth 2.0. See
ftl_username for details.
ftl_oauth2_access_token_file
Specifies the path to a file containing an OAuth 2.0 access token to use to authenticate
with the FTL deployment.
ftl_oauth2_access_token_file = pathname
If an access token is provided via this parameter, the EMS server will always use that
access token for authentication with the FTL deployment. The server will not attempt to
obtain access tokens from an OAuth 2.0 provider even if ftl_oauth2_server_url and other
relevant parameters are set.
ftl_oauth2_server_url
Specifies the HTTP or HTTPS URL of the OAuth 2.0 authorization server from which the EMS
server will obtain access tokens for authenticating with the FTL deployment.
ftl_oauth2_server_url = http://hostname:port
ftl_oauth2_server_url = https://hostname:port
ftl_oauth2_client_id
The OAuth 2.0 client ID to use when authenticating with the OAuth 2.0 authorization server.
This parameter and ftl_oauth2_client_secret are both required in order to obtain
access tokens from the authorization server, regardless of the configured grant type.
ftl_oauth2_client_id = client_id
ftl_oauth2_client_secret
The OAuth 2.0 client secret to use when authenticating with the OAuth 2.0 authorization
server. This parameter and ftl_oauth2_client_id are both required in order to obtain
access tokens from the authorization server, regardless of the grant type to be used.
ftl_oauth2_client_secret = client_secret
ftl_oauth2_server_trust_file
Specifies the path to a file containing one or more PEM-encoded public certificates for
validating a secure OAuth 2.0 authorization server's identity.
ftl_oauth2_server_trust_file = trust_file
This parameter is only required if an HTTPS URL was specified for ftl_oauth2_server_url.
ftl_oauth2_disable_verify_hostname
When this parameter is enabled, the EMS server will not verify the hostname in the CN field
of the OAuth 2.0 authorization server’s certificate.
ftl_oauth2_disable_verify_hostname = enabled|disabled
ftl_oauth2_expected_hostname
The name that the EMS server expects in the CN field of the OAuth 2.0 authorization
server’s certificate.
ftl_oauth2_expected_hostname = hostname
If this parameter is not set, the expected name is the hostname of the authorization server.
This parameter is not relevant when the ftl_oauth2_disable_verify_hostname parameter
is set to true.
tibftl_transports
Specifies whether the TIBCO FTL transports defined in transports.conf are enabled or
disabled.
Unless you explicitly set this parameter to enabled, the default value is disabled—that is,
all transports are disabled and will neither send messages to external systems nor receive
messages from them.
tibrv_transports
Specifies whether TIBCO Rendezvous transports defined in transports.conf are enabled
or disabled.
Unless you explicitly set this parameter to enabled, the default value is disabled—that is,
all transports are disabled and will neither send messages to external systems nor receive
message from them.
Note: When using FTL stores, only the client_trace, console_trace, and
trace_client_host parameters are applicable. All other log file related
parameters are unsupported. See Logging With FTL Stores for details.
client_trace
Administrators can trace a connection or group of connections. When this property is
enabled, the server instructs each client to generate trace output for opening or closing a
connection, message activity, and transaction activity. This type of tracing does not require
restarting the client program.
Each client sends trace output to location, which may be either stderr (the default) or
stdout.
Note: You can also direct client tracing output to a file, using the
tibems_SetTraceFile, Tibjms.setTraceFile and Tibems.SetTraceFile in the
C, Java and .NET libraries, respectively.
The default behavior is to trace all connections. You can specify either user, connid or
clientid to selectively trace specific connections. The value can be a user name or ID (as
appropriate).
Setting this parameter using the administration tool does not change its value in the
configuration file tibemsd.conf; that is, the value does not persist across server restarts
unless you set it in the configuration file.
console_trace
Sets trace options for output to stderr. The possible values are the same as for log_trace.
However, console tracing is independent of log file tracing.
console_trace = traceOptions
console_trace=-DEFAULT
Note: Important error messages (and some other messages) are always output,
overriding the trace settings.
logfile
Name and location of the server log file.
logfile = pathname
log_trace
Sets the trace preference on the file defined by the logfile parameter. If logfile is not
set, the values have no effect.
log_trace = traceOptions
The value of this parameter is a comma-separated list of trace options. For a list of trace
options and their meanings, see Server Tracing Options,.
You may specify trace options in three forms:
l plain A trace option without a prefix character replaces any existing trace options.
l + A trace option preceded by + adds the option to the current set of trace options.
l - A trace option preceded by - removes the option from the current set of trace
options.
The following example sets the trace log to only show messages about access control
violations.
log_trace=ACL
The next example sets the trace log to show all default trace messages, in addition to TLS
messages, but ADMIN messages are not shown.
log_trace=DEFAULT,-ADMIN,+SSL
logfile_max_count
Specifies the maximum number of log files to be kept.
logfile_max_count = integer
logfile_max_size
Specifies the recommended maximum log file size before the log file is rotated. Set to 0 to
specify no limit. Use KB, MB, or GB for units (if no units are specified, the file size is
assumed to be in bytes).
The server periodically checks the size of the current log file. If it is greater than the
specified size, the file is copied to a backup and then emptied. The server then begins
writing to the empty log file until it reaches the specified size again.
Backup log files are named sequentially and stored in the same directory as the current
log.
secondary_logfile
Name and location of the server log file used by the secondary EMS server in a fault
tolerant pair. The EMS server designated as primary in the pair writes to the file specified
by the logfile parameter.
secondary_logfile = pathname
If the secondary_logfile parameter is not set, the secondary server assumes the value of
logfile.
Note: This parameter is available only for JSON-configured EMS servers using
file-based stores or grid stores.
trace_client_host
Trace statements related to connections can identify the host by its hostname, its IP
address, or both. When absent, the default is hostname. The both_with_port option
displays the ephemeral port used on the host as well as the IP address and hostname.
trace_client_host = [hostname|address|both|both_with_port]
server_rate_interval
Sets the interval (in seconds) over which overall server statistics are averaged.
server_rate_interval = seconds
This parameter can be set to any positive integer greater than zero.
Overall server statistics are always gathered, so this parameter cannot be set to zero. By
default, this parameter is set to 1.
Setting this parameter allows you to average message rates and message size over the
specified interval.
statistics
Enables or disables statistic gathering for producers, consumers, destinations, and routes.
By default this parameter is set to disabled.
Disabling statistic gathering resets the total statistics for each object to zero.
rate_interval
Sets the interval (in seconds) over which statistics for routes, destinations, producers, and
consumers are averaged.
rate_interval = seconds
By default, this parameter is set to 3 seconds. Setting this parameter to zero disables the
average calculation.
detailed_statistics
Specifies which objects should have detailed statistic tracking.
Detailed statistic tracking is only appropriate for routes, producers that specify no
destination, or consumers that specify wildcard destinations. When detailed tracking is
enabled, statistics for each destination are kept for the object.
Setting this parameter to NONE disabled detailed statistic tracking. You can specify any
combination of PRODUCERS, CONSUMERS, or ROUTES to enable tracking for each object. If
you specify more than one type of detailed tracking, separate each item with a comma.
For example:
detailed_statistics = NONE
detailed_statistics = PRODUCERS,ROUTES
statistics_cleanup_interval
Specifies how long (in seconds) the server should keep detailed statistics if the destination
has no activity.
statistics_cleanup_interval = seconds
This is useful for controlling the amount of memory used by detailed statistic tracking.
When the specified interval is reached, statistics for destinations with no activity are
deleted.
max_stat_memory
Specifies the maximum amount of memory to use for detailed statistic gathering.
If no units are specified, the amount is in bytes, otherwise you can specify the amount
using KB, MB, or GB as the units.
Once the maximum memory limit is reached, the server stops collecting detailed statistics.
If statistics are deleted and memory becomes available, the server resumes detailed
statistic gathering.
ssl_server_ciphers
Specifies the cipher suites used by the server; each suite in the list is separated by a colon
(:). This parameter must follow the OpenSSL cipher string syntax.
ssl_server_ciphers = cipherSuites
For example, you can enable the cipher suites for security level 2 with the following setting:
ssl_server_ciphers = @SECLEVEL=2
See Specify Cipher Suites for more information about the cipher suites available in EMS
and the syntax for specifying them in this parameter.
ssl_require_client_cert
If this parameter is set to enable, the server only accepts TLS connections from clients that
have digital certificates. Connections from clients without certificates are denied.
If this parameter is set to disable, then connections are accepted from clients that do not
have a digital certificate.
Whether this parameter is set to enable or disable, clients that do have digital certificates
are always authenticated against the certificates supplied to the ssl_server_trusted
parameter.
The default value is disable.
ssl_require_route_cert_only
This parameter overrides the ssl_require_client_cert parameter.
ssl_use_cert_username
If this parameter is set to enable, a client’s user name is always extracted from the CN field
of the client’s digital certificate, if the digital certificate is specified.
If a different username is provided through the connection factory or API calls, then that
username is discarded. Only the username from the CN is used.
The CN field is either a username, an email address, or a web address.
ssl_cert_user_specname
This parameter is useful if clients are required to supply a username, but you wish to
designate a special username to use when the client’s username should be taken from the
ssl_cert_user_specname = username
For example, you may wish all clients to specify their username when logging in. This
means the ssl_use_cert_username parameter would be set to disable. The username is
supplied by the user, and not taken from the digital certificate. However, you may wish one
username to signify that the client logging in with that name should have the name taken
from the certificate. A good example of this username would be anonymous. All clients
logging in as anonymous will have their user names taken from their digital certificates.
The value specified by this parameter is the username that clients will use to log in when
the username should be taken from their digital certificate. A good example of the value of
this parameter would be anonymous.
Also, the value of this parameter is ignored if ssl_use_cert_username is set to enable, in
which case all client usernames are taken from their certificates. This parameter has no
effect for users that have no certificate.
ssl_server_identity
The server’s digital certificate in PEM, DER, or PKCS#12 format. You can specify the path to
a file that contains the certificate in one of the supported formats.
ssl_server_identity = certificate
This parameter must be specified if any TLS ports are listed in the listen parameter.
PEM and PKCS#12 formats allow the digital certificate to include the private key. If these
formats are used and the private key is part of the digital certificate,
then setting ssl_server_key is optional.
For example:
ssl_server_identity = certs/server.cert.pem
ssl_server_key
The server’s private key. If it is included in the digital certificate in ssl_server_identity,
then this parameter is not needed.
ssl_server_key = private_key
This parameter supports private keys in the following formats: PEM, DER, PKCS#8,
PKCS#12.
You must specify a path to a file that contains the key.
ssl_password
Private key or password for private keys. This password can optionally be specified on the
command line when tibemsd is started.
ssl_password = password
If TLS is enabled, and the password is not specified with this parameter or on the
command line, tibemsd will ask for the password upon startup.
You can set passwords by way of the tibemsadmin tool. When passwords are set with this
tool, the password is obfuscated in the configuration file. See EMS Administration Tool for
more information about using tibemsadmin to set passwords.
ssl_server_issuer
Certificate chain member for the server. The server reads the certificates in the chain in the
order they are presented in this parameter.
ssl_server_issuer = chain_member
The same certificate can appear in multiple places in the certificate chain.
The certificates must be in PEM, DER, PKCS#7, or PKCS#12 format. A DER format file can
only contain a single certificate, it cannot contain a certificate chain.
See File Names for Certificates and Keys for more information on file types for digital
certificates.
ssl_server_trusted
List of CA root certificates the server trusts as issuers of client certificates.
ssl_server_trusted = certificates
ssl_server_trusted = certs\CA1_root.pem
ssl_server_trusted = certs\CA2_root.pem
See File Names for Certificates and Keys for more information on file types for digital
certificates.
ssl_crl_path
A non-null value for this parameter activates the server’s certificate revocation list (CRL)
feature.
ssl_crl_path = pathname
The server reads CRL files from this directory. The directory should contain only CRL files. If
other files are located in the pathname directory, TLS initialization will fail.
ssl_crl_update_interval
The server automatically updates its CRLs at this interval (in hours).
ssl_crl_update_interval = hours
ssl_auth_only
When enabled, the server allows clients to request the use of TLS only for authentication
(to protect user passwords).
fips140-2
When true, the EMS server is enabled to run in FIPS 140-2 compliant mode. When false or
excluded, the server is not FIPS compliant.
monitor_ssl_identity
The digital certificate used for the Server Health and Metrics HTTPS listen in PEM, DER, or
PKCS#12 format. You can specify the path to a file that contains the certificate in one of
the supported formats.
monitor_ssl_identity = certificate
If this parameter is not specified, the identity file configured for the server’s TLS listen is
used in its place. If neither are specified, the server will fail to start up.
PEM, PKCS#12 formats allow the digital certificate to include the private key. If these
formats are used and the private key is part of the digital certificate, then setting
monitor_ssl_key is optional.
For example:
monitor_ssl_identity = certs/server.cert.pem
monitor_ssl_key
The private key used for the Server Health and Metrics HTTPS listen. If it is included in the
digital certificate in monitor_ssl_identity, then this parameter is not needed.
monitor_ssl_key = private_key
If this parameter is not specified, the private key file configured for the server’s TLS listen is
used in its place. If neither are specified, the server will fail to start up.
This parameter supports private keys in the following formats: PEM, DER, PKCS#8,
PKCS#12.
You must specify a path to a file that contains the key.
monitor_ssl_password
Password for the private key used for the Server Health and Metrics HTTPS listen.
monitor_ssl_password = password
If this parameter is not specified, the password for the private key file configured for the
server’s TLS listen is used in its place. If neither are specified, the server will fail to start up.
monitor_ssl_trusted
List of CA root certificates the server trusts as issuers of client certificates. This list only
applies to incoming connections on the Server Health and Metrics HTTPS listen.
monitor_ssl_trusted = certificates
If this parameter is not specified, an attempt is made to use the list from the server’s TLS
listen.
Specify only CA root certificates. Do not include intermediate CA certificates.
The certificates must be in PEM or DER format. You can either provide the paths to
certificates as individual monitor_ssl_trusted entries, or you can specify a path to a file
containing the certificate chain. If using a DER format file, it can contain only a single
certificate, not a certificate chain.
For example:
monitor_ssl_trusted = certs\CA1_root.pem
monitor_ssl_trusted = certs\CA2_root.pem
See File Names for Certificates and Keys for more information on file types for digital
certificates.
oauth2_server_validation_key
Specifies the path to a file containing the PEM-encoded public key or JSON Web Key Set
(JWKS) to use for validating the signature of an OAuth 2.0 JWT access token presented by
an incoming connection request.
oauth2_server_validation_key = public_key|JWKS
oauth2_user_claim
Specifies the claim in the OAuth 2.0 access token that contains the EMS user to associate
with the incoming connection request.
oauth2_user_claim = claim_name
oauth2_group_claim
Specifies the claim in the OAuth 2.0 access token that contains the list of groups that the
EMS user belongs to.
oauth2_group_claim = claim_name
This parameter is optional. If not specified, the EMS server will assume that the incoming
connection is associated with an EMS user that does not belong to any groups.
oauth2_audience
Specifies the expected value of the ‘aud’ claim in the access token presented by the
incoming connection request.
oauth2_audience = audience
The EMS server can be configured to accept multiple audience values. For example:
oauth2_audience = ems_aud1
oauth2_audience = ems_aud2
This parameter is optional. If not specified, the JWT audience will not be verified.
jaas_config_file
Specifies the location of the JAAS configuration file used by the EMS server to run a custom
authentication LoginModule.
jaas_config_file = file-name
For more information, see Loading the LoginModule in the EMS Server.
This parameter is required to enable the extensible security feature for authentication.
For example:
jaas_config_file = jaas.conf
jaas_login_timeout
Specifies the length of time, in milliseconds, that the EMS server will wait for the JAAS
authentication module to execute and respond.
jaas_login_timeout = milliseconds
This timeout is used each time the server passes a username and password to the
LoginModule. If the module does not return a response, the server denies authentication.
This parameter is optional. If it is not included, the default timeout is 10000 milliseconds.
For example:
jaas_login_timeout = 250
jaci_class
Specifies the name of the class that implements the extensible permissions interface.
jaci_class = class-name
The class must be written using the Java Access Control Interface (JACI). For more
information about writing a custom application using JACI to grant permissions, see
Permissions Module.
For example:
jaci_class = com.userco.auth.CustomAuthorizer
jaci_timeout
Specifies the length of time, in milliseconds, that the EMS server will wait for the JACI
permissions module to execute and respond.
jaci_timeout = milliseconds
This timeout is used each time the server passes a destination, username, and action to
the permissions module. If the module does not return a response, the server denies
authorization.
This parameter is optional. If it is not included, the default timeout is 10000 milliseconds.
For example:
jaci_timeout = 250
security_classpath
Includes the JAR files and dependent classes used by the JAAS LoginModules and JACI
modules.
security_classpath = classpath
This parameter is required to enable the extensible security feature for authentication and
the extensible security feature for granting permissions.
For example:
security_classpath = .:/usr/local/custom/user_jaci_plugin.jar
JVM Parameters
These parameters enable and configure the Java virtual machine (JVM) in the EMS server.
For more information on how the JVM works in EMS, see Enable the JVM.
jre_library
Enables the JVM in the EMS server, where path is the absolute path to the JRE shared
library file that is installed with the JRE.
jre_library = path
jre_library =
"C:\Program Files\Java\jdk1.8.0_121\jre\bin\server\jvm.dll"
jre_option
Passes command line options to the JVM at start-up.
jre_option = JVMoption
The jre_option parameter can be used to define Java system properties, which are used
by applications running in the JVM, such as extensible security modules.
You can use multiple jre_option entries in order to pass more than one options to the
JVM. Permitted values for JVMoption include most JVM options that are defined by Sun
Microsystems.
For example, this restricts the maximum heap size of the JVM to 256 megabytes:
jre_option = -Xmx256m
stores.conf Defines the locations of the stores where the EMS server will
store messages.
acl.conf
This file defines all permissions on topics and queues for all users and groups.
The format of the file is:
Parameter Description
Name
Parameter Description
Name
GROUP Name of the group to which you wish to add permissions. The designation
all specifies a predefined group that contains all users.
The permissions which can be assigned to queues are send, receive and
browse. The permissions which can be assigned to topics are publish,
subscribe and durable and use_durable. The designation all specifies all
possible permissions. For information about these permissions, refer to When
Permissions Are Checked and Inheritance of Permissions.
Example
bridges.conf
This file defines bridges between destinations.
See Destination Bridges for more information about destination bridges.
The format of the file is:
Example
[topic:myTopic1]
topic=myTopic2
queue=myQueue1
durables.conf
This file defines static durable subscribers.
The file consists of lines with either of these formats:
topic-name durable-name
[route]
[clientid=id]
[nolocal]
[selector="msg-selector"]
Parameter Description
Name
route When present, the subscriber is another server, and the durable-name is the
name of that server.
nolocal When present, the subscriber does not receive messages published from its
own connection.
selector= When present, this selector narrows the set of messages that the durable
msg-selector subscriber receives.
For detailed information about message selector syntax, see the ’Message
Selectors’ section in description for the Message class in TIBCO Enterprise
Message Service Java API Reference.
Example
topic1 dName1
topic2 dName2 clientid=myId,nolocal
topic3 dName3 selector="urgency in ('high','medium')"
topic4 Paris route
Conflicting Specifications
When the server detects an conflict between durable subscribers, it maintains the earliest
specification, and outputs a warning. Consider these examples:
l A static specification in this file takes precedence over a new durable dynamically
created by a client.
l An existing durable dynamically created by a client takes precedence over a new
Conflict can also arise because of wildcards. For example, if a client dynamically creates a
durable subscriber for topic foo.*, and an administrator later attempts to define a static
durable for topic foo.1, then the server detects this conflict and warns the administrator.
Configuration
To configure durable subscriptions in this file, we recommend using the create durable
command in the tibemsadmin tool; see create durable.
If the create durable command detects an existing dynamic durable subscription with the
same topic and name, it promotes it to a static subscription, and writes a specification to
the file durables.conf.
factories.conf
This file defines the connection factories for the internal JNDI names.
The file consists of factory definitions with this format:
Mandatory Parameters
These parameters are required. Values given to these parameters cannot be overridden using
API calls.
url This string specifies the servers to which this factory creates
connections:
l A single URL specifies a unique server. For example:
tcp://host1:8222
tcp://host1:8222,tcp://backup1:8222
tcp://a:8222|tcp://b:8222|tcp://c:8222
tcp://a1:8222,tcp://a2:8222|tcp://b1:8222,tcp://b2:8222
This example defines two servers (a and b), each of which has a
Optional Parameters
These parameters are optional. The values of these parameters can be overridden using API
calls.
metric The factory uses this metric to balance the load among a group of
servers:
l connections—Connect to the server with the fewest client
connections.
l byte_rate—Connect to the server with the lowest byte rate.
Byte rate is a statistic that includes both inbound and
outbound data.
clientID The factory associates this client ID string with the connections that it
creates. The client ID cannot exceed 255 characters in length.
connect_attempt_ When attempting a first connection, the client sleeps for this interval
delay (in milliseconds) between attempts to connect to its server (or in
fault-tolerant configurations, iterations through its URL list). When
connect_attempt_ When attempting to connect to the EMS server, you can set this
timeout connection timeout period to abort the connection attempt after a
specified period of time (in milliseconds).
reconnect_attempt_ After losing its server connection, a client program configured with
count more than one server URL attempts to reconnect, iterating through
its URL list until it re-establishes a connection with an EMS server.
This property determines the maximum number of iterations. When
absent, the default is 4.
reconnect_attempt_ When attempting to reconnect, the client sleeps for this interval (in
delay milliseconds) between iterations through its URL list. When absent,
the default is 500 milliseconds.
reconnect_attempt_ When attempting to reconnect to the EMS server, you can set this
timeout connection timeout period to abort the connection attempt after a
specified period of time (in milliseconds).
Example
[north_america]
type = topic
url = tcp://localhost:7222,tcp://server2:7222
clientID = "Sample Client ID"
ssl_verify_host = disabled
Configuration
To configure connection factories in this file, we recommend using the tibemsadmin tool;
see create factory.
Load Balancing
groups.conf
This file defines all groups. The format of the file is:
group-name1:"description"
user-name1
user-name2
group-name2:"description"
user-name1
user-name2
Group Parameters
Parameter Description
Name
group-name The name of the group. The group name cannot exceed 255 characters in
length.
Example
jaas.conf
This file directs the TIBCO Enterprise Message Service server to the JAAS LoginModule.
See Loading the LoginModule in the EMS Server for more information about the jaas.conf
file.
queues.conf
This file defines all queues.
The format of the file is:
Note: Note that, while including JNDI names is optional, the square brackets [ ]
must be included around JNDI names if they are included. For more information
about setting JNDI names, see create jndiname.
test store=mystore,secure,prefetch=2
Only queues listed in this file or queues with names that match the queues listed in this file
can be created by the applications (unless otherwise permitted by an entry in acl.conf).
For example, if queue foo.* is listed in this file, queues foo.bar and foo.baz can be
created by the application.
Properties of the queue are inherited by all static and dynamic queues with matching
names. For example, if test.* has the property secure, then test.1 and test.foo are also
secure. For information on properties that can be assigned to queues, see Destination
Properties.
For further information on the inheritance of queue properties, refer to Wildcards * and >
and Inheritance of Properties.
Note: In the sample file, a > wildcard at the beginning of the file allows the
applications to create valid queues with any name. A > at the beginning of the
queue configuration file means that name-matching is not required for creation
of queues.
Restrictions and rules on queue names are described in Destination Name Syntax.
routes.conf
This file defines routes between this TIBCO Enterprise Message Service server and other
TIBCO Enterprise Message Service servers.
[route-name] [route-name] is the name of the passive server (at the other
url The URL of the server to and from which messages are
routed.
zone_name The route belongs to the routing zone with this name. When
absent, the default value is default_mhop_zone.
You can set this parameter when creating a route, but you
cannot subsequently change it.
zone_type The zone type is either 1hop or mhop. When omitted, the
default value is mhop.
You can set this parameter when creating a route, but you
cannot subsequently change it.
The EMS server will refuse to start up if the zone type in the
routes.conf file does not match the zone type already
created in the $sys.meta file that holds the shared state for
the primary and secondary server.
Example
[test_route_2]
url = tcp://server2:7222
ssl_verify_host = disabled
stores.conf
This file defines the locations of stores where the EMS server will store messages or
metadata (if the default $sys.meta definition is overridden). You can configure one or
many stores in the stores.conf file.
Store parameters specific to file-based stores are described here. Grid store parameters are
described in Configuring and Deploying Grid Stores and FTL store parameters are described
in Configuring and Deploying FTL Stores.
The format of the file is:
If file_destination_defrag is zero or
absent, the destination defrag feature is
disabled.
For example:
file_minimum = 32MB
Example
[my_sync]
type = file
file = /var/local/tibems/my_sync.db
file_destination_defrag=2MB
file_minimum = 10MB
file_truncate = true
mode = sync
tibrvcm.conf
This file defines the TIBCO Rendezvous certified messaging (RVCM) listeners for use by
topics that export messages to a tibrvcm transport. The server preregisters these listeners
when the server starts up so that all messages (including the first message published) sent
by way of the tibrvcm transport are guaranteed. If the server does not preregister the
RVCM listeners before exporting messages, the listeners are created when the first message
is published, but the first message is not guaranteed.
listenerName The name of the RVCM listener to which topic messages are to
be exported.
subjectName The RVCM subject name that messages are published to. This
should be the same name as the topic names that specify the
export property.
Example
topics.conf
This file defines all topics.
The format of the file is:
Note: Note that, while including JNDI names is optional, the square brackets [ ]
must be included around JNDI names if they are included. For more information
about setting JNDI names, see create jndiname.
Only topics listed in this file or topics with names that match the topics listed in this file
can be created by the applications (unless otherwise permitted by an entry in acl.conf).
For example, if topic foo.* is listed in this file, topics foo.bar and foo.baz can be created
by the application.
Properties of the topic are inherited by all static and dynamic topics with matching names.
For example, if test.* has the property secure, then test.1 and test.foo are also secure.
For information on properties that can be assigned to topics, see Destination Properties.
For further information on the inheritance of topic properties, refer to Wildcards * and >
and Inheritance of Properties.
Restrictions and rules on topic names are described in Destination Name Syntax.
transports.conf
This file defines transports for importing messages from or exporting messages to TIBCO
FTL and Rendezvous.
The format of the file is:
Transport-specific Parameters
tibftl transports
If type = tibftl, the extended syntax is:
[endpoint = endpoint-name]
[import_subscriber_name = subscriber-name]
[import_match_string = {"fieldname1":value1,...,"fieldnameN":valueN}]
[export_format = format-name]
[export_constant = constant1,value1]
...
[export_constant = constantN,valueN]
tibrv transports
If type = tibrv, the extended syntax is:
[service = service]
[network = network]
[daemon = daemon]
[temp_destination_timeout = seconds]
[rv_queue_policy = [TIBRVQUEUE_DISCARD_NONE |
TIBRVQUEUE_DISCARD_FIRST |
TIBRVQUEUE_DISCARD_LAST]:max_msgs:qty_discard]
tibrvcm transports
If type = tibrvcm, the extended syntax is:
TIBRVQUEUE_DISCARD_FIRST |
TIBRVQUEUE_DISCARD_LAST]:max_msgs:qty_discard]
Example
[FTL01]
type = tibftl
endpoint = EP1
import_subscriber_name = sub1
import_match_string = {"f1":"foo","f2":true}
export_format = format-1
export_constant = constant1,value1
export_constant = constant2,value2
export_constant = constant3,value3
[RV01]
type = tibrv
topic_import_dm = TIBEMS_RELIABLE
queue_import_dm = TIBEMS_PERSISTENT
service = 7780
network = lan0
daemon = tcp:host5:7885
[RVCM01]
type = tibrvcm
export_headers = true
export_properties = true
rv_tport = RV02
cm_name = RVCMTrans1
ledger_file = ledgerFile.store
sync_ledger = true
request_old = true
default_ttl = 600
[RV02]
type = tibrv
topic_import_dm = TIBEMS_PERSISTENT
queue_import_dm = TIBEMS_PERSISTENT
service = 7780
network = lan0
daemon = tcp:host5:7885
rv_queue_policy = TIBRVQUEUE_DISCARD_LAST:10000:100
users.conf
This file defines all users.
The format of the file is:
username:password:"description"
Parameter Description
Name
username The name of the user. The username cannot exceed 255 characters in length.
password Leave this item blank when creating a new user. For example:
bob::"Bob Smith"
User passwords are not entered in this configuration file, and remain empty
(and therefore not secure) until you set them using the administration tool;
see Assigning a Password to the Administrator. You can also create users and
assign passwords using API calls; see the API reference for the language you
are working with.
Example
admin::"Administrator"
Bob::"Bob Smith"
Bill::"Bill Jones"
After the server has started and passwords have been assigned, the file will look like this:
admin:$1$urmKVgq78:"Administrator"
Bob:$2$sldfkj;lsafd:"Bob Smith"
Bill:$3$tyavmwq92:"Bill Jones"
Procedure
1. Enable authentication and access control for the system. See Enable Authentication
and Access Control.
2. Determine which destinations require access control, and enable access control for
those destinations. See Destination Access Control .
3. Configure the list of authentication methods. See Authentication Methods.
4. Determine the names of the authorized users of the system and create usernames
and passwords for these users. See Users.
5. Optionally, set up groups and assign users to groups. See Groups.
6. Determine which users need administrator permissions, and decide whether
administrators can perform actions globally or be restricted to a subset of actions.
See Administrator Permissions for more information.
Users
Users are specific, named IDs that allow you to identify yourself to the server. When a client
attempts to connect to the server, it presents a set of credentials to identify itself as a
particular user. These credentials can either be a username and corresponding password,
or an OAuth 2.0 access token containing a username (see Authentication Using OAuth 2.0).
Note: In special cases, you may wish to allow anonymous access to the server.
In this case, a connect request does not have to supply a username or password.
To configure the server to allow anonymous logins, you must create a user
named anonymous and specify no password. Anonymous logins are not
permitted unless the anonymous user exists.
Clients logging in anonymously are only able to perform the actions that the
anonymous user has permission to perform.
Users are the basis for access control in the EMS server. Users can be assigned server-wide
administrative permissions and destination-level permissions. These permissions dictate
what actions the user can perform once connected to the EMS server.
There is one predefined user, admin, that performs administrative tasks, such as creating
other users.
You can create and remove users and change passwords by specifying the users in the
users.conf configuration file, using the tibemsadmin tool, or by using the administration
APIs. For more information about specifying users in the configuration file, see users.conf.
For more information about specifying users using the tibemsadmin tool, see EMS
Administration Tool. For more information on the administration APIs, see the online
documentation.
EMS can also obtain user information from an external directory (such as an LDAP server),
or an OAuth 2.0 access token presented by the connecting client. Such externally-
configured users must be defined and managed directly via the external directory or OAuth
2.0 provider.
Groups
Groups allow you to create classes of users. Groups make access control administration
significantly simpler because you can grant and revoke permissions to large numbers of
users with a single operation on the group.
Each user can belong to as many groups as necessary. A user’s permissions are the union
of the permissions of the groups the user belongs to, in addition to any permissions
granted to the user directly.
You can create, remove, or add users to groups by specifying the groups in groups.conf,
using the tibemsadmin tool, or by using the administration APIs. For more information
about specifying groups in the configuration file, see groups.conf. For more information
about specifying groups using the tibemsadmin tool, see EMS Administration Tool. For
more information on the administration APIs, see the online documentation.
EMS can also obtain group information from an external directory (such as an LDAP server),
or an OAuth 2.0 access token presented by the connecting client. Such externally-
configured groups must be defined and managed directly using the external directory, or
the OAuth 2.0 provider.
Note: EMS can retrieve both static and dynamic groups from an external
directory.
Note: In order to combine users and groups in this manner, the user_auth
configuration parameter must have at least two authentication methods
specified. See Authentication Methods for details.
When you attempt to view users and groups using the show user/s or show group/s
commands, any externally-defined users and groups have an asterisk next to their names.
Externally-defined users and groups will only appear in the output of these commands in
the following situations:
l an externally-defined user successfully authenticates
l a user belonging to an externally-defined group successfully authenticates
l an externally-defined user has been added to a locally-defined group
l permissions on a topic or queue have been granted to an externally-defined user or
group
Therefore, not all externally-defined users and groups may appear when the show user/s
or show group/s commands are executed. Only the users and groups that meet the above
criteria at the time the command is issued will appear.
You can create users and groups with the same names as externally-defined users and
groups. If a user or group exists in the server’s configuration and is also defined externally,
the local definition of the user takes precedence. Locally-defined users and groups will not
have an asterisk by their names in the show user/s or show group/s commands.
You can also issue the delete user or delete group command to delete users and groups
from the local server’s configuration. The permissions assigned to the user or group are
also deleted when the user or group is deleted. If you delete a user or group that is defined
externally, this deletes the user or group from the server’s memory and deletes any
permissions assigned in the access control list, but it has no effect on the external
definition of that user or group (for example, it will not be deleted from the external
directory or OAuth 2.0 provider). The externally-defined user can once again log in, and the
user is created in the server’s memory and any groups to which the user belongs are also
created. However, any permissions for the user or group have been deleted and therefore
must be re-granted.
When authorization is disabled, the server grants any connection request, and does not
check permissions when a client accesses a destination (for example, publishing a message
to a topic).
When authorization is enabled, the server grants connections only upon successful
authentication. The server checks permissions for client operations involving secure
destinations.
To enable authorization, either edit tibemsd.conf (set the authorization property to
enabled, and restart the server). Or you can use the tibemsadmin tool to dynamically
enable authorization with the following set server command:
Authorization does affect connections between fault-tolerant server pairs; see Authorization
and Fault-Tolerant Servers.
Administrators must always log in with the correct administration username and password
to perform any administrative function—even when authorization is disabled.
When a destination does not have the secure property set, any authenticated user can
perform any actions on that topic or queue.
See Destination Properties for more information about destination properties.
Authentication Methods
The parameter user_auth in tibemsd.conf determines the authentication methods the EMS
server can use to authenticate incoming connection requests - either from EMS clients or
other EMS servers. This parameter can have one or more of the following values (separated
by comma characters):
l local—authenticate incoming connection requests by validating the presented user
credentials against locally defined user information (users.conf and groups.conf).
l jaas—authenticate incoming connection requests by validating the presented user
Each time the server receives a connection request, it attempts to authenticate it via each
of the specified authentication methods in the order that this parameter specifies. The EMS
server accepts successful authentication using any of the specified methods.
another EMS server or a TIBCO messaging product that is configured for OAuth 2.0
authentication.
Note: EMS only supports access tokens in the form of signed JWTs with
asymmetric validation keys. Unsigned JWTs, or JWTs with symmetric validation
keys are not supported.
The EMS client APIs and the EMS server can be configured to use either the Client
Credentials grant or Resource Owner Password Credentials grant for obtaining OAuth 2.0
access tokens.
Note: The EMS client APIs additionally support user-defined callbacks for
obtaining access tokens. This method of obtaining access tokens requires the
use of new APIs. Existing EMS client applications will need to be modified to use
the new APIs in order to make use of this method. Refer to the corresponding
client API documentation for details.
User-defined callbacks are only available in the client APIs. This method of
obtaining access tokens is not supported in the EMS server.
user_auth=oauth2
Note: The EMS server can be configured to use oauth2 alongside other
authentication methods. See Authentication Methods for details.
In order to validate the signature and claims of access tokens presented by incoming
connections, the oauth2_server_validation_key and oauth2_user_claim server
parameters must also be set. See OAuth 2.0 Parameters for descriptions of all required and
optional OAuth 2.0 related server parameters.
Administrator Permissions
Administrators are a special class of users that can manage the EMS server. Administrators
create, modify, and delete users, destinations, routes, factories, and other items. In
general, administrators must be granted permission to perform administration activities
when using the Administration Tool or administration API. Administrators can be granted
global permissions (for example, permission to create users or to view all queues), and
administrators can be granted permissions to perform operations on specific destinations
(for example, purging a queue, or viewing properties for a particular topic).
Administrators must be created using the administration tool, the administration APIs, or in
the configuration files.
If a user has both global and destination-level administrator permissions, the actions that
user can perform are determined by combining all global and destination-level
administrator permissions granted to the user. For example, if an administrator is granted
the view-destination permission, that administrator can view information about all
destinations, even if the view permission is not granted to the administrator for specific
destinations.
The admin user or all users in the $admin group can grant or revoke any administrator
permission to any user. All other users must be granted the change-admin-acl permission
and the view-user and/or the view-group permissions before they can grant or revoke
administrator permissions to other users.
If a user has the change-admin-acl permission, that user can only grant or revoke
permissions that have been granted to the user. For example, if user BOB is not part of the
$admin group and he has only been granted the change-admin-acl and view-user
permissions, BOB cannot grant any administrator permissions except the view-user or
change-admin-acl permissions to other users.
Users have all administrator permissions that are granted to any group to which they
belong. You can create administrator groups, grant administrator permissions to those
groups, and then add users to each administrator group. The users will be able to perform
any administrative action that is allowed by the permissions granted to the group to which
the user belongs.
Any destination-level permission granted to a user or group for a wildcard destination is
inherited for all child destinations that match the parent destination.
If protection permissions are set up, administrators can only grant or revoke permissions to
other users that have the same protection permission as the administrator. See Protection
Permissions for more information about protection permissions.
Note: An administrator can always change his/her own password, even if the
administrator is not granted the change-user permission.
An administrator can always view his/her own permissions by issuing the:
showacl username
Note: Any type of modification to an item requires that the user can view that
item. Therefore, granting any create, modify, delete, change, or purge
permission implicitly grants the permission to view the associated item.
Granting the view permissions is useful when you want specific users to only be
able to view items. It is not necessary to grant the view permission if a user
already has a permission that allows the user to modify the item.
Global permissions are stored in the acl.conf file, along with all other permissions. Global
permissions in this file have the following syntax:
or
For example, if a user named BOB is granted the view-user global administration
permission and the group sys-admins is granted the change-acl permission, the following
entries are added to the acl.conf file:
Destination-Level Permissions
Administrators can be granted permissions on each destination. Destination-level
permissions control the administration functions a user can perform on a specific
destination. Global permissions granted to a user override any destination-level
permissions.
The typical use of destination-level administration permissions is to specify permissions on
wildcard destinations for different groups of users. This allows you to specify particular
destinations over which a group of users has administrative control. For example, you may
allow one group to control all ACCOUNTING.* topics, and another group to control all
PAYROLL.* queues.
create Create the specified destination. This permission is useful when used with
wildcard destination names. This allows the user to create any destination
that matches the specified parent.
purge Either purge this queue, if the destination is a queue, or purge the durable
subscribers, if the destination is a topic with durable subscriptions.
Note: Any type of modification to an item requires that the user can view that
item. Therefore, granting create, modify, delete, change, or purge implicitly
grants the permission to view the associated item.
Granting the view permissions is useful when you want specific users to only be
able to view items. It is not necessary to grant the view permission if a user
already has a permission that allows the user to modify the item.
Administration permissions for a destination are stored alongside all other permissions for
the destination in the acl.conf file. For example, if user BOB has publish and subscribe
permissions on topic foo, and then BOB is granted view permission, the acl listing would
look like the following:
Note: Both user and administrator permissions for a destination are stored in
the same entry in the acl.conf file. This is for convenience rather than for
clarity. User permissions specify the actions a client application can perform on
a destination (publish, subscribe, send, receive, and so on). Administrator
permissions specify what administrative commands the user can perform on the
destination when using the administration tool or administration API.
Protection Permissions
Protection permissions allow you to group users into administrative domains so that
administrators can only perform actions within their domain. An administrator can only
perform administrative operations on a user that has the same protection permission as
the user.
There are four protection permissions (protect1, protect2, protect3, and protect4) that
allow you to create four groups of administrators. Protection permissions do not apply to
the admin user or users in the $admin group — these users can perform any action on any
user regardless of protection permissions.
To use protection permissions, grant one of the protection permissions to a set of users
(either individually, or to a defined group(s)). Then, grant the same protection permission
to the administrator that can perform actions on those users.
For example, there are four departments in a company: sales, finance, manufacturing, and
system administrators. Each of these departments has a defined group and a set of users
assigned to the group. Within the system administrators, there is one manager and three
other administrators, each responsible for administering the resources of the other
departments. The manager of the system administrators can perform any administrator
action. Each of the other system administrators can only perform actions on members of
the groups for which they are responsible.
The user name of the manager is mgr, the user names of the other system administrators
are admin1, admin2, and admin3. The following commands illustrate the grants necessary
for creating the example administration structure.
Note: You can grant a protection permission, in addition to the all permission.
This signifies that the user has all administrator privileges for anyone who also
has the same protection permission. However, if you revoke the all permission
from a user, all permissions, including any protection permissions are removed
from the access control list for the user.
An administrator is able to view users that have a different protection permission set, but
the administrator can only perform actions on users with the same protection permission.
For example, admin1 can perform any action on any user in the sales group, and can view
any users in the manufacturing or finance groups. However, admin1 is not able to grant
permissions, change passwords, delete users from, or perform any other administrative
action on users of the manufacturing or finance groups. The mgr user is able to perform
any action on any user, regardless of their protection permission because mgr is a member
of the $admin group.
User Permissions
User permissions are stored in the access control list and determine the actions a user can
perform on a destination. A user’s permissions are the union of the permissions granted
explicitly to that user along with any permissions the user receives by belonging to a
group.
When granting user permissions, you specify the user or group to whom you wish to grant
the permission, the name of the destination, and the permission(s) to grant. Granting
permissions is an action that is independent from both the authorization server
parameter, and the secure property of the relevant destinations. The currently granted
permissions are stored in the access control file, however, the server enforces them only if
the authorization is enabled, and only for secure destinations.
Note: When setting permissions for users and groups defined externally, user
and group names are case-sensitive. Make sure you use the correct case for the
name when setting the permissions.
Queue Permission
Name Description
Topic Permission
Name Description
use_durable permission to use an existing durable subscriber on the topic, but not to
create, delete, or modify the durable subscriber
This set of permissions means that bob can subscribe to topic foo and publish messages to
it, but bob cannot create durable subscribers to foo.
If bob is a member of group engineering and the group has the following entry in the acl
file:
then bob can publish and subscribe to topics foo and bar.
If both the user bob and the group engineering have entries in the acl.conf file, then bob
has permissions that are a union of all permissions set for bob directly and the permissions
of the group engineering.
A user cannot create or send a message to a destination for which he or she has not
explicitly been granted the appropriate permission. So, before creating or sending
messages to the destination, a user must be granted permissions on the destination.
However, for wildcard topic names (queue consumers cannot specify wildcards),
permissions are not checked when users create non-durable subscriptions. Therefore, a
user can create a subscription to topic foo.* without having explicit permission to create
subscriptions to foo.* or any child topics. This allows administrators to grant users the
desired permissions after the user’s application creates the subscriptions. You may wish to
allow users to subscribe to unspecific wildcard topics, then grant permission to specific
topics at a later time. Users are not able to receive messages based on their wildcard
subscriptions until permissions for the wildcard topic or one or more child topics are
granted.
Attempts to perform an operation by a user who does not have the permission to perform
it are traced in the server log file.
Note: When creating a durable subscriber, users must have the durable
permission explicitly set for the topic they are subscribing to. For example, to
create a durable subscriber to topic foo.*, the user must have been granted the
durable permission to create durable subscriptions for topic foo.*. To subscribe
an existing durable subscriber to a topic,
you must have either durable or use_durable permission set on that topic.
1. User bob is working with a EMS application that subscribes to topics and displays
any messages sent to those topics.
2. User bob creates a subscription to user.*. This topic is the parent topic of each user.
Messages are periodically sent to each user (for example, messages are sent to the
topic user.bob). Because the same application is used by many users, the application
creates a subscription to the parent topic.
3. User bob creates a subscription to topic corp.news. This operation fails because bob
has not been granted access to that topic yet.
4. A message is sent to the topic user.bob, but the application does not receive the
message because bob has not been granted access to the topic yet.
5. The administrator, as part of the daily maintenance for the application, grants access
to topics for new users. The administrator grants the subscribe permission to topic
user.bob and corp.* to user bob. These grants occur dynamically, and user bob is
now able to receive messages sent to topic user.bob and can subscribe to topic
corp.news.
6. The administrator sends a message on the topic user.bob to notify bob that access
has been granted to all corp.* topics.
7. The application receives the new message on topic user.bob and displays the
message.
8. User bob attempts to create a subscription for topic corp.news and succeeds.
9. A message is sent to topic corp.news. User bob’s application receives this message
and displays it.
10. The administrator notices that bob is a contractor and not an employee, so the
administrator revokes the subscribe permission on topic corp.* to user bob.
The subscription to corp.news still exists for user bob’s application, but bob cannot
create any new subscriptions to children of the corp.* topic.
Extensible Security
The following sections outline how to develop and implement custom authentication and
permissions modules.
Extensible Authentication
The extensible authentication feature uses the Java virtual machine (JVM) and the Java
Authentication and Authorization Service (JAAS) to allow you to run your own Java-based
authentication module in the EMS server.
Your authentication module, or LoginModule, runs in the JVM within the EMS server, and is
accessed by tibemsd using the JAAS interface. This is a flexible way to extend the security
of your EMS application. The LoginModule can be used to augment existing authentication
processes, or can be the sole method of authentication used by the EMS server.
The user_auth parameter in the main configuration file determines when the LoginModule
is used.
Each time an EMS client attempts to create a connection to the server, the server will
authenticate the client before accepting the connection. When extensible authentication is
enabled, tibemsd passes user information to the LoginModule, which returns an allow or
deny response.
If more than one authentication mechanism is enabled, when a user attempts to
authenticate, the server seeks corresponding authentication information from each of the
specified locations in the order determined by the user_auth parameter. The EMS server
accepts successful authentication using any of the specified sources.
For example, if local authentication appears before JAAS authentication, the server will
search for the provided username and password first in the users.conf file. If the user
does not exist there or if the provided username and password don't match, the EMS
server passes those to the LoginModule, which allows or denies the connection attempt.
Because the LoginModule runs in the Java virtual machine, you must also enable the JVM
in the EMS server. See Enable the JVM for more information.
LoginModule Requirements
In order to implement extensible authentication, you must write a LoginModule
implementing the JAAS interface.
There are some requirements for a LoginModule that will run in the EMS server:
l The LoginModule must accept the username and password from the EMS server by
way of the NameCallback and PasswordCallback callbacks. The EMS server passes
the username and password to the LoginModule using these callbacks, ignoring the
prompt argument.
l If the username and password combination is invalid, the LoginModule must throw a
FailedLoginException. The EMS server then rejects the corresponding connection
attempt.
l The LoginModule must be thread-safe. That is, the LoginModule must be able to
function both in a multi-threaded environment and in a single-threaded environment.
l The LoginModule should perform authentication only, by determining whether a
username and password combination is valid. For information about custom
permissions, see Extensible Permissions.
l The LoginModule, like the Permissions Module, should not perform long operations,
and should return values quickly. As these modules become part of the EMS server’s
message handling process, slow operations can have a severe effect on performance.
l The LoginModule must be named EMSUserAuthentication.
More information about JAAS, including documentation of JAAS classes and interfaces, is
available through http://java.sun.com/products/jaas/.
Note: The LoginModule in the JAAS configuration file must have the name
EMSUserAuthentication.
Extensible Permissions
The extensible permissions feature uses the Java virtual machine (JVM) and the Java
Access Control Interface (JACI) to allow you to run your own Java-based permissions
module in the EMS server.
Your Permissions Module runs in the JVM within the EMS server, and connects to tibemsd
using the JACI interface. Like the LoginModule, the Permissions Module provides an extra
layer of security to your EMS application. It does not supersede standard EMS procedures
for granting permissions. Instead, the module augments the existing process.
When a user attempts to perform an action, such as subscribing to a topic or publishing a
message, the EMS server checks the acl.conf file, the Permissions Module, and cached
results from previous Permissions Module queries, for authorization. This process is
described in detail in Granting Permissions.
Cached Permissions
In order to speed the authorization process, the EMS server caches responses received
from the Permissions Module in two pools, the allow cache and the deny cache. Before
invoking the Permissions Module, the server first checks these caches for a cache entry
matching the user’s request.
What is Cached
Each cache entry consists of a username and action, and the authorization result response
from the Permissions Module.
Properties of cache entries:
l The username is specific; the cached permission applies only to this user.
l The action is also specific. Only one action is included in each cache entry. Actions
that require authorization are the same as those listed in the acl.conf file.
l The destination can include wildcards. That is, a single cache entry can determine
the user’s authorization to perform the action on multiple destinations.
If the response from the Permissions Module authorized the action, the permission is
cached in the allow cache. If the action was denied, it is cached in the deny cache.
l jaci resetstats
l jaci clear
1. First, the server checks the acl.conf for authorization. This is the standard EMS
mechanism for granting permissions, as is documented in Authentication and
Permissions.
2. Next, the server checks the Permissions Module allow cache for authorization. If an
entry matching the username, action, and destination exists in the cache, the request
is allowed.
Because destinations with wildcards can exist in the cache, an entry can have a
wildcard destination that contains the requested destination. If that entry specifies
the same username and action, the request is allowed. For more information on this
topic, see Implications of Wildcards on Permissions below.
3. The server then checks the deny cache for a matching entry. If an entry exists in the
deny cache, the request is denied.
As in the allow cache, wildcards used in destinations can result in a cache entry with
a destination that contains the requested destination. If that entry matches the
username and action, the request is denied. For more information on this topic, see
Implications of Wildcards on Permissions below.
4. Finally, if there are no matching entries in either cache, the server passes the
username, action type, and destination to the Permissions Module, which returns an
allow or deny authorization response. The response is also saved to the cache for the
timeout specified in the response.
If the Permissions Module does not respond to the request within the timeout
specified by the jaci_timeout parameter in the tibemsd.conf file, the server denies
authorization by default.
Actions that require permissions are the same as those listed in the acl.conf file, and
include operations such as subscribe to a topic and publishing to a queue. Permissions are
described in acl.conf. The following figure shows the decision tree the server follows
when granting or denying permissions.
Durable Subscribers
When a durable subscriber is disconnected from the EMS server, the server continues to
accumulate messages for the client. However, while the client is disconnected, there is no
user associated with the durable subscriber. Because of this, the server cannot immediately
check permissions for a message that is received when the client is not connected.
When a user later reconnects to the server and resubscribes to the durable subscription,
the server checks permissions for the subscribe operation itself, but all messages in the
backlog are delivered to the consumer without additional permission checks.
Special Circumstances
There are some special circumstances under which the request, although it is not exactly
matched in the acl.conf file, will be denied without reference to either the permissions
cache or the Permissions Module. Any request will be denied if, in the acl.conf
l The username exists but is not associated with any destinations.
l The username exists and is associated with destinations, but not with the specific
destination in the request.
l The username is part of a group, but the group is not associated with any
destinations.
l The username is part of a group and the group is associated with destinations, but
not with the specific destination in the request.
In general entries in the acl.conf file supersede entries in the Permissions Module,
allowing you to optimize permission checks in well-defined static cases. When the
acl.conf does not mention the user, the Permissions Module is fully responsible for
permissions.
Similarly, an entry in the deny cache remains there until the timeout has expired and the
entry is removed. Only then does the EMS server send the request to the Permissions
Module, so that a change in status can take effect.
Overlapping wildcards can make this situation even more complex. For example, consider
these three destinations:
foo.*.baz
foo.bar.*
foo.>
It might seem that, if foo.*.baz were in a cache, then foo.bar.* would match it and
permissions for that destination would come from the cache. In fact, however, permissions
could not be determined by the cache entry, because foo.bar.* intersects but is not a
subset of foo.*.baz. That is, not every destination that matches foo.bar.* will also match
foo.*.baz. The destination foo.bar.boo, for example, would be granted permissions by
foo.bar.*, but not by foo.*.baz.
Since not all destinations that foo.bar.* matches will also match foo.*.baz, we say that
foo.*.baz intersects foo.bar.*. The cache entry can determine a permission if the
requested destination is a subset of the cache entry, but not if it is merely an intersection.
In this case, permissions cannot be determined by the cache.
The destination foo.>, on the other hand, contains as subsets both foo.bar.* and
foo.*.baz, because any destination name that matches either foo.bar.* or foo.*.baz will
also match foo.>. If foo.> is in the cache, permissions will be determined by the cache.
The Permissions Module will be used to grant permissions only to those destinations that
are defined as secure in the topics.conf and queues.conf configuration files. If there are
no topics or queues that include the secure property, then the Permissions Module will
never be called because the server does not check permissions at all.
Because the Permissions Module runs in the Java virtual machine, you must also enable
the JVM in the EMS server. See Enable the JVM for more information.
Permissions Module
The Permissions Module is a custom module that runs inside the EMS server within a JVM.
The Permissions Module is written using JACI, a set of APIs developed by TIBCO Software
Inc. that you can use to create a Java module that will authorize EMS client requests.
JACI provides the interface between your code and the EMS server. JACI is a standard
component of EMS, and JACI classes and interfaces are documented in
com.tibco.tibems.tibemsd.security.
Requirements
In order to implement extensible permissions, you must write a Permissions Module
implementing the JACI interface.
There are some requirements for a Permissions Module that will run in the EMS server:
l The Permissions Module must implement the JACI Authorizer interface, which
accepts information about the operation to be authorized.
l The Permissions Module must return a permission result, by way of the
AuthorizationResult class. Permission results contain:
o An allowed parameter, where true means that the request is allowed and false
means the request is denied.
o A timeout, which determines how long the permission result will be cached.
Results can be cached for a time of up to 24 hours, or not at all.
o The destination on which the user is authorized to perform the action. The
destination returned can be more inclusive than the request. For example, if
the user requested to subscribe to the topic foo.bar, the permission result can
allow the user to subscribe to foo.*. If a destination is not included in the
permission result, then the allow or deny response is limited to the originally
requested destination.
o The action type that the permission result replies to. For example,
authorization to publish to the destination, or authorization to receive
messages from a queue. Permissions can be granted to multiple action types,
for example permission to publish and subscribe on foo.>. Note that the EMS
server creates one cache entry for each action specified in the result.
l The Permissions Module must be thread-safe. That is, the Permissions Module must
be able to function both in a multi-threaded environment and in a single-threaded
environment.
l The Permissions Module, like the LoginModule, should not employ long operations,
and should return values quickly. As these modules become part of the EMS server’s
message handling process, slow operations can have a severe effect on performance.
For more information about these parameters, see JVM Parameters and tibemsd.conf.
LDAP. An extension of LDAP Authentication, this module also retrieves LDAP group
membership information and passes it back into the EMS server, where it may be
used for authorization. This modules provides the most functionality but generates
more requests to the LDAP server.
l Host Based Authentication — authentication based on the hostname or IP of a user
connection. The module is most often used in conjunction with other modules, or in
situations where only specific network nodes may authenticate to the EMS server.
EMS_HOME/src/java/jaas
The readme.txt file in that directory contains instructions on compiling the source files.
Procedure
1. Configure the JAAS Module
Create a JAAS module configuration file with parameter values appropriate to your
environment.
If you are using one of the provided default modules, locate the configuration file for
the desired module in the EMS_HOME/samples/config/jaas directory, and configure
the module parameters for your environment. It is a good practice to copy this file
along side your other EMS configuration files.
The prebuilt JAAS modules and their parameters are described in Prebuilt JAAS
Modules.
2. Configure the EMS Server Parameters
The default EMS_HOME/samples/config/tibemsd-jaas.conf file is configured for JAAS.
This file can be copied as tibemsd.conf, or the server can be started with the
-config parameter to specify this file. See Starting the EMS Server Using Options for
details.
If you prefer to manually configure JAAS, then take the following steps to modify the
main EMS server configuration file, tibemsd.conf:
a. Set the jre_library parameter to enable the JVM. For more information, see
The JVM in the EMS Server.
b. Set the security_classpath parameter to include the following JAR files:
EMS_HOME/bin/tibemsd_jaas.jar
EMS_HOME/lib/tibjmsadmin.jar
EMS_HOME/lib/tibjms.jar
EMS_HOME/lib/jakarta.jms-api-2.0.3.jar
For example:
security_classpath = c:\tibco\ems\10.3\bin\tibemsd_
jaas.jar;c:\tibco\ems\10.3\lib\tibjmsadmin.jar;c:\tibco\ems\10
.3\lib\tibjms.jar;c:\tibco\ems\10.3\lib\jakarta.jms-api-
2.0.3.jar
jaas_config_file = jaas_configuration.txt
user_auth=jaas
authenticating to the LDAP server. The authentication process uses the name and
password that the application used when connecting to the EMS server.
The user name must be in the form of a distinguished name, unless a user name pattern is
supplied through the tibems.ldap.user_pattern parameter. When a user pattern is
supplied, the DN used for the lookup is that pattern string, with %u replaced with the name
of the user.
Authentication Process
The simple authentication login module creates a local LDAP context, binding to the LDAP
server as a particular user with credentials from the incoming connection. The result of the
bind dictates authentication success or failure.
Implementation
The LDAP Simple Authentication module name is:
com.tibco.tibems.tibemsd.security.jaas.LDAPSimpleAuthentication
The JAAS configuration file entry for this login module should have a section similar to the
following:
EMSUserAuthentication {
com.tibco.tibems.tibemsd.security.jaas.LDAPSimpleAuthentication required
tibems.ldap.url="ldap://ldapserver:389"
tibems.ldap.user_pattern="CN=%u" ;
};
Parameters
The LDAP Simple Authentication Module parameters are listed in the following table.
Parameter Description
Parameter Description
Parameter Description
LDAP Authentication
The LDAP Authentication login module is a more fully featured LDAP authentication
module. This module validates all connections (users, routes, and so on) by authenticating
to the LDAP server using the supplied credentials.
This EMS JAAS module keeps one lookup context open using a manager context, and then
uses copies of that context to search for users. This allows the LDAP implementation to
reuse the connection for subsequent searches, improving performance.
Authentication Process
This implementation queries LDAP, and optionally a user cache, to authenticate a user. A
context with LDAP manager credentials is first used to look up a user and retrieve the
complete distinguished name of the user's entry. If the user exists, a separate LDAP context
is then created to authenticate the user. For performance reasons, the manager context,
once created, exists for the lifetime of the module.
Should connectivity with the LDAP server break, multiple reconnection attempts may be
made based on the parameters.
To increase performance, you can enable user caching. When enabled, a user is added to
the user cache after being authenticated though LDAP. This allows for faster authentication
on subsequent logins. If the user cache entry is found to be expired, the user is
authenticated with LDAP again and the cache is updated.
Implementation
The LDAP Authentication module name is:
com.tibco.tibems.tibemsd.security.jaas.LDAPAuthentication.
The JAAS configuration file entry for this login module should have a section similar to the
following:
EMSUserAuthentication {
com.tibco.tibems.tibemsd.security.jaas.LDAPAuthentication required
tibems.ldap.url="ldaps://ldapserver:391"
tibems.ldap.truststore="/certificates/cacerts"
tibems.ldap.user_base_dn="ou=Marketing,dc=company,dc=com"
tibems.ldap.user_attribute="uid"
tibems.ldap.scope="subtree"
tibems.cache.enabled=true
tibems.cache.user_ttl=600
tibems.ldap.manager="CN=Manager"
tibems.ldap.manager_password="password" ;
};
Parameters
The LDAP Authentication Module parameters are listed in the following table.
Parameter Description
debug When set to true, enables debug output for the module.
Enabling this parameter may aid in diagnosing
configuration problems.
tibems.ldap.operation_timeout The timeout set for LDAP connect and LDAP read
operations. The property is specified in milliseconds.
Parameter Description
tibems.ldap.user_base_dn The base DN used for the LDAP search. For example:
ou=People,dc=TIBCO,dc=com
Parameter Description
tibems.ldap.manager The distinguished name of the user that this module uses
when binding to the LDAP server to perform a search.
l subtree
Parameter Description
l object
tibems.ldap.user_attribute The attribute that is compared to the user name for the
search.
Authentication Process
The Group User LDAP module authenticates a user just as the LDAP Authentication module
does, but will make additional requests to garner group membership information from
LDAP and update the EMS server for authorization purposes.
For example, consider a user "Joe", who belongs to the "Engineering" group in the LDAP
server. When an application connects to the EMS server using Joe's credentials, the
information that Joe belongs to the Engineering group is passed back up to the server after
a successful authentication. If access controls are set up in EMS for the group Engineering,
then Joe inherits those permissions.
Implementation
The LDAP Group User Authentication module name is:
com.tibco.tibems.tibemsd.security.jaas.LDAPGroupUserAuthentication
The JAAS configuration file entry for this module should have an entry similar to:
EMSUserAuthentication {
com.tibco.tibems.tibemsd.security.jaas.LDAPGroupUserAuthentication required
tibems.ldap.url="ldap://ldapserver:389"
tibems.ldap.user_base_dn="ou=Marketing,dc=company,dc=com"
tibems.ldap.user_attribute="uid"
tibems.ldap.scope="subtree"
tibems.ldap.group_base_dn="ou=Groups,dc=company"
tibems.ldap.group_member_attribute="uniqueMember"
tibems.ldap.dynamic_group_base_dn="ou=Groups,dc=company"
tibems.ldap.dynamic_group_class="groupOfURLs"
tibems.ldap.dynamic_group_member_attribute="uid"
tibems.ldap.dynamic_group_filter="(objectClass=GroupOfURLs)"
tibems.cache.enabled=true
tibems.cache.user_ttl=600
tibems.ldap.manager="CN=Manager"
tibems.ldap.manager_password="password" ;
};
Parameters
In addition to all parameters available for the LDAP Authentication module, which are
described in the following table, the following parameters are supported:
Parameter Description
Default is cn.
Parameter Description
Default is {0}={1}.
Default is uniqueMember.
Default is groupOfURLs.
Default is cn.
Parameter Description
When using
tibems.ldap.dynamic_group_search_direct,
a simple filter should be used which matches
all dynamic groups that may contain the
user. For example,
(objectClass=GroupOfURLs).
Default is {0}={1}.
Default is uniqueMember.
Default is memberURL.
Parameter Description
Default is false.
Default is memberOf.
Parameter Description
Default is CN.
Default is (distinguishedName={1}).
Authentication Process
When a client connects to the EMS server, this module compares the IP address with the
specified IP net/prefix list, if configured. If that is not successful, then the hostname is
compared with the list of hostnames or domain names. Should none of the above succeed,
authentication fails.
Implementation
The Host Based Authentication module name is:
com.tibco.tibems.tibemsd.security.jaas.HostBasedAuthentication
The JAAS configuration file entry for this login module should have a section similar to the
following:
EMSUserAuthentication {
com.tibco.tibems.tibemsd.security.jaas.HostBasedAuthentication required
tibems.hostbased.accepted_hostnames="'production.*','.tibco.com'"
tibems.hostbased.accepted_addresses"10.1.2.23, 10.100.0.0/16, 0:0:0:0:0:0:0:1"
};
Parameters
The Host Based Authentication Module parameters are listed in the following table.
Parameter Description
Parameter Description
For example:
'host1', '.tibco.com', '^.*_
SERVER\\.tibco\\.com'
For example:
10.1.2.23, 10.100.0.0/16,
0:0:0:0:0:0:0:1
Authentication Process
When a client connects, the user name is identified and then authenticated based on the
number of connections open for that user. If the number of connections is less than the
configured limit, the user is authenticated successfully, and the internal connection count
is incremented. When a user disconnects, the internal connection count is decremented.
A client’s user name can be specified as one of the following types: hostname, IP address,
LDAP ID, or LDAP ID and hostname.
Note: If you plan on stacking this module with other JAAS modules, it is
important to use this as the final JAAS module and to list all of the JAAS
modules as 'requisite'. This ensures that the internal connection count of the
Connection Limit Authentication module remains accurate.
Implementation
The Connection Limit Authentication module name is:
com.tibco.tibems.tibemsd.security.jaas.ConnectionLimitAuthentication
The JAAS configuration file entry for this login module should have a section similar to the
following:
EMSUserAuthentication {
com.tibco.tibems.tibemsd.security.jaas.ConnectionLimitAuthentication required
tibems.connectionlimit.max_connections="5"
tibems.connectionlimit.type="HOSTNAME" ;
};
Parameters
The Host Based Authentication Module parameters are listed in the following table.
Parameter Description
debug When set to true, enables debug output for the module.
Enabling this parameter may aid in diagnosing
Parameter Description
configuration problems.
EMSUserAuthentication {
com.tibco.tibems.tibemsd.security.jaas.HostBasedAuthentication requisite
tibems.hostbased.accepted_addresses="10.98.48.45, ::1"
tibems.hostbased.accepted_hostnames="'jsmith.*','.tibco.com'";
com.tibco.tibems.tibemsd.security.jaas.LDAPSimpleAuthentication requisite
tibems.ldap.user_pattern="uid=%u,ou=People,dc=tibco.com"
tibems.ldap.url="ldap://localhost:389" ;
};
EMSUserAuthentication {
com.tibco.tibems.tibemsd.security.jaas.LDAPSimpleAuthentication sufficient
tibems.ldap.user_pattern="uid=%u,ou=People,dc=Local"
tibems.ldap.url="ldap://localhost:389" ;
com.tibco.tibems.tibemsd.security.jaas.LDAPSimpleAuthentication sufficient
tibems.ldap.user_pattern="uid=%u,ou=People,dc=Remote"
tibems.ldap.url="ldap://localhost:389" ;
};
ldap_conn_type
The connection type is indirectly supported by the JAAS modules through the protocol
portion of the LDAP URL.
l ldap:// creates a TCP connection.
If the startTLS LDAP extension is required, additional JNDI parameters may be specified
through the JAAS configuration. Alternately, you can customize the JAAS module. See
Custom JAAS Modules for more information.
ldap_tls Parameters
The JAAS modules have the ability to pass any parameters to JNDI. It is up to the user to
determine what java TLS parameters to pass to JNDI through the JAAS configuration.
In most cases, only a certificate key store is required. For convenience, the
tibems.ldap.truststore parameter can be used to specify the store. Refer to Java
documentation for additional information regarding the use of TLS.
Filters
Filters perform the same function in the JAAS modules as they do when LDAP
authentication is configured within the EMS server, but the specification of the filter
parameters is slightly different.
Be sure to substitute the EMS server's %s filters for the appropriate {n} JAAS module filter.
tibems.ldap_user_filter="(&({0}={1})(objectClass=uniqueMember))"
and
tibems.ldap.group_filter="(&({0}={1})(objectClass=groupofUniqueNames))"
Refer to the filter documentation to map various identifiers. For example, in converting the
user filter, the former EMS server LDAP parameter, %s maps to {1} in the JAAS filter. Many
group searches should work with a filter similar to:
(&{0}={1})(objectClass=<group class>)
However, dynamic groups do allow you to specify the class in order to mirror the search
algorithm used by the former EMS server native LDAP functionality.
Dynamic Groups
Dynamic groups in LDAP should normally behave similarly to static groups in LDAP.
However, some LDAP implementations require a modified search algorithm.
In order to perform this type of search with the JAAS modules, set the parameter:
tibems.ldap.dynamic_group_search_direct="true"
It is recommended this is parameter be enabled after you have determined that there is a
problem, or when using an OpenLDAP server. In some cases, this is required in order to
mirror the former EMS server native LDAP functionality.
Example
This section provides a walk through converting an existing set of pre-EMS 10.0 LDAP
parameters using the LDAP Group User Authentication login module.
For example:
security_classpath =
c:\tibco\ems\10.3\bin\tibemsd_jaas.jar;
c:\tibco\ems\10.3\lib\tibjmsadmin.jar;
c:\tibco\ems\10.3\lib\tibjms.jar;c:\tibco\ems\10.3\lib\jakarta.jms-
api-2.0.3.jar
3. Enable JAAS for LDAP authentication by modifying the user_auth parameter. Remove
ldap from the list of authentication sources, and verify that jaas is present.
For example:
user_auth=jaas
b. Copy the file to a secure location, ideally alongside the other EMS server
configuration files.
5. Set the jaas_config_file to reference the JAAS module configuration file created in
Step 4 above.
For example:
jaas_config_file = ems_ldap_with_groups.txt
ldap_url = ldap://ldaphost:389
ldap_principal = cn=Manager
ldap_credential =$man$fPSdYgyVTQloUv36Km36AEOrARW
ldap_user_class = person
ldap_user_attribute = uid
ldap_user_base_dn = "ou=People,dc=TIBCO"
ldap_user_scope = subtree
ldap_user_filter = "(&(uid=%s)(objectclass=person))"
ldap_group_base_dn = "ou=Groups,dc=TIBCO"
ldap_group_scope = subtree
ldap_group_filter = "(&(cn=%s)(objectclass=groupOfUniqueNames))"
ldap_static_group_class = groupOfUniqueNames
ldap_static_group_attribute = cn
ldap_static_member_attribute = uniqueMember
ldap_cache_enabled = FALSE
EMSUserAuthentication {
com.tibco.tibems.tibemsd.security.jaas.LDAPGroupUserAuthentication required
tibems.ldap.url="ldap://ldaphost:389"
tibems.ldap.manager="cn=Manager"
tibems.ldap.manager_password="$man$fPSdYgyVTQloUv36Km36AEOrARW"
tibems.ldap.user_attribute="uid"
tibems.ldap.user_base_dn="ou=People,dc=TIBCO"
tibems.ldap.scope="subtree"
tibems.ldap.user_filter="(&(uid={1})(objectclass=person))"
tibems.ldap.group_base_dn="ou=Groups,dc=TIBCO"
tibems.ldap.group_scope="subtree"
tibems.ldap.group_filter="(&({0}={1}(objectclass=groupOfUniqueNames))"
tibems.ldap.group_attribute="cn"
tibems.ldap.group_member_attribute="uniqueMember"
tibems.ldap.cache.enabled = "false" ;
};
Procedure
1. Add JAAS to the EMS server trace options in the main server configuration file:
console_trace = DEFAULT,+JAAS,+JVM,+JVMERR
2. Enable debugging in the JAAS module itself, by setting the debug parameter to true:
EMSUserAuthentication {
com.tibco.tibems.tibemsd.security.jaas.LDAPSimpleAuthentication required
debug="true"
tibems.ldap.url="ldap://ldapserver:389"
tibems.ldap.user_pattern="CN=%u"
};
Warning: Note that enabling the debug flag may create security
vulnerabilities by revealing information in the log file. This parameter
should be enabled only for troubleshooting purposes.
Result
This will provide a list of parameters passed into LDAP, which is useful in identifying any
mistyped parameters or default values that need to be changed. Verbose output is
provided to help identify the problem.
When developing a custom JAAS module, it is possible for a runtime exception inside a
JAAS method to cause the JAAS module to fail. In those cases, catching and printing
exceptions to the default output stream provides valuable information.
Grid Stores
You can configure TIBCO Enterprise Message Service to store messages, state information,
and configuration information in supported versions of TIBCO ActiveSpaces.
The following topics describe grid stores. For information about other store types, see
Store Messages in Multiple Stores and FTL Stores.
This storage-centered design of grid stores lends itself to quick server start-up times. As
opposed to other store types, the entirety of each store's contents is not read upon server
start-up or failover. Instead, the server continuously performs incremental scans of the grid
stores in the background. This allows for much faster server recovery when the store sizes
have grown very large.
The server scans through its grid stores incrementally in the background and discards stale
data, such as purged and expired messages. As a result, purged and expired messages are
not immediately removed, and may remain in a grid store longer than they would in a file-
based or FTL store - although they are not delivered to consumers. The scanning behavior
is determined by parameter settings in the store's configuration, and is further described in
Understanding Grid Store Intervals.
A full background scan of the grid stores must be completed in order to obtain the correct
overall statistics. Due to this, querying the server for a total pending message count before
the grid stores have been fully scanned may return an inaccurate value. However, querying
specific destinations, consumers or durables will return an accurate count. See Implications
for Statistics for more information.
The latency costs in communicating with ActiveSpaces can make grid stores slower than
file-based stores or FTL stores. The strength of grid stores lies with their scalability and
consistent recovery time regardless of store size.
data processed each increment are controlled by two parameter settings. These
parameters can be configured for each grid store.
The default parameter settings are optimized for best performance in most production
environments (see Configuring Grid Stores for information about the default values).
However, if the amount of data in a grid store grows significantly, the read rates associated
with the background activity may begin to affect message transmission rates in the EMS
server. If the EMS server performance is negatively affected by the size of the grid store,
you can tune the grid store parameter values to spread grid store background activity over
a longer period of time, thereby decreasing the associated read rates.
l scan_target_interval: the maximum amount of time allowed before each message
in the store is examined.
For example, if the scan_target_interval is 24 hours, each section of the grid store
will be examined at least once every day. Because purged and expired messages are
not removed from the grid store until they are examined by this background process,
this means that it can take up to 24 hours before a message is removed from the
queue following a purge command (making underlying storage space available for re-
use).
l scan_iter_interval: the length of time between each increment of background
activity.
For example, if the scan_iter_interval is 10 seconds, the EMS server begins
examining a new section of the grid store every 10 seconds. The amount of data read
in each increment is dependent on the total size of the store and the length of the
scan_target_interval. The server must examine enough data in each interval to
fully traverse the store within the target interval.
Example
For example, assume that scan_iter_interval is 10 seconds, scan_target_interval is 1
day (86,400 seconds), and the grid store contains 9 GB of data. Every 10 seconds, the EMS
server will examine about 1 MB of data. This produces an average read rate of about 100
KB/sec, which is unlikely to produce performance degradation with most modern storage
mediums.
If EMS server performance does slow, you may need to increase the scan_target_interval
value in order to spread the background activity over a longer period of time. You can
monitor the settings for problems using the show store command and checking the ratio of
"Discard Scan Interval Bytes" to "Discard Scan interval". For best results, this ratio should
be kept below 20% of the system capacity. Adhering to this ratio will help ensure that the
background activity does not occupy an excessive amount of system resources.
server.
l TIBCO ActiveSpaces must already be installed on all host machines that are to run
the state keeper or node processes.
Overview
An ActiveSpaces data grid suitable for use with grid stores is composed of the following
components:
l Realm service (runs as part of a TIBCO FTL server)
l Administrative daemon
l State keeper
l Node
l Proxy
Embedded Proxy
The ActiveSpaces proxy facilitates communication between the EMS server and the data
grid. While the EMS server requires an external proxy process to connect to the data grid
during startup, all subsequent communication between the server’s grid stores and the
data grid is carried out via an ActiveSpaces proxy embedded directly in the server. Using
this embedded proxy improves grid store performance by eliminating any would-be server
to proxy communication latency. Note that the embedded proxy must be included in the
data grid definition. See the Defining the Data Grid and Component Processes section for
details.
Procedure
1. Navigate to an empty directory that can be used as the realm configuration data
directory.
cd data_dir_1
The FTL server uses the current directory as the default location to store its working
data files. When the FTL server detects an empty working directory, it begins with a
default realm definition.
If you have already begun to configure the realm definition, then navigate to your
existing data directory instead.
2. Start the FTL server executable.
tibftlserver -n <name>@<host>:<port>
Where,
<name> is a unique name for the FTL server, for example, ftl1.
<port> is any port not bound by another process.
ActiveSpaces component processes initiate contact with the FTL server at this
address.
Procedure
1. In a text editor, start editing a script file.
2. Add the script command to create the data grid by using the syntax:
4. Run the script using the tibdg administration tool to create the data grid.
where <host> and <port> refer to the pipe-separated FTL server URLs.
Procedure
1. Start the administrative daemon process
tibdgadmind -r http://<host>:<port>
For all of the above <host> and <port>, refer to the pipe-separated FTL server URLs.
keeper_name, node_name, proxy_name and grid_name refer to the names chosen in Defining
the Data Grid and Component Processes
You can now run the following tibdg command to verify that all component processes are
running and that the data grid is online:
In a development environment, the FTL server, administrative daemon, state keeper, node,
proxy, and EMS server processes can be started on the same host machine.
Required Parameters
type=as Identifies the store type. This parameter is required for all
store types. The type corresponding to grid stores is as
(abbreviation of ActiveSpaces).
Optional Parameters
For example:
scan_iter_interval=100msec
EMS does not support configuration of multiple store types in the same server. If using grid
stores, all stores in the configuration must be of type as.
The tibemsconf2json tool cannot be used to make changes to the JSON configuration file
after it has been generated.
The tibemsjson2grid tool can be used to upload JSON configuration files to a specified
data grid. It can also download JSON configuration files from a specified data grid.
export LD_LIBRARY_PATH=<AS_HOME>/lib:<FTL_HOME>/lib:$LD_LIBRARY_PATH
tibemsjson2grid options
tibemsjson2grid Options
The following table shows the options that are used with the tibemsjson2grid tool.
Option Description
-url url The pipe-separated URLs of the data grid the store is
connected to.
Option Description
-trustfile path Path to the plaintext file that contains the FTL server’s
public certificate. Required for TLS communication with
a secure FTL server.
Examples
Example 1
Uploading configuration to the data grid:
Example 2
Downloading configuration from a data grid:
Example 3
Uploading configuration to a secure data grid:
Option Description
The syntax for starting the EMS server with grid stores is as follows:
Examples
Example 1
Example 2
FTL Stores
You can configure TIBCO Enterprise Message Service to store messages, state information,
and configuration information in supported versions of TIBCO FTL.
The following topics describe FTL stores. For information about other store types, see Store
Messages in Multiple Stores and Grid Stores.
FTL stores have a somewhat unique configuration and deployment model in comparison to
other EMS storage types. When using FTL stores, the EMS server runs as a service within an
FTL server – which is an umbrella process that launches and manages a number of
messaging services that constitute a TIBCO FTL deployment. The integration of EMS with
FTL in this manner reduces latency in communication between the EMS server and its FTL
backend. Additionally, it also allows EMS to make use of FTL’s disaster recovery
capabilities.
In terms of functionality, FTL stores are similar to file-based stores. When using FTL stores,
all pending persistent message information and state information is maintained in EMS
server memory and persisted on disk via FTL. Keeping this information in memory reduces
the amount of disk reads required and facilitates faster message processing
As with file-based stores, an EMS server using FTL stores must recover all state information
and pending message information before it can activate. Depending on the situation, this is
achieved either by reading the contents of all stores from disk via FTL, or by processing the
data that has already been replicated to the EMS server by FTL.
Each of the three FTL servers in the cluster has its own EMS server running under it. One of
those three EMS servers is configured as standby_only, meaning that it will always remain
in the fault-tolerant standby state and can never transition to the active state. This server's
only purpose is to perform data replication and provide redundancy. The other two EMS
servers comprise the actual fault-tolerant EMS server pair. One of these is chosen by the
cluster to enter the active state and the other becomes its fault-tolerant peer in standby
state.
A client making a fault-tolerant connection to these EMS servers would specify only the
URLs of the fault-tolerant EMS server pair. The URL of the standby_only EMS server should
not be used since that EMS server will never activate.
The fault-tolerant EMS server pair makes use of the connections between the FTL servers in
the cluster for fault-tolerance related communication. This means that the specifics of
fault-tolerance are handled by the FTL server cluster rather than the EMS servers
themselves. The majority of EMS server parameters and options relating to configuration of
fault-tolerance are not applicable when using FTL stores.
To provide data redundancy, the persistence capabilities of FTL are leveraged to
consistently replicate FTL store data to at least a majority of EMS servers running within
the FTL server cluster. By default, the FTL store data replicated to each server is also
persisted on disk to provide an additional layer of redundancy (See Persistence with FTL
Stores). In most fault-tolerant failover scenarios, the standby EMS server already has the
required store data in memory and is able to activate with minimal recovery time.
When using FTL stores, the EMS server configuration is stored in the FTL server cluster. This
allows the configuration to be accessible to EMS servers running in separate machines or
containers. Static configuration elements including JAAS modules, JAAS module
configuration files, JACI modules and digital certificates are not stored in the cluster and
must still be maintained manually.
performant alternative that fulfills all the data persistence and replication requirements
needed for EMS fault-tolerance. A good example of this is in cloud-based deployments,
where shared storage may not be an option, or may be prohibitively slow even when
available. FTL stores would be able to leverage the more performant storage options
offered by the cloud service provider to support a fault-tolerant deployment. Additionally, a
cloud-based deployment of FTL stores would also be capable of deploying across multiple
availability zones to provide a level of redundancy and availability that may not be
achievable using shared storage.
Failover Time
For deployments where a large amount of backlogged persistent message data is expected,
FTL stores can provide faster recovery time than file-based stores in most fault-tolerant
failover scenarios. With smaller pending message backlogs, the fault-tolerant failover
recovery times for both store types will be comparable.
Disaster Recovery
Another criteria to consider is whether disaster recovery is important for the deployment.
When using FTL stores, EMS is able to leverage its integration with FTL to provide disaster
recovery as an in-built feature. The EMS server does not have this capability when using
file-based stores.
globals:
core.servers:
<name of FTL server #1>: <host>:<port>
<name of FTL server #2>: <host>:<port>
<name of FTL server #3>: <host>:<port>
servers:
<name of FTL server #1>:
- tibemsd:
-listens: <comma-separated list of URLs for EMS server #1>
exepath: EMS_HOME/bin/tibemsd
-config_wait:
<name of FTL server #2>:
- tibemsd:
-listens: <comma-separated list of URLs for EMS server #2>
exepath: EMS_HOME/bin/tibemsd
-config_wait:
<name of FTL server #3>:
- tibemsd:
-listens: <comma-separated list of URLs for EMS server #3>
exepath: EMS_HOME/bin/tibemsd
-config_wait:
-standby_only:
While this YAML template configures a cluster of 3 FTL servers, it can easily be adapted for
a standalone FTL server by removing server entries from the servers section and from the
core.servers list in the globals section.
In addition to the examples in the next section, sample YAML configuration files can be
found under the EMS_HOME/samples/config directory of the EMS installation.
globals
The globals section contains parameters that directly affect the operation of the FTL
servers in the cluster.
servers
The servers section must contain a list of all FTL servers in the cluster. For each server in
the list, a sub-list of services whose behavior is to be configured can be specified. No
service should be specified more than once for a given server.
The table below details the parameters available to configure each service.
-standby_only This parameter informs the FTL server that its EMS
server is configured to be standby_only, meaning
that it cannot ever transition to active state. This
parameter does not accept a value.
-store The path to the directory where the FTL server will
write out FTL store-specific data. If not specified, FTL
store data will be written to the current working
directory by default.
-monitor_listen The URL at which the EMS server will listen for health
check and Prometheus metrics requests.
load The path to the state file from which the FTL server
will load its state information during startup.
<EMS server command line option> Any EMS server command line option can be included
in this section. For example, -ssl_trace.
data The general data directory for the FTL server. This
directory will contain all non-FTL store specific data.
If not specified, the default is the current working
directory.
file:<path to password_file>
ftlserver.properties Parameters
logfile The prefix for the filenames of the rolling log files
generated by the FTL server.
max.log.size The maximum size of each FTL server log file in bytes.
Examples
Example 1
Configuration for a standalone FTL server that does not have security enabled and is using
the default data directories.
globals:
core.servers:
ftls1: host1:8080
servers:
ftls1:
- tibemsd:
-listens: tcp://host1:7222
exepath: /opt/tibco/ems/10.3/bin/tibemsd
-config_wait:
Example 2
Configuration for a secure FTL server cluster that specifies generic and FTL store-specific
data directories, has logging configured and is also configured to replicate data to a
disaster recovery site.
globals:
core.servers:
ftls1: host1:8080
ftls2: host2:8085
ftls3: host3:8090
tls.secure: file:/opt/deployment/keystore_password_file
auth.url: file:///opt/deployment/users.txt
servers:
ftls1:
- tibemsd:
-listens: ssl://host1:7222
exepath: /opt/tibco/ems/10.3/bin/tibemsd
-store: /opt/deployment/ftls1/ftlstore_data
-config_wait:
- realm:
data: /opt/deployment/ftls1/ftlserver_data
drto: dr_ftls1@host4:8080|dr_ftls2@host5:8085|dr_ftls3@host6:8090
user: admin
password: file:/opt/deployment/password_file
- ftlserver.properties:
logfile: /opt/deployment/ftls1/logs/log
max.log.size: 1048576
max.logs: 100
ftls2:
- tibemsd:
-listens: ssl://host2:7224
exepath: /opt/tibco/ems/10.3/bin/tibemsd
-store: /opt/deployment/ftls2/ftlstore_data
-config_wait:
- realm:
data: /opt/deployment/ftls2/ftlserver_data
drto: dr_ftls1@host4:8080|dr_ftls2@host5:8085|dr_ftls3@host6:8090
user: admin
password: file:/opt/deployment/password_file
- ftlserver.properties:
logfile: /opt/deployment/ftls2/logs/log
max.log.size: 1048576
max.logs: 100
ftls3:
- tibemsd:
-listens: ssl://host3:7226
exepath: /opt/tibco/ems/10.3/bin/tibemsd
-store: /opt/deployment/ftls3/ftlstore_data
-config_wait:
-standby_only:
- realm:
data: /opt/deployment/ftls3/ftlserver_data
drto: dr_ftls1@host4:8080|dr_ftls2@host5:8085|dr_ftls3@host6:8090
user: admin
password: file:/opt/deployment/password_file
- ftlserver.properties:
logfile: /opt/deployment/ftls3/logs/log
max.log.size: 1048576
max.logs: 100
This results in the generation of two files - the trust file which contains the public
certificate and the keystore file which contains the encrypted private key data.
3. Copy the trustfile and keystore to the general data directory of each FTL server in
the cluster. See Deploying the FTL Server Cluster for details on configuring the
general data directory and FTL store-specific data directory for an FTL server.
4. Add the tls.secure parameter to the globals section of the YAML configuration file
and specify the path to keystore_password_file.
globals:
# ...
tls.secure: file:<absolute path to keystore_password_file>
Note: There are several other ways to pass the keystore password to the
tls.secure parameter. See the Password Security section of the TIBCO FTL
Administration product guide for details.
5. Choose a password to be used for authentication and create a new file containing
the authentication data for the FTL server cluster.
6. Add the auth.url parameter to the globals section of the YAML configuration file
and specify the path to the users.txt file.
globals:
# ...
auth.url: file://<absolute path to users.txt file>
Note: As an alternative to flat file based internal authentication, FTL also offers
support for authentication via an external service. See the Authentication Service
section of the TIBCO FTL Administration product guide for details.
With these steps completed, the FTL server cluster can be deployed by following the steps
in the next section.
servers:
# ...
If not specified, both the general data directory and the FTL store-specific data
directory for the FTL server will default to the current working directory.
3. Run the FTL server executable.
stores.conf Parameters
The following table describes the stores.conf parameters required for FTL stores. Any
stores.conf parameters not listed here are unsupported when using FTL stores.
name.
type=ftl Identifies the store type. This parameter is required for all
store types. The type corresponding to FTL stores is ftl.
EMS does not support configuration of multiple store types in the same server. If using FTL
stores, all stores in the configuration must be of type ftl.
tibemsd.conf Parameters
The following table describes the tibemsd.conf parameters that are specific to FTL stores,
unsupported with FTL stores, or which behave differently when used with FTL stores.
disk.
For example:
ftl_disk_preallocation = 20GB
All parameters with prefix ft_ aside In general, any parameters that configure fault-
from ft_reconnect_timeout tolerance between EMS servers are ignored when
using FTL stores. The specifics of fault-tolerance are
handled directly by FTL.
logfile When using FTL stores, the EMS server log file
log_trace should not be configured. See the Logging With FTL
logfile_max_count
Stores section for details on setting up FTL server
logfile_max_size
logging.
Synchronous
If an FTL store is configured with mode=sync, all data sent to the store is synchronously
written to disk via FTL.
Synchronous mode for FTL stores provides high reliability with guaranteed message
persistence on disk. Message processing performance may be lower than other persistence
modes due to the additional latency introduced by synchronous disk writes.
Asynchronous Replication
If an FTL store is configured with mode=async, all data sent to the store is persisted to disk
asynchronously. Messages sent to a destination that is mapped to an asynchronous mode
FTL store are synchronously replicated to at least a majority of EMS servers within the
cluster to guarantee data persistence and redundancy in memory, then asynchronously
written to disk via FTL.
Asynchronous mode for FTL stores can offer higher performance at the cost of guaranteed
message persistence on disk. This persistence mode can be especially advantageous in
deployments with slower disks.
If the mode parameter is not configured for a user-defined FTL store, it is set to
asynchronous persistence mode by default.
In-Memory Replication
The in_memory_replication EMS server parameter can be used to configure the
deployment to persist message data and state information only in memory and avoid all
disk writes. This parameter applies to all FTL stores in the deployment and overrides the
mode parameter of all stores.
In-memory persistence mode offers higher FTL store performance at the cost of disk
persistence. This persistence model is only suggested for deployments with higher
tolerance for message loss. Users are encouraged to measure whether the desired
performance is achievable using synchronous or asynchronous persistence modes before
considering in-memory persistence.
The procedure for shutting down the FTL server cluster differs when this parameter is
enabled. See Shutting Down and Restarting an In-Memory Cluster for details.
Option Description
-config When using FTL stores, the EMS server reads its
configuration directly from the FTL server cluster.
The tibemsjson2ftl tool must be used to upload
the EMS server configuration to the FTL server
cluster.
-secondary When using FTL stores, the EMS server roles are
implicit, which makes the -secondary option
Option Description
irrelevant.
The tibemsconf2json tool cannot be used to make changes to the JSON configuration file
after it has been generated.
JSON configuration must be available in the FTL server cluster prior to starting the EMS
server. If no configuration is available in the cluster, the EMS server will start-up with a
default configuration.
The tibemsjson2ftl tool can be used to upload JSON configuration files to a specified FTL
server cluster. It can also download JSON configuration files from a specified cluster.
export LD_LIBRARY_PATH=<FTL_HOME>/lib:$LD_LIBRARY_PATH
tibemsjson2ftl options
tibemsjson2ftl Options
The following table shows the options that are used with the tibemsjson2ftl tool.
Option Description
-url url The pipe-separated list of URLs of the FTL server cluster to
connect to.
http://<host>:<port>
https://<host>:<port>
Option Description
-trustfile path Path to the trust file created in the Initializing FTL Server
Cluster Security section. Required when connecting to a secure
FTL server cluster.
-user user User name to use when connecting to an FTL server cluster that
has authentication enabled.
-password password Password to use when connecting to an FTL server cluster that
has authentication enabled. This should be the same password
written to the users.txt file in Initializing FTL Server Cluster
Security.
-oauth2_access_token The OAuth 2.0 access token to use when connecting to an FTL
token server cluster configured with OAuth 2.0 authentication.
Examples
Example 1
Uploading configuration to an FTL server cluster:
Example 2
Downloading configuration from an FTL server cluster:
Example 3
Uploading configuration to a secure FTL server cluster:
Note: Killing an EMS server process is not supported. Since each EMS server runs
as a service within an FTL server, killing an EMS server process will simply cause
its hosting FTL server to automatically restart it.
down both the EMS server and its hosting FTL server process.
See the Using the EMS Administration Tool section for a list of tibemsadmin options and
usage instructions.
tibftladmin Options
The following table describes the tibftladmin options that are relevant to FTL stores.
Option Description
–-ftlserver url URL of the FTL server to connect to. This URL can belong to
any one of the FTL servers in the cluster.
http://<host>:<port>
https://<host>:<port>
--shutdown Shut down the FTL server process and all its services,
including its associated EMS server.
Shut down all FTL server processes in the cluster and all their
services, including all associated EMS servers.
--tls.trust.file path Path to the trust file created in the Initializing FTL Server
Cluster Security section. Required when connecting to a
secure FTL server cluster.
--user user User name to use when connecting to an FTL server cluster
that has authentication enabled.
Option Description
Examples
Example 1
Shut down one of the FTL servers in the cluster:
Example 2
Shut down the entire FTL server cluster:
Example 3
Shut down a secure FTL server cluster:
When the FTL server cluster needs to be restarted, the first step should be to modify the
YAML configuration to instruct the cluster to load its saved state from disk upon startup.
This can be done by adding the load parameter to the tibemsd service of each FTL server
present in the YAML configuration. Each FTL server’s load parameter must be supplied with
the absolute path to the matching state file that was generated during the cluster
shutdown.
servers:
<name of FTL server #1>
# ...
- tibemsd
# ...
load: <path to state file of FTL server #1>
<name of FTL server #2>
# ...
- tibemsd
# ...
load: <path to state file of FTL server #2>
<name of FTL server #3>
# ...
- tibemsd
# ...
load: <path to state file of FTL server #3>
Disaster Recovery
When using FTL stores, the disaster recovery capabilities of TIBCO FTL are extended to
EMS. Setting up a Disaster Recovery (DR) site of operations can minimize EMS server
downtime in the event that the primary site of operations becomes disabled.
FTL’s disaster recovery implementation works as follows. Whenever the FTL server cluster
receives data that needs to be replicated among its constituent FTL servers, it immediately
also forwards it to an identical FTL server cluster running in a remote DR site. This means
that if the FTL server cluster at the primary site becomes unavailable, the cluster at the DR
site, and thereby the EMS servers at the DR site, can pick up right where things left off. The
only information that would have been lost is in-flight data that the FTL server cluster was
in the process of replicating when the primary site went down. Data replication to the DR
site is asynchronous and does not add latency to operations at the primary site.
servers:
<name of FTL server #1>
# ...
- realm:
drto: <name of DR FTL server #1>@<host>:<port>|<name of DR FTL
server #2>@<host>:<port>|<name of DR FTL server #3>@<host>:<port>
user: admin
password: file:<path to password_file>
<name of FTL server #2>
# ...
- realm:
drto: <name of DR FTL server #1>@<host>:<port>|<name of DR FTL
server #2>@<host>:<port>|<name of DR FTL server #3>@<host>:<port>
user: admin
password: file:<path to password_file>
<name of FTL server #3>
# ...
- realm:
drto: <name of DR FTL server #1>@<host>:<port>|<name of DR FTL
server #2>@<host>:<port>|<name of DR FTL server #3>@<host>:<port>
user: admin
password: file:<path to password_file>
3. Start (or restart) the FTL server cluster at the primary site.
4. Copy the YAML configuration of the FTL server cluster at the primary site to the DR
site. If security is configured at the primary site, also copy over the trustfile,
keystore, keystore_password_file, password_file, and users.txt file. Rename the FTL
servers in the YAML configuration file such that there are no repeated FTL server
names between the primary and DR sites. Remove all occurrences of the drto
parameter. Alter any URLs in the core.servers list and -listens parameters that
overlap with URLs in the primary site. Also modify any invalid paths present in the
configuration.
Once the YAML has been modified for the DR site, add the drfor parameter. This
parameter must be supplied with a pipe-separated list of URLs of the FTL servers in
the primary site’s cluster. Each URL must be of the form <FTL server
name>@<host>:<port>. If security is configured for the FTL servers at the primary
site, the user and password parameters will also need to be added to the YAML
configuration.
servers:
<name of DR FTL server #1>
# ...
- realm
drfor: <name of FTL server #1>@<host>:<port>|<name of FTL server
#2>@<host>:<port>|<name of FTL server #3>@<host>:<port>
user: admin
password: file:<path to password_file>
<name of DR FTL server #2>
# ...
- realm
drfor: <name of FTL server #1>@<host>:<port>|<name of FTL server
#2>@<host>:<port>|<name of FTL server #3>@<host>:<port>
user: admin
password: file:<path to password_file>
<name of DR FTL server #3>
# ...
- realm
drfor: <name of FTL server #1>@<host>:<port>|<name of FTL server
5. Start up the FTL server cluster at the DR site. The primary site's FTL server cluster
will connect to the DR site's FTL server cluster at this point.
Issuing this command will cause one of the EMS servers that is not configured as
-standby_only to transition into active state.
primary site. Also modify any invalid paths present in the configuration.
Once the above changes have been made, replace the value of the drfor parameter
with a pipe-separated list of URLs of the FTL servers in the new primary site cluster.
Each URL must be of the form <FTL server name>@<host>:<port>. If security is
configured for the FTL servers at the new primary site, the user and password
parameters will also need to be added to the YAML configuration.
servers:
<name of DR FTL server #1>
# ...
- realm
drfor: <name of FTL server #1>@<host>:<port>|<name of FTL server
#2>@<host>:<port>|<name of FTL server #3>@<host>:<port>
user: admin
password: file:<path to password_file>
<name of DR FTL server #2>
# ...
- realm
drfor: <name of FTL server #1>@<host>:<port>|<name of FTL server
#2>@<host>:<port>|<name of FTL server #3>@<host>:<port>
user: admin
password: file:<path to password_file>
<name of DR FTL server #3>
# ...
- realm
drfor: <name of FTL server #1>@<host>:<port>|<name of FTL server
#2>@<host>:<port>|<name of FTL server #3>@<host>:<port>
user: admin
password: file:<path to password_file>
l tibjmsadmin.jar
l tibjmsufo.jar
l tibrvjms.jar
To run applications based on the Jakarta Messaging 3.0 API, primarily for use in the Jakarta
EE 9+ world, use the following files instead:
l jakarta.jms-api-3/jakarta.jms-api-3.0.0.jar
l jakarta.jms-api-3/jakarta.jms-tibjms.jar
l jakarta.jms-api-3/jakarta.jms-tibjmsadmin.jar
l jakarta.jms-api-3/jakarta.jms-tibjmsufo.jar
l jakarta.jms-api-3/jakarta.jms-tibrvjms.jar
This applies to every mention of a Jakarta Messaging 2.0 based jar file throughout the
present book.
A message consumer that has the ability to receive a message body without the need
to use a Message object.
l JMSProducer
Similar to an anonymous message producer, and provides a convenient API for
configuring delivery options, message properties, and message headers.
Methods in the Simplified API throw unchecked exceptions rather than checked exceptions.
For a sample showing the Simplified API in use, see the new Java sample file called
tibjmsJMSContextSendRecv.java. This sample file demonstrates the Simplified API in the
simplest possible way; for greater detail, refer to the Java API Reference Pages.
Sample Clients
TIBCO Enterprise Message Service includes several sample client applications that illustrate
various features of EMS. You may wish to view these sample clients when reading about
the corresponding features in this manual.
The samples are included in the EMS_HOME/samples/java, EMS_HOME/samples/c, and
EMS_HOME/samples/cs subdirectories of the EMS installation directory. Each subdirectory
includes a README file that describes how to compile and run the sample clients.
Getting Started walks through the procedures for setting up your EMS environment and
running some of the sample clients.
Programmer Checklists
This section provides a checklist that outlines the steps for creating an EMS application in
each language:
l Java Programmer’s Checklist
l C Programmer’s Checklist
l C# Programmer’s Checklist
Install
l Install the EMS software release, which automatically includes the EMS jar files in the
EMS_HOME/lib subdirectory.
l Add the full pathnames for the following jar files to your CLASSPATH:
jakarta.jms-api-2.0.3.jar
tibjms.jar
l Programs that use the unshared state failover API must add the following file to the
CLASSPATH:
tibjmsufo.jar
l Programs that use OAuth 2.0 authentication must add the following file to the
CLASSPATH:
json_simple-1.1.jar
l Programs that are set to operate in FIPS 140-2 compliant mode must add the
bc-fips-1.0.2.4.jar
bctls-fips-1.0.17.jar
Note: All jar files listed in this section are located in the lib subdirectory of the
TIBCO Enterprise Message Service installation directory.
Code
Import the following packages into your EMS application:
import javax.jms.*;
import javax.naming.*;
Compile
Compile your EMS application with the javac compiler to generate a .class file.
For example:
javac MyApp.java
Run
Use the java command to execute your EMS .class file.
For example:
java MyApp
C Programmer’s Checklist
Developers of EMS C programs can use this checklist during the five phases of the
development cycle.
Install
Install the EMS software release, which includes the EMS client libraries, binaries, and
header files.
Code
Application programs must:
l Add EMS_HOME/include to the include path.
l Include the tibems.h header file:
#include <tibems/tibems.h>
l Programs that use the C administration API must also include the emsadmin.h header
file:
#include <tibems/emsadmin.h>
l Programs that use the unshared state failover API must also include the tibufo.h
header file:
#include <tibems/tibufo.h>
l Call tibems_Open() to initialize the EMS C API and tibems_Close() to deallocate the
memory used by EMS when complete.
Run
l UNIX
The library path must include the EMS_HOME/lib directories (which contain the
shared library files).
l Windows
The PATH must include the ems\10.3\bin directory.
l All Platforms
The application must be able to connect to a EMS server process (tibemsd).
UNIX
Include EMS_HOME/lib in your library path.
-ltibemslookup Programs that reference the defunct EMS LDAP lookup API must link
using this library flag. This is provided so as not to break builds but will
no longer provide the feature. Non-LDAP JNDI lookups are still supported.
-ltibemsadmin Programs that use the C administration library must link using this library
flag.
-ltibemsufo Programs that use the unshared state failover library must link using this
library flag.
Microsoft Windows
tibemslookup.lib Programs that reference the defunct EMS LDAP lookup API must link
using this library. This is provided so as not to break builds but will no
longer provide the feature. Non-LDAP JNDI lookups are still supported.
tibemsadmin.lib Programs that use the C administration library must link using this
library.
tibemsufo.lib Programs that use the C unshared state failover library must link using
this library.
C# Programmer’s Checklist
Developers of EMS C# programs can use this checklist during the four phases of the
development cycle.
The EMS .NET client libraries are built to the .NET Standard 2.0 specification. They can be
used to build both .NET Framework applications, which can only run on Windows, and
.NET Core applications, which can run on both Windows and Linux.
Install
Install the EMS software release, which automatically includes the EMS assembly DLLs in
the EMS_HOME\bin subdirectory.
Code
Import the correct EMS assembly (see the following table).
Version DLL
Compile
Both .NET Framework and .NET Core applications can be built using the Microsoft dotnet
build tool, C# project files (*.csproj) and, optionally, solution files (*.sln).
Run
The .NET Framework application built in the above example can be executed directly in the
.NET Framework environment:
> my-EMS-net-program.exe
The .NET Core application built in the above example can be executed in the .NET Core
runtime environment:
l In the .NET Framework environment, the EMS assembly must be in the global
assembly cache (this location is preferred), or in the system path, or in the same
directory as your program executable.
l In the .NET Framework environment, to automatically upgrade to the latest .NET
assemblies, include the appropriate policy file in the global cache. See Automatic
Upgrades Between Versions for more information.
l In the .NET Core environment, the EMS assembly must be in the same directory as
your application executable.
l In both the .NET Framework and .NET Core environments, the application must be
able to connect to a EMS server process (tibemsd).
The following table shows the policy and configuration files for each EMS assembly.
Version Files
Enabling Updates
To enable automatic updates for a library, add the appropriate policy file to the global
cache. Note that the related configuration file must be located in the directory with the
policy file in order to add the policy file to the global cache.
Character Encoding
.NET programs represent strings within messages as byte arrays. Before sending an
outbound message, EMS programs translate strings to their byte representation using an
encoding, which the program specifies. Conversely, when EMS programs receive inbound
messages, they reconstruct strings from byte arrays using the same encoding.
When a program specifies an encoding, it applies to all strings in message bodies (names
and values), and properties (names and values). It does not apply to header names nor
values. The method BytesMessage.WriteUTF always uses UTF-8 as its encoding.
l Outbound Messages
Programs can determine the encoding of strings in outbound messages in three
ways:
o Use the default global encoding, UTF-8.
o Set a non-default global encoding (for all outbound messages) using
Tibems.SetEncoding.
o Set the encoding for an individual message using Tibems.SetMessageEncoding.
l Inbound Messages
An inbound message from another EMS client explicitly announces its encoding. A
receiving client decodes the message using the proper encoding.
For more information about character encoding, see Character Encoding in Messages.
Connection Factories
A client must connect to a running instance of the EMS server to perform any Jakarta
Messaging operations. A connection factory is an object that encapsulates the data used to
define a client connection to an EMS server. The minimum factory parameters are the type
of connection and the URL for the client connection to the EMS server.
A connection factory is either dynamically created by the application or obtained from a
data store by means of a naming service, such as a Java Naming and Directory Interface
(JNDI) server or a Lightweight Directory Access Protocol (LDAP) server.
serverUrl = protocol://host:port
serverUrl = tcp://server0:7222
For a fault-tolerant connection, you can specify two or more URLs. For example:
serverUrl = tcp://server0:7222,tcp://server1:7344
See Configure Clients for Shared State Failover Connections for more information. For
details on using TLS for creating secure connections to the server, see Configure TLS in
EMS Clients and Create Connection Factories for Secure Connections.
l Java
To dynamically create a TibjmsConnectionFactory object in a Java client:
factory = tibemsConnectionFactory_Create();
status = tibemsConnectionFactory_SetServerURL(factory, serverUrl);
A client can modify this behavior by setting new connection attempt count and delay
values. There are also a number of factors that may cause a client to hang while
attempting to create a connection to the EMS server, so you can set a connection timeout
value to abort a connection attempt after a specified period of time. For best results,
timeouts should be at least 500 milliseconds. EMS also allows you to establish separate
count, delay and timeout settings for reconnections after a fault-tolerant failover, as
described in Set Reconnection Failure Parameters.
The following examples establish a connection count of 10, a delay of 1000 ms and a
timeout of 1000 ms.
l Java
Use the TibjmsConnectionFactory object’s setConnAttemptCount(),
setConnAttemptDelay(), and setConnAttemptTimeout() methods to establish new
connection failure parameters:
factory.setConnAttemptCount(10);
factory.setConnAttemptDelay(1000);
factory.setConnAttemptTimeout(1000);
l C
Use the tibemsConnectionFactory_SetConnectAttemptCount and
tibemsConnectionFactory_SetConnectAttemptDelay functions to establish new
connection failure parameters:
l C#
Use the ConnectionFactory.SetConnAttemptCount,
ConnectionFactory.SetConnAttemptDelay, and
ConnectionFactory.SetConnAttemptTimeout and methods to establish new
connection failure parameters:
factory.setConnAttemptCount(10);
factory.setConnAttemptDelay(1000);
factory.setConnAttemptTimeout(1000);
Create a Session
A Session is a single-threaded context for producing or consuming messages. You create
Message Producers or Message Consumers using Session objects.
A Session can be transactional to enable a group of messages to be sent and received in a
single transaction. A non-transactional Session can define the acknowledge mode of
message objects received by the session. See Message Acknowledgement for details.
l Java
Use the Connection object’s createSession() method to create a Session object.
For example, to create a Session that uses the default AUTO_ACKNOWLEDGE session
mode:
The EMS extended session modes, such as NO_ACKNOWLEDGE, require that you include
the com.tibco.tibjms.Tibjms constant when you specify the EMS session mode. For
Session session =
connection.createSession(com.tibco.tibjms.Tibjms.NO_ACKNOWLEDGE);
See the tibjmsMsgConsumer.java sample client for a working example (without the
setExceptionOnFTSwitch call).
l C
Define an onException function to handle exceptions,
use the tibemsConnection_SetExceptionListener function to call onException
when an error is encountered, and call tibems_setExceptionOnFTSwitch to call the
exception handler after a fault-tolerant failover:
void onException(
tibemsConnection conn,
tibems_status reason,
void* closure)
{
/* Handle exception */
}
.....
status = tibemsConnection_SetExceptionListener(
connection,
onException,
NULL);
tibems_setExceptionOnFTSwitch(TIBEMS_TRUE);
See the tibemsMsgConsumer.c sample client for a working example (without the
setExceptionOnFTSwitch call).
l C#
Implement an IExceptionListener.OnException method, set the Connection
object’s ExceptionListener property to register the exception listener, and call
Tibems.SetExceptionOnFTSwitch to call the exception handler after a fault-tolerant
failover:
See the csMsgConsumer.cs sample client for a working example (without the
setExceptionOnFTSwitch call).
For example, as described in the Message Delivery Modes, you can set the message deliver
mode to either PERSISTENT, NON_PERSISTENT, or RELIABLE_DELIVERY.
l Java
Use the MessageProducer object’s setDeliveryMode() method to configure your
Message Producer with a default delivery mode of RELIABLE_DELIVERY:
QueueSender.setDeliveryMode(com.tibco.tibjms.Tibjms.RELIABLE_DELIVERY);
QueueSender.setDeliveryMode(javax.jms.DeliveryMode.NON_PERSISTENT);
l C
Use the tibemsMsgProducer_SetDeliveryMode function to configure your Message
Producer to set a default delivery mode for each message
it produces to RELIABLE_DELIVERY:
l C#
Set the DeliveryMode on the MessageProducer object to RELIABLE_DELIVERY:
QueueSender.DeliveryMode = DeliveryMode.RELIABLE_DELIVERY;
static void
onCompletion(tibemsMsg msg, tibems_status status, void* closure)
{
if (status == TIBEMS_OK)
{
/* Handle the send success case for the message */
}
else
{
/* Handle the send failure case for the message */
}
}
/* Create a connection, session, and producer. When sending, pass
* the onCompletion() function as the tibemsMsgCompletionCallback
*/
status = tibemsMsgProducer_AsyncSend(producer, msg, onCompletion,
NULL);
failed selectors. This is especially so when queue consumers connect, consume a message,
and immediately disconnect.
As described in Durable Subscribers for Topics, messages published to topics are only
consumed by active subscribers to the topic; otherwise the messages are not consumed
and cannot be retrieved later. You can create a durable subscriber that ensures messages
published to a topic are received by the subscriber, even if it is not currently running. For
queues, messages remain on the queue until they are either consumed by a Message
Consumer, the message expiration time has been reached, or the maximum size of the
queue is reached.
The following examples create a Message Consumer that consumes messages from the
queue and a durable subscriber that consumes messages from a topic. The queue and
topic are those that were dynamically created in Dynamically Create Topics and Queues.
l Java
Use the Session object’s createConsumer() method to create a MessageConsumer
object:
cons1 and cons2 are two shared consumers on the same subscription called
mySharedSub. If a message is published to the topic, then one of those two
consumers will receive it. Note that shared consumers on a given subscription do not
have to use the same session/connection.
Use the Session object's createSharedDurableConsumer() method to create or add
to a shared durable subscription:
cons1 and cons2 are two shared durable consumers on the same durable
subscription called myDurableSharedSub. If a message is published to the topic, then
one of those two consumers will receive it. Note that shared durable consumers on a
given subscription do not have to use the same session/connection.
l C
Use the tibemsSession_CreateConsumer function to create a message consumer of
type tibemsMsgConsumer:
TopicSubscriber subscriber =
session.CreateDurableSubscriber(topic, "myDurable");
Note: The J2EE 1.3 platform introduced message-driven beans (MDBs) that are a
special kind of Message Listener. See the J2EE documentation for more
information about MDBs.
l Java
Create an implementation of the MessageListener interface, create a
Implement the onMessage() method to perform the desired actions when a message
arrives:
void run()
{
Messages
Messages are a self-contained units of information used by Jakarta Messaging applications
to exchange data or request operations.
Create Messages
As described in Jakarta Messaging Message Bodies , EMS works with the following types of
messages:
l Messages with no body
l Text Messages
l Map Messages
l Bytes Messages
l Stream Messages
l Object Messages
l C#
Use the Session.CreateTextMessage method to create text message of type
TextMessage:
message.setBooleanProperty("JMS_TIBCO_PRESERVE_UNDELIVERED", true);
userID = message.getStringProperty("JMS_TIBCO_SENDER");
l C
Use the tibemsMsg_SetBooleanProperty function
to set the JMS_TIBCO_PRESERVE_UNDELIVERED property to true:
status = tibemsMsg_SetBooleanProperty(message,
"JMS_TIBCO_PRESERVE_UNDELIVERED", true);
l C#
Use the Message.SetBooleanProperty method to set the
JMS_TIBCO_PRESERVE_UNDELIVERED property to true:
message.SetBooleanProperty("JMS_TIBCO_PRESERVE_UNDELIVERED", true);
Send Messages
Use a Message Producer client to send messages to a destination. You can either send a
message to the destination specified by the Message Producer or, if the Message Producer
specifies NULL as the destination, you can send a message to a specific destination.
In either case, you can optionally set the JMSDeliveryMode, JMSExpiration, and
JMSPriority message header fields described in Jakarta Messaging Message Header Fields
when sending each message.
The following examples show different ways to send a text message in each language:
l Send the message to the Message Producer, QueueSender, created in Create a
Message Producer.
l Use a Message Producer with a NULL destination that sends the message to the topic
created in Dynamically Create Topics and Queues.
l Use a Completion Listener, created in Create a Message Listener for Asynchronous
Message Consumption, to send the message asynchronously.
See EMS Extensions to Jakarta Messaging Messages for more information about creating
messages.
l Java
Use the MessageProducer object’s send() method to send a message to the
destination specified by the MessageProducer object:
QueueSender.send(message);
Use the following form of the send() method to send a message to a specific
destination:
Use the form of the send() method with a completion listener argument to send a
message asynchronously:
QueueSender.send(message, completionListener);
status = tibemsMsgProducer_SendToDestination(NULLsender,
topic, message);
Note: Unlike the Java and C# APIs, in the C API, you can use the
tibemsMsgProducer_SendToDestination function to specify the
destination regardless of whether a destination is in the
tibemsMsgProducer.
l C#
Use the MessageProducer.Send method to send a message to the destination
specified by the MessageProducer:
QueueSender.Send(message);
Receive Messages
A Message Consumer receives messages from a destination and acknowledges the receipt
of messages using the mode established for the session, as described in Create a Session.
Before receiving messages, the Message Consumer must start the connection to the EMS
server. Before exiting, the Message Consumer must close the connection.
The following examples start the connection created in Connect to the EMS Server;
synchronously receive messages from the queue created in Dynamically Create Topics and
Queues, and then close the connection.
Note: You can also implement a Message Listener for your Message Consumer to
asynchronously receive messages, as described in Create a Message Listener for
Asynchronous Message Consumption.
l Java
Use the Connection object’s start() method to start the connection:
connection.start();
When the client has finished receiving messages, it uses the Close() method to close
the connection:
connection.close();
status = tibemsConnection_Start(connection);
When the client has finished receiving messages, use the tibemsConnection_Close
function to close the connection:
status = tibemsConnection_Close(connection);
connection.Start();
When the client has finished receiving messages, use the Connection.Close function
to close the connection:
connection.Close();
The connection factory data stored on the EMS server is located in the factories.conf file.
You can use the show factories command to list all of the connection factories on your
EMS server and the show factory command to show the configuration details of a specific
connection factory.
A connection factory may include optional properties for balancing server load and
establishing thresholds for attempted connections, as described in Connection Factory
Parameters. These properties can be specified when creating the factory or modified for an
existing factory using the addprop factory, setprop factory, and removeprop factory
commands.
For example, to set the maximum number of connection attempts for the connection
factory, myFactory, from the default value of 2 to 5, start the EMS Administration Tool and
enter:
To create a factory to set up a generic connection and check the server's certificate to
confirm the name of the server is myServer, enter (all one line):
To create a factory to set up a topic connection, check the server's certificate (but not the
name inside the certificate), and to set the ssl_auth_only parameter so that TLS is only
used by the client when creating the connection, enter (all one line):
Should server0 become unavailable, the client will connect to server1. See Fault Tolerance
for details.
tibjmsnaming://host:port
ConnectionFactory factory =
(javax.jms.ConnectionFactory)
jndiContext.lookup("ConFac");
javax.jms.Topic sampleTopic =
(javax.jms.Topic)jndiContext.lookup("topic.sample");
javax.jms.Queue sampleQueue =
(javax.jms.Queue)jndiContext.lookup("queue.sample");
topic.sample
tibemsConnectionFactory factory = NULL;
tibemsDestination sampleTopic = NULL;
tibemsDestination sampleQueue = NULL;
status = tibemsLookupContext_Lookup(context,
"ConFac",
(void**)&factory);
status = tibemsLookupContext_Lookup(context,
"sample.queue",
(void**)&sampleQueue);
status = tibemsLookupContext_Lookup(context,
"topic.sample,
(void**)&sampleTopic);
l C#
Create a ILookupContext object for the initial context, which consists of the JNDI
provider URL and the username and password to authenticate the client to the EMS
server.
ConnectionFactory factory =
(ConnectionFactory) searcher.Lookup("ConFac");
Topic sampleTopic =
(Topic)searcher.Lookup("topic.sample");
TIBCO.EMS.Queue sampleQueue =
(TIBCO.EMS.Queue)searcher.Lookup("queue.sample");
When using full URL names, you can look up objects like the following example:
For further information on how to use full URL names, refer to the tibjmsJNDIRead.java
example located in the EMS_HOME/samples/java/JNDI directory.
In this example, the port number specified for the Context.PROVIDER_URL is set to
the TLS listen port that was specified in the server configuration file tibjsmd.conf. The
value for TibjmsContext.SECURITY_PROTOCOL is set to ssl. Finally, the value of
TibjmsContext.SSL_ENABLE_VERIFY_HOST is set to "false" to turn off server
authentication. Because of this, no trusted certificates need to be provided and the
client will then not verify the server it is using for the JNDI lookup against the
server’s certificate.
l C
Create a tibemsSSLParams object and use the tibemsSSLParams_SetIdentityFile
function to establish the client identity by means of a pkcs12 file. Use the
tibemsLookupContext_CreateSSL function to create a tibemsLookupContext object
that uses a TLS connection for the initial context.
l C#
Create a ILookupContext object for the initial context over a TLS connection. The TLS
Store Info consists of a pkcs12 file that identifies the client and the client’s password,
which are stored in an EMSSSLFileStoreInfo object.
Example
The following illustrates setting up the Context.PROVIDER_URL property with the URLs of a
primary EMS server on the machine named emshost and a secondary EMS server on the
machine named backuphost.
env.put(Context.PROVIDER_URL,
"tibjmsnaming://emshost:7222,tibjmsnaming://backuphost:7222");
Assuming emshost starts out as active, if at any time it fails the JNDI provider automatically
switches to the EMS server on the host backuphost for JNDI lookups. If emshost is repaired
and restarted, it then becomes the standby EMS server.
Scope
l EMS can import and export messages to TIBCO FTL through an EMS topic.
l EMS can import messages from TIBCO FTL to an EMS queue (but queues cannot
export).
Warning: Do not configure EMS and FTL round-tripping. That is, do not send
messages from EMS to FTL and then back to EMS, or the other way around.
Message Translation
EMS and TIBCO FTL use different formats for messages and their data.
When tibemsd imports or exports a messages, it translates the message and its data to the
appropriate format; for details, see Message Translation.
Configuration
In classic EMS configuration, the tibemsd uses definitions and parameters in three
configuration files to guide the exchange of messages with TIBCO FTL. In JSON-configured
servers, all configuration options are in the same file.
Enabling
An EMS server is part of exactly one FTL realm, so all EMS transports for TIBCO FTL use the
same TIBCO FTL realm. Thus, some parameters are shared for every EMS transport
instance. These parameters are found in tibemsd.conf.
To enable EMS transports for TIBCO FTL, you must set these parameters in the
configuration file tibemsd.conf:
l tibftl_transports globally enables or disables message exchange with TIBCO FTL.
The default value is disabled. To use EMS transports for TIBCO FTL, you must
explicitly set this parameter to enabled.
l ftl_url specifies the URL at which the EMS server is connected to the FTL server. For
a TLS connection, this URL starts with https:// rather than http://.
l ftl_trustfile specifies the trust file that is used to validate the FTL server on a TLS
connection.
l module_path specifies the location of the TIBCO FTL shared library files. If the EMS
server is configured to use FTL stores, the value of this parameter is ignored and the
FTL shared library files corresponding to the hosting FTL server are used instead.
If connecting to a TIBCO FTL deployment that is configured for OAuth 2.0 authentication,
the following parameters will also need to be set in tibemsd.conf:
l ftl_oauth2_server_url specifies the URL of the OAuth 2.0 authorization server from
which access tokens will be obtained for authenticating with TIBCO FTL.
l ftl_oauth2_client_id specifies the OAuth 2.0 client ID to use when authenticating
with the OAuth 2.0 authorization server to obtain access tokens.
Additional optional parameters can be used to further configure how the EMS server and
FTL server interact. See TIBCO FTL Transport Parameters.
Transports
Transport definitions (in the configuration file transports.conf) specify the
communication protocol between EMS and TIBCO FTL.
For more information, see Configure EMS Transports for TIBCO FTL.
Destinations
Destination definitions (in the configuration files topics.conf and queues.conf) can set
the import and export properties to specify one or more EMS transport for TIBCO FTL.
l import instructs tibemsd to import messages that arrive on those transports from
TIBCO FTL, and deliver them to the EMS destination. When a destination is
configured to import a given tibftl transport and the optional
import_subscriber_name transport property is not set, tibemsd creates a single
default FTL durable for the transport with the following name:
<server name>:<transport name>. For example, if tibemsd.conf
has server = EMS-SERVER and transports.conf has a [FTL1] transport defined, the
corresponding durable name comes as EMS-SERVER:FTL1. However, if
import_subscriber_name is set, then tibemsd creates a FTL subscriber by that name
instead of the aforementioned FTL durable.
Note: An FTL administrator can monitor the status of this default FTL
durable and, if relevant, the FTL administrator can decide to configure it as
static and alter its behavior.
l export instructs tibemsd to take messages that arrive on the EMS destination, and
export them to TIBCO FTL using those EMS transports for TIBCO FTL. When a
destination is configured to export a given tibftl transport, the EMS server creates a
single FTL publisher for the transport.
Note: In TIBCO FTL, transport refers to the underlying mechanism that moves
message data between FTL publishers and subscribers.
In TIBCO Enterprise Message Service, a transport is a more narrowly defined
concept, referring specifically to the connections between an EMS server and an
external system.
The EMS server joins a TIBCO FTL realm as any other TIBCO FTL client would. EMS
transport definitions (in the file transports.conf) configure the behavior of these
connections.
All messages received from the transports for TIBCO FTL that are configured in the
transports.conf file are processed in a single TIBCO FTL event queue.
After being dispatched from the TIBCO FTL event queue, all TIBCO FTL messages that are
imported through an EMS transport are processed by the EMS server. The EMS server
creates Jakarta Messaging message copies of the incoming TIBCO FTL messages and begins
processing them as EMS messages. EMS transports for TIBCO FTL determine how the
messages are converted to EMS messages.
If the EMS server cannot keep up with the rate of incoming TIBCO FTL messages, FTL could
begin discarding messages before they have been successfully imported by EMS.
Requirements
To successfully deploy the EMS transport for TIBCO FTL, in the TIBCO FTL deployment, you
must configure transports to be server-defined / of type Auto (see the TIBCO FTL
documentation for more information on the server-defined 'Server' transport and on the
'Auto' transport type). Other types of transports are not supported.
Parameter Description
type Required. For all EMS transports for TIBCO FTL, the value must be
tibftl.
The syntax and semantics of these parameters are identical to the corresponding parameters
in TIBCO FTL clients. For full details, see the TIBCO FTL documentation set.
import_subscriber_ Optional. The name of the FTL subscriber this EMS transport for
name FTL creates when it receives messages. If not set, then an EMS
transport that receives FTL messages creates a default FTL durable
instead. See Destinations for details on the FTL durable name.
{"fieldname1":value1,...,"fieldnameN":valueN}
Parameter Description
allowed.
For example:
import_match_string =
{"Item":"Book","Title":"Outliers","Stocked":true}
If not provided, the EMS server passes NULL to the TIBCO FTL
message create call, resulting in a dynamically formatted message.
export_constant Optional. Defines fields that are always set to a constant value.
Each line adds additional constants. For example:
export_constant = constant1,value1
export_constant = constant2,value2
export_constant = constant3,value3
Example
These examples from transports.conf illustrate the syntax of EMS transport for FTL
definitions.
[FTL1]
type = tibftl
endpoint = EP1
import_subscriber_name = sub1
import_match_string = {"f1":"foo","f2":true}
export_format = format-1
export_constant = constant1,value1
export_constant = constant2,value2
export_constant = constant3,value3
[FTL2]
type = tibftl
Topics
Topics can both export and import messages. Accordingly, you can configure topic
definitions (in the configuration file topics.conf) with import and export properties that
specify one or more external transports:
import
import instructs tibemsd to import messages that arrive on those EMS transports from
TIBCO FTL, and deliver them to the EMS destination. Each named tibftl transport can be
named on only one EMS destination. That is, if the transport FTL01 is included on import
property for destination myTopics.Fiction, it cannot also be added to the destination
myTopics.Nonfiction.
export
export instructs tibemsd to take messages that arrive on the EMS destination, and export
them to TIBCO FTL using the specified EMS transport for TIBCO FTL.
Note: The EMS server never re-exports an imported message on the same topic.
(For general information about topics.conf syntax and semantics, see topics.conf. You can
also configure topics using the administration tool command addprop topic.)
Example
For example, the following tibemsadmin commands configure the topic myTopics.news to
import messages on the transports FTL01 and FTL02, and to export messages on the
transport FTL02.
TIBCO FTL messages with subject myTopics.news arrive at tibemsd over the transports
FTL01 and FTL02. EMS clients can receive those messages by subscribing to myTopics.news.
EMS messages sent to myTopics.news are exported to TIBCO FTL over transport FTL02.
TIBCO FTL clients of the corresponding daemons can receive those messages by
subscribing to the endpoint associated with myTopics.news in the FTL02 transport
definition.
Queues
Queues can import messages, but cannot export them.
Configuration
You can configure queue definitions (in the configuration file queues.conf) with the import
property to specify one or more external transports.
import instructs tibemsd to import messages that arrive on those EMS transports from
TIBCO FTL, and deliver them to the EMS destination.
(For general information about queues.conf syntax and semantics, see queues.conf. You
can also configure queues using the administration tool command addprop queue.)
Example
For example, the following tibemsadmin command configures the queue myQueue.in to
import messages on the EMS transports FTL01 and FTL02.
TIBCO FTL messages with subject myQueue.in arrive at tibemsd over the transports FTL01
and FTL02. EMS clients can receive those messages by subscribing to myQueue.in.
Message Translation
The following topics describe how a message is translated by the EMS server when either
imported from or exported to FTL.
If the export_headers property is false, then the Jakarta Messaging header fields and
their values are not included in the exported TIBCO FTL message. This includes the
destination name. That is, if export_headers = false for the transport, then the message
exported to TIBCO FTL will not contain the destination name.
When converting the Jakarta Messaging header fields to TIBCO FTL message fields, header
fields are given the prefix _emshdr:. For example, the JMSDeliveryMode header field is
assigned the field name _emshdr:JMSDeliveryMode when inserted into the TIBCO FTL
message.
The following table presents the mapping of Jakarta Messaging header fields to TIBCO FTL
message field name and types (that is, the name and type of the corresponding field in the
exported message).
Jakarta Messaging Header Name TIBCO FTL Field Name FTL Field Type
Import
When importing a TIBCO FTL message to an EMS message, tibemsd sets these EMS
properties:
l JMS_TIBCO_IMPORTED gets the value true, to indicate that the message did not
originate from an EMS client.
l JMS_TIBCO_MSG_EXT gets the value true, to indicate that the message might contain
submessage fields or array fields.
Export
TIBCO FTL messages do not have destinations or subjects, or a mandatory set of
predefined header fields. Instead, message fields and their values are set for individual
messages.
If export_properties is defined as true in the common EMS transport properties, the EMS
server converts the Jakarta Messaging properties and their values to TIBCO FTL fields and
values and adds them to the outgoing message. This allows TIBCO FTL to use content
matchers on the fields.
When converting the Jakarta Messaging properties to TIBCO FTL message fields, the
property fields are given the prefix _emsprop:. For example the JMS_TIBCO_SENDER property
would become the _emsprop:JMS_TIBCO_SENDER field.
The tibemsd server ignores any Jakarta Messaging property fields that are not set, or are
set to null—it omits them from the exported message.
You can instruct tibemsd to exclude the properties fields from the exported message by
setting the transport property export_properties = false.
Message Body
tibemsd can export messages with most Jakarta Messaging message body types to TIBCO
FTL. However, Object messages and Stream messages cannot be exported. They are
discarded with a warning.
tibemsd can import messages with any message format from TIBCO FTL.
For information about Jakarta Messaging body types, see Jakarta Messaging Message
Bodies. For information about the structure of messages, see Jakarta Messaging Message
Structure.
Import
When importing a TIBCO FTL message, tibemsd translates it to an EMS message body type
based on the TIBCO FTL message format.
l _data (bytes)
Export
When exporting an EMS message, tibemsd translates it to a TIBCO FTL message with the
following structure:
l When export_headers is enabled on the EMS transport, Jakarta Messaging header
fields are converted to TIBCO FTL message fields. See Jakarta Messaging Header
Fields. When the transport parameter export_headers is false, these fields are
omitted.
l When export_properties is enabled on the EMS transport, Jakarta Messaging
property fields are converted to TIBCO FTL message fields. See Jakarta Messaging
Property Fields. When the transport parameter export_properties is false, these
fields are omitted.
l When translating the data fields of an EMS message, the results depend on the
Jakarta Messaging body type.
BytesMessage An FTL message with one opaque field with the key of _data.
Message Fields
When tibemsd converts messages, it converts fields individually, based on field type. Some
field types are equivalent between EMS and TIBCO FTL, while converting others may result
in some information loss of data type, or require additional formatting.
The mapping of equivalent fields is bidirectional. These field types are equivalent in EMS
and TIBCO FTL, and no additional formatting is required during conversion:
tibems_long tibint64_t
tibems_double tibdouble_t
char* char*
MapMsg Message
bytes Opaque
Import
Not all TIBCO FTL field types are supported by EMS. When tibemsd imports a TIBCO FTL
message, these fields are converted into EMS sub-messages as shown below.
TIBCO FTL Field EMS Field Type Map Message Field Name
Type
l s — long, representing
seconds.
l n — long, representing
nanoseconds.
TIBCO FTL Field EMS Field Type Map Message Field Name
Type
Export
When exporting an EMS message, tibemsd translates it to a TIBCO FTL message. Not all
field types that are supported by EMS map to TIBCO FTL. When tibemsd converts these
fields, some information about data size is lost. The EMS fields are converted to TIBCO FTL
fields as shown here:
tibems_wchar tibint64_t
tibems_byte tibint64_t
tibems_short tibint64_t
tibems_int tibint64_t
tibems_float tibdouble_t
Scope
l EMS can import and export messages to an external system through an EMS topic.
l EMS can import messages from an external system to an EMS queue (but queues
cannot export).
Message Translation
EMS and Rendezvous use different formats for messages and their data. When tibemsd
imports or exports a messages, it translates the message and its data to the appropriate
format.
For more information, see Message Translation.
Configuration
tibemsd uses definitions and parameters in four configuration files to guide the exchange
of messages with Rendezvous.
Enabling
The parameter tibrv_transports (in the configuration file tibemsd.conf) globally enables
or disables message exchange with Rendezvous. The default value is disabled. To use
these transports, you must explicitly set this parameter to enabled.
The parameter module_path (in the configuration file tibemsd.conf) specifies the location
of the Rendezvous shared library files.
Transports
Transport definitions (in the configuration file transports.conf) specify the
communication protocol between EMS and the external system.
For more information, see Configure EMS Transports for Rendezvous.
Destinations
Destination definitions (in the configuration files topics.conf and queues.conf) can set
the import and export properties to specify one or more transports:
l import instructs tibemsd to import messages that arrive on those transports from
Rendezvous, and deliver them to the EMS destination.
l export instructs tibemsd to take messages that arrive on the EMS destination, and
export them to Rendezvous via those transports.
RVCM Listeners
When exporting messages on a transport configured for certified message delivery, you can
pre-register RVCM listeners in the file tibrvcm.conf .
For details, see tibrvcm.conf, and Certified Messages
Transport Definitions
transports.conf contains zero or more transport definitions. Each definition begins with
the name of a transport, surrounded by square brackets. Subsequent lines set the
parameters of the transport.
Parameter Description
Rendezvous Parameters
The syntax and semantics of these parameters are identical to the corresponding parameters
in Rendezvous clients. For full details, see the Rendezvous documentation set.
The syntax and semantics of these parameters are identical to the corresponding parameters
in Rendezvous CM clients. For full details, see the Rendezvous documentation set.
Parameter Description
EMS Parameters
Parameter Description
TIBEMS_PERSISTENT | TIBEMS_NON_PERSISTENT |
TIBEMS_RELIABLE
rv_queue_policy Set the queue limit policy for the Rendezvous queue
used by the transport to hold incoming Rendezvous
messages. This parameter has three parts:
policy:max_msgs:qty_discard
Parameter Description
can contain.
l TIBRVQUEUE_DISCARD_FIRST — discard the
first message in the queue. The first message
in the queue is the oldest message, which if
not discarded would be the next message
dispatched from the queue.
l TIBRVQUEUE_DISCARD_LAST — discard the last
message in the queue. The last message is
the most recent message received into the
queue.
rv_queue_policy=TIBRVQUEUE_DISCARD_
FIRST:10000:100
Example
These examples from transports.conf illustrate the syntax of transport definitions.
[RV01]
type = tibrv
topic_import_dm = TIBEMS_RELIABLE
queue_import_dm = TIBEMS_PERSISTENT
service = 7780
network = lan0
daemon = tcp:host5:7885
[RV02]
type = tibrv
service = 7890
network = lan0
daemon = tcp:host5:7995
temp_destination_timeout = 60
[RVCM01]
type = tibrvcm
export_headers = true
export_properties = true
rv_tport = RV02
cm_name = RVCMTrans1
ledger_file = ledgerFile.store
sync_ledger = true
request_old = true
default_ttl = 600
In the following two examples, RVCM03 is an RVCM transport which does not define a queue
limit policy, but references the RV transport RV03, which does have a queue limit policy. If
Rendezvous messages are published to a subject that in EMS has the destination property
import=RVCM03, no Rendezvous message will ever be discarded because each transport
uses its own queue. Only messages that are imported directly through the RV03 transport
will potentially be discarded, should the queue limit of 10000 messages be reached.
[RV03]
type = tibrv
service = 7890
network = lan0
daemon = tcp:host5:7995
rv_queue_policy = TIBRVQUEUE_DISCARD_LAST:10000:100
[RVCM03]
type = tibrvcm
rv_tport = RV03
cm_name = RVCMTrans2
ledger_file = ledgerFile2.store
sync_ledger = true
request_old = true
default_ttl = 600
Topics
Topics can both export and import messages. Accordingly, you can configure topic
definitions (in the configuration file topics.conf) with import and export properties that
specify one or more external transports:
import
import instructs tibemsd to import messages that arrive on those transports from
Rendezvous, and deliver them to the EMS destination.
export
export instructs tibemsd to take messages that arrive on the EMS destination, and export
them to Rendezvous via those transports.
Note: The EMS server never re-exports an imported message on the same topic.
(For general information about topics.conf syntax and semantics, see topics.conf. You can
also configure topics using the administration tool command addprop topic.)
Example
For example, the following tibemsadmin commands configure the topic myTopics.news to
import messages on the transports RV01 and RV02, and to export messages on the
transport RV02.
Rendezvous messages with subject myTopics.news arrive at tibemsd over the transports
RV01 and RV02. EMS clients can receive those messages by subscribing to myTopics.news.
EMS messages sent to myTopics.news are exported to Rendezvous over transport RV02.
Rendezvous clients of the corresponding daemons can receive those messages by
subscribing to myTopics.news.
Wildcards
Wildcards in the import property obey EMS syntax and semantics (which is identical to
Rendezvous syntax and semantics).
For more information, see Destination Name Syntax.
Certified Messages
You can import and export TIBCO Rendezvous certified messages (tibrvcm transport) to
EMS topics. Rendezvous certified transports guarantee message delivery.
RVCM Ledger
tibrvcm transports can store information about subjects in a ledger file. You can review the
ledger file using an administration tool command; see show rvcmtransportledger.
For more information about ledger files, see TIBCO Rendezvous documentation.
Subject Collisions
Subscribers to destinations that import from RVCM transports are subject to the same
restrictions that direct RVCM listeners. These restrictions are described in the TIBCO
Rendezvous documentation, and include subject collisions.
When importing messages from RV, the EMS server creates RVCM listeners using a single
name for each transport. This can result in subject collisions if the corresponding EMS
subscribers have overlapping topics.
Queues
Queues can import messages, but cannot export them.
See import and export for more information.
Configuration
You can configure queue definitions (in the configuration file queues.conf) with the import
property that specify one or more external transports.
import instructs tibemsd to import messages that arrive on those transports from
Rendezvous, and deliver them to the EMS destination.
(For general information about queues.conf syntax and semantics, see queues.conf. You
can also configure queues using the administration tool command addprop queue.)
Example
The following tibemsadmin command configures the queue myQueue.in to import
messages on the transports RV01 and RV02.
Rendezvous messages with subject myQueue.in arrive at tibemsd over the transports RV01
and RV02. EMS clients can receive those messages by subscribing to myQueue.in.
Wildcards
Wildcards in the import property obey EMS syntax and semantics (not Rendezvous syntax
and semantics).
For more information, see Destination Name Syntax.
EMS clients cannot subscribe to wildcard queues—however, you can define wildcards
queues in the EMS server for the purpose of property inheritance. That is, you can
configure a static queue named foo.* and set properties on it, so that child queues named
foo.bar and foo.baz will both inherit those properties.
If you define a queue that imports foo.*, tibemsd begins importing all matching messages
from Rendezvous. As messages arrive, tibemsd creates dynamic child queues (for example,
foo.bar and foo.baz) and delivers the messages to them. Notices that tibemsd delivers
messages to these dynamic child queues even when no consumers exist to drain them.
Import Issues
This section presents issues associated with importing messages to EMS from
Rendezvous—whether on a topic or a queue.
Field Identifiers
When importing and translating Rendezvous messages, tibemsd is only able to process
standard message field types that are identified by name in the Rendezvous program
application. Custom fields and fields identified using a field identifier cannot be imported
to EMS.
JMSDestination
When tibemsd imports and translates a Rendezvous message, it sets the JMSDestination
field of the EMS message to the value of the Rendezvous subject.
Therefore, imported destination names must be unique. When a topic and a queue share
the same name, at most one of them may set the import property. For example, if a topic
foo.bar and a queue foo.bar are both defined, only one may specify the import property.
JMSReplyTo
When tibemsd imports and translates a Rendezvous message, it sets the JMSReplyTo field
of the EMS message to the value of the Rendezvous reply subject, so that EMS clients can
reply to the message.
Usually this value represents a Rendezvous subject. You must explicitly configure tibemsd
to create a topic with a corresponding name, which exports messages to Rendezvous.
See JMSReplyTo for more information.
JMSExpiration
When tibemsd imports and translates a Rendezvous certified message, it sets the
JMSExpiration field of the EMS message to the time limit of the certified message.
Guaranteed Delivery
Note: For full end-to-end certified delivery from Rendezvous to EMS, all three of
these conditions must be true:
l Rendezvous senders must send labeled messages on RVCM transports. See
the TIBCO Rendezvous Concepts manual for more information.
l The transport definition must set topic_import_dm or queue_import_dm
(as appropriate) to TIBEMS_PERSISTENT.
l Either a durable queue or a subscriber for the EMS topic must exist.
Export Issues
This section presents issues associated with exporting messages from EMS to Rendezvous.
JMSReplyTo
Topics
Consider an EMS message in which the field JMSReplyTo contains a topic. When exporting
such a message to Rendezvous, you must explicitly configure tibemsd to import replies
from Rendezvous to that reply topic.
Temporary Topics
Consider an EMS message in which the field JMSReplyTo contains a temporary topic. When
tibemsd exports such a message to Rendezvous, it automatically arranges to import replies
to that temporary topic from Rendezvous; you do not need to configure it explicitly.
Certified Messages
RVCM Registration
When an RVCM listener receives its first labeled message, it registers to receive subsequent
messages as certified messages. Until the registration is complete, it receives labeled
messages as reliable messages. When exporting messages on a tibrvcm transport, we
recommend either of two actions to ensure certified delivery for all exported messages:
l Create the RVCM listener before sending any messages from EMS clients.
l Pre-register an RVCM listener, either with the administration tool (see create
rvcmlistener), or in the configuration file tibrvcm.conf (see tibrvcm.conf).
Guaranteed Delivery
For full end-to-end certified delivery to Rendezvous from EMS, the following condition must
be true:
l EMS senders must send persistent messages.
Message Translation
The following topics describe how a message is translated by the EMS server when either
imported from or exported to Rendezvous.
Special Cases
The following header fields are special cases:
Import
When importing a Rendezvous message to an EMS message, tibemsd does not set any
Jakarta Messaging header fields, except for the special cases noted above.
Export
When exporting an EMS message to a Rendezvous message, tibemsd groups all the Jakarta
Messaging header fields into a single submessage within the Rendezvous message. The
field JMSHeaders contains that submessage. Fields of the submessage map the names of
Jakarta Messaging header fields to their values.
The tibemsd server ignores any Jakarta Messaging header fields that are not set, or are set
to null—it omits them from the exported message.
You can instruct tibemsd to suppress the entire header submessage in the exported
message by setting the transport property export_headers = false.
The following table shows the mapping of Jakarta Messaging header fields to Rendezvous
data types (that is, the type of the corresponding field in the exported message).
JMSDeliveryMode TIBRVMSG_U8
JMSDeliveryTime TIBRVMSG_U64
JMSPriority TIBRVMSG_U8
JMSTimestamp TIBRVMSG_U64
JMSExpiration TIBRVMSG_U64
JMSType TIBRVMSG_STRING
JMSMessageID TIBRVMSG_STRING
JMSCorrelationID TIBRVMSG_STRING
JMSRedelivered TIBRVMSG_BOOL
Import
When importing a Rendezvous message to an EMS message, tibemsd sets these EMS
properties:
l JMS_TIBCO_IMPORTED gets the value true, to indicate that the message did not
originate from an EMS client.
l JMS_TIBCO_MSG_EXT gets the value true, to indicate that the message might contain
submessage fields or array fields.
Import RVCM
In addition to the two fields described above, when tibemsd imports a certified message
on a tibrvcm transport, it can also set these properties (if the corresponding information is
set in the Rendezvous message).
Property Description
Export
When exporting an EMS message to a Rendezvous message, tibemsd groups all the Jakarta
Messaging property fields into a single submessage within the Rendezvous message. The
field JMSProperties contains that submessage. Fields of the submessage map the names
of Jakarta Messaging property fields to their values.
The tibemsd server ignores any Jakarta Messaging property fields that are not set, or are
set to null—it omits them from the exported message.
You can instruct tibemsd to suppress the entire properties submessage in the exported
message by setting the transport property export_properties = false.
Message Body
tibemsd can export messages with any Jakarta Messaging message body type to TIBCO
Rendezvous. Conversely, tibemsd can import messages with any message type from TIBCO
Rendezvous.
For information about Jakarta Messaging body types, see Jakarta Messaging Message
Bodies.
For information about the structure of messages, see Jakarta Messaging Message Structure.
Import
When importing a Rendezvous message, tibemsd translates it to an EMS message body
type based on the presence of the field as seen in the following table.
JMSBytes JMSBytesMessage
JMSObject JMSObjectMessage
JMSStream JMSStreamMessage
JMSText JMSTextMessage
Note: The field names DATA and _data_ are reserved. We strongly discourage
you from using these field names in EMS and Rendezvous applications, and
especially when these two message transport mechanisms interoperate.
Note: Only standard Rendezvous fields identified by name can be imported into
EMS. Custom fields and fields identified in the Rendezvous application by field
identifiers cannot be imported.
Export
When exporting an EMS message, tibemsd translates it to a Rendezvous message with the
following structure.
l The field JMSHeaders contains a submessage; see Jakarta Messaging Header Fields.
When the transport parameter export_headers is false, this field is omitted.
l The field JMSProperties contains a submessage; see Jakarta Messaging Property
Fields. When the transport parameter export_properties is false, this field is
omitted.
l When translating the data fields of an EMS message, the results depend on the
Jakarta Messaging body type. The following table specifies the mapping.
BytesMessage The message data translates to a byte array that contains the bytes of the
original EMS message.
TextMessage The message data translates to a UTF-8 string corresponding to the text
of the original EMS message.
ObjectMessage The message data translates to a byte array containing the serialized Java
object.
StreamMessage The message data translates to a byte array that encodes the objects in
the original EMS message.
MapMessage The message data fields map directly to top-level fields in the Rendezvous
message. The fields retain the same names as in the original EMS
message.
Data Types
The mapping between EMS datatypes and Rendezvous datatypes is bidirectional, except for
the Rendezvous types that have no corresponding EMS type (for these types the mapping is
marked as unidirectional in the middle column).
Boolean TIBRVMSG_BOOL
Byte TIBRVMSG_I8
Short TIBRVMSG_I16
Integer TIBRVMSG_I32
Long TIBRVMSG_I64
Float TIBRVMSG_F32
Double TIBRVMSG_F64
MapMessage TIBRVMSG_MSG
byte[] TIBRVMSG_OPAQUE
java.lang.String TIBRVMSG_STRING
short[] TIBRVMSG_I16ARRAY
int[] TIBRVMSG_I32ARRAY
long[] TIBRVMSG_I64ARRAY
float[] TIBRVMSG_F32ARRAY
double[] TIBRVMSG_F64ARRAY
Prometheus Metrics
You can configure TIBCO Enterprise Message Service to provide Prometheus-formatted
metrics over an HTTP(S) listen port. This is the same port used to service health check
responses.
l Metrics describing overall server state and the state of all queues and topics can be
monitored at the path /metrics.
l Metrics describing the overall server state can be monitored at the path
/metrics/server.
l Metrics describing the state of all queues and topics can be monitored at the paths
/metrics/queues and /metrics/topics.
If logfile_max_count is specified, the server keeps at most the number of log files
specified by that parameter, including the current log file. When the maximum number of
log files has been reached and the server needs to back up the current log file, it deletes
the oldest log file (the ones with smallest number). If you change the parameter setting,
after the server is restarted, the next time it needs to rotate the log file it deletes however
many of the lowest sequence numbered files required to reach the logfile_max_count
maximum.
You can also dynamically force the log file to be backed up and truncated using the
rotatelog command in tibemsadmin. See Command Listing for more information about
the rotatelog command.
For other configuration parameters that affect the log file, see Tracing and Log File
Parameters.
log_trace and console_trace can be used to configure what types of messages are to go
to the log file and to the console.
Note: When you want trace messages to be sent to a log file, you must also
configure the logfile configuration parameter. If you specify log_trace, and
the logfile configuration parameter is not set to a valid file, the tracing options
are stored, but they are not used until the server is started with a valid log file.
DEFAULT Sets the trace options to the default set. This includes:
l INFO
l WARNING
l ACL
l LIMITS
l ROUTE
l ADMIN
l RVADV
l CONNECT_ERROR
l CONFIG
l MSG
FLOW Prints a message when the server enforces flow control or stops
JVMERR Prints output from custom modules running in the JVM that uses
System.err.
LOAD Prints the paths of any dynamically loaded libraries. The tibemsd
can load FTL, ActiveSpaces, and Rendezvous libraries.
Examples
The following example sets the trace log to only show messages about access control
violations.
log_trace=ACL
The next example sets the trace log to show all default trace messages, in addition to TLS
messages, but ADMIN messages are not shown.
log_trace=DEFAULT,-ADMIN,+SSL
Message Tracing
In addition to other server activity, you can trace messages as they are processed.
Trace entries for messages are only generated for destinations or messages that specify
tracing should be performed. For destinations, you specify the trace property to enable
the generation of trace messages. For individual messages, the JMS_TIBCO_MSG_TRACE
property specifies that tracing should be performed for this message, regardless of the
destination settings. The sections below describe the tracing properties for destinations
and messages.
Message trace entries can be output to either the console or the log. The MSG trace option
specifies that message trace entries should be displayed, and the DEFAULT trace option
includes the MSG option. See Trace Messages for the Server for more information about
specifying trace options.
You must set the tracing property on either destinations or messages and also set the MSG
or DEFAULT trace option on the console or the log before you can view trace entries for
messages.
Note: EMS tracing features do not filter unprintable characters from trace
output. If your application uses unprintable characters within messages
(whether in data or headers), the results of message tracing are unpredictable.
The trace property can optionally be specified as trace=body. Setting trace=body includes
the message body in trace messages. The EMS server prints up to one kilobyte of a
message string field, and up to a total message size of 8 KB. The trace message indicates if
the full message is not printed.
Setting trace without the body option specifies that only the message sequence and
message ID are included in the trace message.
When message tracing is enabled for a destination, a trace entry is output for each of the
following events that occur in message processing:
l messages are received into a destination
l messages are sent to consumers
l messages are imported or exported to/from an external system
l messages are acknowledged
l messages are sent across a destination bridge
l messages are routed
Replies to request messages are traced only when the reply destination has the trace
property. Similarly, replies to exported messages are only traced when the trace property
is set.
Monitor topics are created and maintained by the server. Monitor topics are not listed in
the topics.conf file. Users can subscribe to monitor topics but cannot create them.
Monitor Messages
You can monitor messages processed by a destination as they are sent, received, or
acknowledged.
You can also monitor messages that have prematurely exited due to expiration, being
discarded, or a maxRedelivery failure.
The $sys.monitor topic for monitor messages has the following format:
$sys.monitor.D.E.destinationName
where D is the type of destination, E is the event you wish to monitor, and destinationName
is the name of the destination whose messages you wish to monitor.
l Sent by a route
l Forwarded from another destination by way of a bridge
l Imported from transport to an external system
Property Contents
l Topic
l Queue
l Generic
l Route
l Unknown
event_action The action that caused the event. This property can have the
values listed in Event Action Property Values.
event_class The type of monitoring event (that is, the last part of the
topic name without the $sys.monitor).
Property Contents
event_reason The reason the event occurred (usually an error). The values
this property can have are described in Event Reason
Property Values.
event_route For routing, the route that the event occurred on.
l non_persistent
l reliable
source_name Name of the source object involved with the event. This
Property Contents
source_object Source object that was involved with the event. This
property can have the following values:
l producer
l consumer
l topic
l queue
l permissions
l durable
l server
l transaction
l user
l group
l connection
l message
l jndiname
l factory
l file
l limits (a limit, such as a memory limit)
l route
Property Contents
l transport
target_created Time that the consumer was created (in milliseconds since
the epoch).
target_name Name of the object that was the target of the event. This
property can have the following values:
l XID (global transaction ID)
l message_id
l connections (number of connections)
l unknown (unknown name)
l Any server property name
l the name of the user, or anonymous
Property Contents
target_object The general object that was the target of the event. This
property can have the following values:
l producer
l consumer
l topic
l queue
l durable
l server
l transaction
l user
l group
l connection
l message
l jndiname
l factory
l file
l limits (a limit, such as a memory limit)
l route
l transport
Property Contents
target_value Value of the object that was the target of the event, such as
the name of a topic, queue, and so on.
flow_engaged stored messages rise above a destination’s limit, engaging the flow
control feature
flow_disengaged stored messages fall below a destination’s limit, disengaging the flow
control feature
The admin user and members of the $admin group have permission to perform any server
action, including subscribing to monitor topics. All other users must be explicitly granted
permission to view monitor topics before the user can successfully create subscribers for
monitor topics. For example, if user BOB is not a member of the $admin group, and you
wish to allow user BOB to monitor all connection events, you can grant BOB the required
permission with the following command using the administration tool:
Bob’s application can then create a topic subscriber for $sys.monitor.connect.* and view
any connect or disconnect events.
Monitor topics publish messages of type MapMessage. Information about the event is stored
within properties in the message. Each system event has different properties. Monitor
Messages, describes each of the monitor topics and the message properties for the
messages published on that topic. Your application can receive and display all or part of a
monitor message, just as it would handle any message sent to a topic. However, there are
some ways in which monitor messages are handled differently from standard messages:
l Monitor messages cannot be routed to other servers.
l Monitor messages are not stored persistently on disk.
l Monitor messages are not swapped from process memory to disk.
You can have any number of applications that subscribe to monitor messages. You can
create different applications that subscribe to different monitor topics, or you can create
one application that subscribes to all desired monitor topics. Your topic subscribers can
also use message selectors to filter the monitor messages so your application receives only
the messages it is interested in.
Server Statistics
The TIBCO Enterprise Message Service server allows you to track incoming and outgoing
message volume, message size, and message statistics for the server overall as well as for
each producer, consumer, or route. You can configure the type of statistics collected, the
interval for computing averages, and amount of detail for each type.
Statistic tracking can be set in the server’s configuration file, or you can change the
configuration dynamically using commands in the administration tool or by creating your
own application with the administration APIs.
Statistics can be viewed using the administration tool, or you can create your own
application that performs more advanced analysis of statistics using the administration
APIs.
This section details how to configure and view statistics using the configuration files and
administration tool commands. For more information about the administration APIs, see
the description of com.tibco.tibjms.admin in the online documentation.
Note: The TIBCO Enterprise Message Service server tracks the number of
incoming or outgoing messages, but only messages sent or received by a
producer, consumer, or route are tracked. The server also sends system
messages, but these are not included in the number of messages.
However, the server can add a small amount of data to a message for internal
use by the server. This overhead is counted in the total message size, and you
may notice that some messages have a greater message size than expected.
The default interval for collecting overall server statistics is 1 second. You may wish to view
average system usage statistics over a larger interval. The server_rate_interval
configuration parameter controls the collection interval for server statistics. The parameter
can be set in the configuration file or dynamically using the set server command. This
parameter can only be set to positive integers greater than zero.
Detailed Statistics
In some situations, the default statistic gathering may not be sufficient. For example, if a
topic subscriber subscribes to wildcard topics, the total statistics for all topics that match
the wildcard are kept. You may wish to get further detail in this case and track the
statistics for each actual topic the subscriber receives.
The following situations may require detailed statistic gathering:
l Topic subscribers that subscribe to wildcard topics
l Message producers that do not specify a destination when they are created. These
message producers can produce messages for any destination, and the destination
name is specified when a message is sent.
l Routes can have incoming and outgoing messages on many different topics.
l CONSUMERS — enables detailed statistics for topic subscribers with wildcard topic
names.
l PRODUCERS — enables detailed statistics for producers that do not specify a
destination when they are created.
l ROUTES — enables detailed statistics for routes.
You can set the detailed_statistics parameter to NONE or any combination of CONSUMERS,
PRODUCERS, or ROUTES. To specify more than one type of detailed statistic gathering,
provide a comma-separated list of values. You can set the detailed_statistics parameter
in the configuration file or dynamically by using the set server command. For example, the
following set server command enables detailed statistic tracking for producers and
routes.
Collecting detailed statistics does consume memory, and can adversely affect performance
when gathering a high volume of statistics. There are two parameters that allow you to
control resource consumption when collecting detailed statistics. First, you can control the
amount of time statistics are kept, and second you can set a maximum amount of memory
for detailed statistic gathering. When application programs create many dynamic
destinations, we recommend against gathering detailed statistics.
The statistics_cleanup_interval parameter controls how long detailed statistics are
kept. This parameter can be set either in the configuration file or dynamically with the set
server command. By default, statistics are kept for 15 seconds. For example, if there is a
topic subscriber for the topic foo.*, and the subscriber receives a message on topic
foo.bar, if no new messages arrive for topic foo.bar within 15 seconds, statistics for topic
foo.bar are deleted for that consumer. You can set this parameter to 0 to signify that all
detailed statistics are to be kept indefinitely. Of course, statistics for an object only exist as
long as the object itself exists. That is, if a message consumer terminates, all detailed
statistics for that consumer are deleted from memory.
The max_stat_memory parameter controls the amount of memory used by detailed
statistics. This parameter can be set either in the configuration file or dynamically with the
set server command. By default, this parameter is set to 0 which signifies that detailed
statistics have no memory limit. If no units are specified, the value of this parameter is in
bytes. Optionally, you can specify units as KB, MB, or GB. When the specified limit is
reached, the server stops collecting new statistics. The server will only resume collecting
statistics if the amount of memory used decreases
(for example, if the statistics_cleanup_interval is set and old statistics are removed).
See show stat for more information and detailed syntax of the show stat command.
TLS Protocol
Transport Layer Security (TLS) is a protocol that provides secure authentication and
transmits encrypted data over the Internet or an internal network.
The TLS protocol is complex, and this chapter is not a complete description of TLS.
Instead, this chapter describes how to configure TLS in the TIBCO Enterprise Message
Service server and in client applications that communicate with the server. For a more
complete description of TLS, see the TLS specification at https://tools.ietf.org/html/rfc5246
and the article at https://en.wikipedia.org/wiki/Transport_Layer_Security.
TLS provides secure communication that works with other mechanisms for authentication
available in the EMS server. When authorization is enabled in the server, the connection
undergoes a two-phase authentication process. First, a TLS hand-shake between client and
server initializes a secure connection. Second, the EMS server checks the credentials of the
client using the supplied username and password. If the connecting client does not supply
a valid username and password combination, the connection fails, even if the TLS
handshake succeeded.
Implementations
The TIBCO Enterprise Message Service server and the C client libraries use OpenSSL for TLS
support.
For more information, see www.openssl.org.
EMS Java clients use JSSE (from Sun JavaSoft). JSSE is included in Java distributions.
EMS .NET Framework clients use the Microsoft implementation of TLS. The Microsoft
implementation of TLS is compatible with OpenSSL. Certificates required by the client can
either be stored in files or the Microsoft certificate store. However, Microsoft requires that
the root certificate be installed in the Microsoft Certificate Store, even when certificate files
are in use.
EMS distributions usually build and include the latest version of OpenSSL publicly available
at the time of release. For exact version numbers see the Third Party Software License
Agreements documented in the TIBCO Software Inc. End User License Agreement for TIBCO
Enterprise Message Service.
Digital Certificates
Digital certificates are data structures that represent identities. EMS uses certificates to
verify the identities of servers and clients. Though it is not necessary to validate either the
server or the client for them to exchange data over TLS, certificates provide an additional
level of security.
A digital certificate is issued either by a trusted third-party certificate authority, or by a
security officer within your enterprise. Usually, each user and server on the network
requires a unique digital certificate, to ensure that data is sent from and received by the
correct party.
In order to support TLS, the EMS server must have a digital certificate. Optionally, EMS
clients may also be issued certificates. If the server is configured to verify client certificates,
a client must have a certificate and have it verified by the server. Similarly, an EMS client
can be configured to verify the server’s certificate. Once the identity of the server and/or
client has been verified, encrypted data can be transferred over TLS between the clients
and server.
A digital certificate has two parts—a public part, which identifies its owner (a user or
server); and a private key, which the owner keeps confidential.
The public part of a digital certificate includes a variety of information, such as the
following:
l The name of the owner, and other information required to confirm the unique
identity of the subject. This information can include the URL of the web server using
the digital certificate, or an email address.
l The subject’s public key.
l The name of the certificate authority (CA) that issued the digital certificate.
l A serial number.
l The length of time the certificate will remain valid—defined by a start date and an
end date.
The most widely-used standard for digital certificates is ITU-T X.509. TIBCO Enterprise
Message Service supports digital certificates that comply with X.509 version 3 (X.509v3);
most certificate authorities, such as Verisign and Entrust, comply with this standard.
The EMS server uses OpenSSL to read private keys. It does not read Java KeyStore files.
Extension Description
.pem PEM encoded certificates and keys (allows the certificate and private key to be
stored together in the same file)
.p12 PKCS12 file (allows the certificate and private key to be stored together in the
same file)
server_root.cert.pem
server_root.key.pem
server_root.key.p8
l A server certificate and corresponding private keys in encrypted PEM and PKCS8
formats. This certificate is issued by server_root.cert.pem and is used by the
server:
server.cert.pem
server.key.pem
server.key.p8
l A root, self-signed certificate and corresponding private key in encrypted PEM and
PKCS8 formats.
client_root.cert.pem
client_root.key.pem
client_root.key.p8
l A client certificate and corresponding private key in encrypted PEM and PKCS8
formats. This certificate is issued by client_root.cert.pem and is used by the
clients:
client.cert.pem
client.key.pem
client.key.p8
client_identity.p12
listen = ssl://localhost:7243
TLS Parameters
Several TLS parameters can be set in tibemsd.conf. The minimum configuration is only
one required parameter—ssl_server_identity. However, if the server’s certificate file
does not contain its private key, then you must specify it in ssl_server_key.
TLS Server Parameters provides a complete description of the TLS parameters that can be
set in tibemsd.conf.
monitor_listen = https://servername:port
HTTPS Properties
There are a few HTTPS properties that can be set in tibemsd.conf. None are strictly
required for the HTTPS listen to work as any unset parameter results in the matching
server TLS parameter to be used in its place. For example, if monitor_ssl_identity is
unset, the configured ssl_server_identity is used in its place. HTTPS Server Parameters
provides a complete description of the TLS parameters that can be set in tibemsd.conf.
l Java KeyStore
You can also store the private key file separately from the client certificate file. If this is the
case, the certificate and private key must be stored in one of the following formats:
l PEM
l PKCS#8
The format of the client digital certificate and private key file depends on the TLS vendor
used by the client. For more information about formats, see your TLS vendor’s
documentation.
Configure TLS
A client connecting to an EMS server can configure TLS characteristics in the following
ways:
l Create a connection factory that specifies the appropriate TLS parameters and use
JNDI to lookup the connection factory. The server URL in the connection factory must
specify the TLS protocol, and the factory must specify appropriate TLS parameters.
A preconfigured connection factory is the preferred mechanism in many situations.
See Create Connection Factories for Secure Connections and Perform Secure Lookups
for details on how to create a connection factory with TLS parameters in EMS.
l Dynamically create a connection factory, as described in Dynamically Creating
Connection Factories and set the global TLS parameters locally using the TibjmsSSL
class (Java), tibemsSSLParams type (C), or EMSSSL class (C#).
Specifying any TLS parameters within a connection factory causes all global TLS
parameters set with the TibjmsSSL class, tibemsSSLParams type or EMSSSL class to be
ignored.
Note: When configuring a connection factory, EMS does not verify any file names
specified in the TLS parameters. At the time the factory is retrieved using JNDI,
the EMS server attempts to resolve any file references. If the files do not match
the supported types or the files are not found, the JNDI lookup fails with a
ConfigurationException.
The following table describes the TLS parameters that can be set in a connection factory.
For more information about each parameter, see the description of the equivalent
parameter in tibemsd.conf.
Parameter Description
ssl_vendor The vendor name of the TLS implementation that the client
uses. Since software release 8.4.0, only one vendor (JSSE) is
supported for the Java client, so use of this parameter is
optional in that context.
Example
ssl_issuer = certs\CA_root.pem
ssl_issuer = certs\CA_child1.pem
ssl_issuer = certs\CA_child2.pem
Parameter Description
ssl_private_key The client’s private key. If the key is included in the digital
certificate in ssl_identity, then you may omit this
parameter.
ssl_verify_hostname Specifies whether the client should verify the name in the
CN field of the server’s certificate. The values for this
parameter are enabled and disabled. By default, this
parameter is enabled, signifying the client should verify the
name of the connected host or the name specified in the
ssl_expected_hostname parameter against the value in the
server’s certificate. If the names do not match, the client
rejects the connection.
ssl_expected_hostname The name the client expects in the CN field of the server’s
Parameter Description
ssl_ciphers Specifies the cipher suites that the client can use.
Qualifier Description
ALL All ciphers from the list (except null ciphers). You can use this keyword to add
or remove all ciphers.
At least one cipher suite must be present, otherwise the TLS connection fails to
initialize. So, if you use -ALL, you must subsequently add the desired ciphers to
the list.
This example specifies cipher suites in the ssl_ciphers connection factory parameter in a
Java client:
-ALL:+ECDHE-RSA-AES256-GCM-SHA384:<ECDHE-RSA-AES128-GCM-SHA256
-ALL:+TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256:+TLS_ECDHE_RSA_WITH_AES_256_
GCM_SHA384:<SSL_RSA_WITH_3DES_EDE_CBC_SHA
Note: The syntax described in the table below only applies to TLSv1.2 cipher
suites. TLSv1.3 connections are subject only to the SECLEVEL restrictions.
TLSv1.3 cipher suites always take priority over TLSv1.2 ones.
Qualifier Description
/ When entered as the first item in the list, this option causes EMS to begin with
an empty list, and add the ciphers that follow the slash.
If the / does not prefix the cipher list, then EMS prefixes the cipher list with the
OpenSSL cipher string DEFAULT.
This modifier can only be used at the beginning of the list. If the / appears
elsewhere, the syntax of the cipher suite list will be incorrect and cause an
error.
Qualifier Description
This qualifier is used to move an existing cipher. It can not be used to add a
new cipher to the list.
- Remove the cipher from the list of ciphers. When this option is used, the cipher
can be added later on in the list of ciphers.
! Permanently disable the cipher within the list of ciphers. Use this option if you
wish to remove a cipher and you do not want later items in the list to add the
cipher to the list. This qualifier takes precedence over all other qualifiers.
ALL All ciphers from the list (except null ciphers). You can use this keyword to add
or remove all ciphers.
At least one cipher suite must be present or the TLS connection fails to
initialize. So, after using -ALL, you should add at least one cipher to the list.
ssl_server_ciphers = -ALL:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-
GCM-SHA384
ssl_server_ciphers = !ECDHE-RSA-AES128-GCM-SHA256:ALL
Note that this list is only relevant to the release of TIBCO Enterprise Message Service that
ships with the particular version of tibemsadmin that is running when the help command is
issued
Motivation
Some applications require strong or encrypted authentication, but do not require message
encryption.
In this situation, application architects could configure TLS with a null cipher. However,
this solution incurs internal overhead costs of TLS calls, decreasing message speed and
throughput.
For optimal performance, the preferred solution is to use TLS only to authenticate clients,
and then avoid TLS calls thereafter, using ordinary TCP communications for subsequent
data exchange. Message performance remains unaffected.
Preconditions
All the following preconditions must be satisfied to use TLS only for authentication:
l The server must explicitly enable the parameter ssl_auth_only in the tibemsd.conf
configuration file.
l The client program must request a connection that uses TLS for authentication only.
Clients can specify this request in factories by enabling the ssl_auth_only
parameter, or by calling:
o Java: TibjmsSSL.setAuthOnly
o C: tibemsSSLParams_SetAuthOnly
o C#: EMSSSL.SetAuthOnly
See Also
Server parameter ssl_auth_only
Client parameter ssl_auth_only
When fips140-2 is enabled, on start-up the EMS server initializes in compliance with FIPS
140-2. If the initialization is successful, the EMS server prints a message indicating that it is
operating in this mode. If the initialization fails, the server exits
(regardless of the startup_abort_list setting).
Incompatible Parameters
In order to operate in FIPS compliant mode, you must not include these parameters in the
tibemsd.conf file:
l ssl_server_ciphers
l ft_ssl_ciphers
l Java Clients
Java clients that use the Bouncy Castle FIPS provider can operate in FIPS 140-2
compliant mode. To do so, perform both of the following:
o Set the TLS vendor to bcfips before calling any other EMS methods; refer to
the EMS Java documentation for details.
o Start the JVM with -Dorg.bouncycastle.fips.approved_only=true
For backward compatibility reasons, an alternative to setting the TLS vendor to
bcfips consists of setting the com.tibco.security.FIPS property to true.
If the tibco.tibjms.ssl.debug.trace property has been set to true and the Java
client set to operate in FIPS 140-2 compliant mode, upon initializing the TLS
infrastructure the client prints a message listing BCFIPS as the FIPS Provider.
l C Clients
To enable FIPS 140-2 operations in the C client, load the required FIPS and base
OpenSSL providers before calling any EMS functions. This can be done by setting
the OPENSSL_CONF and OPENSSL_MODULES environment variables, as per the
OpenSSL 3.0 documentation.
For example:
export OPENSSL_CONF=/opt/tibco/ems/10.3/lib/openssl-client.cnf
export OPENSSL_MODULES=/opt/tibco/ems/10.3/lib
Note: The Java and C clients support FIPS compliance only on the Linux and
Windows platforms.
Fault Tolerance
The following sections describe the fault tolerance features of TIBCO Enterprise Message
Service.
Shared State
A pair of fault-tolerant servers can have access to shared state, which consists of
information about clients and persistent messages.
Note: You cannot use more than two servers in a fault-tolerant configuration.
This information enables the standby server to properly assume responsibility for those
clients and messages. The following image illustrates a fault-tolerant configuration of EMS.
Locking
To prevent the standby server from assuming the role of the active server, the active server
locks the shared state during normal operation. If the active server fails, the lock is
released, and the standby server can obtain the lock and become active.
Detection
A standby server detects a failure of the active server in either of the following ways:
Heartbeat Failure or Connection Failure.
l Heartbeat Failure—The active server sends heartbeat messages to the standby server
to indicate that it is still operating. When a network failure stops the servers from
communicating with each other, the standby server detects the interruption in the
steady stream of heartbeats. For details, see Heartbeat Parameters.
l Connection Failure—The standby server can detect the failure of its TCP connection
with the active server. When the active server process terminates unexpectedly, the
standby server detects the broken connection.
Response
When a standby server (B) detects the failure of the active server (A), then B attempts to
assume the role of active server. First, B obtains the lock on the current shared state. When
B can access this information, it becomes the new active server.
Lock Unavailable
If B cannot obtain the lock immediately, it alternates between attempting to obtain the
lock (and become the active server), and attempting to reconnect to A (and resume as a
standby server)—until one of these attempts succeeds.
Role Reversal
When B becomes the new active server, A can restart as a standby server, so that the two
servers exchange roles.
Client Transfer
Clients of A that are configured to failover to standby server B automatically transfer to B
when it becomes the new active server. B reads the client’s current state from the shared
storage to deliver any persistent messages to the client.
Client Notification
Client applications can receive notification when shared state failover occurs.
l Java
To receive notification, Java client programs set the system property
tibco.tibjms.ft.switch.exception to any value, and define an ExceptionListener
to handle failover notification; see the class com.tibco.tibjms.Tibjms in TIBCO
Enterprise Message Service Java API Reference.
l C
To receive notification, C client programs call tibems_setExceptionOnFTSwitch
(TIBEMS_TRUE) and register the exception callback in order to receive the notification
that the reconnection was successful.
l C#
To receive notification, .NET client programs call Tibems.SetExceptionOnFTSwitch
(true), and define an exception listener to handle failover notification; see the
method Tibems.SetExceptionOnFTSwitch in TIBCO Enterprise Message Service .NET
API Reference.
Message Redelivery
Qualified messages will be redelivered in a failover situation.
l Persistent
When a failure occurs, messages with delivery mode PERSISTENT, that were not
successfully acknowledged before the failure, are redelivered.
l Synchronous Mode
When using durable subscribers, EMS guarantees that a message with PERSISTENT
delivery mode and written to a store with the property mode=sync, will not be lost
during a failure.
l Delivery Succeeded
Any messages that have been successfully acknowledged or committed are not
redelivered, in compliance with the Jakarta Messaging specification.
l Topics
All topic subscribers continue normal operation after a failover.
Transactions
A (non-XA) transaction is considered active when at least one message has been sent or
received by the session, and the transaction has not been successfully committed. An XA
transaction is considered active when the XA start method is called.
After a failover, attempting to commit the active transaction results in a
javax.jms.TransactionRolledBackException. Clients that use transactions must handle
this exception, and resend any messages sent during the transaction. The standby server,
upon becoming active, automatically redelivers any messages that were delivered to the
session during the transaction that rolled back.
Queues
For queue receivers, any messages that have been sent to receivers, but have not been
acknowledged before the failover, may be sent to other receivers immediately after the
failover.
A receiver trying to acknowledge a message after a failover may receive the
javax.jms.IllegalStateException. This exception signifies that the attempted
acknowledgment is for a message that has already been sent to another queue receiver.
This exception only occurs in this scenario, or when the session or connection have been
closed. This exception cannot occur if there is only one receiver at the time of a failover,
but it may occur for exclusive queues if more than one receiver was started for that queue.
When a queue receiver catches a javax.jms.IllegalStateException, the best course of
action is to call the Session.recover() method. Your application program should also be
prepared to handle redelivery of messages in this situation. All queue messages that can be
redelivered to another queue receiver after a failover always have the header field
JMSRedelivered set to true; application programs must check this header to avoid
duplicate processing of the same message in the case of redelivery.
Note: Acknowledged messages are never redelivered (in compliance with the
Jakarta Messaging specification). The case described above occurs when the
application cannot acknowledge a message because of a failover.
Heartbeat Parameters
When the active server heartbeat stops, the standby server waits for its activation interval
(elapsed time since it detected the most recent heartbeat); then the standby server
retrieves information from shared storage and assumes the role of active server.
The default heartbeat interval is 3 seconds, and the default activation interval is 10
seconds. The activation interval must be at least twice the heartbeat interval. Both
intervals are specified in seconds. You can set these intervals in the server configuration
files. See Fault Tolerance Parameters for details.
Note: When using FTL stores, the heartbeat and activation intervals are
managed by the FTL server cluster. See Fault-Tolerance with FTL Stores for more
details.
Configuration Files
When an active server fails, its standby server assumes the status of the active server and
resumes operation. Before becoming the active server, the standby server re-reads its
configuration files.
If the two servers share configuration files, then the administrative changes to an active
server carry over to its standby once the latter becomes active.
Note: When fault-tolerant servers share configuration files, you must limit
configuration changes to the active server only. Separately reconfiguring the
standby server can cause it to overwrite the shared configuration files;
unintended misconfiguration can result.
Additionally, when a server that is a member of a fault-tolerant pair requires a
restart, both servers must be restarted to activate the change. When the active
server is shut down, the standby server does not reinitialize its properties (such
as listens, heartbeats, timeouts, and so on) or stores during activation. It does
reinitialize objects such as queues, topics, factories, routes, and so on.
Detection
Unshared state failover is initiated by the EMS client. When a client setup for unshared
state detects a lost connection to server (A), it attempts to connect to server (B), as defined
in the connection factory.
Note: Unshared state is not limited to two servers. Unlike shared state failover,
unshared state is controlled by the EMS client. The client can include more than
two URLs in its list of additional servers.
Response
Clients with unshared state connections automatically connect to B after losing the
connection to A.
When clients setup for unshared state detect lost connections to server A, they create new
connections to server B. All runtime objects from the client's connection are recreated,
including sessions, destinations, message producers, and message consumers.
Because unshared state is defined in the connection factory, B remains the current server
as long as the connection is active. If the connection to B is lost, clients attempt to connect
to another server defined in the connection factory
Message Loss
Because B does not have access to persistent messages that were not delivered or
acknowledged prior to the failover, some messages may be lost or delivered out of order
across the failover process. To prevent message loss, use shared state failover.
Unsupported Features
These features and Java classes are not supported with unshared state connections:
l XA transactions
l Durable topic subscribers
l ConnectionConsumer
l ServerSession
l ServerSessionPool
l QueueRequestor
l TopicRequestor
In this example, servers A1 and A2 share state. Servers B1 and B2 also share state.
However, A1 and A2 do not share state with B1 and B2.
The EMS clients created connections using a connection factory with A1, A2 + B1, B2. The
initial server connections were with server A1. When the connection to A1 failed, the
failover process proceeded as described in Shared State Failover Process, and the clients
connect to A2.
A2 then failed, before A1 restarted. The clients next created connections to B1, recreating
all runtime objects from the connection (as described above in Unshared State Failover
Process). B1 is now the active server. Because B1 and B2 share state, If B1 fails, B2
becomes the active server.
Shared State
For the most robust failover protection, the active server and standby server must share
the same state.
Shared state includes the following categories of information:
l persistent message data (for queues and topics)
l client connections of the active server
l metadata about message delivery
During a failover, the standby server re-reads all shared state information.
Support Criteria
If your stores are file-based, there are several options available for implementing shared
storage, using a combination of hardware and software. EMS requires that your storage
solution guarantees the following listed criteria.
Warning: Always consult your shared storage vendor and your operating system
vendor to ascertain that the storage solution you select satisfies all four criteria.
Criterion Description
Write Order The storage solution must write data blocks to shared storage in the same
order as they occur in the data buffer.
(Solutions that write data blocks in any other order (for example, to
enhance disk efficiency) do not satisfy this requirement.)
Synchronous Upon return from a synchronous write call, the storage solution guarantees
Write that all the data have been written to durable, persistent storage.
Persistence
Distributed File The EMS servers must be able to request and obtain an exclusive lock on
Locking the shared storage. The storage solution must not assign the locks to two
servers simultaneously. (See Software Options.)
Unique Write The EMS server process that has the file lock must be the only server
Ownership process that can write to the file. Once the system transfers the lock to
another server, pending writes queued by the previous owner must fail.
Hardware Options
Consider these examples of commonly-sold hardware options for shared storage:
l Dual-Port SCSI device
l Storage Area Network (SAN)
l Network Attached Storage (NAS)
NAS
NAS solutions require a CS (rather than a CFS) to satisfy the Distributed File Locking
criterion (see below).
Some NAS solutions satisfy the criteria, and some do not; you must confirm all four
requirements with your vendors.
For more information on how the EMS locks shared store files, see Managing Access to
Shared File-Based Stores.
Software Options
Consider these examples of commonly-sold software options:
l Cluster Server (CS)
A cluster server monitors the EMS server processes and their host computers, and
ensures that exactly one server process is running at all times. If that server fails, the
CS restarts it; if the CS fails to restart it, it starts the other server instead.
l Clustered File System (CFS)
A clustered file system lets the two EMS server processes run simultaneously. It even
lets both servers mount the shared file system simultaneously. However, the CFS
assigns the lock to only one server process at a time. The CFS also manages
operating system caching of file data, so the standby server has an up-to-date view of
With dual-port SCSI or SAN hardware, either a CS or a CFS might satisfy the Distributed File
Locking criterion. With NAS hardware, only a CS can satisfy this criterion (CFS software
generally does not). Of course, you must confirm all four requirements with your vendors.
These stores are fully customizable through parameters in the stores configuration file.
More information about these stores and the default configuration settings are fully
described in stores.conf.
When using file-based stores, to prevent two servers from using the same store file, each
server restricts access to its store file for the duration of the server process. For more
information on how the EMS manages shared store files, see Managing Access to Shared
File-Based Stores. When using grid stores or FTL stores, this store exclusivity is handled by
ActiveSpaces and FTL respectively.
Note: These default stores can be changed or modified. See Default Stores for
more information.
Shared State
To configure an EMS server as a fault-tolerant secondary when using file-based stores or
grid stores, set the below parameters in its main configuration file (or on the server
command line). The primary and secondary roles cannot be explicitly defined when using
FTL stores.
l server Set this parameter to the same server name in the configuration files of
both the primary server and the secondary server.
l ft_active In the configuration file of the primary server, set this parameter to the
URL of the secondary server. In the configuration file of the secondary server, set this
parameter to the URL of the active server.
When a server configured for fault tolerance starts, it attempts to connect to its peer
server. If it establishes a connection to its peer, then it enters the standby state. If it cannot
establish a connection to its peer, then it becomes the active server.
While a server is in the standby state, it does not accept connections from clients. To
administer the standby server, the admin user can connect to it using the administration
tool. Standby servers started with a JSON configuration file cannot be administered.
Note: If the two EMS Servers are not sharing a users.conf file, make sure that
you create a user with the same name as the EMS Server, and set the user's
password with the value of the "server" password.
For example, you have two EMS Servers (Server 1 and Server 2) that are named "EMS-
SERVER" and are to use a password of "mySecret", but which do not share a users.conf
file. To set the user names and passwords, start the EMS Administration Tool on each
server, as described in EMS Administration Tool, and do the following.
From the active (Server 1), enter:
For jaas authentication, the tibemsd.conf changes are still required. However, a JAAS
authentication module must be configured in lieu of the users.conf changes. See JAAS
Authentication Modules for details.
OAuth 2.0
When using oauth2 authentication (see Authentication Methods) the EMS server will
authenticate its fault-tolerant peer server by validating an OAuth 2.0 access token received
as part of the peer server’s connection request.
For OAuth 2.0 authentication to be successful between fault-tolerant peer servers, both
servers will need to be configured to authenticate incoming connections via OAuth 2.0.
Both servers will also need to be configured to procure OAuth 2.0 access tokens and
include them in their connection requests to each other.
Follow the instructions in the Authentication Using OAuth 2.0 section to enable
authentication of incoming connection requests in both servers.
The ft_oauth2_server_url, ft_oauth2_client_id and ft_oauth2_client_secret
parameters must also be configured in both servers in order for them to obtain the OAuth
2.0 access tokens required to authenticate each other. Refer to Fault Tolerance Parameters
for the full list of available parameters relating to OAuth 2.0 and fault-tolerance.
TLS
Note: TLS security for fault-tolerance related communication is configured
through FTL when using FTL stores. See Configuring and Deploying FTL Stores
for details.
You can use TLS to secure communication between a pair of fault-tolerant servers.
Parameters in the main configuration file (tibemsd.conf) affect this behavior. The relevant
parameters all begin with the prefix ft_ssl.
The server initializing a secure connection to another server uses the ft_ssl parameters
to determine the properties of its secure connection to the other server. The receiving
server validates the incoming connection against its own ssl_ parameters. For more
information about ft_ssl parameters, see Fault Tolerance Parameters. For more
information about ssl_ parameters, see TLS Server Parameters.
Reconnect Timeout
When a standby server assumes the role of the active server during failover, clients attempt
to reconnect to the standby server (that is, the new active) and continue processing their
current message state. Before accepting reconnects from the clients, the new active server
reads its message state from the shared state files.
You can instruct the server to clean up state information for clients that do not reconnect
before the time limit specified by the ft_reconnect_timeout configuration parameter. The
ft_reconnect_timeout time starts once the server has fully recovered the shared state, so
this value does not account for the time it takes to recover the store files. See
ft_reconnect_timeout for details.
Unshared State
When configuring a fault tolerant pair that does not share state, you must ensure that both
servers use identical configurations.
This is especially important for these configuration settings:
l Destinations
Both servers must support the same destinations.
l Routes
Messages must be able to arrive at the endpoints, using equivalent or identical
routes across servers.
l Access Control
Access control must be setup identically in both servers, so that the users.conf,
groups.conf, and acl.conf file settings match.
l TLS
When TLS is deployed, both servers must use the same certificate(s).
When using a JSON configuration, the same JSON file is used to manage both servers in a
fault tolerant pair. Primary and secondary server roles are determined when the servers are
started.
All but two configuration settings are shared by both EMS servers: the listen and
ft_active parameters are configured separately.
l The primary server, if elected active, listens for client connections on ports defined in
the "primary_listens" node of the configuration. If elected standby, it listens for the
secondary server on the URL that is flagged using the "ft_active" Boolean within the
"secondary_listens" node.
l Conversely, the secondary server, if elected standby, listens for the primary server on
the URL that is flagged using the "ft_active" Boolean within the "primary_listens"
node. If elected active, it listens for client connections on ports defined in the
"secondary_listens" node.
Configuration Errors
When an EMS server is started, the fault tolerance mechanism is triggered by the presence
of a URL in the "secondary_listens" node of a primary tibemsd, or by that of a URL in the
"primary_listens" node of a secondary tibemsd.
Once fault tolerance is triggered, the EMS server generates an error if it finds that the
"ft_active" Boolean was not set for any URL in its peer’s node. If CONFIG_ERRORS is present
in the startup_abort_list parameter, the tibemsd aborts startup. Otherwise, the tibemsd
cancels fault tolerance and starts without checking its peer. This results in a file lock error
for the EMS server that is started second.
serverUrl=tcp://server0:7222, tcp://server1:7344
The client attempts to connect to each URL in the order listed. If a connection to one URL
fails, the client tries the next URL in the list. The client tries the URLs in sequence until all
URLs have been tried. If the first failed connection was not the first URL in the list, the
attempts wrap to the start of the list (so each URL is tried).
For information on how to lookup a fault-tolerance URL in the EMS naming service, see
Perform Fault-Tolerant Lookups.
Note: The reconnection logic in the client is triggered by the specifying multiple
URLs when connecting to a server. If no secondary server is present, the client
must still provide at least two URLs (typically pointing to the same server) in
order for it to automatically reconnect to the server when it becomes available
after a failure.
The following examples establish a reconnection count of 10, a delay of 1000 ms and a
timeout of 1000 ms.
l Java
Use the TibjmsConnectionFactory object’s setReconnAttemptCount(),
setReconnAttemptDelay(), and setReconnAttemptTimeout() methods to establish
new reconnection failure parameters.
factory.setReconnAttemptCount(10);
factory.setReconnAttemptDelay(1000);
factory.setReconnAttemptTimeout(1000);
l C
Use the tibemsConnectionFactory_SetReconnectAttemptCount,
tibemsConnectionFactory_SetReconnectAttemptDelay, and
tibemsConnectionFactory_SetReconnectAttemptTimeout functions to establish new
reconnection failure parameters.
l C#
Use the ConnectionFactory.SetReconnAttemptCount,
ConnectionFactory.SetReconnAttemptDelay, and
ConnectionFactory.SetReconnAttemptTimeout methods to establish new
reconnection failure parameters:
factory.setReconnAttemptCount(10);
factory.setReconnAttemptDelay(1000);
factory.setReconnAttemptTimeout(1000);
Unshared state connections are created differently from shared state connections in
several important ways.
l For Java applications, a JAR file must be present in the environment CLASSPATH of
the client.
l For C applications, a header file must be included and clients must link using the
unshared state library.
l The connection must be created using an unshared state connection factory.
l The server URLs must be specified using unshared state syntax.
l C Applications
tibemsufo library and functions.
l C# Applications
TIBCO.EMS.UFO package.
Connection Recovery
When an unshared state connection fails, the connection’s ExceptionListener callback is
invoked. To recover the connection—repair it so that it is connected to an active server—
the client application calls the connection factory’s recoverConnection method or
tibemsUFOConnectionFactory_RecoverConnection function.
Note that the connection is considered broken from the point where the underlying
TCP/TLS connection fails, and until
recoverConnection or tibemsConnectionFactory_RecoverConnection successfully returns.
l Unshared State
Specify multiple servers as a list of URLs separated by plus (+) signs. For example,
to identify the first server as tcp://server0:7222, and the second server as
tcp://server1:7344, you can specify:
serverUrl=tcp://server0:7222+tcp://server1:7344
l Dual State
To combine shared state server pairs with unshared state servers, use commas to
separate the servers that share state, and plus (+) signs to separate servers that do
not share state. For example, this line specifies server a1 and a2 as a fault-tolerant
pair that share state, and servers b1 and b2 as a second pair with shared state:
serverUrl=tcp://a1:8222,tcp://a2:8222+tcp://b1:8222,tcp://b2:8222
The client attempts to connect to each URL in the order listed. If a connection to one URL
fails, the client tries the next URL in the list. The client tries the URLs in sequence until all
URLs have been tried. If the first failed connection was not the first URL in the list, the
attempts wrap to the start of the list (so each URL is tried). If none of the attempts
succeed, the connection fails.
Note: Server lookup functions do not permit unshared state syntax. That is, you
cannot separate server URLs using the plus (+) symbol during a server lookup.
See Also
The connection factory connect attempt and reconnect attempt properties are
documented in factories.conf.
The sections Set Connection Attempts, Timeout and Delay Parameters and Set
Reconnection Failure Parameters describe the use of these settings.
Routes
The following sections describe routing of messages among TIBCO Enterprise Message
Service servers.
Overview
TIBCO Enterprise Message Service servers can route messages to other servers.
l Topic messages can travel one hop or multiple hops (from the first server).
l Queue messages can travel only one hop to the home queue, and one hop from the
home queue.
You can define routes using an administrative interface (that is, configuration files,
tibemsadmin, or administration APIs).
Route
Basic Operation
l Each route connects two TIBCO Enterprise Message Service servers.
l Each route forwards messages between corresponding destinations (that is, global
topics with the same name, or explicitly routed queues) on its two servers.
l Routes are bidirectional; that is, each server in the pair forwards messages along the
route to the other server.
For example, the compact view at the top of the following image denotes a route between
two servers, A and B. The exploded view beneath it illustrates the behavior of the route.
Each server has a global topic named T1, and a routed queue Q1; these destinations
correspond, so the route forwards messages between them. In addition, server A has a
global topic T2, which does not correspond to any topic on server B. The route does not
forward messages from T2.
Global Destinations
Routes forward messages only between global destinations—that is, for topics the global
property must be set on both servers (for queues, see Routed Queues).
For more information about destination properties, See Destination Properties.
The following image illustrates a route between two servers, C and D, with corresponding
destinations T1 and T2. Notice that T1 is global on both C and D, so both servers forward
messages across the route to the corresponding destination. However, T2 is not global on
C, neither C nor D forward T2 messages to one another.
Note: Note that the configuration on the right is illegal only in a multi-hop zone;
it is legal in a one-hop zone. For further information, see Zone.
Zone
Zones restrict the behavior of routes, so you can configure complex routing paths. Zones
affect topic messages, but not queue messages.
Basic Operation
A zone is a named set of routes. Every route belongs to a zone.
A zone affects the forwarding behavior of its routes:
l In a multi-hop (mhop) zone, topic messages travel along all applicable routes to all
servers connected by routes within the zone.
l In a one-hop (1hop) zone, topic messages travel only one hop (from the first server).
l Queue messages travel only one hop, even within multi-hop zones.
For example, the following figure depicts a set of servers connected by routes within a
multi-hop zone, Z1. If a client sends a message to a global topic on server B, the servers
forward the message to A, C, D and E (assuming there are subscribers at each of those
servers). In contrast, if Z1 were a one-hop zone, B would forward the message to A, C and
D—but D would not forward it E.
The goal is to forward messages from B1 and B2 to both M and R. The routing graph seems
to contain a cycle—the path from B1 to M to B2 to R duplicates the route from B1 to R.
However, since these routes belong to the one-hop zone Z2, it is impossible for messages
to travel the longer path. Instead, this limitation results in the desired result—forwarding
from B1 to M and R, and from B2 to M and R.
Overlapping Zones
A server can have routes that belong to several zones. When zones overlap at a server, the
routing behavior within each zone does not limit routing in other zones. That is, when a
forwarded message reaches a server with routes in several zones, the message crosses
zone boundaries, and its hop count is reset to zero.
The following image illustrates an enterprise with one-hop zones connecting all the servers
in each of several cities in a fully-connected graph. Zone TK connects all the servers in
Tokyo; zone NY connects all the servers in New York; zone PA connects all the servers in
Paris. In addition, the multi-hop zone WO connects one server in each city.
When a client of server TK3 produces a message, it travels one hop to each of the other
Tokyo servers. When the message reaches TK1, it crosses into zone WO. TK1 forwards the
message to NY1, which in turn forwards it to PA1. When the message reaches NY1, it
crosses into zone NY (with hop count reset to zero); NY1 forwards it one hop to each of the
other New York servers. Similarly, when the message reaches PA1, it crosses into zone PA
(with hop count reset to zero); PA1 forwards it one hop to each of the other Paris servers.
Active-Passive Routes
When you configure a route at only one server, this asymmetry results in different
perspectives on the route.
l A route is active from the perspective of the server where it is configured. This server
actively initiates the connection to the other server, so we refer to it as the active
server, or initiating server.
l A route is passive from the perspective of the other server. This server passively
accepts connection requests from the active server, so we refer to it as the passive
server.
A server can have both active and passive routes. That is, you can configure server S to
initiate routes, and also configure other servers to initiate routes to S.
You can specify and modify the properties of an active route, but not those of a passive
route. That is, properties of routes are associated with the server where the route is
configured, and which initiates the connection.
Note: Defining a route specifies a zone as well (either implicitly or explicitly). The
first route in the zone defines the type of the route; subsequent routes in the
same zone must have the same zone type (otherwise, the server reports an
error).
Active-Active Routes
Two servers can both configure an active route one to the other. This arrangement is called
an active-active configuration.
For example, server A specifies a route to server B, and B specifies a route to A. Either
server can attempt to initiate the connection. This configuration results in only one
connection; it does not result in redundant routes.
You can promote an active-passive route to an active-active route. To promote a route, use
this command on the passive server:
The url argument is required, so that the server (where the route is being promoted) can
connect to the other server if the route becomes disconnected. See create route for more
information.
The promoted route behaves as a statically configured route—that is, it persists messages
for durable subscribers, and stores its configuration in routes.conf, and administrators
can modify its properties.
Syntax
To create a route using the administration tool, first connect to one of the servers, then use
the create route command with the following syntax:
l name is the name of the server at the other end of the route; it also becomes the
name of the route.
l URL specifies the other server by its URL—including protocol and port.
If your environment is configured for fault tolerance, the URL can be a comma-
separated list of URLs denoting fault-tolerant servers. For more information about
fault tolerance, see Fault Tolerance.
l zone_name specifies that the route belongs to the routing zone with this name. When
absent, the default value is default_mhop_zone (this default yields backward
compatibility with configurations from releases earlier than 4.0).
l The zone type is either 1hop or mhop. When omitted, the default value is mhop.
l properties is a space-separated list of properties for the route. Each property has the
syntax:
prop_name=value
For gating properties that control the flow of topics along the route, see Selectors for
Routing Topic Messages.
For properties that configure the Transport Layer Security (TLS) protocol for the
route, see Routing and TLS.
For properties that configure OAuth 2.0 authentication for the route, see
Authentication.
Example
For example, these commands on server A would create routes to servers B and C. The
route to B belongs to the one-hop zone Z1. The route to C belongs to the multi-hop zone
ZM.
Show Routes
You can display these routes using the show routes command in the administration tool:
show routes
Route T ConnID URL Zone T
B A 3 tcp://B:7454 Z1 1
C A - tcp://C:7455 ZM m
Example
l When an active server initiates a TLS connection, it sends the route’s TLS parameters
to identify and authenticate itself to the passive server. You can specify these
parameters when creating the route, or you can specify them in the route
configuration file, routes.conf.
You can configure the server to require a digital certificate only for TLS connections coming
from routes, while not requiring such a certificate for TLS connections coming from clients
or from its fault-tolerant peer.
For more information, see ssl_require_route_cert_only.
Parameter Description
Parameter Description
ssl_issuer Certificate chain member for the server. Supply the entire
chain, including the CA root certificate. The server reads
the certificates in the chain in the order they are presented
in this parameter.
Example
ssl_issuer = certs\CA_root.pem
ssl_issuer = certs\CA_child1.pem
ssl_issuer = certs\CA_child2.pem
Parameter Description
ssl_verify_host Specifies whether the server must verify the other server’s
certificate. The values for this parameter are enabled and
disabled.
ssl_verify_hostname Specifies whether the server must verify the name in the
CN field of the other server’s certificate. The values for this
parameter are enabled and disabled.
Parameter Description
restarts, it generates a new sequence of subscribers; meanwhile, the client might have
missed messages.
If the client of server B creates a durable subscriber to T1, then if the client process exits,
the entire sequence of internal subscribers remains intact; messages continue to flow
through the servers in store-and-forward fashion. When the client restarts, it can consume
all the messages that B has stored in the interim.
Server Failure
In an active-active route between servers B and M, if B fails, then M retains its internal
subscriber and continues to store messages for clients of B. When B reconnects, M forwards
the stored messages.
In an active-passive route configured on B, if B fails, then M removes its internal subscriber
and does not store messages for clients of B—potentially resulting in a gap in the message
stream. When B reconnects, M creates a new internal subscriber and resumes forwarding
messages.
In an active-passive route configured on A, if either server fails, then M retains its internal
subscriber in the same way as an active-active route. However, B does not retain its
internal state which it uses to suppress duplicate messages from A and can deliver
messages to its consumers after they have consumed them. Therefore, if it is desirable to
not lose messages and to not have duplicate messages, the route should be active-active.
Network Failure
If an active-passive connection between B and M is disrupted, M displays the same
behavior as during a server failure.
maxbytes
Combining durable subscribers with routes creates a potential demand for storage—
especially in failure situations. For example, if server B fails, then server M stores messages
until B resumes. We recommend that you set the maxbytes or maxmsgs property of the
topic (T1) on each server, to prevent unlimited storage growth (which could further disrupt
operation).
You can specify message selectors on routes to narrow the subset of topic messages that
traverse each route.
Example
The following figure illustrates an enterprise with a central server for processing customer
orders, and separate regional servers for billing those orders. For optimal use of network
capacity, we configure topic selectors so that each regional server gets only those orders
related to customers within its region.
Specifying Selectors
Specify message selectors for global topics as properties of routes. You can define these
properties in two ways:
l Define selectors when creating the route (either in routes.conf, or with the
Note: If you change the message selectors on a route, only incoming messages
are evaluated against the new selectors. Messages pending in the server are re-
evaluated only if the server is restarted.
Syntax
The message selector properties have the same syntax whether they appear in a command
or in a configuration file:
incoming_topic=topicName selector="msg-selector"
outgoing_topic=topicName selector="msg-selector"
Note: The terms incoming and outgoing refer to the perspective of the active
server—where the route is defined.
topicName is the name of a global topic.
msg-selector is a message selector string. For detailed information about
message selector syntax, see the documentation for class Message in TIBCO
Enterprise Message Service Java API Reference.
Example Syntax
As described in Example, an administrator might configure these routes on the central
order server:
[Canada]
url=ssl://canada:7222
outgoing_topic=orders selector="country='Canada'"
...
[Mexico]
url=ssl://mexico:7222
outgoing_topic=orders selector="country='Mexico'"
...
[USA]
url=ssl://usa:7222
outgoing_topic=orders selector="country='USA'"
...
Symmetry
outgoing_topic and incoming_topic are symmetric. Whether A specifies a route to B with
incoming_topic selectors, or B specifies a route to A with outgoing_topic selectors, the
effect is the same. That is, B sends only those messages that match the selector over the
route.
Active-Active Configuration
In an active-active configuration, you may specify selectors on either or both servers. If you
specify outgoing_topic selector S1 for topic T on server A, and incoming_topic selector
S2 for T on server B, then the effective selector for T on the route from A to B is (S1 AND
S2).
See also Active and Passive Routes.
Wildcards
You can specify wildcards in topic names. For each actual topic, the server uses logical AND
to combine all the selectors that match the topic.
Note: However, routing of topic messages is only reliably supported when the
subscriber's topic is a subset (or equal) of the configured global topic. Similarly,
intersections are not supported. For example, if topics.conf contains foo.* and
foo.a*, the following subscriptions are correct:
foo.*
foo.1
bar.a.b
foo.>
bar.*.b
Routed Queues
With respect to routing, queues differ from topics in several respects.
These differences can be summarized as:
l Servers route queue messages between the queue owner and adjacent servers.
l The concept of zones and hops does not apply to queue messages (only to topic
messages).
The left side of the following image depicts an enterprise with three servers—P, R and S—
connected by routes. The remainder of the image illustrates the mechanisms that routes
queue messages among servers (center) and their clients (right side).
Example
When J sends a message to Q1, server P forwards the message to the home queue—Q1 on
server R.
Now the message is available to receivers on all three servers, P, R and S—although only
one client can consume the message. Either Q1 on P receives it on behalf of K; or Q1 on S
receives it on behalf of N; or M receives it directly from the home queue.
Producers
From the perspective of producer clients, a routed queue stores messages and forwards
them to the home queue. For example, when J sends a message to Q1 on server P, P
forwards it to the queue owner, R, which delivers it to Q1 (the home queue).
The message is not available for consumers until it reaches the home queue. That is, client
K cannot consume the message directly from server P.
If server R fails, or the route connection from P to R fails, P continues to store messages
from J in its queue. When P and R resume communication, P delivers the stored messages
to Q1 on R.
Similarly, routed queues do not generate an exception when the maxbytes and maxmsgs
limits are exceeded in the routed server. Clients can continue to send messages to the
queue after the limit is reached, and the messages will be stored in the routed server until
the error condition is cleared.
Consumers
From the perspective of consumer clients, a routed queue acts as a proxy receiver. For
example, when L sends a message to Q1 on server R, Q1 on P can receive it from R on
behalf of K, and immediately gives it to K.
If server P fails, or the route connection from P to R fails, K cannot receive messages from
Q1 until the servers resume communication. Meanwhile, M and N continue to receive
messages from Q1. When P and R resume communication, K can again receive messages
through Q1 on P.
Note: Receiving messages from a routed queue using either a small timeout
(less than one second) or no wait can cause unexpected behavior. A small
timeout value increases the chances that protocol messages may not be
processed correctly between the routed servers. For example, queue receivers
may not be correctly destroyed.
Configuration
You must explicitly configure each routed queue in queues.conf—clients cannot create
routed queues dynamically.
Warning: Dynamic routed queues are not supported. In a future release, the
server will consider a routed queue with a wildcard as a misconfiguration and
will fail to start when startup_abort_list includes CONFIG_ERRORS.
You may use the administration tool or administration API to configure routed queues; see
addprop queue and create queue.
To configure a routed queue, specify the queue name and the server name of the queue
owner; for example, on server P, configure:
Q1@R
Note: It is legal to use this notation even for the home queue. The queue owner
recognizes its own name, and ignores the location designation (@R).
Browsing
Queue browsers cannot examine routed queues. That is, you can create a browser only on
the server that owns the home queue.
Transactions
TIBCO Enterprise Message Service does not support transactional consumers on routed
queues (through the use of XA or local transacted sessions).
In the above image, servers A and B both configure active routes to one another. This
scenario will be used as an example to explain authentication and authorization for routes
in the following sections.
Authentication
When a server’s authorization parameter is enabled, other servers that actively connect
to it must authenticate themselves by user name and password, or by providing an OAuth
2.0 access token, depending on the server's user_auth parameter (see Authentication
Methods).
OAuth 2.0
When using oauth2 authentication, a server will authenticate other servers trying to
connect to it by validating the OAuth 2.0 access token presented by the connecting servers.
In the scenario depicted in the image above:
l Because A enabled authorization, B must configure its route to provide an OAuth
2.0 access token when connecting to A.
l However, because B disabled authorization, A need not identify itself to B. A does
not need to configure its route to provide an OAuth 2.0 access token when
connecting to B.
The following table describes all required and optional route configuration parameters
relating to the procurement of OAuth 2.0 access tokens. These parameters will need to be
specified for any route that is connecting to an EMS server configured with OAuth 2.0
authentication.
Parameter Description
Parameter Description
Parameter Description
See Authentication Using OAuth 2.0 more information about OAuth 2.0 authentication in
EMS.
ACL
When routing a secure topic or queue, servers consult the ACL specification before
forwarding each message. The servers must grant one another appropriate permissions to
send, receive, publish or subscribe.
For example, in above image, you don’t need an ACL for messages to flow from A (where a
producer is sending to) to B (where a consumer is consuming from) because B has
authorization turned off and messages are being sent to and consumed from queues.
However, if messages were to flow from B to A (producer connects to B and consumer
connects to A), then server A's ACL should grant user B send permission on the queue Q2.
If we were to use topics in this example, then for messages to flow from A to B, you would
need A to grant B the subscribe and durable permission on the topic (global on both
servers). And for messages to flow from B to A, you would have to grant topic B publish
permission on the topic.
Also see Authentication and Permissions.
Review the TIBCO Enterprise Message Service Release Notes for details about any
obsolete parameters that were removed from the current release.
l To convert a fault tolerant pair, use the -secondaryconf option to merge the two
tibemsd.conf files of a fault tolerant pair of servers.
Syntax
To convert a EMS server configuration to JSON, use the command:
where
l source-file is the path to the tibemsd.conf to be converted. Sub-file names and
locations are derived from the content of the tibemsd.conf file. When converting
servers in a fault tolerant pair, specify the configuration file for the primary server.
l ft-source-file is the path to the server configuration file for the second server in a fault
tolerant pair. Specify this path with the -secondaryconf option to convert a fault
tolerant pair.
l character-set-name is the name of the character set that was used to encode the
source-file (and ft-source-file, if given). Any character encoding supported by the Java
SE platform can be specified. Specify the encoding using the Canonical Name for
java.lang API.
When omitted, the expected encoding is UTF-8. Note that the output JSON file is
always encoded with UTF-8.
l output-file is the name and location of the new JSON file. This file must have the
.json extension. For example, tibemsd.json. If no path is specified, the file is
created in the current working directory.
l Alternately, specify -console to display the JSON output to the screen rather than
saving to file.
Examples
Example 1
Example 2
Monitor Messages
This section lists all the topics on which the server publishes messages for system events.
The message properties for messages published on each topic are also described.
See Monitor Server Events for more information about monitor topics and messages.
Property Contents
l Topic
l Queue
l Generic
l Route
l Unknown
Property Contents
event_action The action that caused the event. This property can have the
values listed in Event Action Property Values.
event_class The type of monitoring event (that is, the last part of the
topic name without the $sys.monitor).
event_reason The reason the event occurred (usually an error). The values
this property can have are described in Event Reason
Property Values.
event_route For routing, the route that the event occurred on.
l non_persistent
l reliable
Property Contents
source_name Name of the source object involved with the event. This
property can have the following values:
l XID (global transaction ID)
l message_id
l connections (number of connections)
l unknown (unknown name)
l Any server property name
l the name of the user, or anonymous
source_object Source object that was involved with the event. This
property can have the following values:
l producer
l consumer
l topic
l queue
l permissions
l durable
l server
l transaction
Property Contents
l user
l group
l connection
l message
l jndiname
l factory
l file
l limits (a limit, such as a memory limit)
l route
l transport
target_created Time that the consumer was created (in milliseconds since
the epoch).
Property Contents
target_name Name of the object that was the target of the event. This
property can have the following values:
l XID (global transaction ID)
l message_id
l connections (number of connections)
l unknown (unknown name)
l Any server property name
l the name of the user, or anonymous
target_object The general object that was the target of the event. This
property can have the following values:
l producer
l consumer
l topic
l queue
l durable
l server
l transaction
l user
l group
l connection
l message
l jndiname
l factory
Property Contents
l file
l limits (a limit, such as a memory limit)
l route
l transport
target_value Value of the object that was the target of the event, such as
the name of a topic, queue, and so on.
flow_engaged stored messages rise above a destination’s limit, engaging the flow
control feature
flow_disengaged stored messages fall below a destination’s limit, disengaging the flow
control feature
Resolution The resolution indicates possible recovery actions that administrators should
consider.
Errors These strings represent all instances of the error, as they appear in EMS
server code. Some categories have many error instances; others have only
one. These strings can include formatting characters.
Description An admin tool or program using the admin API attempted an operation that
failed for the given reason.
Resolution The admin tool or admin API provides the failure reason. The user of the tool
or API should examine the error and correct the syntax, parameter or
configuration that is causing the failure.
%s: create %s failed: conflicting zone: existing consumer has a different zone
%s: create %s failed: detected duplicate durable subscription [%s] for topic
[%s].
Authentication error
Resolution Ensure the user is defined to EMS by one of the methods allowed by the
user_auth parameter in the main configuration file. The user is either
specified by the application or in the TLS certificate. If the user is defined,
reset the password and try again.
LDAP authentication failed for user '%s', LDAP server not found.
Resolution Change the value of the named parameter to an acceptable value; for
information about tibemsd command line parameters, see EMS
documentation.
Cannot open pathmap file '%s': file not found or permission denied.
Server heartbeat client should be non-zero and no more than a third of the
client timeout server connection
Server heartbeat server should be non-zero and no more than a third of the
server timeout server connection
Client heartbeat server should be non-zero and no more than a third of the
server timeout client connection
Fault tolerant connection failed, fault tolerant mode not supported on '%s'.
Startup aborted.
Unable to bind storage thread for store '%s' to Processor Id: %d. Exiting!
Configuration error: Mixing of grid, FTL, and/or file stores is not supported,
please configure only one type.
Configuration error: FTL server trust file, admin user and password are
required for secure setup.
Compaction failed
Resolution The most likely cause of this error is running out of memory. Shut down
tibemsd and see remedies for Out of memory.
Errors Compaction of store '%s' failed: %d (%s). Please shutdown and restart
Compaction failed
tibemsd.
Description The durables configuration file specifies a durable with a given name and
client identifier with attributes that are different from the identically named
durable found in the meta.db file.
Resolution Correct the durables configuration file to match the durable defined in the
meta.db file or administratively delete the durable and re-define it.
Errors Configured durable '%s' differs from durable in storage, storage version used.
Create of global routed topic failed: not allowed to create dynamic topic
Description A server received an interest notification from another server that does not
match the allowed topics in its configuration.
Resolution This only is printed when the trace includes ROUTE_DEBUG. If the server's
topic definitions are as expected, this statement can be ignored or remove
the ROUTE_DEBUG trace specification to prevent printing.
Errors Create of global routed topic failed: not allowed to create dynamic topic [%s].
Description A warning indicating that a tibemsd with a route to this daemon has a queue
configured to be global but this daemon does not permit the creation of that
queue dynamically.
Resolution Add the specified queue or a pattern that includes it to this daemon if you
want the queue to be accessible from this daemon, otherwise the warning
can be ignored.
Errors Create of routed queue failed: not allowed to create dynamic queue [%s].
Resolution Send details of the error and the situation in which it occurred to TIBCO
Support.
Resolution Check your database server vendor and database administrator for failures
occuring during writes,deletes,reads of different records, for failures occuring
during database store open check with the database administrator for
permissions and the existence of the database. For failures occuring during a
FT setup where all the stores are database stores, please check with the
database server vendor or database administrator. In the case where both
are active, we recommend shutting down both the servers and investigating
the problem.
Failed to write valid msg record in store [%s]: [ ESTATUS = %d, ERRSTR = %s
]
Durable consumer was found in the store file for a route that does not exist
Description On server startup a durable consumer was found in the store file for a route
that is not listed in the routes.conf file. This happens if the routes.conf file
is manually edited.
Errors Discarding durable '%s' for route '%s' because the route does not exist.
Resolution Module loading is affected by the presence of shared libraries in the module
path. Use the +load tracing flag to get more information about how the
server is loading modules. See the section on Starting the EMS Server for
more details.
Loaded %s
Unable to locate %s
Description Warning generated when tibemsd receives a message with a message id that
matches another message's message id.
The server will attempt to trace warnings about destinations that are growing
unbounded above %lld bytes or %lld messages.
The server will attempt to trace warnings about destinations that are growing
unbounded above %lld %s.
Resolution Examine the appropriate configuration file and correct the syntax error.
Errors Configuration warning: file=%s, line=%d: route '%s' does not have a user
configured for authorization.
Configuration error: file=%s, line=%d: ignored alias '%s' for %s '%s' because
such alias already exists
Configuration error: The specified file '%s' is empty or does not exist
Configuration error: file=%s, line=%d: multiple bridge entries for the same
destination '%s' are not allowed.
Configuration error: file=%s, line=%d: Ignoring durable, route does not allow
clientid, selector or nolocal.
Configuration error: file=%s, line=%d: Route '%s' does not exist for configured
durable.
Configuration error: file=%s, line=%d: ignored alias '%s' for factory because
such alias already exists
Configuration error: file=%s, line=%d: ignored route '%s' because route has
invalid zone information.
Configuration error: file=%s, line=%d: ignored route '%s' because route with
such name or URL already exists.
TLS Configuration error: file=%s, line=%d: invalid private key file name,
unknown extension or invalid encoding specification
Configuration warning: monitor_listen is set more than once, using last value
in the file
Configuration error: file=%s, line=%d: errors in line, some options may have
been ignored
Fault standby lock check error: file=%s, line=%d: invalid property value
Configuration error: file=%s, line=%d: ignoring invalid value '%s' for property
'%s'
Configuration error: file=%s, line=%d: invalid line syntax or line out of order
Configuration error: file=%s, line=%d: invalid value '%s' for parameter '%s'
Configuration error: file=%s, line=%d: value less than allowed minimum, reset
to 0
Configuration error: file=%s, line=%d: Invalid value or value does not fall
between %d and %d
Configuration error: file=%s, line=%d: channel '%s', invalid address: port must
be in the range 1 to 65535
Configuration error: file=%s, line=%d: channel '%s', ttl must be in the range 1
to 255
Configuration error: file=%s, line=%d: Error parsing the RV Queue Limit Policy
value '%s'. Defaulting to TIBRVQUEUE_DISCARD_NONE policy
Attempting to change the type of existing store '%s' from '%s' to '%s'. Store
type changes are not permitted.
Only stores of type 'file' are permitted. Unable to create store '%s' of type
'%s'
Errors Error writing commit request, errors already occurred in this transaction.
Description tibemsd was unable to update one of its configuration files following a
configuration change.
Resolution Check that the user that started the tibemsd has permission to change the
configuration files and that there is sufficient disk space on the device.
Error occurred while updating main configuration file '%s'. Configuration has
not been saved.
Description tibemsd was unable to write data to one of its store files.
Resolution Ensure that the directory containing the store files is mounted and accessible
to the tibemsd, and that there is free space available on the device
Failed writing purge state for queue '%s': I/O error or out of disk space.
Failed writing purge state for topic consumer: I/O error or out of disk space.
Description The system resources are inadequate for timely processing of server
activities.
Resolution Increase the specified resource or reduce the workload on this server.
Errors WARNING: Slow clock tick %d seconds, delayed messaging and timeouts may
occur. System appears overloaded.
Missed transfer of global lock before a slow operation was reported. Last
offender grabbed lock around %d milliseconds ago.
WARNING: Slow write to store (%s) (valid rec %g) lasted around %lld
milliseconds.
WARNING: Slow write to store (%s) (%d %s recs) lasted around %lld
milliseconds.
WARNING: Slow write to store (%s) (%lld tombstones and %lld msg recs size
%lld) lasted around %lld milliseconds.
WARNING: Slow write to store (%s) (removing %lld recs) lasted around %lld
milliseconds.
Resolution Shutdown process that is using the port or change the value of the 'listen'
parameter in the server's tibemsd.conf file to a port that is not in use.
Resolution Check that the path name is correct and the directory exists, the user that
started tibemsd has permission to read the specified directory and path, the
file exists if it isn't one that the tibemsd can create, the file is not being used
by another tibemsd or some other process.
Unable to truncate file '%s': Length is less than the header record
Description An error occurred while starting or running the server in FIPS 140-2 compliant
mode.
Resolution Check the configuration of TLS related parameters to make sure that no
incompatible ciphers or operations are requested.
Resolution Correct the FTL transport in the EMS configuration and/or the Application in
the FTL server.
Constants (none).
Exception Summary: %s
Exception:\n%s
The FTL application for this transport was administratively disabled. Please
restart this server to re-enable this FTL transport.
Username: %s
Password: %s
Trust File: %s
Missing ftl_trustfile value. Trusting any FTL server without verifying trust in its
certificate. This is not secure.
Log Level: %s
Application Name: %s
Discard Policy: %s
Discard Amount: %d
FTL Advisory:
Unable to initialize FTL Transport (%s). For more information, enable FTL
tracing.
Conversion from EMS message type (%d) to a FTL message is not supported.
Endpoint: %s
Import Parameters
Match String: %s
Subscriber Name: %s
Export Parameters
Format: %s
Internal error
Resolution Send the error statement and a description of the environment to TIBCO
Support.
Internal error
Problem trying to recover routed consumer for queue %s: setting recover
message. Error: %s
Handling of route flow stall recovery request from %s failed: unable to get
message property %s: %s
Handling of route flow stall recovery request failed: Unable to get message
properties:%s
Failed to send acknowledge to the stall recover request of server %s, will try
later. Error: %s
Internal error
Internal error
Invalid connection
Invalid connection
messages across a route to another tibemsd but was unable to find the
connection for that route.
Errors Recovery flow stall for destination %s failed: invalid route connection
Invalid destination
Errors %s: create %s failed: Not permitted to use reserved queue [%s].
Description The server could not parse the listen parameter in the tibemsd.conf file
Resolution Correct the listen parameter to match the form [protocol]://[url] as specified
in the manual.
Invalid session
Description tibemsd received a request that referred to a session that doesn't currently
exist.
Resolution Send details of the error and the situation in which it occurred to TIBCO
Support.
Resolution Examine the error code printed by the messaging server and consult the
manual for the external LDAP server.
Errors Filter '%s' contains an illegal type substitution character, only %%s is
allowed
Filter '%s' contains too many occurrences of %%s, max allowed is: %d
Missing %s parameter
LICENSE WARNING
Resolution This error only occurs with the evaluation version of the server or in an
embedded form. To correct this error either replace your evaluation version
with a production version or contact the vendor who supplied the embedded
version.
Missing configuration
Resolution Change the tibemsd.conf file so that a value for the attribute is provided.
Missing transaction
Description A client application attempted to change the state of a transaction that the
tibemsd does not have in its list of current transactions.
Resolution Check tibemsd trace logs to see if the transaction had been committed or
rolled back by an administrator, if not then check the client code to see if it
or its transaction manager are calling the transaction operations in the
correct order.
Description Indicates that a multicast channel's allotted bandwidth has been exceeded.
Resolution Either slow down the publisher(s), enable flow control, or increase the
multicast channel's allotted bandwidth by increasing the channel's maxrate
property or increasing the server's multicast_reserved_rate property.
Resolution Check the configuration of the Multicast Daemon and Server, as well as the
health of the network.
Statistics disabled.
Interface IP address: %s
Tracing enabled.
Tracing disabled.
%s, status=%s
Channel configuration from server does not match existing channel \'%s\'
Description General multicast errors that can occur in the Server and Multicast Daemon.
Resolution Check the configuration of the Multicast Daemon and Server, as well as the
health of the network.
Resolution
Missing grid trust file value. Trusting any grid without verifying trust in its
certificate. This is not secure.
Missing grid user name and/or user password value, so will attempt grid
connection without credentials. This is not secure.
Unable to retrieve user name and/or user password value from file, so will
attempt grid connection without credentials. This is not secure.
Missing FTL store trust file value. Trusting any FTL server without verifying
trust in its certificate. This is not secure.
Missing FTL store user name and/or user password value, so will attempt FTL
store connection without credentials. This is not secure.
Unable to retrieve user name and/or user password value from file, so will
attempt FTL store connection without credentials. This is not secure.
Out of memory
Resolution Check how much memory the server process is using according to the
operating system. Compare this with how much memory and swap space the
host actually has. If there are sufficient memory and swap space, check the
operating system limits on the server process to determine if this is the
cause. If the limits are set to their maximum and this error occurs, reduce the
load on this server by moving some topics and queues to another server.
Error during routed queue configuration, can not create routed queue
Out of memory
consumer
Error during route configuration, can not create routed queue consumer,
err=%s
No memory.
No memory: %s.
Out of memory
Out of memory
Out of memory
Out of memory
Out of memory
Out of memory
Description The tibemsd received an XA End instruction from the third party Transaction
Manager which referred to a different transaction from the one currently in
use by the session.
Resolution This error is most likely caused by an external transaction manager that
allowed two separate client applications to use the same XA transaction
identifier (XID). Consult the manual for the transaction manager or report this
to the transaction manager vendor.
Errors Cannot process xa start for a session when another transaction is already
active on that session. connID=% PRINTF_LLFMT d sessID=% PRINTF_LLFMT d
%s
All clients participating in the same global transaction must use the same
protocol, connID=% PRINTF_LLFMT d
Invalid xa start (resume) request: the session was not previously suspended.
connID=% PRINTF_LLFMT d sessID=% PRINTF_LLFMT d %s
Invalid xa end request: the session was neither associated with a transaction
nor suspended. connID=% PRINTF_LLFMT d sessID=% PRINTF_LLFMT d %s
Resolution Send details of the error and the situation in which it occurred to TIBCO
Support.
Unable to serve the flow stall recover request from server %s, invalid request.
Unable to server the flow stall recover request from server %s, invalid
consumer.
Invalid %s message
No closure.
Recovery errors
Resolution If you are not able to fix the problem and need to restart the system, make a
backup of the store files and restart the server with the '-forceStart'
command line parameter. The server will then attempt to start regardless of
errors (except out-of-memory errors). In this mode, application messages
and/or internal records causing problems (due to file corruption or other) will
be deleted. Therefore, dataloss is likely to occur, so this command line
parameter should be used with extreme caution and only after understanding
the consequences. A copy of the store files can be sent to TIBCO Support for
post-mortem analysis.
Errors The recovery process stopped while processing a '%s' record (id=% PRINTF_
LLFMT d), error: %d - %s. Check the section 'Error Recovery Policy' from
chapter 'Running the EMS Server' in the User Guide before attempting to
restart the server
The recovery process stopped while processing a '%s' record (id=% PRINTF_
LLFMT d) due to an out-of-memory condition. Ensure that the system can
allocate sufficient memory to the EMS Server process before restarting it
Recovery errors
Zone '%s' is defined as type '%s' in configuration but also is defined as type
'%s' in meta.db
Recovery errors
Description A client application attempted to connect to the server's TCP port using the
TLS protocol.
Resolution Change the client application's URL from ssl to tcp or change the server's
listen parameter from tcp to ssl. To activate a change of the server listen
parameter requires a restart of the server.
Description A client application attempted to connect to the server's TLS port using the
TCP protocol.
Resolution Change the client application's URL from tcp to ssl or change the server's
listen parameter from ssl to tcp. To activate a change of the server listen
parameter requires a restart of the server.
Description The multi-hop route support of the server does not support configuring a
cycle. However, it detected a configuration that would create a cycle.
Resolution See Rendezvous documentation for details of what the error means and how
to remedy it.
Errors Unable to create dispatcher for import event for %s '%s' on transport '%s',
error is %s
Unable to create inbox for import event for %s '%s' on transport '%s'
Unable to queue the request type: %d. Transport '%s', destination '%s', CM
Sender '%s', CM Sequence % PRINTF_LLFMT u . Error: %d (%s)
Unable to queue the request type: %d. Transport '%s', destination '%s'. Error:
%d (%s)
Unable to restart the CM Listener for %s '%s' (RVCM Transport '%s'). Error
code: %d '%s'
Unable to create the timer for the restart of the CM Listener for %s '%s'
(RVCM Transport '%s'). Error code: %d '%s'
Unable to stop the CM Listener for %s '%s' (RVCM Transport '%s'). Error code:
%d '%s'
Description Seen when tibemsd starts up and detects that the zone for a route as
specified in routes.conf has been changed.
Resolution Either delete the route or change its zone back and restart the tibemsd.
Errors Restoring consumer failed: Conflicting zone for route to [%s]: The route was
initially zone \%s\ type %s, but now \%s\ type %s. Zone change not allowed
while there are durable subscribers. Please delete the route first and create
new one.
Description Warnings indicating that the tibemsd has run out of memory and is now
using its reserve memory
Resolution Check the status of both servers (primary, secondary). In case of both active,
the file store data may be corrupted already and we recommend shutting
down both servers and investigating the situation.
The active EMS server does not hold the lock on meta store
The standby EMS server could not find the specified meta store.
The active EMS server name is %s while the standby EMS server name is %s.
The names must be the same
A standby EMS server (%s) is already connected to the active EMS server
Cannot determine which server should be active because both servers have
been forced to start separately. Please force one of them to start (\forcestart\
tibemsadmin command). The other server will discard its data.
This standby server is joining an active server and both have previously been
forced to start. This server is discarding its data.
Store '%s' on the active server has a different file name than on the standby
server
The configuration used on startup is incompatible with the one sent by the
active server. Exiting!
Resolution Examine the OpenSSL error and the EMS User Guide chapter describing the
use of TLS.
Failed to initialize TLS: can not load certificates and/or private key and/or
CRL file(s) and/or ciphers.
Description The store files specified were created from a different version of EMS that is
not supported by this version.
Resolution Revert to use the version of EMS that created the store file or locate the store
file conversion tool and use it to convert the store file to this version.
Resolution Report the error to your system administrator and ask them to remedy the
problem.
Errors Accept() failed: too many open files. Please check per-process and system-
wide limits on the number of open files.
Could not resolve hostname '%s'. Possibly default hostname is not configured
properly while multiple network interfaces are present.
Resolution Send details of the error and the situation in which it occurred to TIBCO
Support.
Errors Cannot request second state change for transaction while the first
request is in progress (%d, %d) %s.
Transaction timeout.
Transaction timeout.
Resolution Most likely, transaction manager error prevented it from advancing this
transaction in a timely manner. Verify correct operation of the transaction
manner.
Resolution Send details of the error and the situation in which it occurred to TIBCO
Support.
Unrecognized option
Resolution Run the server with the -help option and compare it with the command line
containing the unrecognized option.
Monitoring issues
Resolution Various.
Description An attempt to authenticate a client using the external OAuth server failed.
Resolution Examine the error code printed by the messaging server and consult the
manual for the external OAuth server.
Product-Specific Documentation
The following documentation for this product is available on the TIBCO Enterprise Message
Service™ Product Documentation page:
l TIBCO Enterprise Message Service™ Release Notes
l TIBCO Enterprise Message Service™ Installation
l TIBCO Enterprise Message Service™ User Guide
l TIBCO Enterprise Message Service™ C and COBOL Reference
l TIBCO Enterprise Message Service™ Java API Reference
l TIBCO Enterprise Message Service™ .NET API Reference
l TIBCO Rendezvous®
l TIBCO® EMS Client for z/OS (CICS)
l TIBCO® EMS Client for z/OS (MVS)
l TIBCO® EMS Client for IBM i
USE OF CLOUD SG SOFTWARE AND CLOUD SERVICES IS SUBJECT TO THE TERMS AND CONDITIONS
OF AN AGREEMENT FOUND IN EITHER A SEPARATELY EXECUTED AGREEMENT, OR, IF THERE IS NO
SUCH SEPARATE AGREEMENT, THE CLICKWRAP END USER AGREEMENT WHICH IS DISPLAYED WHEN
ACCESSING, DOWNLOADING, OR INSTALLING THE SOFTWARE OR CLOUD SERVICES (AND WHICH IS
DUPLICATED IN THE LICENSE FILE) OR IF THERE IS NO SUCH LICENSE AGREEMENT OR CLICKWRAP
END USER AGREEMENT, THE LICENSE(S) LOCATED IN THE “LICENSE” FILE(S) OF THE SOFTWARE. USE
OF THIS DOCUMENT IS SUBJECT TO THOSE SAME TERMS AND CONDITIONS, AND YOUR USE HEREOF
SHALL CONSTITUTE ACCEPTANCE OF AND AN AGREEMENT TO BE BOUND BY THE SAME.
This document is subject to U.S. and international copyright laws and treaties. No part of this
document may be reproduced in any form without the written authorization of Cloud Software
Group, Inc.
TIBCO, the TIBCO logo, the TIBCO O logo, TIBCO Cloud Integration, TIBCO Flogo Apps, TIBCO Flogo,
TIB, Information Bus, TIBCO Enterprise Message Service, Rendezvous, and TIBCO Rendezvous are
either registered trademarks or trademarks of Cloud Software Group, Inc. in the United States and/or
other countries.
Java Platform Enterprise Edition (Java EE), Java 2 Platform Enterprise Edition (J2EE), and all Java-
based trademarks and logos are trademarks or registered trademarks of Oracle Corporation in the
U.S. and other countries.
All other product and company names and marks mentioned in this document are the property of
their respective owners and are mentioned for identification purposes only. You acknowledge that all
rights to these third party marks are the exclusive property of their respective owners. Please refer to
Cloud SG’s Third Party Trademark Notices (https://www.cloud.com/legal) for more information.
This document includes fonts that are licensed under the SIL Open Font License, Version 1.1, which is
available at: https://scripts.sil.org/OFL
Copyright (c) Paul D. Hunt, with Reserved Font Name Source Sans Pro and Source Code Pro.
Cloud SG software may be available on multiple operating systems. However, not all operating
system platforms for a specific software version are released at the same time. See the “readme” file
for the availability of a specific version of Cloud SG software on a specific operating system platform.
THIS DOCUMENT IS PROVIDED “AS IS” WITHOUT WARRANTY OF ANY KIND, EITHER EXPRESS OR
IMPLIED, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY,
FITNESS FOR A PARTICULAR PURPOSE, OR NON-INFRINGEMENT.
This and other products of Cloud SG may be covered by registered patents. For details, please refer
to the Virtual Patent Marking document located at https://www.tibco.com/patents.