missing_link
Posted: Thu Jun 21, 2012 3:06 am    Post subject: WMB and SSL
Acolyte
Joined: 08 Jan 2004    Posts: 60
If I have two key entries in my broker keystore (say aliases A and B), how does the broker know which keys to use when it makes the HTTPS call to the separate remote web services?
cheers
ash.
mqjeff
Posted: Thu Jun 21, 2012 3:09 am
Grand Master
Joined: 25 Jun 2008    Posts: 17447
What's it going to use the key for?
Asserting its own identity? Or validating the identity of the other side?
missing_link
Posted: Thu Jun 21, 2012 3:21 am
Acolyte
Joined: 08 Jan 2004    Posts: 60
The one I'm adding is to identify itself to an (internally hosted) web service - we are setting this up for mutual authentication given the sensitive nature of the data that it is accessing. We've done the cert exchange and added the remote host's cert into the broker's truststore, and this is working quite happily.
I'm not too clear on the history of the original - although this setup has been working in production for approx. 2 years.
I should add that this is WMB 6.1. And I think I'm setting it up correctly, or at least it works!! (create keypair in broker keystore, extract and give cert to remote host, add remote host cert into broker truststore)
thanks
ash.
mqjeff
Posted: Thu Jun 21, 2012 3:26 am
Grand Master
Joined: 25 Jun 2008    Posts: 17447
So you're trying to give Broker two entirely separate identities, such that one web service thinks that Broker is cert A and one web service thinks that Broker is cert B?
fjb_saper
Posted: Thu Jun 21, 2012 3:38 am
Grand High Poobah
Joined: 18 Nov 2003    Posts: 20756    Location: LI,NY
missing_link wrote:
    The one I'm adding is to identify itself to an (internally hosted) web service - we are setting this up for mutual authentication given the sensitive nature of the data that it is accessing. We've done the cert exchange and added the remote host's cert into the broker's truststore, and this is working quite happily.
    I'm not too clear on the history of the original - although this setup has been working in production for approx. 2 years.
    I should add that this is WMB 6.1. And I think I'm setting it up correctly, or at least it works!! (create keypair in broker keystore, extract and give cert to remote host, add remote host cert into broker truststore)
    thanks
    ash.
This is where self-signed certs hit the usability barrier. It is often of better advantage to use a CA-signed cert, even with an internal CA (no cost), and check as well the SSL peer values...
This being said, and if my memory serves me well, all you need is an adequate cert in the truststore. Java is supposed to figure out which cert to use on the receiving end.... Now I'd look at configurable services to set up the cert at the sending end...
MQ & Broker admin
Last edited by fjb_saper on Thu Jun 21, 2012 3:45 am; edited 1 time in total
missing_link
Posted: Thu Jun 21, 2012 3:43 am
Acolyte
Joined: 08 Jan 2004    Posts: 60
I don't know if it's a correct assumption, which is why I started thinking how the hell does this work. I have a feeling that the key currently in the keystore should have been imported as a trusted cert into the broker's truststore, but that was before my time.
Although the InfoCentre does state:
"Put all private keys and public key certificates (PKC) in the keystore"
I may be misinterpreting that, but that sounds to me like you can have multiple keys in this keystore. And therefore, if it has multiples, how does it know which to use?
I have set up broker (and MQ) before to use SSL, although it's been a while, but haven't looked at doing mutual authentication before.
ash.
fjb_saper
Posted: Thu Jun 21, 2012 3:50 am
Grand High Poobah
Joined: 18 Nov 2003    Posts: 20756    Location: LI,NY
missing_link wrote:
    I don't know if it's a correct assumption, which is why I started thinking how the hell does this work. I have a feeling that the key currently in the keystore should have been imported as a trusted cert into the broker's truststore, but that was before my time.
    Although the InfoCentre does state:
    "Put all private keys and public key certificates (PKC) in the keystore"
    I may be misinterpreting that, but that sounds to me like you can have multiple keys in this keystore. And therefore, if it has multiples, how does it know which to use?
    I have set up broker (and MQ) before to use SSL, although it's been a while, but haven't looked at doing mutual authentication before.
    ash.
The cert being checked on the receiving end just has to be in the truststore. Java will then figure out which one it is on its own. If you have a lot of them, this may take more time, as the SSL will iterate between the certs until it finds a suitable one... This is why using a CA-signed cert (internal CA) makes things easier: the trusted CA cert is the same for everybody and speeds up the SSL handshake... All you have to do on the receiving end then is to check the SSL peer values sent by the sender... and those should be relatively unique to the purpose of the cert... and certainly unique to the sender... (CN=...)
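The "check the SSL peer values" step from the post above, as an added example that is not part of the thread or of WebSphere Message Broker: a receiving side that has completed a mutually authenticated TLS handshake authorises the client by its certificate subject. The subject strings and allowlist are constructed for the demo. It also shows why a CN-only check is weaker than matching the whole DN: two certificates from the same internal CA can share a CN and differ only in OU. The check is only meaningful after the TLS layer has already validated the chain to a trusted CA; a subject string on its own proves nothing.

```java
import java.util.Collections;
import java.util.Set;
import javax.naming.InvalidNameException;
import javax.naming.ldap.LdapName;
import javax.naming.ldap.Rdn;
import javax.security.auth.x500.X500Principal;

/**
 * Added example (not WMB code): authorising a TLS peer by certificate subject.
 * In a real service the X500Principal comes from the verified peer certificate,
 * e.g. session.getPeerCertificates()[0].getSubjectX500Principal().
 */
public class PeerSubjectCheck {

    /** Extracts the CN attribute from an X.500 subject, honouring RFC 2253 escaping. */
    static String commonName(X500Principal subject) {
        try {
            LdapName dn = new LdapName(subject.getName(X500Principal.RFC2253));
            for (Rdn rdn : dn.getRdns()) {
                if ("CN".equalsIgnoreCase(rdn.getType())) {
                    return rdn.getValue().toString();
                }
            }
        } catch (InvalidNameException e) {
            // An unparseable DN is treated as "no CN"; the caller must then reject.
        }
        return null;
    }

    /**
     * Full-DN allowlist: X500Principal.equals() compares canonical forms, so
     * spacing and attribute case differences in the DN string do not matter,
     * while a different OU or O does.
     */
    static boolean isAllowedPeer(X500Principal subject, Set<X500Principal> allowed) {
        return allowed.contains(subject);
    }

    public static void main(String[] args) {
        // Constructed sample data: one authorised broker identity issued by an internal CA.
        Set<X500Principal> allowed = Collections.singleton(
            new X500Principal("CN=broker-prod, OU=Integration, O=Example Corp"));

        X500Principal broker  = new X500Principal("CN=broker-prod,OU=Integration,O=Example Corp");
        X500Principal spoofed = new X500Principal("CN=broker-prod, OU=Dev, O=Example Corp");

        System.out.println("peer CN: " + commonName(broker));
        System.out.println("broker allowed:  " + isAllowedPeer(broker, allowed));
        // Same CN, different OU: a CN-only comparison would accept this one, the DN check rejects it.
        System.out.println("spoofed allowed: " + isAllowedPeer(spoofed, allowed));
    }
}
```

If the internal CA lets several teams request certificates, pin the whole DN (or CN plus issuer), not the CN alone; the CN is only as unique as the CA's issuance policy makes it.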
mqjeff
Posted: Thu Jun 21, 2012 3:53 am
Grand Master
Joined: 25 Jun 2008    Posts: 17447
At least at 6.1, I'm quite positive that an EG can only have a single key in its keystore.
I mean, you'll end up with multiple signer certs, but only one private key.
There's nothing that stops you from putting more in there, it's just only ever going to use one...
fjb_saper
Posted: Thu Jun 21, 2012 4:00 am
Grand High Poobah
Joined: 18 Nov 2003    Posts: 20756    Location: LI,NY
mqjeff wrote:
    At least at 6.1, I'm quite positive that an EG can only have a single key in its keystore.
    I mean, you'll end up with multiple signer certs, but only one private key.
    There's nothing that stops you from putting more in there, it's just only ever going to use one...
You mean to say that @ 6.1 you cannot choose the location of the keystore / truststore in a configurable service and pass the identity referring to that service in the node? I would have thought that this allows you to impersonate any sender if you have the right certs and private key in the keystore... (one keystore and keystore file per identity)
missing_link
Posted: Thu Jun 21, 2012 4:17 am
Acolyte
Joined: 08 Jan 2004    Posts: 60
An internal CA would be nice.
I looked at setting this up at the execution group level. Use mqsichangeproperties to point the EG to the key/trust store. Simple.
But the docs for setting the passwords say to use the same commands as for setting the broker keystore passwords (i.e. mqsisetdbparms). These commands are the same format (or at least as documented) as for setting the broker JKS passwords.
That confused me, because then wouldn't you be changing the passwords the broker already uses, or is the intent that you use the same passwords for all the keystores? Or do you use a slightly different syntax in this instance?
thanks
ash.
fjb_saper
Posted: Thu Jun 21, 2012 4:23 am
Grand High Poobah
Joined: 18 Nov 2003    Posts: 20756    Location: LI,NY
I thought the passwords were specific to the configurable service...
Now it certainly is a possibility to use the same password for multiple keystores / truststores if they are all to be used by the same EG... whether this is advisable is a different question...