SSL Certificates for People
pfarrel
Posted: Thu Jan 16, 2014 7:56 am    Post subject: SSL Certificates for People
Centurion
Joined: 16 Mar 2004    Posts: 120    Location: Kansas City
I am thinking of creating SSL certificates for individual people who access MQ. Each person would have their own certificate. When they connect to MQ the queue manager will know who it is by looking at the certificate, since only one person would have that specific certificate.
I am wondering if this is a good idea, or if I will run into problems. The issue we are trying to address is the fact that MQ doesn't check passwords. I know I can inspect a certificate and assert a server side userid with Channel Authentication. Can I store something unique (such as the person's payroll number) in the distinguished name? How do I protect the certificate from being accessed/copied by another person? I was thinking that if the owner of the certificate put a password on the certificate repository on their client system, then that would do it. I'm assuming I will need both a CMS and a JKS repository on each client. What if an MQ program is not designed to present a Cipherspec? Does that mean that I won't be able to use that particular program?
RogerLacroix
Posted: Thu Jan 16, 2014 4:09 pm    Post subject: Re: SSL Certificates for People
Jedi Knight
Joined: 15 May 2001    Posts: 3264    Location: London, ON Canada
pfarrel wrote:
    The issue we are trying to address is the fact that MQ doesn't check passwords.
But there is a solution (MQAUSX) in the MQ market that does solve this problem.
pfarrel wrote:
    I know I can inspect a certificate and assert a server side userid with Channel Authentication.
Hopefully, each application will have its own UserID and then you use MQ's OAM to perform authorization.
pfarrel wrote:
    Can I store something unique (such as the person's payroll number) in the distinguished name?
Why don't you just use their UserID?
pfarrel wrote:
    How do I protect the certificate from being accessed/copied by another person? I was thinking that if the owner of the certificate put a password on the certificate repository on their client system, then that would do it.
Hopefully, you are not talking about a Desktop PC.
pfarrel wrote:
    What if an MQ program is not designed to present a Cipherspec? Does that mean that I won't be able to use that particular program?
Then you are SOL. If you are lucky, you may be able to run the program via a CCDT file, and the CCDT file will contain your SSL info.
Here are some MQ SSL disadvantages:
- SSL Certificates must be purchased yearly at a cost of roughly $400 USD each.
- SSL certificates expire, requiring regular repurchase, renewal and then the MQAdmin needs to deploy the SSL certificates.
- There is no logging capability to see who accessed which queue manager.
- This form of security is only as secure as the integrity of the client side certificates. Anyone who possesses a copy of the certificate will have full access (It is extremely easy to copy a keystore on a Windows Server).
- SSL is Node-to-Node security and NOT End-to-End security. Node-to-Node security means that any application running on the server can connect to the queue manager. It is far better to control each application that is connecting to a queue manager (i.e. End-to-End).
- SSL cannot stop an application from connecting with a blank or “mqm” UserID (must use CHLAUTH)
Regards,
Roger Lacroix
Capitalware Inc.
_________________
Capitalware: Transforming tomorrow into today.
Connected to MQ!
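Roger's last bullet points at CHLAUTH, which is also the mechanism pfarrel mentions for asserting a server side user id from the certificate. The MQSC below is an added illustration of that setup, not part of either post and not Capitalware's code; the queue manager, the channel name APP.SVRCONN, the distinguished names and the client address are constructed placeholders.

```mqsc
* Constructed example (not from either poster). Channel APP.SVRCONN, the
* DNs and the address are placeholders; substitute your own values.

* 1. Require every client on this channel to present a certificate, and give
*    connections that no rule maps an unprivileged default identity rather
*    than trusting the user id the client asserts.
ALTER CHANNEL('APP.SVRCONN') CHLTYPE(SVRCONN) +
      SSLCIPH(TLS_RSA_WITH_AES_128_CBC_SHA256) +
      SSLCAUTH(REQUIRED) +
      MCAUSER('nobody')

* 2. Map each person's certificate DN to their own MCAUSER. The OAM then
*    authorizes that user id, so nothing like a payroll number is needed
*    in the DN; the CN alone identifies the person.
SET CHLAUTH('APP.SVRCONN') TYPE(SSLPEERMAP) +
    SSLPEER('CN=pfarrel,OU=MQ Users,O=Example Corp') +
    MCAUSER('pfarrel') ACTION(ADD)
SET CHLAUTH('APP.SVRCONN') TYPE(SSLPEERMAP) +
    SSLPEER('CN=jdoe,OU=MQ Users,O=Example Corp') +
    MCAUSER('jdoe') ACTION(ADD)

* 3. Any other certificate from the same organisation is refused instead of
*    falling through to the channel default. This rule is less specific
*    than the per-person rules above, so those still win when they match.
SET CHLAUTH('APP.SVRCONN') TYPE(SSLPEERMAP) +
    SSLPEER('O=Example Corp') USERSRC(NOACCESS) ACTION(ADD)

* 4. Block privileged ids (mqm and other MQ administrators) regardless of
*    what the mapping produced, which addresses the "blank or mqm" bullet.
SET CHLAUTH('APP.SVRCONN') TYPE(BLOCKUSER) +
    USERLIST('*MQADMIN') ACTION(ADD)

* 5. Before rollout, check which rule a given certificate and address would
*    hit and what user id the connection would run as.
DISPLAY CHLAUTH('APP.SVRCONN') MATCH(RUNCHECK) +
        SSLPEER('CN=pfarrel,OU=MQ Users,O=Example Corp') +
        ADDRESS('192.0.2.10')
```

Run the fragment with runmqsc against the queue manager; copying a keystore still grants the mapped identity, which is Roger's point about certificate integrity, so this controls which id a certificate gets, not who holds the certificate.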