Partha.Baidya |
Posted: Tue Jan 23, 2018 8:18 am Post subject: SOAPInput (One way SSL)accepts any certificates from SOAPUI |
|
|
 Voyager
Joined: 05 Nov 2009 Posts: 97
|
We have a provider flow hosted in IIBv10 using SOAP Input/SOAP Reply nodes using the HTTPS protocol. HTTPS has been implemented using TLS v1.2 one-way SSL.
We have followed the steps mentioned in https://www.ibm.com/support/knowledgecenter/en/SSMKHH_10.0.0/com.ibm.etools.mft.doc/ap34021_.htm
We have done the following, apart from setting PKI at the Integration Node level using a key store JKS file.
mqsichangeproperties integrationNodeName -e integration_server_name -o HTTPSConnector -n explicitlySetPortNumber -v port_number
mqsichangeproperties integrationNodeName -b httplistener -o HTTPSConnector -n clientAuth -v false
mqsichangeproperties integrationNodeName -e integration_server_name -o HTTPSConnector -n sslProtocol -v TLSv1.2
Once the above had been set up, we used an IIB consumer flow; if the consumer flow uses any signer certificate other than the correct certificate, it gets an authentication failure.
But this is not the case while testing using the SOAPUI tool. In SOAPUI, if the trust store is not set up, it gets an authentication error. But if the trust store contains any certificate which is not a correct certificate for the provider flow, SOAPUI does not get an authentication failure and is able to call the service successfully.
We are not sure how SOAPUI is able to authenticate successfully without having the proper client side certificate.
Vitor |
Posted: Tue Jan 23, 2018 8:21 am Post subject: Re: SOAPInput (One way SSL)accepts any certificates from SOA |
|
|
 Grand High Poobah
Joined: 11 Nov 2005 Posts: 26093 Location: Texas, USA
|
Partha.Baidya wrote: |
We are not sure how SOAPUI is able to authenticate successfully without having the proper client side certificate. |
Are you asking us how SoapUI works?  _________________ Honesty is the best policy.
Insanity is the best defence. |
Partha.Baidya |
Posted: Tue Jan 23, 2018 8:37 am Post subject: |
|
|
 Voyager
Joined: 05 Nov 2009 Posts: 97
|
I am not asking how SOAPUI works.
I am asking how IIB v10 is successfully authenticating a SOAP request without having proper signer certificates.
If this is the case, then anyone using SOAPUI can violate the security of IIB provider services in Production.
Vitor |
Posted: Tue Jan 23, 2018 8:47 am Post subject: |
|
|
 Grand High Poobah
Joined: 11 Nov 2005 Posts: 26093 Location: Texas, USA
|
Partha.Baidya wrote: |
I am not asking how SOAPUI works.
I am asking how IIB v10 is successfully authenticating a SOAP request without having proper signer certificates.
If this is the case, then anyone using SOAPUI can violate the security of IIB provider services in Production. |
Well it's unusual to have IIB directly facing out without some kind of intermediate proxy that changes the SSL topology but that's not directly relevant to your point.
If you're confident that SoapUI doesn't have access to the correct certificate, then it's PMR time because clearly the mechanism as described in the InfoCenter works (because your consumer flow is denied) but some bug is not correctly handling the SSL handshake with SoapUI and letting it through. That's going to be buried deep in the listener code. _________________ Honesty is the best policy.
Insanity is the best defence. |
Armageddon123 |
Posted: Tue Jan 23, 2018 2:15 pm Post subject: |
|
|
Acolyte
Joined: 11 Feb 2014 Posts: 61
|
I believe you are mistaken. You mentioned one-way SSL with clientAuth as false, so I think SOAPUI does not need to present any certs to the Provider.
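The one-way versus two-way distinction raised in the reply above, as an added example that is not part of the original thread and is not IBM's code: Go's `crypto/tls` stands in for the HTTPS listener, and `tls.NoClientCert` / `tls.RequireAndVerifyClientCert` are assumed here to correspond to `clientAuth` false / true. The certificate is generated on the fly as constructed test data, and the client never presents a certificate.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"fmt"
	"math/big"
	"net"
	"time"
)

// selfSigned returns a throwaway server certificate (constructed test data)
// and a trust store that contains it.
func selfSigned() (tls.Certificate, *x509.CertPool) {
	key, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	t := &x509.Certificate{SerialNumber: big.NewInt(1), DNSNames: []string{"localhost"},
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(time.Hour)}
	der, _ := x509.CreateCertificate(rand.Reader, t, t, &key.PublicKey, key)
	leaf, _ := x509.ParseCertificate(der)
	pool := x509.NewCertPool()
	pool.AddCert(leaf)
	return tls.Certificate{Certificate: [][]byte{der}, PrivateKey: key}, pool
}

// ServerAccepts runs one in-memory TLS 1.2 handshake in which the client
// presents no certificate, and reports whether the server completed it.
func ServerAccepts(clientAuth tls.ClientAuthType, clientChecksServer bool) bool {
	cert, pool := selfSigned()
	srv := &tls.Config{Certificates: []tls.Certificate{cert}, ClientAuth: clientAuth, MaxVersion: tls.VersionTLS12}
	cli := &tls.Config{ServerName: "localhost", RootCAs: pool, MaxVersion: tls.VersionTLS12}
	cli.InsecureSkipVerify = !clientChecksServer // client-side choice, invisible to the server
	c, s := net.Pipe()
	defer c.Close()
	defer s.Close()
	c.SetDeadline(time.Now().Add(5 * time.Second))
	s.SetDeadline(time.Now().Add(5 * time.Second))
	done := make(chan error, 1)
	go func() { done <- tls.Server(s, srv).Handshake() }()
	tls.Client(c, cli).Handshake()
	return <-done == nil
}

func main() {
	fmt.Println("clientAuth=false:", ServerAccepts(tls.NoClientCert, true), ServerAccepts(tls.NoClientCert, false))
	fmt.Println("clientAuth=true: ", ServerAccepts(tls.RequireAndVerifyClientCert, true), ServerAccepts(tls.RequireAndVerifyClientCert, false))
}
```

With client authentication off, the server's decision does not depend on what the client holds or checks; only the setting that requires a client certificate makes the server refuse a caller that has none.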
Partha.Baidya |
Posted: Tue Jan 23, 2018 3:18 pm Post subject: |
|
|
 Voyager
Joined: 05 Nov 2009 Posts: 97
|
souciance |
Posted: Wed Jan 24, 2018 12:51 am Post subject: |
|
|
Disciple
Joined: 29 Jun 2010 Posts: 169
|