ASG
IBM
Zystems
Cressida
Icon
Netflexity
 
  MQSeries.net
Search  Search       Tech Exchange      Education      Certifications      Library      Info Center      SupportPacs      LinkedIn  Search  Search                                                                   FAQ  FAQ   Usergroups  Usergroups
 
Register  ::  Log in Log in to check your private messages
 
RSS Feed - WebSphere MQ Support RSS Feed - Message Broker Support

MQSeries.net Forum Index » WebSphere Message Broker (ACE) Support » Question regarding WMB keystore and truststore

Post new topic  Reply to topic
 Question regarding WMB keystore and truststore « View previous topic :: View next topic » 
Author Message
tucanen
PostPosted: Mon Sep 13, 2010 4:15 am    Post subject: Question regarding WMB keystore and truststore Reply with quote

Novice

Joined: 27 Jun 2005
Posts: 22
Location: Sweden
Hi,

Questions below.

Background
In the WMB 6.1 InfoCenter, section "Setting up a public key infrastructure", the documentation states the following:

Quote:
You can configure keystores and truststores at either broker level (one keystore, one truststore, and one personal certificate for each broker) or at execution group level (one keystore, one truststore, and one personal certificate for each execution group).


I'm not sure how to interpret this with one personal certificate.

I have experimented with configuring the HTTPSConnector of an execution group to make possible to expose a web service facade via HTTPS using SSL (using SOAP nodes). It is working fine.

I have configured a keystore and truststore on the broker level.

- The keystore contains my self-signed test certificate that is used for SSL encryption.

- The truststore contains a trusted certificate used when doing secure LDAP authentication (not part of the scope of the question).

Questions

1. Why is there a limitation of one personal certificate?

It appears to be possible to import several certificates into the keystore.
My tests indicate that the HTTPSConnector of the execution group uses the certificate last added. It is however possible to specify which of the certificates to be used by the exe. group HTTPSConnector by setting the KeyAlias property. This seems to work fine.

However, as I understand from the documentation, it doesn't look like the KeyAlias can be specified for the broker level httplistener HTTPSConnector (used by the HTTP nodes). Is this the reason why only one personal certificate can be used?

2. Isn't there a need to have more than one personal certificate in the keystore for a broker when both using a certificate for HTTPS purpose and also certificate(s) used for message part encryption or message signing?

How can this be achieved?

Thankful for all thoughts and answers.

Kind regards,
contact admin
Back to top
View user's profile Send private message
mqjeff
PostPosted: Mon Sep 13, 2010 4:59 am    Post subject: Reply with quote

Grand Master

Joined: 25 Jun 2008
Posts: 17447
It means that each EG or each broker can only assert that it is a single known entity. You can only use one single certificate to identify the broker or the EG, that's what the personal certificate is - the cert that represents "me".

So if you need to use Cert A to establish your identity with partner 1, and Cert B to establish your identity with partner 2, then you need to use separate EGs or separate brokers (depending on the nature of the transport in use).

I'm not sure where you're going with using separate identities for transport encryption and message encryption.
Back to top
View user's profile Send private message
tucanen
PostPosted: Mon Sep 13, 2010 5:17 am    Post subject: Reply with quote

Novice

Joined: 27 Jun 2005
Posts: 22
Location: Sweden
mqjeff, thank you for clarifying!

I'm not sure either

I just thought that it could be good to leave the door open for the possibility that, for some reason, there might be a need to use different certificates for different purposes.

Maybe that scenario is not very probable because of the way personal certificates are typically used.
Back to top
View user's profile Send private message
mqjeff
PostPosted: Mon Sep 13, 2010 5:50 am    Post subject: Reply with quote

Grand Master

Joined: 25 Jun 2008
Posts: 17447
The only reason I could think that you would have a separate personal certificate for transport level encryption then for message level encryption is if you were essentially acting as two separate entities - one that is producing and encrypting business data, and one that is acting as an assured and secured transport provider. It would be a bit odd to have these same processes running inside the same logical container... but it's also something you could probably handle with TAM or WMQ ESE or another advanced security product that plugs into broker.

Particularly at Broker v7, you get a lot more flexibility in these areas.
Back to top
View user's profile Send private message
Display posts from previous:   
Post new topic  Reply to topic Page 1 of 1

MQSeries.net Forum Index » WebSphere Message Broker (ACE) Support » Question regarding WMB keystore and truststore
Jump to:  



You cannot post new topics in this forum
You cannot reply to topics in this forum
You cannot edit your posts in this forum
You cannot delete your posts in this forum
You cannot vote in polls in this forum
Protected by Anti-Spam ACP
  
 


Theme by Dustin Baccetti
Powered by phpBB © 2001, 2002 phpBB Group

Copyright © MQSeries.net. All rights reserved.