| |
|
RSS Feed - WebSphere MQ Support
|
RSS Feed - Message Broker Support
|
  |
|
| A couple of observations from some recent MQ PMRs |
« View previous topic :: View next topic » |
| Author |
Message
|
| tczielke |
 Posted: Wed Apr 27, 2016 1:24 pm Post subject: A couple of observations from some recent MQ PMRs |
 |
|
Guardian
Joined: 08 Jul 2010
Posts: 941
Location: Illinois, USA
|
Here are a few things that I ran across recently with two MQ PMRs, that were not obvious to me. I thought I would mention them, in case it would help anyone else out.
1) SSLPEER affects SSLCAUTH. If you have SSLCAUTH(OPTIONAL) but values set for the SSLPEER, MQ will still require that a certificate is sent from the client. You need both SSLCAUTH(OPTIONAL) and SSLPEER to be blank, for the client certificate to not be required.
2) CDPCheckExtensions affects OCSP. CDP and OCSP are two different types of certificate revocation checks. I was working with a certificate that did not have any OCSP certificate extensions (nor any other places in the qmgr where an OCSP server was defined), but did have a CDP certificate extensions. I turned on the CDPCheckExtensions=YES in the qm.ini file to test out the CDP check, and then my connection started failing with an OCSP check failure. When you turn on CDP checking, this also apparently turns on OCSP checking. Since the default for OCSPAuthentication=REQUIRED and MQ could not successfully make a positive OCSP check (since there was no OCSP server to check!), the connection failed. To get around this behavior for this use case, you need to have CDPCheckExtensions=YES and OCSPAuthentication NOT set to REQUIRED.
_________________
Working with MQ since 2010. |
|
| Back to top |
|
 |
|
|
|
| |
|
Page 1 of 1 |
|
You cannot post new topics in this forum
You cannot reply to topics in this forum
You cannot edit your posts in this forum
You cannot delete your posts in this forum
You cannot vote in polls in this forum
|
|
|
|
