| Author |
Message
|
| sanjoo |
 Posted: Thu Jun 28, 2007 7:21 am Post subject: SSL cert selction |
 |
|
Acolyte
Joined: 26 Oct 2005
Posts: 65
|
Hi,
I am having a queue manager to whom 10 different apps connects. I want to make them connect over SSL svrconn channels and I want them to represent different unique certs.
So all 10 app key repositories will have same queue manager cert but my queue manager key repository will have 10 different certs, one from each app.
My question is how queue manager will know which cert to use for handshake when a connection request comes?
Please let me know if you need more background info on this.
Thanks.
_________________
Sanjoo
Keep smiling
 |
|
| Back to top |
|
 |
| oz1ccg |
| Posted: Thu Jun 28, 2007 10:38 am Post subject: |
|
|
Yatiri
Joined: 10 Feb 2002
Posts: 628
Location: Denmark
|
The queuemanager get the DN presented and knows which one to load from it's keystore.
I've colected some SSL links here:
http://mrmq.dk/links.htm half way down.
Like:
SSL configuration of the Websphere MQ Java/JMS client - Alex Fehners IBM
WebSphere MQ SSL Tutorial
- Configuring SSL Connections between JMS Clients and the WebSphere MQ JMS Provider - Kareem Yusuf IBM
Just to menthion some.
I hope it helps.
-- Lock it or Lose it -- 
_________________
Regards, Jørgen
Home of BlockIP2, the last free MQ Security exit ver. 3.00
Cert. on WMQ, WBIMB, SWIFT. |
|
| Back to top |
|
|
| marcin.kasinski |
| Posted: Thu Jun 28, 2007 11:10 am Post subject: Re: SSL cert selction |
|
|
Sentinel
Joined: 21 Dec 2004
Posts: 850
Location: Poland / Warsaw
|
| sanjoo wrote: |
My question is how queue manager will know which cert to use for handshake when a connection request comes?
Please let me know if you need more background info on this.
|
QMGR will use their cert from keystore which alias name is ibmwebspheremq<qmgr_name_lowercase> during handshake.
Then in your configuration QMGR compares sent app public cert with certs from kestore.
PS. Have you considered using standard PKI with CA rather than self-signed cert ?
_________________
Marcin |
|
| Back to top |
|
|
| sanjoo |
| Posted: Thu Jun 28, 2007 7:00 pm Post subject: |
|
|
Acolyte
Joined: 26 Oct 2005
Posts: 65
|
thanks a lot. That helps.
Quick question... let say if i choose cert from third party CA like verisign.
All the certs signed by verisign will have same private key?
_________________
Sanjoo
Keep smiling
|
|
| Back to top |
|
|
| marcin.kasinski |
| Posted: Thu Jun 28, 2007 10:32 pm Post subject: |
|
|
Sentinel
Joined: 21 Dec 2004
Posts: 850
Location: Poland / Warsaw
|
| sanjoo wrote: |
thanks a lot. That helps.
Quick question... let say if i choose cert from third party CA like verisign.
All the certs signed by verisign will have same private key? |
No, No, No
Private key is "private" key. It is only yours.
All certs signed by the same CA will be different.
_________________
Marcin |
|
| Back to top |
|
|
|
|
