zpat
Posted: Fri Jan 23, 2009 8:25 am Post subject: Easiest way to use SSL with WMQ?
Jedi Council
Joined: 19 May 2001 Posts: 5866 Location: UK
Assume that we want to start using SSL for internal WMQ connections between QMs and also between QMs and MQ clients.
What's the simplest way to start doing this?
Would it be self-signed certificates?
What would be the advantage of using CA-signed certificates?
Appreciate some simple a, b, c tips!
mqjeff
Posted: Fri Jan 23, 2009 8:33 am Post subject:
Grand Master
Joined: 25 Jun 2008 Posts: 17447
Self-signed certs are easiest for getting started, but hardest for maintaining. Every qmgr needs every cert.
Being your own local CA is relatively easy and cheap. You may need an external CA to create certs if you're doing business partner communications.
Always make sure to remove any and all CA signer certs that you aren't actively using from every qmgr.
zpat
Posted: Fri Jan 23, 2009 8:47 am Post subject:
Jedi Council
Joined: 19 May 2001 Posts: 5866 Location: UK
Excuse my ignorance (and I have tried reading the manuals).
Take a simple scenario of four spoke queue managers, all inter-connected via one hub qm, and a number of MQ clients, some of which will connect only to one QM (client apps) and some to any QM (MQ admins).
What would be the simplest SSL set up?
mqjeff
Posted: Fri Jan 23, 2009 9:10 am Post subject:
Grand Master
Joined: 25 Jun 2008 Posts: 17447
A long long time ago, there was an excellent presentation by not-yet-MQ-Architect Morag Hughson at T&M that covered SSL basics for those who had no idea how to spell SSL. Remnants of this may have managed to come through to other presentations that you may have from IMPACT.
Without going into that a whole lot, here's the basics of what you need.
You need one certificate for each unique role that your client apps are going to act in. Ideally, this is a unique certificate for each client app, under a proper Distinguished Name scheme that you can leverage from SSLPEER.
You need one certificate for each qmgr.
Each certificate is going to be signed by something. Every qmgr needs to have the certificate that signs any certificates that the qmgr wants to accept as valid.
In the case of self-signed certificates, this means that every qmgr needs every other certificate.
In the case of CA-signed certificates, whether it's a public CA that you pay money to, or an internal CA that you don't, each qmgr needs only the CA signer cert.
In your case, the simplest solution is this:
1) internal CA that signs all certs.
2) a single certificate for MQ Admins
3) a single certificate for each client application role (not each app)
4) a certificate for each qmgr
Then import the CA signer cert into each qmgr, each qmgr's individual private cert, and delete all other certs from the keyring.
Then you need each client app to connect to a specific SVRCONN, one for each role, that has an MCAUSER on it that matches the role privileges needed. And SSLPEER to enforce that only the right client cert can connect to that SVRCONN. So you'd have a dedicated admin SVRCONN, that had MCAUSER of mqm, and an SSLPEER that *only* matched your admin certificate Distinguished Name.
There are steps to do these things outlined fully and completely in the manuals.
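The role-per-SVRCONN design described in the post above, written out as an added example (this is not code from the thread or from IBM): one MQSC definition per role that ties SSLPEER to MCAUSER, plus the gsk7cmd steps for a qmgr key repository. It assumes MQ v6 on AIX with gsk7cmd; the qmgr name, DNs, cipher, password, labels and file names are placeholders.

```shell
#!/bin/sh
# Added example, not from the thread: role-based SVRCONN channels (MCAUSER +
# SSLPEER per role) and the qmgr key repository steps, as outlined above.
# Assumes MQ v6 on AIX with gsk7cmd; qmgr name, DNs, cipher, password and
# file names are placeholders, not values from the thread.

# Print the MQSC for one role's SVRCONN. A client must present a certificate
# whose DN matches SSLPEER, and is then given the role's MCAUSER identity.
role_svrconn() {
  chl="$1"; peer="$2"; mcauser="$3"
  cat <<EOF
DEFINE CHANNEL('$chl') CHLTYPE(SVRCONN) TRPTYPE(TCP) +
       SSLCIPH(TLS_RSA_WITH_AES_128_CBC_SHA) +
       SSLCAUTH(REQUIRED) +
       SSLPEER('$peer') +
       MCAUSER('$mcauser') REPLACE
EOF
}

# Key repository for one qmgr (run as mqm). MQ v6 looks for the qmgr's own
# cert under the label ibmwebspheremq<qmgr name in lower case>.
setup_qmgr_keyring() {
  qm="$1"; pw="$2"; ca_cert="$3"
  kdb="/var/mqm/qmgrs/$qm/ssl/key.kdb"
  lbl="ibmwebspheremq$(echo "$qm" | tr 'A-Z' 'a-z')"
  gsk7cmd -keydb -create -db "$kdb" -pw "$pw" -type cms -stash
  # Trust only the internal CA signer; then review the keyring and delete
  # any pre-loaded public CA signer certs that are not in use.
  gsk7cmd -cert -add -db "$kdb" -pw "$pw" -label internalCA \
          -file "$ca_cert" -format ascii -trust enable
  gsk7cmd -certreq -create -db "$kdb" -pw "$pw" -label "$lbl" \
          -dn "CN=$qm,OU=MQ,O=Example" -size 1024 -file "$qm.req"
  # After the internal CA signs $qm.req, receive the signed cert with:
  #   gsk7cmd -cert -receive -db "$kdb" -pw "$pw" -file "$qm.arm" -format ascii
  gsk7cmd -cert -list -db "$kdb" -pw "$pw"
}

# Three SVRCONNs for the scenario in the thread: admins (MCAUSER mqm), one
# client application role, and a non-admin role allowed on any qmgr.
role_svrconn ADMIN.SVRCONN   'CN=mqadmin,OU=MQ Admin,O=Example' mqm
role_svrconn ORDERS.SVRCONN  'CN=orders,OU=MQ Apps,O=Example'   ordersvc
role_svrconn MONITOR.SVRCONN 'OU=MQ Monitor,O=Example'          mqmon
```

Pipe the printed definitions into runmqsc on each qmgr; a client whose certificate DN does not satisfy the channel's SSLPEER is refused at handshake time rather than landing on the channel's MCAUSER.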
PeterPotkay
Posted: Fri Jan 23, 2009 9:56 am Post subject:
Poobah
Joined: 15 May 2001 Posts: 7722
zpat, are you looking for SSL on QMs inside your firewall for authentication of who's connecting? Or for encryption of the data as it flows over the channel? Or both?
_________________
Peter Potkay
Keep Calm and MQ On
zpat
Posted: Fri Jan 23, 2009 11:42 am Post subject:
Jedi Council
Joined: 19 May 2001 Posts: 5866 Location: UK
Primarily for authentication purposes.
PeterPotkay
Posted: Fri Jan 23, 2009 1:49 pm Post subject:
Poobah
Joined: 15 May 2001 Posts: 7722
Just so you're aware of all options to accomplish what you need:
I personally am green to SSL, and had a terrible time getting SSL certs created acting as my own CA. If your company has an internal Certificate Authority, and has SSL folks willing to work with you, you'll find the MQ part of SSL not that difficult. It's just getting the certs and managing them going forward (they should be set up to expire regularly) that I found to be a bear.
If you go the SSL route, and use a single CA (probably your own), you should remove all the other root certificates that you will find by default from other CAs, just to ensure an SSL cert signed by one of those other CAs that otherwise matches your SSLPEER values can't get through. This is not supposed to happen, but why risk it.
But if all you are after is authentication, perhaps consider using a security exit, like Roger's MQAUSX. It will authenticate for you, works on all channel types, does not periodically expire like SSL certs do/should, has a very thorough manual, and an excellent support record. It would allow you to not have to rely on the "SSL guys". Anytime I can accomplish the same thing with fewer areas involved, I'm happier.
_________________
Peter Potkay
Keep Calm and MQ On
zhanghz
Posted: Sat Jan 24, 2009 10:12 am Post subject:
Disciple
Joined: 17 Jun 2008 Posts: 186
Try building some QMGRs, creating some self-signed certs, or getting some time-limited free CA-signed certs, and try. At the same time, read manuals and some excellent ppt materials on SSL on WMQ. And then try again. It will take some time, but give you some hands-on experience, so that it will be easier when you really implement it in either the TEST or PRODUCTION environment. That's how I came through it.
zpat
Posted: Sat Jan 24, 2009 11:16 am Post subject:
Jedi Council
Joined: 19 May 2001 Posts: 5866 Location: UK
Thanks for the advice. The platform is AIX MQ v6 by the way.
exerk
Posted: Sun Jan 25, 2009 3:01 pm Post subject:
Jedi Council
Joined: 02 Nov 2006 Posts: 6339
masteringmq
Posted: Sun Jan 25, 2009 6:01 pm Post subject:
Master
Joined: 20 Oct 2008 Posts: 200
If you ask me, I would say in the SIT environment I would use the self-signed certs for testing purposes. But for the PRD environment I would use the 3rd party CA certs. This is a good practice.
PeterPotkay
Posted: Sun Jan 25, 2009 7:11 pm Post subject:
Poobah
Joined: 15 May 2001 Posts: 7722
A properly administered internal Certificate Authority is perfectly acceptable, and some would say preferred over a 3rd party, even for Production, if all the QMs and Clients are in house.
That aside, different kinds of certs in your various environments can lead to surprises in production.
_________________
Peter Potkay
Keep Calm and MQ On
Vitor
Posted: Mon Jan 26, 2009 12:50 am Post subject:
Grand High Poobah
Joined: 11 Nov 2005 Posts: 26093 Location: Texas, USA
masteringmq wrote:
> If you ask me, I would say in the SIT environment I would use the self-signed certs for testing purposes.
You wouldn't say that if you had more than a few environments, or an environment with a large number of queue managers. Self-signed quickly become cumbersome and an administrative headache.
masteringmq wrote:
> But for the PRD environment I would use the 3rd party CA certs. This is a good practice.
If you can get the budget for them. It's often cheaper (and easier) to become your own CA.
_________________
Honesty is the best policy.
Insanity is the best defence.