MQSeries.net Forum Index » WebSphere Message Broker (ACE) Support » SSL for WMB - generating the certs

PeterPotkay
Posted: Thu Jul 23, 2009 10:23 am    Post subject: SSL for WMB - generating the certs

Poobah

Joined: 15 May 2001
Posts: 7722

I'm all searched out....every link starts off with importing the certs. My question is how do you get the cert to begin with? When generating the certificate request do you do that step as if you are requesting a cert for the QM, and it will just work for the Broker? Or are there specific naming standards and steps required for generating a certificate request for WMB?
_________________
Peter Potkay
Keep Calm and MQ On
chanduy9
Posted: Tue Jul 28, 2009 7:57 am    Post subject:

Disciple

Joined: 28 Nov 2001
Posts: 177
Location: USA

Your CA authority will issue the certs, or you can generate dummy certs for testing purpose with keytool command. Hope it answered your question.

Thanks,
Chandra.
_________________
Chandra,
IBM WebSphere MQ Certified.
PeterPotkay
Posted: Tue Jul 28, 2009 12:56 pm    Post subject:

Poobah

Joined: 15 May 2001
Posts: 7722

I know a CA creates certs, and that I can create my own self signed certs. My question was about creating the certificate requests.
_________________
Peter Potkay
Keep Calm and MQ On
broker_new
Posted: Tue Jul 28, 2009 8:02 pm    Post subject:

Yatiri

Joined: 30 Nov 2006
Posts: 614
Location: Washington DC

In my case, we have a separate security team, they provided certain guidelines for creating the certificate requests like the CN name, label name....has to be provided as per the standards.
They sign it using the Root certificates and provide it to us.

We had a problem when submitting the cert request for configuring on queue manager, they asked us to assign the label name as the host name which doesn't work for MQ as it always accepts only "ibmwebspheremq+queuemanager name".
In this case we had a conflict and set up the Self signed cert and applied on the queue managers.
fjb_saper
Posted: Tue Jul 28, 2009 8:05 pm    Post subject:

Grand High Poobah

Joined: 18 Nov 2003
Posts: 20756
Location: LI,NY

broker_new wrote:
In my case, we have a separate security team, they provided certain guidelines for creating the certificate requests like the CN name, label name....has to be provided as per the standards.
They sign it using the Root certificates and provide it to us.

We had a problem when submitting the cert request for configuring on queue manager, they asked us to assign the label name as the host name which doesn't work for MQ as it always accepts only "ibmwebspheremq+queuemanager name".
In this case we had a conflict and set up the Self signed cert and applied on the queue managers.


You could have used mqipt... works fine with the host name.
_________________
MQ & Broker admin
broker_new
Posted: Thu Jul 30, 2009 6:45 pm    Post subject:

Yatiri

Joined: 30 Nov 2006
Posts: 614
Location: Washington DC

I always learn by posting from masters like you
murdeep
Posted: Tue Aug 04, 2009 1:35 pm    Post subject:

Master

Joined: 03 Nov 2004
Posts: 211

In IBM Key Mgmt, open your cert store and from the Personal Cert Requests drop down list box option select New to create a request.
PeterPotkay
Posted: Wed Aug 05, 2009 9:28 am    Post subject:

Poobah

Joined: 15 May 2001
Posts: 7722

Let me ask this another way...For MQ the cert is associated with the QM, or with the Client. Assuming for the moment the QM does not and will not use SSL for its channels, what is the cert associated with in WMB? The Broker, the server, the QM supporting the broker?
_________________
Peter Potkay
Keep Calm and MQ On
Mut1ey
Posted: Tue Aug 18, 2009 1:06 pm    Post subject:

Acolyte

Joined: 07 Oct 2005
Posts: 74
Location: England

PeterPotkay wrote:
Let me ask this another way...For MQ the cert is associated with the QM, or with the Client. Assuming for the moment the QM does not and will not use SSL for its channels, what is the cert associated with in WMB? The Broker, the server, the QM supporting the broker?


A good question. I do not know the exact answer, but a look in the manual states that there are only three points where SSL can be used. Well two really, because the RealTime node is non-standard SSL protocol. That leaves two:

1) HTTP Listener for HTTP traffic.
2) Java MQ Client.

So I deduce, based on this information that you would associate the Cert with one of these two.

But I would say, that I do not tend to think in terms of what a cert is associated with, but rather, what will "use" that cert. Because when all is said and done, what SSL gives you, to my mind, is a proof that you have a connection from something that has been signed by your mutual CA, and can therefore be trusted.

HTH
PeterPotkay
Posted: Tue Aug 18, 2009 4:00 pm    Post subject:

Poobah

Joined: 15 May 2001
Posts: 7722

For a Broker called ABC123, we ended up creating the cert with a label of BK_ABC123.

If we need to create a cert for the ABC123 Queue Manager that supports the broker, we would create the label as ibmwebspheremqabc123.

In this case each cert would live in its own keystore...the BK_ABC123 cert would live in the Broker's keystore and the ibmwebspheremqabc123 cert would live in the QM's keystore.

If we configure SSL at the Execution Group level, for an Execution Group called EG1, we would create a cert called BK_ABC123_EG1, and that cert would live in the keystore for EG1.

Since an SSL cert uniquely identifies an entity, we wouldn't want to share the same cert between the QM, the Broker and the Execution Group, assuming all 3 needed to be locked down with SSL. Maybe an obvious statement to some, but we are just getting started with SSL.

I'm finishing up my doc now, but I think I'll post the contents here of what we did to get SSL self signed certs going for the Broker. Maybe it will help someone else, and maybe you guys can spot something wrong if it needs to be corrected.
_________________
Peter Potkay
Keep Calm and MQ On
Mut1ey
Posted: Wed Aug 19, 2009 10:48 am    Post subject:

Acolyte

Joined: 07 Oct 2005
Posts: 74
Location: England

You can store multiple certs in one keystore, and they can all be for different purposes. Even more reason to, given that you are using MQ and Broker - underpinned by GSK7 - i.e. IBM. So by all means share the key store and add your three certs into it - will save having to maintain three passwords at the very least. Btw - that is why the MQ certs have to have that stupid prefix - so the qmgr / client can identify that it is for MQ, and not, for example an app server cert.
fjb_saper
Posted: Wed Aug 19, 2009 2:31 pm    Post subject:

Grand High Poobah

Joined: 18 Nov 2003
Posts: 20756
Location: LI,NY

Peter,

Just remember that the broker has a bindings connection to its qmgr.
As such there is no SSL between the broker and the messages picked up from the input queue.

The only reason to do SSL would be for the https connection and/or for the JMS nodes (setting up a client connection).

Now you can secure the broker's qmgr with SSL on all channels ...

Hope that clarifies some of it.
_________________
MQ & Broker admin
PeterPotkay
Posted: Wed Aug 19, 2009 6:14 pm    Post subject:

Poobah

Joined: 15 May 2001
Posts: 7722

Mut1ey wrote:
You can store multiple certs in one keystore, and they can all be for different purposes. Even more reason to, given that you are using MQ and Broker - underpinned by GSK7 - i.e. IBM. So by all means share the key store and add your three certs into it - will save having to maintain three passwords at the very least. Btw - that is why the MQ certs have to have that stupid prefix - so the qmgr / client can identify that it is for MQ, and not, for example an app server cert.

Yes, good point. As long as each of our certs has a unique label, why not share the keystore.

What about the truststore? We created a separate trust store for the Broker and a separate keystore. Should we just combine the 2 into one?

In all the MQ documentation that I can recall at the moment, I don't remember them ever saying the MQ needed / could have a separate trust store from the key store. But the Broker does offer it (or require it?) Why the diff?
_________________
Peter Potkay
Keep Calm and MQ On
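The label scheme Peter describes (BK_ABC123 for the broker, BK_ABC123_EG1 for an execution group, ibmwebspheremqabc123 for the queue manager) and the shared-keystore / separate-truststore question, scripted with keytool as an added example that is not from the thread. It assumes a JDK keytool on PATH, that the broker-side stores are JKS files, and that the CN, organisation and file names are placeholders chosen for the example; the queue manager's own CMS key database is managed with GSKit/iKeyman and is not covered here.

```sh
#!/bin/sh
# Added example (not from the thread): broker-side cert requests with keytool.
# Assumes JDK keytool on PATH and JKS keystores; all names below are placeholders.
set -eu

# Label conventions from the thread: BK_<broker> for the broker-level HTTP
# listener, BK_<broker>_<eg> for an execution group listener. One distinct
# label per entity is what lets several certs share a single keystore safely.
broker_label() {
  if [ -n "${2:-}" ]; then printf 'BK_%s_%s\n' "$1" "$2"; else printf 'BK_%s\n' "$1"; fi
}

# MQ's rule for a queue manager cert label: fixed prefix plus the queue manager
# name folded to lower case. A host name as the label is what failed for
# broker_new above; this helper makes the expected value explicit.
qm_label() { printf 'ibmwebspheremq%s\n' "$(printf '%s' "$1" | tr 'A-Z' 'a-z')"; }

# Create a key pair under LABEL in KEYSTORE and write the CSR to LABEL.csr.
# The CN is whatever the signing CA's naming standard demands (placeholder here).
make_request() {
  label=$1 cn=$2 keystore=$3 storepass=$4
  keytool -genkeypair -alias "$label" -keyalg RSA -keysize 2048 -validity 365 \
    -dname "CN=$cn,O=Example,C=US" \
    -keystore "$keystore" -storepass "$storepass" -keypass "$storepass"
  keytool -certreq -alias "$label" -file "$label.csr" \
    -keystore "$keystore" -storepass "$storepass"
}

# Import the CA root (public cert only) into the truststore and the keystore,
# then the signed reply into the keystore under the label it was requested with.
# Private keys live only in the keystore, so the truststore can be copied to
# peers that must verify the broker without exposing anything secret.
import_signed() {
  label=$1 reply=$2 cacert=$3 keystore=$4 truststore=$5 storepass=$6
  for store in "$truststore" "$keystore"; do
    keytool -importcert -noprompt -trustcacerts -alias ca-root -file "$cacert" \
      -keystore "$store" -storepass "$storepass"
  done
  keytool -importcert -noprompt -trustcacerts -alias "$label" -file "$reply" \
    -keystore "$keystore" -storepass "$storepass"
}

# Usage (nothing runs at load time; call the functions explicitly):
#   make_request "$(broker_label ABC123)"     broker.example.org broker.jks changeit
#   make_request "$(broker_label ABC123 EG1)" broker.example.org broker.jks changeit
#   import_signed "$(broker_label ABC123)" BK_ABC123.cer ca-root.cer \
#       broker.jks broker-trust.jks changeit
```

After import, `keytool -list -v -keystore broker.jks` shows a PrivateKeyEntry per label and a trustedCertEntry for ca-root, while the truststore holds only the trustedCertEntry.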
PeterPotkay
Posted: Wed Aug 19, 2009 6:16 pm    Post subject:

Poobah

Joined: 15 May 2001
Posts: 7722

fjb_saper wrote:
Peter,

Just remember that the broker has a bindings connection to its qmgr.
As such there is no SSL between the broker and the messages picked up from the input queue.

The only reason to do SSL would be for the https connection and/or for the JMS nodes (setting up a client connection).

Now you can secure the broker's qmgr with SSL on all channels ...

Hope that clarifies some of it.


Yup, SSL for MQ for incoming or outgoing MQ channels.
SSL for the Broker level http listener for all HTTP(s) Input Nodes.
And SSL for the Execution Group level listeners for Soap Input nodes that want SSL.
_________________
Peter Potkay
Keep Calm and MQ On
fjb_saper
Posted: Thu Aug 20, 2009 1:58 am    Post subject:

Grand High Poobah

Joined: 18 Nov 2003
Posts: 20756
Location: LI,NY

PeterPotkay wrote:

Yup, SSL for MQ for incoming or outgoing MQ channels.
SSL for the Broker level http listener for all HTTP(s) Input Nodes.
And SSL for the Execution Group level listeners for Soap Input nodes that want SSL.

And SSL at broker level for JMSInput or JMSOutput nodes that may need it.

_________________
MQ & Broker admin