bcostacurta |
Posted: Mon Jan 04, 2010 12:54 am Post subject: SSLPEER name setup |
|
|
Acolyte
Joined: 10 Dec 2009 Posts: 71 Location: Luxembourg
|
Hello,
I have the following certificate installed for a client connection (via svrconn and clntconn channels) :
openssl pkcs12 -nokeys -in SQDE.p12
MAC verified OK
Bag Attributes
friendlyName: ibmwebspheremqsqde
localKeyID: 00 00 00 00
subject=/C=FR/ST=IDE/L=Paris/O=CSC/OU=SECURITY/CN=MQSAGSQDE
issuer=/O=Credit Agricole/OU=Infrastructure PKI/CN=CA Credit Agricole interne
-----BEGIN CERTIFICATE-----
...etc...etc...
-----END CERTIFICATE-----
So which value should I indicate as a SSLPEER ?
I tried CN=MQ* on both channels, but got an error 2393.
If SSLPEER value is empty '' no error is received.
Thanks for help.
Bye,
Bruno |
Mr Butcher |
Posted: Mon Jan 04, 2010 2:10 am Post subject: |
|
|
 Padawan
Joined: 23 May 2005 Posts: 1716
|
Start channels with empty SSL peer, then check channel status and you see the peer values from the client connection. Then you can decide what from that information (or all) you would like to include in the SSLPEER attribute.
_________________
Regards, Butcher |
mvic |
Posted: Mon Jan 04, 2010 2:50 am Post subject: Re: SSLPEER name setup |
|
|
 Jedi
Joined: 09 Mar 2004 Posts: 2080
|
bcostacurta wrote: |
So which value should I indicate as a SSLPEER ?
I tried CN=MQ* on both channels, but got an error 2393.
If SSLPEER value is empty '' no error is received. |
Get your security architect to tell you what they want in that field. Don't just invent values. And don't expect us to tell you, we don't know your company's security requirements. |
Vitor |
Posted: Mon Jan 04, 2010 6:07 am Post subject: Re: SSLPEER name setup |
|
|
 Grand High Poobah
Joined: 11 Nov 2005 Posts: 26093 Location: Texas, USA
|
mvic wrote: |
bcostacurta wrote: |
So which value should I indicate as a SSLPEER ?
I tried CN=MQ* on both channels, but got an error 2393.
If SSLPEER value is empty '' no error is received. |
Get your security architect to tell you what they want in that field. Don't just invent values. And don't expect us to tell you, we don't know your company's security requirements. |
To all points.
_________________
Honesty is the best policy.
Insanity is the best defence. |
bcostacurta |
Posted: Mon Jan 04, 2010 7:02 am Post subject: |
|
|
Acolyte
Joined: 10 Dec 2009 Posts: 71 Location: Luxembourg
|
Dears,
The SSLPEER value is based on Distinguished Name (DN) fields present in the certificate and which identify it uniquely.
In my certificate I have the following:
subject=/C=FR/ST=IDE/L=Paris/O=CSC/OU=SECURITY/CN=MQSAGSQDE
That's why I suppose from these values I should be able to obtain a valid SSLPEER value.
Is this correct ?
Thanks.
Bye,
Bruno |
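Added example, not part of the thread and not IBM's code: a Python model of the idea discussed above, turning the `subject=` line printed by openssl into comma-separated DN form and testing candidate peer filters against it offline. The matching rules used here (wildcard only at the start or end of a value, case-insensitive comparison, comma or semicolon separators, empty filter meaning no restriction) are assumptions of this model, and ordering of multiple OU attributes is not modelled.

```python
# Added illustration: a simplified model of DN filtering, not IBM MQ's own code.
# Assumes no '/' or ',' inside attribute values.
SUBJECT = "/C=FR/ST=IDE/L=Paris/O=CSC/OU=SECURITY/CN=MQSAGSQDE"  # subject from the post


def parse_openssl_subject(line):
    """Split openssl's one-line '/K=V/K=V' subject into (KEY, value) pairs."""
    pairs = []
    for part in filter(None, line.strip().split("/")):
        key, sep, value = part.partition("=")
        if not sep:
            raise ValueError(f"not a KEY=value component: {part!r}")
        pairs.append((key.strip().upper(), value.strip()))
    return pairs


def to_peer_string(pairs):
    """Render most-specific attribute first: CN=...,OU=...,O=...,C=..."""
    return ",".join(f"{k}={v}" for k, v in reversed(pairs))


def value_matches(pattern, value):
    """Honour '*' only as the first and/or last character of the pattern."""
    p, v = pattern.lower(), value.lower()  # assumption: case-insensitive compare
    lead, trail = p.startswith("*"), p.endswith("*")
    core = p[int(lead):len(p) - int(trail)]
    if lead and trail:
        return core in v
    if lead:
        return v.endswith(core)
    if trail:
        return v.startswith(core)
    return v == core


def filter_matches(peer_filter, pairs):
    """True if every KEY=pattern in the filter matches a DN attribute of that type."""
    if not peer_filter.strip():
        return True  # assumption: empty filter means no DN restriction
    for item in peer_filter.replace(";", ",").split(","):
        key, sep, pattern = item.strip().partition("=")
        if not sep:
            raise ValueError(f"not a KEY=pattern component: {item!r}")
        key, pattern = key.strip().upper(), pattern.strip()
        if not any(k == key and value_matches(pattern, v) for k, v in pairs):
            return False
    return True


if __name__ == "__main__":
    print(to_peer_string(parse_openssl_subject(SUBJECT)))
```

In this model a filter naming only `CN=MQ*` accepts any trusted certificate whose CN begins with MQ, while adding O, OU and C attributes narrows the set of certificates that pass.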
Vitor |
Posted: Mon Jan 04, 2010 7:16 am Post subject: |
|
|
 Grand High Poobah
Joined: 11 Nov 2005 Posts: 26093 Location: Texas, USA
|
bcostacurta wrote: |
That's why I suppose from these values I should be able to obtain a valid SSLPEER value. |
Why suppose? Why not ask your security guy as previously suggested?
_________________
Honesty is the best policy.
Insanity is the best defence. |