Karan (Apprentice, Joined: 21 Oct 2009, Posts: 29)
Posted: Wed Oct 06, 2010 6:40 am Post subject: MB SSL ClientAuth
I need to do a POC on SSL.
I created two brokers, say B1 and B2.
On B1 I deployed a request (client) flow (HTTP Request node).
On B2 I deployed a server flow (HTTP Input and HTTP Reply nodes).
I have created a keystore and truststore for both brokers and enabled SSL on them.
For ServerAuth:
I created a self-signed certificate in the keystore of B2 and imported it into the truststore of B1. This works fine. When the certificate is in the truststore of B1 the request reaches the server, and when it is removed from the truststore the request fails.
For ClientAuth:
I enabled clientAuth on B2.
I created a self-signed certificate in the keystore of B1 and imported it into the truststore of B2. It works fine. But when I remove the certificate from the truststore of B2 it still works (the request reaches the server)!!
I'm confused as to how the clientAuth is happening.
I have tried enabling client auth on B1 too (unjustified logic). Either way (clientAuth=true), even with the client certificate not in the server's truststore, the request reaches the server flow.
mqjeff (Grand Master, Joined: 25 Jun 2008, Posts: 17447)
Posted: Wed Oct 06, 2010 6:44 am Post subject:
Can you provide more specific information about how you have configured SSL on B2?
Have you disabled the HTTP connector and only left the HTTPS connector active?
Have you ensured that the HTTPRequest node has "Use SSL" checked?
Karan (Apprentice, Joined: 21 Oct 2009, Posts: 29)
Posted: Wed Oct 06, 2010 8:18 am Post subject:
B2 is the broker with the server flow.
I configured it using the following commands:
1. mqsichangeproperties broker_name -o BrokerRegistry -n brokerKeystoreFile -v "C:\Program Files\IBM\MQSI\jre15\lib\security\keyst.jks"
2. Similarly created the truststore.
3. Stopped the broker. Ran mqsisetdbparms for the passwords. Started the broker.
4. Enable SSL:
   mqsichangeproperties broker_name -b httplistener -o HTTPListener -n enableSSLConnector -v true
5. Enable clientAuth:
   mqsichangeproperties broker_name -b httplistener -o HTTPSConnector -n clientAuth -v true
Also, the HTTPRequest node (on broker B1) does not have "Use SSL" (the HTTPInput node on B2 does, and I have ticked it). HTTPRequest has "Follow HTTP(S) redirection" and a proxy location; I have not touched those.
The SSL tab has a Protocol property which is set to SSL (default). Allowed ciphers is left blank (the docs say the node will use any or all of the available ciphers).
"Have you disabled the HTTP connector and only left the HTTPS connector active?"
--- Am I supposed to do that? And how?
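Whether the B2 listener really asks for a client certificate shows up in the handshake, not in whether the message arrives: probe the port with openssl s_client and look for the CertificateRequest. Added example, not from this thread and not IBM tooling: a shell function that classifies an s_client transcript, with three constructed sample transcripts; b2host:7083 is a placeholder for the B2 HTTPS listener. A "no-tls" result on the port the HTTPRequest node is actually using means the request is going to the plain HTTP connector mqjeff asked about.

```shell
# Classify an `openssl s_client` transcript: did the server ask for a client
# certificate? Prints "client-auth" when the server sent a CertificateRequest
# (s_client then prints "Acceptable client certificate CA names"), "no-client-auth"
# when it did not ("No client certificate CA names sent"), and "no-tls" when no
# TLS handshake happened at all, e.g. because the port is the plain HTTP listener.
classify_handshake() {
    transcript=$(cat)   # the s_client output arrives on stdin
    if printf '%s\n' "$transcript" | grep -q '^Acceptable client certificate CA names'; then
        echo client-auth
    elif printf '%s\n' "$transcript" | grep -q '^No client certificate CA names sent'; then
        echo no-client-auth
    else
        echo no-tls
    fi
}

# Live use (host and port are placeholders for the B2 HTTPS listener):
#   openssl s_client -connect b2host:7083 </dev/null 2>&1 | classify_handshake

# Constructed sample transcripts, trimmed to the lines that matter.
sample_client_auth() {
    cat <<'EOF'
CONNECTED(00000003)
---
Certificate chain
 0 s:CN = b2broker
---
Acceptable client certificate CA names
CN = b1broker
---
EOF
}
sample_no_client_auth() {
    cat <<'EOF'
CONNECTED(00000003)
---
Certificate chain
 0 s:CN = b2broker
---
No client certificate CA names sent
---
EOF
}
sample_plain_http() {
    cat <<'EOF'
CONNECTED(00000003)
error:1408F10B:SSL routines:ssl3_get_record:wrong version number
EOF
}
```

Try it on a sample with `sample_client_auth | classify_handshake`; against a live listener, pipe the s_client output in as shown in the comment.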
Karan (Apprentice, Joined: 21 Oct 2009, Posts: 29)
Posted: Wed Oct 06, 2010 9:12 am Post subject:
Each broker has its own keystore and truststore (the keystore and truststore are different).
It seems that no matter what I try, the client is always authenticated.
Karan (Apprentice, Joined: 21 Oct 2009, Posts: 29)
Posted: Thu Oct 07, 2010 7:29 am Post subject:
Any suggestions?
When I try to demonstrate the same using Nettool, while trying server auth, Nettool doesn't seem to use its keystore. There is a server certificate which is not in Nettool's keystore; in spite of that the connection is established.
crossland (Master, Joined: 26 Jun 2001, Posts: 248)
Posted: Fri Oct 08, 2010 1:28 am Post subject:
On your server flow, does the HTTP Input node have "Use HTTPS" set?
Karan (Apprentice, Joined: 21 Oct 2009, Posts: 29)
Posted: Fri Oct 08, 2010 11:50 am Post subject: