DFranke |
Posted: Wed Jan 12, 2011 11:51 am Post subject: MQ Client SSL from app running under IIS |
|
|
Novice
Joined: 25 Dec 2003 Posts: 13
|
Hopefully a quick question.
We are in the process of adding SSL to our Client Connection Channels.
Our application is a .NET Web Service that runs under IIS.
The application currently connects from the Web Server to our MQ Server using the MQ Client and the Client connection table amqclchl.tab file.
In a test environment I have successfully set up and tested the Client Connection SSL using amqsputc and running it interactively while logged on to the server.
Question is this - What userid do I use when creating the Client Certificate?
For my test I used my ID since I was logged on to the server. In Production the call will be made from the application in IIS. Do we use aspnet, IIS_WPG, etc.?
Any help is appreciated.
Dave |
exerk |
Posted: Wed Jan 12, 2011 2:03 pm Post subject: |
|
|
 Jedi Council
Joined: 02 Nov 2006 Posts: 6339
|
Use the userid under which the .NET application runs (have one created if necessary) and if that's NETWORK SERVICE, tough, you'll have to get it changed - and don't let the developers tell you it can't be done because it can.
_________________
It's puzzling, I don't think I've ever seen anything quite like this before...and it's hard to soar like an eagle when you're surrounded by turkeys.
DFranke |
Posted: Wed Jan 12, 2011 2:15 pm Post subject: |
|
|
Novice
Joined: 25 Dec 2003 Posts: 13
|
Thanks for the reply
The webservices running under IIS allow anonymous access using the IUSR_xxxxx account.
Each Service also has an application pool assigned to it that is currently running as "Network Service".
I am assuming by your comment that "Network Service" will not work and that the ID I will need to change is the one assigned to the application pool.
Correct? |
exerk |
Posted: Wed Jan 12, 2011 2:24 pm Post subject: |
|
|
 Jedi Council
Joined: 02 Nov 2006 Posts: 6339
|
Try punching in NETWORK SERVICE as part of a label name and see what happens...
I recently had a project that did much the same thing as you are doing and had a few fights with the developers, who, despite being told at the beginning that they couldn't run it under anything but an identifiable userid, ignored it, so get in early and make sure they do the needful and get it right.
DFranke |
Posted: Thu Jan 13, 2011 11:29 am Post subject: |
|
|
Novice
Joined: 25 Dec 2003 Posts: 13
|
Just as a follow up for those that may be doing the same thing.
I tried using "Network Service" for the userid for the client certificate and that failed.
I then tried the IUSR_xxxxxx ID associated with the Web Server and that succeeded. |
exerk |
Posted: Thu Jan 13, 2011 1:49 pm Post subject: |
|
|
 Jedi Council
Joined: 02 Nov 2006 Posts: 6339
|
DFranke wrote: |
I then tried the IUSR_xxxxxx ID associated with the Web Server and that succeeded. |
And anything else that that particular user runs also now has access to WMQ...