hopsala | Guardian | Joined: 24 Sep 2004 | Posts: 960
Posted: Sun May 08, 2011 8:26 am | Post subject: WMB 7 \ SSL auth setup - one cert per flow
Greets,
Say I've got a site with many message flows, and say I want to make sure only client A calls message flow A, only client B calls MFB, etc. Say that I don't want to change anything about my applications, either in client or wmb side. I want the payload to be plain data, no signatures, no passwords.
Now, in mq this is no problem; I just give each client a different certificate, all signed by one or more CAs, and I assign each a SVRCONN channel with a different SSLPEER parameter. And lo and behold, I can make sure each client (or group of clients) only accesses the queues it should.
The question is, is this possible with HTTP/SOAP nodes on WMB? What I need is a way to say "this flow will only accept this DN or this certificate".
Oh, and having a separate EG for each flow, with a different truststore won't work here; there are way too many flows for this solution to be viable. Using what's called "message flow security" won't work either, because it demands quite a bit of coding in both the client and wmb side.
So, any ideas?
Many thanks!
mqjeff | Grand Master | Joined: 25 Jun 2008 | Posts: 17447
Posted: Sun May 08, 2011 8:58 am
HTTP Proxy Servlet and whatever config is needed to accomplish this at the HTTP Server on the other side of the proxy servlet.
hopsala | Guardian | Joined: 24 Sep 2004 | Posts: 960
Posted: Wed May 18, 2011 4:13 am
I don't see any reference to how this can be done using the HTTP Proxy Servlet. There is no appropriate config parameter, and since it's a single servlet which redirects to different URLs, I can't configure WAS to somehow accept a different certificate for each URL.
Of course, I can always open the servlet WAR and start refactoring, but I really don't want to go there..
mqjeff | Grand Master | Joined: 25 Jun 2008 | Posts: 17447
Posted: Wed May 18, 2011 4:17 am
I didn't say that the ProxyServlet would handle this.
I said you would configure the HTTPServer on the other side of the WAS container running ProxyServlet to authenticate certs against URLs.
At least, I assume that HTTP Servers in general can handle this kind of URL/Cert mapping. It would seem very odd if they couldn't.
hopsala | Guardian | Joined: 24 Sep 2004 | Posts: 960
Posted: Sun May 22, 2011 3:03 am
Yes, I was misled by one of our WAS admins who claimed this isn't possible, but after a bit of reading we're thinking this can be done.
For the record, the process is to first extract a username from the certificate (usually done using the DN, otherwise it's possible to code a filter), which is verified against the LDAP server. Second, this user is assigned a role, and this role is then assigned specific URL patterns. All this is done by WAS, if it's configured properly. In short, the chain is:
Certificate > User > Role > URL
At least that's the theory. We're still unsure if we'll implement it. Much obliged as usual, jeff.
mqjeff | Grand Master | Joined: 25 Jun 2008 | Posts: 17447
Posted: Mon May 23, 2011 2:53 am
I'd still think that the HTTP container itself might be able to do this as well, rather than using JEE security. It *might* be simpler.
hopsala | Guardian | Joined: 24 Sep 2004 | Posts: 960
Posted: Thu May 26, 2011 2:12 am
Possibly, but I can't say that I know how to do this, nor do the local WAS admins. I'm open to suggestions..
mqjeff | Grand Master | Joined: 25 Jun 2008 | Posts: 17447
Posted: Thu May 26, 2011 4:39 am
Well, first it probably depends on what you're using for your HTTP server?
I suspect that IIS is going to have different configurations in this area than Apache or IBM HTTP Server...
And I didn't say I knew how it could be done, just that I believe it can be done.
But some quick poking suggests this:
http://httpd.apache.org/docs/2.2/ssl/ssl_howto.html#certauthenticate
in particular the bit about SSLRequire
Quote:
    SSLRequire %{SSL_CLIENT_S_DN_O} eq "Snake Oil, Ltd." \
    and %{SSL_CLIENT_S_DN_OU} in {"Staff", "CA", "Dev"}
hopsala | Guardian | Joined: 24 Sep 2004 | Posts: 960
Posted: Mon May 30, 2011 10:38 pm
Found a guy who knows Apache HTTP and he says that it is possible. However, if I understand you and him correctly, this means that I have yet another node in my system - I've got the broker, WAS or Tomcat running my servlet, and an Apache HTTPServer or other with the cert/url setup; I can't run the servlet on an HTTP server and I can't connect the httpserver directly to WMB without the servlet, right?
If this is the case, I'm not sure it's worth it. I'll try and open a requirement with IBM for WMB to be able to handle url/cert mapping by itself and see what happens. Or maybe I'll just wait for Datapower to make its way into the site and have it do the job.
mqjeff | Grand Master | Joined: 25 Jun 2008 | Posts: 17447
Posted: Tue May 31, 2011 10:14 am
hopsala wrote:
    Found a guy who knows Apache HTTP and he says that it is possible. However, if I understand you and him correctly, this means that I have yet another node in my system - I've got the broker, WAS or Tomcat running my servlet, and an Apache HTTPServer or other with the cert/url setup; I can't run the servlet on an HTTP server and I can't connect the httpserver directly to WMB without the servlet, right?
You could connect the HTTP server directly to WMB without the servlet.
You will just need to perform all of the necessary tasks to identify all of the message flow URLs and the relevant port numbers and network addresses of the relevant broker HTTP listeners manually, and manually configure the HTTP server to know the right ports for the right URLs and how to load balance. The proxy servlet handles this work for you.
Whether or not this is less work than configuring the Tomcat container to do the URL/cert mapping is a separate question.
One typically finds an HTTP front-end server in front of WAS/Tomcat anyway. WAS in particular makes it bog easy to export the WAS configuration into an IBM HTTPServer WAS plugin config file.
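An added example, not code from the thread or from IBM, showing the two pieces discussed above put together: the per-URL SSLRequire mapping from mqjeff's Apache quote, and an HTTP server connected directly to the broker's HTTP listeners without the proxy servlet. The virtual host demands a client certificate from everyone, each flow URL then admits only a particular subject DN (or OU group), and each URL is proxied to a broker listener, with a balancer for one flow. Hostnames, ports (7080 is used as the broker HTTP listener port), certificate paths, DN values and flow URLs are all assumed placeholders, and mod_ssl, mod_proxy, mod_proxy_http and mod_proxy_balancer are assumed to be loaded.

```apache
# Added example, not from the thread: Apache httpd 2.2 front-end for WMB HTTP flows.
# Assumptions: mod_ssl, mod_proxy, mod_proxy_http and mod_proxy_balancer are loaded;
# every hostname, port, path and DN value below is a placeholder.
Listen 443
<VirtualHost *:443>
    ServerName gateway.example.internal

    # Server-side TLS for the gateway itself
    SSLEngine on
    SSLCertificateFile    /etc/httpd/ssl/gateway.crt
    SSLCertificateKeyFile /etc/httpd/ssl/gateway.key

    # Mutual TLS: every caller must present a certificate chained to this CA.
    # A caller with no certificate, or one from another CA, fails at the handshake
    # and never reaches any flow URL.
    SSLCACertificateFile  /etc/httpd/ssl/client-ca.crt
    SSLVerifyClient require
    SSLVerifyDepth  2

    # No forward proxying; only the explicit ProxyPass mappings below are served.
    ProxyRequests Off
    ProxyPreserveHost On

    # Flow A may be called only by the certificate issued to client A.
    # SSLRequire is evaluated per request, after the handshake has succeeded,
    # so a valid certificate with the wrong subject gets HTTP 403.
    <Location /flowA>
        SSLRequire %{SSL_CLIENT_S_DN_O}  eq "Example Corp" \
               and %{SSL_CLIENT_S_DN_CN} eq "clientA"
        ProxyPass        http://broker1.example.internal:7080/flowA
        ProxyPassReverse http://broker1.example.internal:7080/flowA
    </Location>

    # Flow B accepts a group of clients identified by OU, and is
    # load-balanced across the HTTP listeners of two brokers.
    <Proxy balancer://flowB-brokers>
        BalancerMember http://broker1.example.internal:7080
        BalancerMember http://broker2.example.internal:7080
    </Proxy>
    <Location /flowB>
        SSLRequire %{SSL_CLIENT_S_DN_O}  eq "Example Corp" \
               and %{SSL_CLIENT_S_DN_OU} in {"PartnerB", "PartnerB-Test"}
        ProxyPass        balancer://flowB-brokers/flowB
        ProxyPassReverse http://broker1.example.internal:7080/flowB
        ProxyPassReverse http://broker2.example.internal:7080/flowB
    </Location>

    # Record the client DN beside the URL and status, so a refused (403) or
    # mis-mapped call can be traced back to the certificate that made it.
    LogFormat "%h %{SSL_CLIENT_S_DN}x \"%r\" %>s" flowaudit
    CustomLog /var/log/httpd/flow-access.log flowaudit
</VirtualHost>
```

Adding a flow means adding one more Location block with its own SSLRequire and ProxyPass, which is the per-flow configuration cost hopsala mentions later in the thread. Any URL without a mapping is not proxied at all. Note that the SSLRequire directive is what the 2.2 documentation linked above describes; in httpd 2.4 it is deprecated in favour of the equivalent `Require expr` form, so a newer server would express the same DN checks that way.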
hopsala | Guardian | Joined: 24 Sep 2004 | Posts: 960
Posted: Sun Jun 05, 2011 2:58 am
K, did some more checking and you're spot on. I can use Apache to connect directly and even load balance, as long as I configure the server how to forward each incoming URL.
From what I've seen so far there are two advantages of Apache HTTP Server over using the Proxy Servlet on Tomcat or WAS: First, Apache can load balance, where the servlet can only fail over to another QM; Second, using Apache means no MQ traffic. However, Apache takes a lot more configuration than the servlet - both initially and every time you add a flow.
As far as URL/cert mapping and having a single port is concerned, they seem to be equivalent.
mqjeff | Grand Master | Joined: 25 Jun 2008 | Posts: 17447
Posted: Sun Jun 05, 2011 7:28 am
hopsala wrote:
    However, Apache takes a lot more configuration than the servlet - both initially and every time you add a flow.
I have been advocating for mqsiexporthttpconfig for several years now.
hopsala | Guardian | Joined: 24 Sep 2004 | Posts: 960
Posted: Wed Jun 08, 2011 7:49 am
mqjeff wrote:
    mqsiexporthttpconfig
Which yields no google results other than this thread?
mqjeff | Grand Master | Joined: 25 Jun 2008 | Posts: 17447
Posted: Wed Jun 08, 2011 9:36 am
hopsala wrote:
    mqjeff wrote:
        mqsiexporthttpconfig
    Which yields no google results other than this thread?
I said I'd been advocating for it.
I didn't say that anything had been done in response to my advocation.
hopsala | Guardian | Joined: 24 Sep 2004 | Posts: 960
Posted: Sun Jun 12, 2011 12:19 am
Well, you've got my vote..