Does MBV7 ws-security support multi web service consumers? |
Author |
Message
|
hummingbird1974 |
Posted: Tue Dec 06, 2011 6:37 pm Post subject: Does MBV7 ws-security support multi web service consumers? |
|
|
Newbie
Joined: 06 Dec 2011 Posts: 3
|
Hi guys,
We use ws-security for message part protection (signature and encryption). We have realized such a configuration in WMB with a scenario of 1 web service consumer and 1 web service provider (MB msg flow acts as a web service provider).
However, there are many web service clients that need to interact with the web service provider with WS-Security enabled. That means the clients will send messages with signature and encryption and the provider will respond to the messages with signature and encryption too.
But we found we can only specifically bind 1 client CA certification in the Policy Set Binding of Broker, hence it only supports 1 client's access.
The questions are:
1. If we use Encryption of message, does this mean we must import all the clients' CA certification into the keystore of Broker at the provider end?
2. Does MBV7 support multi clients' ws-security? If it's true, how to configure it?
We're using MBV7003. Thanks for all the responses!! |
|
mqjeff |
Posted: Tue Dec 06, 2011 7:03 pm Post subject: |
|
|
Grand Master
Joined: 25 Jun 2008 Posts: 17447
|
Each client should have their own certificate.
Each client's certification should be signed by a CA. One or more client certs are all signed by a single CA.
The CA's certificate should be imported into broker in a way that indicates that broker should TRUST the CA, and then TRUST that all of the clients who present certs signed by that CA are who they say they are.
If you need to accept client certs from multiple independent CAs, you may possibly need to deploy your application to multiple EGs or brokers, and thus have separate URLs. You *may*, *possibly* have to do this. I haven't double-checked the documentation.
You can also consider using something like DataPower to handle the incoming security and normalize the connections to Broker. |
|
hummingbird1974 |
Posted: Tue Dec 06, 2011 7:54 pm Post subject: |
|
|
Newbie
Joined: 06 Dec 2011 Posts: 3
|
mqjeff wrote: |
Each client should have their own certificate.
Each client's certification should be signed by a CA. One or more client certs are all signed by a single CA.
The CA's certificate should be imported into broker in a way that indicates that broker should TRUST the CA, and then TRUST that all of the clients who present certs signed by that CA are who they say they are.
If you need to accept client certs from multiple independent CAs, you may possibly need to deploy your application to multiple EGs or brokers, and thus have separate URLs. You *may*, *possibly* have to do this. I haven't double-checked the documentation.
You can also consider using something like DataPower to handle the incoming security and normalize the connections to Broker. |
Thanks Jedi!!
The single CA you mentioned can support signatures from multi-clients. But can the single CA support encryption/decryption for multi-clients? |
|
hummingbird1974 |
Posted: Wed Dec 07, 2011 5:35 pm Post subject: |
|
|
Newbie
Joined: 06 Dec 2011 Posts: 3
|
Does anybody know the answer?
Actually I've tried to sign several certificates using the same CA certificate (I'm using openssl), and imported the single CA into the truststore of broker, but it seems it cannot trust the certificate it signed. |
|
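The trust model discussed in this thread, checked outside Broker with the openssl CLI, as an added example that is not part of any post and is not Broker configuration: one CA certificate validates every client certificate it signed, while encryption to a client uses that client's own key pair. It assumes bash and OpenSSL 1.1.1 or later; all names (demo-ca, other-ca, client-a, client-b, client-x) are constructed.

```shell
#!/usr/bin/env bash
# Added example. All names (demo-ca, other-ca, client-a, ...) are constructed.
set -eu
W=$(mktemp -d)   # scratch directory for keys and certificates
cat > "$W/cfg" <<'EOF'
[req]
distinguished_name = dn
prompt = no
[dn]
CN = placeholder
[v3_ca]
basicConstraints = critical,CA:TRUE
keyUsage = critical,keyCertSign,cRLSign
[v3_client]
basicConstraints = CA:FALSE
keyUsage = digitalSignature,keyEncipherment
EOF

make_ca() {      # $1 = CA name: self-signed certificate marked CA:TRUE
  openssl req -x509 -config "$W/cfg" -extensions v3_ca -newkey rsa:2048 -nodes \
    -days 30 -subj "/CN=$1" -keyout "$W/$1.key" -out "$W/$1.crt" 2>/dev/null
}
issue_client() { # $1 = CA name, $2 = client name: key pair + cert signed by the CA
  openssl req -new -config "$W/cfg" -newkey rsa:2048 -nodes -subj "/CN=$2" \
    -keyout "$W/$2.key" -out "$W/$2.csr" 2>/dev/null
  openssl x509 -req -in "$W/$2.csr" -CA "$W/$1.crt" -CAkey "$W/$1.key" \
    -CAcreateserial -days 30 -extfile "$W/cfg" -extensions v3_client \
    -out "$W/$2.crt" 2>/dev/null
}
trusted_by() {   # $1 = CA name, $2 = client name: does the cert chain to that CA?
  openssl verify -CAfile "$W/$1.crt" "$W/$2.crt" >/dev/null 2>&1
}
roundtrip() {    # encrypt to $1's certificate, try to decrypt with $2's private key
  printf 'reply body' > "$W/msg"
  openssl pkeyutl -encrypt -certin -inkey "$W/$1.crt" \
    -pkeyopt rsa_padding_mode:oaep -in "$W/msg" -out "$W/msg.enc" || return 1
  openssl pkeyutl -decrypt -inkey "$W/$2.key" -pkeyopt rsa_padding_mode:oaep \
    -in "$W/msg.enc" -out "$W/msg.dec" 2>/dev/null || return 1
  cmp -s "$W/msg" "$W/msg.dec"
}

make_ca demo-ca; make_ca other-ca
issue_client demo-ca client-a; issue_client demo-ca client-b
issue_client other-ca client-x   # signed by a CA that is not in the trust set
for c in client-a client-b client-x; do
  if trusted_by demo-ca "$c"; then echo "$c: accepted"; else echo "$c: rejected"; fi
done
roundtrip client-a client-a && echo "client-a can read a reply encrypted to client-a"
roundtrip client-a client-b || echo "client-b cannot read it"
```

Running `openssl verify -CAfile` against the exact CA file that was imported into the truststore is a quick way to separate certificate-chain problems from Broker configuration problems.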