flytang1
Posted: Wed Dec 07, 2011 6:09 pm    Post subject: Do MQ server side need to install the CA cert chain?

Dear all,
These days I was asked a question by a client about SSL. There is an MQ server currently, and the client wants to connect to the MQ server via an MQ client application under SSL. I checked a lot of docs and am still a bit confused.
My question is:
The MQ client needs to install the "CA cert chain" in the signer tab, and the MQ server needs to install the "CA cert" in the personal cert chain, but does the MQ server need to install the "CA cert chain"?
Many thanks for your reply!
exerk
Posted: Thu Dec 08, 2011 1:39 am

It's no different than if it was queue-manager-to-queue-manager, except that the key store type may differ for the client depending on the client type, e.g. a Java-based client would use a key store of type JKS.
The queue manager key store will require a copy of the CA certificate used to sign the client 'personal' certificate, and the client key store will require a copy of the CA certificate used to sign the queue manager 'personal' certificate. If there are multiple CA certificates, i.e. a certificate chain, then all certificates in that chain must be present within a key store.
_________________
It's puzzling, I don't think I've ever seen anything quite like this before...and it's hard to soar like an eagle when you're surrounded by turkeys.
flytang1
Posted: Sat Dec 17, 2011 12:43 am

Thanks exerk, sorry I was on vacation last week so I didn't see your reply. For my case it is only one-way authentication, which is, the server side doesn't need to verify the certificate of the client. In this case, I just need to install the CA chain of the server side into the client key database, and install the certificate on the server side as a personal certificate (not requiring the CA chain which signed the certificate), am I right?
exerk
Posted: Sat Dec 17, 2011 5:42 am

flytang1 wrote:
    ...For my case it is only one-way authentication, which is, the server side doesn't need to verify the certificate of the client...
So why bother with SSL? Allowing 'anonymous' connections is never a good thing.
flytang1 wrote:
    ...In this case, I just need to install the CA chain of the server side into the client key database...
Correct.
flytang1 wrote:
    ...and install the certificate on the server side as a personal certificate (not requiring the CA chain which signed the certificate), am I right?
Incorrect. You need the full chain. Try receiving the CA-signed certificate into the queue manager key store without the required CA certificates and see what the result is.
_________________
It's puzzling, I don't think I've ever seen anything quite like this before...and it's hard to soar like an eagle when you're surrounded by turkeys.
PeterPotkay
Posted: Sat Dec 17, 2011 3:27 pm

exerk wrote:
    flytang1 wrote:
        ...For my case it is only one-way authentication, which is, the server side doesn't need to verify the certificate of the client...
    So why bother with SSL? Allowing 'anonymous' connections is never a good thing.
With one-way SSL you still get:
The client knows they are connecting to the correct server.
The communication is encrypted.
_________________
Peter Potkay
Keep Calm and MQ On
exerk
Posted: Sat Dec 17, 2011 4:36 pm

PeterPotkay wrote:
    ...The client knows they are connecting to the correct server...
But is it the correct client?
_________________
It's puzzling, I don't think I've ever seen anything quite like this before...and it's hard to soar like an eagle when you're surrounded by turkeys.
Vitor
Posted: Sat Dec 17, 2011 5:13 pm

exerk wrote:
    PeterPotkay wrote:
        ...The client knows they are connecting to the correct server...
    But is it the correct client?
It's valid for some business cases for a client to know you're transmitting to an authoritative source, and for those transmissions to be encrypted.
_________________
Honesty is the best policy.
Insanity is the best defence.
fjb_saper
Posted: Sun Dec 18, 2011 1:24 am

Vitor wrote:
    exerk wrote:
        PeterPotkay wrote:
            ...The client knows they are connecting to the correct server...
        But is it the correct client?
    It's valid for some business cases for a client to know you're transmitting to an authoritative source, and for those transmissions to be encrypted.
Not to forget that the client still needs the truststore with the cert chain of the server.
_________________
MQ & Broker admin
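The chain rule exerk and fjb_saper describe (the queue manager key store needs the full signing chain, and the client truststore needs the server's CA chain) reproduced with a throwaway openssl-built PKI, as an added example that is not from the original thread and does not use IBM's GSKit/runmqakm tooling: a constructed root CA signs a constructed intermediate, the intermediate signs a queue manager certificate with the constructed subject "QM1", and the verification only succeeds when every CA in the chain is present in the truststore. Assumes the openssl CLI (1.1.x or later) is installed; all file names are temporary and constructed.

```shell
#!/bin/sh
# Constructed demo PKI: root CA -> intermediate CA -> queue manager 'personal' cert.
# Throwaway keys, 1-day validity, everything written under a temp directory.
WORK=$(mktemp -d)

# make_csr NAME CN: fresh RSA key plus certificate request for NAME
make_csr() {
  openssl req -new -newkey rsa:2048 -nodes -keyout "$WORK/$1.key" \
    -out "$WORK/$1.csr" -subj "/CN=$2" >/dev/null 2>&1
}

# sign_cert NAME ISSUER EXTENSIONS: issue NAME.pem from NAME.csr, signed by ISSUER's key
sign_cert() {
  printf '%s\n' "$3" > "$WORK/$1.ext"
  openssl x509 -req -in "$WORK/$1.csr" -CA "$WORK/$2.pem" -CAkey "$WORK/$2.key" \
    -CAcreateserial -days 1 -extfile "$WORK/$1.ext" -out "$WORK/$1.pem" >/dev/null 2>&1
}

# Self-signed root CA: the trust anchor the client must hold
make_csr root "Demo Root CA"
printf '%s\n' "basicConstraints=critical,CA:TRUE" > "$WORK/root.ext"
openssl x509 -req -in "$WORK/root.csr" -signkey "$WORK/root.key" -days 1 \
  -extfile "$WORK/root.ext" -out "$WORK/root.pem" >/dev/null 2>&1
# Intermediate CA, signed by the root
make_csr inter "Demo Intermediate CA"
sign_cert inter root "basicConstraints=critical,CA:TRUE"
# Queue manager 'personal' certificate (constructed subject QM1), signed by the intermediate
make_csr qmgr "QM1"
sign_cert qmgr inter "basicConstraints=CA:FALSE"
# Full CA chain, as it should appear in the client's truststore (signer certificates)
cat "$WORK/inter.pem" "$WORK/root.pem" > "$WORK/chain.pem"

# verify_with_truststore TRUSTSTORE CERT: exit 0 only if CERT validates using the
# CA certificates in TRUSTSTORE alone (what the client does with the queue manager cert)
verify_with_truststore() {
  openssl verify -no-CApath -CAfile "$1" "$2" >/dev/null 2>&1
}

# report FILE LABEL: human-readable outcome for one truststore layout
report() {
  if verify_with_truststore "$WORK/$1" "$WORK/qmgr.pem"; then
    echo "$2: queue manager certificate verified"
  else
    echo "$2: verification FAILED (issuer not found in truststore)"
  fi
}

report chain.pem "root + intermediate"   # full chain present: verifies
report root.pem  "root only"             # intermediate missing: fails
report inter.pem "intermediate only"     # no trusted root: fails
```

The same holds in the other direction: the queue manager can only present a chain it actually holds, which is why receiving the signed certificate into its key store needs the CA certificates first.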
exerk
Posted: Sun Dec 18, 2011 3:13 am

fjb_saper wrote:
    Not to forget that the client still needs the truststore with the cert chain of the server.
True. At least GSKit8 doesn't auto-populate anymore...
_________________
It's puzzling, I don't think I've ever seen anything quite like this before...and it's hard to soar like an eagle when you're surrounded by turkeys.
PeterPotkay
Posted: Sun Dec 18, 2011 6:12 am

exerk wrote:
    PeterPotkay wrote:
        ...The client knows they are connecting to the correct server...
    But is it the correct client?
Understood.
But not relevant in some cases.
_________________
Peter Potkay
Keep Calm and MQ On