withKappa (Novice; Joined: 01 Jan 2012; Posts: 11)
Posted: Mon Jan 02, 2012 1:12 am

    mqjeff wrote:
    The only way to identify which key in a given keystore is presented by an application is using the *label* of the certificate, not the distinguished name. This is the label you have generated like ibmwebspheremquser_test.

ok, are you saying that the clients identify the certs by the label (ibmwebspheremquser_test) and not by the DN?

Thx,

Mark

		
exerk (Jedi Council; Joined: 02 Nov 2006; Posts: 6339)
Posted: Mon Jan 02, 2012 3:41 am

    withKappa wrote:
        mqjeff wrote:
        The only way to identify which key in a given keystore is presented by an application is using the *label* of the certificate, not the distinguished name. This is the label you have generated like ibmwebspheremquser_test.

    ok, are you saying that the clients identify the certs by the label (ibmwebspheremquser_test) and not by the DN?

The default behaviour for clients is to use the certificate bearing their name, e.g. if the client runs under a user named mytestuser it will expect a certificate with the label of ibmwebspheremqmytestuser, and if it's not found, SSL fails. I don't know if that's true of Java (I'm decidedly shaky on anything Java related, but someone more enlightened will be along to confirm/refute soon I'm sure) but out of habit, and to maintain uniformity, I have always used the prescribed convention when working with JKS key stores.
_________________
It's puzzling, I don't think I've ever seen anything quite like this before...and it's hard to soar like an eagle when you're surrounded by turkeys.

		
withKappa (Novice; Joined: 01 Jan 2012; Posts: 11)
Posted: Mon Jan 02, 2012 4:08 am

    exerk wrote:
    The default behaviour for clients is to use the certificate bearing their name, e.g. if the client runs under a user named mytestuser it will expect a certificate with the label of ibmwebspheremqmytestuser, and if it's not found, SSL fails. I don't know if that's true of Java (I'm decidedly shaky on anything Java related, but someone more enlightened will be along to confirm/refute soon I'm sure) but out of habit, and to maintain uniformity, I have always used the prescribed convention when working with JKS key stores.

ok perfect

thx
Mark

		
fjb_saper (Grand High Poobah; Joined: 18 Nov 2003; Posts: 20767; Location: LI,NY)
Posted: Mon Jan 02, 2012 7:19 am

    exerk wrote:
    The default behaviour for clients is to use the certificate bearing their name, e.g. if the client runs under a user named mytestuser it will expect a certificate with the label of ibmwebspheremqmytestuser, and if it's not found, SSL fails. I don't know if that's true of Java (I'm decidedly shaky on anything Java related, but someone more enlightened will be along to confirm/refute soon I'm sure) but out of habit, and to maintain uniformity, I have always used the prescribed convention when working with JKS key stores.

Mostly... not quite.
I believe the rule goes more like
If the client runs under a user named mytestuser it will expect a certificate label of ibmwebspheremqmytestuser. If it is not found it will attempt to use the default certificate. If no default certificate is found SSL will fail...
_________________
MQ & Broker admin

		
exerk (Jedi Council; Joined: 02 Nov 2006; Posts: 6339)
Posted: Mon Jan 02, 2012 9:32 am

    fjb_saper wrote:
        exerk wrote:
        The default behaviour for clients is to use the certificate bearing their name, e.g. if the client runs under a user named mytestuser it will expect a certificate with the label of ibmwebspheremqmytestuser, and if it's not found, SSL fails. I don't know if that's true of Java (I'm decidedly shaky on anything Java related, but someone more enlightened will be along to confirm/refute soon I'm sure) but out of habit, and to maintain uniformity, I have always used the prescribed convention when working with JKS key stores.

    Mostly... not quite.
    I believe the rule goes more like
    If the client runs under a user named mytestuser it will expect a certificate label of ibmwebspheremqmytestuser. If it is not found it will attempt to use the default certificate. If no default certificate is found SSL will fail...

Thank you for the clarification - I wasn't sure whether the rule applied to Java clients; for some reason I had it in the back of my head that they could use any certificate they wanted or found in the key store.
_________________
It's puzzling, I don't think I've ever seen anything quite like this before...and it's hard to soar like an eagle when you're surrounded by turkeys.

		
fjb_saper (Grand High Poobah; Joined: 18 Nov 2003; Posts: 20767; Location: LI,NY)
Posted: Mon Jan 02, 2012 11:39 am

    exerk wrote:
    Thank you for the clarification - I wasn't sure whether the rule applied to Java clients; for some reason I had it in the back of my head that they could use any certificate they wanted or found in the key store.

Sorry I wasn't specific. I believe you're right for Java. The rule I wanted to clarify was for the cms type store.
_________________
MQ & Broker admin

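The CMS key-store selection rule fjb_saper states above (label ibmwebspheremq plus the user ID, then the default certificate, then failure) and the earlier point that the DN plays no part, rolled into a pre-flight check. This is an added example, not code from the thread or from IBM MQ; the key-store inventory is constructed, and folding the user ID to lower case when building the label is an assumption.

```python
"""Pre-flight check: which personal certificate will an MQ client present from a CMS key store?

Rule taken from the thread: look for the label ibmwebspheremq<user id>; if absent, use the
store's default certificate; if there is none either, the SSL handshake fails.
The subject DN of the certificates plays no part in the selection.
"""

LABEL_PREFIX = "ibmwebspheremq"

# Constructed key-store inventory (not real runmqakm output): label -> subject DN and default flag.
# Note the second entry: its DN names mytestuser, but its label does not follow the convention,
# so a client running as mytestuser will not pick it up unless it is flagged as the default.
KEYSTORE = {
    "ibmwebspheremquser_test": {"dn": "CN=user_test,O=EXAMPLE", "default": False},
    "mqclientcert": {"dn": "CN=mytestuser,O=EXAMPLE", "default": False},
}


def expected_label(user_id: str) -> str:
    """Label the client will look for. Folding the user ID to lower case is an assumption."""
    return LABEL_PREFIX + user_id.lower()


def default_label(keystore: dict):
    """Label flagged as the store's default certificate, or None when none is flagged."""
    for label, entry in keystore.items():
        if entry.get("default"):
            return label
    return None


def resolve_client_cert(user_id: str, keystore: dict):
    """Return (label, reason); label is None when the client would fail the handshake."""
    wanted = expected_label(user_id)
    if wanted in keystore:
        return wanted, "label matches the running user ID"
    fallback = default_label(keystore)
    if fallback is not None:
        return fallback, f"no label {wanted}; falling back to the default certificate"
    return None, f"no label {wanted} and no default certificate: SSL handshake fails"


def preflight(user_ids, keystore: dict) -> dict:
    """Map each user ID to the label it would present (None means the handshake fails)."""
    return {u: resolve_client_cert(u, keystore)[0] for u in user_ids}


if __name__ == "__main__":
    for user in ("user_test", "mytestuser"):
        print(user, "->", resolve_client_cert(user, KEYSTORE))
```

Run it before rolling a key database out to a client host: any user that maps to None needs either a correctly labelled certificate or a default certificate set in the store.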
		
PeterPotkay (Poobah; Joined: 15 May 2001; Posts: 7723)
Posted: Mon Jan 02, 2012 5:48 pm

		
fjb_saper (Grand High Poobah; Joined: 18 Nov 2003; Posts: 20767; Location: LI,NY)
Posted: Mon Jan 02, 2012 8:43 pm

Thanks for the authoritative document Peter.
_________________
MQ & Broker admin

		
withKappa (Novice; Joined: 01 Jan 2012; Posts: 11)
Posted: Tue Jan 03, 2012 12:21 am

ok thx to all. If I have other questions I will post here again.

Mark