| |
|
RSS Feed - WebSphere MQ Support
|
RSS Feed - Message Broker Support
|
  |
|
| Does SSL Cert for MQ SDR/RCVR chnl relies on phy hostname? |
« View previous topic :: View next topic » |
| Author |
Message
|
| neutron |
 Posted: Tue Apr 17, 2012 7:31 pm Post subject: Does SSL Cert for MQ SDR/RCVR chnl relies on phy hostname? |
 |
|
Novice
Joined: 25 Aug 2008
Posts: 21
|
Hi,
we are doing a physical machine change for our current QMgr. But the current QMGR contains SSL channel with external QMgr. We are retaining every info hence all QMID / QM data remains unchanged except that the machine that the QM will be residing on will be different.
SSL cert we are using is Entrust.
Regards
Dingshan |
|
| Back to top |
|
 |
| fjb_saper |
| Posted: Tue Apr 17, 2012 8:15 pm Post subject: |
|
|
Grand High Poobah
Joined: 18 Nov 2003
Posts: 20756
Location: LI,NY
|
The real question here is what is the value of the Common Name on the cert.
I sure hope it to be the qmgr name and not the hostname...
Moving to security forum
Have fun 
_________________
MQ & Broker admin |
|
| Back to top |
|
|
| zpat |
| Posted: Tue Apr 17, 2012 11:56 pm Post subject: |
|
|
Jedi Council
Joined: 19 May 2001
Posts: 5866
Location: UK
|
The host name should not matter.
The common name won't change if you use the same certificates (or indeed the same keystore). Even then it's only used by the peer checking at the other end (which can be changed if needed). You can check whatever CN value you like (it's an arbitrary value). So even if it is the hostname, you don't have to change it.
The certificate label needs to be correct for the QM name. So the real question is - does the QM name change? |
|
| Back to top |
|
|
| fjb_saper |
| Posted: Wed Apr 18, 2012 4:58 am Post subject: |
|
|
Grand High Poobah
Joined: 18 Nov 2003
Posts: 20756
Location: LI,NY
|
| zpat wrote: |
The host name should not matter.
The common name won't change if you use the same certificates (or indeed the same keystore). Even then it's only used by the peer checking at the other end (which can be changed if needed). You can check whatever CN value you like (it's an arbitrary value). So even if it is the hostname, you don't have to change it.
The certificate label needs to be correct for the QM name. So the real question is - does the QM name change? |
I agree, except that if you look at https (web site certificates) where typically the CN is the website url and gets checked during the SSL authentication...
For MQ having the CN to be the qmgr name is a good idea. It allows you to differentiate between 2 qmgrs on the same box and ensures you change the cert if you change the qmgr name...
Have fun
_________________
MQ & Broker admin |
|
| Back to top |
|
|
|
|
|
| |
|
Page 1 of 1 |
|
You cannot post new topics in this forum
You cannot reply to topics in this forum
You cannot edit your posts in this forum
You cannot delete your posts in this forum
You cannot vote in polls in this forum
|
|
|
|
