fatherjack (Knight; Joined: 14 Apr 2010; Posts: 522; Location: Craggy Island)
Posted: Thu Feb 14, 2013 11:16 am    Post subject: SSL Keystore requirement for HTTP and SOAP Request nodes

lancelotlinc (Jedi Knight; Joined: 22 Mar 2010; Posts: 4941; Location: Bloomington, IL USA)
Posted: Thu Feb 14, 2013 11:20 am
When you make calls from HTTPRequest or SOAPRequest that use http instead of https in the url, SSL is not used (and therefore no truststore needed). Request nodes do not use keystores in either case.
_________________
http://leanpub.com/IIB_Tips_and_Tricks
Save $20: Coupon Code: MQSERIES_READER

mqjeff (Grand Master; Joined: 25 Jun 2008; Posts: 17447)
Posted: Thu Feb 14, 2013 11:21 am
Please make an effort to notice the version number supplied with that.
It's possible that v6.0 included a truststore that was populated with a sufficient number of "well known" CA certs that you didn't need to create a new truststore and populate it.
It's entirely worth the time necessary to review the current infocenter for the version of the product you are actually using.

fatherjack (Knight; Joined: 14 Apr 2010; Posts: 522; Location: Craggy Island)
Posted: Thu Feb 14, 2013 1:33 pm
lancelotlinc wrote:
> When you make calls from HTTPRequest or SOAPRequest that use http instead of https in the url, SSL is not used (and therefore no truststore needed).
Yeah - I'm happy with the non-SSL bit.
lancelotlinc wrote:
> Request nodes do not use keystores in either case.
So are you saying that the statement in the presentation that "the ONLY thing that HAS to be done is to specify a web service URL that begins 'https://'" to get my SOAPRequest node to communicate over SSL is correct (network and firewall restrictions notwithstanding)? I don't have to create or populate a keystore or a truststore and I don't have to do mqsichangeproperties to point my broker or execution group to a keystore or truststore?
_________________
Never let the facts get in the way of a good theory.

fatherjack (Knight; Joined: 14 Apr 2010; Posts: 522; Location: Craggy Island)
Posted: Thu Feb 14, 2013 1:42 pm
mqjeff wrote:
> Please make an effort to notice the version number supplied with that.
I did. It's V6. Same as mine. I know. I know. We are going to upgrade - honest.
mqjeff wrote:
> It's possible that v6.0 included a truststore that was populated with a sufficient number of "well known" CA certs that you didn't need to create a new truststore and populate it.
It does come with a pre-populated cacerts file, but that's only relevant if you do a mqsichangeproperties to tell your broker this is the truststore. Isn't it? Or have I missed something?
mqjeff wrote:
> It's entirely worth the time necessary to review the current infocenter for the version of the product you are actually using.
I did, and it appears to contradict the presentation I pointed to. The doc suggests you need to create a PKI infrastructure (keystore, truststore, personal certs etc.) whereas the presentation states "the ONLY thing that HAS to be done is to specify a web service URL that begins 'https://'".

lancelotlinc (Jedi Knight; Joined: 22 Mar 2010; Posts: 4941; Location: Bloomington, IL USA)
Posted: Thu Feb 14, 2013 2:08 pm
fatherjack wrote:
> lancelotlinc wrote:
> > Request nodes do not use keystores in either case.
> So are you saying that the statement in the presentation that "the ONLY thing that HAS to be done is to specify a web service URL that begins 'https://'" to get my SOAPRequest node to communicate over SSL is correct (network and firewall restrictions notwithstanding)? I don't have to create or populate a keystore or a truststore and I don't have to do mqsichangeproperties to point my broker or execution group to a keystore or truststore?
As mqjeff informed me, keystores identify you to the rest of the world, and hence only apply to SOAPInput or HTTPInput nodes. Truststores enumerate which systems you trust, and then apply only to SOAPRequest or HTTPRequest nodes. If no node has https (SSL) turned on, then you can operate these without configuration of the properties you described.
I believe my statements to be true. (Although, I have been wrong before.)
If you publish a message flow with a SOAPInput node set to accept HTTPS, then yes, you must configure SSL parameters for your keystore. Likewise, for SOAPRequest for HTTPS urls, you must configure the truststore.

mgk (Padawan; Joined: 31 Jul 2003; Posts: 1642)
Posted: Thu Feb 14, 2013 3:33 pm
Quote:
> keystores identify you to the rest of the world, and hence only apply to SOAPInput or HTTPInput nodes
Almost. The Keystore is needed by a SOAPRequest or HTTPRequest node if you require mutual-authentication, but if not then it is not needed for the request nodes. Also, by default, the Java JDK truststore is used by the ExecutionGroup, which means if a request node is talking to a site whose certificate is signed by one of the big vendors in this space (verisign etc) then it should work without needing any further configuration. If you are talking to a site with a cert not trusted by the default truststore (self-signed for example) then you will need to add their cert to the truststore. So the article seems correct for the simple basic case, but not for more complicated cases...
Hope this helps...
Regards,
_________________
MGK
The postings I make on this site are my own and don't necessarily represent IBM's positions, strategies or opinions.

fatherjack (Knight; Joined: 14 Apr 2010; Posts: 522; Location: Craggy Island)
Posted: Fri Feb 15, 2013 3:09 am
mgk wrote:
> by default, the Java JDK truststore is used by the ExecutionGroup which means if a request node is talking to a site whose certificate is signed by one of the big vendors in this space (verisign etc) then it should work without needing any further configuration.
Thanks mgk. That clarifies things. I deleted and recreated my broker and deleted my keystore and truststore and expected my HTTPS SOAPRequest to fail with an SSL problem. But it didn't. So obviously the necessary signer cert is in the default JKS.

mqjeff (Grand Master; Joined: 25 Jun 2008; Posts: 17447)
Posted: Fri Feb 15, 2013 5:49 am
I express my condolences for you having to work with v6.0.
I expect you may find that the default truststore that comes with a v6.0 installation may contain certificates for the major CA suppliers that are outdated and have expired.
This may cause a significant production impact *even* when your broker is *only* talking to *internal systems*.
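The two checks raised in this thread, whether the default JDK truststore the execution group uses will accept a given server's certificate chain (mgk's point) and whether that truststore carries expired CA certificates (mqjeff's point), can both be done offline against the JKS file. The following is an added example, not code from the thread or from the product; the truststore path, its password (the JDK cacerts default is "changeit") and the PEM file holding the server's chain are assumed command-line arguments.

```java
import java.io.FileInputStream;
import java.security.KeyStore;
import java.security.cert.*;
import java.util.*;

// Added example, not from the thread or the product: inspects a JKS truststore
// (for instance the JDK cacerts file) for expired trusted certificates and tests
// whether a server certificate chain would be accepted using only that truststore.
public class TruststoreCheck {
    // Aliases of trusted certificates whose validity period ended before 'now'.
    static List<String> expiredAliases(KeyStore ts, Date now) throws Exception {
        List<String> expired = new ArrayList<>();
        for (Enumeration<String> e = ts.aliases(); e.hasMoreElements();) {
            String alias = e.nextElement();
            Certificate c = ts.getCertificate(alias);
            if (c instanceof X509Certificate && ((X509Certificate) c).getNotAfter().before(now)) expired.add(alias);
        }
        return expired;
    }

    // PKIX-validate the server chain (leaf first) against the trust anchors in 'ts'.
    // Returns null when trusted, otherwise the validator's reason (e.g. a self-signed
    // server cert whose signer is not in the truststore).
    static String chainProblem(KeyStore ts, List<X509Certificate> chain) throws Exception {
        try {
            PKIXParameters params = new PKIXParameters(ts);
            params.setRevocationEnabled(false); // offline check: no CRL or OCSP fetch
            CertPath path = CertificateFactory.getInstance("X.509").generateCertPath(chain);
            CertPathValidator.getInstance("PKIX").validate(path, params);
            return null;
        } catch (CertPathValidatorException ex) {
            return ex.getMessage();
        }
    }

    public static void main(String[] args) throws Exception {
        // Usage: java TruststoreCheck <truststore.jks> <password> <server-chain.pem>
        KeyStore ts = KeyStore.getInstance("JKS");
        try (FileInputStream in = new FileInputStream(args[0])) {
            ts.load(in, args[1].toCharArray());
        }
        System.out.println("Expired trusted certs: " + expiredAliases(ts, new Date()));
        List<X509Certificate> chain = new ArrayList<>();
        try (FileInputStream in = new FileInputStream(args[2])) {
            for (Certificate c : CertificateFactory.getInstance("X.509").generateCertificates(in)) {
                chain.add((X509Certificate) c);
            }
        }
        String problem = chainProblem(ts, chain);
        System.out.println(problem == null ? "Chain trusted by this truststore" : "Not trusted: " + problem);
    }
}
```

Run it once against the JDK cacerts the broker picks up by default and once against any custom truststore you point the broker at, so a certificate that validated only because of an outdated anchor shows up before the cut-over rather than after.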

fatherjack (Knight; Joined: 14 Apr 2010; Posts: 522; Location: Craggy Island)
Posted: Wed Feb 20, 2013 9:26 am
mqjeff wrote:
> I express my condolences for you having to work with v6.0.
> I expect you may find that the default truststore that comes with a v6.0 installation may contain certificates for the major CA suppliers that are outdated and have expired.
> This may cause a significant production impact *even* when your broker is *only* talking to *internal systems*.
Thanks mqjeff. I'll probably create my own truststore and load the required CA certs into that.