ASG
IBM
Zystems
Cressida
Icon
Netflexity
 
  MQSeries.net
Search  Search       Tech Exchange      Education      Certifications      Library      Info Center      SupportPacs      LinkedIn  Search  Search                                                                   FAQ  FAQ   Usergroups  Usergroups
 
Register  ::  Log in Log in to check your private messages
 
RSS Feed - WebSphere MQ Support RSS Feed - Message Broker Support

MQSeries.net Forum Index » IBM MQ Security » SIngle certificate for all QMGRs

Post new topic  Reply to topic
 SIngle certificate for all QMGRs « View previous topic :: View next topic » 
Author Message
wskibum
PostPosted: Mon Mar 10, 2014 5:54 pm    Post subject: SIngle certificate for all QMGRs Reply with quote

Apprentice

Joined: 03 Jul 2008
Posts: 38
Location: Northern California

Is is practical or even possible to use a single certificate for all my qmgrs?
Is there any documentation on the process?

Currently I am running 7.0.3 on Linux

Thanks
Back to top
View user's profile Send private message
fjb_saper
PostPosted: Mon Mar 10, 2014 10:00 pm    Post subject: Re: SIngle certificate for all QMGRs Reply with quote

Grand High Poobah

Joined: 18 Nov 2003
Posts: 20756
Location: LI,NY

wskibum wrote:
Is is practical or even possible to use a single certificate for all my qmgrs?
Is there any documentation on the process?

Currently I am running 7.0.3 on Linux

Thanks

Each qmgr should have its own certificate
_________________
MQ & Broker admin
Back to top
View user's profile Send private message Send e-mail
exerk
PostPosted: Mon Mar 10, 2014 10:46 pm    Post subject: Re: SIngle certificate for all QMGRs Reply with quote

Jedi Council

Joined: 02 Nov 2006
Posts: 6339

wskibum wrote:
Is is practical or even possible to use a single certificate for all my qmgrs?

Crack one queue manager and they're all cracked...
_________________
It's puzzling, I don't think I've ever seen anything quite like this before...and it's hard to soar like an eagle when you're surrounded by turkeys.
Back to top
View user's profile Send private message
JosephGramig
PostPosted: Tue Mar 11, 2014 4:42 am    Post subject: Reply with quote

Grand Master

Joined: 09 Feb 2006
Posts: 1244
Location: Gold Coast of Florida, USA

How would you uniquely identify each Qmgr by it's certificate?
You cannot just trust who it says it is even with a valid certificate.
Back to top
View user's profile Send private message AIM Address
PeterPotkay
PostPosted: Tue Mar 11, 2014 5:17 am    Post subject: Reply with quote

Poobah

Joined: 15 May 2001
Posts: 7722

Potential use case:
You have 4 queue managers that together all provide the same functionality, and back each other up.

All you want to know is you are talking with one of these four, so you want one certificate to represent all 4.

Yes, you can/should have a unique cert for each, and then make sure you can deal with all 4. But I can see how it might be easier and might be "secure 'nuff'" to just know you are dealing with one of the 4.

Change the '4' to '400' and the benefit becomes clearer.

Is copying the same certificate around all over the place a good idea? Probably not...

If the bad guy gets a hold of it and tags his bad QM with that SSL cert, the 401st QM is now in the mix and you have no SSL way to keep #401 out while still allowing 1 thru 400.
_________________
Peter Potkay
Keep Calm and MQ On
Back to top
View user's profile Send private message
exerk
PostPosted: Tue Mar 11, 2014 5:21 am    Post subject: Reply with quote

Jedi Council

Joined: 02 Nov 2006
Posts: 6339

PeterPotkay wrote:
Potential use case:
You have 4 queue managers that together all provide the same functionality, and back each other up.

All you want to know is you are talking with one of these four, so you want one certificate to represent all 4.

Yes, you can/should have a unique cert for each, and then make sure you can deal with all 4. But I can see how it might be easier and might be "secure 'nuff'" to just know you are dealing with one of the 4.

Change the '4' to '400' and the benefit becomes clearer.

Is copying the same certificate around all over the place a good idea? Probably not...

If the bad guy gets a hold of it and tags his bad QM with that SSL cert, the 401st QM is now in the mix and you have no SSL way to keep #401 out while still allowing 1 thru 400.



And when that one certificate gets revoked...
_________________
It's puzzling, I don't think I've ever seen anything quite like this before...and it's hard to soar like an eagle when you're surrounded by turkeys.
Back to top
View user's profile Send private message
Display posts from previous:   
Post new topic  Reply to topic Page 1 of 1

MQSeries.net Forum Index » IBM MQ Security » SIngle certificate for all QMGRs
Jump to:  



You cannot post new topics in this forum
You cannot reply to topics in this forum
You cannot edit your posts in this forum
You cannot delete your posts in this forum
You cannot vote in polls in this forum
Protected by Anti-Spam ACP
 
 


Theme by Dustin Baccetti
Powered by phpBB © 2001, 2002 phpBB Group

Copyright © MQSeries.net. All rights reserved.