OCSPAuthentication=optional ...or what?

Robert_JR
Posted: Wed Jul 23, 2014 8:33 am Post subject: OCSPAuthentication=optional ...or what?
Newbie
Joined: 02 May 2013 Posts: 2

Hello there,
I'm using
SSL:
OCSPAuthentication=optional
in my qm.ini files, as I was experiencing a lot of SSL errors (the certificate issuer servers were not reachable). But this 'optional' tells me: 'try to check it, but ignore it if you cannot check'.
Now my qmgrs are being moved to a new environment, where -unfortunately- the CA servers are reachable directly from the MQ servers.
I want to be 100% sure that the qmgrs will not check for cert revocation (will not check anything on the CA servers).
Is there any option here which can disable this? e.g.
OCSPAuthentication=no
OCSPAuthentication=disabled
or similar? I found 'optional' and 'warn', probably there are other options here.
Or does this guarantee that the qmgr will not check anything on the CA servers?
SSL:
OCSPCheckExtensions=No
OCSPAuthentication=optional
Thanks in advance.

exerk
Posted: Wed Jul 23, 2014 11:22 am
Jedi Council
Joined: 02 Nov 2006 Posts: 6339

It's pretty explicit in the KB, that for OCSPCheckExtensions:
Quote:
NO: SSL and TLS channels do not try to check OCSP servers.
_________________
It's puzzling, I don't think I've ever seen anything quite like this before...and it's hard to soar like an eagle when you're surrounded by turkeys.

tczielke
Posted: Wed Jul 23, 2014 11:48 am
Guardian
Joined: 08 Jul 2010 Posts: 941 Location: Illinois, USA

Also, in the "SSL and TLS stanza of the queue manager configuration file" -> http://www-01.ibm.com/support/knowledgecenter/SSFKSJ_8.0.0/com.ibm.mq.con.doc/q019040_.htm?lang=en
I would take note of this warning for these ini attributes, in case you were not aware:
Quote:
In each of the following cases, if the value supplied is not one of the valid values listed, then the default value is taken. No error messages are written mentioning that an invalid value is specified.
I am not sure if the OCSPAuthentication or OCSPCheckExtensions values are case sensitive or not, but the values are listed as upper case in the manual.

Robert_JR
Posted: Wed Jul 23, 2014 8:52 pm
Newbie
Joined: 02 May 2013 Posts: 2

I'll build a test environment with these lines in the qm.ini files.
SSL:
CDPCheckExtensions=NO
OCSPAuthentication=OPTIONAL
OCSPCheckExtensions=NO
Then I'll tell the security guys to revoke my test cert.
Thanks guys for the tip.
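
Added example (not posted by anyone in the thread and not IBM code): because an invalid value in the SSL stanza falls back to the default without any error message, this Python check reads a qm.ini, reports the value each revocation attribute will actually take, and flags values that are invalid or not in the documented upper case. The valid values and defaults in the table are taken from the IBM documentation for the SSL stanza and are an assumption to verify for the MQ version in use; the function names and sample inputs are constructed for illustration.

```python
import re

# Valid values and defaults for the SSL stanza, per the IBM documentation
# linked in the thread; verify against the MQ version in use.
SSL_ATTRS = {
    "OCSPAuthentication": ({"REQUIRED", "WARN", "OPTIONAL"}, "REQUIRED"),
    "OCSPCheckExtensions": ({"YES", "NO"}, "YES"),
    "CDPCheckExtensions": ({"YES", "NO"}, "NO"),
}

def ssl_stanza(text):
    """Return {attribute: value} from the SSL: stanza of qm.ini text."""
    attrs, in_ssl = {}, False
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":      # blank line or comment
            continue
        if re.fullmatch(r"\w+:", line):      # stanza header such as "SSL:"
            in_ssl = line == "SSL:"
        elif in_ssl and "=" in line:
            key, value = line.split("=", 1)
            attrs[key.strip()] = value.strip()
    return attrs

def audit(text):
    """Return (effective, findings); effective[name] is None when unknown."""
    given, effective, findings = ssl_stanza(text), {}, []
    for name, (valid, default) in SSL_ATTRS.items():
        value = given.get(name, default)
        if value in valid:
            effective[name] = value
        elif value.upper() in valid:
            # Case sensitivity is left open in the thread: flag, do not guess.
            effective[name] = None
            findings.append(f"{name}={value}: documented in upper case, result uncertain")
        else:
            effective[name] = default
            findings.append(f"{name}={value}: invalid, silently replaced by {default}")
    return effective, findings

# Constructed inputs: the stanzas posted in the thread and one guessed value.
FIRST_POST = "SSL:\n   OCSPCheckExtensions=No\n   OCSPAuthentication=optional\n"
GUESSED = "SSL:\n   OCSPAuthentication=disabled\n"
LAST_POST = ("SSL:\n   CDPCheckExtensions=NO\n"
             "   OCSPAuthentication=OPTIONAL\n   OCSPCheckExtensions=NO\n")

if __name__ == "__main__":
    for label, text in (("first", FIRST_POST), ("guessed", GUESSED), ("last", LAST_POST)):
        print(label, *audit(text), sep="\n  ")
```

A guessed value such as `OCSPAuthentication=disabled` comes out as `REQUIRED`, which is the opposite of what was intended, so running a check like this before a migration catches the mistake that the queue manager itself will not report.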