MQSeries.net Forum Index » WebSphere Message Broker (ACE) Support » IIB 9 - client-authenticating an individual certificate

hopsala
PostPosted: Sat Aug 16, 2014 10:48 am    Post subject: IIB 9 - client-authenticating an individual certificate

Hey there,
So we all know that IIB can client-authenticate HTTPS clients against a CA certificate which is in its trust store.
What I'm wondering is how I can make sure that only a single certificate (or a finite number) from a single CA can connect, while other certificates from the same CA cannot.

This is similar to the functionality of SSLPEER in MQ, although I'd rather have a feature that allows me to supply a list of trusted certificates. At first I thought I'd just put only the individual consumer public certificates in my trust store, without the CA certificate. But, as these certificates are signed by the CA, I doubt that IIB will accept them without having the whole signing chain in its trust store, in which case I'm back to square one. Or am I wrong about this?

So, any ideas? The only solution I found involved splicing some code into all my message flows to authenticate the client certificate (http://www.ibm.com/developerworks/websphere/library/techarticles/1307_norton/1307_norton.html), but I need a way to do this via configuration, without changing the code, if possible.

Thanks!
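Added example (not part of this thread, and not IBM's code or the code from the developerWorks article linked above): the kind of post-handshake check the post is asking for, written in Python against the dict that `ssl.SSLSocket.getpeercert()` returns. TLS and the CA in the trust store still do the chain validation; this runs afterwards and admits only the listed subjects (SSLPEER-style filters, with the signer DN checked as well) or individually pinned certificates identified by SHA-256 fingerprint, which is the "list of trusted certificates" variant. The filter semantics are an assumed simplification of MQ's SSLPEER, and every certificate, DN and DER byte string below is constructed for the example.

```python
"""SSLPEER-style authorization of an already chain-validated client certificate.

Added example, not code from this thread, from IBM or from the developerWorks
article linked above. Input is the dict shape ssl.SSLSocket.getpeercert()
returns; every certificate below is constructed by hand. Filter semantics
(comma-separated ATTR=value pairs, one trailing '*' wildcard, DN attributes the
filter does not name are ignored) are an assumed simplification of MQ SSLPEER.
"""
import hashlib

# getpeercert() spells attribute types out in full; filters use short RDN names.
_SHORT = {"countryName": "C", "stateOrProvinceName": "ST", "localityName": "L",
          "organizationName": "O", "organizationalUnitName": "OU",
          "commonName": "CN", "emailAddress": "EMAIL"}


def dn_attrs(name):
    """Flatten a getpeercert() name (tuple of RDNs, each a tuple of
    (type, value) pairs) into {short_name: [values]}."""
    attrs = {}
    for rdn in name:
        for attr_type, value in rdn:
            attrs.setdefault(_SHORT.get(attr_type, attr_type), []).append(value)
    return attrs


def parse_filter(pattern):
    """'CN=partner*,O=ACME Corp,C=US' -> [('CN', 'partner*'), ...].
    A malformed filter raises instead of silently matching nothing."""
    pairs = []
    for part in pattern.split(","):
        key, sep, value = part.partition("=")
        key, value = key.strip().upper(), value.strip()
        if not (sep and key and value):
            raise ValueError(f"bad filter element: {part!r}")
        pairs.append((key, value))
    return pairs


def _value_ok(want, got):
    # Case-sensitive exact match, or prefix match with a single trailing '*'.
    return got.startswith(want[:-1]) if want.endswith("*") else got == want


def dn_matches(name, pattern):
    """True if every ATTR=value of the filter is satisfied by the DN. Because
    unlisted attributes are ignored, 'O=ACME Corp' alone admits every cert of
    that organisation: the CN (or a pinned fingerprint) must be in the policy
    when only specific partners may connect."""
    attrs = dn_attrs(name)
    return all(any(_value_ok(want, got) for got in attrs.get(key, []))
               for key, want in parse_filter(pattern))


def fingerprint_sha256(der):
    """Hex SHA-256 of the DER cert (openssl x509 -fingerprint -sha256, no colons)."""
    return hashlib.sha256(der).hexdigest().upper()


def authorize(peer_cert, peer_der, policy):
    """Decide whether a client whose chain TLS already validated may proceed.
    policy keys (all optional): pinned_sha256 (set of fingerprints of
    individually trusted certs), subject_filters and issuer_filters (lists of
    SSLPEER-style patterns; the issuer list limits which signer is acceptable).
    Returns (allowed, reason)."""
    if not peer_cert:
        # Empty when no client cert was presented or verify_mode was not
        # CERT_REQUIRED; never treat that as an anonymous pass.
        return False, "no client certificate"
    if fingerprint_sha256(peer_der) in policy.get("pinned_sha256", set()):
        return True, "pinned certificate"
    if not any(dn_matches(peer_cert["subject"], f)
               for f in policy.get("subject_filters", [])):
        return False, "subject DN not in allow-list"
    issuer_filters = policy.get("issuer_filters", [])
    if issuer_filters and not any(dn_matches(peer_cert["issuer"], f)
                                  for f in issuer_filters):
        return False, "issuer DN not in allow-list"
    return True, "subject and issuer filters matched"


# --- constructed sample data; none of these are real certificates -----------
def _name(**attrs):
    long_names = {short: long for long, short in _SHORT.items()}
    return tuple(((long_names[k], v),) for k, v in attrs.items())

OUR_CA = _name(C="US", O="Partner CA Inc", CN="Partner Issuing CA")
OTHER_CA = _name(C="US", O="Some Other CA", CN="Public Issuing CA")
PARTNER_01 = {"subject": _name(C="US", O="ACME Corp", CN="partner-01.acme.example"),
              "issuer": OUR_CA}
PARTNER_99 = {"subject": _name(C="US", O="ACME Corp", CN="partner-99.acme.example"),
              "issuer": OUR_CA}           # same CA, but not on the list
IMPOSTOR = {"subject": PARTNER_01["subject"], "issuer": OTHER_CA}  # right DN, wrong signer
LEGACY = {"subject": _name(C="DE", O="Legacy GmbH", CN="edi-gateway"), "issuer": OUR_CA}
LEGACY_DER = b"constructed stand-in for the legacy gateway's DER certificate"

POLICY = {
    "pinned_sha256": {fingerprint_sha256(LEGACY_DER)},
    "subject_filters": ["CN=partner-01.acme.example,O=ACME Corp,C=US",
                        "CN=partner-02*,O=ACME Corp,C=US"],
    "issuer_filters": ["CN=Partner Issuing CA,O=Partner CA Inc"],
}

if __name__ == "__main__":
    for label, cert, der in [("partner-01", PARTNER_01, b"der-01"),
                             ("partner-99", PARTNER_99, b"der-99"),
                             ("impostor", IMPOSTOR, b"der-x"), ("legacy", LEGACY, LEGACY_DER)]:
        print(f"{label:10s} -> {authorize(cert, der, POLICY)}")
```

Where this runs is the real question of the thread: in IIB it would sit where the linked article puts it (in the flow, after the HTTPInput node), and with a proxy in front of the broker it runs on the proxy instead. In either place the trust store only establishes that the CA is trusted; the allow-list is what turns "any certificate from this CA" into "these certificates". Note also that the issuer check matters: a second CA that happens to issue a certificate with the same subject DN is rejected even though the subject filter matches.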
PeterPotkay
PostPosted: Sat Aug 16, 2014 5:17 pm

I feel your pain:
http://www.mqseries.net/phpBB2/viewtopic.php?t=50760&highlight=ssl

Look at these RFEs and please vote.
http://www.ibm.com/developerworks/rfe/execute?use_case=viewRfe&CR_ID=35426

http://www.ibm.com/developerworks/rfe/execute?use_case=viewRfe&CR_ID=46825

I don't understand why these have such low vote totals. I mean one of them has only 1 vote, and it's mine. I didn't open it! How can you not vote for your own RFE?

SSLPEER like functionality on the HTTPS Input Node seems like such a basic requirement.
_________________
Peter Potkay
Keep Calm and MQ On
fjb_saper
PostPosted: Sun Aug 17, 2014 12:32 am

added my vote
_________________
MQ & Broker admin
JosephGramig
PostPosted: Mon Aug 18, 2014 7:09 am

This is exactly what DataPower does... $500,000 a pop but this is probably what you really need if you're security-conscious.
fjb_saper
PostPosted: Mon Aug 18, 2014 7:22 am

Well the alternative is to manage the certificates of your partners in the broker's truststore...
This is why you probably want to be able to filter by DN and signer DN..., although it might make the policies go crazy...
_________________
MQ & Broker admin
mqjeff
PostPosted: Mon Aug 18, 2014 7:27 am

The alternative is put something in front of Broker that handles this.

Or set up something like TFIM that can validate this from a SecurityPEP node, etc.
PeterPotkay
PostPosted: Mon Aug 18, 2014 12:35 pm

JosephGramig wrote:
This is exactly what DataPower does... $500,000 a pop but this is probably what you really need if you're security-conscious.

You need to get a new sales rep if that's what they are charging you.

But that's what we ended up doing, by the way. We finally said any HTTP(S) traffic bound for the Brokers goes through DataPower first, where it can deal with SSL certs properly. Meanwhile our WMB Brokers' trust stores only contain one set of certs, the public halves of our DataPower certs. No other certs will be accepted by WMB because the trust stores are otherwise empty.

I don't like adding yet ANOTHER hop in the transaction flow, but until WMB/IIB supports SSLPEER, it seemed like the easiest way.
_________________
Peter Potkay
Keep Calm and MQ On
Vitor
PostPosted: Tue Aug 19, 2014 4:31 am

PeterPotkay wrote:
JosephGramig wrote:
This is exactly what DataPower does... $500,000 a pop but this is probably what you really need if you're security-conscious.

You need to get a new sales rep if that's what they are charging you.

You might also want to see if he's bought rather more new yachts than you'd expect.

PeterPotkay wrote:
But that's what we ended up doing, by the way. We finally said any HTTP(S) traffic bound for the Brokers goes through DataPower first, where it can deal with SSL certs properly. Meanwhile our WMB Brokers' trust stores only contain one set of certs, the public halves of our DataPower certs. No other certs will be accepted by WMB because the trust stores are otherwise empty.

We do exactly the same thing.
_________________
Honesty is the best policy.
Insanity is the best defence.