hopsala
Guardian, joined 24 Sep 2004, 960 posts
Posted: Sat Aug 16, 2014 10:48 am    Post subject: IIB 9 - client-authenticating an individual certificate

Hey there,
So we all know that IIB can client-authenticate HTTPS clients against a CA certificate which is in its trust store.
What I'm wondering is how I can make sure that only a single certificate (or a finite number) from a single CA can connect, while other certificates from the same CA cannot.
This is similar to the functionality of SSLPEER in MQ - although I'd rather have a feature that allows me to supply a list of trusted certificates. At first I thought I'd just put only the individual consumer public certificates in my trust store, without the CA certificate. But, as these certificates are signed by the CA, I doubt that IIB will accept them without having the whole signing chain in its trust store - in which case I'm back to square one. Or am I wrong about this?
So, any ideas? The only solution I found involved splicing some code into all my message flows to authenticate the client certificate (http://www.ibm.com/developerworks/websphere/library/techarticles/1307_norton/1307_norton.html), but I need a way to do this via configuration, without changing the code, if possible.
Thanks!
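The per-certificate filter the original post is asking for, as an added example rather than code from this thread or from IBM: after the TLS layer has already validated the chain against the CA in the trust store, an SSLPEER-style allow list decides whether this particular certificate is one we admit. It assumes the flow already has the client's subject DN string and the DER bytes of its certificate; the DN patterns, fingerprints and DER sample below are constructed, not real partner data.

```python
# Added example: SSLPEER-like allow-listing of an already chain-validated
# client certificate. Two allow-list styles: exact SHA-256 fingerprints of
# the permitted certificates, and DN patterns such as
# "CN=partner1,OU=EDI,O=Example Corp" where a value ending in "*" matches
# any value with that prefix. All sample values here are constructed.
import hashlib
import re


def parse_dn(dn: str) -> dict:
    """Split an RFC 2253-style DN into {ATTR: value}; escaped commas ("\\,")
    inside a value are honoured, attribute names are upper-cased."""
    out = {}
    for part in re.split(r'(?<!\\),', dn):
        key, _, value = part.partition('=')
        out[key.strip().upper()] = value.strip().replace('\\,', ',')
    return out


def sslpeer_match(pattern: str, subject_dn: str) -> bool:
    """True if every attribute in the pattern is present in the subject DN
    with an equal value (prefix match when the pattern value ends in '*')."""
    want, have = parse_dn(pattern), parse_dn(subject_dn)
    for attr, val in want.items():
        if attr not in have:
            return False
        if val.endswith('*'):
            if not have[attr].startswith(val[:-1]):
                return False
        elif have[attr] != val:
            return False
    return True


def cert_fingerprint(der_bytes: bytes) -> str:
    """SHA-256 over the DER certificate, colon-separated upper-case hex."""
    digest = hashlib.sha256(der_bytes).hexdigest().upper()
    return ':'.join(digest[i:i + 2] for i in range(0, len(digest), 2))


def is_allowed(subject_dn, der_bytes, allowed_fingerprints, dn_patterns):
    """Pinned fingerprints win outright; otherwise any DN pattern may admit."""
    if cert_fingerprint(der_bytes) in allowed_fingerprints:
        return True
    return any(sslpeer_match(p, subject_dn) for p in dn_patterns)


# Constructed sample: NOT a real DER certificate, just bytes to pin against.
SAMPLE_DER = b"constructed-sample-not-a-real-certificate"
ALLOWED_FINGERPRINTS = {cert_fingerprint(SAMPLE_DER)}
DN_PATTERNS = ["CN=partner*,OU=EDI,O=Example Corp"]
```

Pinning by fingerprint is the tighter control (one certificate, period); the DN pattern form is what lets a finite set of partners from the same CA through without touching the trust store each time one of them renews.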
PeterPotkay
Poobah, joined 15 May 2001, 7722 posts
Posted: Sat Aug 16, 2014 5:17 pm    Post subject:

fjb_saper
Grand High Poobah, joined 18 Nov 2003, 20756 posts, location: LI,NY
Posted: Sun Aug 17, 2014 12:32 am    Post subject:

added my vote
_________________
MQ & Broker admin

JosephGramig
Grand Master, joined 09 Feb 2006, 1244 posts, location: Gold Coast of Florida, USA
Posted: Mon Aug 18, 2014 7:09 am    Post subject:

This is exactly what DataPower does... $500,000 a pop, but this is probably what you really need if you're security conscious.

fjb_saper
Grand High Poobah, joined 18 Nov 2003, 20756 posts, location: LI,NY
Posted: Mon Aug 18, 2014 7:22 am    Post subject:

Well, the alternative is to manage the certificates of your partners in the broker's truststore...
This is why you probably want to be able to filter by DN and signer DN..., although it might make the policies go crazy...
_________________
MQ & Broker admin

mqjeff
Grand Master, joined 25 Jun 2008, 17447 posts
Posted: Mon Aug 18, 2014 7:27 am    Post subject:

The alternative is to put something in front of Broker that handles this.
Or set up something like TFIM that can validate this from SecurityPEP, etc.

PeterPotkay
Poobah, joined 15 May 2001, 7722 posts
Posted: Mon Aug 18, 2014 12:35 pm    Post subject:

JosephGramig wrote:
    This is exactly what DataPower does... $500,000 a pop, but this is probably what you really need if you're security conscious.

You need to get a new sales rep if that's what they are charging you.
But that's what we ended up doing, by the way. We finally said any HTTP(S) traffic bound for the Brokers goes through DataPower first, where it can deal with SSL certs properly. Meanwhile our WMB Broker's trust stores only contain one set of certs, the public halves of our DataPower certs. No other certs will be accepted by WMB because the trust stores are otherwise empty.
I don't like adding yet ANOTHER hop in the transaction flow, but until WMB/IIB supports SSLPEER, it seemed like the easiest way.
_________________
Peter Potkay
Keep Calm and MQ On

Vitor
Grand High Poobah, joined 11 Nov 2005, 26093 posts, location: Texas, USA
Posted: Tue Aug 19, 2014 4:31 am    Post subject:

PeterPotkay wrote:
    JosephGramig wrote:
        This is exactly what DataPower does... $500,000 a pop, but this is probably what you really need if you're security conscious.

    You need to get a new sales rep if that's what they are charging you.

You might also want to see if he's bought rather more new yachts than you'd expect.

PeterPotkay wrote:
    But that's what we ended up doing, by the way. We finally said any HTTP(S) traffic bound for the Brokers goes through DataPower first, where it can deal with SSL certs properly. Meanwhile our WMB Broker's trust stores only contain one set of certs, the public halves of our DataPower certs. No other certs will be accepted by WMB because the trust stores are otherwise empty.

We do exactly the same thing.
_________________
Honesty is the best policy.
Insanity is the best defence.