SSL cert labels confusion
pintrader
Posted: Sat Aug 30, 2014 5:36 pm    Post subject: SSL cert labels confusion
Disciple, Joined: 22 Jan 2014, Posts: 164
Hi,
I have some queries on cert labels and hope you can guide me.
I have installed the MQ client on C1. I also have a qmgr QM1 already configured with a SVRCONN channel and with SSL (with CA certs). On C1, I will create a self-signed cert. In the document, it was mentioned that "when connecting from an MQ client application, the SSL or TLS client sends a certificate only if it has a certificate with the label ibmwebspheremq, followed by the username of the user running the client application process."
What does it mean by "client application process"? And who is the user? Does this user have to be created on C1? I ask because on QM1, I created a user called "user1" and did a CHLAUTH to map "user1" to this SVRCONN channel, and this user1 has permission to +connect, +dsp, +inq on QM1. And on C1, I logged in as mqm and did an amqsbcg connection to QM1. I only have the MQSERVER variable set according to what was described in the docs (CHANNEL/TCP/IP(PORT)). I managed to get connected. There was no user called "user1" on C1.
So with respect to the above, on C1, when I create the self-signed cert, what would be the "user"? "ibmwebsphereuser1"? Does it always have to start with "ibmwebsphere"? Can I name it with something custom, e.g. "myclientpublic"?
On QM1, if I add this C1 cert to the repository, I can use a custom label as well, right? It doesn't have to be "ibmwebspheremqqm1", right?
Thanks.
exerk
Posted: Sun Aug 31, 2014 12:47 am    Post subject: Re: SSL cert labels confusion
Jedi Council, Joined: 02 Nov 2006, Posts: 6339
pintrader wrote:
    ...On C1, I will create a self-signed cert...
If you're going to use self-signed certificates, hopefully only for testing purposes, you will also have to create one for the queue manager, extract the client certificate and add it to the queue manager key store, and do the same for the queue manager certificate for addition to the client key store.
pintrader wrote:
    ...What does it mean by "client application process"? And who is the user? Does this user have to be created on C1?...
The userid under which the client application process will run, e.g. if you used amqsputc to test, it would run under the userid you are logged in as. So if you want to use a particular user for a CHLAUTH rule to map to, then that userid has to be flowed down the channel; ergo, it has to exist at the source of the client invocation, or exist within a domain (whether LDAP or AD, or whatever flavour you're using).
pintrader wrote:
    ...I ask because on QM1, I created a user called "user1" and did a CHLAUTH to map "user1" to this SVRCONN channel, and this user1 has permission to +connect, +dsp, +inq on QM1. And on C1, I logged in as mqm and did an amqsbcg connection to QM1.
Effectively, your 'user1' is being used as an implicit MCAUSER on the server hosting the queue manager; you could have called the user anything you liked.
pintrader wrote:
    ...I only have the MQSERVER variable set according to what was described in the docs (CHANNEL/TCP/IP(PORT)). I managed to get connected. There was no user called "user1" on C1...
So no SSL is being used then, and if you achieved connection as mqm (which you imply above), and I suspect it was using amqsbcgc, that implies that CHLAUTH is disabled.
pintrader wrote:
    ...So with respect to the above, on C1, when I create the self-signed cert, what would be the "user"? "ibmwebsphereuser1"?...
Correct.
pintrader wrote:
    ...Does it always have to start with "ibmwebsphere"? Can I name it with something custom, e.g. "myclientpublic"?...
Read THIS.
pintrader wrote:
    ...On QM1, if I add this C1 cert to the repository, I can use a custom label as well, right? It doesn't have to be "ibmwebspheremqqm1", right?...
When you add a CA certificate, which is effectively what a self-signed certificate is, you can give it any label name you wish.
_________________
It's puzzling, I don't think I've ever seen anything quite like this before...and it's hard to soar like an eagle when you're surrounded by turkeys.
fjb_saper
Posted: Sun Aug 31, 2014 8:55 am    Post subject: Re: SSL cert labels confusion
Grand High Poobah, Joined: 18 Nov 2003, Posts: 20756, Location: LI,NY
exerk wrote:
    pintrader wrote:
        ...So with respect to the above, on C1, when I create the self-signed cert, what would be the "user"? "ibmwebsphereuser1"?...
    Correct.
Wrong, the label should be ibmwebspheremquser1.
exerk wrote:
    pintrader wrote:
        ...Does it always have to start with "ibmwebsphere"? Can I name it with something custom, e.g. "myclientpublic"?...
    Read THIS.
pintrader did not specify the version of MQ he was running on. Being able to use the label of your choosing is a new feature introduced in V8!
exerk wrote:
    pintrader wrote:
        ...On QM1, if I add this C1 cert to the repository, I can use a custom label as well, right? It doesn't have to be "ibmwebspheremqqm1", right?...
    When you add a CA certificate, which is effectively what a self-signed certificate is, you can give it any label name you wish.
Right. When adding a cert to the TRUSTSTORE you can give it any label you like. Remember that all labels in your store (personal + trust) have to be unique though.
_________________
MQ & Broker admin
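The label rules from this and the previous post, as an added example that is not part of the thread: a Python pre-flight check run over the text of `runmqakm -cert -list -db key.kdb -stashed`, which reports which personal certificate a channel will actually look for (the pre-V8 default `ibmwebspheremq` + userid or queue manager name in lowercase, or the V8 CERTLABL override), flags a store that has no such personal certificate (the exact situation behind exerk's "so no SSL is being used"), and flags duplicate labels across personal and trusted entries. The listing format (one certificate per line, prefixed by the symbol from the legend line) is an assumption about runmqakm output, the sample listings are constructed, and the `certlabl` argument stands in for whichever V8 label setting applies (queue manager or channel CERTLABL, or the client's equivalent).

```python
"""Pre-flight check of IBM MQ key-store certificate labels.

Added example, not from the thread. Input is the text printed by
`runmqakm -cert -list -db <store>.kdb -stashed`; the line format assumed
here is: legend symbol, whitespace, label (optionally double-quoted).
"""
import re

# Pre-V8 rule: 'ibmwebspheremq' + userid (client) or queue manager name,
# folded to lowercase.
DEFAULT_PREFIX = "ibmwebspheremq"

# Legend runmqakm prints before the list: "* default, - personal, ! trusted, # secret key"
_KIND = {"*": "default", "-": "personal", "!": "trusted", "#": "secret"}
_ENTRY = re.compile(r'^\s*([*\-!#])\s+"?(.*?)"?\s*$')


def default_label(name):
    """Default label the channel looks for when no CERTLABL is set."""
    return DEFAULT_PREFIX + name.lower()


def parse_cert_list(listing):
    """Return (kind, label) pairs from a runmqakm listing, skipping the legend."""
    entries = []
    for line in listing.splitlines():
        if "- personal," in line:  # the legend line, not a certificate
            continue
        m = _ENTRY.match(line)
        if m:
            entries.append((_KIND[m.group(1)], m.group(2)))
    return entries


def expected_label(name, certlabl=None, mq_version=7):
    """CERTLABL wins on V8 and later; before V8 only the default label is used."""
    if certlabl and mq_version >= 8:
        return certlabl
    return default_label(name)


def check_store(listing, name, certlabl=None, mq_version=7):
    """Return (label_the_channel_will_use, list_of_problems) for one key store."""
    entries = parse_cert_list(listing)
    labels = [label for _, label in entries]
    problems = []

    # Personal and trusted certificates share one label namespace in the store.
    dupes = sorted({l for l in labels if labels.count(l) > 1})
    if dupes:
        problems.append("duplicate labels (personal + trust share one namespace): " + ", ".join(dupes))

    if certlabl and mq_version < 8:
        problems.append("CERTLABL '%s' is ignored before V8; the default label is used" % certlabl)

    want = expected_label(name, certlabl, mq_version)
    personal = {l for kind, l in entries if kind in ("personal", "default")}
    if want not in personal:
        near = sorted(l for l in personal if l.startswith("ibmweb"))
        hint = " (found %s)" % ", ".join(near) if near else ""
        problems.append("no personal certificate labelled '%s'%s; a client sends no certificate "
                        "and a queue manager channel will not start" % (want, hint))
    return want, problems


# Constructed listings (not real runmqakm output) for the thread's scenario.
CLIENT_STORE_TYPO = (
    "Certificates found\n"
    "* default, - personal, ! trusted, # secret key\n"
    '!\t"QM1 self-signed"\n'
    "-\tibmwebsphereuser1\n"        # the label from the thread: the 'mq' is missing
)
CLIENT_STORE_V8 = (
    "Certificates found\n"
    "* default, - personal, ! trusted, # secret key\n"
    '!\t"QM1 self-signed"\n'
    "-\tmyclientpublic\n"           # custom label, only honoured with a V8 CERTLABL
)
QMGR_STORE = (
    "Certificates found\n"
    "* default, - personal, ! trusted, # secret key\n"
    "-\tibmwebspheremqqm1\n"
    "!\tuser1cert\n"                # client's self-signed cert added as a trusted entry
)

if __name__ == "__main__":
    for title, args in (("C1 client, pre-V8", (CLIENT_STORE_TYPO, "user1")),
                        ("C1 client, V8 CERTLABL", (CLIENT_STORE_V8, "user1", "myclientpublic", 8)),
                        ("QM1, pre-V8", (QMGR_STORE, "QM1"))):
        want, problems = check_store(*args)
        print(title, "->", want, problems or "OK")
```

Run it as a script to see the three cases from the thread: the client store labelled `ibmwebsphereuser1` is reported as having no usable personal certificate, the same store with `myclientpublic` is fine only when a V8 CERTLABL names it, and the QM1 store with `ibmwebspheremqqm1` passes. The trusted entry's label (`user1cert` here) is free-form, exactly as both replies say; only the personal certificate's label has to match.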
exerk
Posted: Sun Aug 31, 2014 9:08 am    Post subject: Re: SSL cert labels confusion
Jedi Council, Joined: 02 Nov 2006, Posts: 6339
fjb_saper wrote:
    exerk wrote:
        pintrader wrote:
            ...So with respect to the above, on C1, when I create the self-signed cert, what would be the "user"? "ibmwebsphereuser1"?...
        Correct.
    Wrong, the label should be ibmwebspheremquser1.
It is Sunday and I'm allowed one typo, surely? (Dammit! Two, I just spotted another one!)
fjb_saper wrote:
    exerk wrote:
        pintrader wrote:
            ...Does it always have to start with "ibmwebsphere"? Can I name it with something custom, e.g. "myclientpublic"?...
        Read THIS.
    pintrader did not specify the version of MQ he was running on. Being able to use the label of your choosing is a new feature introduced in V8!
I have yet to 'play around' with this aspect for CLNTCONN/SVRCONN channels at that version, but will find the time to do so. Is there a use-case for a client userid to use different certificates?
fjb_saper
Posted: Sun Aug 31, 2014 9:45 am
Grand High Poobah, Joined: 18 Nov 2003, Posts: 20756, Location: LI,NY
Well, the main reason for the use case is to allow you to switch out obsolete certs without changing the store.
So for the server there is a new parameter that allows you to specify the label to be used by the MQ server.
In the same way there is a use case to allow a channel to present a particular server cert (different from the default qmgr's cert). This is to allow for different certs for the qmgr (mainly internal, with an internal CA; and external, with a public CA).
However, I believe this channel use case so far supports only non-Java/JMS clients (8.0.0.0).
Of interest is also the JMS 2.0 standard being now supported... and of course all the new stuff around authentication!
Have fun with V8.
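The V8 arrangement described above, as an added MQSC example that is not from the post: the queue manager's own CERTLABL names the internal-CA certificate and one SVRCONN overrides it with the public-CA certificate. The queue manager name QM1 is from the thread; the channel name EXT.SVRCONN, the labels qm1internal and qm1external, and the CipherSpec are assumptions, and both labels are assumed to already exist as personal certificates in QM1's key store.

```mqsc
* Added example, not from the thread. Assumes QM1's key store already holds
* two personal certificates labelled qm1internal (internal CA) and
* qm1external (public CA); the labels and channel name are assumptions.

* Default certificate QM1 presents on every TLS channel (V8 queue manager attribute;
* left blank it falls back to ibmwebspheremqqm1)
ALTER QMGR CERTLABL('qm1internal')

* This SVRCONN presents the public-CA certificate instead. The queue manager
* selects a per-channel certificate from the SNI the client sends, which needs a
* TLS 1.2 CipherSpec; clients that send no SNI (the 8.0.0.0 Java/JMS case the
* post mentions) get the queue manager default certificate.
DEFINE CHANNEL(EXT.SVRCONN) CHLTYPE(SVRCONN) TRPTYPE(TCP) +
       SSLCIPH(TLS_RSA_WITH_AES_128_CBC_SHA256) +
       SSLCAUTH(REQUIRED) CERTLABL('qm1external') REPLACE

* Re-read the key store so the new labels take effect without restarting QM1
REFRESH SECURITY TYPE(SSL)

* Check: every label shown here must match a personal certificate in SSLKEYR
DISPLAY QMGR CERTLABL SSLKEYR
DISPLAY CHANNEL(EXT.SVRCONN) CERTLABL SSLCIPH SSLCAUTH
```

Rotating the external certificate then means adding the replacement under a new label, pointing CERTLABL at it and refreshing, with the old certificate left in the store until every channel has switched, which is the "switch out obsolete certs without changing the store" use case above.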