vasilev
Posted: Wed Nov 26, 2014 1:08 am    Post subject: wildcard certificate for Qmanager in v8
Acolyte
Joined: 31 Oct 2014    Posts: 71    Location: Germany

Hello guys, how are you :)
I have one problem with many servers - more than 400 - and every 2 years we have to renew the certificates for the qmanagers.
I was thinking about what to do, and searching whether in v8 we can use a wildcard for the label:
example: ibmwebspheremq*
There is a new configuration - CERTLABL() - in v8.
So I created one keystore with this label; the CN name is again with a wildcard.
The question is: is this good and is it supported officially? Because I didn't find any information about wildcards for Qmanager, only for SSLPEER, which is different.
Thanks

fjb_saper
Posted: Wed Nov 26, 2014 6:22 am    Post subject:
Grand High Poobah
Joined: 18 Nov 2003    Posts: 20756    Location: LI,NY

Seems to me like you are missing the point.
V8 allows you to use a certificate for the queue manager that is not labelled ibmwebspheremq<qmgr>... That is the whole point of the certlabel field. It is not about having a different keystore...
This way you can prepare and switch at the relevant date by just changing the value of the certlabl and issuing a refresh security type(ssl).
The CN name should identify your qmgr. Remember each qmgr needs its own cert and the DN for each qmgr needs to be unique (at least during the cert validity period).
Have fun
_________________
MQ & Broker admin
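The renewal flow fjb_saper describes (one cert with a unique DN per queue manager, a new CERTLABL in the existing key database, then ALTER QMGR CERTLABL plus REFRESH SECURITY TYPE(SSL)), combined with the later advice in this thread to stage the renewals and to script the certificate requests, can be turned into a small fleet planner. The script below is an added example written for this thread; it is not code from the forum, from IBM or from any poster. The DN suffix, the per-queue-manager key database path, the label naming scheme, the batch size and the sample queue manager names are all constructed assumptions. It only generates the runmqakm and MQSC command lines and refuses to produce a plan when two queue managers would end up presenting the same DN, the failure mode fjb_saper warns about; nothing here connects to a queue manager or a CA.

```python
#!/usr/bin/env python3
"""Staged per-queue-manager certificate renewal planner for IBM MQ v8.

Added example for this thread; not code from the forum or from IBM.
Assumptions (not in the thread): DN_SUFFIX, KDB_PATH, the label scheme,
the batch size and the sample fleet are invented here. The emitted
runmqakm / MQSC lines are the v8 commands the thread discusses
(CERTLABL, REFRESH SECURITY TYPE(SSL)); this script only plans and
checks, it never touches a queue manager.
"""
from collections import defaultdict

DN_SUFFIX = "OU=MQ,O=Example Corp,C=DE"            # constructed; use your own
KDB_PATH = "/var/mqm/qmgrs/{qmgr}/ssl/key.kdb"    # assumed per-QM keystore


def cert_label(qmgr: str, year: int) -> str:
    """v8 CERTLABL may be any label, so encode the QM and renewal year.
    Old and new certs then coexist in one key database for rollback."""
    return f"{qmgr}_{year}"


def cert_dn(cn: str) -> str:
    return f"CN={cn},{DN_SUFFIX}"


def dn_collisions(inventory: dict) -> dict:
    """Map every DN shared by more than one queue manager to those QMs.

    inventory maps queue manager name -> the CN intended for its cert.
    Two QMs presenting the same DN cannot talk to each other over an SSL
    channel, so plan() refuses to proceed while this is non-empty.
    """
    by_dn = defaultdict(list)
    for qmgr, cn in inventory.items():
        by_dn[cert_dn(cn)].append(qmgr)
    return {dn: sorted(qs) for dn, qs in by_dn.items() if len(qs) > 1}


def csr_commands(qmgr: str, cn: str, year: int) -> list:
    """runmqakm steps: create a CSR for one QM, then (after the CA has
    signed it) receive the cert into the same key database under the
    new label. The CA signing step happens in between."""
    label = cert_label(qmgr, year)
    kdb = KDB_PATH.format(qmgr=qmgr)
    return [
        f'runmqakm -certreq -create -db {kdb} -stashed -label {label} '
        f'-dn "{cert_dn(cn)}" -size 2048 -file {label}.csr',
        f'runmqakm -cert -receive -db {kdb} -stashed -file {label}.arm',
    ]


def switch_mqsc(qmgr: str, year: int) -> list:
    """MQSC to move the QM onto the new cert without changing SSLKEYR."""
    return [
        f"ALTER QMGR CERTLABL('{cert_label(qmgr, year)}')",
        "REFRESH SECURITY TYPE(SSL)",
    ]


def stage(qmgrs, batch_size: int) -> list:
    """Split the fleet into ordered batches so not everything changes at once."""
    ordered = sorted(qmgrs)
    return [ordered[i:i + batch_size] for i in range(0, len(ordered), batch_size)]


def plan(inventory: dict, year: int, batch_size: int = 50) -> list:
    """Return [(batch_no, {qmgr: {"prepare": [...], "switch": [...]}}), ...]
    or raise ValueError if any two QMs would share a DN."""
    dups = dn_collisions(inventory)
    if dups:
        raise ValueError(f"DN shared by several queue managers: {dups}")
    batches = []
    for n, batch in enumerate(stage(inventory, batch_size), start=1):
        batches.append((n, {
            q: {"prepare": csr_commands(q, inventory[q], year),
                "switch": switch_mqsc(q, year)}
            for q in batch
        }))
    return batches


if __name__ == "__main__":
    # Constructed fleet: two QMs wrongly share one "wildcard" CN.
    bad = {"MQ.PROD.01": "MQ.PROD.01", "MQ.PROD.02": "MQ.PROD.*.LAN",
           "MQ.PROD.03": "MQ.PROD.*.LAN"}
    print("collisions:", dn_collisions(bad))
    good = {f"MQ.PROD.{i:02d}": f"MQ.PROD.{i:02d}" for i in range(1, 6)}
    for n, batch in plan(good, 2015, batch_size=2):
        print(f"--- batch {n}")
        for q, cmds in batch.items():
            print(q)
            for line in cmds["prepare"] + cmds["switch"]:
                print("   ", line)
```

Because the new certificate goes into the existing key database under a fresh label, the switch per queue manager is only the ALTER QMGR CERTLABL and REFRESH SECURITY TYPE(SSL) pair, and the previous label stays available for rollback until the batch has been verified.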

vasilev
Posted: Wed Nov 26, 2014 6:29 am    Post subject:
Acolyte
Joined: 31 Oct 2014    Posts: 71    Location: Germany

I understood this.
But the main point is: why can't I use a wildcard in the keystore for this label?
Why does a Qmanager need its own CN?
Why not MQ.PROD.*.LAN or something?
For the label - yes - ibmwebspheremqall or allqm or whatever.
But I am talking about the cert - this label is pointing to a cert.
I am asking because we have 400 Qmanagers and you can imagine what is happening when it is time to renew them...

exerk
Posted: Wed Nov 26, 2014 6:44 am    Post subject:
Jedi Council
Joined: 02 Nov 2006    Posts: 6339

vasilev wrote:
  ...I am asking because we have 400 Qmanagers and you can imagine what is happening when it is time to renew them...

So stage the renewals, they don't all have to be done at the same time, or switch to using an internal CA for all non-outward-facing queue managers, i.e. those that are purely internal - simples.
_________________
It's puzzling, I don't think I've ever seen anything quite like this before...and it's hard to soar like an eagle when you're surrounded by turkeys.

vasilev
Posted: Wed Nov 26, 2014 6:48 am    Post subject:
Acolyte
Joined: 31 Oct 2014    Posts: 71    Location: Germany

All qmanagers are internal.
But... the procedure for renewal is hard.
I have one script that can create as many certs as you want in seconds, but I cannot use it here...
That is why I am searching for alternatives.

bruce2359
Posted: Wed Nov 26, 2014 6:53 am    Post subject:
Poobah
Joined: 05 Jan 2008    Posts: 9469    Location: US: west coast, almost. Otherwise, enroute.

Why can't you use the script there?
_________________
I like deadlines. I like to wave as they pass by.
ב''ה
Lex Orandi, Lex Credendi, Lex Vivendi. As we Worship, So we Believe, So we Live.

vasilev
Posted: Wed Nov 26, 2014 6:57 am    Post subject:
Acolyte
Joined: 31 Oct 2014    Posts: 71    Location: Germany

... because the whole procedure is different for the creation of certs,
and we should use the procedure. But it is not... optimized for more than one certificate.

fjb_saper
Posted: Wed Nov 26, 2014 8:27 am    Post subject:
Grand High Poobah
Joined: 18 Nov 2003    Posts: 20756    Location: LI,NY

vasilev wrote:
  ... because the whole procedure is different for the creation of certs,
  and we should use the procedure. But it is not... optimized for more than one certificate.

So use some tool to script it.
Once the security team gets the request for the 400 certs they have to sign, they'll change their tune fast to help accommodate you... Or they'll tell you they need 400 days...
_________________
MQ & Broker admin

vasilev
Posted: Wed Nov 26, 2014 11:41 pm    Post subject:
Acolyte
Joined: 31 Oct 2014    Posts: 71    Location: Germany

I opened a PMR... and I understood that I can use this method, so I will use it.
Thanks.

exerk
Posted: Thu Nov 27, 2014 2:05 am    Post subject:
Jedi Council
Joined: 02 Nov 2006    Posts: 6339

vasilev wrote:
  I opened a PMR... and I understood that I can use this method, so I will use it.
  Thanks.

<SARCASM>And at the same time why not name all your key stores key.kdb, saves on changing the SSLKEYR attribute too. And of course all channel SSLPEER values will be the same, so that saves you a load more work...</SARCASM>
_________________
It's puzzling, I don't think I've ever seen anything quite like this before...and it's hard to soar like an eagle when you're surrounded by turkeys.
Last edited by exerk on Thu Nov 27, 2014 5:16 am; edited 1 time in total

PeterPotkay
Posted: Thu Nov 27, 2014 5:02 am    Post subject:
Poobah
Joined: 15 May 2001    Posts: 7722

exerk,
Perhaps you meant to use sarcasm tags instead of irony?
I suspect vasilev wants his SSL cert to allow him to know he is connecting to one of his legitimate queue managers, but doesn't necessarily care which one, from an SSL perspective, so why not give them all the same cert and label. It's debatable whether that is a good idea or not. It really depends on the security requirements. Consider three QMs that are all identically configured. For client traffic, they sit behind an IP load balancer. For MQ message traffic, they are all in an MQ cluster. Other than the QM name, all 3 are EXACTLY the same. It could be argued: why not give them the EXACT same SSL details too?
_________________
Peter Potkay
Keep Calm and MQ On

fjb_saper
Posted: Thu Nov 27, 2014 5:09 am    Post subject:
Grand High Poobah
Joined: 18 Nov 2003    Posts: 20756    Location: LI,NY

PeterPotkay wrote:
  Consider three QMs that are all identically configured. For client traffic, they sit behind an IP load balancer. For MQ message traffic, they are all in an MQ cluster. Other than the QM name, all 3 are EXACTLY the same. It could be argued: why not give them the EXACT same SSL details too?

Because that would prevent them from ever communicating with SSL between themselves unless you set a different SSL cert onto the channel.
Remember the DN has to be unique for SSL to work...
_________________
MQ & Broker admin

exerk
Posted: Thu Nov 27, 2014 5:17 am    Post subject:
Jedi Council
Joined: 02 Nov 2006    Posts: 6339

PeterPotkay wrote:
  exerk,
  Perhaps you meant to use sarcasm tags instead of irony?

Duly noted, and changed.
It was a long night in the bar last night...
_________________
It's puzzling, I don't think I've ever seen anything quite like this before...and it's hard to soar like an eagle when you're surrounded by turkeys.