Author |
Message
|
fjb_saper |
Posted: Mon Jun 01, 2015 8:09 am Post subject: |
|
|
 Grand High Poobah
Joined: 18 Nov 2003 Posts: 20756 Location: LI,NY
|
You may want to create a self signed cert for your keystore. Make sure to export the corresponding public cert to your truststore... and provide it to your customer.... (DEV/QA)
For production you usually put in a cert request and get a signed cert from your favorite certification authority.
 _________________ MQ & Broker admin |
|
 |
orman |
Posted: Mon Jun 01, 2015 8:01 pm Post subject: |
|
|
Apprentice
Joined: 08 Aug 2013 Posts: 40
|
Well,
I lately used SSL in SOAP nodes and yesterday it worked with client and server authentication.
Some things that you should do well:
1. Create a JKS with the relevant CA and
2. Configure the listener in IIB (is it wide or embedded? The default for HTTP is wide...)
2.1 the key-store
2.2 the trust-store
2.2 the pass name ("nickname")
2.3 set the "nickname" value - mqsisetdbparms
2.4 about clientAuth - I think you want to use no client authentication, so maybe try to make it false
2.5 if it is not false I think you've got to fill the keyAlias value as your "friendlykey" name or label of your cert
3. After all this you should reload your broker
4. Be sure that the client has your cert CA - and if it is self-signed - the cert itself |
|
 |
grasher134 |
Posted: Mon Jun 01, 2015 8:34 pm Post subject: |
|
|
Acolyte
Joined: 22 Oct 2014 Posts: 62
|
Thank you for your help! But my case is a bit different. But I'll try to do all of these, cos I'm out of variants.
Quote: |
and provide it to your customer.... (DEV/QA)
|
Hmm.. My problem is - I'm the customer) I make requests to this https address and I doubt they will accept some kind of self-signed certificate.
Quote: |
4. Be sure that the client has your cert CA - and if it is self-signed - the cert itself |
And again, I'm not creating some web service, protected by SSL. I need to connect to some https://login.live.com (for example, I provided real address above) and make some POST request. Do I need to create a self-signed certificate for this purpose? Or get some CA cert? |
|
 |
fjb_saper |
Posted: Tue Jun 02, 2015 2:12 am Post subject: |
|
|
 Grand High Poobah
Joined: 18 Nov 2003 Posts: 20756 Location: LI,NY
|
Think about the fact that your browser most likely has a cert. I believe that one would be self signed... but what do I know about browsers?
In case of a self signed, the public cert will be flowed on the connection.
 _________________ MQ & Broker admin |
|
 |
joebuckeye |
Posted: Tue Jun 02, 2015 4:44 am Post subject: |
|
|
 Partisan
Joined: 24 Aug 2007 Posts: 365 Location: Columbus, OH
|
grasher134 wrote: |
And again, I'm not creating some web service, protected by SSL. I need to connect to some https://login.live.com (for example, I provided real address above) and make some POST request. Do I need to create a self-signed certificate for this purpose? Or get some CA cert? |
You do not need a self-signed cert if all you are doing is making a call to an HTTPS endpoint.
You need to get the Root cert of the endpoint you are trying to connect to.
Typically you can get this if you put the URL you are trying to call into a browser and then click to the left of the URL in your browser to show you the certificate chain. The chain should show you the host cert and the chain of certs leading back to a Root CA. You can then get the Root CA cert and put that cert into your trust store. |
|
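Added example (not part of any post in this thread): the point made in the post above, that an HTTPS client only needs the endpoint's root CA in its trust store, checked offline with `openssl verify`. The CA, host name and certificates are constructed for the demo; the commented `keytool` call uses a placeholder alias, file names and password.

```shell
#!/bin/sh
# Constructed demo PKI: nothing here contacts a real endpoint.
PKI=$(mktemp -d)

# new_self_signed <name> <CN>: key + self-signed cert (acts as a root CA)
new_self_signed() {
  openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=$2" \
    -keyout "$PKI/$1.key" -out "$PKI/$1.pem" 2>/dev/null
}

# issue_host_cert <ca-name> <name> <CN>: host cert signed by an existing CA
issue_host_cert() {
  openssl req -newkey rsa:2048 -nodes -subj "/CN=$3" \
    -keyout "$PKI/$2.key" -out "$PKI/$2.csr" 2>/dev/null
  openssl x509 -req -in "$PKI/$2.csr" -days 1 -CA "$PKI/$1.pem" \
    -CAkey "$PKI/$1.key" -CAcreateserial -out "$PKI/$2.pem" 2>/dev/null
}

# trusts <truststore-name> <cert-name>: exit 0 only if the chain validates
trusts() {
  openssl verify -CAfile "$PKI/$1.pem" "$PKI/$2.pem" >/dev/null 2>&1
}

new_self_signed endpoint_root "Constructed Endpoint Root CA"  # the server side's CA
issue_host_cert endpoint_root host "endpoint.example"         # what the server presents
new_self_signed my_own "My own self-signed cert"              # what the client might create

if trusts endpoint_root host; then echo "root CA in truststore: chain OK"; fi
if ! trusts my_own host; then echo "own self-signed cert only: chain rejected"; fi

# With the real root saved from the browser as root.pem (placeholder name),
# load it into the JKS truststore the broker uses:
#   keytool -importcert -trustcacerts -alias endpoint-root \
#     -file root.pem -keystore truststore.jks -storepass <password> -noprompt
```

A self-signed certificate created on the client side plays no part in validating the server's chain, which is why the second check is rejected.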
 |
mqjeff |
Posted: Tue Jun 02, 2015 4:44 am Post subject: |
|
|
Grand Master
Joined: 25 Jun 2008 Posts: 17447
|
You need to take the appropriate steps to ensure that your client application making the POST has a useful way of adding the necessary information to its trust store.
In the case of a browser, the browser itself will come with a truststore filled with a large number of CA public keys. |
|
 |
orman |
Posted: Tue Jun 02, 2015 1:59 pm Post subject: |
|
|
Apprentice
Joined: 08 Aug 2013 Posts: 40
|
grasher134 wrote: |
Thank you for your help! But my case is a bit different. But I'll try to do all of these, cos I'm out of variants.
Quote: |
and provide it to your customer.... (DEV/QA)
|
Hmm.. My problem is - I'm the customer) I make requests to this https address and I doubt they will accept some kind of self-signed certificate.
Quote: |
4. Be sure that the client has your cert CA - and if it is self-signed - the cert itself |
And again, I'm not creating some web service, protected by SSL. I need to connect to some https://login.live.com (for example, I provided real address above) and make some POST request. Do I need to create a self-signed certificate for this purpose? Or get some CA cert? |
Have you tried using SoapUI HTTP requests?
There you can configure a cert in a keystore and check the WMB SSL configuration.
Start with it and then move to other tools and browsers... |
|
 |
|