enup12 |
Posted: Thu Feb 18, 2016 4:31 am Post subject: WS-Security Implementation |
|
|
Newbie
Joined: 18 Feb 2016 Posts: 5
|
Hi All,
Can you please suggest if WS-Security (policy sets) can be configured for multiple clients in the same flow (Broker V7)?
Will appreciate your response.
Thanks, |
fjb_saper |
Posted: Thu Feb 18, 2016 5:11 am Post subject: |
|
|
 Grand High Poobah
Joined: 18 Nov 2003 Posts: 20756 Location: LI,NY
|
What have you tried so far?
_________________ MQ & Broker admin |
enup12 |
Posted: Thu Feb 18, 2016 6:42 am Post subject: |
|
|
Newbie
Joined: 18 Feb 2016 Posts: 5
|
I have created a Policy Set, Policy Binding and security profile for one client using X.509.
Now I have got another client which needs to be onboarded on the same flow. I am planning to use the same CA for generating the certificate for the second client. But I am unsure how the policy set will be configured for the second client in the same flow. |
mqjeff |
Posted: Thu Feb 18, 2016 6:47 am Post subject: |
|
|
Grand Master
Joined: 25 Jun 2008 Posts: 17447
|
Have you confirmed that the policy set does have to be configured differently for the second client?
Have you explained to management exactly how unsupported Broker v7 is?
Have you reviewed your options to change what policy set is going to be used by setting properties in the message tree?
_________________ chmod -R ugo-wx / |
enup12 |
Posted: Thu Feb 18, 2016 6:56 am Post subject: |
|
|
Newbie
Joined: 18 Feb 2016 Posts: 5
|
I can propose the same policy set configuration which is currently being used. But I am wondering if the same configuration will work for the second client, as the certificate (public keys) and security profile will be different.
Please suggest some pointer. |
Vitor |
Posted: Thu Feb 18, 2016 8:32 am Post subject: |
|
|
 Grand High Poobah
Joined: 11 Nov 2005 Posts: 26093 Location: Texas, USA
|
enup12 wrote: |
Please suggest some pointer. |
Well firstly:
mqjeff wrote: |
Have you explained to management exactly how unsupported Broker v7 is? |
Secondly:
mqjeff wrote: |
Have you reviewed your options to change what policy set is going to be used by setting properties in the message tree? |
_________________ Honesty is the best policy.
Insanity is the best defence. |
enup12 |
Posted: Fri Mar 11, 2016 5:51 am Post subject: |
|
|
Newbie
Joined: 18 Feb 2016 Posts: 5
|
Hi Vitor/mqjeff
Please see the below details.
Have you explained to management exactly how unsupported Broker v7 is?
-- They are moving to a higher version soon. However, they want the WS-Security implementation in the next 2-3 weeks to support the client demand.
Secondly:
mqjeff wrote:
Have you reviewed your options to change what policy set is going to be used by setting properties in the message tree?
---I have to perform digital signature verification. For that, I have created the policy set and binding, and digital signature verification is working correctly for a single client. But when I add details (KeyInformation - PrivateKey and Public Key etc.) for the second client, it is not working, so I wanted to know if it is possible to configure more than one client's details in the same policy set and binding. |
fjb_saper |
Posted: Fri Mar 11, 2016 9:26 am Post subject: |
|
|
 Grand High Poobah
Joined: 18 Nov 2003 Posts: 20756 Location: LI,NY
|
enup12 wrote: |
Hi Vitor/mqjeff
Please see the below details.
Have you explained to management exactly how unsupported Broker v7 is?
-- They are moving to a higher version soon. However, they want the WS-Security implementation in the next 2-3 weeks to support the client demand.
Secondly:
mqjeff wrote:
Have you reviewed your options to change what policy set is going to be used by setting properties in the message tree?
---I have to perform digital signature verification. For that, I have created the policy set and binding, and digital signature verification is working correctly for a single client. But when I add details (KeyInformation - PrivateKey and Public Key etc.) for the second client, it is not working, so I wanted to know if it is possible to configure more than one client's details in the same policy set and binding. |
It should be. You'd just have to specify that the client cert is to be found in the certstore. Of course this means that all the clients that do sign the message need to have their key in the certstore.
If you need to compare the content of the message against some of the X509 values, i.e. make sure Paul did not send a message for Mary and sign it... you will need to use a security node...
 _________________ MQ & Broker admin |
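
Added example (not part of the thread and not Broker code): a trust store shared by several clients only proves that some trusted client signed, so the signer still has to be bound to the sender named in the message. The sketch below assumes the subject DN of the certificate that verified the signature has already been extracted; `SENDER_BINDINGS`, the DNs and the sender IDs are constructed for illustration.

```python
import re

# Constructed sample data: which verified signer certificate may speak for
# which sender ID carried in the message body. Illustrative values only.
SENDER_BINDINGS = {
    "cn=paul,o=client a,c=us": {"paul"},
    "cn=mary,o=client b,c=us": {"mary"},
}


def normalize_dn(dn):
    """Canonicalise an RFC 4514-style DN string for comparison.

    Splits on unescaped commas, trims each RDN, lower-cases it and collapses
    runs of whitespace. Simplified: multi-valued RDNs ('+') and hex-encoded
    values are not handled.
    """
    rdns = []
    for part in re.split(r"(?<!\\),", dn):
        if "=" not in part:
            raise ValueError("malformed RDN: %r" % part)
        attr, value = part.split("=", 1)
        value = re.sub(r"\s+", " ", value.strip())
        rdns.append("%s=%s" % (attr.strip().lower(), value.lower()))
    return ",".join(rdns)


def sender_allowed(signer_dn, claimed_sender, bindings=SENDER_BINDINGS):
    """Return True only if the certificate that verified the signature is
    bound to the sender named inside the message.

    Unknown or malformed signer DNs are rejected (fail closed).
    """
    try:
        allowed = bindings.get(normalize_dn(signer_dn), set())
    except ValueError:
        return False
    return claimed_sender.strip().lower() in allowed


if __name__ == "__main__":
    # Paul's certificate verified the signature, but the body names Mary.
    print(sender_allowed("CN=Paul, O=Client A, C=US", "mary"))  # rejected
    print(sender_allowed("CN=Paul, O=Client A, C=US", "paul"))  # accepted
```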
enup12 |
Posted: Fri Mar 11, 2016 7:57 pm Post subject: |
|
|
Newbie
Joined: 18 Feb 2016 Posts: 5
|
Thanks. I have added all client certificates in the TrustStore and the broker's private key in the Keystore. When I add multiple clients' details in the PolicySet and PolicySetBindings, I get a runtime exception like the one below.
CWSS5270E- Required message part in not signed.
However, when I try to run by creating a separate PolicySet for each client, it is working fine. |