Author |
Message
|
md7 |
Posted: Tue May 24, 2016 7:05 pm Post subject: Multiple SSL certificates on queue manager |
|
|
 Apprentice
Joined: 29 Feb 2012 Posts: 49 Location: Sydney.AU
|
Hi All
I am moving from TLS 1.0 to TLS 1.2. However, there is an external queue manager that connects that does not support 1.2 and requires an MQ upgrade. Is it possible to have different SSL certificates for different channels on the same queue manager?
I am using MQ 7.5 on Windows |
|
|
 |
fjb_saper |
Posted: Tue May 24, 2016 7:49 pm Post subject: Re: Multiple SSL certificates on queue manager |
|
|
 Grand High Poobah
Joined: 18 Nov 2003 Posts: 20756 Location: LI,NY
|
md7 wrote: |
Hi All
I am moving from TLS 1.0 to TLS 1.2. However, there is an external queue manager that connects that does not support 1.2 and requires an MQ upgrade. Is it possible to have different SSL certificates for different channels on the same queue manager?
I am using MQ 7.5 on Windows |
You need MQ8 for that... _________________ MQ & Broker admin |
|
|
 |
md7 |
Posted: Tue May 24, 2016 11:16 pm Post subject: Re: Multiple SSL certificates on queue manager |
|
|
 Apprentice
Joined: 29 Feb 2012 Posts: 49 Location: Sydney.AU
|
fjb_saper wrote: |
md7 wrote: |
Hi All
I am moving from TLS 1.0 to TLS 1.2. However, there is an external queue manager that connects that does not support 1.2 and requires an MQ upgrade. Is it possible to have different SSL certificates for different channels on the same queue manager?
I am using MQ 7.5 on Windows |
You need MQ8 for that... |
Grr.. thanks for that |
|
|
 |
fjb_saper |
Posted: Wed May 25, 2016 1:20 am Post subject: |
|
|
 Grand High Poobah
Joined: 18 Nov 2003 Posts: 20756 Location: LI,NY
|
But it is possible at your level to have a different cipherspec/ciphersuite per channel, using the same certificate.
Have fun  _________________ MQ & Broker admin |
|
|
 |
md7 |
Posted: Wed May 25, 2016 3:23 pm Post subject: |
|
|
 Apprentice
Joined: 29 Feb 2012 Posts: 49 Location: Sydney.AU
|
fjb_saper wrote: |
But it is possible at your level to have a different cipherspec/ciphersuite per channel, using the same certificate.
Have fun  |
Thought the certificate had to match the cipher spec used on the channel |
|
|
 |
fjb_saper |
Posted: Thu May 26, 2016 2:09 am Post subject: |
|
|
 Grand High Poobah
Joined: 18 Nov 2003 Posts: 20756 Location: LI,NY
|
md7 wrote: |
fjb_saper wrote: |
But it is possible at your level to have a different cipherspec/ciphersuite per channel, using the same certificate.
Have fun  |
Thought the certificate had to match the cipher spec used on the channel |
Indeed the cert has to enable the cipher spec you choose. However a single cert does allow for more than 1 cipher spec.
 _________________ MQ & Broker admin |
|
|
 |
tczielke |
Posted: Thu May 26, 2016 11:34 am Post subject: |
|
|
Guardian
Joined: 08 Jul 2010 Posts: 941 Location: Illinois, USA
|
I see many people on these forums with the misconception that an SSLCIPH that has SHA2 in the name implies that the queue manager certificate has to be SHA2 signed, or vice versa. They are completely separate things. Perhaps the OP was confused on that point. _________________ Working with MQ since 2010. |
|
|
 |
zpat |
Posted: Thu May 26, 2016 12:49 pm Post subject: |
|
|
 Jedi Council
Joined: 19 May 2001 Posts: 5866 Location: UK
|
I don't see the connection between the certificate and the cipherspec.
Surely these are not inter-dependent? _________________ Well, I don't think there is any question about it. It can only be attributable to human error. This sort of thing has cropped up before, and it has always been due to human error. |
|
|
 |
tczielke |
Posted: Thu May 26, 2016 2:08 pm Post subject: |
|
|
Guardian
Joined: 08 Jul 2010 Posts: 941 Location: Illinois, USA
|
zpat wrote: |
I don't see the connection between the certificate and the cipherspec.
Surely these are not inter-dependent? |
For the elliptical cryptography, the SSLCIPH and certificate can be dependent on each other. There may be other cases I am not aware of, too. But for SHA2, if your SSLCIPH has SHA2 in it, it means that the encrypted data packets that the MQ channel will be sending will be digitally signed using SHA2. If your qmgr certificate was signed with SHA2, it means the CA digitally signed your cert with SHA2. In this case, the two are not related. _________________ Working with MQ since 2010. |
|
|
 |
fjb_saper |
Posted: Thu May 26, 2016 2:54 pm Post subject: |
|
|
 Grand High Poobah
Joined: 18 Nov 2003 Posts: 20756 Location: LI,NY
|
zpat wrote: |
I don't see the connection between the certificate and the cipherspec.
Surely these are not inter-dependent? |
Yes and no. Nowadays certificates have to satisfy certain conditions to allow certain cipherspecs. For instance it is no longer possible to obtain a FIPS compliant cipherspec if the cert key size is below 2048 (RSA/SHA).
The key type (ECC, RSA, DSA, ...) can determine if some cipherspecs are made available or not...
So is there a connection? Yes but it is not always an evident one...  _________________ MQ & Broker admin |
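The certificate/CipherSpec relationship discussed in the posts above, as an added example that is not part of the original thread: the key type of the certificate decides which SSLCIPH values a channel can use, while the hash the CA signed the certificate with plays no part. The channel names and certificate dicts are constructed sample data, only three CipherSpec prefixes are handled, and the FIPS key-size rule is the one stated in the thread.

```python
# Added example: how an SSLCIPH name relates to the queue manager certificate.
# Channel names and the certificate dicts are constructed sample data.

def parse_cipherspec(name):
    """Return (certificate key type required, message hash) for an SSLCIPH name."""
    if name.startswith("ECDHE_ECDSA_"):
        key_type = "EC"        # server authenticates with an ECDSA key
    elif name.startswith(("ECDHE_RSA_", "TLS_RSA_WITH_")):
        key_type = "RSA"       # server authenticates with an RSA key
    else:
        raise ValueError("unrecognised CipherSpec prefix: " + name)
    return key_type, name.rsplit("_", 1)[1]   # trailing SHA / SHA256 / SHA384


def check(cert, cipherspec, fips=False):
    """Return (usable, reason) for one certificate and one CipherSpec."""
    key_type, _msg_hash = parse_cipherspec(cipherspec)
    if cert["key_type"] != key_type:
        return False, "needs %s key, cert has %s" % (key_type, cert["key_type"])
    # Key-size rule as stated in the thread for FIPS-compliant operation.
    if fips and cert["key_type"] == "RSA" and cert["key_bits"] < 2048:
        return False, "RSA key below 2048 bits under FIPS"
    # cert["sig_hash"] (the hash the CA signed with) is never consulted here:
    # it is independent of the hash named in the CipherSpec.
    return True, "ok"


def plan(cert, channels, fips=False):
    """Map each channel to the check result for its configured CipherSpec."""
    return {ch: check(cert, spec, fips) for ch, spec in channels.items()}


# Constructed sample: one RSA certificate, three channels.
RSA_CERT = {"key_type": "RSA", "key_bits": 2048, "sig_hash": "SHA1"}
CHANNELS = {
    "EXT.PARTNER": "TLS_RSA_WITH_AES_128_CBC_SHA",       # TLS 1.0 CipherSpec
    "INTERNAL.APP": "TLS_RSA_WITH_AES_128_CBC_SHA256",   # TLS 1.2 CipherSpec
    "INTERNAL.EC": "ECDHE_ECDSA_AES_128_CBC_SHA256",     # needs an EC key
}

if __name__ == "__main__":
    for channel, result in plan(RSA_CERT, CHANNELS).items():
        print(channel, CHANNELS[channel], result)
```

The same RSA certificate passes for both the TLS 1.0 and the TLS 1.2 channel; only the ECDSA CipherSpec is rejected, because it needs a different key type.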
|
|
 |
hughson |
Posted: Sun May 29, 2016 7:25 pm Post subject: |
|
|
 Padawan
Joined: 09 May 2013 Posts: 1959 Location: Bay of Plenty, New Zealand
|
|
|
 |
|