Multiple SSL certificates on queue manager
md7
Posted: Tue May 24, 2016 7:05 pm    Post subject: Multiple SSL certificates on queue manager

Apprentice

Joined: 29 Feb 2012
Posts: 49
Location: Sydney.AU

Hi All

I am moving from TLS 1.0 to TLS 1.2. However there is an external queue manager that connects that does not support 1.2 and requires an MQ upgrade. Is it possible to have different SSL certificates for different channels on the same queue manager?

I am using MQ 7.5 on Windows
fjb_saper
Posted: Tue May 24, 2016 7:49 pm    Post subject: Re: Multiple SSL certificates on queue manager

Grand High Poobah

Joined: 18 Nov 2003
Posts: 20696
Location: LI,NY

md7 wrote:
Hi All

I am moving from TLS 1.0 to TLS 1.2. However there is an external queue manager that connects that does not support 1.2 and requires an MQ upgrade. Is it possible to have different SSL certificates for different channels on the same queue manager?

I am using MQ 7.5 on Windows

You need MQ8 for that...
_________________
MQ & Broker admin
md7
Posted: Tue May 24, 2016 11:16 pm    Post subject: Re: Multiple SSL certificates on queue manager

Apprentice

Joined: 29 Feb 2012
Posts: 49
Location: Sydney.AU

fjb_saper wrote:
md7 wrote:
Hi All

I am moving from TLS 1.0 to TLS 1.2. However there is an external queue manager that connects that does not support 1.2 and requires an MQ upgrade. Is it possible to have different SSL certificates for different channels on the same queue manager?

I am using MQ 7.5 on Windows

You need MQ8 for that...


Grr.. thanks for that
fjb_saper
Posted: Wed May 25, 2016 1:20 am

Grand High Poobah

Joined: 18 Nov 2003
Posts: 20696
Location: LI,NY

But it is possible at your level to have a different cipherspec/ciphersuite per channel, using the same certificate.

Have fun
_________________
MQ & Broker admin
md7
Posted: Wed May 25, 2016 3:23 pm

Apprentice

Joined: 29 Feb 2012
Posts: 49
Location: Sydney.AU

fjb_saper wrote:
But it is possible at your level to have a different cipherspec/ciphersuite per channel, using the same certificate.

Have fun


Thought the certificate had to match the cipher spec used on the channel
fjb_saper
Posted: Thu May 26, 2016 2:09 am

Grand High Poobah

Joined: 18 Nov 2003
Posts: 20696
Location: LI,NY

md7 wrote:
fjb_saper wrote:
But it is possible at your level to have a different cipherspec/ciphersuite per channel, using the same certificate.

Have fun


Thought the certificate had to match the cipher spec used on the channel

Indeed the cert has to enable the cipher spec you choose. However a single cert does allow for more than 1 cipher spec.


_________________
MQ & Broker admin
tczielke
Posted: Thu May 26, 2016 11:34 am

Guardian

Joined: 08 Jul 2010
Posts: 939
Location: Illinois, USA

I see many people on these forums with the misconception that an SSLCIPH that has SHA2 in the name implies that the queue manager certificate has to be SHA2 signed, or vice versa. They are completely separate things. Perhaps the OP was confused on that point.
_________________
Working with MQ since 2010.
zpat
Posted: Thu May 26, 2016 12:49 pm

Jedi Council

Joined: 19 May 2001
Posts: 5849
Location: UK

I don't see the connection between the certificate and the cipherspec.

Surely these are not inter-dependent?
_________________
Well, I don't think there is any question about it. It can only be attributable to human error. This sort of thing has cropped up before, and it has always been due to human error.
tczielke
Posted: Thu May 26, 2016 2:08 pm

Guardian

Joined: 08 Jul 2010
Posts: 939
Location: Illinois, USA

zpat wrote:
I don't see the connection between the certificate and the cipherspec.

Surely these are not inter-dependent?


For the elliptical cryptography, the SSLCIPH and certificate can be dependent on each other. There may be other cases I am not aware of, too. But for SHA2, if your SSLCIPH has SHA2 in it, it means that the encrypted data packets that the MQ channel will be sending will be digitally signed using SHA2. If your qmgr certificate was signed with SHA2, it means the CA digitally signed your cert with SHA2. In this case, the two are not related.
_________________
Working with MQ since 2010.
fjb_saper
Posted: Thu May 26, 2016 2:54 pm

Grand High Poobah

Joined: 18 Nov 2003
Posts: 20696
Location: LI,NY

zpat wrote:
I don't see the connection between the certificate and the cipherspec.

Surely these are not inter-dependent?

Yes and no. Nowadays certificates have to satisfy certain conditions to allow certain cipherspecs. For instance it is no longer possible to obtain a FIPS compliant cipherspec if the cert key size is below 2048 (RSA/SHA).
The key type (ECC, RSA, DSA, ...) can determine if some cipherspecs are made available or not...

So is there a connection? Yes but it is not always an evident one...
_________________
MQ & Broker admin
hughson
Posted: Sun May 29, 2016 7:25 pm

Padawan

Joined: 09 May 2013
Posts: 1914
Location: Bay of Plenty, New Zealand

zpat wrote:
I don't see the connection between the certificate and the cipherspec.

Surely these are not inter-dependent?

They are inter-dependent. There is no one certificate that can be used with EVERY possible cipherSpec (any more).

Read Digital certificates and CipherSpec compatibility in IBM MQ

Cheers
Morag
_________________
Morag Hughson @MoragHughson
IBM MQ Technical Education Specialist
Get your IBM MQ training here!
MQGem Software
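
Added example (not code from any poster in this thread or from IBM MQ): a small model of the distinction discussed above, in which the key type inside the certificate decides which CipherSpecs it can serve, while the hash the CA used to sign the certificate is independent of the hash in the SSLCIPH name. The channel names and the Certificate type are hypothetical, and only key type is modelled, not key size or FIPS rules.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Certificate:
    key_type: str   # public key algorithm in the certificate: "RSA" or "EC"
    sig_hash: str   # hash the CA used when it signed the certificate


def parse_cipherspec(name):
    """Return (key type the suite authenticates with, hash used by the session)."""
    tokens = [t for t in name.split("_") if t not in ("TLS", "WITH")]
    if tokens[:2] == ["ECDHE", "ECDSA"]:
        auth = "EC"
    elif tokens[:2] == ["ECDHE", "RSA"] or tokens[:1] == ["RSA"]:
        auth = "RSA"
    else:
        raise ValueError(f"unrecognised CipherSpec name: {name!r}")
    return auth, tokens[-1]


def cert_allows(cert, cipherspec):
    """Compare key types only; cert.sig_hash is deliberately never consulted."""
    auth, _session_hash = parse_cipherspec(cipherspec)
    return cert.key_type == auth


def check_channels(cert, channels):
    """Map each channel name to whether the one queue manager cert can serve it."""
    return {chl: cert_allows(cert, spec) for chl, spec in channels.items()}


# Constructed sample data: one RSA certificate whose CA signature uses SHA-1,
# and hypothetical channel names with their SSLCIPH values.
QMGR_CERT = Certificate(key_type="RSA", sig_hash="SHA1")
CHANNELS = {
    "LEGACY.PARTNER": "TLS_RSA_WITH_AES_128_CBC_SHA",     # TLS 1.0 CipherSpec
    "INTERNAL.APPS": "TLS_RSA_WITH_AES_128_CBC_SHA256",   # TLS 1.2 CipherSpec
    "EC.ONLY": "ECDHE_ECDSA_AES_128_CBC_SHA256",          # needs an EC key
}

if __name__ == "__main__":
    for chl, ok in check_channels(QMGR_CERT, CHANNELS).items():
        verdict = "ok" if ok else "key type mismatch"
        print(f"{chl:15} {CHANNELS[chl]:33} {verdict}")
```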