Security Certificates
inMo
Posted: Tue Aug 01, 2017 1:26 pm    Post subject: Security Certificates

Master

Joined: 27 Jun 2009
Posts: 211
Location: NY

Any insight/direction would be appreciated: If IIB is acting as an endpoint for different https calls using different URLs, and holds security certificates for each domain, how does IIB know which security certificate to present to the caller?
inMo
Posted: Wed Aug 02, 2017 5:30 am

Master

Joined: 27 Jun 2009
Posts: 211
Location: NY

To be clearer, the question looks like the following:

https://www.abc.com/endpoint1 --> IIB NODE A EG 1
https://www.xyz.com/endpoint2 --> IIB NODE A EG 1

IIB NODE A EG 1 holds CA signed certs for abc.com and xyz.com.

How does IIB NODE A EG 1 return the certs when either call is made?
JosephGramig
Posted: Wed Aug 02, 2017 6:05 am

Grand Master

Joined: 09 Feb 2006
Posts: 1143
Location: Derby City, USA

By your question, it would seem you have not set up your Key Store. How many X.509 certs have you put in the Key Store JKS? Do you know the default behavior of a JKS Key Store that contains more than one X.509 certificate pair?
inMo
Posted: Wed Aug 02, 2017 6:32 am

Master

Joined: 27 Jun 2009
Posts: 211
Location: NY

How I appreciate the response, thank you!

The Key Store is stated to be set up. I see a statement in IIB docs:

Quote:
The keystore file contains the personal certificate for the broker or for the integration server. You can have only one personal certificate in the keystore.


I guess this suggests the problem is that a single node single eg cannot act as if it is abc.com & xyz.com. Am I close?

Quote:
Do you know the default behavior of a JKS Key Store that contains more than one X.509 certificate pair?


I fully admit I don't.

Again, thank you for taking time to assist & educate.
JosephGramig
Posted: Wed Aug 02, 2017 10:18 am

Grand Master

Joined: 09 Feb 2006
Posts: 1143
Location: Derby City, USA

Very good. In reading the documents, you have answered your questions.

I suggest you create and maintain your Key and Trust Stores with the GS Kit that comes with MQ (since you most likely have that installed).

The name of the command is runmqckm and if you run it, it will echo what you can do. As you add more to the command, it will echo more specifically what you can do.

I have made several posts on this subject on these forums (as many others have also done).

Best of luck.

By the way, you can have more than one personal certificate in the key store, but Java will return the first one (so the doc is not strictly correct).
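
A way to check a keystore against the behaviour described in this thread, as an added example that is not part of the original posts or of IBM's tooling: it lists every personal (private-key) certificate in a JKS file with its subject and DNS names, and warns when more than one is present. The class name `KeystoreAudit` and the `KEYSTORE_PASSWORD` environment variable are assumptions made for this example.

```java
import java.io.FileInputStream;
import java.security.KeyStore;
import java.security.cert.Certificate;
import java.security.cert.X509Certificate;
import java.util.ArrayList;
import java.util.Collection;
import java.util.Collections;
import java.util.List;

// Added example (hypothetical class name): audit the personal certificates in a JKS keystore.
// Usage: KEYSTORE_PASSWORD=... java KeystoreAudit <keystore.jks>
public class KeystoreAudit {
    public static void main(String[] args) throws Exception {
        // Assumption: the store password comes from an environment variable, not argv.
        String pw = System.getenv("KEYSTORE_PASSWORD");
        if (args.length != 1 || pw == null) {
            System.err.println("usage: KEYSTORE_PASSWORD=... java KeystoreAudit <keystore.jks>");
            System.exit(2);
        }
        KeyStore ks = KeyStore.getInstance("JKS");
        try (FileInputStream in = new FileInputStream(args[0])) {
            ks.load(in, pw.toCharArray());
        }
        List<String> personal = new ArrayList<>();
        for (String alias : Collections.list(ks.aliases())) {
            // A key entry is a private key plus its chain, i.e. a personal certificate.
            // Trusted CA (certificate-only) entries are skipped.
            if (!ks.isKeyEntry(alias)) continue;
            personal.add(alias);
            Certificate cert = ks.getCertificate(alias);
            if (!(cert instanceof X509Certificate)) continue;
            X509Certificate x = (X509Certificate) cert;
            System.out.println("alias=" + alias);
            System.out.println("  subject=" + x.getSubjectX500Principal().getName());
            System.out.println("  notAfter=" + x.getNotAfter());
            // Each SAN is a [type, value] pair; type 2 is dNSName.
            Collection<List<?>> sans = x.getSubjectAlternativeNames();
            if (sans == null) continue;
            for (List<?> san : sans) {
                if (Integer.valueOf(2).equals(san.get(0))) System.out.println("  dNSName=" + san.get(1));
            }
        }
        if (personal.size() > 1) {
            // Per the thread: only one of these will be presented to HTTPS callers.
            System.err.println("WARNING: " + personal.size() + " personal certificates: " + personal);
            System.exit(1);
        }
    }
}
```

The exit status is 1 when more than one personal certificate is found, so the check can gate a deployment script.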