  MQSeries.net
MQFTE Client not connecting in two way SSL authentication.
Northsider
Posted: Tue Nov 28, 2017 5:54 am    Post subject: MQFTE Client not connecting in two way SSL authentication.

Novice

Joined: 09 Mar 2005
Posts: 16

Hi,

It's a specific MQFTE SSL question, but could be a generic MQ question.

We want to set up an MQFTE Agent (FTEAG01) mq v9 to a (QMGR1) MQ FTE Concentrator Queue Manager mq v7.5

QMGR1 will have the following certificates :
Certificates found
* default, - personal, ! trusted, # secret key
! "Hanky Panky CA"
! "Something Else CA"
- ibmwebspheremqQMGR1 (personal key, signed by "Hanky Panky CA")

Now I want to connect with an MQ FTE Agent (FTEAG01) which is signed by "Something Else CA"

FTEAG01 will have the following certificates :
Certificates found
* default, - personal, ! trusted, # secret key
! "Hanky Panky CA"
! "Something Else CA"
- ibmwebspheremqmqm (personal key for FTEAG01, signed by "Something Else CA")

Will this work? - or does QMGR1 also need to have personal signed key by "Something Else CA" ?

I would assume, that QMGR1 doesn't need to be signed by "Something Else CA" to have the MQFTE Agent working. But maybe I'm missing something?
Vitor
Posted: Tue Nov 28, 2017 6:25 am

Grand High Poobah

Joined: 11 Nov 2005
Posts: 26093
Location: Texas, USA

You'd never have 2 personal certificates, or a personal certificate signed by 2 CAs.

Each queue manager simply needs to trust the CA that didn't sign its personal certificate.
_________________
Honesty is the best policy.
Insanity is the best defence.
Northsider
Posted: Tue Nov 28, 2017 7:11 am

Novice

Joined: 09 Mar 2005
Posts: 16

Thank you, Vitor for the clear statement.

I got mixed up, I think by "over"-reading. (but below information is about qmgr to qmgr)

for your information:

https://developer.ibm.com/recipes/tutorials/configuration-of-multiple-certificates-per-qmgr-using-ibm-mq-v8-0/

quote : However, since a queue manager can only have One Certificate, with releases prior to V8 of MQ, you were forced into having two queue managers, one using each certificate. Now, imagine if I have 10+ Business Partners using 10+ different CAs, I need to have 10+ different Qmgrs connecting to their respective Business Partners which is definitely not a practical solution!
Vitor
Posted: Tue Nov 28, 2017 7:17 am

Grand High Poobah

Joined: 11 Nov 2005
Posts: 26093
Location: Texas, USA

SSL is a minefield

In the scenario in the document, I would have not used CA1 & CA2 but Verisign, trusted that and accepted only personal certificates from the distinguished name I was expecting for the queue managers in question.
_________________
Honesty is the best policy.
Insanity is the best defence.
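
The trust relationship discussed in this thread (each side trusts the CA that signed the other's personal certificate, and the last reply's point about accepting only an expected distinguished name), as an added example that is not part of any post. It uses the openssl CLI rather than MQ's own key-management tools; every key and certificate is a throwaway generated on the spot, only the labels QMGR1, FTEAG01 and the two CA names come from the thread, and ROGUE and the function names are made up for illustration.

```bash
#!/usr/bin/env bash
# Added example. All CAs, keys and certificates are constructed throwaways;
# only the labels (QMGR1, FTEAG01, the two CA names) come from the thread.
set -eu
WORK=$(mktemp -d)

make_ca() {   # $1 = file prefix, $2 = CA common name
  openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=$2" \
    -keyout "$WORK/$1.key" -out "$WORK/$1.pem" 2>/dev/null
}

issue() {     # $1 = cert prefix (also used as CN), $2 = signing CA prefix
  openssl req -newkey rsa:2048 -nodes -subj "/CN=$1" \
    -keyout "$WORK/$1.key" -out "$WORK/$1.csr" 2>/dev/null
  openssl x509 -req -in "$WORK/$1.csr" -days 1 -CAcreateserial \
    -CA "$WORK/$2.pem" -CAkey "$WORK/$2.key" -out "$WORK/$1.pem" 2>/dev/null
}

# trusts STORE CERT: succeeds if CERT chains to a CA held in STORE.
trusts() {
  openssl verify -CAfile "$WORK/$1.pem" "$WORK/$2.pem" >/dev/null 2>&1
}

# peer_ok STORE CERT DN: chain check plus an exact match on the subject DN,
# the restriction the last reply describes (trust the CA, accept only the
# distinguished name you expect).
peer_ok() {
  trusts "$1" "$2" || return 1
  dn=$(openssl x509 -in "$WORK/$2.pem" -noout -subject -nameopt RFC2253 |
       sed 's/^subject= *//')
  [ "$dn" = "$3" ]
}

make_ca hanky "Hanky Panky CA"
make_ca other "Something Else CA"
issue QMGR1 hanky       # queue manager's personal certificate
issue FTEAG01 other     # agent's personal certificate
issue ROGUE other       # same CA as the agent, unexpected subject
cat "$WORK/hanky.pem" "$WORK/other.pem" > "$WORK/both.pem"  # store as in the thread

trusts both FTEAG01 && echo "QMGR1 side accepts FTEAG01"
trusts both QMGR1   && echo "FTEAG01 side accepts QMGR1"
trusts hanky FTEAG01 || echo "store without Something Else CA rejects FTEAG01"
peer_ok both ROGUE "CN=FTEAG01" || echo "DN filter rejects ROGUE"
```

The third check is the failure case behind the original question: a store that holds only the CA that signed its own certificate cannot validate the peer, while neither side ever needs a second personal certificate.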