ASG
IBM
Zystems
Cressida
Icon
Netflexity
 
  MQSeries.net
Search  Search       Tech Exchange      Education      Certifications      Library      Info Center      SupportPacs      LinkedIn  Search  Search                                                                   FAQ  FAQ   Usergroups  Usergroups
 
Register  ::  Log in Log in to check your private messages
 
RSS Feed - WebSphere MQ Support RSS Feed - Message Broker Support

MQSeries.net Forum Index » WebSphere Message Broker (ACE) Support » SOAPInput (One way SSL)accepts any certificates from SOAPUI

Post new topic  Reply to topic
 SOAPInput (One way SSL)accepts any certificates from SOAPUI « View previous topic :: View next topic » 
Author Message
Partha.Baidya
PostPosted: Tue Jan 23, 2018 8:18 am    Post subject: SOAPInput (One way SSL)accepts any certificates from SOAPUI Reply with quote

Voyager

Joined: 05 Nov 2009
Posts: 97

We have a provider flow hosted in IIBv10 using SOAP Input/SOAP Reply nodes using HTTPS protocol. HTTPS has been implemented using TLS v1.2 One way SSL.
We have followed the steps mentioned in https://www.ibm.com/support/knowledgecenter/en/SSMKHH_10.0.0/com.ibm.etools.mft.doc/ap34021_.htm

We have done the followings apart from setting PKI at the Integration Node level using Key store jks file.
    mqsichangeproperties integrationNodeName -e integration_server_name -o HTTPSConnector -n explicitlySetPortNumber -v port_number
    mqsichangeproperties integrationNodeName -b httplistener -o HTTPSConnector -n clientAuth -v false
    mqsichangeproperties integrationNodeName -e integration_server_name -o HTTPSConnector -n sslProtocol -v TLSv1.2


Once the above has been setup, we have used a IIB consumer flow, if the consumer flow uses any other signer certificate other than the correct certificate it get authentication failure.
But this is not the case while testing using SOAPUI tool. In SOAPUI if the trust store is not setup, it gets authentication error. But if the trust store contains any certificate which is not a correct certificate for the provider flow, SOAPUI does not get authentication failure and able to call the service successfully.
We are not sure how SOAPUI is able to authenticate sucessfully without having the proper client side certificate.
Back to top
View user's profile Send private message
Vitor
PostPosted: Tue Jan 23, 2018 8:21 am    Post subject: Re: SOAPInput (One way SSL)accepts any certificates from SOA Reply with quote

Grand High Poobah

Joined: 11 Nov 2005
Posts: 26093
Location: Texas, USA

Partha.Baidya wrote:
We are not sure how SOAPUI is able to authenticate sucessfully without having the proper client side certificate.


Are you asking us how SoapUI works?
_________________
Honesty is the best policy.
Insanity is the best defence.
Back to top
View user's profile Send private message
Partha.Baidya
PostPosted: Tue Jan 23, 2018 8:37 am    Post subject: Reply with quote

Voyager

Joined: 05 Nov 2009
Posts: 97

I am not asking how SOAPUI works.
I am asking how IIB v10 is successfully authenticate a SOAP request without having proper signer certificates.
If this is case then anyone using SOAPUI can violate the security with IIB provider services in Production.
Back to top
View user's profile Send private message
Vitor
PostPosted: Tue Jan 23, 2018 8:47 am    Post subject: Reply with quote

Grand High Poobah

Joined: 11 Nov 2005
Posts: 26093
Location: Texas, USA

Partha.Baidya wrote:
I am not asking how SOAPUI works.
I am asking how IIB v10 is successfully authenticate a SOAP request without having proper signer certificates.
If this is case then anyone using SOAPUI can violate the security with IIB provider services in Production.


Well it's unusual to have IIB directly facing out without some kind of intermediate proxy that changes the SSL topology but that's not directly relevant to your point.

If you're confident that SoapUI doesn't have access to the correct certificate, then it's PMR time because clearly the mechanism as described in the InfoCenter works (because your consumer flow is denied) but some bug is not correctly handling the SSL handshake with SoapUI and letting it through. That's going to be buried deep in the listener code.
_________________
Honesty is the best policy.
Insanity is the best defence.
Back to top
View user's profile Send private message
Armageddon123
PostPosted: Tue Jan 23, 2018 2:15 pm    Post subject: Reply with quote

Acolyte

Joined: 11 Feb 2014
Posts: 61

I believe you are mistaken. you mentioned one way SSL and with clentAuth as false, then I think the SOAPUI doesnot need to present any certs to Provider.
Back to top
View user's profile Send private message
Partha.Baidya
PostPosted: Tue Jan 23, 2018 3:18 pm    Post subject: Reply with quote

Voyager

Joined: 05 Nov 2009
Posts: 97

Yes, this is a One way SSL.
But in one way also we need to create a Trust store containing Server's signer certificate.
Now in this case a program without having Server's signer certificate are able to get reply message.
The client program has a trust store with a different signer certificate.

Is this how One way SSL should be working.
The IBM documentation says Server Key store and Client Trust store should have the certificates from same CA.

https://www.ibm.com/support/knowledgecenter/SSRMWJ_6.0.0.18/com.ibm.isim.doc/securing/cpt/cpt_ic_security_ssl_scenario.htm

Needs inside of SSL One way.
Back to top
View user's profile Send private message
souciance
PostPosted: Wed Jan 24, 2018 12:51 am    Post subject: Reply with quote

Disciple

Joined: 29 Jun 2010
Posts: 169

Partha.Baidya wrote:
Yes, this is a One way SSL.
But in one way also we need to create a Trust store containing Server's signer certificate.
Now in this case a program without having Server's signer certificate are able to get reply message.
The client program has a trust store with a different signer certificate.

Is this how One way SSL should be working.
The IBM documentation says Server Key store and Client Trust store should have the certificates from same CA.

https://www.ibm.com/support/knowledgecenter/SSRMWJ_6.0.0.18/com.ibm.isim.doc/securing/cpt/cpt_ic_security_ssl_scenario.htm

Needs inside of SSL One way.


Doesn't one-way imply that only server needs to present cert and not client? Which means any client can call the server..because server does not validate the identity of the client. To do that you need two-way ssl.

This link has better info then the IBM one.
https://stackoverflow.com/questions/8230541/one-way-ssl-is-one-way-encryption
Back to top
View user's profile Send private message
Display posts from previous:   
Post new topic  Reply to topic Page 1 of 1

MQSeries.net Forum Index » WebSphere Message Broker (ACE) Support » SOAPInput (One way SSL)accepts any certificates from SOAPUI
Jump to:  



You cannot post new topics in this forum
You cannot reply to topics in this forum
You cannot edit your posts in this forum
You cannot delete your posts in this forum
You cannot vote in polls in this forum
Protected by Anti-Spam ACP
 
 


Theme by Dustin Baccetti
Powered by phpBB © 2001, 2002 phpBB Group

Copyright © MQSeries.net. All rights reserved.