Mutual auth using client certs signed by the same CA
prasadpav (Centurion; Joined: 03 Oct 2004; Posts: 142)
Posted: Thu Feb 01, 2018 3:48 am    Post subject: Mutual auth using client certs signed by the same CA
Hi,
I'm using IIB 10.0.0.9 and we are hosting REST API based services using HTTPInput nodes. These services are configured to be mutually authenticated and use the TLSv1.2 protocol. The certificates are provided by our in-house Crypto team, who have a root CA and an Issuing CA. They have distributed certificates to each application, all signed by the same Issuing CA. Within the broker we have imported the public certs for only 2 other internal applications. But when we tested mutual authentication, the broker allowed all internal client certificates that are signed by the same Issuing CA, not just the 2 clients whose public certs are imported into our trust store.
1) Is this the correct behaviour? Is it TLSv1.2-specific behaviour?
2) Can we somehow enforce trusting only those 2 clients and not everyone signed by the same authority?
Thanks in advance.
fjb_saper (Grand High Poobah; Joined: 18 Nov 2003; Posts: 20756; Location: LI,NY)
Posted: Thu Feb 01, 2018 6:07 am    Post subject:
You need to set up a policy and bindings that references those 2 certs in your truststore...
--
MQ & Broker admin
prasadpav (Centurion; Joined: 03 Oct 2004; Posts: 142)
Posted: Thu Feb 01, 2018 12:47 pm    Post subject:
Quote:
    You need to set up a policy and bindings that references those 2 certs in your truststore...

As far as I know, those are required for setting up WS-Security, which I'm not using (happy to be corrected). I'm using HTTPInput nodes and the global "httplistener". Please note that if the client uses a certificate that is signed by a different CA, then it fails mutual authentication, as one would expect.
fjb_saper (Grand High Poobah; Joined: 18 Nov 2003; Posts: 20756; Location: LI,NY)
Posted: Thu Feb 01, 2018 12:55 pm    Post subject:
prasadpav wrote:
    Quote:
        You need to set up a policy and bindings that references those 2 certs in your truststore...

    As far as I know, those are required for setting up WS-Security, which I'm not using (happy to be corrected). I'm using HTTPInput nodes and the global "httplistener". Please note that if the client uses a certificate that is signed by a different CA, then it fails mutual authentication, as one would expect.

Standard HTTPS, even with client authentication, does not care who the client is... as long as the issuing cert chain is present in the trust store.
You might have to use propagation and verify the DN...
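The behaviour prasadpav observed and the remedy fjb_saper suggests (verify the DN after the TLS handshake) can be shown with a small allowlist check. The following is an added example written for this thread; it is not code from the forum posts, from IBM, or from IIB. It assumes only that the client certificate's subject and issuer are available in the shape Python's `ssl.SSLSocket.getpeercert()` returns (tuples of relative distinguished names); how those values are pulled out of the HTTPInput node's propagated identity is not covered here. All certificate identities, DN values and DER bytes below are constructed.

```python
"""Added example, not code from the thread or from IBM: once the TLS layer
has validated the client chain against the Issuing CA, enforce an allowlist
so that only named clients get in, not everyone that CA has ever signed."""
import hashlib

# Constructed issuer, in the shape ssl.getpeercert() uses: a tuple of RDNs,
# each RDN a tuple of (attribute, value) pairs.
ISSUER_RDNS = ((("organizationName", "Example Corp"),),
               (("commonName", "Example Issuing CA"),))


def _cert(cn):
    """Build a constructed peer-cert dict for a client with common name cn."""
    return {
        "subject": ((("countryName", "GB"),),
                    (("organizationName", "Example Corp"),),
                    (("commonName", cn),)),
        "issuer": ISSUER_RDNS,
    }


APP_A_CERT = _cert("app-a.internal.example")           # allowlisted client
APP_B_CERT = _cert("app-b.internal.example")           # allowlisted client
OTHER_INTERNAL_CERT = _cert("app-z.internal.example")  # same CA, not allowlisted

# Long attribute names as returned by getpeercert(), mapped to RFC 4514 short forms.
SHORT_NAMES = {
    "countryName": "C",
    "stateOrProvinceName": "ST",
    "localityName": "L",
    "organizationName": "O",
    "organizationalUnitName": "OU",
    "commonName": "CN",
}


def _escape(value):
    """Minimal RFC 4514 escaping so a comma inside a value cannot masquerade
    as an RDN separator when DNs are compared as strings."""
    return value.replace("\\", "\\\\").replace(",", "\\,")


def dn_to_string(rdns):
    """Render getpeercert()-style RDNs as an RFC 4514 string, most specific first."""
    rdn_strings = []
    for rdn in rdns:
        rdn_strings.append("+".join(
            f"{SHORT_NAMES.get(attr, attr)}={_escape(value)}" for attr, value in rdn))
    return ",".join(reversed(rdn_strings))


EXPECTED_ISSUER = dn_to_string(ISSUER_RDNS)
ALLOWED_SUBJECTS = {
    dn_to_string(APP_A_CERT["subject"]),
    dn_to_string(APP_B_CERT["subject"]),
}


def client_is_authorised(peercert, allowed_subjects=ALLOWED_SUBJECTS,
                         expected_issuer=EXPECTED_ISSUER):
    """Deny unless a certificate was presented, it names the expected issuer,
    and its subject DN is on the allowlist.  Chain building and signature
    checks are assumed to have already happened in the TLS layer; this only
    answers the question the handshake does not: *which* client is this?"""
    if not peercert:
        return False
    if dn_to_string(peercert.get("issuer", ())) != expected_issuer:
        return False
    return dn_to_string(peercert.get("subject", ())) in allowed_subjects


def der_fingerprint(der_bytes):
    """SHA-256 of the DER encoding (what getpeercert(binary_form=True) returns)."""
    return hashlib.sha256(der_bytes).hexdigest()


def client_is_pinned(der_bytes, pinned_fingerprints):
    """Stricter alternative to DN matching: pin the exact certificate, so a
    re-issued cert with the same DN must be explicitly re-approved."""
    return der_fingerprint(der_bytes) in pinned_fingerprints


if __name__ == "__main__":
    for name, cert in [("app-a", APP_A_CERT), ("app-z", OTHER_INTERNAL_CERT), ("none", {})]:
        print(name, "allowed" if client_is_authorised(cert) else "denied")
```

The DN allowlist is what the thread calls "verify the DN": it survives routine certificate renewal as long as the CA keeps issuing the same subject. Fingerprint pinning is tighter but has to be updated at every renewal; either way the decision must be made after the handshake, because the trust store alone only answers "was this signed by a CA I trust".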