ASG
IBM
Zystems
Cressida
Icon
Netflexity
 
  MQSeries.net
Search  Search       Tech Exchange      Education      Certifications      Library      Info Center      SupportPacs      LinkedIn  Search  Search                                                                   FAQ  FAQ   Usergroups  Usergroups
 
Register  ::  Log in Log in to check your private messages
 
RSS Feed - WebSphere MQ Support RSS Feed - Message Broker Support

MQSeries.net Forum IndexWebSphere Message Broker SupportMutual auth using client certs signed by the same CA

Post new topicReply to topic
Mutual auth using client certs signed by the same CA View previous topic :: View next topic
Author Message
prasadpav
PostPosted: Thu Feb 01, 2018 3:48 am Post subject: Mutual auth using client certs signed by the same CA Reply with quote

Centurion

Joined: 03 Oct 2004
Posts: 138

Hi,
I'm using IIB 10.0.0.9 and we are hosting REST API based services using HTTPInput nodes. These services are configured to be mutually authenticated and using TLSv1.2 protocol. The certificates are provided by our in-house Crypto team who has root CA and Issuing CA. They have distributed certificates to each application and are signed by the same Issuing CA. Within the broker we have imported public certs for only 2 other internal applications. But when we tested mutual authentication, broker is allowing all internal clients certificates who are signed by the same issuing CA not just the 2 clients whose public certs are imported into our trust store.

1) Is this correct behaviour? TLSv1.2 specific behaviour?
2) Can we enforce somehow to trust only those 2 clients and not everyone signed by the same authority?

Thanks in advance.
Back to top
View user's profile Send private message
fjb_saper
PostPosted: Thu Feb 01, 2018 6:07 am Post subject: Reply with quote

Grand Poobah

Joined: 18 Nov 2003
Posts: 19544
Location: LI,NY

You need to set up a policy and bindings that references those 2 certs in your truststore...
_________________
MQ & Broker admin
Back to top
View user's profile Send private message Send e-mail
prasadpav
PostPosted: Thu Feb 01, 2018 12:47 pm Post subject: Reply with quote

Centurion

Joined: 03 Oct 2004
Posts: 138

Quote:
You need to set up a policy and bindings that references those 2 certs in your truststore...


As far as I know, those are required for setting WS-Security which I'm not using (happy to be corrected). I'm using HTTPInput nodes and global "httplistener". Please note that if the client uses a certificate that is signed by a different CA, then it fails mutual authentication as one would expect.
Back to top
View user's profile Send private message
fjb_saper
PostPosted: Thu Feb 01, 2018 12:55 pm Post subject: Reply with quote

Grand Poobah

Joined: 18 Nov 2003
Posts: 19544
Location: LI,NY

prasadpav wrote:
Quote:
You need to set up a policy and bindings that references those 2 certs in your truststore...


As far as I know, those are required for setting WS-Security which I'm not using (happy to be corrected). I'm using HTTPInput nodes and global "httplistener". Please note that if the client uses a certificate that is signed by a different CA, then it fails mutual authentication as one would expect.


Standard HTTPS, even with client authentication, does not care who the client is... as long as the issuing cert chain is present in the trust store.

You might have to use propagation and verify the DN...
_________________
MQ & Broker admin
Back to top
View user's profile Send private message Send e-mail
Display posts from previous:
Post new topicReply to topic Page 1 of 1

MQSeries.net Forum IndexWebSphere Message Broker SupportMutual auth using client certs signed by the same CA
Jump to:



You cannot post new topics in this forum
You cannot reply to topics in this forum
You cannot edit your posts in this forum
You cannot delete your posts in this forum
You cannot vote in polls in this forum
Protected by Anti-Spam ACP


Theme by Dustin Baccetti
Powered by phpBB 2001, 2002 phpBB Group

Copyright MQSeries.net. All rights reserved.