ASG
IBM
Zystems
Cressida
Icon
Netflexity
 
  MQSeries.net
Search  Search       Tech Exchange      Education      Certifications      Library      Info Center      SupportPacs      LinkedIn  Search  Search                                                                   FAQ  FAQ   Usergroups  Usergroups
 
Register  ::  Log in Log in to check your private messages
 
RSS Feed - WebSphere MQ Support RSS Feed - Message Broker Support

MQSeries.net Forum IndexWebSphere Message Broker SupportSSL for Executon Group HTTPSConnector or ComIbmJVMManager

Post new topicReply to topic
SSL for Executon Group HTTPSConnector or ComIbmJVMManager View previous topic :: View next topic
Author Message
PeterPotkay
PostPosted: Tue Nov 19, 2013 1:44 pm Post subject: SSL for Executon Group HTTPSConnector or ComIbmJVMManager Reply with quote

Poobah

Joined: 15 May 2001
Posts: 7523

For settting and reporting on keystore & truststore details for an Executon Group

This says to use -o ComIbmJVMManager
http://pic.dhe.ibm.com/infocenter/wmbhelp/v8r0m0/topic/com.ibm.etools.mft.doc/ac56640_.htm?resultof=%22%6b%65%79%73%74%6f%72%65%46%69%6c%65%22%20%22%6b%65%79%73%74%6f%72%65%66%69%6c%22%20

This example uses -o ComIbmJVMManager
http://pic.dhe.ibm.com/infocenter/wmbhelp/v8r0m0/topic/com.ibm.etools.mft.samples.wssecsamp.doc/doc/setup_keystores.htm?resultof=%22%6b%65%79%73%74%6f%72%65%46%69%6c%65%22%20%22%6b%65%79%73%74%6f%72%65%66%69%6c%22%20

But then there is -o HTTPSConnector which you can set at the execution group level
http://pic.dhe.ibm.com/infocenter/wmbhelp/v8r0m0/topic/com.ibm.etools.mft.doc/an09148_.htm?resultof=%22%6b%65%79%73%74%6f%72%65%46%69%6c%65%22%20%22%6b%65%79%73%74%6f%72%65%66%69%6c%22%20


So which are we supposed to use to set and report on keystore & truststore details for an Executon Group, -o HTTPSConnector or -o ComIbmJVMManager? SOAP nodes and HTTP Nodes with SSL will be in this Execution Group.

client Auth and explicitlySetPortNumber are only available for HTTPSConnector.

I can't find anything in the Infocenter that says use ComIbmJVMManager in this scenario and use HTTPSConnector for that scenario when setting certificate store details at the execution group level.
_________________
Peter Potkay
Keep Calm and MQ On
Back to top
View user's profile Send private message
mqjeff
PostPosted: Wed Nov 20, 2013 3:22 am Post subject: Reply with quote

Grand Master

Joined: 25 Jun 2008
Posts: 17447

I'd guess that the file locations and passwords can be set using either component, and they both change the same thing...

but that's just a guess.

If that's not true, then my tendency would be to use the HTTPSConnector for everything.

But I'd still open a PMR and clarify.

On second consideration, it might be for the case where you need to have a different keystore/truststore for HTTP SSL than you have for other SSL.
Back to top
View user's profile Send private message
PeterPotkay
PostPosted: Wed Nov 20, 2013 6:35 am Post subject: Reply with quote

Poobah

Joined: 15 May 2001
Posts: 7523

Setting the cert store location, password, etc for one doesn't reflect in the other's mqsireport output, so it seems this allows you to use different certificate details in different scenarios. Unclear yet on why you might want to set these to different values.

I opened a PMR. Will let y'all know what I find out.
_________________
Peter Potkay
Keep Calm and MQ On
Back to top
View user's profile Send private message
mqjeff
PostPosted: Wed Nov 20, 2013 6:39 am Post subject: Reply with quote

Grand Master

Joined: 25 Jun 2008
Posts: 17447

you receive TCP/IP messages from internal networks using a private CA, and you want to ensure that you only accept connections that are trusted by that private CA.

You receive HTTP from a more customer-facing side and need to accept connections that are trusted by more public CAs.

Different keystores/truststores let you keep that separate.
Back to top
View user's profile Send private message
PeterPotkay
PostPosted: Wed Nov 20, 2013 6:45 am Post subject: Reply with quote

Poobah

Joined: 15 May 2001
Posts: 7523

mqjeff wrote:
you receive TCP/IP messages from internal networks using a private CA, and you want to ensure that you only accept connections that are trusted by that private CA.

You receive HTTP from a more customer-facing side and need to accept connections that are trusted by more public CAs.

Different keystores/truststores let you keep that separate.

Exactly what I was thinking earlier this week. With the lack of SSLPEER like functionality in WMB I wish I was able to have a front side truststore with very limited trust (i.e. only have my private CA certs in there) and a backside trust store for when the execution group was acting the role of the SSL Client, and so it would be easiest to have all the public CAs in THAT trust store.

However, the problem would remain on how you would tell Message Flow A in Execution Group1 to use Trust Store A and tell Message Flow B in Execution Group 1 to use Trust Store B.

I am hoping that the PMR comes back with something obvious that explains:
When do we set the cert store details for HTTPSConnector.
When do we instead set it for ComIbmJVMManager.
Why is clientAuth and explicitlySetPortNumber only available for HTTPSConnector.
_________________
Peter Potkay
Keep Calm and MQ On
Back to top
View user's profile Send private message
ghoshly
PostPosted: Sun Mar 22, 2015 8:24 am Post subject: Could you please share the outcome of PMR Reply with quote

Master

Joined: 10 Jan 2008
Posts: 280

I am trying to dig this old post because would be interested to know the result/ response from IBM for the PMR.

I am trying to enable clientAuth for some execution group / port for specific clients however allow traffic via https through a different port without authenticating their client certs.

Thanks in advance.
Back to top
View user's profile Send private message
IIB_Intel
PostPosted: Thu Jan 17, 2019 8:03 am Post subject: Invoking this old thread. Reply with quote

Apprentice

Joined: 07 May 2015
Posts: 44

Trying to clarify few this on this.
1. For inbound connections to IIB (httpInput & SoapInput nodes) using mutual auth which command should we use to set the KS & TS at the EG/Integration server level?

mqsichangeproperties BRK -e EG1 -o HTTPSConnector -n keystoreFile -v <path to keystore file>
OR
mqsichangeproperties BRK -e EG1 -o ComIbmJVMManager -n keystoreFile -v <path to keystore file>

2. What advantage one command (as mentioned above) over the other?

My understanding is that we should use the first command as 2nd command can be used to set different KS (having different keys) for other outbound connections from IIB which needs mutual Auths.

The scenario that I am trying to address is:

A client sends a request message to a message flow containing SOAPInput/HTTPInput node using https with mutual authentication. The message flow is deployed to execution group EG1 under broker BRK. It processes and sends the message downstream into the flow. The message is propagated to the SOAPRequest/HTTPRequest node in the same message flow that sends a request using https with mutual authentication to a third party service provider (which uses a self signed cert for mutual auth).

In this case If I use command 1 for setting the KS for inbound connections and command 2 for setting the KS for outbound connections. I may be able to address it.
Back to top
View user's profile Send private message
Display posts from previous:
Post new topicReply to topic Page 1 of 1

MQSeries.net Forum IndexWebSphere Message Broker SupportSSL for Executon Group HTTPSConnector or ComIbmJVMManager
Jump to:



You cannot post new topics in this forum
You cannot reply to topics in this forum
You cannot edit your posts in this forum
You cannot delete your posts in this forum
You cannot vote in polls in this forum
Protected by Anti-Spam ACP


Theme by Dustin Baccetti
Powered by phpBB 2001, 2002 phpBB Group

Copyright MQSeries.net. All rights reserved.