MQSeries.net Forum Index » IBM MQ Security » Default Certificate Question

Default Certificate Question
Jeff.VT
Posted: Fri Mar 15, 2019 7:46 am    Post subject: Default Certificate Question
Several years ago, before my queue managers were exposed to the filthy internet, I saw it coming and decided to learn a bit about how Certificates work with IBM MQ.

I set up a self-signed cert, set it to default, and connected some queue managers together with it, just playing around.

Years later, I set up an inbound certificate-secured channel, created a 'real' cert, whole 9 yards... Everything was fine. But a few days ago, that 'default' self-signed certificate that I never used for any connections after I was done playing with it expired.

That caused the inbound connection that was using a completely different, non-expired cert to start giving off SSL errors and not connect. I removed the expired cert, and made the 'real' cert the default, and the problem was resolved. No non-certificate secured channels were impacted. And no outbound certificate-secured channels were impacted.

But my question is this... Sure the expired cert was 'default', but it never was used for anything. Why would the 'default' certificate expiring cause problems for a non-expired certificate?
hughson
Posted: Fri Mar 15, 2019 1:56 pm

One question - why did you set your 'real' cert to be the default? You shouldn't need to ever set any certificate to be the default. A default certificate may well get picked up when you don't intend it to be used if no certificate of the requested label is found.

If you have a certificate for a queue manager it should be labeled in the same way that the CERTLABL field on the queue manager is set. If this is not the case, the default certificate could be used.

Cheers,
Morag
_________________
Morag Hughson @MoragHughson
IBM MQ Technical Education Specialist
Get your IBM MQ training here!
MQGem Software
Jeff.VT
Posted: Tue Mar 19, 2019 1:04 pm

hughson wrote:
One question - why did you set your 'real' cert to be the default? You shouldn't need to ever set any certificate to be the default. A default certificate may well get picked up when you don't intend it to be used if no certificate of the requested label is found.

If you have a certificate for a queue manager it should be labeled in the same way that the CERTLABL field on the queue manager is set. If this is not the case, the default certificate could be used.

Cheers,
Morag


It sounds like I'm being a bit too careful and that caused this problem... Wouldn't be the first time.

The Queue Manager 'Certificate Label' QMGR CERTLABL:
Say it was, "SELFSIGNED.QMGR.NAME"

I had a self-signed cert called 'SELFSIGNED.QMGR.NAME' in the key repository, and it was set to Default.

No channels referenced SELFSIGNED.QMGR.NAME

I also have a REAL.CERT.FOR.THIRD.PARTY.PROD and REAL.CERT.FOR.THIRD.PARTY.TEST also in the key repository. And they are referenced in those respective channels (THIRDPARTY.PROD, THIRDPARTY.TEST).

SOMETHING.QMGR.NAME expired. The other certs did not expire. But yet THIRDPARTY.PROD & THIRDPARTY.TEST channels failed with Cert errors.

-----------------

I figured that if I do set up other third parties, I'm probably just going to use the same cert anyway, so to resolve it, I deleted the SOMETHING.QMGR.NAME, and renamed the REAL.CERTS to "QMGR.NAME.PROD" and "QMGR.NAME.TEST", set the Prod one to Default, and set it to the QMGR CERTLABL() value. Then refreshed SSL, and it all started working (including test).

--------------

It sounds like if I hadn't set the SELFSIGNED.QMGR.NAME to default, this wouldn't have happened?

I didn't think it would have been a problem since it wasn't really used anywhere (well... anywhere other than the CERTLABL()...)

Always new things to learn.
hughson
Posted: Tue Mar 19, 2019 1:46 pm

Interesting, in your first post you suggested that the certificate that expired was the one that was set as the default. Can you check that you're describing the same problem? You now seem to be suggesting that the CERTLABL referenced certificate was the one that expired.

Are SELFSIGNED.QMGR.NAME and SOMETHING.QMGR.NAME actually the same certificate in this description? Feel free to edit your post to correct it and avoid confusion for other readers. I'll remove this sentence if need be if you do.

Jeff.VT wrote:
I didn't think it would have been a problem since it wasn't really used anywhere (well... anywhere other than the CERTLABL()...)


Anyway, whatever, don't use a default in the queue manager key repository; use correctly labeled certificates.

Cheers,
Morag
_________________
Morag Hughson @MoragHughson
IBM MQ Technical Education Specialist
Get your IBM MQ training here!
MQGem Software
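The label audit below is an added example written for this thread; it is not code from the forum, from IBM or from MQGem. It assumes a key repository listing in the shape that `runmqakm -cert -list -db key.kdb -stashed` prints (a marker column, with `*` flagging the default) and MQSC output in the shape of `DISPLAY QMGR CERTLABL` and `DISPLAY CHANNEL(*) CERTLABL`; both formats are assumptions to adjust for your GSKit/MQ level, and every listing, label and channel name in it is constructed sample data. It checks the two things the thread turns on: whether a default certificate is set at all, and whether every label the queue manager or a channel references actually exists in the repository, since a label that cannot be found is what makes MQ fall back to the default.

```shell
#!/bin/sh
# Added example (not from the thread, IBM or MQGem). Offline audit of the TLS
# labels an IBM MQ queue manager relies on: every CERTLABL named by the queue
# manager or by a channel must exist in the key repository, or MQ may silently
# fall back to the repository's default certificate, the failure mode discussed
# in the thread. Input formats assumed (adjust the filters if yours differ):
#   runmqakm -cert -list -db key.kdb -stashed      -> LISTING text
#   DISPLAY QMGR CERTLABL / DISPLAY CHANNEL(*) CERTLABL via runmqsc -> MQSC text
# All sample data below is constructed.

# listing_body: drop runmqakm's header lines and blanks, leaving marker+label rows.
listing_body() {
    grep -v -e '^Certificates found' -e '^\* default,' -e '^[[:space:]]*$'
}

# keystore_labels: bare labels, with the GSKit marker column removed
# ("*" default, "-" personal, "!" trusted, "#" secret key).
keystore_labels() {
    listing_body | sed 's/^[[:space:]]*[*!#-][[:space:]]*//'
}

# default_label: the label GSKit flags with "*"; empty when no default is set.
default_label() {
    listing_body | grep '^[[:space:]]*\*' | sed 's/^[[:space:]]*\*[[:space:]]*//'
}

# referenced_labels: every non-blank CERTLABL(...) value in MQSC output, sorted.
# A blank channel CERTLABL( ) means "use the queue manager's label", so it is skipped.
referenced_labels() {
    grep -o 'CERTLABL([^)]*)' | sed 's/^CERTLABL(//; s/)$//' |
        grep -v '^[[:space:]]*$' | sort -u
}

# missing_labels LISTING MQSC: referenced labels that the key repository lacks.
missing_labels() {
    ks=$(printf '%s\n' "$1" | keystore_labels)
    printf '%s\n' "$2" | referenced_labels | while IFS= read -r lbl; do
        printf '%s\n' "$ks" | grep -Fxq -- "$lbl" || printf '%s\n' "$lbl"
    done
}

# audit LISTING MQSC: human-readable report; returns 1 when a label is missing.
audit() {
    rc=0
    d=$(printf '%s\n' "$1" | default_label)
    [ -n "$d" ] && echo "WARN: repository has a default certificate ($d); rely on explicit CERTLABL values instead"
    m=$(missing_labels "$1" "$2")
    if [ -n "$m" ]; then
        echo "FAIL: labels referenced by QMGR/channels but absent from the repository:"
        printf '%s\n' "$m" | sed 's/^/  /'
        rc=1
    fi
    return $rc
}

# Constructed sample: the repository as the thread describes it before the
# self-signed default expired (marker column uses spaces here; GSKit prints a tab).
LISTING_BEFORE='Certificates found
* default, - personal, ! trusted, # secret key
*   SELFSIGNED.QMGR.NAME
-   REAL.CERT.FOR.THIRD.PARTY.PROD
-   REAL.CERT.FOR.THIRD.PARTY.TEST
!   CN=Third Party Issuing CA,O=Example'

# Constructed sample: the same repository after the expired certificate was
# deleted but before QMGR CERTLABL was repointed at a surviving label.
LISTING_AFTER='Certificates found
* default, - personal, ! trusted, # secret key
-   REAL.CERT.FOR.THIRD.PARTY.PROD
-   REAL.CERT.FOR.THIRD.PARTY.TEST
!   CN=Third Party Issuing CA,O=Example'

# Constructed sample MQSC output for queue manager QM1.
MQSC_OUT='AMQ8408I: Display Queue Manager details.
   QMNAME(QM1)                             CERTLABL(SELFSIGNED.QMGR.NAME)
AMQ8414I: Display Channel details.
   CHANNEL(THIRDPARTY.PROD)                CHLTYPE(RCVR)
   CERTLABL(REAL.CERT.FOR.THIRD.PARTY.PROD)
AMQ8414I: Display Channel details.
   CHANNEL(THIRDPARTY.TEST)                CHLTYPE(RCVR)
   CERTLABL(REAL.CERT.FOR.THIRD.PARTY.TEST)
AMQ8414I: Display Channel details.
   CHANNEL(SYSTEM.DEF.SVRCONN)             CHLTYPE(SVRCONN)
   CERTLABL( )'

echo "== before expiry =="; audit "$LISTING_BEFORE" "$MQSC_OUT" || true
echo "== after deleting the expired default =="; audit "$LISTING_AFTER" "$MQSC_OUT" || true
```

On a real system, feed `audit` the captured output of `runmqakm -cert -list` against the queue manager's `SSLKEYR` repository and of `runmqsc` running the two DISPLAY commands, then follow any label change with `REFRESH SECURITY TYPE(SSL)` as the thread did. Two caveats the sample data does not show: on distributed platforms a blank `QMGR CERTLABL` makes MQ look for the label `ibmwebspheremq` followed by the queue manager name in lowercase, so treat a blank value as that label when auditing; and a label that exists but whose certificate has expired passes this check, so pair it with the validity dates that `runmqakm -cert -details -label` prints for each referenced label.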