Multiple Queue Managers using same certificate
dextermbmq
Posted: Thu Jun 18, 2020 4:56 pm Post subject: Multiple Queue Managers using same certificate
Voyager
Joined: 26 Jul 2014 Posts: 77
Hi All,
I have a query around using the same certificate across different Queue Managers. I need to build an MQ Cluster with ~5-6 Queue Managers. There is a requirement to have all the MQ-specific communication encrypted, i.e. MQ <--> MQ clustered/distributed communication would be encrypted along with application <--> MQ communication.
One option is to have separate key.kdb files for each queue manager, create an individual CSR for each queue manager and set up the key.kdb file individually.
This would mean that every Queue Manager repository should have the public certificate of every other queue manager in the cluster; it also means similar efforts every time there is a renewal activity. Adding any new queue manager to the cluster would also require a similar certificate exchange activity. Similarly, the applications would need to add the certificates of all the queue managers they're communicating with to the truststore. Again, same changes during certificate renewal. Not to forget the cost.
The other option, however, is to use the same key.kdb across all the Queue Managers (get the certificates generated for a specific CN, use the certlabl attribute to map the CN of the certificate with the Queue Managers). This would save us the effort of adding certificates of all the other cluster queue managers in the certificate key repositories. Same goes for the applications. One drawback which I could think of is that the renewal activity would have to be performed for all the queue managers at the same time; however, it's a new build. Even if I request different certificates for all the queue managers, they would be requested in one request, hence they will anyway expire at the same time.
Any thoughts on whether approach 2 can be followed? I got a link for MQ Appliance which states that using the same certificate for different Queue Managers is possible (although unconventional, and I would not be working on the appliance):
https://www.ibm.com/mysupport/s/question/0D50z000062l0iZCAQ/can-a-single-personal-certificate-be-configured-for-multiple-queue-managers-on-the-mq-appliance
Regards
hughson
Posted: Thu Jun 18, 2020 7:07 pm Post subject:
Padawan
Joined: 09 May 2013 Posts: 1959 Location: Bay of Plenty, New Zealand
Neither approach that you mention is appropriate. How about this one instead?
Have separate key.kdb files for each queue manager, create an individual CSR for each queue manager and set up the key.kdb file individually. In each repository place the certificate for the queue manager and the CA certificate that signed all the other queue manager certificates - that's it.
When you add a new queue manager to the cluster you only need the CA certificate and the queue manager certificate. That's it.
At renewal time, you are only replacing the queue manager certificate in one place.
Using CA signed certificates is the recommended approach.
Cheers,
Morag
_________________
Morag Hughson @MoragHughson
IBM MQ Technical Education Specialist
Get your IBM MQ training here!
MQGem Software
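The layout Morag describes, as an added example that is not code from the thread or from IBM: a POSIX shell runbook using the runmqakm and MQSC commands to give each queue manager its own key.kdb containing only its own CA-signed certificate plus the CA certificate, so no peer queue manager certificate is ever exchanged. The /var/mqm/qmgrs/<QM>/ssl directory, the InternalCA label, the DN and the password are assumptions; MQ_DRY_RUN=1 prints the commands instead of running them.

```shell
#!/bin/sh
# Added example (not from the thread): one key repository per queue manager,
# holding only that queue manager's own certificate plus the signing CA's
# certificate. Directory, label, DN and password values are assumptions.
set -eu

# MQ's default certificate label is "ibmwebspheremq" + queue manager name in lower case.
qm_label() {
    printf 'ibmwebspheremq%s\n' "$(printf '%s' "$1" | tr 'A-Z' 'a-z')"
}

# Executes the command, or just prints it when MQ_DRY_RUN=1 is set.
run() {
    if [ "${MQ_DRY_RUN:-}" = "1" ]; then
        printf '%s\n' "$*"
    else
        "$@"
    fi
}

# Step 1: create the repository and the CSR for one queue manager.
# $1 = queue manager name, $2 = directory for the .kdb (assumed /var/mqm/qmgrs/<QM>/ssl).
# The CSR written to $2/<QM>.csr goes to the CA; nothing from another queue manager is needed.
create_qm_keystore() {
    qm=$1; dir=$2; label=$(qm_label "$qm"); pw=${KDB_PW:-changeit}   # assumed password
    run runmqakm -keydb -create -db "$dir/key.kdb" -pw "$pw" -type cms -stash
    run runmqakm -certreq -create -db "$dir/key.kdb" -pw "$pw" -label "$label" \
        -dn "CN=$qm,O=Example,C=GB" -size 2048 -sig_alg SHA256WithRSA -file "$dir/$qm.csr"
}

# Step 2: add the CA certificate (the only trust anchor) and receive the signed cert.
# $3 = CA certificate PEM, $4 = signed certificate PEM returned by the CA.
# Peer queue managers are never added: the CA certificate validates all of them.
# At renewal time, repeat only the -certreq and -cert -receive steps for that one queue manager.
complete_qm_keystore() {
    qm=$1; dir=$2; ca=$3; signed=$4; pw=${KDB_PW:-changeit}
    run runmqakm -cert -add -db "$dir/key.kdb" -pw "$pw" -label "InternalCA" -file "$ca" -format ascii
    run runmqakm -cert -receive -db "$dir/key.kdb" -pw "$pw" -file "$signed" -format ascii
    # Check: the listing should show one personal certificate (this QM's) and the CA certificate.
    run runmqakm -cert -list -db "$dir/key.kdb" -pw "$pw"
}

# MQSC to point the queue manager at its own repository and label (feed to: runmqsc <QM>).
# SSLKEYR takes the path stem without the .kdb extension.
qm_mqsc() {
    qm=$1; dir=$2
    printf "ALTER QMGR SSLKEYR('%s/key') CERTLABL('%s')\nREFRESH SECURITY TYPE(SSL)\n" "$dir" "$(qm_label "$qm")"
}
```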
exerk
Posted: Fri Jun 19, 2020 4:22 am Post subject:
Jedi Council
Joined: 02 Nov 2006 Posts: 6339
If your communication is internal only, and your security department allows it, an internal CA could be used.
_________________
It's puzzling, I don't think I've ever seen anything quite like this before...and it's hard to soar like an eagle when you're surrounded by turkeys.