Multiple Queue Managers using same certificate
MQSeries.net forum, IBM MQ Security
dextermbmq (Acolyte, joined 26 Jul 2014, 66 posts)
Posted: Thu Jun 18, 2020 4:56 pm
Hi All,

I have a query around using the same certificate across different Queue Managers. I need to build an MQ Cluster with ~5-6 Queue Managers. There is a requirement to have all the MQ-specific communication encrypted, i.e. MQ <--> MQ clustered/distributed communication would be encrypted along with application <--> MQ communication.

One option is to have separate key.kdb files for each queue manager, create an individual CSR for each queue manager and set up the key.kdb file individually.
This would mean that every Queue Manager repository should have the public certificate of every other queue manager in the cluster. It also means similar effort every time there is a renewal activity. Adding any new queue manager to the cluster would also require a similar certificate exchange activity. Similarly, the applications would need to add the certificates of all the queue managers they are communicating with to the truststore. Again, the same changes during certificate renewal. Not to forget the cost.

The other option, however, is to use the same key.kdb across all the Queue Managers (get the certificates generated for a specific CN, use the certlabl attribute to map the CN of the certificate to the Queue Managers). This would save us the effort of adding certificates of all the other cluster queue managers to the certificate key repositories. Same goes for the applications. One drawback which I could think of is that the renewal activity would have to be performed for all the queue managers at the same time; however, it's a new build. Even if I request different certificates for all the queue managers, they would be requested in one request, hence they will anyway expire at the same time.

Any thoughts on whether approach 2 can be followed? I got a link for MQ Appliance which states that using the same certificate by different Queue Managers is possible (although unconventional, and I would not be working on the appliance):

https://www.ibm.com/mysupport/s/question/0D50z000062l0iZCAQ/can-a-single-personal-certificate-be-configured-for-multiple-queue-managers-on-the-mq-appliance

Regards
hughson (Grand Master, joined 09 May 2013, 1434 posts, Bay of Plenty, New Zealand)
Posted: Thu Jun 18, 2020 7:07 pm
Neither approach that you mention is appropriate. How about this one instead:

Have separate key.kdb files for each queue manager, create an individual csr for each queue manager and setup the key.kdb file individually. In each repository place the certificate for the queue manager and the CA certificate that signed all the other queue manager certificates - that's it.

When you add a new queue manager to the cluster you only need the CA certificate and the queue manager certificate. That's it.

At renewal time, you are only replacing the queue manager certificate in one place.

Using CA signed certificates is the recommended approach.

Cheers,
Morag
_________________
Morag Hughson @MoragHughson
IBM MQ Technical Education Specialist
Get your IBM MQ training here!
MQGem Software
exerk (Jedi Council, joined 02 Nov 2006, 6168 posts)
Posted: Fri Jun 19, 2020 4:22 am

If your communication is internal only, and your security department allows it, an internal CA could be used.
_________________
It's puzzling, I don't think I've ever seen anything quite like this before...and it's hard to soar like an eagle when you're surrounded by turkeys.
