Level of check for SSLCAUTH(REQUIRED)
marc.CH
Posted: Fri May 09, 2025 12:04 am    Post subject: Level of check for SSLCAUTH(REQUIRED)
Novice
Joined: 23 Apr 2024 Posts: 10 Location: Geneva, CH

Hello,
Can we enforce extra checks when SSLCAUTH(REQUIRED) is set on a SVRCONN channel?
I understand that IBM natively checks:
- Validity against the Certification Authority (CA) root
- Certificate Revocation List (CRL) on an LDAP server
- CRL/OCSP
- The key size of the certificate is too small for the configured limit.
What if I would like to enforce a fingerprint check on the certificate presented by the client?
Thanks for your help,
Marc
fjb_saper
Posted: Fri May 09, 2025 7:28 am    Post subject: Re: Level of check for SSLCAUTH(REQUIRED)
Grand High Poobah
Joined: 18 Nov 2003 Posts: 20762 Location: LI, NY

marc.CH wrote:
    Hello,
    Can we enforce extra checks when SSLCAUTH(REQUIRED) is set on a SVRCONN channel?
    I understand that IBM natively checks:
    - Validity against the Certification Authority (CA) root
    - Certificate Revocation List (CRL) on an LDAP server
    - CRL/OCSP
    - The key size of the certificate is too small for the configured limit.
    What if I would like to enforce a fingerprint check on the certificate presented by the client?
    Thanks for your help,
    Marc
Hi Marc,
For a fingerprint check you would need a security exit. However, the SSLPEER and SSLISSUER checks are standard via CHLAUTH records for channels.
Note that the serial number can be checked in SSLPEER.
Hope it helps
_________________
MQ & Broker admin
hughson
Posted: Mon May 12, 2025 7:23 pm    Post subject: Re: Level of check for SSLCAUTH(REQUIRED)
Padawan
Joined: 09 May 2013 Posts: 1964 Location: Bay of Plenty, New Zealand

marc.CH wrote:
    What if I would like to enforce a fingerprint check on the certificate presented by the client?
Is the fingerprint check something that is part of the certificate, i.e. part of what is sent up to the queue manager, or is the fingerprint check something that is done on the client machine in order to access the certificate, i.e. the certificate is stored on a fingerprint-protected dongle or some such?
Or are you referring to something like this: How to check a certificate's thumbprint
Or something else?
Cheers,
Morag
_________________
Morag Hughson @MoragHughson
IBM MQ Technical Education Specialist
Get your IBM MQ training here!
MQGem Software
marc.CH
Posted: Tue May 13, 2025 1:56 am    Post subject: Re: Level of check for SSLCAUTH(REQUIRED)
Novice
Joined: 23 Apr 2024 Posts: 10 Location: Geneva, CH

hughson wrote:
    Or something else?
The customer (MQ client) is checking our MQ server certificate fingerprint to authenticate the server.
As we would like to automatically renew the MQ server certificate without noticing our customers, it will break the mTLS.
fjb_saper wrote:
    For a fingerprint check you would need a security exit. However, the SSLPEER and SSLISSUER checks are standard via CHLAUTH records for channels.
    Note that the serial number can be checked in SSLPEER.
Thanks, that's also my conclusion.
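The renewal problem described in this thread, as an added example that is not code from the thread, from IBM or from MQ itself: it builds a throw-away CA with openssl, issues a server certificate, reissues it for the same key pair, and checks which kind of pin the client could still satisfy afterwards. It assumes a POSIX shell and the openssl command line; the CA name, the subject qm1.example and all file names are constructed test values.

```shell
#!/bin/sh
# Added example (not from the thread or from IBM MQ): a pin on the server
# certificate's fingerprint breaks on every renewal, a pin on the server's
# public key (SPKI hash) survives a renewal that keeps the key pair.
# Everything is built in a scratch directory; names are arbitrary test values.
set -e
WORK="$(mktemp -d)"
trap 'rm -rf "$WORK"' EXIT
cd "$WORK"

# Throw-away CA and a server key pair (test material, not production values)
openssl req -x509 -newkey rsa:2048 -nodes -keyout ca.key -out ca.pem \
    -subj "/CN=Test CA" -days 30 2>/dev/null
openssl genrsa -out server.key 2048 2>/dev/null
openssl req -new -key server.key -subj "/CN=qm1.example" -out server.csr 2>/dev/null

# Certificate v1, then a "renewal": same key and subject, new serial, validity and signature
openssl x509 -req -in server.csr -CA ca.pem -CAkey ca.key -CAcreateserial \
    -days 30 -out cert_v1.pem 2>/dev/null
openssl x509 -req -in server.csr -CA ca.pem -CAkey ca.key -CAcreateserial \
    -days 60 -out cert_v2.pem 2>/dev/null

# SHA-256 over the whole DER certificate: the "thumbprint" a fingerprint pin compares
cert_fingerprint() { openssl x509 -in "$1" -noout -fingerprint -sha256 | cut -d= -f2; }
# SHA-256 over the SubjectPublicKeyInfo only: unchanged while the key pair is kept
spki_hash() {
    openssl x509 -in "$1" -noout -pubkey | openssl pkey -pubin -outform DER |
        openssl dgst -sha256 | awk '{print $NF}'
}
# Serial number: the CA issues a fresh one per certificate, so it changes on renewal too
cert_serial() { openssl x509 -in "$1" -noout -serial | cut -d= -f2; }

# pin_ok PIN CERT KIND -> exit 0 when CERT satisfies the pin, 1 otherwise
pin_ok() {
    case "$3" in
        fingerprint) [ "$(cert_fingerprint "$2")" = "$1" ] ;;
        spki)        [ "$(spki_hash "$2")" = "$1" ] ;;
        *)           return 2 ;;
    esac
}

# Pins taken from the certificate the client saw first, then tested against the renewal
PIN_FP="$(cert_fingerprint cert_v1.pem)"
PIN_SPKI="$(spki_hash cert_v1.pem)"
if pin_ok "$PIN_FP" cert_v2.pem fingerprint; then echo "fingerprint pin: still valid"
else echo "fingerprint pin: broken by renewal"; fi
if pin_ok "$PIN_SPKI" cert_v2.pem spki; then echo "SPKI pin: still valid"
else echo "SPKI pin: broken by renewal"; fi
echo "serials: $(cert_serial cert_v1.pem) -> $(cert_serial cert_v2.pem)"
```

A CHLAUTH SSLPEER match on the subject DN has the same renewal-proof property as the SPKI pin, provided the DN stays the same, while a serial-number match changes with every certificate the CA issues.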