ralu (Apprentice; Joined: 17 Nov 2004; Posts: 26; Location: Switzerland)
Posted: Thu Nov 18, 2004 4:01 am    Post subject: MQ-SSL bidirectional connection
I have 2 QManagers to connect with an SSL channel.
Bidirectional (one channel for each direction).
I would like to use SSL with mutual connection (client authentication).
Do I have to integrate Server and Client certificates on each site?
Or is it enough to import only Server certificates on both sites?
Thanks and regards
Ralu
hguapluas (Centurion; Joined: 05 Aug 2004; Posts: 105; Location: San Diego)
Posted: Thu Nov 18, 2004 8:21 am
That would be like saying that you only want to put the Private keys on each end. You need to have the public key to complete the connection. Yes, you will need a Server-Client (Private-Public) match up of keys.
Anirud (Master; Joined: 12 Feb 2004; Posts: 285; Location: Vermont)
Posted: Thu Nov 18, 2004 11:30 am
For two-way authentication, you will have to add the client's personal certificate to the key database on the server side and vice versa.
Before doing that, make sure you add the CA Root certificates to the key database (as signer certificates), if you are getting the certificate from a third party.
Also, set SSLCAUTH(REQUIRED) on the receiver side of the channel.
ralu (Apprentice; Joined: 17 Nov 2004; Posts: 26; Location: Switzerland)
Posted: Fri Nov 19, 2004 2:05 am
Ok, thanks for answering.
I'm not sure I understand it in the right way. I think I have a problem with the terminology.
In Anirud's advice he spoke of a personal certificate.
Is it right to say for mutual authentication (client authentication) and bidirectional messaging:
I must have ...
1. CA certificates on both sites
2. QManager1 personal certificate ('common name' webspheremq<qmgrs1>) on both sites
3. QManager2 personal certificate ('common name' webspheremq<qmgrs2>) on both sites
Is that right?
What I don't understand is the difference between Server and Client certification in this context (see first posting).
For getting certificates from a CA, do I have to order Server or Client certificates?
If I have to order Server and Client certificates, what is the "common name" to differentiate them from each other?
Thanks for further advice
Ralu
Anirud (Master; Joined: 12 Feb 2004; Posts: 285; Location: Vermont)
Posted: Fri Nov 19, 2004 9:11 am
From your comments
Quote: "Do i have to integrate Server and Client certificate on each site ?"
I thought your communication was between an MQ Server and an MQ Client.
Sorry if I misunderstood what you were trying to say.
I might have confused you with my post.
Could you be more specific about what you are trying to do?
I mean...
1) Are you trying to use SSL Certificates between two queue managers?
2) Are you trying to use Self Signed Certificates?
3) Your environment (UNIX or Windows etc.)
ralu (Apprentice; Joined: 17 Nov 2004; Posts: 26; Location: Switzerland)
Posted: Sat Nov 20, 2004 6:04 am
Anirud wrote:
    From your comments
    Quote: "Do i have to integrate Server and Client certificate on each site ?"
    I thought your communication was between an MQ Server and an MQ Client.
    Sorry if I misunderstood what you were trying to say.
    I might have confused you with my post.
    Could you be more specific about what you are trying to do?
    I mean...
    1) Are you trying to use SSL Certificates between two queue managers?
    2) Are you trying to use Self Signed Certificates?
    3) Your environment (UNIX or Windows etc.)
Sorry, but my English isn't very good.
1) Yes, I would like to connect 2 QManagers in both directions (2 channels).
2) No, I have to request the certificates from an external CA.
3) Systems are AIX 5.x, MQ 5.3 CSD07.
Client authentication is required for both directions (mutual authentication).
Which certificates do I have to order?
According to the MQSeries documentation I have to order a personal QManager certificate and integrate it on both sites. Also, do I have to integrate the CA certificates on both sites?
Is that right?
Thanks
Ralu
Anirud (Master; Joined: 12 Feb 2004; Posts: 285; Location: Vermont)
Posted: Mon Nov 22, 2004 8:01 am
Assuming that you have created the key database, here is what you will have to do for communication between QM1 and QM2...
1) Create a "Personal Certificate Request" on both the queue managers.
2) Send the respective files to the Certification Authority.
3) After you receive the certificate from the CA, first add the CA's root certificates to the key database of both the queue managers as "Signer Certificates".
4) Receive the certificates as "Personal Certificates" into the key database of the respective queue managers (Note: These are the certificates you received from the CA). It will ask for a label name, and this is very important as this is a UNIX environment. The label should be ibmwebspheremq<queuemanagername>.
5) Start your channels.
Refer to the MQ Security Manual for a better understanding of the concepts.
Let us know if you have any more questions.
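The procedure from Anirud's last reply (certificate request, CA root as signer, personal certificate with the ibmwebspheremq label, SSLCAUTH(REQUIRED) on the receiver) scripted for one side, as an added example that is not part of the thread. Queue manager names QM1/QM2, key database paths, the KDB_PW variable, file names, the host qm2host, the distinguished name and the cipher are all assumptions.

```shell
#!/bin/sh
# Added example, not from the thread: the key-database and channel steps from
# Anirud's reply, scripted for one side (QM1 talking to QM2) on AIX with MQ 5.3
# and GSKit 7 (gsk7cmd). Assumed: key database /var/mqm/qmgrs/<QM>/ssl/key.kdb,
# its password in $KDB_PW, CA root in ca-root.arm, CA reply in <QM>-signed.arm,
# remote host qm2host, cipher TRIPLE_DES_SHA_US. Commands are emitted rather
# than run, so each batch can be reviewed before it is piped to sh or runmqsc.

# Label rule for MQ 5.3 on UNIX: "ibmwebspheremq" + queue manager name folded
# to lower case; with any other label the channel cannot find its certificate.
mq_cert_label() {
    printf 'ibmwebspheremq%s\n' "$(printf '%s' "$1" | tr '[:upper:]' '[:lower:]')"
}

# Steps 1, 3 and 4: create the request, add the CA root as a signer, then
# receive the CA-signed personal certificate (the request goes to the CA
# between the first and second command).
gsk_steps() {
    qm=$1; kdb=/var/mqm/qmgrs/$qm/ssl/key.kdb; label=$(mq_cert_label "$qm")
    cat <<EOF
gsk7cmd -certreq -create -db $kdb -pw "\$KDB_PW" -label $label \\
    -dn "CN=$qm,O=Example,C=CH" -size 1024 -file $qm-req.arm
gsk7cmd -cert -add -db $kdb -pw "\$KDB_PW" -label "CA root" -trust enable \\
    -file ca-root.arm -format ascii
gsk7cmd -cert -receive -db $kdb -pw "\$KDB_PW" -file $qm-signed.arm -format ascii
EOF
}

# Step 5, the channel pair seen from the local side. Both ends must use the
# same SSLCIPH; SSLCAUTH(REQUIRED) on the receiver demands the remote
# certificate (mutual authentication), and SSLPEER pins the expected subject
# so that any other certificate issued by the same CA is rejected.
mqsc_channels() {
    local_qm=$1; remote_qm=$2; cipher=TRIPLE_DES_SHA_US
    cat <<EOF
ALTER QMGR SSLKEYR('/var/mqm/qmgrs/$local_qm/ssl/key')
DEFINE CHANNEL($local_qm.TO.$remote_qm) CHLTYPE(SDR) TRPTYPE(TCP) +
    CONNAME('qm2host(1414)') XMITQ($remote_qm) +
    SSLCIPH($cipher) SSLPEER('CN=$remote_qm') REPLACE
DEFINE CHANNEL($remote_qm.TO.$local_qm) CHLTYPE(RCVR) TRPTYPE(TCP) +
    SSLCIPH($cipher) SSLCAUTH(REQUIRED) SSLPEER('CN=$remote_qm') REPLACE
REFRESH SECURITY TYPE(SSL)
EOF
}

# Usage on QM1 (repeat on QM2 with the names swapped):
#   gsk_steps QM1 | sh
#   mqsc_channels QM1 QM2 | runmqsc QM1
```

The same two functions run on QM2 with the arguments swapped, so that each key database holds its own personal certificate plus the CA root, and each receiver insists on the peer's certificate.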