SSL and RACF - Are PKI Services required? HTTP Server?

kubotaPete (Newbie, joined 08 Dec 2004, 4 posts)
Posted: Mon Dec 12, 2005 7:11 am    Post subject: SSL and RACF - Are PKI Services required? HTTP Server?
I've read a lot of material on setting up SSL in MQ, including several of Morag Hughson's documents, and it seems that creating, exporting and connecting certificates, creating the keyring, etc. is straightforward. At least the commands seem simple. I also saw that some work may need to be performed on the CHINIT's userid, which also does not seem to be too complicated.

I am being told by our systems group that SSL on z/OS is handled by PKI Services, and requires installation and configuration of the z/OS HTTP server, the RACF LDAP server, some RACF changes, OMVS changes, TCP/IP customization, WLM customization and OCEP customization. None of these are installed or customized for SSL in our shop.

We do have MQSeries running on z/OS and connecting to AIX and Windows, and have been for several years. This is the first time I have heard of these extra requirements.

Is all of this needed? What is the minimum requirement, in terms of additional z/OS components and customization, for a z/OS MQSeries server to require and validate incoming SSL identity/certificates, and to provide its own certificate to any partner MQSeries (Wintel or AIX) servers?

If real-time use of CRLs is required, what additional components, at minimum, are required on z/OS? In both cases, the CA is on Windows.

Thanks in advance.

interactivechannel (Voyager, joined 20 May 2003, 94 posts, location: uk)
Posted: Wed Dec 14, 2005 1:59 pm

I haven't been aware of all the extra services you list being needed. Perhaps you could review the documentation you have with the people who disagree.

For a basic SSL service using a Windows CA, you need system SSL on z/OS and to do the documented config including requesting a personal certificate.

If you're considering using the Windows certificate services to host the CRL, forget it as it isn't compatible with MQ.

kubotaPete (Newbie, joined 08 Dec 2004, 4 posts)
Posted: Fri Dec 16, 2005 8:11 am

Thank you. Perhaps that is why the z/OS systems programmer is talking about the z/OS PKI Services, because that will handle CRLs?

I have looked at the RACF System Administrator Guide, and saw only a couple of references to PKI services in the chapter on SSL and certificates. It looks like PKI Services is optional, and is meant to be a web-based application for managing certificates. The only other mentions of PKI Services in that manual are in a chapter describing the callable services (for programmatic access to RACF functions, especially dealing with certificates). While it mentioned PKI Services, it did not state that PKI Services was the only user of these routines, or that PKI Services is required for any kind of RACF management of digital certificates.

When I looked at the PKI Services manual (I have not read all of it), it looks like it is an optional service or facility to manage certificates - for managing large numbers of certificates, and/or for using a z/OS-based certificate authority - neither of which describes my requirements for holding only a few certificates for MQ channel SSL configuration.

However, I have yet to find a clear and definitive statement in either of these manuals that says RACF management of digital certificates can be done without PKI Services.

Can someone from IBM chime in here?

Also, I'd like to go forward without real-time CRL verification. I hope my company security policy will not require it (instead rely on the certificate's own expiration date). If I must use CRLs, based on your statement above, MQ cannot contact a CRL server in real time for verification. I imagine that an MQ channel exit or security exit could be used for this, but it would have to handle an independent communication to the server, which sounds complicated.

interactivechannel (Voyager, joined 20 May 2003, 94 posts, location: uk)
Posted: Fri Dec 16, 2005 9:21 am

My understanding is PKI services for z/OS - there's a redbook on it - are not required for MQ to use SSL on the channels. The easiest way to find out if you have what you need is to get the Sysprog to try some of the RACDCERT commands.

If company policy requires CRL checking, the security team should host the service. MQ can check CRL servers, but there is an issue with the address to get to Windows Certificate Services. Sorry I can't remember the exact details.
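As an added illustration of what "get the Sysprog to try some of the RACDCERT commands" amounts to for the minimal case discussed in this thread (a few channel certificates, a Windows CA, no PKI Services), here is the sequence of RACF and MQSC commands a queue manager administrator would typically use. This is an added example and not part of any post in the thread. The userid MQCHIN, the ring name MQRING, the queue manager name QMGR, the data set names, the channel names, the host name and the partner DN filter are all assumed placeholders; the certificate label follows the ibmWebSphereMQ<queue-manager-name> convention, and the CipherSpec must be one that both ends actually support.

```tso
/* --- RACF side (TSO), run by the security administrator ---------------- */
/* 1. Key ring owned by the channel initiator userid (assumed: MQCHIN)      */
RACDCERT ID(MQCHIN) ADDRING(MQRING)

/* 2. Import the Windows CA certificate (exported from the CA in DER/B64    */
/*    and uploaded to the assumed data set) and mark it trusted             */
RACDCERT CERTAUTH ADD('MQCHIN.WINCA.CERT') WITHLABEL('Windows Root CA') TRUST

/* 3. Create the queue manager's key pair and a self-signed placeholder,    */
/*    then cut a certificate request for the Windows CA to sign             */
RACDCERT ID(MQCHIN) GENCERT SUBJECTSDN(CN('QMGR') O('Example Org') C('GB')) -
   WITHLABEL('ibmWebSphereMQQMGR') SIZE(1024) NOTAFTER(DATE(2007-12-31))
RACDCERT ID(MQCHIN) GENREQ(LABEL('ibmWebSphereMQQMGR')) DSN('MQCHIN.QMGR.CSR')

/* 4. After the Windows CA returns the signed certificate (uploaded to the  */
/*    assumed data set), replace the placeholder under the same label       */
RACDCERT ID(MQCHIN) ADD('MQCHIN.QMGR.CERT') WITHLABEL('ibmWebSphereMQQMGR') TRUST

/* 5. Connect CA and personal certificates to the ring; DEFAULT marks the   */
/*    certificate the channel initiator presents to partners                */
RACDCERT ID(MQCHIN) CONNECT(CERTAUTH LABEL('Windows Root CA') -
   RING(MQRING) USAGE(CERTAUTH))
RACDCERT ID(MQCHIN) CONNECT(ID(MQCHIN) LABEL('ibmWebSphereMQQMGR') -
   RING(MQRING) DEFAULT USAGE(PERSONAL))

/* 6. Let the CHINIT userid read its own ring and certificates (least       */
/*    privilege: READ on the ring it owns, nothing ring-wide via UPDATE)    */
PERMIT IRR.DIGTCERT.LISTRING CLASS(FACILITY) ID(MQCHIN) ACCESS(READ)
PERMIT IRR.DIGTCERT.LIST     CLASS(FACILITY) ID(MQCHIN) ACCESS(READ)
SETROPTS RACLIST(FACILITY) REFRESH
SETROPTS RACLIST(DIGTCERT DIGTRING) REFRESH

/* 7. Verify: both certificates should appear, the personal one as DEFAULT  */
RACDCERT ID(MQCHIN) LISTRING(MQRING)

/* --- MQ side (MQSC), run against the queue manager --------------------- */
/* Point the queue manager at the ring and start SSL server subtasks        */
ALTER QMGR SSLKEYR(MQRING) SSLTASKS(5)

/* Outbound to the Windows partner: encrypt and pin the partner's DN        */
DEFINE CHANNEL(QMGR.TO.WINQM) CHLTYPE(SDR) TRPTYPE(TCP) -
   CONNAME('winhost.example.local(1414)') XMITQ(WINQM.XMITQ) -
   SSLCIPH(TLS_RSA_WITH_AES_128_CBC_SHA) SSLPEER('O=Example Org')

/* Inbound from the Windows partner: require and validate a client cert     */
DEFINE CHANNEL(WINQM.TO.QMGR) CHLTYPE(RCVR) TRPTYPE(TCP) -
   SSLCIPH(TLS_RSA_WITH_AES_128_CBC_SHA) SSLCAUTH(REQUIRED) -
   SSLPEER('O=Example Org')

/* Optional, only if policy mandates real-time revocation checks: MQ        */
/* consults CRLs published on an LDAP server (assumed host), not the        */
/* Windows Certificate Services HTTP endpoint the thread warns about        */
DEFINE AUTHINFO(CRL.LDAP) AUTHTYPE(CRLLDAP) CONNAME('ldaphost.example.local(389)')
DEFINE NAMELIST(CRL.NL) NAMES(CRL.LDAP)
ALTER QMGR SSLCRLNL(CRL.NL)
```

Nothing in the sequence touches the z/OS HTTP server, the RACF LDAP server, WLM, or PKI Services; the only z/OS prerequisites it relies on are RACF, System SSL, and the queue manager's channel initiator. SSLCAUTH(REQUIRED) plus an SSLPEER filter on the receiver is what turns "encrypt the channel" into "only this partner may connect", which is the control the original question is really after.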