SSL Question, Client without certificate
ovasquez
Posted: Thu Dec 14, 2006 5:02 pm

Centurion

Joined: 09 Dec 2005
Posts: 141
Location: Lima, Peru

In WMQ, can I have a WMQ client connection to a WMQ server over SSL without a client certificate? I'd like to have a certificate only on the WMQ server and none on the client; is that possible? Or is it necessary to have a client certificate on the client and a server certificate on the server (two certificates)? For example, with a website (HTTP) you can have a certificate on the server only; on the client it isn't necessary.

And for a WMQ server to WMQ server connection over SSL, is it the same?

Thanks!
_________________
Oscar Vásquez Flores
jefflowrey
Posted: Thu Dec 14, 2006 6:49 pm

Grand Poobah

Joined: 16 Oct 2002
Posts: 19981

In HTTP, you do need a certificate on the client.

You need the certificate of the Signing Authority, in order to verify that the server is who it says it is.

In theory, you could probably do this with an MQ client as well - I don't know how, though.

But in practice, why would you? Why would the server side allow you to connect without verifying that you are who you say you are?
_________________
I am *not* the model of the modern major general.
Tibor
Posted: Thu Dec 14, 2006 10:12 pm

Grand Master

Joined: 20 May 2001
Posts: 1033
Location: Hungary

jefflowrey wrote:
But in practice, why would you? Why would the server side allow you to connect without verifying that you are who you say you are?

In this case the network traffic is encrypted, but anyone can connect to this queue manager who knows the necessary information (host, port, channel, qmgr name).

ovasquez:
I have tried this connection, but have not used it in production.

Tibor
jefflowrey
Posted: Fri Dec 15, 2006 4:34 am

Grand Poobah

Joined: 16 Oct 2002
Posts: 19981

Tibor wrote:
In this case the network traffic is encrypted, but anyone can connect to this queue manager who knows the necessary information (host, port, channel, qmgr name).

Again, why?

I can't imagine anyone opening up their queue manager to the entire Internet in this manner.

So what value does it bring to the security of an enterprise to have an open queue manager - but at least no one can snoop the network traffic. They can CONNECT all they want, and presumably do anything they want. But they can't see the network traffic from someone else.
_________________
I am *not* the model of the modern major general.
Tibor
Posted: Fri Dec 15, 2006 4:56 am

Grand Master

Joined: 20 May 2001
Posts: 1033
Location: Hungary

jefflowrey wrote:
Again, why?

I've already seen a security regulation for encrypted intranet traffic - for all TCP communication. Otherwise, a lot of resources work in this manner, e.g. SSH, Oracle, and so on.

Tibor
ovasquez
Posted: Fri Dec 15, 2006 6:16 am

Centurion

Joined: 09 Dec 2005
Posts: 141
Location: Lima, Peru

Correct, I'd like protection at the transport layer (confidentiality, integrity, authentication {for server only}), but I don't want to have a client digital certificate on each client, because I have a lot of clients (about 3,000).

Thanks for the suggestions. How do I do this?
_________________
Oscar Vásquez Flores
jefflowrey
Posted: Fri Dec 15, 2006 6:30 am

Grand Poobah

Joined: 16 Oct 2002
Posts: 19981

If you can't trust your employees not to snoop your network, you can't trust them not to abuse your queue manager in other ways.

That said, start by looking in the Security manual in the sections on SSL.
_________________
I am *not* the model of the modern major general.
fjb_saper
Posted: Fri Dec 15, 2006 3:49 pm

Grand High Poobah

Joined: 18 Nov 2003
Posts: 20756
Location: LI,NY

ovasquez wrote:
Correct, I'd like protection at the transport layer (confidentiality, integrity, authentication {for server only}), but I don't want to have a client digital certificate on each client, because I have a lot of clients (about 3,000).

Thanks for the suggestions. How do I do this?

Depending on the concentration of clients and the location you might want to look at MQIPT support pack...
_________________
MQ & Broker admin
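
A sketch of the server-authenticated-only channel asked about in this thread, added here as an example and not posted by any participant. The channel name, MCAUSER id, SSLPEER value and CipherSpec are placeholders (assumptions); SSLCIPH, SSLCAUTH, SSLPEER and MCAUSER are standard channel attributes.

```mqsc
* Added example (not from the thread). 'APP.TLS.SVRCONN', 'mqapp',
* the SSLPEER filter and the CipherSpec are placeholders: substitute
* values valid for your queue manager and MQ level.

* One-way TLS: the queue manager presents its certificate and the
* traffic is encrypted, but no certificate is demanded from the client.
* Because the client is then unauthenticated at the TLS layer (the
* "anyone can connect" case raised above), MCAUSER pins every
* connection on this channel to one low-privilege id so that a
* client-asserted user id is never used for authorization.
DEFINE CHANNEL('APP.TLS.SVRCONN') CHLTYPE(SVRCONN) TRPTYPE(TCP) +
       SSLCIPH(TLS_RSA_WITH_AES_128_CBC_SHA256) +
       SSLCAUTH(OPTIONAL) +
       MCAUSER('mqapp') +
       REPLACE

* For comparison, mutual authentication: the client must present a
* certificate, and SSLPEER filters on its Distinguished Name.
* This is the variant that needs a certificate on every client.
ALTER CHANNEL('APP.TLS.SVRCONN') CHLTYPE(SVRCONN) +
      SSLCAUTH(REQUIRED) +
      SSLPEER('O=Example Org')

* Check which mode the channel is currently in.
DISPLAY CHANNEL('APP.TLS.SVRCONN') SSLCIPH SSLCAUTH SSLPEER MCAUSER
```

With SSLCAUTH(OPTIONAL) the client still needs a key repository holding the certificate of the authority that signed the queue manager's certificate, and the same CipherSpec on its client-connection channel. Grant the MCAUSER id only the queue authorities the applications need, since the channel itself no longer identifies who is connecting.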