thindk00 (Voyager; Joined: 16 May 2001; Posts: 75; Location: UK)
Posted: Wed Jun 27, 2007 12:53 pm
Post subject: Restrictions using self signed SSL certs through firewall
Hi,
We're on V6 and V5.3 WMQ installation bases on a number of platforms, predominantly Windows, HP, Sun, AIX and OS/400. We're planning on using SSL on Server Requester channel pairs when connecting between two servers as well as Server Connection channels when connecting clients to a server. The certificates will be self generated.
Are there any known issues/restrictions when using SSL certificates in these two modes when the client (using server connection channel) or server (using server/requester channel) connect to the central server through a firewall? Is there any special configuration we need to put in place?
TIA,
Kulbir.
marcin.kasinski (Sentinel; Joined: 21 Dec 2004; Posts: 850; Location: Poland / Warsaw)
Posted: Wed Jun 27, 2007 1:00 pm
Post subject: Re: Restrictions using self signed SSL certs through firewall
I would say there are no technical restrictions, but...
In my opinion the better way is to use a self-signed cert for the DEV environment.
I wouldn't trust a self-signed cert on PRD.
It is better to have a private cert signed by a proper CA.
_________________
Marcin
thindk00 (Voyager; Joined: 16 May 2001; Posts: 75; Location: UK)
Posted: Wed Jun 27, 2007 1:06 pm
Post subject: Why not self signed?
Judging by my question I'm sure you've worked out I'm no security expert.
Could you please explain why self-signed may not be a good idea when working with external parties? Is it because they are easier to hack?
marcin.kasinski (Sentinel; Joined: 21 Dec 2004; Posts: 850; Location: Poland / Warsaw)
Posted: Wed Jun 27, 2007 11:04 pm
Post subject: Re: Why not self signed?
thindk00 wrote:
> Judging by my question I'm sure you've worked out I'm no security expert.
> Could you please explain why self-signed may not be a good idea when working with external parties? Is it because they are easier to hack?

Hm,
I don't know if it is a good example:
1.
Let's imagine you have 20 servers communicating with each other.
In my opinion it is better to have in your trust store only one CA public key rather than the public key of every server.
2.
What will you have to do if your cert pair is about to expire?
Having a standard PKI infrastructure with a CA, you will have to renew only the cert pair on the host machine.
Having a self-signed cert, you will have to renew the cert pair on the host machine and install the new public key on all remote hosts.
_________________
Marcin
thindk00 (Voyager; Joined: 16 May 2001; Posts: 75; Location: UK)
Posted: Wed Jun 27, 2007 11:16 pm
Post subject: Further clarification please
Thanks for the responses.
Our WMQ architecture is hub and spoke, and we would generate the self-certified SSL certificates for the hub and distribute them to the external parties. So updates to certificates are controlled by us, rather than all the external parties' certificates needing to be in our store.
Number 2 is a valid point, thanks. We're looking to use long expiry times for these certificates, and as we're in control we would look to coordinate updates (install the new certificate in the hub, roll it out to all external parties (or other SSL client users), and then remove the old certificate once we know all are on the latest certificate). We would allow a few months for this distribution to take place and don't expect to have a large volume of users using SSL. I'm interested to know how third-party products make the management simpler; is there something you could point me to?
Thanks a lot.
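The two points Marcin makes (one CA entry in the trust store instead of one entry per server, and renewals that do not touch remote hosts) and the hub-side rollover thindk00 describes (install the new certificate, let both old and new be trusted during the rollout, then remove the old one) can be checked with a throwaway PKI. The script below is an added example, not code from the thread or from WebSphere MQ: WMQ v6 keeps its certificates in a CMS key database (key.kdb) managed with runmqckm/gsk7cmd, whereas this example uses the OpenSSL command line on a Unix shell, because the trust-store mechanics are the same. The CA name DemoCA, the host names under example.invalid, the config sections and the working directory are all constructed for the demonstration.

```sh
#!/bin/sh
# Added example (not from the thread): a throwaway PKI built with the OpenSSL CLI.
# It shows that a trust store holding only the CA certificate validates every
# CA-issued server certificate, that a self-signed peer must be trusted one by
# one, that renewing a CA-issued certificate needs no change on remote hosts
# while renewing a self-signed one does, and how trusting old and new hub
# certificates side by side bridges a rollover.
# Constructed names: DemoCA, *.example.invalid, files under $WORK.
set -eu
WORK="${WORK:-${TMPDIR:-/tmp}/pki-demo.$$}"
KEYBITS=2048

# Minimal OpenSSL config (constructed) so the result does not depend on the
# system openssl.cnf: a CA profile, a TLS leaf profile, and a self-signed
# profile that must act as its own trust anchor.
write_config() {
  cat > "$WORK/demo.cnf" <<'EOF'
[ req ]
distinguished_name = dn
prompt = no
[ dn ]
CN = placeholder
[ ca_ext ]
basicConstraints = critical,CA:TRUE
keyUsage = critical,keyCertSign,cRLSign
subjectKeyIdentifier = hash
[ leaf_ext ]
basicConstraints = CA:FALSE
keyUsage = critical,digitalSignature,keyEncipherment
extendedKeyUsage = serverAuth,clientAuth
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid
[ self_ext ]
basicConstraints = critical,CA:TRUE
keyUsage = critical,digitalSignature,keyEncipherment,keyCertSign
extendedKeyUsage = serverAuth,clientAuth
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid:always
EOF
}

# Issue a fresh key pair and CA-signed certificate for server $1 (e.g. "srv1").
# Calling it again for the same name is a renewal: new key, new cert, same CA.
issue_server() {
  openssl req -config "$WORK/demo.cnf" -newkey "rsa:$KEYBITS" -nodes \
    -keyout "$WORK/$1.key" -out "$WORK/$1.csr" \
    -subj "/CN=$1.example.invalid" >/dev/null 2>&1
  openssl x509 -req -in "$WORK/$1.csr" -CA "$WORK/ca.crt" -CAkey "$WORK/ca.key" \
    -CAcreateserial -days 365 -extfile "$WORK/demo.cnf" -extensions leaf_ext \
    -out "$WORK/$1.crt" >/dev/null 2>&1
}

# Make a self-signed hub certificate stored as $1 (fresh key each time, as a renewal would).
issue_self_signed() {
  openssl req -x509 -config "$WORK/demo.cnf" -extensions self_ext \
    -newkey "rsa:$KEYBITS" -nodes -keyout "$WORK/$1.key" -out "$WORK/$1.crt" \
    -days 365 -subj "/CN=hub.example.invalid" >/dev/null 2>&1
}

# Build the CA, $1 CA-issued servers and one self-signed hub cert in a clean $WORK.
build_pki() {
  mkdir -p "$WORK"
  rm -f "$WORK"/*.key "$WORK"/*.csr "$WORK"/*.crt "$WORK"/*.srl
  write_config
  openssl req -x509 -config "$WORK/demo.cnf" -extensions ca_ext \
    -newkey "rsa:$KEYBITS" -nodes -keyout "$WORK/ca.key" -out "$WORK/ca.crt" \
    -days 3650 -subj "/CN=DemoCA" >/dev/null 2>&1
  i=1
  while [ "$i" -le "$1" ]; do issue_server "srv$i"; i=$((i + 1)); done
  issue_self_signed hub-v1
}

# Verify certificate $2 against trust store $1 (a PEM file, possibly a bundle).
# Returns 0 only when OpenSSL prints "<file>: OK".
verify_cert() {
  openssl verify -CAfile "$1" "$2" 2>/dev/null | grep -qxF "$2: OK"
}

# Print one check in a readable form.
report() {
  if verify_cert "$1" "$2"; then echo "OK       $(basename "$2") against $(basename "$1")"
  else echo "REJECTED $(basename "$2") against $(basename "$1")"; fi
}

# Stand-alone run with three servers (the thread's twenty would only take longer).
build_pki 3
report "$WORK/ca.crt" "$WORK/srv1.crt"              # OK: one CA entry covers every server
report "$WORK/ca.crt" "$WORK/srv3.crt"              # OK
report "$WORK/ca.crt" "$WORK/hub-v1.crt"            # REJECTED: self-signed, not issued by the CA
report "$WORK/hub-v1.crt" "$WORK/hub-v1.crt"        # OK: only because that exact cert is trusted
issue_server srv1                                    # renew srv1: new key and certificate
report "$WORK/ca.crt" "$WORK/srv1.crt"              # OK: remote trust stores untouched
issue_self_signed hub-v2                             # renew the self-signed hub certificate
report "$WORK/hub-v1.crt" "$WORK/hub-v2.crt"        # REJECTED: every peer needs the new cert
cat "$WORK/hub-v1.crt" "$WORK/hub-v2.crt" > "$WORK/hub-rollover.crt"
report "$WORK/hub-rollover.crt" "$WORK/hub-v1.crt"  # OK: old and new trusted side by side
report "$WORK/hub-rollover.crt" "$WORK/hub-v2.crt"  # OK: drop hub-v1 once all peers have v2
```

The files are left under $WORK (default /tmp/pki-demo.<pid>) so the certificates can be inspected with `openssl x509 -noout -text`. The self-signed profile carries an authorityKeyIdentifier so that two hub certificates with the same subject name are told apart by key, which is what makes the side-by-side rollover bundle behave deterministically.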