SSL with selfsigned certs on Clustered environments |
jhidalgo |
Posted: Fri Jan 16, 2009 10:17 am Post subject: SSL with selfsigned certs on Clustered environments |
|
|
 Disciple
Joined: 26 Mar 2008 Posts: 161
|
Hi all,
Thinking about using SSL channels (with self-signed certs because I don't need to pay for my internal boxes to talk) on a clustered environment, the problem I see is that I should add the signer certificates between ALL the servers in the cluster (or at least the ones I know will talk directly).
From that perspective it doesn't seem to be a good idea, so I would like to ask this forum about the feasibility of that, what experiences you had, etc.
Thanks.
|
mqjeff |
Posted: Fri Jan 16, 2009 10:20 am Post subject: |
|
|
Grand Master
Joined: 25 Jun 2008 Posts: 17447
|
You can just as easily create your own internal private CA signer, as use self-signed certs. |
|
fjb_saper |
Posted: Fri Jan 16, 2009 2:22 pm Post subject: |
|
|
 Grand High Poobah
Joined: 18 Nov 2003 Posts: 20756 Location: LI,NY
|
mqjeff wrote: |
You can just as easily create your own internal private CA signer, as use self-signed certs. |
Don't forget to add the CA signer certificate to your truststore.
You can then handle the CA signed certificates as if they had been issued by VeriSign or any public certification authority...
Have fun
_________________
MQ & Broker admin
|
jhidalgo |
Posted: Mon Jan 19, 2009 11:18 am Post subject: |
|
|
 Disciple
Joined: 26 Mar 2008 Posts: 161
|
So... nobody using SSL + self-signed certs + clustering?
|
PeterPotkay |
Posted: Mon Jan 19, 2009 11:26 am Post subject: |
|
|
 Poobah
Joined: 15 May 2001 Posts: 7722
|
If you use self-signed certs in a cluster with 20 QMs, each QM needs its own cert plus the other 19. If QM #21 comes in, you have to go to all the other 20 QMs and add QM21's cert in. This is an administrative burden, especially when the certs come up for renewal.
Contrast that with using a Certificate Authority. It doesn't have to be an external one that costs you money. You can be your own internal CA if you are only dealing with SSL between QMs inside your domain. If you use a CA, internal or external, the only certs you need on each QM are its own and the CA cert. If QM21 comes in, you don't need to touch the other 20 QMs. Just make sure QM21 has its own cert and the CA cert and it is good to go.
_________________
Peter Potkay
Keep Calm and MQ On |
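
The contrast described in the post above, as an added example that is not part of the original thread: it uses the openssl command line instead of MQ's own key management tools, and compares what a signer store accepts when it holds one internal CA certificate versus one peer's self-signed certificate. The names InternalCA, QM1, QM21, QM1_SELF and QM21_SELF and the file layout are constructed for illustration.

```shell
#!/bin/sh
# Added example: self-signed vs. internal-CA trust between queue managers.
# InternalCA, QM1, QM21 and the *_SELF names are constructed for illustration.
set -eu

# Minimal OpenSSL config in directory $1, so nothing depends on the system one.
write_cnf() {
    cat > "$1/pki.cnf" <<'EOF'
[req]
distinguished_name = dn
x509_extensions = v3_self
prompt = no
[dn]
CN = placeholder
[v3_self]
basicConstraints = critical,CA:TRUE
EOF
}

# Self-signed certificate with CN $2 in directory $1 (also used for the CA).
make_selfsigned() {
    openssl req -x509 -config "$1/pki.cnf" -newkey rsa:2048 -nodes -sha256 \
        -days 365 -subj "/O=Example Internal/CN=$2" \
        -keyout "$1/$2.key" -out "$1/$2.crt" 2>/dev/null
}

# Certificate for queue manager $2, signed by CA $3 with serial number $4.
issue_from_ca() {
    openssl req -new -config "$1/pki.cnf" -newkey rsa:2048 -nodes -sha256 \
        -subj "/O=Example Internal/CN=$2" \
        -keyout "$1/$2.key" -out "$1/$2.csr" 2>/dev/null
    openssl x509 -req -sha256 -days 365 -in "$1/$2.csr" -set_serial "$4" \
        -CA "$1/$3.crt" -CAkey "$1/$3.key" -out "$1/$2.crt" 2>/dev/null
}

# Succeeds only if certificate $2 validates against the signer file $1.
trusted_by() {
    openssl verify -CAfile "$1" "$2" 2>/dev/null | grep -q ': OK$'
}

demo() {
    d=$(mktemp -d); write_cnf "$d"
    make_selfsigned "$d" InternalCA; issue_from_ca "$d" QM1 InternalCA 1
    issue_from_ca "$d" QM21 InternalCA 21   # joins later, peers untouched
    make_selfsigned "$d" QM1_SELF; make_selfsigned "$d" QM21_SELF
    trusted_by "$d/InternalCA.crt" "$d/QM21.crt" && echo "CA-only store accepts QM21"
    trusted_by "$d/QM1_SELF.crt" "$d/QM21_SELF.crt" || echo "store with only QM1_SELF rejects QM21_SELF"
    rm -rf "$d"
}
demo
```

With the CA approach, InternalCA.key is the one secret that must be guarded, since whoever holds it can issue a certificate every queue manager will accept.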
|