| |
|
RSS Feed - WebSphere MQ Support
|
RSS Feed - Message Broker Support
|
  |
|
| Is SSL enabled ... or is it not? |
« View previous topic :: View next topic » |
| Author |
Message
|
| mqnomad |
 Posted: Tue May 04, 2010 2:14 pm Post subject: Is SSL enabled ... or is it not? |
 |
|
Acolyte
Joined: 18 Mar 2010
Posts: 53
|
Looked thru a large customer's object definitions (these were provided by the WMQ team, I do not have an ID).
My understanding is that if a RCVR or SVRCONN channel has SSLCAUTH coded as REQUIRED, then it has to be authenticating via SSL.
So I requested the output of the SAVEQMGR listing, as well as the output of "dis chstatus(*) all".
-The customer claim that they had to back out SSL because their certs expired and they were getting errors.
- the SSLCAUTH for some of the RCVR and SVRCONN's show REQUIRED
- the DIS CHSTATUS(*) ALL did not show any SSL feedback on any of the SSL fields.
qm.ini does have a directory to the certs - looks like out of the box.
What's up ... is there a way to have the SSLCAUTH(REQUIRED) on the channels and to have SSL disabled ... I have looked at the QMGR settings and qm.ini but do not see away to 'enable' or 'disable' SSL
Any comments welcome - the channels are running. |
|
| Back to top |
|
 |
| fjb_saper |
| Posted: Tue May 04, 2010 2:29 pm Post subject: Re: Is SSL enabled ... or is it not? |
|
|
Grand High Poobah
Joined: 18 Nov 2003
Posts: 20756
Location: LI,NY
|
| mqnomad wrote: |
Looked thru a large customer's object definitions (these were provided by the WMQ team, I do not have an ID).
My understanding is that if a RCVR or SVRCONN channel has SSLCAUTH coded as REQUIRED, then it has to be authenticating via SSL. |
Not quite. It needs to also have a cipherspec.
| mqnomad wrote: |
So I requested the output of the SAVEQMGR listing, as well as the output of "dis chstatus(*) all".
-The customer claim that they had to back out SSL because their certs expired and they were getting errors.
- the SSLCAUTH for some of the RCVR and SVRCONN's show REQUIRED
- the DIS CHSTATUS(*) ALL did not show any SSL feedback on any of the SSL fields.
qm.ini does have a directory to the certs - looks like out of the box.
What's up ... is there a way to have the SSLCAUTH(REQUIRED) on the channels and to have SSL disabled ... I have looked at the QMGR settings and qm.ini but do not see away to 'enable' or 'disable' SSL
Any comments welcome - the channels are running. |
There is no enabling/disabling SSL at qmgr level.
If the qmgr has the keyring defined correctly you can run SSL channels.
For the channels to mandate SSL you should have:
SSLCipherSpec and SSLPeerName(optional) set.
As for the required attribute, read up and experiment.
Remember to verify the cipherspec. A null cipher is not exactly SSL.
Hope this helps. 
_________________
MQ & Broker admin |
|
| Back to top |
|
|
| mqnomad |
| Posted: Tue May 04, 2010 2:50 pm Post subject: |
|
|
Acolyte
Joined: 18 Mar 2010
Posts: 53
|
Thank you fjb. I have not set up SSL, am hoping to get some time to do it in one of the boxes in the lab, but needed to figure out what the customer had done.
Main concern was, how come the channels were running with the REQUIRED parm.
I went back and checked for SSLCIPH in all the server side on the channel definitions- and it was all blank. So if I now understand correctly:
- just because SSLCAUTH is REQUIRED, if SSLCIPH is blank, the channel startup won't fail -
so when they 'disabled' SSL, they probably did it by making SSLCIPH blank ... (?) |
|
| Back to top |
|
|
| fjb_saper |
| Posted: Wed May 05, 2010 7:02 am Post subject: |
|
|
Grand High Poobah
Joined: 18 Nov 2003
Posts: 20756
Location: LI,NY
|
| mqnomad wrote: |
Thank you fjb. I have not set up SSL, am hoping to get some time to do it in one of the boxes in the lab, but needed to figure out what the customer had done.
Main concern was, how come the channels were running with the REQUIRED parm.
I went back and checked for SSLCIPH in all the server side on the channel definitions- and it was all blank. So if I now understand correctly:
- just because SSLCAUTH is REQUIRED, if SSLCIPH is blank, the channel startup won't fail -
so when they 'disabled' SSL, they probably did it by making SSLCIPH blank ... (?) |
Yes if SSLCIPH is blank the channel will not use SSL.
_________________
MQ & Broker admin |
|
| Back to top |
|
|
| bruce2359 |
| Posted: Wed May 05, 2010 8:43 am Post subject: |
|
|
Poobah
Joined: 05 Jan 2008
Posts: 9469
Location: US: west coast, almost. Otherwise, enroute.
|
| Quote: |
| so when they 'disabled' SSL, they probably did it by making SSLCIPH blank |
Hmmm, a subtle and obsecure method of disabling SSL. SSL(NO) on the channel def would be easier to spot.
_________________
I like deadlines. I like to wave as they pass by.
ב''ה
Lex Orandi, Lex Credendi, Lex Vivendi. As we Worship, So we Believe, So we Live. |
|
| Back to top |
|
|
|
|
|
| |
|
Page 1 of 1 |
|
You cannot post new topics in this forum
You cannot reply to topics in this forum
You cannot edit your posts in this forum
You cannot delete your posts in this forum
You cannot vote in polls in this forum
|
|
|
|
