SSL + OAM setup with MQ
chris boehnke
Posted: Tue Jun 07, 2011 4:33 pm    Post subject: SSL + OAM setup with MQ

Hi,
We are using MQ v7.0.1.4 on Linux and MQExplorer v7.0.1.4 on the desktop (Windows 7).

We want to use MQExplorer (from the desktop) to manage MQ running on remote machines (Linux). For this, I came up with the approach below:

There are 2 user groups created: mqadmin (administrators are added to this group) and mqdev (developers are added here). The mqadmin group is provided with full permissions and mqdev with view/read access with setmqaut.

SVRCONN channels:
ADMIN.SVRCONN - for administrator (full permissions) - MCAUSER filled with admin id which is part of mqadmin group.
DEVELOPER.SVRCONN - for developer (view/ read access) - MCAUSER filled with devl id which is part of mqdev group.


We are using self signed certificates between Qmgr machine and MQExplorer machine.

Created a self signed cert on QMgr machine and added it to MQExplorer keydb and vice versa.

Question:
The developer is able to do all the admin activities by using the same SSL keystore (authentication) if he uses the admin channel (ADMIN.SVRCONN) when connecting to MQ from his Explorer.

How to restrict/separate the Admin and developer roles with SSL & OAM?

Thanks.
PeterPotkay
Posted: Tue Jun 07, 2011 5:51 pm


Every MQExplorer user should have their own unique SSL Certificate.

Then research the SSLPEER attribute of a SVRCONN channel, and set it differently and appropriately for the Admin channel versus the Developer channel.
_________________
Peter Potkay
Keep Calm and MQ On
fjb_saper
Posted: Tue Jun 07, 2011 8:11 pm


Remember using SSLPeer you can define multiple OU entries and thus cater for your groups in a hierarchical fashion.

Also remember, when using the command tool from the gskit, not to use "O=xxx, OU=yyy" but "O=xxx,OU=yyy,OU=yy2,OU=yy3", i.e. no space between the comma and the next DN identifier.

Last but not least there are some rules with multiple OU entries
  • From Windows to Unix or Unix to Windows
    List SSLPEER values in reverse order from appearance on certificate

  • From Unix to Unix
    List SSLPEER values in the order they appear on the certificate

  • From Windows to Linux and Linux to Windows
    Don't know, need to test, might depend on whether both machines have the same endianness


  • On the qmgr end of the channel
    Enter the SSLPeer attributes of the client's certificate

  • On the client end of the channel
    Enter the SSLPeer attributes of the qmgr's certificate


Remember to use ibmwebspheremqusername for the client certificate label;
usually we set the user name into the CN identifier as well.

Have fun
_________________
MQ & Broker admin
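An added MQSC example of what the two answers above describe (it is not code from the thread, from IBM, or from either poster). The channel names and the MCAUSER idea come from the question; the DN scheme (CN=<user>,OU=<group>,O=EXAMPLE), the user IDs mqadm1 and mqdev1, and the cipher spec are assumptions, and the cipher spec in particular should be chosen for the MQ level in use.

```mqsc
* Assumed naming: every Explorer user has a personal certificate with
* CN=<userid>,OU=<group>,O=EXAMPLE, where OU is mqadmin or mqdev, mirroring
* the OAM groups granted with setmqaut. Channel names are from the question.

* Before: both channels only require *some* trusted certificate, so a
* developer who points Explorer at ADMIN.SVRCONN runs as the admin MCAUSER.
DEFINE CHANNEL(ADMIN.SVRCONN) CHLTYPE(SVRCONN) TRPTYPE(TCP) +
       SSLCIPH(TLS_RSA_WITH_AES_128_CBC_SHA) SSLCAUTH(REQUIRED) +
       MCAUSER('mqadm1') REPLACE
DEFINE CHANNEL(DEVELOPER.SVRCONN) CHLTYPE(SVRCONN) TRPTYPE(TCP) +
       SSLCIPH(TLS_RSA_WITH_AES_128_CBC_SHA) SSLCAUTH(REQUIRED) +
       MCAUSER('mqdev1') REPLACE

* After: SSLPEER ties each channel to the DN pattern of the group allowed to
* use it. Only the attributes listed in SSLPEER are checked, so CN (the
* individual user) stays free while OU must match. No space after the commas.
ALTER CHANNEL(ADMIN.SVRCONN) CHLTYPE(SVRCONN) +
      SSLPEER('OU=mqadmin,O=EXAMPLE')
ALTER CHANNEL(DEVELOPER.SVRCONN) CHLTYPE(SVRCONN) +
      SSLPEER('OU=mqdev,O=EXAMPLE')

* Result: a certificate CN=bob,OU=mqdev,O=EXAMPLE presented on ADMIN.SVRCONN
* fails the SSLPEER check and the channel does not start; on DEVELOPER.SVRCONN
* it connects and runs as mqdev1, which the OAM limits to view/read access.
* SSLCAUTH(REQUIRED) keeps a client without any certificate out of both.

* Confirm the definitions; the SSLPEER change applies to new channel instances.
DISPLAY CHANNEL(ADMIN.SVRCONN) SSLPEER MCAUSER SSLCAUTH
DISPLAY CHANNEL(DEVELOPER.SVRCONN) SSLPEER MCAUSER SSLCAUTH
```

If a group needs several OU values in the DN, keep the ordering rules from the post above in mind when writing the SSLPEER string.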