MQSeries.net Forum Index » IBM MQ Security » security on Server connection channel
withKappa
PostPosted: Sun Jan 01, 2012 4:10 am    Post subject: security on Server connection channel

Novice

Joined: 01 Jan 2012
Posts: 11

Hi all,

I have 2 clients (clientA and clientB) that use different queues.

I defined 2 server connection channels (SvrA and SvrB) with 2 different MCAUSERs (userA and userB). UserA is authorized on clientA's queues and userB is authorized on clientB's queues.
All works fine but I have a question:

If clientA uses the Server Connection Channel of clientB (SvrB), it can access clientB's queues. Is it possible to avoid this?


Thx
Mark
exerk
PostPosted: Sun Jan 01, 2012 4:23 am    Post subject:

Jedi Council

Joined: 02 Nov 2006
Posts: 6339

Yes, with SSL; SSL restricts who can connect, and an MCAUSER restricts what that connection can do. Exits can also be used to limit even more, e.g. BlockIP2 can restrict which IP addresses can originate a connection, but if you move to V7.1 then that same functionality is built in with channel authentication records.
_________________
It's puzzling, I don't think I've ever seen anything quite like this before...and it's hard to soar like an eagle when you're surrounded by turkeys.
withKappa
PostPosted: Sun Jan 01, 2012 4:32 am    Post subject:

Novice

Joined: 01 Jan 2012
Posts: 11

exerk wrote:
Yes, with SSL; SSL restricts who can connect, and an MCAUSER restricts what that connection can do. Exits can also be used to limit even more, e.g. BlockIP2 can restrict which IP Addresses can originate connection, but if you move to V7.1 then that same functionality is built in with channel authentication records.


OK, thx a lot.
Can you suggest some documentation about SSL on MQ?
exerk
PostPosted: Sun Jan 01, 2012 4:39 am    Post subject:

Jedi Council

Joined: 02 Nov 2006
Posts: 6339

Hit the SupportPac site and look at MH03 (V6.0) and MO04 (V7.0), and MQ01 may also be of use to you depending on your set up. The Info Centre applicable to your version will also be of use.
_________________
It's puzzling, I don't think I've ever seen anything quite like this before...and it's hard to soar like an eagle when you're surrounded by turkeys.
fjb_saper
PostPosted: Sun Jan 01, 2012 6:53 am    Post subject:

Grand High Poobah

Joined: 18 Nov 2003
Posts: 20696
Location: LI,NY

exerk wrote:
Hit the SupportPac site and look at MH03 (V6.0) and MO04 (V7.0), and MQ01 may also be of use to you depending on your set up. The Info Centre applicable to your version will also be of use.


Looks like if you want to get to MQ01 you will have to open a PMR. The redirects are not accessible at this point. I get permission denied for the .pdf and the .zip files...
_________________
MQ & Broker admin
withKappa
PostPosted: Sun Jan 01, 2012 8:47 am    Post subject:

Novice

Joined: 01 Jan 2012
Posts: 11

Hi all,

I read a lot of documentation about SSL.
I created a key repository and I added a self-signed personal certificate (we will use a CA, but for now a self-signed one is accepted).
I configured MQ to use my new key repository.

On the server connection channel attributes I can't specify my self-signed personal certificate... I can only specify the CipherSpec. I selected NULL_MD5 because we don't care about encryption.
Now, how can I specify which clients (and only those) can use a server connection channel?

Thx
Mark
exerk
PostPosted: Sun Jan 01, 2012 9:17 am    Post subject:

Jedi Council

Joined: 02 Nov 2006
Posts: 6339

You'll need client key stores (read very carefully about the Common Name (CN) requirements for a client), and a Client Channel Definition Table (CCDT) file. Depending on your client language, e.g. C or DotNet, you can specify that in a number of ways; that information is contained within the Info Centre appropriate to your version.

EDIT: Java, I always forget Java - that may have to be done within the app using the appropriate System.setProperty stanzas (or whatever they're called in Java).
_________________
It's puzzling, I don't think I've ever seen anything quite like this before...and it's hard to soar like an eagle when you're surrounded by turkeys.
withKappa
PostPosted: Sun Jan 01, 2012 12:10 pm    Post subject:

Novice

Joined: 01 Jan 2012
Posts: 11

exerk wrote:
You'll need client key stores (read very carefully about the Common Name (CN) requirements for a client), and a Client Channel Definition Table (CCDT) file. Depending on your client language, e.g. C, or DotNet, you can specify that in a number of ways - which information is contained within the Info Centre appropriate to version.

EDIT: Java, I always forget Java - that may have to be done within the app using the appropriate System.setProperty stanzas (or whatever they're called in Java).


Thx a lot,

we use Java, only Java. Platform is Windows.

What do you mean by "client key store"?
I just created a key repository. I read that the key repository must be the same for the 2 sides (server and clients).
I specified the location of the client's key repository by setting the environment variable MQSSLKEYR:
set MQSSLKEYR=C:\Program Files\IBM\WebSphere MQ\Qmgrs\QM1\ssl\key
The location of the queue manager's key repository is the default... so it's the same as the client's key repository:
C:\Program Files\IBM\WebSphere MQ\Qmgrs\QM1\ssl\key.

Is it right? Did I make any mistakes?

I created 2 self-signed certificates:
1) One for qm called ibmwebspheremqqm1
2) One for client called ibmwebspheremquser_test

The Client Channel Definition Table (CCDT) is located to
C:\Program Files\IBM\WebSphere MQ\qmgrs\QM1\@ipcc
and the file is:
AMQCLCHL.TAB (the default)

Do I need other things? I will not develop the Java client, but I have to know if I have to do something else on the server side.

Thx,
Mark
mqjeff
PostPosted: Sun Jan 01, 2012 1:34 pm    Post subject:

Grand Master

Joined: 25 Jun 2008
Posts: 17447

You can use the SSLPEER value to specify a fully qualified or partial Distinguished Name pattern to determine whether a given certificate is allowed to connect to a specific SVRCONN or not.

The only way to identify which key in a given keystore is presented by an application is using the *label* of the certificate, not the distinguished name. This is the label you have generated like ibmwebspheremquser_test.
PeterPotkay
PostPosted: Sun Jan 01, 2012 1:35 pm    Post subject:

Poobah

Joined: 15 May 2001
Posts: 7716

withKappa wrote:

Now, how can I specify which (only) clients can use a server connection channel?


Research the SSLPEER attribute. It will allow only specific SSL certs per channel, even if all your certs across multiple channels are signed by the same Certificate Authority. This assumes you set up the certs the right way so that you can filter them.
_________________
Peter Potkay
Keep Calm and MQ On
exerk
PostPosted: Sun Jan 01, 2012 2:14 pm    Post subject:

Jedi Council

Joined: 02 Nov 2006
Posts: 6339

withKappa wrote:
what do you mean by "client key store"?

The key store containing the 'personal' certificate of the client.

withKappa wrote:
I just created a key repository. I read that key repository must be the same for the 2 sides (server and clients).

It is not, and should not be, the same. The queue manager should have its own key store, and clients should have their own key stores. The CA signer certificates of each of the client and queue manager certificates should be in the key store/trust store.

withKappa wrote:
Is it right? Did I make any mistakes?

None at all, but bear in mind that it's a test set up. Also, take very good note of the advice my most esteemed colleagues have given.
_________________
It's puzzling, I don't think I've ever seen anything quite like this before...and it's hard to soar like an eagle when you're surrounded by turkeys.
zpat
PostPosted: Mon Jan 02, 2012 12:27 am    Post subject:

Jedi Council

Joined: 19 May 2001
Posts: 5849
Location: UK

Is the keystore a JKS?
withKappa
PostPosted: Mon Jan 02, 2012 12:57 am    Post subject:

Novice

Joined: 01 Jan 2012
Posts: 11

zpat wrote:
Is the keystore a JKS?


Yes
withKappa
PostPosted: Mon Jan 02, 2012 1:03 am    Post subject:

Novice

Joined: 01 Jan 2012
Posts: 11

PeterPotkay wrote:
withKappa wrote:

Now, how can I specify which (only) clients can use a server connection channel?


Research the SSLPEER attribute. It will allow only specific SSL certs per channel, even if all your certs across multiple channels are signed by the same Certificate Authority. This assumes you set up the certs the right way so that you can filter them.


OK, thanks very much.
I set up SSLPEER to:

CN=myTest,OU=unitTest,O=orgTest,C=countrTest

So, only the certificates with these attributes are accepted.
The locality (L) is not specified, so certificates with:

CN=myTest,OU=unitTest,O=orgTest,C=countrTest, L=locTest1
CN=myTest,OU=unitTest,O=orgTest,C=countrTest, L=locTest2

will be accepted. Is it right?
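A simplified model of the SSLPEER matching that PeterPotkay points to and that the post above tries out, added here as an example (not code from the thread or from IBM MQ): every attribute named in the filter must match the certificate DN, and attributes the filter does not name, such as L, are not checked, so both DNs quoted in the post are accepted. The model's wildcard, attribute-order and case-handling rules are assumptions and are stated in the code comments.

```python
# Simplified model of IBM MQ SSLPEER filter matching against a certificate
# Distinguished Name (DN). Added example, not IBM's code. Model assumptions:
#  - every attribute in the filter must appear in the DN with a matching value;
#    DN attributes absent from the filter (the L= in the thread) are not checked
#  - a trailing '*' in a filter value matches any value with that prefix
#  - attribute order is ignored and values compare case-insensitively
from typing import List, Tuple


def parse_dn(dn: str) -> List[Tuple[str, str]]:
    """Split 'CN=a, OU=b' into [('CN', 'a'), ('OU', 'b')], tolerating spaces."""
    pairs = []
    for part in dn.split(","):
        part = part.strip()
        if not part:
            continue
        if "=" not in part:
            raise ValueError(f"malformed DN component: {part!r}")
        name, value = part.split("=", 1)
        pairs.append((name.strip().upper(), value.strip()))
    return pairs


def _value_matches(pattern: str, value: str) -> bool:
    # Exact match, or prefix match when the filter value ends in '*'
    pattern, value = pattern.lower(), value.lower()
    if pattern.endswith("*"):
        return value.startswith(pattern[:-1])
    return value == pattern


def sslpeer_matches(sslpeer: str, cert_dn: str) -> bool:
    """True if the certificate DN satisfies every attribute in the filter."""
    cert = parse_dn(cert_dn)
    for name, pattern in parse_dn(sslpeer):
        if not any(n == name and _value_matches(pattern, v) for n, v in cert):
            return False
    return True


if __name__ == "__main__":
    # Constructed sample DNs, based on the values quoted in the thread
    FILTER = "CN=myTest,OU=unitTest,O=orgTest,C=countrTest"
    CERTS = [
        "CN=myTest,OU=unitTest,O=orgTest,C=countrTest, L=locTest1",  # extra L: accepted
        "CN=myTest,OU=unitTest,O=orgTest,C=countrTest, L=locTest2",  # extra L: accepted
        "CN=other,OU=unitTest,O=orgTest,C=countrTest",               # CN differs: rejected
        "CN=myTest,O=orgTest,C=countrTest",                          # OU missing: rejected
    ]
    for dn in CERTS:
        print("ACCEPT" if sslpeer_matches(FILTER, dn) else "REJECT", dn)
```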
withKappa
PostPosted: Mon Jan 02, 2012 1:06 am    Post subject:

Novice

Joined: 01 Jan 2012
Posts: 11

exerk wrote:
It is not, and should not be, the same. The queue manager should have its own key store, and clients should have their own key stores. The CA signer certificates of each of the client and queue manager certificates should be in the key store/trust store.



OK, I created 2 repositories:
- One for the queue manager.
- One for the clients.

thx a lot

Mark