Author |
Message
|
zbyszanna |
Posted: Fri Feb 03, 2012 6:36 am Post subject: Choosing certificate |
|
|
Novice
Joined: 03 Feb 2012 Posts: 23
|
Hello,
is there any way to change the default MQ Client behavior with regard to choosing a certificate from a repository?
We have this problem: many users from a certain group have access to the application, so in a standard situation there would be a need to create a distinct certificate for each and every one of them (named ibmwebspheremqxxx).
Is there any way to change this behavior and, for example, tie all these users to just a single certificate? Is there any way to configure this programmatically?
And I really mean ANY
We use channel definition table files and MQ v7 on AIX 6.
Regards
Zbigniew Malec |
|
mqjeff |
Posted: Fri Feb 03, 2012 6:47 am Post subject: |
|
|
Grand Master
Joined: 25 Jun 2008 Posts: 17447
|
Do you do this same thing with certificates used for ssh? Or do you make sure that you can rely on the certificate to uniquely identify the actual end user?
If you want to present a fixed service ID to the MQ layer, you need to take steps to ensure that all users end up running the application as that fixed service ID, rather than as themselves. But then you have no way of knowing that Dave performed Action A and Bob performed Action B.
Think about what your *real* needs are. Then take steps to ensure that your infrastructure is mature enough to meet those needs without placing an undue burden on the staff. That's the point of IT in the first place! |
|
PeterPotkay |
Posted: Fri Feb 03, 2012 9:08 am Post subject: |
|
|
 Poobah
Joined: 15 May 2001 Posts: 7722
|
|
zbyszanna |
Posted: Fri Feb 03, 2012 10:56 am Post subject: |
|
|
Novice
Joined: 03 Feb 2012 Posts: 23
|
PeterPotkay wrote: |
http://www-01.ibm.com/support/docview.wss?uid=swg21245474
Read and heed the Warning, but here is an option. |
Thank you for your help. This looks exactly like what we need. We understand the danger and are not very pleased by this solution, but we have to work in the given environment and cannot change it that much. |
|
mqjeff |
Posted: Fri Feb 03, 2012 11:07 am Post subject: |
|
|
Grand Master
Joined: 25 Jun 2008 Posts: 17447
|
zbyszanna wrote: |
PeterPotkay wrote: |
http://www-01.ibm.com/support/docview.wss?uid=swg21245474
Read and heed the Warning, but here is an option. |
Thank you for your help. This looks exactly like what we need. We understand the danger and are not very pleased by this solution, but we have to work in the given environment and cannot change it that much. |
Changing it to SSLCAUTH(OPTIONAL) solves the problem. And does so in a smarter way than using a default certificate. |
|
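An added example, not part of any post in this thread: a small Python check that reads `DISPLAY CHANNEL` output from runmqsc and reports, for each SVRCONN channel, whether a client certificate is required, optional (the SSLCAUTH(OPTIONAL) setting suggested above), or not in play because no CipherSpec is set. The sample output, channel names and user ID are constructed for the example.

```python
import re

# Constructed sample, laid out like runmqsc output for
#   DISPLAY CHANNEL(*) CHLTYPE SSLCIPH SSLCAUTH MCAUSER
# Channel names, the user ID and the cipher choice are made up.
SAMPLE = """\
AMQ8414: Display Channel details.
   CHANNEL(APP.A.SVRCONN)                  CHLTYPE(SVRCONN)
   MCAUSER( )                              SSLCAUTH(REQUIRED)
   SSLCIPH(TLS_RSA_WITH_AES_128_CBC_SHA)
AMQ8414: Display Channel details.
   CHANNEL(APP.B.SVRCONN)                  CHLTYPE(SVRCONN)
   MCAUSER( )                              SSLCAUTH(OPTIONAL)
   SSLCIPH(TLS_RSA_WITH_AES_128_CBC_SHA)
AMQ8414: Display Channel details.
   CHANNEL(APP.C.SVRCONN)                  CHLTYPE(SVRCONN)
   MCAUSER(appsvc)                         SSLCAUTH(REQUIRED)
   SSLCIPH( )
"""

# One NAME(value) pair; runmqsc prints two such pairs per line.
ATTR = re.compile(r"([A-Z]+)\(([^)]*)\)")

def parse_channels(text):
    """Split DISPLAY CHANNEL output into one attribute dict per channel."""
    channels, current = [], None
    for line in text.splitlines():
        if line.startswith("AMQ8414"):      # header that starts each record
            current = {}
            channels.append(current)
        elif current is not None:
            for key, value in ATTR.findall(line):
                current[key] = value.strip()  # "( )" means blank
    return channels

def client_cert_status(ch):
    """Classify how the channel treats client certificates."""
    if not ch.get("SSLCIPH"):
        return "no-tls"          # SSLCAUTH is ignored when SSLCIPH is blank
    if ch.get("SSLCAUTH") == "OPTIONAL":
        return "cert-optional"   # a client may connect without a certificate
    return "cert-required"

def audit(text):
    """Map each SVRCONN channel name to its client-certificate status."""
    return {ch["CHANNEL"]: client_cert_status(ch)
            for ch in parse_channels(text) if ch.get("CHLTYPE") == "SVRCONN"}

if __name__ == "__main__":
    for name, status in audit(SAMPLE).items():
        print(f"{name:20} {status}")
```

Channels reported as `cert-optional` or `no-tls` do not identify the connecting user by certificate, so they are the ones to review for how the user ID is established.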