MQSeries.net Forum Index » WebSphere DataPower » Self Signed Cert and your browser

PeterPotkay
PostPosted: Mon Jul 01, 2013 7:20 am    Post subject: Self Signed Cert and your browser

Poobah

Joined: 15 May 2001
Posts: 7717

I have a self signed cert configured on the Web Management Service on two Datapower appliances in our lab. The certificate is for encrypting the traffic, not uniquely identifying any one appliance so they both use the same self signed certificate.

When I use Internet Explorer 8 or Firefox 5 to hit this interface they both complain about the unknown certificate and this is expected. You can get past the warning in both but I would like to set it up the right way in my browsers. Using Firefox I grabbed a copy of the public side of the certificate. Tools...Page Info...Security...View Certificate...Details...Export. I saved it to my local drive letting the file type default to X.509 Certificate (PEM). The file is saved without an extension though. The file name is somevalue.ourdomain.com and that's it.

Internet Explorer
I figured I could just import this file into Tools...Internet Options...Content...Certificates...Trusted Root Certificates. But that's not enough. I also have to go to Tools...Internet Options...Advanced... and turn off "Warn about certificate address mismatch". Only when I did both do I not get the warning when I first hit the Web Management Service. Why is that? Why is not just adding the certificate to my browser's cert store enough?

Firefox
No combination of what I do manually under Tools...Options...Advanced...Encryption...View Certificates solves the Firefox warning. I added the certificate into the Authorities tab and I added it to the Servers tab (server = *), but it doesn't work. If from the warning page I go to I Understand the Risks...Add Exception...Confirm Security Exception (Permanently store this exception) that does work. That process adds the cert into the Authorities tab, it adds the specific appliance to the Servers tab (server name = the actual appliance name) but apparently it does something else. What?
_________________
Peter Potkay
Keep Calm and MQ On
fjb_saper
PostPosted: Tue Jul 02, 2013 4:26 am

Grand High Poobah

Joined: 18 Nov 2003
Posts: 20695
Location: LI,NY

Hi Peter,

There is a little twist when you use certificates over https.
One of them is that the CN is supposed to match the URL https://something
where the something is the URL the cert is for.

So using the same self signed cert for 2 different URLs will give you grief at least on one of them. For MQ we use the qmgr name in the CN.

The only way this would work without the warning would be if the cert was for a type of load balanced URL and be set up at each of the endpoints. i.e. regardless of which endpoint you hit the URL will match the CN of the cert.

Have fun
_________________
MQ & Broker admin
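The CN-versus-URL rule fjb_saper describes, as an added example (not code from the thread or from DataPower): a stdlib-only Python check that compares a certificate's names with the host name in the address bar, the way a browser does, using the dict layout that ssl.getpeercert() returns. The two certificates are constructed samples and the example.com host names are assumptions.

```python
def _match_dns(pattern: str, hostname: str) -> bool:
    """Browser-style name match: case-insensitive, and '*' is only honoured as
    the whole left-most label of a name that has at least two more labels."""
    p_labels = pattern.lower().rstrip(".").split(".")
    h_labels = hostname.lower().rstrip(".").split(".")
    if len(p_labels) != len(h_labels):
        return False
    if p_labels[0] == "*":
        return len(p_labels) >= 3 and p_labels[1:] == h_labels[1:]
    return p_labels == h_labels


def cert_names(cert: dict) -> list:
    """Names a browser compares against the address bar: the DNS entries of the
    subjectAltName extension, falling back to the subject CN only if there are none."""
    names = [value for kind, value in cert.get("subjectAltName", ()) if kind == "DNS"]
    if not names:
        names = [value for rdn in cert.get("subject", ())
                 for key, value in rdn if key == "commonName"]
    return names


def hostname_matches(cert: dict, hostname: str) -> bool:
    """True if the certificate is valid for the host typed into the browser."""
    return any(_match_dns(name, hostname) for name in cert_names(cert))


# Constructed sample: one self-signed cert shared by two lab appliances, issued
# with an abstract CN rather than either appliance's host name (as in the thread).
SHARED_LAB_CERT = {
    "subject": ((("commonName", "dp-lab-webgui"),),),
    "issuer": ((("commonName", "dp-lab-webgui"),),),
}

# Constructed sample of the working layout fjb_saper describes: the CN is a
# load-balanced alias in front of both appliances, and each appliance's own
# host name is added as a SAN so that hitting one box directly also matches.
LB_CERT = {
    "subject": ((("commonName", "dp-lab.example.com"),),),
    "subjectAltName": (("DNS", "dp-lab.example.com"),
                       ("DNS", "dp1.example.com"), ("DNS", "dp2.example.com")),
}

if __name__ == "__main__":
    for host in ("dp1.example.com", "dp2.example.com", "dp-lab.example.com"):
        print(host, "shared cert ok:", hostname_matches(SHARED_LAB_CERT, host),
              "lb cert ok:", hostname_matches(LB_CERT, host))
```

The shared lab certificate fails for both appliance names, which is exactly the "address mismatch" the browsers report; the same check passes for every name on the load-balanced certificate.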
PeterPotkay
PostPosted: Mon Jul 08, 2013 5:02 am

Poobah

Joined: 15 May 2001
Posts: 7717

Thanks fjb_saper, that makes sense now. The CN for this certificate is an abstract one that doesn't match the actual URL used to access these Lab appliances, and so the browser is warning me there is a mismatch between the CN of the cert and the URL in the browser address bar.
_________________
Peter Potkay
Keep Calm and MQ On
Copyright © MQSeries.net. All rights reserved.