wskibum |
Posted: Mon Mar 10, 2014 5:54 pm Post subject: Single certificate for all QMGRs |
|
|
 Apprentice
Joined: 03 Jul 2008 Posts: 38 Location: Northern California
|
Is it practical or even possible to use a single certificate for all my qmgrs?
Is there any documentation on the process?
Currently I am running 7.0.3 on Linux
Thanks |
|
fjb_saper |
Posted: Mon Mar 10, 2014 10:00 pm Post subject: Re: Single certificate for all QMGRs |
|
|
 Grand High Poobah
Joined: 18 Nov 2003 Posts: 20756 Location: LI,NY
|
wskibum wrote: |
Is it practical or even possible to use a single certificate for all my qmgrs?
Is there any documentation on the process?
Currently I am running 7.0.3 on Linux
Thanks |
Each qmgr should have its own certificate  _________________ MQ & Broker admin |
|
exerk |
Posted: Mon Mar 10, 2014 10:46 pm Post subject: Re: Single certificate for all QMGRs |
|
|
 Jedi Council
Joined: 02 Nov 2006 Posts: 6339
|
wskibum wrote: |
Is it practical or even possible to use a single certificate for all my qmgrs? |
Crack one queue manager and they're all cracked... _________________ It's puzzling, I don't think I've ever seen anything quite like this before...and it's hard to soar like an eagle when you're surrounded by turkeys. |
|
JosephGramig |
Posted: Tue Mar 11, 2014 4:42 am Post subject: |
|
|
 Grand Master
Joined: 09 Feb 2006 Posts: 1244 Location: Gold Coast of Florida, USA
|
How would you uniquely identify each Qmgr by its certificate?
You cannot just trust who it says it is even with a valid certificate. |
|
PeterPotkay |
Posted: Tue Mar 11, 2014 5:17 am Post subject: |
|
|
 Poobah
Joined: 15 May 2001 Posts: 7722
|
Potential use case:
You have 4 queue managers that together all provide the same functionality, and back each other up.
All you want to know is you are talking with one of these four, so you want one certificate to represent all 4.
Yes, you can/should have a unique cert for each, and then make sure you can deal with all 4. But I can see how it might be easier and might be "secure 'nuff'" to just know you are dealing with one of the 4.
Change the '4' to '400' and the benefit becomes clearer.
Is copying the same certificate around all over the place a good idea? Probably not...
If the bad guy gets a hold of it and tags his bad QM with that SSL cert, the 401st QM is now in the mix and you have no SSL way to keep #401 out while still allowing 1 thru 400. _________________ Peter Potkay
Keep Calm and MQ On |
|
exerk |
Posted: Tue Mar 11, 2014 5:21 am Post subject: |
|
|
 Jedi Council
Joined: 02 Nov 2006 Posts: 6339
|
PeterPotkay wrote: |
Potential use case:
You have 4 queue managers that together all provide the same functionality, and back each other up.
All you want to know is you are talking with one of these four, so you want one certificate to represent all 4.
Yes, you can/should have a unique cert for each, and then make sure you can deal with all 4. But I can see how it might be easier and might be "secure 'nuff'" to just know you are dealing with one of the 4.
Change the '4' to '400' and the benefit becomes clearer.
Is copying the same certificate around all over the place a good idea? Probably not...
If the bad guy gets a hold of it and tags his bad QM with that SSL cert, the 401st QM is now in the mix and you have no SSL way to keep #401 out while still allowing 1 thru 400. |
And when that one certificate gets revoked... _________________ It's puzzling, I don't think I've ever seen anything quite like this before...and it's hard to soar like an eagle when you're surrounded by turkeys. |
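As an added example (not code from any poster in this thread or from IBM MQ), here is one way to audit for the certificate reuse discussed above: fingerprint the certificate exported from each queue manager's key repository, report which queue managers share one, and show how many a single compromise or revocation would take out. The inventory, queue manager names and PEM bodies are constructed placeholders, and exporting each certificate to PEM is assumed to have been done beforehand.

```python
import base64
import hashlib
import ssl
from collections import defaultdict


def constructed_pem(seed: bytes) -> str:
    """Build a PEM-shaped placeholder (constructed bytes, not a real certificate)."""
    body = base64.encodebytes(seed * 8).decode()
    return "-----BEGIN CERTIFICATE-----\n" + body + "-----END CERTIFICATE-----\n"


# Constructed inventory: queue manager name -> certificate exported as PEM.
SHARED = constructed_pem(b"shared-cluster-cert ")
SAMPLE_INVENTORY = {
    "QM1": SHARED,
    "QM2": SHARED,
    "QM3": SHARED,
    "QM4": constructed_pem(b"unique-qm4-cert "),
}


def fingerprint(pem: str) -> str:
    """SHA-256 over the DER encoding, so PEM whitespace differences do not matter."""
    return hashlib.sha256(ssl.PEM_cert_to_DER_cert(pem)).hexdigest()


def shared_certificates(inventory: dict) -> dict:
    """Map fingerprint -> queue managers, for certificates used more than once."""
    by_fp = defaultdict(list)
    for qmgr, pem in inventory.items():
        by_fp[fingerprint(pem)].append(qmgr)
    return {fp: sorted(names) for fp, names in by_fp.items() if len(names) > 1}


def revocation_impact(inventory: dict, qmgr: str) -> list:
    """Queue managers whose certificate stops validating if qmgr's is revoked."""
    target = fingerprint(inventory[qmgr])
    return sorted(q for q, pem in inventory.items() if fingerprint(pem) == target)


if __name__ == "__main__":
    for fp, names in shared_certificates(SAMPLE_INVENTORY).items():
        print(f"{fp[:16]}... shared by {', '.join(names)}")
    for qmgr in SAMPLE_INVENTORY:
        print(qmgr, "revocation affects", revocation_impact(SAMPLE_INVENTORY, qmgr))
```
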
|