Configure WMB outbound SOAP request over TLS without trust
woody weaver
Posted: Tue Jan 06, 2015 1:37 pm Post subject: Configure WMB outbound SOAP request over TLS without trust
Newbie
Joined: 06 Jan 2015 Posts: 2

We are trying to configure WMB for an outbound SOAP request over TLS, but want to disable any security checking on the server certificate. The problem is that while the presented cert is mostly ok, we are talking to a system that is outside our network, and the cert's SAN refers to things we can't verify, we can't pull the entire trust chain, can't check a CRL, etc...
There are lots of docs on how to configure WMB correctly, how can I do it so it doesn't do the checking?

fjb_saper
Posted: Wed Jan 07, 2015 6:28 am Post subject: Re: Configure WMB outbound SOAP request over TLS without tru
Grand High Poobah
Joined: 18 Nov 2003 Posts: 20756 Location: LI,NY

woody weaver wrote:
We are trying to configure WMB for an outbound SOAP request over TLS, but want to disable any security checking on the server certificate. The problem is that while the presented cert is mostly ok, we are talking to a system that is outside our network, and the cert's SAN refers to things we can't verify, we can't pull the entire trust chain, can't check a CRL, etc...
There are lots of docs on how to configure WMB correctly, how can I do it so it doesn't do the checking?

The question should rather be: How do I set up my environment so that it passes the checking...
As with all http type servers the target certificate will identify its address in the CN (mandatory). You now will need to make sure you invoke this address in the request call...
You may need to play with /etc/hosts for ip name resolution... Good luck!
Have fun
_________________
MQ & Broker admin
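
The reply above advises calling the server by the name its certificate carries. As an added example (not part of either poster's message, and not WMB code), the Python below applies the RFC 2818 comparison rule, which uses the dNSName entries in the SAN when any are present and the subject CN only otherwise, to pick a hostname that passes the check and to build the matching /etc/hosts line. The certificate dictionaries mimic the shape of `ssl.SSLSocket.getpeercert()` output; all hostnames and the IP address are constructed sample values, and only DNS names (not IP SAN entries) are handled.

```python
# Added example: which hostname must the request use so that the client's
# hostname check passes? Input dicts mimic ssl.SSLSocket.getpeercert().

def cert_names(cert):
    """Names a verifier compares against: SAN dNSName entries, or the
    subject CN only when the certificate has no dNSName entry at all."""
    san = [v for k, v in cert.get("subjectAltName", ()) if k == "DNS"]
    if san:
        return san
    return [v for rdn in cert.get("subject", ()) for k, v in rdn if k == "commonName"]

def name_matches(pattern, host):
    """Case-insensitive match; '*' is accepted only as the whole left-most label."""
    p = pattern.lower().rstrip(".").split(".")
    h = host.lower().rstrip(".").split(".")
    if len(p) != len(h):
        return False
    if p[0] == "*":
        # Refuse over-broad wildcards such as "*.com".
        return len(p) > 2 and p[1:] == h[1:]
    return p == h

def usable_hostnames(cert, candidates):
    """Candidate hostnames that the certificate actually covers."""
    names = cert_names(cert)
    return [c for c in candidates if any(name_matches(n, c) for n in names)]

def hosts_entry(ip, cert, candidates):
    """/etc/hosts line mapping the server IP to a covered name, or None
    when no candidate matches (hostname verification would fail)."""
    ok = usable_hostnames(cert, candidates)
    return f"{ip}\t{ok[0]}" if ok else None

# Constructed sample data (not taken from the thread).
SAN_CERT = {
    "subject": ((("commonName", "legacy.partner.example"),),),
    "subjectAltName": (("DNS", "soap.partner.example"),
                       ("DNS", "*.api.partner.example")),
}
CN_ONLY_CERT = {"subject": ((("commonName", "soap.partner.example"),),)}

if __name__ == "__main__":
    tried = ["legacy.partner.example", "soap.partner.example",
             "v1.api.partner.example"]
    print(usable_hostnames(SAN_CERT, tried))
    print(hosts_entry("192.0.2.10", SAN_CERT, tried))
```

In the first sample the CN `legacy.partner.example` is not a usable name because the certificate carries SAN dNSName entries, which is why a request addressed to the CN can still fail the check.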

woody weaver
Posted: Wed Jan 07, 2015 7:37 am Post subject: Re: Configure WMB outbound SOAP request over TLS without tru
Newbie
Joined: 06 Jan 2015 Posts: 2

Thanks for the response, saper.
fjb_saper wrote:
The question should rather be: How do I set up my environment so that it passes the checking...

Yes, I get that. This whole thing is chewing gum and duct tape -- and I'd love to start at the top and do it right. And in a month or so, I can try to go back to the client and say "hey, your enterprise PKI is all screwed up -- you aren't compliant with mandatory standards, and you've built it as if it were a private PKI but you need to interface with external entities, and ..."
But that would be too distracting now. I just need to get something working.
One guy I'm talking to says "no, you either get full TLS or nothing." That doesn't seem to be correct, since two breaths later he admits we can turn off host entity checking. I don't want host entity checking, I don't want CRL checking, I don't want signature validation, I don't want any cert validation... I want the equivalent of 'wget --no-check-certificate'.
Not possible?