| Author |
Message
|
| BBM |
 Posted: Tue Mar 03, 2015 5:23 pm Post subject: .NET MQ client SSL repository |
 |
|
Master
Joined: 10 Nov 2005
Posts: 217
Location: London, UK
|
Hi,
We are SSL enabling our existing 7.0.1.x .NET MQ clients for a new implementation to connect to a v7.5 queue manager
I have researched the MQEnvironment.SSLKeyrepository property and have found conflicting information about what is required.
Depending on what version of the infocenter you look at IBM mandates that you use with the windows certificate store to hold the keys or a separate KDB file created with GSkit. From what I've read it's not clear what the preferred option is. I'd like to pin down the best practice option as we are going to be deploying to thousands of workstations.
We are also slightly non-standard in that we do not require mutual authentication, we are only importing the CA signer cert to the client keystore as we do not require a personal cert for the client. Presumably we don't have to worry about certificate labels as the only cert in the keystore will be a signer cert.
Thanks,
BBM |
|
| Back to top |
|
 |
| fjb_saper |
| Posted: Wed Mar 04, 2015 5:47 am Post subject: |
|
|
Grand High Poobah
Joined: 18 Nov 2003
Posts: 20756
Location: LI,NY
|
The infocenter is quite clear on that. The ability to use the windows certstore is an MQ8 feature. Any prior version, use the kdb store. 
_________________
MQ & Broker admin |
|
| Back to top |
|
|
| BBM |
| Posted: Wed Mar 04, 2015 2:28 pm Post subject: |
|
|
Master
Joined: 10 Nov 2005
Posts: 217
Location: London, UK
|
| Thanks for that - appreciated. |
|
| Back to top |
|
|
| exerk |
| Posted: Wed Mar 04, 2015 3:54 pm Post subject: Re: .NET MQ client SSL repository |
|
|
Jedi Council
Joined: 02 Nov 2006
Posts: 6339
|
| BBM wrote: |
| ...I have researched the MQEnvironment.SSLKeyrepository property and have found conflicting information about what is required... |
You could also use the mqclient.ini file to specify the key store name and location.
_________________
It's puzzling, I don't think I've ever seen anything quite like this before...and it's hard to soar like an eagle when you're surrounded by turkeys. |
|
| Back to top |
|
|
| zpat |
| Posted: Wed Mar 04, 2015 11:10 pm Post subject: |
|
|
Jedi Council
Joined: 19 May 2001
Posts: 5866
Location: UK
|
Or the MQSSLKEYR environment variable.
_________________
Well, I don't think there is any question about it. It can only be attributable to human error. This sort of thing has cropped up before, and it has always been due to human error. |
|
| Back to top |
|
|
| exerk |
| Posted: Thu Mar 05, 2015 1:11 am Post subject: |
|
|
Jedi Council
Joined: 02 Nov 2006
Posts: 6339
|
| zpat wrote: |
| Or the MQSSLKEYR environment variable. |
Isn't that a bit 'so last century'?  After all, isn't the mqclient.ini file a lot more 'powerful' than a bunch of environment variables?
_________________
It's puzzling, I don't think I've ever seen anything quite like this before...and it's hard to soar like an eagle when you're surrounded by turkeys. |
|
| Back to top |
|
|
| BBM |
| Posted: Thu Mar 05, 2015 1:57 am Post subject: |
|
|
Master
Joined: 10 Nov 2005
Posts: 217
Location: London, UK
|
| Thanks - we're trying to minimise the files we're deploying down so we'd like to hardcode it as it should be a one-off deployment. |
|
| Back to top |
|
|
| exerk |
| Posted: Thu Mar 05, 2015 2:09 am Post subject: |
|
|
Jedi Council
Joined: 02 Nov 2006
Posts: 6339
|
| BBM wrote: |
| Thanks - we're trying to minimise the files we're deploying down so we'd like to hardcode it as it should be a one-off deployment. |
And then things will change in the future, undoubtedly after the people have changed too and all the knowledge has faded or disappeared completely, and trying to get a change window to deploy the recompiled app will be a pain, and so on, and so on...
Apart from the 'best practice' aspect of nothing being hard-coded that could change, you will have to deploy the app, the key store files, and any other dependencies - what's the problem with one more file?
_________________
It's puzzling, I don't think I've ever seen anything quite like this before...and it's hard to soar like an eagle when you're surrounded by turkeys. |
|
| Back to top |
|
|
|
|
