MQSeries.net Forum Index » WebSphere Message Broker (ACE) Support » SSL Peer name matching for SOAP Web services

SSL Peer name matching for SOAP Web services
ghoshly
Posted: Wed Apr 08, 2015 9:40 am    Post subject: SSL Peer name matching for SOAP Web services

Partisan

Joined: 10 Jan 2008
Posts: 325

Hello,

My current environment is WMB 8.0.0.4 on AIX 7.1 with WMQ 7.5.0.1.

We have both inbound and outbound SOAP based web service interactions with different applications via HTTPS.

We had enabled the client authentication parameter both at broker level and at execution group level and thought (lack of knowledge) that this way the certificate from the clients would be matched and verified. In reality we found that any client with a valid CA certificate can invoke our service, because at this time the broker is only validating the authenticity of the CA.

In order to restrict this further, so that a specific application with its certificate and host can invoke our service, we have the concept of SSLPEER distinguished name matching for MQ channels. Should we do the same for web services?

Appreciate your help.
fjb_saper
Posted: Wed Apr 08, 2015 7:50 pm

Grand High Poobah

Joined: 18 Nov 2003
Posts: 20696
Location: LI,NY

Does your policy require the matched client cert? You may need to add the client cert into the truststore...
_________________
MQ & Broker admin
ghoshly
Posted: Wed Apr 08, 2015 8:33 pm

Partisan

Joined: 10 Jan 2008
Posts: 325

Hi fjb,

A certificate in the trust store does not guarantee the application / host match.
T.Rob Wyatt has explained this in detail in his article.

In most of the articles, the use of a queue manager exit and the channel's SSLCAUTH parameter is mentioned. I am trying to understand whether we should do the same for message broker interfaces, where external clients are not connecting directly via MQ listeners or channels but rather via ports.
fjb_saper
Posted: Wed Apr 08, 2015 8:48 pm

Grand High Poobah

Joined: 18 Nov 2003
Posts: 20696
Location: LI,NY

Seems to me you are trying to mix 2 things: MQ SSL setup and broker SSL setup. They are different.
The broker's SSL setup is done by letting the broker / eg know where to find its key and truststore, plus stating the policy on the node.

So what policy have you set up, if any? If you did not set up a policy you have one-way authentication.
Your policy will say find matching cert in cert store. This means that if the client cert is not present in the broker's cert store the access is denied...
I am not aware that the SSLPEER RFE has been delivered for the broker.

Now if you need to be more precise, by propagating the cert information you can gain access to the DN. You should find all the information you need in the infocenter.

Have fun
_________________
MQ & Broker admin
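The DN check fjb_saper alludes to, written out as an added example (not code from this thread and not WMB's own mechanism): once the handshake has validated the CA, the flow compares the propagated client certificate's subject DN against an SSLPEER-style pattern, so that only the intended peers are accepted. The DN string, the `ALLOWED_PEERS` list and the sample DNs are constructed assumptions.

```python
"""Added example, not code from the thread or from WMB: SSLPEER-style
distinguished-name matching applied to the subject DN of an already
CA-validated client certificate. Assumes the flow has obtained that DN as a
string (e.g. from the propagated certificate information)."""
import re

def parse_dn(dn: str) -> dict[str, str]:
    """Split an RFC 2253-style DN ('CN=app1,O=Acme,C=US') into an attribute map.
    Backslash-escaped commas inside values are kept; keys are upper-cased."""
    attrs: dict[str, str] = {}
    for part in re.split(r"(?<!\\),", dn):
        if part.strip():
            key, _, value = part.partition("=")
            attrs[key.strip().upper()] = value.strip().replace("\\,", ",")
    return attrs

def dn_matches_peer(subject_dn: str, peer_pattern: str) -> bool:
    """True if every attribute in peer_pattern is present in subject_dn with a
    matching value (case-insensitive). A trailing '*' is a prefix wildcard, in
    the spirit of MQ SSLPEER ('CN=app*'). Attributes absent from the pattern are
    unconstrained, so pin O/OU as well as CN: otherwise any certificate from the
    trusted CA carrying a matching CN would be accepted."""
    subject = parse_dn(subject_dn)
    for key, want in parse_dn(peer_pattern).items():
        have = subject.get(key)
        if have is None:
            return False
        if want.endswith("*"):
            if not have.lower().startswith(want[:-1].lower()):
                return False
        elif have.lower() != want.lower():
            return False
    return True

def authorize_client(subject_dn: str, allowed_peers: list[str]) -> bool:
    """The second check the thread asks for: the handshake has already verified
    the CA, now accept only the specific peers this service is meant for."""
    return any(dn_matches_peer(subject_dn, p) for p in allowed_peers)

# Constructed sample values (hypothetical, not from the original post).
ALLOWED_PEERS = ["CN=orderapp*,OU=Payments,O=Example Corp,C=US"]

if __name__ == "__main__":
    for dn in ("CN=orderapp01,OU=Payments,O=Example Corp,C=US",
               "CN=otherapp,OU=Payments,O=Example Corp,C=US"):
        print(dn, "->", "accepted" if authorize_client(dn, ALLOWED_PEERS) else "rejected")
```

In a real flow the same comparison would sit in a JavaCompute or Compute node and reject the message (or route it to a failure terminal) when `authorize_client` returns False.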
ghoshly
Posted: Wed Apr 08, 2015 9:04 pm

Partisan

Joined: 10 Jan 2008
Posts: 325

Certainly I was mixing up MQ SSL and Broker SSL, because I was thinking they would work the same way.

Definitely I need to learn about the policy setup in the broker / EG for this security. Would you please give me a pointer to the infocenter?