WS-Security Implementation
enup12
Posted: Thu Feb 18, 2016 4:31 am    Post subject: WS-Security Implementation

Newbie

Joined: 18 Feb 2016
Posts: 5

Hi All,

Can you please suggest if WS-Security (policy sets) can be configured for multiple clients in the same flow (broker V7)?


Will appreciate your response.

Thanks,
fjb_saper
Posted: Thu Feb 18, 2016 5:11 am

Grand High Poobah

Joined: 18 Nov 2003
Posts: 20056
Location: LI,NY

What have you tried so far?
_________________
MQ & Broker admin
enup12
Posted: Thu Feb 18, 2016 6:42 am

Newbie

Joined: 18 Feb 2016
Posts: 5

I have created a Policy Set, Policy Binding and security profile for one client using X.509.

Now I have got another client which needs to be on-boarded on the same flow. I am planning to use the same CA for generating the certificate for the second client. But I am unsure how the policy set will be configured for the second client in the same flow.
mqjeff
Posted: Thu Feb 18, 2016 6:47 am

Grand Master

Joined: 25 Jun 2008
Posts: 17447

Have you confirmed that the policy set does have to be configured differently for the second client?

Have you explained to management exactly how unsupported Broker v7 is?

Have you reviewed your options to change what policy set is going to be used by setting properties in the message tree?
_________________
chmod -R ugo-wx /
enup12
Posted: Thu Feb 18, 2016 6:56 am

Newbie

Joined: 18 Feb 2016
Posts: 5

I can propose the same policy set configuration which is currently being used. But I am wondering if the same configuration will work for the second client, as the certificate (public keys) and security profile will be different.

Please suggest some pointers.
Vitor
Posted: Thu Feb 18, 2016 8:32 am

Grand High Poobah

Joined: 11 Nov 2005
Posts: 25776
Location: Ohio, USA

enup12 wrote:
Please suggest some pointers.


Well firstly:

mqjeff wrote:
Have you explained to management exactly how unsupported Broker v7 is?


Secondly:

mqjeff wrote:
Have you reviewed your options to change what policy set is going to be used by setting properties in the message tree?

_________________
Honesty is the best policy.
Insanity is the best defence.
enup12
Posted: Fri Mar 11, 2016 5:51 am

Newbie

Joined: 18 Feb 2016
Posts: 5

Hi Vitor/mqjeff

Please see the details below.
Have you explained to management exactly how unsupported Broker v7 is?
-- They are moving to a higher version soon. However, they want the WS-Security implementation in the next 2-3 weeks to support the client demand.

Secondly:
mqjeff wrote:
Have you reviewed your options to change what policy set is going to be used by setting properties in the message tree?

-- I have to perform digital signature verification. For that, I have created the policy set and binding, and digital signature verification is working correctly for a single client. But when I add details (KeyInformation - PrivateKey and Public Key etc.) for the second client, it is not working, so I wanted to know if it is possible to configure more than one client's details in the same policy set and binding.
fjb_saper
Posted: Fri Mar 11, 2016 9:26 am

Grand High Poobah

Joined: 18 Nov 2003
Posts: 20056
Location: LI,NY

It should be. You'd just have to specify that the client cert is to be found in the certstore. Of course, this means that all the clients that sign the message need to have their key in the certstore.
If you need to compare the content of the message against some of the X.509 values, i.e. make sure Paul did not send a message for Mary and sign it... you will need to use a security node...

_________________
MQ & Broker admin
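
The distinction drawn in the reply above, between a signer whose certificate is in the trust store and a signer who is allowed to send this particular message, can be seen in a small check. This is an added example, not code from the thread and not Broker configuration: it assumes the WS-Security layer has already verified the signature, and the `Order`/`Sender` body elements, the client names and the certificate bytes are constructed for illustration.

```python
import base64
import hashlib
import xml.etree.ElementTree as ET

SOAP = "http://schemas.xmlsoap.org/soap/envelope/"
WSSE = ("http://docs.oasis-open.org/wss/2004/01/"
        "oasis-200401-wss-wssecurity-secext-1.0.xsd")

# Constructed stand-ins for two clients' DER certificates (not real X.509 data).
PAUL_CERT = b"constructed-der-bytes-for-paul"
MARY_CERT = b"constructed-der-bytes-for-mary"

def fingerprint(der: bytes) -> str:
    return hashlib.sha256(der).hexdigest()

# Hypothetical view of the trust store: certificate fingerprint -> client identity.
TRUSTED_SIGNERS = {fingerprint(PAUL_CERT): "paul", fingerprint(MARY_CERT): "mary"}

def build_envelope(cert: bytes, claimed_sender: str) -> str:
    """Build a constructed SOAP message carrying the signer's token."""
    token = base64.b64encode(cert).decode()
    return (f'<soap:Envelope xmlns:soap="{SOAP}" xmlns:wsse="{WSSE}">'
            f"<soap:Header><wsse:Security><wsse:BinarySecurityToken>{token}"
            f"</wsse:BinarySecurityToken></wsse:Security></soap:Header>"
            f"<soap:Body><Order><Sender>{claimed_sender}</Sender></Order>"
            f"</soap:Body></soap:Envelope>")

def check_sender(envelope_xml: str):
    """Return (allowed, reason); signature validity is assumed checked upstream."""
    root = ET.fromstring(envelope_xml)
    tokens = root.findall(
        f"{{{SOAP}}}Header/{{{WSSE}}}Security/{{{WSSE}}}BinarySecurityToken")
    if len(tokens) != 1:
        return False, "expected exactly one BinarySecurityToken"
    try:
        der = base64.b64decode(tokens[0].text or "", validate=True)
    except ValueError:
        return False, "token is not valid base64"
    # Step 1: trust-store membership only proves the signer is a known client.
    signer = TRUSTED_SIGNERS.get(fingerprint(der))
    if signer is None:
        return False, "signer certificate not in trust store"
    # Step 2: tie the signer to the identity the message body claims.
    sender = root.findtext(f"{{{SOAP}}}Body/Order/Sender")
    if sender != signer:
        return False, f"signed by {signer} but claims sender {sender}"
    return True, f"sender {sender} matches signer"
```

A message signed with Paul's certificate but naming Mary as sender passes step 1 and is rejected only at step 2, which is the check a shared trust store alone does not give you.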
enup12
Posted: Fri Mar 11, 2016 7:57 pm

Newbie

Joined: 18 Feb 2016
Posts: 5

Thanks. I have added all client certificates in the TrustStore and the broker's private key in the Keystore. When I add multiple clients' details in the PolicySet and PolicySetBindings, I get a runtime exception like the one below.

CWSS5270E- Required message part in not signed.

However, when I try to run by creating a separate policy set for each client, it is working fine.