ASG
IBM
Zystems
Cressida
Icon
Netflexity
 
  MQSeries.net
Search  Search       Tech Exchange      Education      Certifications      Library      Info Center      SupportPacs      LinkedIn  Search  Search                                                                   FAQ  FAQ   Usergroups  Usergroups
 
Register  ::  Log in Log in to check your private messages
 
RSS Feed - WebSphere MQ Support RSS Feed - Message Broker Support

MQSeries.net Forum IndexGeneral IBM MQ SupportMQ 8 SSL and CRL

Post new topicReply to topic
MQ 8 SSL and CRL View previous topic :: View next topic
Author Message
marcin.kasinski
PostPosted: Wed Nov 02, 2016 6:29 am Post subject: MQ 8 SSL and CRL Reply with quote

Sentinel

Joined: 21 Dec 2004
Posts: 850
Location: Poland / Warsaw

I set up MQ channels with ssl and it works perfect.
I set up ssl with CRL and it works, I mean channels are running.

I can see in my LDAP logs that connection to LDAP from MQ is established.

Unfortunately I can not see in LDAP logs any query from MQ .

I was expected to see query for CRL result.

I think that my ldap configuration is ok because I've tested 2 scenarios.

1. Correct LDAP hostname -> channels are running
2. Incorrect LDAP hostname -> channels are retrying

Now every cert is ok for MQ server.

My questions are:

1. Is there any additional configuration I need to check cert from second side in LDAP CRL ?

2. Why during ssl handshake there is only LDAP binding from MQ with no LDAP query ?
_________________
Marcin
Back to top
View user's profile Send private message Visit poster's website
tczielke
PostPosted: Fri Nov 04, 2016 9:26 am Post subject: Reply with quote

Guardian

Joined: 08 Jul 2010
Posts: 911
Location: Illinois, USA

Validating that the channel started and then didn't start when changing the LDAP was probably a pretty good test that things are working. From my personal experience, it was difficult to validate that things like OCSP and CRLs were working, since MQ ostensibly hides the details of how it works. For example, even if you turn on tracing, must of this CRL functionality appears to run under the SSL trace file with is left unformatted, even after running dspmqtrc. You may have to open a PMR with IBM and have them validate that things are working as expected, if you don't have an easy way of testing this yourself (e.g. revoking your certificate in the CRL and validating it is detected as revoked by MQ).
_________________
Working with MQ since 2010.
Back to top
View user's profile Send private message
Display posts from previous:
Post new topicReply to topic Page 1 of 1

MQSeries.net Forum IndexGeneral IBM MQ SupportMQ 8 SSL and CRL
Jump to:



You cannot post new topics in this forum
You cannot reply to topics in this forum
You cannot edit your posts in this forum
You cannot delete your posts in this forum
You cannot vote in polls in this forum
Protected by Anti-Spam ACP


Theme by Dustin Baccetti
Powered by phpBB 2001, 2002 phpBB Group

Copyright MQSeries.net. All rights reserved.