MQFTE Client not connecting in two way SSL authentication.
Northsider
Posted: Tue Nov 28, 2017 5:54 am Post subject: MQFTE Client not connecting in two way SSL authentication.
Novice
Joined: 09 Mar 2005 Posts: 16
Hi,
It's a specific MQFTE SSL question, but could be a generic MQ question.
We want to set up an MQFTE Agent (FTEAG01) mq v9 to an (QMGR1) MQ FTE Concentrator Queue Manager mq v7.5.
QMGR1 will have the following certificates :
Certificates found
* default, - personal, ! trusted, # secret key
! "Hanky Panky CA"
! "Something Else CA"
- ibmwebspheremqQMGR1 (personal key, signed by "Hanky Panky CA")
Now I want to connect with an MQ FTE Agent (FTEAG01) which is signed by "Something Else CA"
FTEAG01 will have the following certificates :
Certificates found
* default, - personal, ! trusted, # secret key
! "Hanky Panky CA"
! "Something Else CA"
- ibmwebspheremqmqm (personal key for FTEAG01, signed by "Something Else CA")
Will this work? - or does QMGR1 also need to have personal signed key by "Something Else CA" ?
I would assume, that QMGR1 doesn't need to be signed by "Something Else CA" to have the MQFTE Agent working. But maybe I'm missing something?
Vitor
Posted: Tue Nov 28, 2017 6:25 am Post subject:
Grand High Poobah
Joined: 11 Nov 2005 Posts: 26093 Location: Texas, USA
You'd never have 2 personal certificates, or a personal certificate signed by 2 CAs.
Each queue manager simply needs to trust the CA that didn't sign its personal certificate.
_________________
Honesty is the best policy.
Insanity is the best defence.
Northsider
Posted: Tue Nov 28, 2017 7:11 am Post subject:
Novice
Joined: 09 Mar 2005 Posts: 16
Thank you, Vitor for the clear statement.
I got mixed up, I think by "over"-reading. (but below information is about qmgr to qmgr)
For your information:
https://developer.ibm.com/recipes/tutorials/configuration-of-multiple-certificates-per-qmgr-using-ibm-mq-v8-0/
Quote: However, since a queue manager can only have One Certificate, with releases prior to V8 of MQ, you were forced into having two queue managers, one using each certificate. Now, imagine if I have 10+ Business Partners using 10+ different CAs, I need to have 10+ different Qmgrs connecting to their respective Business Partners which is definitely not an practical solution!
Vitor
Posted: Tue Nov 28, 2017 7:17 am Post subject:
Grand High Poobah
Joined: 11 Nov 2005 Posts: 26093 Location: Texas, USA
SSL is a minefield
In the scenario in the document, I would have not used CA1 & CA2 but Verisign, trusted that and accepted only personal certificates from the distinguished name I was expecting for the queue managers in question.
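The trust rule discussed in this thread, reproduced with plain OpenSSL instead of an MQ key repository. This is an added example, not code from the posters or from IBM; the throwaway CAs, the file names and the PEM bundles standing in for each side's trusted signer list are assumptions.

```shell
#!/bin/sh
# Constructed lab: throwaway CAs and personal certificates named after the
# thread's key repositories. PEM bundles stand in for the MQ key databases.
set -e
LAB=$(mktemp -d)
# Minimal config so the CA certificates carry basicConstraints CA:TRUE.
printf '[req]\ndistinguished_name=dn\nx509_extensions=v3_ca\n[dn]\n[v3_ca]\nbasicConstraints=critical,CA:TRUE\n' > "$LAB/lab.cnf"

make_ca() {   # $1 = file prefix, $2 = CA common name
    openssl req -x509 -config "$LAB/lab.cnf" -newkey rsa:2048 -nodes -days 1 \
        -subj "/CN=$2" -keyout "$LAB/$1.key" -out "$LAB/$1.pem" 2>/dev/null
}

make_personal() {   # $1 = file prefix, $2 = subject CN, $3 = signing CA prefix
    openssl req -new -config "$LAB/lab.cnf" -newkey rsa:2048 -nodes \
        -subj "/CN=$2" -keyout "$LAB/$1.key" -out "$LAB/$1.csr" 2>/dev/null
    openssl x509 -req -in "$LAB/$1.csr" -days 1 -CA "$LAB/$3.pem" \
        -CAkey "$LAB/$3.key" -CAcreateserial -out "$LAB/$1.pem" 2>/dev/null
}

# True only if personal certificate $2 chains to a CA in trust bundle $1.
peer_accepted() {
    openssl verify -CAfile "$LAB/$1" "$LAB/$2.pem" >/dev/null 2>&1
}

make_ca hanky "Hanky Panky CA"
make_ca other "Something Else CA"
make_personal qmgr1 ibmwebspheremqQMGR1 hanky   # QMGR1's personal certificate
make_personal agent ibmwebspheremqmqm other     # FTEAG01's personal certificate

# Both repositories in the thread list both CAs as trusted signers.
cat "$LAB/hanky.pem" "$LAB/other.pem" > "$LAB/both_cas.pem"

# Each side validates the peer's personal certificate against its own trust
# list; the CA that signed its own certificate plays no part in that check.
peer_accepted both_cas.pem agent && echo "QMGR1 accepts FTEAG01"
peer_accepted both_cas.pem qmgr1 && echo "FTEAG01 accepts QMGR1"

# Failure mode: a repository that trusts only the CA behind its own certificate.
peer_accepted hanky.pem agent || echo "QMGR1 trusting only Hanky Panky CA rejects FTEAG01"
peer_accepted other.pem qmgr1 || echo "FTEAG01 trusting only Something Else CA rejects QMGR1"
```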