Certificates and securing MQ |
andres |
Posted: Sat Mar 18, 2023 7:41 am Post subject: Certificates and securing MQ |
|
|
Apprentice
Joined: 12 Apr 2013 Posts: 27
|
Hi,
I'm planning the deployment of MQ on OpenShift, and after "fighting" with certificates, etc., I'm good to go.
My question is how to plan certificates for the MQ manager, clients and web console.
We have a private CA, and I'm thinking about whether it is a good idea to use wildcard certs.
CN=qmanangername.mq.mydomain.org
or one for all QMs
CN=*.mq.mydomain.org
For the MQ manager, let's say I create a cert with our CA. Should the crt and key files be in the same certificate label?
For client authentication, I don't want to use the MQ port, so I want to connect all via HTTPS. Is it enough to use LDAP user auth plus the MQ manager cert in the clients? (Clients can be MQ Explorer, ERP, etc.)
I believe I don't need mutual TLS if I'm using LDAP auth, so I guess it is fine with a single CA cert?
For the web console, is it fine to use the MQ manager cert or should I deploy another cert? It looks like I can use LDAP too and point to a specific label in the config.
Thanks
I b |
hughson |
Posted: Mon Mar 20, 2023 10:11 am Post subject: Re: Certificates and securing MQ |
|
|
 Padawan
Joined: 09 May 2013 Posts: 1959 Location: Bay of Plenty, New Zealand
|
andres wrote: |
For client authentication, I don't want to use the MQ port, so I want to connect all via HTTPS. Is it enough to use LDAP user auth plus the MQ manager cert in the clients? (Clients can be MQ Explorer, ERP, etc.) |
Why don't you want to use the MQ listener? How do you plan to get MQ clients such as MQ Explorer to connect if you don't?
Cheers,
Morag
_________________
Morag Hughson @MoragHughson
IBM MQ Technical Education Specialist
Get your IBM MQ training here!
MQGem Software |
andres |
Posted: Mon Mar 20, 2023 2:48 pm Post subject: |
|
|
Apprentice
Joined: 12 Apr 2013 Posts: 27
|
Hi,
I probably forgot to mention that in an OpenShift deployment, we create HTTPS routes that "route" the traffic to whatever listener port.
The other way is to open the listener ports. In an HA environment it is required to open the ports on each OpenShift node (a node could be hosting something other than MQ), but we don't want that.
I'm still not sure if I will have clients that cannot use HTTPS/SSL, but this will be the preferred method. |