X-Report-Abuse-To: spam-RAvZ+8ubYLwZD488Lvc0IA6ISnHq+hSGQ0cMyQF+***@public.gmane.org
X-Filter-Fingerprint: IFrWXGses7OKB5S5G8/dJdF8bCbRCAhGucQF+2hmonpA3cTUQ1R++keuE7RDJ8Kg79NdR28zbq2F
/faLXf3Ie42yBDDCqrY/jYvGqOg9lVfoeRKedGP1vfa5HRtXlXk1aFNZKY+2JfgNYuBanXA5/V1d
tvOCOBNutIG8EQ7PL1I1xhr7YSippDt4qVjTvwRz9aAFlFWcZ7bUo8s0KP9nIKHvqOeYjbLjOj4M
DvjqiJSkRsGGYTTGTCicYOI9qTNtzdVFJoGb9cj0jXkqhJvi5xf6vO+VemmvMcVXvjXFMI+lXwAu
zCu99GC8lYQdsAec14NOVDblYXAjpGV26BzagltwS3g6AxGX91C9mUxH0oAiS5Z9JQxX4gRrOIMo
JQQlTAgg1Nd9QxhRJoS+ShAxmENBRISw69vwPrB7utzMtVg58plX1V5qQ59AaUtC9cN5pmXqwM8c
I73XrLhavWzNk1RvD9NzI+K5BsOjgwv8At4X-Originating-IP: 184.154.225.7
X-SpamExperts-Domain: siteground247.com
X-SpamExperts-Username: 184.154.225.7
X-SpamExperts-Outgoing-Class: ham
X-SpamExperts-Outgoing-Evidence: Combined (0.01)
X-Recommended-Action: accept
X-PMX-Version: 6.1.0.2415318, Antispam-Engine: 2.7.2.2107409,
Antispam-Data: 2014.8.22.134220
X-PMX-Spam: Gauge=IIIIIIIII, Probability=9%, Report=' AT_TLD 0.1,
FROM_NAME_ONE_WORD 0.05, HTML_00_01 0.05, HTML_00_10 0.05,
SUPERLONG_LINE 0.05, BODY_SIZE_10000_PLUS 0,
CT_TEXT_PLAIN_UTF8_CAPS 0, DATE_TZ_NA 0, FORGED_MUA_OUTLOOK 0,
URI_ENDS_IN_HTML 0, WEBMAIL_SOURCE 0, WEBMAIL_XOIP 0,
WEBMAIL_X_IP_HDR 0, __ANY_URI 0, __BOUNCE_CHALLENGE_SUBJ 0,
__BOUNCE_NDR_SUBJ_EXEMPT 0, __CP_URI_IN_BODY 0, __CT 0, __CTE 0,
__CT_TEXT_PLAIN 0, __FORWARDED_MSG 0, __FRAUD_CONTACT_NUM 0,
__FRAUD_VIPS 0, __HAS_FROM 0, __HAS_MSGID 0, __HAS_X_MAILER 0,
__IN_REP_TO 0, __MIME_TEXT_ONLY 0, __MIME_VERSION 0,
__OUTLOOK_MUA 0, __OUTLOOK_MUA_1 0, __PHISH_PHRASE2 0,
__PHISH_PHRASE3 0, __SANE_MSGID 0, __STOCK_PHRASE_8 0,
__SUBJ_ALPHA_NEGATE 0, __TO_MALFORMED_2 0, __URI_NS ,
Sender: MQSeries List <MQSERIES-0lvw86wZMd9k/bWDasg6f+***@public.gmane.org>
In-Reply-To: <MQSERIES%201408221520355705.09C9-0lvw86wZMd9k/bWDasg6f+***@public.gmane.org>
Precedence: list
List-Help: <http://listserv.meduniwien.ac.at/cgi-bin/wa?LIST=MQSERIES>,
<mailto:LISTSERV-0lvw86wZMd9k/bWDasg6f+***@public.gmane.org?body=INFO%20MQSERIES>
List-Unsubscribe: <mailto:MQSERIES-unsubscribe-request-0lvw86wZMd9k/bWDasg6f+***@public.gmane.org>
List-Subscribe: <mailto:MQSERIES-subscribe-request-0lvw86wZMd9k/bWDasg6f+***@public.gmane.org>
List-Owner: <mailto:MQSERIES-request-0lvw86wZMd9k/bWDasg6f+***@public.gmane.org>
List-Archive: <http://listserv.meduniwien.ac.at/cgi-bin/wa?LIST=MQSERIES>
Archived-At: <http://permalink.gmane.org/gmane.network.mq.devel/18126>
I do not have time to look it up right now but if you search the list archives for "CA Browser Forum" you will find some emails from me discussing this issue. The CABF is the industry consortium who determine the rules that commercial CAs follow. They changed their regulations some time ago to require a Fully Qualified Domain Name (FQDN)in the Common Name field. I posted to the list the links to their announcement of the rule change.
The immediate result of this was that people who had previously used the QMgr name, or anything other than a FQDN where the domain was one they could provably own, had to replace rather than renew their commercial CA-issued certs. The cost differential for shops with thousands of certs was so significant that many gave up altogether and started their own internal CA. The proliferation of mind-numbingly unsecure internal CAs was what prompted me to write the "How To Build and Operate a CA Center of Mediocrity" presentation. (http://iopt.us/CACOM)
The primary requirements are a) that your Common Name include a verifiable FQDN; and b) that the ORG and related fields *exactly* match the WHOIS listing for that domain. So if the domain address is your corporate HQ in NY and the server physically resides in the California NOC, guess what your ORG fields need to say... the HQ address.
On the other hand, they do not verify anything in the FQDN except the domain name, and that the CN you provide is unique. So the FQDN you give them can be internal and not visible to the Internet. But if it's a web server or anything that validates the CN, you now cannot use an internal, unregistered domain name for your Dev, Test, QA and other staging environment. Requiring the CN to be in FQDN format and that the DN in the FQDN must be a registered domain essentially forces you to provide the CA the topology of all your internal network nodes for which they issue a cert. That's not too terrible but it is also a disincentive to ever using revocation capabilities, because then those internal node names show up on the public revocation list. Awesome.
My recommendation is to guarantee uniqueness by specifying multiple subdomains where one is MQ and the other is the QMgr name. For example, venus.mq.example.com for the VENUS QMgr in the example.com domain. (DNS names are case-insensitive by definition so I stuck with the convention of writing it in lower case, even though the QMgr name is UPPER.) This naming convention prevents a situation where a QMgr and a web app server compete for the same CN (i.e. CN=payroll.example.com). This assumes the enterprise reserves the mq subdomain for the mq team, of course.
It used to be a SWIFT standard that some of their CN fields were based on an account number or something, depending on which CA you used and the SWIFT service to which you subscribed. I was never able to find out what changes SWIFT made to accommodate the CABF rule change but if I remember correctly, they also ran their own CA. I'd be interested if anyone knows what happened there.
Kind regards,
-- T.Rob
T.Robert Wyatt, Managing partner
IoPT Consulting, LLC
+1 704-443-TROB
https://ioptconsulting.com
https://twitter.com/tdotrob
Post by Ian Alderson-----Original Message-----
Of Ian Alderson
Sent: Friday, August 22, 2014 9:20 AM
Subject: Re: requesting a SSL cert for a qmgr and the cert admin is asking
for a URL as the common name of cert?
Damian,
A url specified in the CN (Common Name) is normally used for certificates
in web servers so that a browser can validate the domain name to the value
in the certificate's CN field. There is no concept in MQ whereby MQ
honours a validation between the host and a url stored in the certificate.
So a mandatory url in the CN for SSL certs looks to me like a rule they
have set up for web server certs but have not fully thought through or
understood how MQ SSL mutual authentication works.
For MQ you have the SSLPEER field in the channel definition which can
validate any of the fields in the DN (Distinguished Name), including the
CN. And from MQ 7.1 you also have CHLAUTH rules which can give you a lot
more options in securing channels based on the certificate. But there is
nothing like a dns reverse lookup like you would get in a browser.
As I would expect that you already have Qmgr certs signed by this CA
(Certificate Authority), then you may well find that you have a precedent
or standard for what goes in the CN and follow that. You can put anything
(i) The CN value should ideally have some meaning or relationship to the
Queue Manager it will be used with
(ii) A CA will likely have a policy of enforcing uniqueness of a CN when
signing a certificate. So if you use something like a FQDN of where the
Qmgr runs, be aware that you may need to adapt that to have unique CNs for
2 or more queue managers running on the same host
(iii) The value in the CN is not to be confused with the label of the
certificate in the CMS key DB. The certificate's label must be specified
in a very specific format for the Queue manager to pick it up, but does
not care what the CN field is set to
(iv) when formulating SSLPEER matching (Channel definition or CHLAUTH
rule) to validate a partner's certificate, keep in mind that the value of
the CN will almost certainly form part of that check, if not the whole DN
So I think you have two options. Go along with the mandatory format your
CA is imposing, or argue your case that a mandatory url has no meaning to
MQ and that you can just as easily set up your channel authentication
based on any meaningful unique value.
Hope that helps,
Ian
Ian Alderson
MQ Technical Architect
DL 0203 003 3055
--------------------------------------------------------------------
Ignis Asset Management
Fixed Income | Equities |Real Estate |Advisors |Solutions
150 Cheapside | London | EC2V 6ET
http://www.ignisasset.com
http://twitter.com/IgnisAM
http://www.linkedin.com/companies/ignis-asset-management
-----Original Message-----
Of Costa, D. (Damian)
Sent: Friday, August 15, 2014 11:56 AM
Subject: requesting a SSL cert for a qmgr and the cert admin is asking for
a URL as the common name of cert?
HI all,
Filling in forms for getting a SSL cert for one of our qmgrs and the
Cert admin wants a mandatory URL as the common name for the SSL cert I am
requesting.
What do I put in as the common URL if it is just for a qmgr? Does an IP address cut it?
thanks
********************
Nedbank Limited Reg No 1951/000009/06. The following link displays the
names of the Nedbank Board of Directors and Company Secretary.
[ http://www.nedbank.co.za/terms/DirectorsNedbank.htm ] This email is
confidential and is intended for the addressee only.
The following link will take you to Nedbank's legal notice.
[ http://www.nedbank.co.za/terms/EmailDisclaimer.htm ]
********************
message body (not the subject), write: SIGNOFF MQSERIES Instructions for
managing your mailing list subscription are provided in the Listserv
General Users Guide available at http://www.lsoft.com
Archive: http://listserv.meduniwien.ac.at/archives/mqser-l.html
**************************************************************
The information contained in this email (including any attachments
transmitted within it) is confidential and is intended solely for the use
of the named person.
The unauthorised access, copying or re-use of the information in it by any
other person is strictly forbidden.
If you are not the intended recipient please notify us immediately by
Internet communication is not guaranteed to be timely, secure, error or
virus free. We accept no liability for any harm to systems or data, nor
for personal emails. Emails may be recalled, deleted and monitored.
Ignis Asset Management is the trading name of the Ignis Asset Management
Ignis Asset Management Limited (Registered in Scotland No. SC200801),
Ignis Investment Services Limited* (Registered in Scotland No. SC101825)
Ignis Fund Managers Limited* (Registered in Scotland No. SC85610) Scottish
Mutual Investment Managers Limited* (Registered in Scotland No. SC88674)
Registered Office: 50 Bothwell Street, Glasgow, G2 6HR, Tel: 0141-222-8000
and Scottish Mutual PEP & ISA Managers Limited* (Registered in England No.
971504) Registered Office: 150 Cheapside, London, EC2V 6ET and Ignis
Investment Management Limited (Registered in England No. 5809046)
Registered Office: 150 Cheapside, London, EC2V 6ET Tel: 020 3003 3000.
Scottish Mutual is a registered trade mark of Scottish Mutual Assurance
Limited
*Authorised and regulated in the United Kingdom by the Financial Conduct Authority.
Ignis Asset Management Limited and its subsidiaries are part of the
Standard Life Investments group (Standard Life Investments (Holdings)
Limited and its subsidiaries).
**************************************************************
message body (not the subject), write: SIGNOFF MQSERIES Instructions for
managing your mailing list subscription are provided in the Listserv
General Users Guide available at http://www.lsoft.com
Archive: http://listserv.meduniwien.ac.at/archives/mqser-l.html
To unsubscribe, write to LISTSERV-0lvw86wZMd9k/bWDasg6f+***@public.gmane.org and,
in the message body (not the subject), write: SIGNOFF MQSERIES