Discussion:
WMB 8.0 - still nothing like SSLPEER in MQ?
Potkay, Peter M (CTO Architecture + Engineering)
2013-11-13 18:32:14 UTC
WMB 8.0.0.3

I'm looking at the various things we can set related to SSL at the Broker level or the Execution Group level for the non-MQ connections. While we do have the ability to require the incoming SSL client to present a cert to the Execution Group (clientAuth = true), I don't see any way to filter on the SSL client's cert. For example:

DEV
SSLClientA talks to WMB1

QA
SSLClientB talks to WMB2

PROD
SSLClientC talks to WMB3


The SSL clients used Verisign certs for all 3 of them. All are signed by the same CA. All 3 have unique Distinguished Names. But how do I tell WMB2 to distinguish between A, B and C? If SSLClientA or SSLClientC tries to talk to WMB2, it will be allowed, because WMB2 will accept their valid Verisign certs.

I don't see any way to filter the incoming certs like I can with SSLPEER in MQ.

Is there a solution in WMB 8 for this? I first ran into this at 6.1 and unless I'm searching incorrectly in the InfoCenter, this appears to still be a gap.

Creating an execution group for each individual message flow, creating a dedicated trust store per execution group, using a self-signed cert per client, and purging the trust store of all signer certs other than the one specific self-signed cert for that flow / execution group is one way, I suppose, but it obviously doesn't scale.


Peter Potkay
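The check the post is asking for, shown as an added example that is not code from the original post, from IBM, or from WMB: an SSLPEER-style subject filter applied to the peer certificate after a mutually authenticated TLS handshake. Trusting the CA only proves the client holds some certificate that CA issued; distinguishing A, B and C requires matching the subject DN, which is what this does. The filter syntax is an approximation of MQ's SSLPEER (comma-separated ATTR=value pairs, `*` as a leading or trailing wildcard, case-insensitive comparison, every filter attribute must be satisfied by the subject); positional handling of repeated attributes such as multiple OUs is deliberately left out. The three client certificates are constructed sample data in the dict layout that Python's `ssl.SSLSocket.getpeercert()` returns; the hypothetical `enforce()` helper is where such a check would sit on a real server socket opened with `verify_mode=CERT_REQUIRED`.

```python
"""SSLPEER-style subject filtering for a TLS listener (added example).

An approximation of MQ SSLPEER semantics: a comma-separated list of
ATTR=pattern pairs, '*' allowed as a leading or trailing wildcard, values
compared case-insensitively, and every pair in the filter must match some
attribute of the peer certificate's subject. Sample certificates below are
constructed in the dict layout that ssl.SSLSocket.getpeercert() returns.
"""

# getpeercert() spells attribute types out in full; map them to the short
# names used in SSLPEER strings.
SHORT_NAMES = {
    "commonName": "CN", "organizationName": "O",
    "organizationalUnitName": "OU", "countryName": "C",
    "stateOrProvinceName": "ST", "localityName": "L",
    "emailAddress": "E",
}


def subject_attrs(peercert):
    """Flatten getpeercert()['subject'] into a list of (ATTR, value) pairs."""
    attrs = []
    for rdn in peercert.get("subject", ()):
        for name, value in rdn:
            attrs.append((SHORT_NAMES.get(name, name).upper(), value))
    return attrs


def parse_filter(sslpeer):
    """Turn 'CN=foo,OU=bar' into [('CN', 'foo'), ('OU', 'bar')].

    An empty filter is rejected rather than treated as match-all, so a
    misconfigured listener fails closed instead of accepting every CA-issued cert.
    """
    pairs = []
    for part in sslpeer.split(","):
        if not part.strip():
            continue
        attr, sep, pattern = part.partition("=")
        if not sep or not attr.strip() or not pattern.strip():
            raise ValueError("bad SSLPEER component: %r" % part)
        pairs.append((attr.strip().upper(), pattern.strip()))
    if not pairs:
        raise ValueError("empty SSLPEER filter")
    return pairs


def value_matches(pattern, value):
    """Case-insensitive compare with '*' as a leading and/or trailing wildcard."""
    p, v = pattern.lower(), value.lower()
    if p == "*":
        return True
    if len(p) > 1 and p.startswith("*") and p.endswith("*"):
        return p[1:-1] in v
    if p.endswith("*"):
        return v.startswith(p[:-1])
    if p.startswith("*"):
        return v.endswith(p[1:])
    return p == v


def peer_allowed(peercert, sslpeer):
    """True only if every ATTR=pattern in the filter is satisfied by the subject."""
    attrs = subject_attrs(peercert)
    for attr, pattern in parse_filter(sslpeer):
        if not any(a == attr and value_matches(pattern, v) for a, v in attrs):
            return False
    return True


def enforce(sock, sslpeer):
    """Hypothetical post-handshake hook for a server-side ssl.SSLSocket created
    with verify_mode=CERT_REQUIRED: drop the connection on a subject mismatch.
    A missing peer cert (client auth not actually required) is also rejected."""
    cert = sock.getpeercert()
    if not cert or not peer_allowed(cert, sslpeer):
        sock.close()
        return False
    return True


# Constructed sample subjects: three clients whose certs chain to the same CA,
# mirroring SSLClientA/B/C in the post. The CA and organisation names are made up.
def make_cert(cn, ou):
    return {
        "subject": ((("countryName", "US"),),
                    (("organizationName", "Example Corp"),),
                    (("organizationalUnitName", ou),),
                    (("commonName", cn),)),
        "issuer": ((("commonName", "Example Public CA"),),),
    }


CLIENT_A = make_cert("SSLClientA", "DEV")
CLIENT_B = make_cert("SSLClientB", "QA")
CLIENT_C = make_cert("SSLClientC", "PROD")

# What the QA broker (WMB2) would pin to, expressed as an SSLPEER string.
WMB2_FILTER = "CN=SSLClientB,OU=QA,O=Example Corp"

if __name__ == "__main__":
    for label, cert in (("A", CLIENT_A), ("B", CLIENT_B), ("C", CLIENT_C)):
        verdict = "allowed" if peer_allowed(cert, WMB2_FILTER) else "rejected"
        print("SSLClient%s -> WMB2: %s" % (label, verdict))
```

The point of the example is the second layer of the check: the CA chain validation the product already does answers "is this a certificate we trust?", while `peer_allowed()` answers "is this the one client this listener is for?". Wildcards are useful for environment-wide rules (for instance `OU=QA,O=Example Corp` admitting every QA client), but for the per-flow pinning described in the post a full CN match is the safer default.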