T.Rob
2013-06-10 23:09:40 UTC
Hi Listers,
I wanted to toss around some hypothetical ideas about cert management. It's
probably the biggest impediment I see to enabling TLS channels across the
board so I'd like to start mapping the territory by kicking off a dialog
about where the gaps are and in what form they might be filled.
One of the MQ enhancements I've been lobbying for is TOFU - Trust On First
Use. An example of this is the warning you get when using SSH or SCP when
it says something along the lines of "Hey, this is a new certificate. Here
are the details. Do you want to trust it?"
Of course, with WMQ there's no trusting the certificate without putting it
into the KDB and running REFRESH SECURITY TYPE(SSL) so I would not expect
that this process would be automatic for existing queue managers. It might
instead store the certificate in a temporary queue and an Explorer plug-in
or command-line utility would interrogate the queue to tell the admin what
certs are pending.
There are a few problems I'm trying to solve here. One is that deployment
of a new cluster should be easy to do with TLS enabled. WAS ND creates a
lightweight CA, generates certificates and distributes keys throughout the
cluster, all without user involvement. I'd like that level of simplicity in
WMQ clusters. For a new QMgr, it would be fairly easy to do since the cert
would be generated prior to the QMgr starting up - so no REFRESH SECURITY in
most cases. If the repository was also the CA, it would not need a REFRESH
SECURITY since it would not need the cluster member's cert, but rather just
the static signer. The certs would include the cluster name and the
repository's signer. If you had taken the trouble to provision a non-admin
user ID for the MCAUSER, the appropriate CHLAUTH rules and SSLPEER would be
added as well.
The other problem I'd like to solve is where you have a 3rd party interface.
The business partner can usually tell you their cert is Verisign (or
whatever) but not necessarily *which* signer chain and root cert. Then it's
up to you to hunt around for the right signer on the CA's web site. Good
luck with that. On the other hand, it would be possible to capture the
signer cert from the inbound connection and either display its attributes or
even load it directly to the KDB. There are, of course, a few issues with
loading whatever cert is presented. The first issue being that the root CA
certs are distributed with GSKit (and Windows, and Mozilla, and Safari,
etc.) for a reason. I could create a root CA signer cert with a
DN="VeriSign Class 3 Public Primary Certification Authority - G5" and a
signer with the appropriate DN. If I could get my QMgr between you and your
business partner, and if all you checked was the DN and not the fingerprint
or serial number, then you might trust *my* cert thinking it's Verisign.
Not good. If the cert you are accepting is expected to have been signed by
a commercial CA it would be best to fetch the signer chain from the source.
Or maybe to compare the one received to the ones distributed with GSKit so
you know you have a good one before loading it. After verifying that the
cert received is signed by a "known good" cert, the only thing left is to
make sure the Distinguished Name is the one you are expecting.
Finally, we are probably all familiar by now with the issue where the remote
site's certificate expires and the channels die. It's pretty tough to
diagnose this remotely and you get no warning. On the other hand, it's
possible to inspect the other side's cert during the TLS handshake and parse
the expiration date. With that information it would be possible to write an
error log entry, send a PCF event message, send an email or whatever,
notifying the local admin "hey the cert on the other side of channel X.Y.Z
expires soon!" This might avert an occasional outage, yes?
All of this can be automated to some degree or another. I'm curious how
useful people think it would be to do this. Assuming it is considered
useful, then what type of security controls would you need before, for
example, adding the remote cert signer chain to your KDB? Would you want
the information about the remote side's signer chain so you could manually
download and add the appropriate certs from the commercial CA? Would you
want the typical TOFU message (hey, I'm being presented with an unknown
certificate do you want to trust it?) followed by the utility adding the
cert signer chain for you? If so does that require an Explorer dialog,
command line utility or both?
All of this is hypothetical. There may or may not be similar functionality
planned for a future release, frankly I don't know. What I'm more
interested in is to map out the missing function and then flesh it out a bit
in terms of how it might be implemented. Then I'd like to stand up a
prototype that we could build on and which would get us even further down
the road. Anyone interested?
-- T.Rob
To unsubscribe, write to LISTSERV-0lvw86wZMd9k/bWDasg6f+***@public.gmane.org and,
in the message body (not the subject), write: SIGNOFF MQSERIES
Instructions for managing your mailing list subscription are provided in
the Listserv General Users Guide available at http://www.lsoft.com
Archive: http://listserv.meduniwien.ac.at/archives/mqser-l.html
I wanted to toss around some hypothetical ideas about cert management. It's
probably the biggest impediment I see to enabling TLS channels across the
board so I'd like to start mapping the territory by kicking off a dialog
about where the gaps are and in what form they might be filled.
One of the MQ enhancements I've been lobbying for is TOFU - Trust On First
Use. An example of this is the warning you get when using SSH or SCP when
it says something along the lines of "Hey, this is a new certificate. Here
are the details. Do you want to trust it?"
Of course, with WMQ there's no trusting the certificate without putting it
into the KDB and running REFRESH SECURITY TYPE(SSL) so I would not expect
that this process would be automatic for existing queue managers. It might
instead store the certificate in a temporary queue and an Explorer plug-in
or command-line utility would interrogate the queue to tell the admin what
certs are pending.
There are a few problems I'm trying to solve here. One is that deployment
of a new cluster should be easy to do with TLS enabled. WAS ND creates a
lightweight CA, generates certificates and distributes keys throughout the
cluster, all without user involvement. I'd like that level of simplicity in
WMQ clusters. For a new QMgr, it would be fairly easy to do since the cert
would be generated prior to the QMgr starting up - so no REFRESH SECURITY in
most cases. If the repository was also the CA, it would not need a REFRESH
SECURITY since it would not need the cluster member's cert, but rather just
the static signer. The certs would include the cluster name and the
repository's signer. If you had taken the trouble to provision a non-admin
user ID for the MCAUSER, the appropriate CHLAUTH rules and SSLPEER would be
added as well.
The other problem I'd like to solve is where you have a 3rd party interface.
The business partner can usually tell you their cert is Verisign (or
whatever) but not necessarily *which* signer chain and root cert. Then it's
up to you to hunt around for the right signer on the CA's web site. Good
luck with that. On the other hand, it would be possible to capture the
signer cert from the inbound connection and either display its attributes or
even load it directly to the KDB. There are, of course, a few issues with
loading whatever cert is presented. The first issue being that the root CA
certs are distributed with GSKit (and Windows, and Mozilla, and Safari,
etc.) for a reason. I could create a root CA signer cert with a
DN="VeriSign Class 3 Public Primary Certification Authority - G5" and a
signer with the appropriate DN. If I could get my QMgr between you and your
business partner, and if all you checked was the DN and not the fingerprint
or serial number, then you might trust *my* cert thinking it's Verisign.
Not good. If the cert you are accepting is expected to have been signed by
a commercial CA it would be best to fetch the signer chain from the source.
Or maybe to compare the one received to the ones distributed with GSKit so
you know you have a good one before loading it. After verifying that the
cert received is signed by a "known good" cert, the only thing left is to
make sure the Distinguished Name is the one you are expecting.
Finally, we are probably all familiar by now with the issue where the remote
site's certificate expires and the channels die. It's pretty tough to
diagnose this remotely and you get no warning. On the other hand, it's
possible to inspect the other side's cert during the TLS handshake and parse
the expiration date. With that information it would be possible to write an
error log entry, send a PCF event message, send an email or whatever,
notifying the local admin "hey the cert on the other side of channel X.Y.Z
expires soon!" This might avert an occasional outage, yes?
All of this can be automated to some degree or another. I'm curious how
useful people think it would be to do this. Assuming it is considered
useful, then what type of security controls would you need before, for
example, adding the remote cert signer chain to your KDB? Would you want
the information about the remote side's signer chain so you could manually
download and add the appropriate certs from the commercial CA? Would you
want the typical TOFU message (hey, I'm being presented with an unknown
certificate do you want to trust it?) followed by the utility adding the
cert signer chain for you? If so does that require an Explorer dialog,
command line utility or both?
All of this is hypothetical. There may or may not be similar functionality
planned for a future release, frankly I don't know. What I'm more
interested in is to map out the missing function and then flesh it out a bit
in terms of how it might be implemented. Then I'd like to stand up a
prototype that we could build on and which would get us even further down
the road. Anyone interested?
-- T.Rob
To unsubscribe, write to LISTSERV-0lvw86wZMd9k/bWDasg6f+***@public.gmane.org and,
in the message body (not the subject), write: SIGNOFF MQSERIES
Instructions for managing your mailing list subscription are provided in
the Listserv General Users Guide available at http://www.lsoft.com
Archive: http://listserv.meduniwien.ac.at/archives/mqser-l.html