ASG
IBM
Zystems
Cressida
Icon
Netflexity
 
  MQSeries.net
Search  Search       Tech Exchange      Education      Certifications      Library      Info Center      SupportPacs      LinkedIn  Search  Search                                                                   FAQ  FAQ   Usergroups  Usergroups
 
Register  ::  Log in Log in to check your private messages
 
RSS Feed - WebSphere MQ Support RSS Feed - Message Broker Support

MQSeries.net Forum IndexWebSphere Message Broker SupportTwo keys in IIB v 10 keystore

Post new topicReply to topic
Two keys in IIB v 10 keystore View previous topic :: View next topic
Author Message
Esa
PostPosted: Wed Dec 04, 2019 6:54 am Post subject: Two keys in IIB v 10 keystore Reply with quote

Grand Master

Joined: 22 May 2008
Posts: 1387
Location: Finland

I need to use a separate key for for https client connections to an external endpoint.

Two keys can be put in the broker keystore and a policy can be used to tell what key label to use for the https connection. But I cannot find a way to tell IIB itself what label to choose. It seems to like selecting the wrong label. You cannot set the alias in Broker Registry. Is there a way to make IIB use a named key?

Or does IIB use some rule for selecting the label? Not alphabetical order, anyway, but maybe IIB selects the one that is added last?
Back to top
View user's profile Send private message
fjb_saper
PostPosted: Wed Dec 04, 2019 9:09 pm Post subject: Re: Two keys in IIB v 10 keystore Reply with quote

Grand High Poobah

Joined: 18 Nov 2003
Posts: 20382
Location: LI,NY

Esa wrote:
I need to use a separate key for for https client connections to an external endpoint.

Two keys can be put in the broker keystore and a policy can be used to tell what key label to use for the https connection. But I cannot find a way to tell IIB itself what label to choose. It seems to like selecting the wrong label. You cannot set the alias in Broker Registry. Is there a way to make IIB use a named key?

Or does IIB use some rule for selecting the label? Not alphabetical order, anyway, but maybe IIB selects the one that is added last?

You should be able to specify the key label on the HTTP request node that you are hopefully using for your connection to the endpoint.
_________________
MQ & Broker admin
Back to top
View user's profile Send private message Send e-mail
Esa
PostPosted: Thu Dec 05, 2019 1:25 am Post subject: Reply with quote

Grand Master

Joined: 22 May 2008
Posts: 1387
Location: Finland

Yes, but if I for example open IIB web admin with https, the certificate that is sent may be the wrong one.
Back to top
View user's profile Send private message
PeterPotkay
PostPosted: Thu Dec 05, 2019 4:37 am Post subject: Reply with quote

Poobah

Joined: 15 May 2001
Posts: 7623

Esa wrote:
Yes, but if I for example open IIB web admin with https, the certificate that is sent may be the wrong one.


And so the software the SSL Client is relying on (in your example, the browser) must inspect the presented certificate and determine if its valid.
Are its dates still valid?
Is it signed by a Certificate Authority we trust?
Is it not revoked by that Certificate Authority?
Does it contain the hostname in the SAN field that matches the hostname I addressed?

Do not pin an SSL partner's individual leaf certificate into your trust store. It does not scale. At some point you have to trust the design of a PKI when using SSL.

If you are using self signed certificates, you have no choice but to pin.
If you and your SSL partner do not share a mutually trusted Certificate Authority, you have no choice but to pin.
But otherwise avoid storing SSL partners' individual leaf certificates.

Esa wrote:
the certificate that is sent may be the wrong one.

The same concern should be present even if you decided to pin the leaf. How do you know the cert you are about to pin is the correct one? All the things you would check for (and more!) can and should be done by the software when using a PKI and certificates signed by mutually trusted Certificate Authorities.
_________________
Peter Potkay
Keep Calm and MQ On
Back to top
View user's profile Send private message
Esa
PostPosted: Thu Dec 05, 2019 6:22 am Post subject: Reply with quote

Grand Master

Joined: 22 May 2008
Posts: 1387
Location: Finland

Suppose your IIB has a key that is signed by a trusted CA and you add a self-signed certificate that supposed to be used only when the IIB acts as a https client for a specific external service.

Then, after a restart the node pics up the key with the self-signed certificate an starts using it when serving its own clients. That is the problem that Im facing.

My question is if there is a way to tell IIB what key to use for its own server identity instead of picking a key in random.
Back to top
View user's profile Send private message
PeterPotkay
PostPosted: Thu Dec 05, 2019 8:22 am Post subject: Reply with quote

Poobah

Joined: 15 May 2001
Posts: 7623

Create two cert stores.
A Keystore for the Broker to identify itself. Will only contain its private key chain.
A Truststore for trusting SSL partners. Will only contain the Root/Intermediate certs of trusted CAs. No leafs. No signer certs for CAs that aren't invited to the party.
_________________
Peter Potkay
Keep Calm and MQ On
Back to top
View user's profile Send private message
fjb_saper
PostPosted: Fri Dec 06, 2019 3:10 am Post subject: Reply with quote

Grand High Poobah

Joined: 18 Nov 2003
Posts: 20382
Location: LI,NY

Is there no (key)label available in the mqsichangeproperties when you enable the node or integration server to use https? I would expect that to be the cert presented by the broker by default.
_________________
MQ & Broker admin
Back to top
View user's profile Send private message Send e-mail
Esa
PostPosted: Sun Dec 08, 2019 11:34 pm Post subject: Reply with quote

Grand Master

Joined: 22 May 2008
Posts: 1387
Location: Finland

fjb_saper wrote:
Is there no (key)label available in the mqsichangeproperties when you enable the node or integration server to use https? I would expect that to be the cert presented by the broker by default.


Oh yes, there is keyAlias parameter that you can set for HTTPSConnector object. I have missed it for some reason. Thanks!
Back to top
View user's profile Send private message
Display posts from previous:
Post new topicReply to topic Page 1 of 1

MQSeries.net Forum IndexWebSphere Message Broker SupportTwo keys in IIB v 10 keystore
Jump to:



You cannot post new topics in this forum
You cannot reply to topics in this forum
You cannot edit your posts in this forum
You cannot delete your posts in this forum
You cannot vote in polls in this forum
Protected by Anti-Spam ACP


Theme by Dustin Baccetti
Powered by phpBB 2001, 2002 phpBB Group

Copyright MQSeries.net. All rights reserved.