ASG
IBM
Zystems
Cressida
Icon
Netflexity
 
  MQSeries.net
Search  Search       Tech Exchange      Education      Certifications      Library      Info Center      SupportPacs      LinkedIn  Search  Search                                                                   FAQ  FAQ   Usergroups  Usergroups
 
Register  ::  Log in Log in to check your private messages
 
RSS Feed - WebSphere MQ Support RSS Feed - Message Broker Support

MQSeries.net Forum Index » IBM MQ Security » MQ AMS and existing certificates

Post new topic  Reply to topic
 MQ AMS and existing certificates « View previous topic :: View next topic » 
Author Message
zpat
PostPosted: Mon Mar 14, 2022 7:13 am    Post subject: MQ AMS and existing certificates Reply with quote

Jedi Council

Joined: 19 May 2001
Posts: 5849
Location: UK

Our MQ infrastructure means that each MQ client already has a certificate issued by our own CA.

Clients might be C based or Java/JMS based. Typically Linux hosted.

Our MQ QMs likewise have a certificate issued by our own CA.

QMs in this case are mainly z/OS based (but might be distributed).

Let's assume MQ v9.0 or higher will be used.

The keystores (or keyrings) will hold both one "personal" certificate and the internal CA signer certificates (trusted signers).

So far so good, so we can use TLS 1.2 on all MQ channels internally.

Now we want some applications to use AMS to either sign or encrypt messages on certain queues, between client app A and client app B.

Do we need to obtain more certificates to do this? Or can we re-use the certificates we already have?

Is there an idiots guide or presentation on this anywhere please?

Am I right to think that the QM cert is not involved with this AMS aspect since both ends are client applications?
_________________
Well, I don't think there is any question about it. It can only be attributable to human error. This sort of thing has cropped up before, and it has always been due to human error.
Back to top
View user's profile Send private message
hughson
PostPosted: Mon Mar 14, 2022 8:13 pm    Post subject: Re: MQ AMS and existing certificates Reply with quote

Padawan

Joined: 09 May 2013
Posts: 1914
Location: Bay of Plenty, New Zealand

zpat wrote:
Now we want some applications to use AMS to either sign or encrypt messages on certain queues, between client app A and client app B.

Do we need to obtain more certificates to do this? Or can we re-use the certificates we already have?


No - you can use the same ones, but you will have to put client app A's certificate into client app B's keystore and vice versa - no certificate delivery efficiency gained from CA certificates here because no "handshake".

zpat wrote:
Am I right to think that the QM cert is not involved with this AMS aspect since both ends are client applications?


You are correct.

Cheers,
Morag
_________________
Morag Hughson @MoragHughson
IBM MQ Technical Education Specialist
Get your IBM MQ training here!
MQGem Software
Back to top
View user's profile Send private message Visit poster's website
zpat
PostPosted: Mon Mar 14, 2022 11:27 pm    Post subject: Reply with quote

Jedi Council

Joined: 19 May 2001
Posts: 5849
Location: UK

Thanks.

OK, so they need to add each other's personal certificates into their keystores.

It that a simple case of "export" and "import" using the MQ key management tool?

I get confused about exporting/importing private/public keys.

Of course we will need to renew the certs everywhere as well - another dimension to worry about.

How does one enable AMS on a MQ client application? Is it automatic if the queue in question has a policy set up?
_________________
Well, I don't think there is any question about it. It can only be attributable to human error. This sort of thing has cropped up before, and it has always been due to human error.
Back to top
View user's profile Send private message
hughson
PostPosted: Tue Mar 15, 2022 1:26 am    Post subject: Reply with quote

Padawan

Joined: 09 May 2013
Posts: 1914
Location: Bay of Plenty, New Zealand

zpat wrote:
How does one enable AMS on a MQ client application? Is it automatic if the queue in question has a policy set up?

You may find the following tutorials in the IBM Docs helpful in this regard, User scenarios for AMS.

There is a Windows and Unix Quick start and a Java Quick start. It should cover all you need, including enabling AMS on the client and the "extract" and "add" commands you need for the certificates.

Cheers,
Morag
_________________
Morag Hughson @MoragHughson
IBM MQ Technical Education Specialist
Get your IBM MQ training here!
MQGem Software
Back to top
View user's profile Send private message Visit poster's website
zpat
PostPosted: Wed Apr 06, 2022 6:11 am    Post subject: Reply with quote

Jedi Council

Joined: 19 May 2001
Posts: 5849
Location: UK

Yes, this is a key paragraph

Quote:
Share the certificates between the two key databases so that each user can successfully identify the other. This is done by extracting each user's public certificate to a file, which is then added to the other user's key database.

Note: Take care to use the extract option, and not the export option. Extract gets the user's public key, whereas export gets both the public and private key. Using export by mistake would completely compromise your application, by passing on its private key.


I had someone trying to tell me that we needed different certificates (from our normal MQ client ones) for AMS because the other end had to hold the sender's cert. However that is missing the point of PKI entirely.

However the KC examples are using self-signed certificates. My question is about using AMS with CA signed certificates.

Is it still necessary to extract the public key from the personal cert or is the CA signer cert all that is needed at the recipient end?

If the latter - what stops anyone with the CA signer cert reading the message?
_________________
Well, I don't think there is any question about it. It can only be attributable to human error. This sort of thing has cropped up before, and it has always been due to human error.
Back to top
View user's profile Send private message
hughson
PostPosted: Thu Apr 07, 2022 8:00 pm    Post subject: Reply with quote

Padawan

Joined: 09 May 2013
Posts: 1914
Location: Bay of Plenty, New Zealand

zpat wrote:
Is it still necessary to extract the public key from the personal cert or is the CA signer cert all that is needed at the recipient end?

The CA signer cert plays no part in AMS encryption at all.

The public key is needed for the specific DN in the policy in order to encrypt the message so that only the owner of that matching private key can decrypt.

Cheers,
Morag
_________________
Morag Hughson @MoragHughson
IBM MQ Technical Education Specialist
Get your IBM MQ training here!
MQGem Software
Back to top
View user's profile Send private message Visit poster's website
zpat
PostPosted: Fri Apr 08, 2022 8:31 am    Post subject: Reply with quote

Jedi Council

Joined: 19 May 2001
Posts: 5849
Location: UK

OK, I thought PKI meant encrypt with private key and decrypt with public key (like web pages).

But you are saying encrypt with the public key of the recipient and then they can decrypt with their private key.

What happens if a AMS message is allowed to be read by multiple recipients?

It's slightly unfortunate that all the examples I can find use self-signed certificates.

We seem to be on the verge of adopting AMS for a number of reasons (including use of cloud hosting) and the subsequent key/cert management has the potential to become a nightmare.

I am hoping we can use our existing (Internal CA issued) certs, but it sounds like at cert renewal time it will mean updating copies of their public keys all over the place.

In a 24x7 environment with large numbers of customers, that is quite daunting - when do I retire again?
_________________
Well, I don't think there is any question about it. It can only be attributable to human error. This sort of thing has cropped up before, and it has always been due to human error.
Back to top
View user's profile Send private message
fjb_saper
PostPosted: Fri Apr 08, 2022 8:59 am    Post subject: Reply with quote

Grand High Poobah

Joined: 18 Nov 2003
Posts: 20696
Location: LI,NY

zpat wrote:
OK, I thought PKI meant encrypt with private key and decrypt with public key (like web pages).

But you are saying encrypt with the public key of the recipient and then they can decrypt with their private key.

What happens if a AMS message is allowed to be read by multiple recipients?

It's slightly unfortunate that all the examples I can find use self-signed certificates.

We seem to be on the verge of adopting AMS for a number of reasons (including use of cloud hosting) and the subsequent key/cert management has the potential to become a nightmare.

I am hoping we can use our existing (Internal CA issued) certs, but it sounds like at cert renewal time it will mean updating copies of their public keys all over the place.

In a 24x7 environment with large numbers of customers, that is quite daunting - when do I retire again?


Same as when you have a list of selfsigned certs. The system uses (I believe a DH algo) to go over all keys and then encrypts the message with the resulting key. This means that all recipients can decrypt...
_________________
MQ & Broker admin
Back to top
View user's profile Send private message Send e-mail
zpat
PostPosted: Fri Apr 08, 2022 12:24 pm    Post subject: Reply with quote

Jedi Council

Joined: 19 May 2001
Posts: 5849
Location: UK

Clever stuff.

Not sure if I should view the resulting application keystore maintenance as a nightmare or as "job security".

It's not so bad on distributed as they give MQ admins free rein on those platforms, but on Ye Olde mainframes we have to ask security nicely for keyring changes at some ungodly hour of the night.


_________________
Well, I don't think there is any question about it. It can only be attributable to human error. This sort of thing has cropped up before, and it has always been due to human error.
Back to top
View user's profile Send private message
Display posts from previous:   
Post new topic  Reply to topic Page 1 of 1

MQSeries.net Forum Index » IBM MQ Security » MQ AMS and existing certificates
Jump to:  



You cannot post new topics in this forum
You cannot reply to topics in this forum
You cannot edit your posts in this forum
You cannot delete your posts in this forum
You cannot vote in polls in this forum
Protected by Anti-Spam ACP
 
 


Theme by Dustin Baccetti
Powered by phpBB © 2001, 2002 phpBB Group

Copyright © MQSeries.net. All rights reserved.