ASG
IBM
Zystems
Cressida
Icon
Netflexity
 
  MQSeries.net
Search  Search       Tech Exchange      Education      Certifications      Library      Info Center      SupportPacs      LinkedIn  Search  Search                                                                   FAQ  FAQ   Usergroups  Usergroups
 
Register  ::  Log in Log in to check your private messages
 
RSS Feed - WebSphere MQ Support RSS Feed - Message Broker Support

MQSeries.net Forum Index » IBM MQ Security » How good is this SSL setting for clients?

Post new topic  Reply to topic
 How good is this SSL setting for clients? « View previous topic :: View next topic » 
Author Message
pcelari
PostPosted: Fri Aug 09, 2019 12:29 pm    Post subject: How good is this SSL setting for clients? Reply with quote

Chevalier

Joined: 31 Mar 2006
Posts: 411
Location: New York

Greetings.

I recently inherited a SSL setting for clients that use MQClient to connect to our service queues. There're hundreds of such clients. The current setting is like this: I make a copy of the qmgr's kdb files including password stash file, remove the qmgr certificate with the label 'ibmwebspheremqqmgrname', but keep all the Signer Chain of certificates in the kdb; then distribute these files together with the CCTD and related files to all clients.

It is my understanding, when I create a certificate request, a secret key is generated. But when the clients receives the package of kdb files, there is no secret key among the signer chain. The only thing that can be trusted is the client is in possession of the signer chain, and nothing more. If someone gives the same package to another party, in theory that party would be able to connect to our qmgr.

I'm not knowledge enough to judge if this is a secure setting. Of course I can also see, if we start creating a certreq for each client, get it signed and receive it into the kdb, each client will have a secret key. But we would end up being responsible for hundred of clients' certificate maintenance - an impossible task.

So overall, how good is such a SSL setting? Any comment would be appreciated.
_________________
pcelari
-----------------------------------------
- a master of always being a newbie
Back to top
View user's profile Send private message
Vitor
PostPosted: Fri Aug 09, 2019 12:45 pm    Post subject: Reply with quote

Grand High Poobah

Joined: 11 Nov 2005
Posts: 26093
Location: Texas, USA

Are they actually trying to authenticate the clients, or just encrypt the traffic?
_________________
Honesty is the best policy.
Insanity is the best defence.
Back to top
View user's profile Send private message
pcelari
PostPosted: Fri Aug 09, 2019 2:48 pm    Post subject: Reply with quote

Chevalier

Joined: 31 Mar 2006
Posts: 411
Location: New York

I just don't see there can be any authentication. There is of course a one-sided one, as the clients can be sure they are sending to the right destination. On the other hand, anyone with the set of kdb files will be able to send encrypted message to us. But isn't that dangerous? On the other hand, isn't that the way web pages communicate with web servers?

I'd like to know if there is anything really bad with this setting?
_________________
pcelari
-----------------------------------------
- a master of always being a newbie
Back to top
View user's profile Send private message
fjb_saper
PostPosted: Fri Aug 09, 2019 9:00 pm    Post subject: Reply with quote

Grand High Poobah

Joined: 18 Nov 2003
Posts: 20696
Location: LI,NY

It all depends on your signer chain. If your cert is CA signed that means the whole world can communicate with you. You might want to require Client Authentication and add records for SSLPEER and Issuer DN into the channel authentication...
Now that seems not really feasible when you have hundreds of clients, or rather looks like a Herculean task. However if you do not add the serial number you should be good until the signer chain changes even though the client renewed their cert...

Have fun
_________________
MQ & Broker admin
Back to top
View user's profile Send private message Send e-mail
Vitor
PostPosted: Mon Aug 12, 2019 5:06 am    Post subject: Reply with quote

Grand High Poobah

Joined: 11 Nov 2005
Posts: 26093
Location: Texas, USA

pcelari wrote:
I just don't see there can be any authentication. There is of course a one-sided one, as the clients can be sure they are sending to the right destination.


That was kinda the point of my question. Depending on their risk appetite / network security / site rules / message content they might just be trying to encrypt the data on the understanding that messages from bad actors are excluded by other means.

I'm not judging the fitness of the solution because I don't know all the facts, but it's plausible that if they have messages with low sensitivity on a network with good external controls, the risk / benefit calculation might have led them to save a little maintenance money with this layout.
_________________
Honesty is the best policy.
Insanity is the best defence.
Back to top
View user's profile Send private message
Display posts from previous:   
Post new topic  Reply to topic Page 1 of 1

MQSeries.net Forum Index » IBM MQ Security » How good is this SSL setting for clients?
Jump to:  



You cannot post new topics in this forum
You cannot reply to topics in this forum
You cannot edit your posts in this forum
You cannot delete your posts in this forum
You cannot vote in polls in this forum
Protected by Anti-Spam ACP
 
 


Theme by Dustin Baccetti
Powered by phpBB © 2001, 2002 phpBB Group

Copyright © MQSeries.net. All rights reserved.