Esa
Posted: Wed Dec 04, 2019 6:54 am    Post subject: Two keys in IIB v 10 keystore

I need to use a separate key for https client connections to an external endpoint.
Two keys can be put in the broker keystore and a policy can be used to tell what key label to use for the https connection. But I cannot find a way to tell IIB itself what label to choose. It seems to like selecting the wrong label. You cannot set the alias in Broker Registry. Is there a way to make IIB use a named key?
Or does IIB use some rule for selecting the label? Not alphabetical order, anyway, but maybe IIB selects the one that is added last?
fjb_saper
Posted: Wed Dec 04, 2019 9:09 pm    Post subject: Re: Two keys in IIB v 10 keystore

Esa wrote:
> I need to use a separate key for https client connections to an external endpoint.
> Two keys can be put in the broker keystore and a policy can be used to tell what key label to use for the https connection. But I cannot find a way to tell IIB itself what label to choose. It seems to like selecting the wrong label. You cannot set the alias in Broker Registry. Is there a way to make IIB use a named key?
> Or does IIB use some rule for selecting the label? Not alphabetical order, anyway, but maybe IIB selects the one that is added last?

You should be able to specify the key label on the HTTP request node that you are hopefully using for your connection to the endpoint.
_________________
MQ & Broker admin
Esa
Posted: Thu Dec 05, 2019 1:25 am    Post subject:

Yes, but if I for example open IIB web admin with https, the certificate that is sent may be the wrong one.
PeterPotkay
Posted: Thu Dec 05, 2019 4:37 am    Post subject:

Esa wrote:
> Yes, but if I for example open IIB web admin with https, the certificate that is sent may be the wrong one.

And so the software the SSL Client is relying on (in your example, the browser) must inspect the presented certificate and determine if it's valid.
Are its dates still valid?
Is it signed by a Certificate Authority we trust?
Is it not revoked by that Certificate Authority?
Does it contain the hostname in the SAN field that matches the hostname I addressed?
Do not pin an SSL partner's individual leaf certificate into your trust store. It does not scale. At some point you have to trust the design of a PKI when using SSL.
If you are using self signed certificates, you have no choice but to pin.
If you and your SSL partner do not share a mutually trusted Certificate Authority, you have no choice but to pin.
But otherwise avoid storing SSL partners' individual leaf certificates.

Esa wrote:
> the certificate that is sent may be the wrong one.

The same concern should be present even if you decided to pin the leaf. How do you know the cert you are about to pin is the correct one? All the things you would check for (and more!) can and should be done by the software when using a PKI and certificates signed by mutually trusted Certificate Authorities.
_________________
Peter Potkay
Keep Calm and MQ On
Esa
Posted: Thu Dec 05, 2019 6:22 am    Post subject:

Suppose your IIB has a key that is signed by a trusted CA and you add a self-signed certificate that is supposed to be used only when the IIB acts as a https client for a specific external service.
Then, after a restart the node picks up the key with the self-signed certificate and starts using it when serving its own clients. That is the problem that I'm facing.
My question is if there is a way to tell IIB what key to use for its own server identity instead of picking a key at random.
PeterPotkay
Posted: Thu Dec 05, 2019 8:22 am    Post subject:

Create two cert stores.
A Keystore for the Broker to identify itself. Will only contain its private key chain.
A Truststore for trusting SSL partners. Will only contain the Root/Intermediate certs of trusted CAs. No leafs. No signer certs for CAs that aren't invited to the party.
_________________
Peter Potkay
Keep Calm and MQ On
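The checklist from PeterPotkay's earlier post (dates, trusted CA, SAN matching the hostname) and the separate truststore from this one, turned into an added example that is not from the thread: a Python 3 client, using only the standard `ssl` module, that records which leaf certificate a listener actually presents and applies those checks, so a node that starts serving the wrong key after a restart shows up as a failed check. The host, port, truststore path and the sample certificate dict are constructed assumptions.

```python
import socket
import ssl
import time


def fetch_presented_cert(host, port, cafile, timeout=5.0):
    """TLS-connect and return the leaf cert the server presents (ssl.getpeercert() dict).
    The context trusts only signers in cafile (the truststore) and enforces the SAN check."""
    ctx = ssl.create_default_context(cafile=cafile)
    ctx.check_hostname = True
    with socket.create_connection((host, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            return tls.getpeercert()


def hostname_matches(name, host):
    """Exact match, or a single '*' as the leftmost label (no partial wildcards)."""
    name, host = name.lower(), host.lower()
    if name == host:
        return True
    if name.startswith("*.") and "*" not in name[2:] and "." in host:
        return host.split(".", 1)[1] == name[2:]
    return False


def check_presented_cert(cert, expected_host, now=None):
    """Apply the checks from the post to a getpeercert()-style dict; returns a list of
    problems (empty = passed). CA trust is enforced by the TLS context above; revocation
    (CRL/OCSP) is not checked by Python's ssl module and must be done separately."""
    now = time.time() if now is None else now
    problems = []
    if now < ssl.cert_time_to_seconds(cert["notBefore"]):
        problems.append("certificate not yet valid")
    if now > ssl.cert_time_to_seconds(cert["notAfter"]):
        problems.append("certificate expired")
    names = [v for k, v in cert.get("subjectAltName", ()) if k == "DNS"]
    if not names:
        problems.append("no DNS SAN entries (CN-only certificates are rejected)")
    elif not any(hostname_matches(n, expected_host) for n in names):
        problems.append("no SAN matches %s (got %s)" % (expected_host, ", ".join(names)))
    return problems


# Constructed sample in the shape ssl.getpeercert() returns, so the checks run offline.
SAMPLE_CERT = {
    "subject": ((("commonName", "iib.example.com"),),),
    "notBefore": "Dec  1 00:00:00 2019 GMT",
    "notAfter": "Dec  1 00:00:00 2020 GMT",
    "subjectAltName": (("DNS", "iib.example.com"), ("DNS", "*.iib.example.com")),
}
```

Against a live listener, `check_presented_cert(fetch_presented_cert("iib.example.com", 7843, "truststore.pem"), "iib.example.com")` is the whole check; if the node presents a key whose certificate is not signed by a CA in the truststore, the handshake itself fails with a verification error, which is the signal you want.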
fjb_saper
Posted: Fri Dec 06, 2019 3:10 am    Post subject:

Is there no (key)label available in the mqsichangeproperties when you enable the node or integration server to use https? I would expect that to be the cert presented by the broker by default.
_________________
MQ & Broker admin
Esa
Posted: Sun Dec 08, 2019 11:34 pm    Post subject:

fjb_saper wrote:
> Is there no (key)label available in the mqsichangeproperties when you enable the node or integration server to use https? I would expect that to be the cert presented by the broker by default.

Oh yes, there is a keyAlias parameter that you can set for the HTTPSConnector object. I have missed it for some reason. Thanks!