Best practices for TLS
blorro
Posted: Thu Jun 24, 2021 3:58 am Post subject: Best practices for TLS
Acolyte
Joined: 09 Jan 2014 Posts: 57 Location: Sweden
What kind of strategies are you implementing in your MQ shops for handling TLS?
- Are you using anonymous authentication for simplicity and using SSLPEER, or are you all going on mutual authentication all the way? Both client-to-QM and QM-to-QM connections?
Where can we be smart, making it manageable (140+ queue managers atm, running z, A400 and Windows)?
Pointers, advice, past experiences will be gratefully accepted.
_________________
"Anything is possible, all the time."
RogerLacroix
Posted: Fri Jun 25, 2021 9:44 am Post subject: Re: Best practices for TLS
Jedi Knight
Joined: 15 May 2001 Posts: 3258 Location: London, ON Canada
blorro wrote:
Are you using anonymous authentication for simplicity and using SSLPEER, or are you all going on mutual authentication all the way?
From what my customers that use SSL/TLS are telling me, almost all are using server-side (anonymous) authentication.
blorro wrote:
Where can we be smart, making it manageable (140+ queue managers atm, running z, A400 and Windows)?
Don't forget to include asking about SSL/TLS management of the certificates. SSL/TLS certificates expire yearly. I don't know how long it would take to push/renew certificates for 140 queue managers with new certificates, but it is NOT a 5 minute job.
Now if you go with mutual authentication, then you have to update all MQ clients (thousands??) and the 140 queue managers each year. You definitely will need to make sure your management is up to speed on the number of man/woman hours or days needed to complete the yearly task.
<Vendor_Plug>
An alternative to SSL/TLS is to use Capitalware's MQ Channel Encryption solution. There is no yearly SSL/TLS certificate management.
If you prefer an end-to-end encryption solution then have a look at MQ Message Encryption.
</Vendor_Plug>
Regards,
Roger Lacroix
Capitalware Inc.
_________________
Capitalware: Transforming tomorrow into today.
blorro
Posted: Fri Jul 02, 2021 5:43 am Post subject: Re: Best practices for TLS
Acolyte
Joined: 09 Jan 2014 Posts: 57 Location: Sweden
RogerLacroix wrote:
blorro wrote:
Are you using anonymous authentication for simplicity and using SSLPEER, or are you all going on mutual authentication all the way?
From what my customers that use SSL/TLS are telling me, almost all are using server-side (anonymous) authentication.
blorro wrote:
Where can we be smart, making it manageable (140+ queue managers atm, running z, A400 and Windows)?
Don't forget to include asking about SSL/TLS management of the certificates. SSL/TLS certificates expire yearly. I don't know how long it would take to push/renew certificates for 140 queue managers with new certificates, but it is NOT a 5 minute job.
Now if you go with mutual authentication, then you have to update all MQ clients (thousands??) and the 140 queue managers each year. You definitely will need to make sure your management is up to speed on the number of man/woman hours or days needed to complete the yearly task.
<Vendor_Plug>
An alternative to SSL/TLS is to use Capitalware's MQ Channel Encryption solution. There is no yearly SSL/TLS certificate management.
If you prefer an end-to-end encryption solution then have a look at MQ Message Encryption.
</Vendor_Plug>
Regards,
Roger Lacroix
Capitalware Inc.
Thank you for your reply, it provides big value for me!
_________________
"Anything is possible, all the time."