MQSeries.net Forum Index » WebSphere Message Broker (ACE) Support » SSL for WMB - generating the certs

Mut1ey
Posted: Thu Aug 20, 2009 3:01 pm

Acolyte

Joined: 07 Oct 2005
Posts: 74
Location: England

Quote:
What about the truststore? We created a separate trust store for the Broker and a separate keystore. Should we just combine the 2 into one?

In all the MQ documentation that I can recall at the moment, I don't remember them ever saying that MQ needed / could have a separate trust store from the key store. But the Broker does offer it (or require it?). Why the diff?


Logical Keystore - for your cert and private key
Logical Truststore - your CA certs

Merely semantics. GSK7 allows you to store both in the same underlying physical "store". Logically, the keystore is used when you "send". The truststore when you authenticate "receipt". I think the distinction and logical separation has arisen from the half-way-house security of non-mutual authentication - one-way authentication? From the broker 6.1 manuals:

"A client requires a personal certificate only if the client must authenticate to the server when mutual authentication is enabled.

To allow a client to authenticate to a server, a server keystore file contains the private key and the certificate of the server and the certificates of its CA. A client truststore file must contain the signer certificates of the CAs of each server to which the client must authenticate."

So if the client does not have its own certificate (so no need for a keystore), it can kind of authenticate the servers it connects to, if and only if they contain the same CA certs as the client holds in its truststore. You will notice that the above extract from the manuals states that the server keystore will contain personal cert, private key AND CA certs. In this respect they are, I believe, referring to the physical keystore - confused yet?

So if you are going mutual authentication all the way then yes I would combine them. And if you are not going mutual all the way I would expect you can still combine them.

Mut
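The trust relationship the post describes (a peer accepts a personal certificate only if the signer CA sits in the peer's truststore, and mutual authentication simply adds a keystore on the client side and a truststore on the server side) can be checked outside GSK7 with plain PEM files. The script below is an added example, not code from this thread or from IBM; it assumes the openssl CLI is on PATH, and every label in it (broker_ca, other_ca, broker_server, mq_client) is a constructed name for the demo.

```shell
#!/bin/sh
# Added example, not from the MQSeries.net thread: stands in for GSK7 with
# plain PEM files and the openssl CLI (assumed to be on PATH) to show which
# side of a TLS connection needs which store. All labels are constructed.
set -e
WORK="$(mktemp -d)"
trap 'rm -rf "$WORK"' EXIT

# A CA. Its signer certificate is what a peer keeps in its (logical) truststore.
make_ca() {                                   # make_ca <label>
  openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=$1" \
    -keyout "$WORK/$1.key" -out "$WORK/$1.pem" >/dev/null 2>&1
}

# An end-entity (personal) certificate signed by <ca>. The private key plus
# this certificate are what the owner keeps in its (logical) keystore.
make_identity() {                             # make_identity <ca> <label>
  openssl req -new -newkey rsa:2048 -nodes -subj "/CN=$2" \
    -keyout "$WORK/$2.key" -out "$WORK/$2.csr" >/dev/null 2>&1
  openssl x509 -req -in "$WORK/$2.csr" -CA "$WORK/$1.pem" \
    -CAkey "$WORK/$1.key" -CAcreateserial -days 1 \
    -out "$WORK/$2.pem" >/dev/null 2>&1
}

# The check a peer performs on "receipt": does the presented personal cert
# chain to a signer held in my truststore? Exit 0 = trusted, 1 = rejected.
peer_trusts() {                               # peer_trusts <truststore> <cert>
  openssl verify -CAfile "$1" "$2" 2>&1 | grep -q ': OK$'
}

# One-way authentication: only the server owns a personal certificate, so only
# the server needs a keystore; the client needs just the CA in its truststore.
make_ca broker_ca
make_identity broker_ca broker_server
make_ca other_ca                              # an unrelated CA, for contrast

# Mutual authentication adds a client identity (client keystore) and requires
# the server to hold the client's signer CA (server truststore).
make_identity broker_ca mq_client

# GSK7 lets both logical parts share one physical store; with PEM files the
# equivalent is simply concatenating key, personal cert and CA cert.
cat "$WORK/broker_server.key" "$WORK/broker_server.pem" "$WORK/broker_ca.pem" \
  > "$WORK/broker_server_combined.pem"

if peer_trusts "$WORK/broker_ca.pem" "$WORK/broker_server.pem"; then
  echo "client holding broker_ca in its truststore accepts the broker cert"
fi
if ! peer_trusts "$WORK/other_ca.pem" "$WORK/broker_server.pem"; then
  echo "client holding only other_ca rejects the broker cert"
fi
if peer_trusts "$WORK/broker_ca.pem" "$WORK/mq_client.pem"; then
  echo "server holding broker_ca in its truststore accepts the client cert"
fi
```

The script keeps each part in its own file only to make the roles visible; in GSK7 the same logical split is expressed as labels (personal versus signer certificates) inside a single key database, which is why combining the two stores changes nothing about which certificate is checked on which side.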