Question regarding WMB keystore and truststore
Author: tucanen (Novice, joined 27 Jun 2005, 22 posts, location: Sweden)
Posted: Mon Sep 13, 2010 4:15 am    Post subject: Question regarding WMB keystore and truststore
Hi,
Questions below.

Background
In the WMB 6.1 InfoCenter, section "Setting up a public key infrastructure", the documentation states the following:

Quote: You can configure keystores and truststores at either broker level (one keystore, one truststore, and one personal certificate for each broker) or at execution group level (one keystore, one truststore, and one personal certificate for each execution group).

I'm not sure how to interpret this with one personal certificate.

I have experimented with configuring the HTTPSConnector of an execution group to make it possible to expose a web service facade via HTTPS using SSL (using SOAP nodes). It is working fine.

I have configured a keystore and truststore on the broker level.

- The keystore contains my self-signed test certificate that is used for SSL encryption.
- The truststore contains a trusted certificate used when doing secure LDAP authentication (not part of the scope of the question).

Questions

1. Why is there a limitation of one personal certificate?

It appears to be possible to import several certificates into the keystore.
My tests indicate that the HTTPSConnector of the execution group uses the certificate last added. It is however possible to specify which of the certificates is to be used by the execution group HTTPSConnector by setting the KeyAlias property. This seems to work fine.

However, as I understand from the documentation, it doesn't look like the KeyAlias can be specified for the broker-level httplistener HTTPSConnector (used by the HTTP nodes). Is this the reason why only one personal certificate can be used?

2. Isn't there a need to have more than one personal certificate in the keystore for a broker when using both a certificate for HTTPS purposes and also certificate(s) for message part encryption or message signing?

How can this be achieved?

Thankful for all thoughts and answers.

Kind regards,
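An added check for the situation described in the post above (several personal certificates in one keystore, and the listener picking one of them): it compares the certificate an HTTPS listener actually presents with the fingerprints that `keytool -list -v` reports for each alias, so you can see which alias is in use before and after setting KeyAlias. This is example code written for this thread, not WMB code or the poster's; the host, port and the keytool listing fed to it are assumptions.

```python
# Added example for this thread, not WMB code. Inputs (keytool listing text,
# listener host/port) are assumptions supplied by the caller.
import hashlib
import re
import socket
import ssl


def parse_keytool_listing(text):
    """Map each alias in `keytool -list -v` output to its fingerprints
    (algo -> hex without colons). Java 6 era keytool prints MD5/SHA1 only."""
    aliases, alias = {}, None
    for line in text.splitlines():
        m = re.match(r"\s*Alias name:\s*(\S+)", line)
        if m:
            alias = m.group(1)
            aliases[alias] = {}
            continue
        m = re.match(r"\s*(SHA1|SHA256):\s*([0-9A-Fa-f:]+)\s*$", line)
        if m and alias is not None:
            aliases[alias][m.group(1).lower()] = m.group(2).replace(":", "").upper()
    return aliases


def fingerprint(der_bytes, algo="sha256"):
    """Uppercase hex fingerprint of a DER-encoded certificate."""
    return hashlib.new(algo, der_bytes).hexdigest().upper()


def presented_alias(aliases, der_bytes):
    """Alias whose certificate matches the one the listener presented, or None
    when the listener serves something that is not in the keystore listing."""
    for alias, fps in aliases.items():
        for algo, known in fps.items():
            if known == fingerprint(der_bytes, algo):
                return alias
    return None


def fetch_presented_cert(host, port, timeout=5.0):
    """Raw DER leaf certificate served on host:port. Verification is disabled
    on purpose: the point is to observe what is served, not to trust it."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE
    with socket.create_connection((host, port), timeout=timeout) as raw:
        with ctx.wrap_socket(raw, server_hostname=host) as tls:
            return tls.getpeercert(binary_form=True)
```

Feed `parse_keytool_listing` the output of `keytool -list -v -keystore <broker keystore> -storepass <password>` and pass the result together with `fetch_presented_cert(host, port)` to `presented_alias`; a result of None means the listener is serving a certificate that is not in that keystore at all.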
Author: mqjeff (Grand Master, joined 25 Jun 2008, 17447 posts)
Posted: Mon Sep 13, 2010 4:59 am
It means that each EG or each broker can only assert that it is a single known entity. You can only use one single certificate to identify the broker or the EG; that's what the personal certificate is, the cert that represents "me".
So if you need to use Cert A to establish your identity with partner 1, and Cert B to establish your identity with partner 2, then you need to use separate EGs or separate brokers (depending on the nature of the transport in use).

I'm not sure where you're going with using separate identities for transport encryption and message encryption.
Author: tucanen
Posted: Mon Sep 13, 2010 5:17 am
mqjeff, thank you for clarifying!
I'm not sure either.

I just thought that it could be good to leave the door open for the possibility that, for some reason, there might be a need to use different certificates for different purposes.

Maybe that scenario is not very probable because of the way personal certificates are typically used.
Author: mqjeff
Posted: Mon Sep 13, 2010 5:50 am
The only reason I could think that you would have a separate personal certificate for transport level encryption than for message level encryption is if you were essentially acting as two separate entities: one that is producing and encrypting business data, and one that is acting as an assured and secured transport provider. It would be a bit odd to have these same processes running inside the same logical container... but it's also something you could probably handle with TAM or WMQ ESE or another advanced security product that plugs into broker.
Particularly at Broker v7, you get a lot more flexibility in these areas.