ibm mq - SSL/TLS handshake between Websphere MQ Server and Client -


i'm debugging ssl errors between websphere mq server , client using t.rob's suggestions , need understanding ssl handshake (ssl connect mq using .net mq client sslv3?).

my wmq 7.5 client application c code , uses keystore (.kdb). utilizing chltab provided websphere admin. wmq server running java , channel defined mutual authentication.

the article states in ssl/tls handshake, server sends public certificate in response connections request. client must validate certificate first checking signature , validity date, looking in trust store thing signed certificate.

here's confusion: since keystore on client side has application personal cert, how client validate public certificate sent server? have provided common name of application cert websphere server admin nothing more that.

thanks in advance clarification!

the bit "my keystore on client side has application personal cert" troubling. won't work. client kdb must have server's public key. if mq server has sslcauth(optional) the server's public cert that's required in kdb connection succeed.

the first part of tls handshake client validates server's certificate. use of public/private key pairs how authenticity of thing on other side assured. in order happen server must have own personal certificate , client must have public key of root of signer chain. in case of self-signed certificates public portion of personal cert must trusted client. in case of ca-signed certs ca root must trusted client. whichever 1 is, client must trust used sign server's personal cert or cert can't validated.

the tls handshake symmetrical second part works same first roles reversed. therefore, in cases mutual authentication enabled client must have own personal cert (because contains private key) , server must trust whatever signed client's matching public key. if client cert self-signed qmgr has trust it. if client's cert ca-signed, qmgr must trust signer. either way, qmgr has have cert validate client in kdb.

following logic, anonymous client connections required parts personal certificate in qmgr's keystore (because contains qmgr's private key), , matching trusted certificate in client's kdb or java trust store. neither of these optional.

if client authenticated still need same 2 certs anonymous clients because part of handshake has complete before client authenticated. in addition, need client have own personal certificate (because contains client's private key) , qmgr needs trust whatever signed client's certificate - client cert if self-signed or signer root if ca-signed.


as side note, there confusion in post because says "my wmq 7.5 client application c code , wmq server running java." there nothing in queue manager uses java on server side. there java components installed things manage jndi objects , run sample code. in modern mq versions java runs web console. there no java components in qmgr , no java components in path of incoming channel connection request. that's habdled qmgr's listener, agent, , other internal processes. i'm not @ sure being referred there other notion of java running on mq server side , participating in tls handshake might source of of confusion mentioned in post. ;-)


Comments

Popular posts from this blog

ios - MKAnnotationView layer is not of expected type: MKLayer -

ZeroMQ on Windows, with Qt Creator -

unity3d - Unity SceneManager.LoadScene quits application -