IBM MQ Little Gem #14: SSLCERTI

By Morag Hughson posted Sun July 24, 2016 05:12 PM

  
This is part of a series of small blog posts which will cover some of the smaller, perhaps less likely to be noticed, features of IBM MQ. Read other posts in this series.

WebSphere MQ V5.3 introduced the SSL feature to MQ channels, and since that version you have been able to view, and match against, some of the details of your partner's certificate by using the SSLPEER attribute. SSLPEER was initially available on a channel definition, was passed to a security exit (in the MQCD SSLPeerNamePtr field) for matching, and was shown in channel status for viewing. In WebSphere MQ V7.1, when CHLAUTH was introduced, SSLPEER also became available in those rules for matching.

However, SSLPEER only showed you some of the details from the partner's certificate, specifically it showed you the Subject's Distinguished Name.

In WebSphere MQ V6.0, SSLPEER was joined by SSLCERTI on channel status and in security exits (in MQCXP SSLRemCertIssNamePtr field). Now you could see both the Subject's Distinguished Name and the Issuer's Distinguished Name; and in IBM MQ V8 CHLAUTH rules were updated to be able to use SSLCERTI as well.

Why is SSLCERTI not on the channel definition?

SSLCERTI was not added to the channel definition for a very good reason. When the SSL feature was first implemented, CHLAUTH rules didn't exist. Matching on the Distinguished Name of the certificate was however a required feature, so the SSLPEER attribute of the channel was introduced for this purpose. It was a limited form of matching though, because although you could use wildcards, you only had one pattern available per channel.

When CHLAUTH rules were created, everything you could previously do in the single SSLPEER attribute of the channel you could also do with a CHLAUTH rule, so in essence the SSLPEER attribute was superseded. It still works so that existing use of it wasn't broken, but you are strongly encouraged to use CHLAUTH instead.

For example, this:-

DEFINE CHANNEL(SVRCONN.SSL) CHLTYPE(SVRCONN) +
SSLCIPH(…) +
SSLPEER('CN=Morag Hughson,O=MQGem Software') +
MCAUSER('hughson')

Can be replaced with this:-

SET CHLAUTH(SVRCONN.SSL) TYPE(SSLPEERMAP) +
SSLPEER('CN=Morag Hughson,O=MQGem Software') +
MCAUSER('hughson')

But where previously that SVRCONN channel could only be used by that certificate, with CHLAUTH rules, you can have another Distinguished Name match on the same channel, thus:-

SET CHLAUTH(SVRCONN.SSL) TYPE(SSLPEERMAP) +
SSLPEER('CN=Paul Clarke,O=MQGem Software') +
MCAUSER('clarkep')

What does SSLCERTI give me?

The addition of SSLCERTI to the MQ product gives you greater visibility and control over your channels using SSL/TLS. You can see both the Subject's Distinguished Name and the Issuer's Distinguished Name in your channel status displays.

AMQ8417: Display Channel Status details.
   CHANNEL(SVRCONN.SSL)                    CHLTYPE(SVRCONN)
   CONNAME(127.0.0.1)                      CURRENT
   SSLCERTI(CN=MQGem CA,O=MQGem Software)
   SSLPEER(SERIALNUMBER=23:46:BF:42:AF:CB:3D:FA,CN=Morag Hughson,O=MQGem Software)
   STATUS(RUNNING)                         SUBSTATE(RECEIVE)

When creating CHLAUTH rules for matching against certificate details you can now make use of both the Subject's Distinguished Name and the Issuer's Distinguished Name. This allows you to fully qualify a certificate so there is no doubt about which certificate you are referring to. It is theoretically possible to have two certificates with the same Subject's Distinguished Name, especially if you are in the game of allowing users to generate their own Distinguished Names through some internal certificate service and don't make appropriate checks on what they request. Now you can ensure that the certificate you are looking for is exactly the right one.

SET CHLAUTH('SVRCONN.SSL') TYPE(SSLPEERMAP) +
SSLPEER('CN=Morag Hughson,O=MQGem Software') +
SSLCERTI('CN=MQGem CA,O=MQGem Software') +
MCAUSER('hughson') +
DESCR('Only allow my MQGem certificate to connect')

You can also be more generic than before, allowing any certificate signed by a particular Issuer's Distinguished Name to use a channel.

SET CHLAUTH('SVRCONN.SSL') TYPE(SSLPEERMAP) +
SSLPEER('CN=*') +
SSLCERTI('CN=MQGem CA,O=MQGem Software') +
MCAUSER('mqgemusr') +
DESCR('Allow any MQGem signed certificate to connect')

Both these fields are also available in a security exit, where you could also check for things like self-signed certificates, that is, when the Subject's Distinguished Name and the Issuer's Distinguished Name are the same (ignoring the SERIALNUMBER). This is a test you can't make via CHLAUTH rules.
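The self-signed test described above, as an added example that is not from the post or from IBM MQ: a C helper that a security exit could call with the Subject DN and Issuer DN strings copied from the MQCD SSLPeerNamePtr and MQCXP SSLRemCertIssNamePtr fields. It assumes MQ's comma-separated DN format with no escaped commas, and compares the remaining components exactly and in order.

```c
#include <ctype.h>
#include <string.h>

/* Case-insensitive "does s (len bytes) start with pre?" */
static int has_prefix_ci(const char *s, size_t len, const char *pre)
{
    size_t k = strlen(pre);
    if (len < k) return 0;
    while (k--)
        if (toupper((unsigned char)s[k]) != toupper((unsigned char)pre[k])) return 0;
    return 1;
}

/* Copy dn into out without any SERIALNUMBER=... component and without blanks
 * around components. Assumes MQ's comma-separated DN form with no escaped
 * commas (an assumption of this example). Returns NULL if out is too small. */
static char *strip_serial(const char *dn, char *out, size_t outlen)
{
    size_t n = 0;
    out[0] = '\0';
    for (const char *p = dn; *p; ) {
        const char *end = strchr(p, ',');
        size_t len = end ? (size_t)(end - p) : strlen(p);
        while (len && isspace((unsigned char)*p)) { p++; len--; }
        while (len && isspace((unsigned char)p[len - 1])) len--;
        if (!has_prefix_ci(p, len, "SERIALNUMBER=")) {
            if (n + len + 2 > outlen) return NULL;
            if (n) out[n++] = ',';
            memcpy(out + n, p, len);
            n += len;
            out[n] = '\0';
        }
        if (!end) break;
        p = end + 1;
    }
    return out;
}

/* The self-signed test from the post: subject DN equals issuer DN once the
 * SERIALNUMBER is ignored. In a security exit the strings would be copied from
 * MQCD SSLPeerNamePtr and MQCXP SSLRemCertIssNamePtr. Returns 1 if self-signed. */
int is_self_signed(const char *subject_dn, const char *issuer_dn)
{
    char subj[512], iss[512];
    if (!strip_serial(subject_dn, subj, sizeof subj) ||
        !strip_serial(issuer_dn, iss, sizeof iss))
        return 0;                       /* too long to compare safely */
    return strcmp(subj, iss) == 0;
}
```

With the DNs from the channel status shown earlier (a constructed sample), the MQGem CA-signed certificate is reported as not self-signed; the same subject presented as its own issuer, SERIALNUMBER aside, is.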

So remember, there is more information in your own certificate, and in the certificate presented by your partner, than can be seen in the SSLPEER field alone. Look to the SSLCERTI field as well for a more complete view.


Morag Hughson is an MQ expert. She spent 18 years in the MQ Devt organisation before taking on her current job writing MQ Technical education courses with MQGem. She also blogs for MQGem. You can connect with her here on IMWUC or on Twitter and LinkedIn.

#Little-Gem
#IBMMQ
#ChampionsCorner