MQ

  • 1.  MQTT SSL limit access based on client cert

    Posted Tue December 13, 2022 09:20 AM
    Have set up MQTT using SSL on port 8883. Have set 'SSL Authentication' required. The 'SSL Key repository' is set up. I am using a server cert that was signed by the same CA as the client cert. Everything works fine.

    My question is, can I limit what clients have access by something in their client cert? The company elected to use the same CA to sign the client certs that are connecting to me and other unrelated client certs. So if someone knows what to do, they can use another unrelated client cert to try and connect.

    ------------------------------
    Earle Ake
    ------------------------------


  • 2.  RE: MQTT SSL limit access based on client cert

    Posted Wed December 14, 2022 12:09 PM
    Hi Earle,

    I was thinking along the lines of channel authentication rules, but unfortunately SSLPEER and MQ channel authentication are not supported for MQTT channels.

    I suggest you raise an enhancement request with something like "MQTT channels need to become "proper" MQ channels".

    https://integration-development.ideas.ibm.com/?project=MESNS

    ------------------------------
    Regards,

    Martin Evans
    IBM MQ Technical Product Manager
    ------------------------------