A note on using SSL/TLS for authentication. SSL was NOT designed to prevent access to a server. In fact, that is the last thing that it was supposed to accomplish. SSL was designed to authenticate the server to the client (not vice versa) as well as to encrypt transmitted data (e.g., credit card info). In order for the Queue Manager to authenticate incoming certificates, two things must be in place:
- Client Authentication must be enabled: SSLCAUTH(REQUIRED)
- Certificate Filtering may need to be enabled: SSLPEER('SERIALNUMBER=w,CN=x,O=y,OU=z, ...')
Unless you require client authentication, MQ will only authenticate an incoming certificate if it is presented. If no certificate is provided, then access will be allowed without authentication. Not Good. This is, of course, exactly what the bad guys will do. So, when using SSL/TLS for authentication:
Always set SSLCAUTH(REQUIRED)
Even with client authentication enabled, ALL certificates issued by any of the trusted CA certificates will be granted access with the User ID that they claim to be. If you're using a third party CA, this means that you're willing to let a lot of people gain access to MQ using whatever ID that they assert. Unless you have an internal CA that has issued only a small number of certificates, or a self-signed certificate that has "issued" only one certificate (itself), you need to restrict the incoming certificate. A trusted certificate that states "I'm a bad guy, don't let me in" should be allowed access. To restrict unwanted certificates, there are only two approaches:
- Restrict the population of trusted certificates to a very small number using an internal CA or self-signed certificates.
- Use the SSLPEER parameter to specify which trusted certificates will be allowed entry.
Since it never hurts, at worst adds documentation support, and at best saves your MQ network:
Always set SSLPEER('CN=x,O=y,OU=z')
If you remember one thing from this, remember that SSL was designed to permit access, not to deny it. You have to take positive action as an administrator to prevent incoming SSL channels. Otherwise, you're only encrypting the bad guys, not denying them entry.
Regards,
Glen Brumbaugh
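The two channel settings discussed in the message above, written out as MQSC (runmqsc) commands. This is an added example, not part of the original message; the channel name TO.QM1, the CipherSpec, and the DN values in SSLPEER are assumed placeholders.

```mqsc
* Weak: SSLCIPH encrypts the traffic, but SSLCAUTH(OPTIONAL) means a
* connection that presents NO certificate is still accepted, unauthenticated.
DEFINE CHANNEL(TO.QM1) CHLTYPE(SVRCONN) TRPTYPE(TCP) +
       SSLCIPH(TLS_RSA_WITH_AES_128_CBC_SHA256) +
       SSLCAUTH(OPTIONAL) REPLACE

* Hardened: require a certificate from a trusted CA, and only admit the
* certificates whose Distinguished Name matches the SSLPEER filter.
* (Constructed DN values; a trailing * in a value acts as a wildcard.)
ALTER CHANNEL(TO.QM1) CHLTYPE(SVRCONN) +
      SSLCAUTH(REQUIRED) +
      SSLPEER('CN=APP1*,O=EXAMPLE CORP,OU=PAYMENTS')

* Verify what is now in effect on the channel definition.
DISPLAY CHANNEL(TO.QM1) SSLCIPH SSLCAUTH SSLPEER

* Reload the SSL/TLS environment so the queue manager picks up the change.
REFRESH SECURITY TYPE(SSL)
```

A certificate from the same trusted CA whose DN does not match the SSLPEER filter is rejected at channel start even though it validates cryptographically, which is the restriction the message argues for.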