Read RabbitMQ SSL server certificate and server key via the trust store plugin

I am using SSL self-signed certificates to connect over MQTT to the RabbitMQ broker. Now I need to update them at runtime without restarting the server. The RabbitMQ trust store plugin gives a good solution for this, but it reads only CA certificates from a local whitelisted folder or an HTTP endpoint. I need to take the server certificate and server key from an external whitelisted folder or HTTP endpoint. Can I do this using the rabbitmq-trust-store plugin, or is there any other solution for this?

No need to restart the server. Put the new certificate in the correct place and wait a few minutes. Certificates update automatically.

Related

Using Kafka With SSL Encryption but No Authentication (No Server Verification nor Client Authentication)

Is it possible to use Kafka with SSL encryption but with no server verification nor client authentication?
I know that by default the latter is disabled, but is it possible to also disable the former?
I encountered a similar problem. Since Kafka is a Java process, it loads the default JDK certs when running, which are under /usr/local/jdk/jre/lib/security/cacerts. If your server is trusted there (in my scenario, my Kafka server is MSK, and is trusted already), then you don't have to configure all the keys and certs.
So all in all, I only added the Kafka config security.protocol=SSL and it worked.
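A quick way to confirm the premise of that answer, that the broker's CA is already among the JVM's default trust anchors, is to ask JSSE for them. This is an added Java example, not code from the post: initialising a TrustManagerFactory with a null KeyStore selects the same default store (cacerts, or whatever javax.net.ssl.trustStore points to) that a Kafka client uses when no ssl.truststore.location is set. The search term "Amazon" is only a placeholder assumption for an MSK deployment; pass your own CA's name as the first argument.

```java
import java.security.KeyStore;
import java.security.cert.X509Certificate;
import java.util.ArrayList;
import java.util.List;
import javax.net.ssl.TrustManager;
import javax.net.ssl.TrustManagerFactory;
import javax.net.ssl.X509TrustManager;

/**
 * Lists the trust anchors the JVM uses when no truststore is configured
 * (the JDK's cacerts, or the javax.net.ssl.trustStore override) and
 * filters them by a substring of the subject DN.
 */
public class DefaultTrustAnchors {

    /** Returns the CA certificates from the JVM default trust store. */
    public static List<X509Certificate> defaultTrustAnchors() throws Exception {
        TrustManagerFactory tmf =
            TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
        tmf.init((KeyStore) null); // null keystore = JVM default trust store
        List<X509Certificate> anchors = new ArrayList<>();
        for (TrustManager tm : tmf.getTrustManagers()) {
            if (tm instanceof X509TrustManager) {
                for (X509Certificate c : ((X509TrustManager) tm).getAcceptedIssuers()) {
                    anchors.add(c);
                }
            }
        }
        return anchors;
    }

    /** Returns the anchors whose subject DN contains needle (case-insensitive). */
    public static List<X509Certificate> findBySubject(List<X509Certificate> anchors, String needle) {
        List<X509Certificate> hits = new ArrayList<>();
        String n = needle.toLowerCase();
        for (X509Certificate c : anchors) {
            if (c.getSubjectX500Principal().getName().toLowerCase().contains(n)) {
                hits.add(c);
            }
        }
        return hits;
    }

    public static void main(String[] args) throws Exception {
        // "Amazon" is an assumed placeholder for an MSK broker's root CA; override on the command line.
        String needle = args.length > 0 ? args[0] : "Amazon";
        List<X509Certificate> anchors = defaultTrustAnchors();
        System.out.println("Default trust store holds " + anchors.size() + " anchors");
        for (X509Certificate c : findBySubject(anchors, needle)) {
            System.out.println(c.getSubjectX500Principal().getName()
                + "  expires " + c.getNotAfter());
        }
    }
}
```

If the broker's issuer does not appear in the output, security.protocol=SSL alone will fail the handshake and ssl.truststore.location (and its password) must point at a store that contains the issuing CA.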

Customizing Client Authentication in IBM WebSphere

We have an application running on a WAS 8.5 server. The application has two external service invocations, hitting two different third-party systems, of which one service (Service2/Server2) requires client authentication.
Please refer to the diagram for reference.
[Diagram: Server2 <-- Client --> Server1 handshake]
For Server1, we have shared a client certificate with them and the handshake is perfect.
For Server2, which doesn't require client authentication, the handshake fails. What we could find out is that during the handshake the server tries to authenticate the client (assuming that client authentication is SUPPORTED at Server2, but not REQUIRED). Since the client keystore has the client certificate, it is being used in the handshake, which fails because this client certificate is not present in the Server2 truststore.
My question is whether it is possible to not send the client certificate to Server2 even if the server supports client authentication.
I hope this question is understandable.
Note 1: We don't have any control over Server1 or Server2 and we don't expect any changes from these third-party services to make this work.
Note 2: Service2 works perfectly without the client certificate in the client keystore. Please refer to the diagram for the Server2-Client SSL handshake, which works perfectly.
[Diagram: Client --> Server2 handshake]
Expecting help from someone who is proficient in WebSphere SSL configurations.
Thank you,
Sanooj
In short:
You have to create two separate dynamic outbound SSL configs (see here for details), assuming your two external services have different URLs. The one that needs CertAuth will have the cert in its keystore, the other will not (you need two different SSL configs).
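The same separation can be expressed in plain JSSE, which is what WebSphere's SSL configurations wrap: one SSLContext built with a KeyManager for the client certificate (for Server1), and another built with an empty KeyManager array so that a CertificateRequest from Server2 is answered with no certificate. This is an added example rather than WAS configuration; the keystore paths, passwords and URLs are command-line assumptions, and choosing the context per destination is left to the caller.

```java
import java.io.InputStream;
import java.net.URI;
import java.nio.file.Files;
import java.nio.file.Paths;
import java.security.KeyStore;
import javax.net.ssl.HttpsURLConnection;
import javax.net.ssl.KeyManager;
import javax.net.ssl.KeyManagerFactory;
import javax.net.ssl.SSLContext;
import javax.net.ssl.TrustManagerFactory;

/** Builds one SSLContext that presents a client certificate and one that never does. */
public class OutboundSslConfigs {

    /** Loads a PKCS12 (.p12) or JKS keystore from disk. */
    static KeyStore load(String path, char[] password) throws Exception {
        KeyStore ks = KeyStore.getInstance(path.endsWith(".p12") ? "PKCS12" : "JKS");
        try (InputStream in = Files.newInputStream(Paths.get(path))) {
            ks.load(in, password);
        }
        return ks;
    }

    /** Context for Server1: a KeyManager backed by the client keystore answers CertificateRequest. */
    public static SSLContext withClientCert(KeyStore truststore, KeyStore clientKeystore,
                                            char[] keyPassword) throws Exception {
        KeyManagerFactory kmf =
            KeyManagerFactory.getInstance(KeyManagerFactory.getDefaultAlgorithm());
        kmf.init(clientKeystore, keyPassword);
        return build(kmf.getKeyManagers(), truststore);
    }

    /**
     * Context for Server2: an empty KeyManager array means no certificate is ever offered.
     * Deliberately not null: null makes JSSE fall back to the default KeyManagerFactory,
     * which would present whatever javax.net.ssl.keyStore points at.
     */
    public static SSLContext withoutClientCert(KeyStore truststore) throws Exception {
        return build(new KeyManager[0], truststore);
    }

    private static SSLContext build(KeyManager[] kms, KeyStore truststore) throws Exception {
        TrustManagerFactory tmf =
            TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
        tmf.init(truststore); // server certificates are still verified in both contexts
        SSLContext ctx = SSLContext.getInstance("TLS");
        ctx.init(kms, tmf.getTrustManagers(), null);
        return ctx;
    }

    /** Opens an HTTPS connection with the chosen context; the caller picks the context per destination. */
    public static HttpsURLConnection open(SSLContext ctx, String url) throws Exception {
        HttpsURLConnection conn = (HttpsURLConnection) URI.create(url).toURL().openConnection();
        conn.setSSLSocketFactory(ctx.getSocketFactory());
        return conn;
    }

    public static void main(String[] args) throws Exception {
        // Assumed arguments: truststore truststorePassword clientKeystore keyPassword server1Url server2Url
        KeyStore trust = load(args[0], args[1].toCharArray());
        KeyStore clientKeys = load(args[2], args[3].toCharArray());
        SSLContext forServer1 = withClientCert(trust, clientKeys, args[3].toCharArray());
        SSLContext forServer2 = withoutClientCert(trust);
        System.out.println("Server1 (client cert sent): " + open(forServer1, args[4]).getResponseCode());
        System.out.println("Server2 (no client cert):   " + open(forServer2, args[5]).getResponseCode());
    }
}
```

Both contexts share the truststore, so the server side of each handshake is verified identically; the only difference is whether a client certificate is available when the server asks for one.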

Storing server certificate in HTTPS client trust store

I have a use case where I am trying to connect to an HTTPS server. Initially I was thinking of using the JRE cacerts file for the SSL handshake and server certificate validation.
But now this seems not possible and I have to create my own user-defined truststore/keystore.
Can anybody let me know how to create a truststore/keystore to be used while communicating with an HTTPS server?
Once the truststore/keystore is created I should be able to install a self-signed server certificate and, if needed, remove it from the store programmatically using the KeyStore class.
Regards,
Mano
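The KeyStore API can do everything the question lists: create a store, import a self-signed server certificate from a PEM file, remove it again, and save. Below is an added Java example (not from the post) that wraps those calls. It assumes a PKCS12 file and a PEM-encoded certificate given on the command line, and it prints the certificate's SHA-256 fingerprint so the value can be compared with what the server operator publishes before the entry is trusted.

```java
import java.io.InputStream;
import java.io.OutputStream;
import java.nio.file.Files;
import java.nio.file.Path;
import java.nio.file.Paths;
import java.security.KeyStore;
import java.security.MessageDigest;
import java.security.cert.CertificateFactory;
import java.security.cert.X509Certificate;

/** Creates and maintains a user-defined truststore of trusted (e.g. self-signed) server certificates. */
public class TrustStoreManager {
    private final Path path;
    private final char[] password;
    private final KeyStore store;

    public TrustStoreManager(Path path, char[] password) throws Exception {
        this.path = path;
        this.password = password;
        this.store = KeyStore.getInstance("PKCS12");
        if (Files.exists(path)) {
            try (InputStream in = Files.newInputStream(path)) { store.load(in, password); }
        } else {
            store.load(null, password); // load(null, ...) initialises an empty store
        }
    }

    /** Imports a PEM/DER certificate as a trusted entry under alias and saves the store. */
    public X509Certificate addTrustedCert(String alias, Path certFile) throws Exception {
        CertificateFactory cf = CertificateFactory.getInstance("X.509");
        X509Certificate cert;
        try (InputStream in = Files.newInputStream(certFile)) {
            cert = (X509Certificate) cf.generateCertificate(in);
        }
        cert.checkValidity(); // refuse expired or not-yet-valid certificates up front
        store.setCertificateEntry(alias, cert);
        save();
        return cert;
    }

    /** Removes the entry for alias; returns false if there was none. */
    public boolean removeTrustedCert(String alias) throws Exception {
        if (!store.containsAlias(alias)) return false;
        store.deleteEntry(alias);
        save();
        return true;
    }

    /** True if exactly this certificate is already a trusted entry. */
    public boolean isTrusted(X509Certificate cert) throws Exception {
        return store.getCertificateAlias(cert) != null;
    }

    /** SHA-256 fingerprint of the DER encoding, colon-separated, for out-of-band comparison. */
    public static String fingerprint(X509Certificate cert) throws Exception {
        byte[] digest = MessageDigest.getInstance("SHA-256").digest(cert.getEncoded());
        StringBuilder sb = new StringBuilder();
        for (byte b : digest) {
            if (sb.length() > 0) sb.append(':');
            sb.append(String.format("%02X", b));
        }
        return sb.toString();
    }

    private void save() throws Exception {
        try (OutputStream out = Files.newOutputStream(path)) { store.store(out, password); }
    }

    public static void main(String[] args) throws Exception {
        // Assumed usage: add <store.p12> <password> <alias> <cert.pem>  |  remove <store.p12> <password> <alias>
        TrustStoreManager mgr = new TrustStoreManager(Paths.get(args[1]), args[2].toCharArray());
        if ("add".equals(args[0])) {
            X509Certificate c = mgr.addTrustedCert(args[3], Paths.get(args[4]));
            System.out.println("trusted " + c.getSubjectX500Principal() + " as '" + args[3] + "'");
            System.out.println("SHA-256 " + fingerprint(c));
        } else if ("remove".equals(args[0])) {
            System.out.println(mgr.removeTrustedCert(args[3]) ? "removed " + args[3] : "no such alias " + args[3]);
        }
    }
}
```

To make an HTTPS client use the store, either initialise a TrustManagerFactory with it and pass the resulting trust managers to SSLContext.init, or start the JVM with -Djavax.net.ssl.trustStore=<store.p12> -Djavax.net.ssl.trustStoreType=PKCS12 -Djavax.net.ssl.trustStorePassword=<password>. A self-signed server certificate added this way becomes a trust anchor for that store only; HttpsURLConnection still checks that the server's name matches the certificate.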

MSMQ failing to send over HTTPS

I have been trying to get MSMQ to pass messages over HTTPS without success. All outgoing messages sit in a queue with status "Waiting to connect".
This is not the case for messages over HTTP; they are received without issue.
I've created a Certificate Authority on the receiving machine, downloaded the cert chain and CA cert, and installed them under Trusted Root (Local Computer and Current User profiles).
I then exported the CA cert and installed that on the sending machine (under TRCA - Local Computer and Current User).
I have been able to navigate to the target MSMQ using Internet Explorer; this usually gives a 501 Not Implemented error.
I don't really know why this isn't working and it's pretty frustrating.
What other approaches can I take to get this to work?
Cheers
Niall
The screenshot shows that the server isn't properly accepting the HTTPS connection from the client.
You'll need to add more information to your question, including details of how you attempted to bind the Server Authentication certificate to the endpoint on which your server is listening.

How to connect to a queue manager with an SSL-enabled server connection channel when authentication is required

I am trying to write a Java application connecting to a server connection channel with SSL enabled.
So far, I have successfully connected to the channel by setting authentication to 'optional'. However, when I set it to 'required', the connection fails.
Here is what I did:
Create a key database for the queue manager and a keystore for the Java client user.
Create keys/self-signed certificates for the queue manager and the client user, with names prefixed ibmwebspheremq.
Export, exchange and import the certificates for the queue manager and the client. (I did answer 'yes' when asked whether I trust the queue manager cert.)
The location and password of the truststore and keystore are set to point to the same keystore on the client side, where the originally created client user key and the imported queue manager key are.
With other settings being the same, if I switch back to 'optional' authentication, the connection works.
I think there is something I understand incorrectly about this SSL authentication but cannot figure out what.
Could someone kindly help me?
I beat my head against that wall for a couple of weeks. IBM L2 Support eventually clued me in. My issue here was that keytool will use the DSA algorithm unless you specify RSA. This results in keys of length 1022 instead of 1024, which WMQ doesn't like. The fix was to specify -sigalg RSA when generating the certificate and everything works.
I've asked the IBM WMQ team and WMQ FTE team to add this to their Infocenter documentation.
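As a check after generating keys for this setup: keytool selects the key algorithm with -keyalg (RSA, DSA or EC), while -sigalg names the signature algorithm applied to the certificate (for example SHA256withRSA). The added Java example below, not part of the answer, loads a keystore and reports the algorithm and bit length of each entry's public key and the signature algorithm of its certificate, so it is easy to see whether a key actually came out as DSA or RSA and at what size. Keystore path, password and type are command-line assumptions.

```java
import java.io.InputStream;
import java.nio.file.Files;
import java.nio.file.Paths;
import java.security.KeyStore;
import java.security.PublicKey;
import java.security.cert.Certificate;
import java.security.cert.X509Certificate;
import java.security.interfaces.DSAPublicKey;
import java.security.interfaces.ECPublicKey;
import java.security.interfaces.RSAPublicKey;
import java.util.Enumeration;
import java.util.LinkedHashMap;
import java.util.Map;

/** Reports key algorithm, key size and certificate signature algorithm for every keystore entry. */
public class KeystoreAudit {

    /** Describes a public key as "ALG/bits", e.g. "RSA/2048", "DSA/1024" or "EC/256". */
    public static String describe(PublicKey key) {
        if (key instanceof RSAPublicKey) {
            return "RSA/" + ((RSAPublicKey) key).getModulus().bitLength();
        }
        if (key instanceof DSAPublicKey) {
            // DSA key size is the bit length of the prime p
            return "DSA/" + ((DSAPublicKey) key).getParams().getP().bitLength();
        }
        if (key instanceof ECPublicKey) {
            return "EC/" + ((ECPublicKey) key).getParams().getCurve().getField().getFieldSize();
        }
        return key.getAlgorithm() + "/?";
    }

    /** Maps each alias to a one-line description of its key and certificate. */
    public static Map<String, String> audit(KeyStore ks) throws Exception {
        Map<String, String> report = new LinkedHashMap<>();
        Enumeration<String> aliases = ks.aliases();
        while (aliases.hasMoreElements()) {
            String alias = aliases.nextElement();
            Certificate c = ks.getCertificate(alias); // leaf of the chain for key entries
            if (c == null) continue;                  // e.g. a secret-key entry with no certificate
            String sig = c instanceof X509Certificate ? ((X509Certificate) c).getSigAlgName() : "?";
            String kind = ks.isKeyEntry(alias) ? "[private key]" : "[trusted cert]";
            report.put(alias, describe(c.getPublicKey()) + " signed with " + sig + " " + kind);
        }
        return report;
    }

    public static void main(String[] args) throws Exception {
        // Assumed usage: java KeystoreAudit <keystore> <password> [type]; type defaults to PKCS12, use JKS for older stores
        KeyStore ks = KeyStore.getInstance(args.length > 2 ? args[2] : "PKCS12");
        try (InputStream in = Files.newInputStream(Paths.get(args[0]))) {
            ks.load(in, args[1].toCharArray());
        }
        for (Map.Entry<String, String> e : audit(ks).entrySet()) {
            String flag = e.getValue().startsWith("DSA") ? "   <-- not RSA" : "";
            System.out.println(e.getKey() + ": " + e.getValue() + flag);
        }
    }
}
```

Run it against both the client keystore and an export of the queue manager's certificate; any entry flagged as DSA was generated without an explicit RSA key algorithm and needs to be regenerated.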