I didn't get a reply on this. Maybe the scenario is too complicated.
The basic question is:
Should WebSphereMQ start an SSL channel which is authenticated in both
directions when one partner does not have a SITE certificate for the other
partner or a CA certificate from the issuing CA?
Thanks,
George Sproull
[EMAIL PROTECTED]
---------------------- Forwarded by George Sproull/HQ/SSO on 09/23/2002
01:06 PM ---------------------------
George Sproull
09/20/2002 03:54 PM
To: [EMAIL PROTECTED]
cc:
Subject: SSL Certificate processing on Z/OS
We have two QMs attempting to communicate over an SSL channel. QM1 has
a key ring that contains its own certificate plus QM2's self-signed
certificate as a trusted site certificate. QM2 has a keyring containing
ONLY its certificate. The channel definition for QM1.QM2 (QM2 is the
server) has the same cipherspec on both sides and neither side has a value
for SSLPEER. The RECEIVE channel definition on QM2 specifies that QM1 must
send a certificate also.
When the QM1.QM2 SENDER channel is started, the connection completes.
QM2 says only that the SSL certificate received has no associated userid,
so the CHIN user id will be used.
Shouldn't the connection fail if QM2 does not have a trusted site copy
of QM1's self-signed certificate (or a certificate from the issuing CA) on
its key ring? How can it verify the signature on QM1's certificate?
I am trying to understand the SSL handshake, so any insight would be
appreciated.
Thanks,
George Sproull
[EMAIL PROTECTED]
Archive: http://vm.akh-wien.ac.at/MQSeries.archive