Auditing SSL Connections

2003-11-19 Thread Tom Fox
Looking at using channel exits to perform audits of connections coming into
an MQ manager, is there any way to inquire/access the actual distinguished
name values (SSL Peer) of the verified partner?  Here's the scenario: We'd
like to setup to allow multiple clients to connect to the same SVRCONN
channel using PKI certificates. We can control who gets access via that
channel by configuring what issuing certificate authorities are trusted and
using wildcarded SSL PEER settings. But we have a requirement to audit the
connections. We have a channel security exit that records some values. We'd
like to enhance it to capture the specifics of the SSL certs. Is this
possible and what are the specific fields we'd need to access?

Thanks.
-tom

Instructions for managing your mailing list subscription are provided in
the Listserv General Users Guide available at http://www.lsoft.com
Archive: http://vm.akh-wien.ac.at/MQSeries.archive


Re: Auditing SSL Connections

2003-11-19 Thread David C. Partridge
All are in the MQCD - see below:

The following fields in this structure are not present if Version is less
than MQCD_VERSION_7.


SSLCipherSpec (MQCHAR32)
SSL CipherSpec is an optional field.

This parameter is valid for all channel types. It is supported on AIX,
HP-UX, Linux, OS/400, Solaris, Windows, and z/OS. It is valid only for
channel types of a transport type (TRPTYPE) of TCP.

This is an input field to the exit. The length of this field is given by
MQ_SSL_CIPHER_SPEC_LENGTH. The field is not present if Version is less than
MQCD_VERSION_7.


SSLPeerNamePtr (MQPTR)
Address of the SSL peer name.

This is an input field to the exit. The field is not present if Version is
less than MQCD_VERSION_7.


SSLPeerNameLength (MQLONG)
Length of SSL peer name.

This is the length in bytes of SSL peer name pointed to by SSLPeerNamePtr.

This is an input field to the exit. The field is not present if Version is
less than MQCD_VERSION_7.


SSLClientAuth (MQLONG)
Determines whether SSL client authentication is required.

The value is one of the following:

MQSCA_REQUIRED
Client authentication required.

MQSCA_OPTIONAL
Client authentication optional.

This is an input field to the exit. The field is not present if Version is
less than MQCD_VERSION_7.

Dave



Re: Auditing SSL Connections

2003-11-19 Thread philip . distefano
Yes, there is.  The SSLPEER parameter is set to the remote Distinguished
Name.  But you must wait until the INIT-SEC phase.



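As an added example (not code from this thread, nor IBM's own sample exit), the guard a channel security exit would put in front of reading the peer DN, combining the version caveat in Dave's reply with the INIT-SEC timing in Philip's. MQCD_STANDIN, SAMPLE_DN, audit_ssl_peer and try_capture are constructed here for a self-contained build; a real exit includes cmqxc.h and receives the real MQCD and ExitReason from the queue manager.

```c
#include <string.h>
/* Constructed stand-ins for what a real exit gets from cmqc.h / cmqxc.h:
 * only the MQCD fields this thread discusses, with those headers' values. */
typedef int MQLONG; typedef void *MQPTR;
#define MQCD_VERSION_7 7
#define MQXR_INIT      11
#define MQXR_INIT_SEC  16
typedef struct {
    MQLONG Version;
    char   SSLCipherSpec[32];   /* MQ_SSL_CIPHER_SPEC_LENGTH, blank padded */
    MQPTR  SSLPeerNamePtr;
    MQLONG SSLPeerNameLength;
} MQCD_STANDIN;

/* Copy the verified peer DN into out (NUL terminated). Returns 1 when a DN
 * was captured, 0 when the exit must not read it yet or at all. */
int audit_ssl_peer(MQLONG exit_reason, const MQCD_STANDIN *cd,
                   char *out, size_t outlen)
{
    if (outlen == 0) return 0;
    out[0] = '\0';
    /* SSLPEER is only set once the handshake is done: the INIT_SEC call. */
    if (exit_reason != MQXR_INIT_SEC) return 0;
    /* An MQCD older than version 7 physically lacks the SSL fields; reading
     * them would run past the structure the queue manager passed in. */
    if (cd->Version < MQCD_VERSION_7) return 0;
    if (cd->SSLPeerNamePtr == NULL || cd->SSLPeerNameLength <= 0) return 0;
    /* Pointer + length, not a C string: copy by length and bound it. */
    size_t n = (size_t)cd->SSLPeerNameLength;
    if (n > outlen - 1) n = outlen - 1;
    memcpy(out, cd->SSLPeerNamePtr, n);
    out[n] = '\0';
    return 1;
}

/* Constructed sample DN, as a queue manager might hand it to the exit. */
static char SAMPLE_DN[] = "CN=client1,OU=Audit,O=Example,C=US";
static char audit_line[128];
/* Drive the guard with the sample MQCD; returns the captured DN or "". */
const char *try_capture(MQLONG exit_reason, MQLONG version)
{
    MQCD_STANDIN cd;
    memset(&cd, 0, sizeof cd);
    cd.Version = version;
    cd.SSLPeerNamePtr = SAMPLE_DN;
    cd.SSLPeerNameLength = (MQLONG)(sizeof SAMPLE_DN - 1);
    audit_ssl_peer(exit_reason, &cd, audit_line, sizeof audit_line);
    return audit_line;
}
```

In the real exit the DN string is what goes into the audit record; the two early returns are the cases where the record must note that no peer name was available rather than log whatever happens to sit at that offset.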