DataPower is the SSL Client, initiating the connection with the remote system that acts in the role of the SSL Server.
In this scenario, the SSL Servers are our Active Directory Domain Controllers. DataPower addresses them via a Load Balancer Group.
We want to use TLS 1.2 on this connection, for LDAPS.
The SSL Server does not require mutual SSL authentication, so this is "one-way" SSL.
We will build an SSL Client Profile to use on the Authentication and Credential Mapping tabs of the RBM settings.
In this scenario, what should the SSL Client (in this case DataPower) do for validating the SSL Server's certificates (in this case, the Active Directory servers)?
A. We could set "Validate server certificate" to Off on the SSL Client Profile
B. We could leave "Validate server certificate" on, and create a Validation Credential that has only the signer cert(s) from the Certificate Authority that provided the SSL Server its certs, and set the Certificate Validation Credentials to Full certificate chain checking (PKIX).
C. We could leave "Validate server certificate" on, and create a Validation Credential that has the specific public cert(s) presented by the SSL Server, and set the Certificate Validation Credentials to Match Exact Cert.
I'm not going with A; it seems wrong to blindly accept any cert and not check it in any way.
So it's a choice between B and C.
C means we would only complete the handshake if we matched up on the specific cert in our Validation Credential. Seems the most secure, but doesn't smell right. We are forever dependent on the SSL Server side to proactively tell us any time they replace their cert. They have hundreds of systems coming to them. There is no way we can expect them to reliably tell us they are changing their certs.
So B seems like a good compromise. But then we are allowing the connection with any SSL cert signed by the Certificate Authority. That also seems wrong. When I act in the role of SSL Client when surfing the web, when I hit a website at least the browser checks that the URL matches the cert provided. In MQ, we can use the SSLPEER parameter on the channel to match very specifically or broadly on fields in the cert. But DataPower seems to lack these features.
What is the correct thing to do as an SSL Client? Option B seems a little too loose, and Option C seems like a guaranteed outage in the future when the SSL Server side updates their cert for whatever reason and doesn't tell the hundreds of SSL Clients. I don't blame them; if I am an SSL Server using a CA-signed cert, it's not my job to babysit every SSL Client coming to me forever after.
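Editor's added example, not part of the question above and not DataPower code: the trade-off the poster describes (chain validation against the CA signer vs. pinning the exact server cert, and what each does on renewal) is easy to see when the three client policies are run against a throw-away PKI. DataPower's SSL Client Profile is not something we can execute here, so Go's standard `crypto/x509` stands in for the client. The CA name, the domain controller hostname `dc1.corp.example`, the other hosts and the organisation names are all constructed for the lab and are not from the post. Option B is shown both as bare chain checking and with the two extra checks the poster misses from browsers and MQ SSLPEER: matching the presented SAN against the name dialled, and matching a subject field (O=). Option C is expressed as a SHA-256 fingerprint pin on the exact certificate.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/hex"
	"errors"
	"fmt"
	"math/big"
	"time"
)

// newCert issues a certificate from tmpl. With parent == nil it is self-signed
// (used for the lab root CA and for an impostor); otherwise parent/parentKey sign it.
func newCert(tmpl, parent *x509.Certificate, parentKey *ecdsa.PrivateKey) (*x509.Certificate, *ecdsa.PrivateKey) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		panic(err)
	}
	signer := parentKey
	if parent == nil {
		parent, signer = tmpl, key
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, &key.PublicKey, signer)
	if err != nil {
		panic(err)
	}
	cert, err := x509.ParseCertificate(der)
	if err != nil {
		panic(err)
	}
	return cert, key
}

var serial int64 = 1

// leafTemplate builds a server-auth template with the hostname in the SAN (what a
// browser or hostname-checking client matches against).
func leafTemplate(org, host string) *x509.Certificate {
	serial++
	return &x509.Certificate{
		SerialNumber: big.NewInt(serial),
		Subject:      pkix.Name{Organization: []string{org}, CommonName: host},
		DNSNames:     []string{host},
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().Add(24 * time.Hour),
		KeyUsage:     x509.KeyUsageDigitalSignature,
		ExtKeyUsage:  []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
	}
}

// Option B: PKIX chain check against the trusted signer(s). host != "" additionally
// requires the SAN to match the name we dialled; org != "" is an SSLPEER-style
// match on the subject O= field. Empty values skip that check.
func validatePKIX(leaf *x509.Certificate, roots *x509.CertPool, host, org string) error {
	if _, err := leaf.Verify(x509.VerifyOptions{Roots: roots, DNSName: host}); err != nil {
		return err
	}
	if org != "" && (len(leaf.Subject.Organization) == 0 || leaf.Subject.Organization[0] != org) {
		return fmt.Errorf("subject O=%v, expected %q", leaf.Subject.Organization, org)
	}
	return nil
}

// Option C: exact-certificate match, here as a SHA-256 fingerprint of the DER bytes.
func fingerprint(c *x509.Certificate) string {
	sum := sha256.Sum256(c.Raw)
	return hex.EncodeToString(sum[:])
}

func validatePinned(leaf *x509.Certificate, pins []string) error {
	fp := fingerprint(leaf)
	for _, p := range pins {
		if p == fp {
			return nil
		}
	}
	return errors.New("certificate is not in the pinned set")
}

// Scenario builds the constructed lab PKI and reports, per policy and presented
// certificate, whether the client would let the handshake complete.
func Scenario() map[string]bool {
	ca, caKey := newCert(&x509.Certificate{
		SerialNumber:          big.NewInt(1),
		Subject:               pkix.Name{Organization: []string{"Lab Corp"}, CommonName: "Lab Corp Issuing CA"},
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              time.Now().Add(24 * time.Hour),
		IsCA:                  true,
		BasicConstraintsValid: true,
		KeyUsage:              x509.KeyUsageCertSign,
	}, nil, nil)
	roots := x509.NewCertPool()
	roots.AddCert(ca) // the only thing Option B needs from the DC team

	const dcHost = "dc1.corp.example"                                           // hypothetical DC name
	dc, _ := newCert(leafTemplate("Lab Corp", dcHost), ca, caKey)                // cert the DC presents today
	dcNext, _ := newCert(leafTemplate("Lab Corp", dcHost), ca, caKey)            // after the DC team renews, unannounced
	other, _ := newCert(leafTemplate("Lab Corp", "wiki.corp.example"), ca, caKey) // any other cert from the same CA
	rogue, _ := newCert(leafTemplate("Attacker Ltd", dcHost), nil, nil)          // self-signed, claims the DC's name

	pins := []string{fingerprint(dc)} // Option C's Validation Credential
	ok := func(err error) bool { return err == nil }
	return map[string]bool{
		"B chain only: today's DC cert allowed":           ok(validatePKIX(dc, roots, "", "")),
		"B chain only: other host from same CA allowed":   ok(validatePKIX(other, roots, "", "")),
		"B chain+hostname: other host allowed":            ok(validatePKIX(other, roots, dcHost, "")),
		"B chain+hostname+O: renewed DC cert allowed":     ok(validatePKIX(dcNext, roots, dcHost, "Lab Corp")),
		"B chain+hostname: self-signed impostor allowed":  ok(validatePKIX(rogue, roots, dcHost, "")),
		"C pin: today's DC cert allowed":                  ok(validatePinned(dc, pins)),
		"C pin: renewed DC cert allowed":                  ok(validatePinned(dcNext, pins)),
	}
}

func main() {
	for k, v := range Scenario() {
		fmt.Printf("%-48s %v\n", k, v)
	}
}
```

The run shows the two failure modes side by side: bare chain checking (Option B as posed) lets `wiki.corp.example` through because it only proves "signed by our CA", while the pin (Option C) rejects the renewed DC certificate even though it chains to the same CA for the same name. Chain checking plus a hostname match accepts the renewal and still refuses the other host and the self-signed impostor, which is the browser behaviour the question is reaching for.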