Node and cluster security overview
Nodes and clusters include security features such as secure messaging, HTTPS, and system certificates that you need to understand before you install AS4 Microservice.
Secure messaging
You can use the Transport Layer Security (TLS) protocol without encryption but with client authentication to obtain all of the benefits of HMAC (hash message authentication code). TLS then handles the authentication and hashing without requiring a shared passphrase across different applications.
Restriction: Although you can use either the TLS or Secure Sockets Layer (SSL) protocol with AS4 Microservice, IBM recommends that you use SSL only for backward compatibility because of its security vulnerabilities. For more information, see the IBM Product Security Incident Response Blog.
Important: If you are using a custom system certificate that is signed with SHA-1, you must replace it with a certificate that uses SHA-2. TLS 1.2 and SHA-2 are the defaults for use with MQ. Do not use either SHA-1 or MD5 signature hashes. TLS 1.1 and 1.0 are still supported for trading partners who require these protocols. If TLS 1.2 is specified, it is enforced as the minimum level of security for any resource that uses it.
HTTPS
By default, HTTPS ports are enabled on all four member types, including the informational member that you use to access the AS4 Microservice user interface.
Important: These ports are secured with TLS 1.0, 1.1, or 1.2. Using TLS 1.2 is recommended to best secure the interfaces.
Restriction: You cannot use an HTTP port or change an HTTPS port number. HTTPS is more secure than HTTP, and other parts of the AS4 Microservice depend on the default HTTPS port numbers.
HTTPS endpoints use a disk-based keystore file. You can update the keystore with a command that uses an alias value to retrieve the associated certificates from the identity keystore. The AS4 Microservice user interface and the Java™ Management Extensions (JMX) tool use the same keystore and present the same certificate for server authentication.
Restriction: Only server authentication is supported in AS4 Microservice. Client authentication is not supported, so you cannot add certificate authority (CA) certificates for client authentication to the keystore to support HTTPS on the user interface. You can use CA certificates only for server authentication. If you access the AS4 Microservice user interface by using a browser that has the root certificate of the issuer, the browser can report that the web page is safe to access. Otherwise, it can warn users. This setup is used by most secured websites that use HTTPS.
The following table shows the default numbers for HTTPS ports:

| Member | HTTPS Port |
|---|---|
| Operational | 9443 |
| Informational | 19443 |
| Catalog | 17443 |
| Container | 18443 |
System Certificate
When you install AS4 Microservice, the Installation Manager prompts you for information about a PKCS12 file. This file contains a private key and an X.509 certificate that are used by the AS4 Microservice user interface. The same certificate is used by the JMX and HTTPS ports.
Important: To best secure the AS4 Microservice user interface and JMX interfaces, use certificates with a SHA-2 hash. Do not use either SHA-1 or MD5 signature hashes.
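The following script is an added example for checking the two requirements above; it is not part of the IBM documentation or the AS4 Microservice product. It performs a TLS 1.2-minimum handshake against each default HTTPS port, reads the signatureAlgorithm OID directly from the DER-encoded certificate the server presents, and reports whether the signature hash is SHA-2 or one of the SHA-1/MD5 hashes that must be replaced. The script name audit_cert.py and the host given as its argument are assumptions.

```python
import socket
import ssl
import sys
PORTS = {"Operational": 9443, "Informational": 19443, "Catalog": 17443, "Container": 18443}
# signatureAlgorithm OIDs -> (hash family, name); SHA-1 and MD5 are the hashes the note above says to replace
SIG_ALGS = {
    "1.2.840.113549.1.1.11": ("SHA-2", "sha256WithRSAEncryption"),
    "1.2.840.113549.1.1.12": ("SHA-2", "sha384WithRSAEncryption"),
    "1.2.840.10045.4.3.2": ("SHA-2", "ecdsa-with-SHA256"),
    "1.2.840.113549.1.1.5": ("SHA-1", "sha1WithRSAEncryption"),
    "1.2.840.10045.4.1": ("SHA-1", "ecdsa-with-SHA1"),
    "1.2.840.113549.1.1.4": ("MD5", "md5WithRSAEncryption"),
}

def der_tlv(buf, pos):  # decode one DER tag-length-value -> (tag, value_start, value_end)
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:  # long form: low 7 bits give the number of length octets that follow
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, pos, pos + length

def der_oid(raw):  # DER OBJECT IDENTIFIER content bytes -> dotted string
    arcs, val = [raw[0] // 40, raw[0] % 40], 0
    for b in raw[1:]:
        val = (val << 7) | (b & 0x7F)
        if not b & 0x80:  # a clear high bit ends a base-128 arc
            arcs, val = arcs + [val], 0
    return ".".join(map(str, arcs))

def signature_hash(der):  # -> (hash family, algorithm name) for a DER-encoded X.509 certificate
    # Certificate ::= SEQUENCE { tbsCertificate, signatureAlgorithm, signatureValue }
    _, pos, _ = der_tlv(der, 0)              # outer SEQUENCE
    _, _, tbs_end = der_tlv(der, pos)        # skip tbsCertificate entirely
    _, alg_pos, _ = der_tlv(der, tbs_end)    # signatureAlgorithm: AlgorithmIdentifier SEQUENCE
    tag, start, end = der_tlv(der, alg_pos)  # whose first element is the algorithm OID
    assert tag == 0x06, "expected OID in AlgorithmIdentifier"
    oid = der_oid(der[start:end])
    return SIG_ALGS.get(oid, ("UNKNOWN", oid))

def fetch(host, port):  # TLS 1.2+ handshake only; returns (negotiated version, DER certificate)
    ctx = ssl.create_default_context()
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    ctx.check_hostname, ctx.verify_mode = False, ssl.CERT_NONE  # inspect only; trust is not evaluated here
    with socket.create_connection((host, port), timeout=5) as s, ctx.wrap_socket(s, server_hostname=host) as t:
        return t.version(), t.getpeercert(binary_form=True)

if __name__ == "__main__":  # usage: python audit_cert.py <host>
    for member, port in PORTS.items():
        version, der = fetch(sys.argv[1], port)
        print(f"{member:<13} {port:>5} {version} {signature_hash(der)}")
```

A member whose handshake fails with a protocol error is still on TLS 1.0 or 1.1 only; a result of SHA-1 or MD5 means the PKCS12 certificate supplied at installation must be replaced.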