Trust settings in MQIPT
A key ring contains a personal certificate that includes the signer certificate or chain of signer certificates.
- Certificate Authority (CA) key ring
- This key ring contains trusted CA certificates that are used to validate certificates belonging
to a remote peer. These CA certificates help to determine whether the remote peer is trustworthy.
MQIPT supports both PKCS
#12 format key ring files, and cryptographic hardware key stores that support the PKCS #11
interface, for storing CA certificates. The MQIPT
CA key ring files are identified by the SSLClientCAKeyRing and
SSLServerCAKeyRing route properties. Use of
cryptographic hardware to access CA certificates is enabled by setting the
SSLClientCAKeyRingUseCryptoHardware and
SSLServerCAKeyRingUseCryptoHardware properties.
The CA key ring on the SSL/TLS client side should contain a list of trusted CA certificates that will be used to authenticate the certificate sent from the server. If a SSL server route is configured for client authentication, the CA key ring on the SSL/TLS server side should contain a list of trusted CA certificates that will be used to authenticate the certificate sent from the client.
- Personal certificate key ring
- This key ring contains personal certificates that MQIPT uses to identify itself to a remote peer. When you
generate a self-signed certificate or request a CA-signed certificate, you should do so by using the
personal certificate key ring. MQIPT supports both PKCS #12 format key ring files, and
cryptographic hardware key stores that support the PKCS #11 interface, for storing personal
certificates. In MQIPT, personal certificate key
ring files are identified by the SSLClientKeyRing and
SSLServerKeyRing route properties. Use of
cryptographic hardware to access personal certificates is enabled by setting the
SSLClientKeyRingUseCryptoHardware and
SSLServerKeyRingUseCryptoHardware properties.
The key ring on the SSL/TLS server side, should contain the MQIPT server's personal certificate. If client authentication is needed on an SSL client route, the key ring on the SSL/TLS client side should contain the client's personal certificate.
If you need client authentication, you must enable the SSLServerAskClientAuth property on the server side. The key ring on the client side should contain the client's personal certificate. The MQIPT key ring on the server side, identified by the SSLServerCAKeyRing property, should contain a list of trusted CA certificates that will be used to authenticate the client.
If you do not configure a CA key ring for a route, MQIPT will search for CA certificates in the personal certificate key ring instead, if one is configured. For example, if no value is set for SSLServerCAKeyRing, MQIPT will search for CA certificates in the key ring identified by SSLServerKeyRing.
As an alternative to using certificates signed by a trusted CA, you can use self-signed
certificates. You can find an example of a self-signed certificate in the
sslSample.pfx sample key ring file provided with MQIPT in the samples/ssl subdirectory. To
open the sample PKCS#12 key ring files, you must use the password mqiptSample.
Self-signed certificates can be useful in test scenarios where you must ensure SSL/TLS connectivity without paying a CA for a certificate. However, you should not use self-signed certificates in production environments. To create a CA-signed certificate, see Creating a key ring file.
You can use a utility called mqiptkeyman, which is provided with MQIPT, to manage digital certificates and key stores. See mqiptKeyman and mqiptKeycmd in MQIPT for installation instructions and further information.
You must protect any key ring files and password files by using the security features of the operating system to prevent unauthorized access to them.