Sunday, June 10, 2012

MQ Adapter and SSL - Part 1

Oracle MQ Series Adapter enables applications to connect to MQ Series queue managers and enqueue/dequeue messages to/from the queues. MQ Series supports secure communication through the use of SSL (Secure Sockets Layer). Oracle MQ Series Adapter can be easily configured to use SSL to secure the communication between the adapter and the server.

This article explains some general concepts of SSL on the MQ Adapter and points to how you can enable SSL on the Oracle MQ Adapter.

There are 2 types of SSL that can be configured on MQ Adapter:

One-Way SSL: 
In this SSL pattern, only the server gets authenticated. This ensures that the server to which the MQ Adapter is connecting is valid and correct. When the MQ Adapter connects to the MQ server, it requests the MQ server certificate. Once the MQ server provides the certificate, the MQ Adapter verifies it against the list of certificates available in its store. If a match is found, the certificate is considered valid and the SSL connection is established.

Two-Way SSL:
In two-way SSL, both client and server are authenticated. The connection process is very similar to one-way SSL, except that the client is also authenticated. When the MQ Adapter connects to the MQ server, it requests the server certificate. The MQ server provides the appropriate certificate, which the MQ Adapter verifies against the list of certificates available to it. After the MQ Adapter (client) has validated this certificate, the MQ server (server) requests the client certificate to ensure that the requesting client is also valid. The MQ Adapter then presents its certificate to the MQ server, which verifies it against the list of certificates available to it. If both the client and server certificates are found valid, the SSL connection is established.

Two-way SSL is always enforced by the server. Hence, to enable two-way SSL on MQ Series, the MQ server needs to enforce two-way SSL on the incoming channel. On the server side, set the property Authentication of Parties initiating connection to Required as shown in the screenshot. This forces clients connecting to it to present their certificates for validation before an SSL connection can be established.

Also ensure that this channel is of the Server-connection type. Contact your MQ Server Administrator to confirm this.
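
The server-side check and change described above, written as MQSC commands for `runmqsc`. This is an added example, not part of the original post; the channel name APP.SVRCONN is hypothetical, and the MQ Explorer property "Authentication of parties initiating connections" corresponds to the channel attribute SSLCAUTH.

```mqsc
* Added example. APP.SVRCONN is a hypothetical channel name; substitute
* the server-connection channel that the MQ Adapter connects to.
* Run these inside a runmqsc session on the queue manager that owns it.

* 1. Inspect the channel. Expect CHLTYPE(SVRCONN) and a non-blank SSLCIPH.
DISPLAY CHANNEL('APP.SVRCONN') CHLTYPE SSLCIPH SSLCAUTH SSLPEER

* How to read the output:
*   SSLCIPH( )           SSL is not used on this channel at all;
*                        SSLCAUTH has no effect until a CipherSpec is set.
*   SSLCAUTH(OPTIONAL)   One-way SSL is accepted: a client that presents
*                        no certificate can still connect.
*   SSLCAUTH(REQUIRED)   Two-way SSL is enforced: a client that presents
*                        no certificate is rejected.

* 2. Enforce two-way SSL on the channel.
ALTER CHANNEL('APP.SVRCONN') CHLTYPE(SVRCONN) SSLCAUTH(REQUIRED)

* 3. Confirm the change. It applies to channel instances started
*    after this point, so existing connections must reconnect.
DISPLAY CHANNEL('APP.SVRCONN') SSLCAUTH SSLCIPH
```

With SSLCAUTH(REQUIRED), any client certificate that chains to a CA trusted by the queue manager is accepted; the SSLPEER attribute shown in step 1 can additionally restrict the channel to certificates whose Distinguished Name matches a given pattern.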


To keep this post short and sweet, the steps for configuring one-way or two-way SSL on the MQ Adapter are covered in another post, Enabling SSL on MQ Series Adapter - Part 2.