Configure the ADMIN and CLUSTER service connections to be SSL
Can you configure the ADMIN and CLUSTER service connections to be SSL
rather than tcp?

I was wondering about the present or future ability to secure other
connection services with SSL. Can you now or are there future plans
to configure the ADMIN and CLUSTER service connections to be SSL
rather than tcp? I suppose I should add the PORTMAPPER to that list.

My primary interest is for an SSLCLUSTER service in the case where
two brokers are connected over a non-trusted network. It may
not be too difficult to secure all the services the same way, but
perhaps that is on the TODO list.

A related question is if there are plans to add SSL with client
authentication as a stronger authentication mechanism than 'simple'
username and password. I believe you could get the username from
the client certificate's DN and continue to use the same LDAP user
repository for access control. I think this is similar to the way
that BEA's WebLogic server does it.

Finally, should it be possible to deploy the HTTP tunnel servlet to
a webserver (such as iPlanet Web Server) configured to do SSL with
client authentication as a work-around to get stronger authentication
with the current release of the product? Or am I perhaps missing some
obvious and important detail? :) I guess I would like to know it's been
done already or is at least possible before I try and do it myself.

3 scenarios involving SSL are:

1: JMS client <- SSL -> iMQ broker
2: iMQ admin <- SSL -> iMQ broker
3: iMQ broker <- SSL -> iMQ broker (i.e. clusters)

(1) is currently supported in iMQ 2.0.
(2) and (3) are not supported in iMQ 2.0. No concrete plans yet to support
them in the near future but we'll definitely consider doing it if we
hear a lot of demand for it.

]A related question is if there are plans to add SSL with client
]authentication as a stronger authentication mechanism than 'simple'
]username and password. I believe you could get the username from
]the client certificate's DN and continue to use the same LDAP user
]repository for access control. I think this is similar to the way
]that BEA's WebLogic server does it.

This is on our todo list, but due to other more pressing issues we
have not been able to address it. We will continue to keep it
on our potential list of new features.

Sorry if I sound pretty wishy-washy in my responses above, but the fact
is that the things you mentioned above had to take a backseat
to other more critical features. That and the usual time/resource
constraints caused them not to be implemented.

]Finally, should it be possible to deploy the HTTP tunnel servlet to
]a webserver (such as iPlanet Web Server) configured to do SSL with
]client authentication as a work-around to get stronger authentication
]with the current release of the product? Or am I perhaps missing some
]obvious and important detail? :) I guess I would like to know it's been
]done already or is at least possible before I try and do it myself.

Yes, this should be possible (although I don't believe we've tried it here).
The client authentication here is really only between the JMS client and the
web server (not between the tunnel servlet and the iMQ broker) and should
be similar in setup to any other Java application talking to iPlanet Web
Server.
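
The mapping raised in the question, from a verified client certificate's subject DN to a username for the existing LDAP repository, could look like the sketch below. This is an added example, not code from the thread or from iMQ; the class name `CertUserMapper`, the method `usernameFrom`, the username pattern and the sample DNs are all assumptions made for illustration.

```java
import java.util.Optional;
import java.util.regex.Pattern;
import javax.naming.NamingException;
import javax.naming.directory.Attribute;
import javax.naming.ldap.LdapName;
import javax.naming.ldap.Rdn;
import javax.security.auth.x500.X500Principal;

public class CertUserMapper {
    // Assumed username policy; tighten it to match the LDAP repository's own rules.
    private static final Pattern SAFE_USER = Pattern.compile("[A-Za-z0-9._-]{1,64}");

    /** Returns the single CN of the subject DN, or empty if missing, repeated or unsafe. */
    static Optional<String> usernameFrom(X500Principal subject) {
        try {
            // The RFC 2253 string form keeps escaped commas intact for LdapName.
            LdapName dn = new LdapName(subject.getName(X500Principal.RFC2253));
            String cn = null;
            for (Rdn rdn : dn.getRdns()) {
                // toAttributes() also exposes a CN inside a multi-valued RDN (CN=a+OU=b).
                Attribute attr = rdn.toAttributes().get("cn");
                if (attr == null) continue;
                if (cn != null || attr.size() != 1) return Optional.empty(); // ambiguous
                Object value = attr.get();
                if (!(value instanceof String)) return Optional.empty();     // binary value
                cn = (String) value;
            }
            // Accept only names that are safe to place in an LDAP search filter.
            return (cn != null && SAFE_USER.matcher(cn).matches())
                    ? Optional.of(cn) : Optional.empty();
        } catch (NamingException e) {
            return Optional.empty(); // unparsable DN: treat as no identity
        }
    }

    public static void main(String[] args) {
        // Constructed sample subjects. In a servlet, the subject would come from the
        // chain in the "javax.servlet.request.X509Certificate" request attribute,
        // which the web server fills in only after it has verified the client cert.
        String[] samples = {
            "CN=jsmith,OU=Messaging,O=Example Corp,C=US", // one CN
            "OU=Messaging,O=Example Corp,C=US",           // no CN
            "CN=*,O=Example Corp,C=US",                   // CN fails the username policy
            "CN=alice,CN=bob,O=Example Corp,C=US",        // more than one CN
        };
        for (String s : samples) {
            System.out.println(s + " -> " + usernameFrom(new X500Principal(s)));
        }
    }
}
```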