Status: Future consideration
Workspace: DataPower Gateway
Created by: Guest
Created on: Jan 16, 2024

IBM DataPower - IBM MQ v9 QueueManager Object - properties for mqclient.ini of dpSideCarMQProc

The checking of OCSP and CRL in dpSideCarMQProc for MQv9 objects is set to "required" by default.

In the deprecated MQ (v8) objects the checks are not required by default and hence do not cause continuous errors for failed connections to OCSP and CRL.

We need the following properties to be persistently configurable in mqclient.ini for dpSideCarMQProc (via CLI command or in the WebGUI) to be able to set both checks to optional if necessary.

SSL:
  OCSPAuthentication=OPTIONAL
  ClientRevocationChecks=OPTIONAL

The "validation credential" for the TLS Server/Client Profile has the option to use the CRL and set it to required or optional.
This option is not considered by dpSideCarMQProc for the TLS handshake.

Reasons why we need to set the checks to "optional" or turn them off in several scenarios:

- DataPower instances are positioned in different network zones (from low-security up to high-security zones)
- the OCSP and CRL endpoints are positioned in the high-security zone
- connections from the low-security to the high-security zone are not allowed (firewall exceptions are only granted for a very limited time frame / one-time operations)
- a universal firewall rule for access to OCSP and CRL from all network zones is not allowed, as defined in the infrastructure security concept
- the CRL and OCSP extensions are required in certificates by the BSI (Bundesamt fuer Sicherheit in der Informationstechnik), as defined in TR-02103 [https://www.bsi.bund.de/dok/TR-02103] (section 2.3.5 CRL Distribution Points and 2.3.9 Authority Information Access), and cannot be excluded when the certificate is created
- it seems there is no TLS session handling / reuse to reduce the handshakes for new connections
- there is no caching of fetched information to reduce the check requests to both endpoints
- we expect a huge traffic overhead at both endpoints because the checks of the server certificate and issuer CA are processed for each connection to the queue manager (e.g. a TCP trace shows 4 connections to the OCSP endpoint (2 for the intermediate and root CA) for a single put/get operation cycle on the request/reply queues)
- a large number of services would suffer downtime if the OCSP/CRL lists become unavailable due to network errors, maintenance etc.

We'd prefer the option to turn off the checks for known certificate authorities (CA), as in the validation credential for the TLS profile.

Idea priority: High
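Before relaxing OCSPAuthentication or ClientRevocationChecks for a zone, a practitioner wants to know exactly which revocation endpoints the certificate chain forces the MQ client to contact, and whether those hosts are reachable from where DataPower sits. The script below is an added example, not part of the idea post above and not IBM or DataPower code: it builds a throwaway self-signed certificate carrying the two extensions TR-02103 mandates (AIA with an OCSP responder, and a CRL Distribution Point), extracts the endpoint URIs with openssl, counts them, and optionally probes them. It assumes openssl 1.1.1 or newer (for -addext and -ext) and curl for the probe; the ocsp.example.test and crl.example.test hostnames are placeholders, not real endpoints. Run it once per certificate in the chain (leaf, intermediate, root), since each certificate adds its own lookups, which is how one queue-manager connection fans out into several OCSP requests.

```shell
#!/bin/sh
# Added example (not from the idea post or from IBM): list the revocation endpoints a
# TLS client must contact for a certificate, and test whether they are reachable.
# Assumes openssl >= 1.1.1 and curl. Hostnames are placeholders.
set -eu

# Constructed sample: a throwaway self-signed certificate with an AIA/OCSP entry and a
# CRL Distribution Point, the two extensions TR-02103 requires in issued certificates.
make_sample_cert() {
  cert="$1"
  openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
    -keyout "${cert%.pem}.key" -out "$cert" \
    -subj "/CN=mq.example.test" \
    -addext "authorityInfoAccess=OCSP;URI:http://ocsp.example.test/" \
    -addext "crlDistributionPoints=URI:http://crl.example.test/ca.crl" \
    >/dev/null 2>&1
}

# OCSP responder URIs taken from the Authority Information Access extension.
ocsp_uris() {
  openssl x509 -in "$1" -noout -ocsp_uri
}

# CRL URIs taken from the CRL Distribution Points extension.
crl_uris() {
  openssl x509 -in "$1" -noout -ext crlDistributionPoints \
    | sed -n 's/^ *URI:\(.*\)$/\1/p'
}

# Number of distinct endpoints this one certificate forces a client to consult.
# Sum this over leaf, intermediate and root to estimate lookups per connection.
count_endpoints() {
  { ocsp_uris "$1"; crl_uris "$1"; } | sort -u | grep -c .
}

# Probe each endpoint with a short connect timeout. Run from the DataPower's own
# network zone: if every line is "unreachable", a REQUIRED check can never pass there.
probe_endpoints() {
  { ocsp_uris "$1"; crl_uris "$1"; } | sort -u | while read -r uri; do
    if curl -s --connect-timeout 3 -o /dev/null "$uri"; then
      printf 'reachable   %s\n' "$uri"
    else
      printf 'unreachable %s\n' "$uri"
    fi
  done
}

# Usage: ./revocation-endpoints.sh /path/to/cert.pem
if [ "$#" -eq 1 ]; then
  printf 'OCSP: %s\n' "$(ocsp_uris "$1")"
  printf 'CRL:  %s\n' "$(crl_uris "$1")"
  printf 'endpoints: %s\n' "$(count_endpoints "$1")"
  probe_endpoints "$1"
fi
```

The probe only tells you about the zone the script runs in; repeat it from each zone where a DataPower instance lives, because the idea's whole point is that the answer differs between the low-security and high-security zones.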
Merged idea:

Option to disable OCSP/CRL checking in DataPower for MQ TLS connectivity

There is a DataPower version 10 instance that is trying to connect to an MQ version 9.2.5 instance with signed TLS certificates but we are getting an error 2939 on DataPower. Since there is an AuthorityInfoAccess extension on the certificate...
11 months ago in DataPower Gateway | 0 | Future consideration