Status Delivered
Workspace DataPower Gateway
Created by Guest
Created on Jan 16, 2024

IBM DataPower - IBM MQ v9 QueueManager Object - properties for mqclient.ini of dpSideCarMQProc

The checking of OCSP and CRL in dpSideCarMQProc for MQv9 objects is set to "required" by default.

In deprecated MQ (v8) objects the checks are not required by default and hence don't cause continuous errors for failed connection to OCSP and CRL.

We need the following properties to be persistently configurable in mqclient.ini for dpSideCarMQProc (per CLI command or in the WebGUI) to be able to set both checks to optional if necessary.

SSL:
  OCSPAuthentication=OPTIONAL
  ClientRevocationChecks=OPTIONAL

The "validation credential" for the TLS Server/Client Profile has the option to use the CRL and to set the check to required or optional.
This option is not considered by dpSideCarMQProc for the TLS handshake.

Reasons why we need to set the checks to "optional" or "turn it off" in several scenarios:

- DataPower instances are positioned in different network zones (from a low security level right up to a high security level)
- the OCSP and CRL endpoint is positioned in the high security zone
- connections from the low security zone to the high security zone are not allowed (firewall exceptions are only allowed for a very limited time frame / one-time operations)
- a universal firewall rule for access to OCSP and CRL from all network zones is not allowed, as defined in the security concept for the infrastructure
- the CRL and OCSP extensions are required in certificates by the BSI (Bundesamt fuer Sicherheit in der Informationstechnik) and defined in TR-02103 [https://www.bsi.bund.de/dok/TR-02103] (section 2.3.5 CRL Distribution Points and 2.3.9 Authority Information Access) and cannot be excluded when the certificate is created
- it seems there is no TLS session handling / reuse to reduce the handshakes for new connections
- there is no caching of fetched information to reduce the check requests to both endpoints
- we expect a huge traffic overhead at both endpoints because the checks of the server certificate and issuer CA will be processed for each connection to the queue manager (e.g. a TCP trace shows 4 connections to the OCSP endpoint (2 for the intermediate and root CA) for a single put/get operation cycle to the request/reply queue)
- there would be downtimes of a large number of services if the OCSP/CRL lists should become unavailable due to network errors/maintenance etc.

We'd prefer the option to turn off the checks for known certificate authorities (CA) like in validation credential for tls profile.

Idea priority High
  • Admin
    Ulas Cubuk
    Dec 20, 2024

    In DataPower (10.6.0.2, 10.5.0.14 and 10.6.1) we added support for IBM MQ v9+ queue managers to manage OCSP and CRL checking for TLS connectivity. When you configure an IBM MQ v9+ queue manager, you can modify the behavior of OCSP and CRL checking for TLS connectivity. The default behavior for OCSP and CRL checks for TLS connectivity is as follows.

    • Attempt an OCSP security check against the servers in the AuthorityInfoAccess (AIA) certificate extension.

    • When the revocation status of a certificate cannot be determined from an OCSP server, the connection is closed with an error.

    • Do not run a CDP revocation check against the servers in the CrlDistributionPoint (CDP) certificate extension.

    • Attempt to load the configuration for certificate revocation from the CCDT file, and run the check as configured. If the CCDT file cannot be opened or the certificate cannot be validated, the MQCONN call fails.

    For more information, see Configuring an IBM MQ queue manager.
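The following is an added example, not part of this thread and not DataPower or IBM MQ code. It parses an mqclient.ini SSL stanza like the one requested in the idea (OCSPAuthentication / ClientRevocationChecks set to OPTIONAL) and evaluates, for a given OCSP and CRL answer, whether a connection would proceed, so the difference between the stock defaults listed in the admin reply and the requested stanza can be seen side by side. The default values, and the OCSPCheckExtensions / CDPCheckExtensions keys, are taken as the ones described in the reply and the MQ documentation; the precedence between the two keys is this example's simplification and should be checked against the MQ level you run. The sample stanza and the "responder unreachable" scenario are constructed.

```python
"""Added example: model of the mqclient.ini SSL revocation settings discussed in
this idea. Not DataPower or IBM MQ code; the decision rules are a simplified
reading of the documented key meanings and the defaults the admin reply lists."""
from __future__ import annotations

import re
from dataclasses import dataclass, field

# Constructed sample: the stanza requested in the idea.
INI_OPTIONAL = """\
SSL:
  OCSPAuthentication=OPTIONAL
  ClientRevocationChecks=OPTIONAL
"""

# Defaults as described in the admin reply (assumed when a key is absent).
DEFAULTS = {
    "OCSPAuthentication": "REQUIRED",   # undetermined OCSP status closes the connection
    "OCSPCheckExtensions": "YES",       # query the responders named in the AIA extension
    "CDPCheckExtensions": "NO",         # do not fetch CRLs from the CDP extension
    "ClientRevocationChecks": "REQUIRED",
}


def parse_mqclient_ini(text: str) -> dict[str, dict[str, str]]:
    """Parse mqclient.ini layout: 'Stanza:' at column 0, indented Key=Value lines,
    ';' or '#' starting a comment."""
    stanzas: dict[str, dict[str, str]] = {}
    current: str | None = None
    for raw in text.splitlines():
        line = re.split(r"[;#]", raw, maxsplit=1)[0].rstrip()
        if not line.strip():
            continue
        if not raw[0].isspace() and line.endswith(":"):
            current = line[:-1].strip()
            stanzas.setdefault(current, {})
            continue
        if current is None or "=" not in line:
            raise ValueError(f"malformed mqclient.ini line: {raw!r}")
        key, value = (part.strip() for part in line.split("=", 1))
        stanzas[current][key] = value.upper()
    return stanzas


def effective_ssl_settings(ini_text: str) -> dict[str, str]:
    """Merge the SSL stanza over the defaults so absent keys behave like the stock config."""
    ssl = parse_mqclient_ini(ini_text).get("SSL", {})
    return {**DEFAULTS, **{k: v for k, v in ssl.items() if k in DEFAULTS}}


# Revocation answers a client can observe for the server certificate.
GOOD, REVOKED, UNDETERMINED = "good", "revoked", "undetermined"


@dataclass
class Decision:
    connect: bool
    reasons: list[str] = field(default_factory=list)


def evaluate(settings: dict[str, str], has_aia: bool, has_cdp: bool,
             ocsp: str, crl: str) -> Decision:
    """Decide whether the handshake proceeds for the observed OCSP/CRL answers.

    Simplified rules (assumption of this example, not the exact MQ precedence):
      * a REVOKED answer from any consulted source always fails;
      * an UNDETERMINED OCSP answer (responder unreachable/unknown) is fatal under
        OCSPAuthentication=REQUIRED, logged under WARN, ignored under OPTIONAL;
      * an UNDETERMINED CRL answer is fatal under ClientRevocationChecks=REQUIRED;
      * ClientRevocationChecks=DISABLED skips all checking.
    """
    d = Decision(connect=True)
    if settings["ClientRevocationChecks"] == "DISABLED":
        d.reasons.append("revocation checking disabled")
        return d
    if settings["OCSPCheckExtensions"] == "YES" and has_aia:
        if ocsp == REVOKED:
            return Decision(False, ["OCSP: certificate revoked"])
        if ocsp == UNDETERMINED:
            mode = settings["OCSPAuthentication"]
            if mode == "REQUIRED":
                return Decision(False, ["OCSP: status undetermined, OCSPAuthentication=REQUIRED"])
            d.reasons.append(f"OCSP: status undetermined, continuing (OCSPAuthentication={mode})")
    if settings["CDPCheckExtensions"] == "YES" and has_cdp:
        if crl == REVOKED:
            return Decision(False, ["CRL: certificate revoked"])
        if crl == UNDETERMINED:
            if settings["ClientRevocationChecks"] == "REQUIRED":
                return Decision(False, ["CRL: unavailable, ClientRevocationChecks=REQUIRED"])
            d.reasons.append("CRL: unavailable, continuing (ClientRevocationChecks=OPTIONAL)")
    return d


if __name__ == "__main__":
    # Scenario from the idea: the responder sits in a zone the gateway cannot reach,
    # so every OCSP query comes back undetermined; the certificate carries AIA and CDP.
    for label, ini in (("defaults", ""), ("idea's stanza", INI_OPTIONAL)):
        s = effective_ssl_settings(ini)
        r = evaluate(s, has_aia=True, has_cdp=True, ocsp=UNDETERMINED, crl=UNDETERMINED)
        print(f"{label:14} connect={r.connect} {'; '.join(r.reasons)}")
```

Running it shows the stock settings closing the connection on an unreachable responder while the requested stanza lets it through; a REVOKED answer still fails under both, which is the property to keep in mind when weighing "optional" against the firewall constraints listed in the idea.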

Merged ideas

Option to disable OCSP/CRL checking in DataPower for MQ TLS connectivity

Merged
There is a DataPower version 10 instance that is trying to connect to an MQ version 9.2.5 instance with signed TLS certificates, but we are getting an error 2939 on DataPower. Since there is an AuthorityInfoAccess extension on the certificate...
over 1 year ago in DataPower Gateway 0 Delivered