
We have an application which needs to connect to 2 different WMQ queue managers. We are already connected to one manager using the 4 properties of trustStore & keyStore as mentioned in the answer here using VM arguments. But this won't work when we have different certificates for different queue managers.

Is it possible to provide different SSL properties for different queue managers or for that matter to the connection factories? I need a way where the SSL properties are not VM args or system properties but some object properties.

JoshMc
Mukund Jalan
  • Are the certs for the different queue managers signed by different certificate chains? For example QM1 expects you to send a cert signed by BigCO's root cert and QM2 expects you to send a cert signed by AnotherCO's root cert? – JoshMc Apr 26 '19 at 08:09
  • @JoshMc maybe, I do not know. I basically have 2 different `jks` files with 2 different passwords for both the QMs – Mukund Jalan Apr 26 '19 at 11:29
  • Any reason you can not combine them? – JoshMc Apr 26 '19 at 11:57
  • Java will send the cert that matches the CAs that the server trusts, if you have no cross over with both queue managers trusting the same signers then both certs can be in one jks with no issue. – JoshMc Apr 26 '19 at 13:07
  • Can you list the contents of the jks files to see who the certs are signed by? – Morag Hughson Apr 26 '19 at 21:56
  • @MoragHughson I have certificates being signed by authorities within our organisation so cannot list the contents here. – Mukund Jalan Apr 30 '19 at 10:09
  • @JoshMc I cannot have one jks because I have these jks files for different environments we are on. But for a typical use case I require to connect to QMs of different env from one single env. I was expecting something where I could just give paths of jks files to their respective connection factories (or something similar) instead of giving as VM arguments. – Mukund Jalan Apr 30 '19 at 10:12
  • So would the answer to my question be that the certs you use to connect to both QMs are signed by the same CA? – JoshMc Apr 30 '19 at 12:05
  • @Mukund - the contents don't matter other than for you to discover whether they are signed by the same CA. Please don't post the contents here, just the answer to Josh's question – Morag Hughson May 01 '19 at 01:39
  • I do not understand much from the contents of jks file but it says it has 8 entries each and most of them are same. Is there anything specific I should see to find this info? I used the command `keytool -list -v -keystore` – Mukund Jalan May 01 '19 at 07:31

0 Answers
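
The per-connection-factory setup the question asks for, as an added example that is not part of the original thread: each JKS file is loaded into its own `SSLContext` using standard JSSE calls, so no `javax.net.ssl.*` system properties are involved. The file paths, passwords, class name and the `cf1`/`cf2` variables are hypothetical, and the code assumes each JKS holds both the client key entry and the trusted CA certificates, with the key password equal to the store password.

```java
import java.io.InputStream;
import java.nio.file.Files;
import java.nio.file.Path;
import java.nio.file.Paths;
import java.security.KeyStore;
import javax.net.ssl.KeyManagerFactory;
import javax.net.ssl.SSLContext;
import javax.net.ssl.SSLSocketFactory;
import javax.net.ssl.TrustManagerFactory;

public class PerQueueManagerTls {

    /** Builds an SSLContext whose key and trust material come only from the given JKS file. */
    static SSLContext contextFor(Path jks, char[] password) throws Exception {
        KeyStore store = KeyStore.getInstance("JKS");
        try (InputStream in = Files.newInputStream(jks)) {
            store.load(in, password);
        }
        // Client certificate and private key (assumption: key password == store password).
        KeyManagerFactory kmf = KeyManagerFactory.getInstance(KeyManagerFactory.getDefaultAlgorithm());
        kmf.init(store, password);
        // CA certificates used to validate the queue manager's certificate.
        TrustManagerFactory tmf = TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
        tmf.init(store);
        SSLContext ctx = SSLContext.getInstance("TLSv1.2");
        ctx.init(kmf.getKeyManagers(), tmf.getTrustManagers(), null);
        return ctx;
    }

    public static void main(String[] args) throws Exception {
        // Hypothetical paths and passwords; load real passwords from a secret store, not source code.
        SSLSocketFactory qm1 = contextFor(Paths.get("/path/to/qm1.jks"), "changeit-qm1".toCharArray()).getSocketFactory();
        SSLSocketFactory qm2 = contextFor(Paths.get("/path/to/qm2.jks"), "changeit-qm2".toCharArray()).getSocketFactory();

        // With the IBM MQ classes for JMS on the classpath, each socket factory is then
        // attached to its own MQConnectionFactory (cf1 and cf2 are hypothetical variables):
        //   cf1.setSSLSocketFactory(qm1);
        //   cf2.setSSLSocketFactory(qm2);
        System.out.println("Independent factories: " + (qm1 != qm2));
    }
}
```

Because each context trusts only the CAs in its own file, a connection to one queue manager cannot be validated against the other environment's trust anchors.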