Extensions to this task

 

The use of CA-signed certificates makes it easier to add extra queue managers (which will also use SSL) to your network, because it reduces the administration of certificates in your network. Table 1 compares the number of certificates that need to be installed in each queue manager's key repository to be able to communicate with all the other queue managers, when using self-signed certificates (as described in Task 1: Using self-signed certificates) and when using CA-signed certificates.

The administration of certificates includes copying these certificates from system to system as well as adding them to key repositories. Table 1 shows that, as your network grows, the number of certificates that must be copied into each queue manager's key repository increases when you use self-signed certificates. When you use CA-signed certificates, however, the number of certificates remains the same, which makes the administration much simpler.

Table 1. Total number of certificates in each queue manager's key repository, both CA certificates and personal certificates, when using each scheme.

| Number of queue managers in network | Using self-signed certificates | Using CA-signed certificates |
|---|---|---|
| 2 | 2 | 2 |
| 3 | 3 | 2 |
| 4 | 4 | 2 |
| 5 | 5 | 2 |

We can extend this task by adding a third queue manager called QMC. QMC's key repository will contain its own certificate. The CA-signed certificate and appropriate channels can be defined to communicate with QMB. For example, on QMC issue:

DEFINE CHANNEL(TO.QMB) CHLTYPE(SDR) TRPTYPE(TCP) CONNAME(QMB.MACH.COM) XMITQ(QMB) +
SSLCIPH(RC2_MD5_EXPORT) DESCR('Sender channel using SSL from QMC to QMB')

If generic receiver definitions are used at queue manager QMB, the same CipherSpec must be used on the sender channels at QMA and QMC, because the CipherSpec must match on both ends of each channel.
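The matching rule above can be checked before the channels are started. The following is an added example, not part of the original page or of IBM's tooling: it parses DEFINE CHANNEL commands and reports sender/receiver pairs whose SSLCIPH values differ. The QMB receiver definition, QMC's DES_SHA_EXPORT value and the function names are constructed for illustration.

```python
import re

# Constructed sample: MQSC channel definitions keyed by the queue manager that
# holds them. QMC's sender is given a different CipherSpec on purpose.
SAMPLE = {
    "QMA": "DEFINE CHANNEL(TO.QMB) CHLTYPE(SDR) TRPTYPE(TCP) +\n"
           "CONNAME(QMB.MACH.COM) XMITQ(QMB) SSLCIPH(RC2_MD5_EXPORT)\n",
    "QMB": "DEFINE CHANNEL(TO.QMB) CHLTYPE(RCVR) TRPTYPE(TCP) +\n"
           "SSLCIPH(RC2_MD5_EXPORT)\n",
    "QMC": "DEFINE CHANNEL(TO.QMB) CHLTYPE(SDR) TRPTYPE(TCP) +\n"
           "CONNAME(QMB.MACH.COM) XMITQ(QMB) SSLCIPH(DES_SHA_EXPORT)\n",
}

# keyword(value) pairs; a quoted value may itself contain parentheses
ATTR = re.compile(r"(\w+)\(\s*('[^']*'|[^()]*?)\s*\)")

def parse_channels(mqsc):
    """Return {channel name: {attribute: value}} for DEFINE CHANNEL commands."""
    # A trailing '+' continues an MQSC command on the next line.
    joined = re.sub(r"\+[ \t]*\r?\n\s*", " ", mqsc)
    channels = {}
    for cmd in joined.splitlines():
        if re.match(r"\s*DEFINE\s+CHANNEL\(", cmd, re.I):
            attrs = {k.upper(): v.strip("'") for k, v in ATTR.findall(cmd)}
            channels[attrs["CHANNEL"]] = attrs
    return channels

def cipherspec_mismatches(defs):
    """Pair each sender with the same-named receiver and report
    (sender QM, channel, sender spec, receiver QM, receiver spec) on a mismatch."""
    parsed = {qm: parse_channels(text) for qm, text in defs.items()}
    findings = []
    for sqm, senders in parsed.items():
        for name, s in senders.items():
            if s.get("CHLTYPE", "").upper() != "SDR":
                continue
            for rqm, receivers in parsed.items():
                r = receivers.get(name, {})
                if r.get("CHLTYPE", "").upper() != "RCVR":
                    continue
                s_spec = s.get("SSLCIPH", "").upper()
                r_spec = r.get("SSLCIPH", "").upper()
                if s_spec != r_spec:  # also true when only one end sets SSLCIPH
                    findings.append((sqm, name, s_spec, rqm, r_spec))
    return findings

if __name__ == "__main__":
    for f in cipherspec_mismatches(SAMPLE):
        print("%s %s uses %s but %s expects %s" % f)
```

RC2_MD5_EXPORT, the CipherSpec used on this page, is a 40-bit export-grade CipherSpec; the matching rule is the same whichever CipherSpec is chosen, so a stronger one can be substituted in all three definitions.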

 
