This section describes the private registry service provided by WebSphere MQ Everyplace.
Queue-based security, which uses mini-certificate-based mutual authentication, and message-level security, which uses digital signatures, gave rise to the concept of the authenticatable entity. Mutual authentication is normally thought of as authentication between two users, but messaging generally has no concept of users: the normal users of messaging services are applications, and it is the applications that handle the user concept.
WebSphere MQ Everyplace abstracts the target of authentication from a user (a person) to an authenticatable entity. This does not exclude the possibility that an authenticatable entity is a person, but that mapping is selected by the application.
Internally, WebSphere MQ Everyplace defines every queue manager that can originate or be the target of mini-certificate-dependent services as an authenticatable entity. It also defines every queue configured to use a mini-certificate-based authenticator as an authenticatable entity. A queue manager that supports these services therefore has either one authenticatable entity (the queue manager itself) or a set of them (the queue manager and every queue that uses a certificate-based authenticator).
WebSphere MQ Everyplace provides configurable options that enable queue managers and queues to auto-register as authenticatable entities. The WebSphere MQ Everyplace private registry service (MQePrivateRegistry) provides services that enable a WebSphere MQ Everyplace application to auto-register authenticatable entities and manage the resulting credentials.
All application-registered authenticatable entities can be used as the initiator or recipient of message-level services protected using MQeMTrustAttribute.
To be useful, every authenticatable entity needs its own credentials. This presents two challenges: first, how to carry out registration to obtain the credentials, and second, where to manage the credentials securely. WebSphere MQ Everyplace private registry services help to solve both problems: they can be used to trigger auto-registration of an authenticatable entity, creating its credentials securely, and they also provide a secure repository for those credentials.
Private registry (a descendant of base registry) adds to base registry many of the qualities of a secure or cryptographic token. For example, it can be a secure repository for public objects (mini-certificates) and private objects (private keys). It provides a mechanism to limit access to the private objects to the authorized user. It supports services (for example digital signature and RSA decryption) in such a way that the private objects never leave the private registry. Also, by providing a common interface, it hides the underlying device support.
WebSphere MQ Everyplace provides default services that support auto-registration. These services are triggered automatically when an authenticatable entity is configured; for example when a queue manager is started, when a new queue is defined, or when a WebSphere MQ Everyplace application uses MQePrivateRegistry directly to create a new authenticatable entity. When registration is triggered, new credentials are created and stored in the authenticatable entity's private registry. Auto-registration includes generating a new RSA key pair, protecting and saving the private key in the private registry, and packaging the public key in a new-certificate request to the default mini-certificate server. Assuming the mini-certificate server is configured and available, and the authenticatable entity has been pre-registered with the mini-certificate server (that is, it is authorized to have a certificate), the mini-certificate server returns the entity's new mini-certificate along with its own mini-certificate. These, together with the protected private key, are stored in the authenticatable entity's private registry as the entity's new credentials.
Auto-registration provides a simple mechanism for establishing an authenticatable entity's credentials. To support message-level protection, however, the entity also requires access to its own credentials (for digital signature) and to the intended recipient's public key (mini-certificate).
The primary purpose of the WebSphere MQ Everyplace private registry is to provide a private repository for WebSphere MQ Everyplace authenticatable entity credentials. An authenticatable entity's credentials consist of the entity's mini-certificate (encapsulating the entity's public key) and the entity's keyring-protected private key.
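The following added example is a model of the registry behaviour described in the preceding paragraphs; it is constructed for this page and is not WebSphere MQ Everyplace code. It models auto-registration (a new RSA key pair, the private key protected under a key derived from the key seed, a new-certificate request that the mini-certificate server honours only for a pre-registered entity presenting its one-time PIN, and the returned entity and server mini-certificates stored as the credentials), and it models the token-like property that signing happens inside the registry behind the access PIN, so the private key is never handed out, while a recipient's mini-certificate is all that is needed to verify. The class names PrivateRegistry, MiniCertServer and MiniCertificate, all method names, and the way the PIN, key seed and one-time certificate-request PIN are handled are assumptions of the model; textbook RSA with 512-bit keys and an HMAC-derived keystream stand in for the product's cryptography so that the example runs with the Python standard library alone.

```python
"""Model of an MQe-style private registry and auto-registration (constructed example, not
WebSphere MQ Everyplace code; names are hypothetical and textbook RSA stands in for the real crypto)."""
import hashlib
import hmac
import secrets
from collections import namedtuple

# subject, (n, e), issuer name, issuer's signature over _cert_tbs(subject, public_key)
MiniCertificate = namedtuple("MiniCertificate", "subject public_key issuer signature")
def _cert_tbs(subject, pub):
    return f"{subject}|{pub[0]}|{pub[1]}".encode()  # to-be-signed bytes of a certificate
def _digest_int(data):
    return int.from_bytes(hashlib.sha256(data).digest(), "big")

def _is_probable_prime(n, rounds=20):
    """Miller-Rabin test; adequate for the toy key sizes used here."""
    if n < 4:
        return n in (2, 3)
    d, r = n - 1, 0
    while d % 2 == 0:
        d, r = d // 2, r + 1
    for _ in range(rounds):
        x = pow(secrets.randbelow(n - 3) + 2, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True

def generate_rsa_keypair(bits=512):
    """Return ((n, e), d). Toy key size: real credentials use far larger keys."""
    def prime():
        while True:
            cand = secrets.randbits(bits // 2) | (1 << (bits // 2 - 1)) | 1  # odd, exact length
            if _is_probable_prime(cand):
                return cand
    while True:
        p, q = prime(), prime()
        phi = (p - 1) * (q - 1)
        if p != q and phi % 65537:
            return (p * q, 65537), pow(65537, -1, phi)

def verify(cert, data, signature):
    """Check a signature with the public key carried in the signer's mini-certificate."""
    n, e = cert.public_key
    return pow(signature, e, n) == _digest_int(data)
def verify_certificate(cert, issuer_cert):
    return cert.issuer == issuer_cert.subject and verify(
        issuer_cert, _cert_tbs(cert.subject, cert.public_key), cert.signature)

class MiniCertServer:
    """Issues mini-certificates only to pre-registered entities presenting their one-time PIN."""
    def __init__(self, name="MiniCertSvr"):
        self.name = name
        self._pub, self._priv = generate_rsa_keypair()
        self._pending = {}  # entity name -> one-time certificate-request PIN
        self.certificate = self._issue(name, self._pub)  # self-signed server certificate
    def preregister(self, entity, cert_req_pin):
        self._pending[entity] = cert_req_pin
    def _issue(self, subject, pub):
        sig = pow(_digest_int(_cert_tbs(subject, pub)), self._priv, self._pub[0])
        return MiniCertificate(subject, pub, self.name, sig)
    def request(self, subject, pub, cert_req_pin):
        """Handle a new-certificate request; the PIN is consumed so it cannot be reused."""
        expected = self._pending.get(subject)
        if expected is None or not hmac.compare_digest(expected, cert_req_pin):
            raise PermissionError(f"{subject} is not authorized to receive a certificate")
        del self._pending[subject]
        return self._issue(subject, pub), self.certificate

class PrivateRegistry:
    """Token-like repository: the private key is stored wrapped and is never returned."""
    def __init__(self):
        self._salt = secrets.token_bytes(16)
        self._pin_hash = self._wrapped_d = self.certificate = self.issuer_certificate = None
    def _wrap_key(self, keyseed):
        return hashlib.pbkdf2_hmac("sha256", keyseed.encode(), self._salt, 100_000)
    def _xor_wrap(self, key, blob):
        """Encrypt or decrypt blob with an HMAC-derived keystream (model only)."""
        stream = b"".join(hmac.new(key, i.to_bytes(4, "big"), hashlib.sha256).digest()
                          for i in range(-(-len(blob) // 32)))
        return bytes(a ^ b for a, b in zip(blob, stream))
    def activate(self, entity, access_pin, keyseed, cert_req_pin, server):
        """Auto-registration: new key pair, protected private key, then the mini-certificates."""
        pub, d = generate_rsa_keypair()
        d_bytes = d.to_bytes((pub[0].bit_length() + 7) // 8, "big")
        self._wrapped_d = self._xor_wrap(self._wrap_key(keyseed), d_bytes)
        self._pin_hash = hashlib.sha256(self._salt + access_pin.encode()).digest()
        self.certificate, self.issuer_certificate = server.request(entity, pub, cert_req_pin)
    def sign(self, access_pin, keyseed, data):
        """Sign inside the registry; the unwrapped private key never leaves this method."""
        candidate = hashlib.sha256(self._salt + access_pin.encode()).digest()
        if self._pin_hash is None or not hmac.compare_digest(candidate, self._pin_hash):
            raise PermissionError("private registry access denied")
        d = int.from_bytes(self._xor_wrap(self._wrap_key(keyseed), self._wrapped_d), "big")
        return pow(_digest_int(data), d, self.certificate.public_key[0])
```

In use, the entity is first pre-registered on the server side with server.preregister("Bruce", "12345678"), then activate("Bruce", "11111111", "It_is_a_secret", "12345678", server) is called on the registry side; the three string arguments mirror the roles of the access PIN, the credential key seed and the one-time certificate-request PIN in the activate call shown in the fragment at the end of this section. Afterwards sign(pin, keyseed, data) returns only a signature that the recipient checks with verify against the signer's mini-certificate, a wrong PIN raises PermissionError, a wrong key seed yields a signature that fails verification, and a second request presenting the already consumed one-time PIN is refused by the server.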
Typical usage scenarios need to be considered in relation to other WebSphere MQ Everyplace security features:
WebSphere MQ Everyplace Version 1 provides no support for any alternative secure repository for an authenticatable entity's credentials. If queue-based security with MQeWTLSCertAuthenticator or message-level security using MQeMTrustAttribute is used, private registry services must be used.
The selection criteria for private registry are the same as those for queue-based and message-level security.
Before queue-based security can be used, WebSphere MQ Everyplace-owned authenticatable entities must have credentials. This is achieved by completing the configuration so that auto-registration of queue managers is triggered. This requires the following steps:
Before message-level security is used to protect messages with MQeMTrustAttribute, the application must use private registry services to ensure that both the initiating and the recipient entities have credentials. This requires the following steps:
/* SIMPLE MQePrivateRegistry FRAGMENT */
MQePrivateRegistryHndl preg;
MQERETURN rc;
MQeExceptBlock exceptBlock;

/* create the private registry object */
rc = mqePrivateRegistry_new(&exceptBlock, &preg);
/* check rc (and exceptBlock) before continuing */

/* activate the private registry for the entity "Bruce"; this triggers
   auto-registration, including the new-certificate request to the
   mini-certificate server */
rc = mqePrivateRegistry_activate(
        preg,
        &exceptBlock,
        MQeString("Bruce"),                       /* entity name */
        MQeString(".//MQeNode_PrivateRegistry"),  /* directory root */
        MQeString("11111111"),                    /* private registry access PIN */
        MQeString("It_is_a_secret"),              /* private credential key seed */
        MQeString("12345678"),                    /* one-time-use certificate request PIN */
        MQeString("9.20.X.YYY:8082"));            /* address and port of the mini-certificate server */
/* check rc (and exceptBlock) before using preg */