Public registry service

This section describes the public registry service provided by WebSphere MQ Everyplace.

WebSphere MQ Everyplace provides default services facilitating the sharing of authenticatable entity public credentials (mini-certificates) between WebSphere MQ Everyplace nodes. Access to these mini-certificates is a prerequisite for message-level security. The WebSphere MQ Everyplace public registry (also a descendant of the base registry) provides a publicly accessible repository for mini-certificates. This is analogous to the personal telephone directory on a mobile phone, the difference being that it holds the mini-certificates of authenticatable entities instead of phone numbers. The WebSphere MQ Everyplace public registry is not a purely passive service. If it is asked for a mini-certificate that it does not hold, and if the public registry is configured with a valid home server, the public registry automatically attempts to get the requested mini-certificate from the public registry of the home server. It also provides a mechanism to share a mini-certificate with the public registry of other WebSphere MQ Everyplace nodes. Together these services provide the building blocks for an intelligent automated mini-certificate replication service that can facilitate the availability of the right mini-certificate at the right time.
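The lookup-with-home-server-fallback and share behaviour described above, modelled as an added example (this is not WebSphere MQ Everyplace code; the class, the chain of home servers and the certificate bytes are constructed for illustration). It also guards against a misconfigured home-server chain that loops back on itself, which the text does not discuss.

```python
from typing import Dict, FrozenSet, Optional

class PublicRegistry:
    """Constructed stand-in for a node's public registry: a local store of mini-certificates."""

    def __init__(self, node: str, home: Optional["PublicRegistry"] = None) -> None:
        self.node = node
        self.home = home                    # public registry of the home server, or None
        self.certs: Dict[str, bytes] = {}   # entity name -> mini-certificate (opaque bytes here)
        self.fetches = 0                    # number of times a miss was forwarded to the home server

    def put_certificate(self, entity: str, cert: bytes) -> None:
        self.certs[entity] = cert

    def get_certificate(self, entity: str, seen: FrozenSet[str] = frozenset()) -> Optional[bytes]:
        """Serve from the local store; on a miss ask the home server and cache what it returns.
        'seen' records the nodes already on the request path so a looping chain terminates."""
        cert = self.certs.get(entity)
        if cert is not None or self.home is None or self.node in seen:
            return cert
        self.fetches += 1
        cert = self.home.get_certificate(entity, seen | {self.node})
        if cert is not None:
            self.certs[entity] = cert       # replicated: the next lookup is served locally
        return cert

    def share_certificate(self, entity: str, target: "PublicRegistry") -> bool:
        """Push one of our mini-certificates into another node's public registry."""
        cert = self.certs.get(entity)
        if cert is None:
            return False
        target.put_certificate(entity, cert)
        return True

def demo() -> dict:
    # constructed topology: client -> home -> top; only 'top' holds Bruce1 initially
    top = PublicRegistry("top")
    home = PublicRegistry("home", top)
    client = PublicRegistry("client", home)
    top.put_certificate("Bruce1", b"minicert-Bruce1")     # constructed placeholder bytes
    first = client.get_certificate("Bruce1")              # forwarded client -> home -> top, then cached
    second = client.get_certificate("Bruce1")             # now served from the client's own store
    missing = client.get_certificate("Nobody")            # forwarded all the way, still absent
    peer = PublicRegistry("peer")                         # peer with no home server configured
    shared = client.share_certificate("Bruce1", peer)
    # misconfiguration: a and b name each other as home server; the lookup must still terminate
    a = PublicRegistry("a"); b = PublicRegistry("b", a); a.home = b
    return {"first": first, "second": second, "missing": missing, "shared": shared,
            "client_fetches": client.fetches, "home_fetches": home.fetches,
            "peer_has": peer.get_certificate("Bruce1"), "loop": a.get_certificate("Bruce1")}
```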

Usage scenario

A typical scenario for the use of the public registry would be to use these services so that the public registry of a particular WebSphere MQ Everyplace node builds up a store of the most frequently needed mini-certificates as they are used.

A simple example of this is to set up a WebSphere MQ Everyplace client to automatically get the mini-certificates of other authenticatable entities that it needs from its WebSphere MQ Everyplace home server, and then save them in its public registry.

Secure feature choices

It is the Solution creator's choice whether to use the public registry active features for sharing and getting mini-certificates between the public registries of different WebSphere MQ Everyplace nodes.

The alternative to this intelligent replication may be to have an out-of-band utility initialize a WebSphere MQ Everyplace node's public registry with all required mini-certificates before enabling any secure services that use them.

Selection criteria

Out-of-band initialization of the set of mini-certificates available in a WebSphere MQ Everyplace node's public registry may have advantages over using the public registry active features where the solution is predominantly asynchronous and a synchronous connection to the WebSphere MQ Everyplace node's home server may be difficult to obtain. Where this connection is more likely to be available, the public registry's active mini-certificate replication services are useful tools to automatically maintain the most useful set of mini-certificates in any WebSphere MQ Everyplace node's public registry.

Usage guide

The following code segment demonstrates how to share certificates among a group of queue managers:

/* SIMPLE MQePublicRegistry shareCertificate FRAGMENT */
#include <stdio.h>                       /* sprintf, used to build the entity names */

    MQePublicRegistryHndl pubreg;
    MQePrivateRegistryHndl preg;
    MQERETURN rc;                        /* not checked below for brevity; check it after every call */
    MQeExceptBlock exceptBlock;
    MQeStringHndl hEntityName;
    MQeFieldsHndl hCert;
    MQEINT32 i;
    char entityName[16];                 /* holds "Bruce1" .. "Bruce8" */

    /* instantiate and activate the public registry */
    rc = mqePublicRegistry_new(&exceptBlock, &pubreg);
    rc = mqePublicRegistry_activate(pubreg, &exceptBlock,
                                    MQeString("MQeNode_PublicRegistry"),
                                    MQeString(".\\"));
    /* auto-register Bruce1, Bruce2 ... Bruce8 */
    /* ... note that the mini-certificate issuance service must */
    /* have been configured to allow the auto-registration      */
    for (i = 1; i < 9; i++)
    {
        /* build the entity name "Bruce<i>" in a C buffer, then wrap it as an MQeString */
        sprintf(entityName, "Bruce%d", (int)i);
        rc = mqeString_new(&exceptBlock, &hEntityName, entityName);
        rc = mqePrivateRegistry_new(&exceptBlock, &preg);
        /* activate() will initiate auto-registration */
        rc = mqePrivateRegistry_activate(
                preg,
                &exceptBlock,
                hEntityName,
                MQeString(".\\MQeNode_PrivateRegistry"),
                MQeString("12345678"),
                MQeString("It_is_a_secret"),
                MQeString("12345678"),
                MQeString("9.20.X.YYY:8082")
             );
        /* save the mini-certificate from the private registry in the public registry */
        rc = mqePrivateRegistry_getCertificate(preg, &exceptBlock,
                                               &hCert, hEntityName);
        rc = mqePublicRegistry_putCertificate(pubreg, &exceptBlock,
                                              hEntityName, hCert);
        /* share the mini-certificate with the public registry on the home server */
        rc = mqePublicRegistry_shareCertificate(pubreg, &exceptBlock,
                                                hEntityName, hCert,
                                                MQeString("9.20.X.YYY:8082"));
        /* close and free the private registry instance; see note 1 below */
        rc = mqePrivateRegistry_close(preg, &exceptBlock);
        (void)mqePrivateRegistry_free(preg, NULL);
        (void)mqeString_free(hEntityName, NULL);
        (void)mqeFields_free(hCert, NULL);
    }
    /* close the public registry, then release its handle (mirrors the private registry cleanup above) */
    rc = mqePublicRegistry_close(pubreg, &exceptBlock);
    (void)mqePublicRegistry_free(pubreg, NULL);

Notes:

  1. It is not possible to activate a registry instance more than once; hence the example above demonstrates the recommended practice of accessing a private registry by creating a new instance of MQePrivateRegistry, activating the instance, performing the required operations, and then closing the instance.

  2. If you want to share certificates using a public registry on the home server, the public registry must be called MQeNode_PublicRegistry.


© IBM Corporation 2002. All Rights Reserved