A public key infrastructure (PKI) is an arrangement that binds a public key certificate with a respective user identity through a trusted third party. The main elements in the PKI are:
Certification authority (CA): A trusted entity that issues certificates for use by other entities.
Certificate: An electronic document that includes a digital signature to bind a public key with an identity.
Public/private key: A pair of keys that are used in the asymmetric cryptographic algorithms. The public key is distributed in the certificate, which can be validated with the CA by other entities. The private key is typically stored on the certificate holder's local computer.
In the system, applications hold user certificates, and each queue manager holds two pairs of cryptography keys (signing keys and encryption keys). The system uses a Directory Service, rather than a CA, as the trusted third party to distribute the public certificates and keys.
User Certificates
A user certificate is used to sign an application message to provide the message integrity feature of the message layer security, as described in section 2.9.4.1.4.
User certificates are registered in the Directory Service to enable the sender authentication feature of the message layer security, as described in section 2.9.4.1.4. The user certificates are stored in the corresponding user object in the directory and are maintained in the CertificateDigestList ADM attribute of the User ADM element ([MS-MQDMPR] section 3.1.1.15). The registration associates the certificate with the corresponding user identity. To facilitate certificate lookup, a hash of the certificate (the digest) is computed and saved together with the certificate in the CertificateDigestList ADM attribute of the User ADM element ([MS-MQDMPR] section 3.1.1.15). A user object can have multiple certificates. For more details about the user object attributes, see [MS-RDPBCGR] section 2.2.1.2.1.2.1 and [MS-ADA2] section 2.415. For more details about the user certificate and its digest, see [MS-MQDMPR] section 3.1.1.15 and [MS-MQDSSM] sections 3.1.1.4 and 3.1.6.20.6.
If an application is sending messages to a destination where the Directory Service is unavailable, the application can instead provide a user certificate from a Certification Authority trusted by both the sender and receiver to be used for signing the application message. If such a certificate is used for signing, the queue manager hosting the destination queue will still verify message integrity as described in section 2.9.4.1.4.1 before storing the message, but cannot authenticate the sender as described in section 2.9.4.1.4.2. The user certificate remains attached to the message so that the receiving application can verify the owner of the certificate if required.
The private key associated with a certificate is stored securely and has to be available to the sender.
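The receiving queue manager's two-step check described above (integrity, then sender authentication through a directory lookup by certificate digest, with the directory-unavailable and unregistered-certificate cases), as an added example that is not the protocol's or any product's own code. It assumes Ed25519 signatures, SHA-256 as the digest, and a Directory map standing in for the Directory Service; the protocol's actual algorithms are defined in [MS-MQDSSM].

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// Directory stands in for the Directory Service's CertificateDigestList lookup (digest -> user); nil means unavailable.
type Directory map[[32]byte]string
// Digest keys the lookup. SHA-256 over the DER certificate is this example's own assumption;
// the protocol's digest is defined in [MS-MQDSSM].
func Digest(certDER []byte) [32]byte { return sha256.Sum256(certDER) }
// NewUserCert builds a constructed Ed25519 key pair and self-signed certificate for cn.
func NewUserCert(cn string) (ed25519.PrivateKey, []byte) {
	pub, priv, _ := ed25519.GenerateKey(rand.Reader)
	tmpl := &x509.Certificate{SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: cn},
		NotBefore: time.Now(), NotAfter: time.Now().Add(time.Hour)}
	der, _ := x509.CreateCertificate(rand.Reader, tmpl, tmpl, pub, priv)
	return priv, der
}

// Verify is the receiving queue manager's check: message integrity first, then sender
// authentication through the directory. Returns (integrityOK, userID, authenticated).
func Verify(dir Directory, certDER, body, sig []byte) (bool, string, bool) {
	cert, err := x509.ParseCertificate(certDER)
	if err != nil {
		return false, "", false // malformed certificate: reject
	}
	pub, ok := cert.PublicKey.(ed25519.PublicKey)
	if !ok || !ed25519.Verify(pub, body, sig) {
		return false, "", false // integrity failure: the message is not stored
	}
	if dir == nil {
		return true, "", false // directory unavailable: integrity verified, sender not authenticated
	}
	id, registered := dir[Digest(certDER)]
	return true, id, registered // unregistered certificate: sender remains unauthenticated
}

func main() {
	priv, der := NewUserCert("alice") // the sender signs the body and attaches its certificate
	body := []byte("order 42")
	fmt.Println(Verify(Directory{Digest(der): "alice"}, der, body, ed25519.Sign(priv, body)))
}
```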
Service Cryptography Keys
Each queue manager has two pairs of cryptography keys: one pair for signing system internal messages and one pair for encrypting messages. These keys are represented, respectively, by the PublicSigningKeyList and PublicEncryptionKeyList ADM attributes of the QueueManager ADM element ([MS-MQDMPR] section 3.1.1.1). The private keys are stored securely and have to be available to the queue manager. The public keys are published in the Directory Service under the Machine object for this queue manager. For more details about the queue manager cryptography keys, see [MS-MQDMPR] section 3.1.1.1 and [MS-MQDSSM] sections 2.2.1 and 3.1.6.20.1.