Author |
Message
|
zpat |
Posted: Fri May 03, 2013 5:58 am Post subject: Adding signer cert to MQ keystore and refresh SSL |
|
|
 Jedi Council
Joined: 19 May 2001 Posts: 5866 Location: UK
|
I am planning to add a new CA signer certificate to our keystore (MQ v7019 on AIX).
My question is - to use this new signer certificate, is it necessary to issue refresh security type(ssl) or not?
Issuing refresh will break all ssl svrconn connections (which I want to avoid).
I can stop/start the sender channel that needs the new signer certificate - so are all the certs loaded at this point in time (from the keystore)?
My understanding from the infocenter is that as long as the channel process restarts (i.e. the channel was previously inactive) it will load the SSL keystore and not need the refresh.
Therefore even an active sender channel can also be stopped with status(inactive) to ensure this happens.
Can anyone confirm this is the case? |
|
hughson |
Posted: Thu May 09, 2013 7:56 am Post subject: Re: Adding signer cert to MQ keystore and refresh SSL |
|
|
 Padawan
Joined: 09 May 2013 Posts: 1959 Location: Bay of Plenty, New Zealand
|
zpat wrote: |
My understanding from the infocenter is that as long as the channel process restarts (i.e. the channel was previously inactive) it will load the SSL keystore and not need the refresh. |
The channel process may include many other channels - remember that we have the amqrmppa - channel pool processes. Stopping your sender channel will not necessarily end the pool process, and so the pool process will still have the old version of the cached key repository.
Also, when you start up the sender channel again, you cannot guarantee which pool process it will run in when started, so how can you know it will have a new version of the cached key repository?
The only way to be sure is to use the REFRESH command.
Cheers
Morag
_________________ Morag Hughson @MoragHughson
IBM MQ Technical Education Specialist
Get your IBM MQ training here!
MQGem Software |
|
zpat |
Posted: Thu May 09, 2013 8:03 am Post subject: |
|
|
 Jedi Council
Joined: 19 May 2001 Posts: 5866 Location: UK
|
OK thanks, I had come to a similar conclusion by empirical means.
Now, I just have to break the bad news to the MQ client connected application owners...
Glad to see you on here by the way, but what happened to the last 15 years?  |
|
hughson |
Posted: Thu May 09, 2013 8:13 am Post subject: |
|
|
 Padawan
Joined: 09 May 2013 Posts: 1959 Location: Bay of Plenty, New Zealand
|
zpat wrote: |
Glad to see you on here by the way, but what happened to the last 15 years?  |
I guess I never got as far as registering on here before. About time though |
|
Vitor |
Posted: Thu May 09, 2013 8:20 am Post subject: |
|
|
 Grand High Poobah
Joined: 11 Nov 2005 Posts: 26093 Location: Texas, USA
|
hughson wrote: |
zpat wrote: |
Glad to see you on here by the way, but what happened to the last 15 years?  |
I guess I never got as far as registering on here before. About time though  |
Better late than never. We need more people in here who know what they're talking about; I'm tired of bluffing day after day....
 _________________ Honesty is the best policy.
Insanity is the best defence. |
|
exerk |
Posted: Thu May 09, 2013 12:26 pm Post subject: |
|
|
 Jedi Council
Joined: 02 Nov 2006 Posts: 6339
|
Vitor wrote: |
...I'm tired of bluffing day after day...  |
You can't say that, you're my hero! When I grow up I want to be just like you
_________________ It's puzzling, I don't think I've ever seen anything quite like this before...and it's hard to soar like an eagle when you're surrounded by turkeys. |
|