angka
Posted: Wed May 16, 2007 7:18 am Post subject: SSL cert
Chevalier, Joined: 20 Sep 2005, Posts: 406
Hi all,
Does anyone know the longest number of days that can be set for the expiry of the self-signed cert for MQ SSL?
My MQ server is connected to many external systems using SSL, so is there a way to change the expiring cert without downtime? Otherwise I will need to get all the external system administrators to change to my new cert together.
Thanks
angka
Posted: Thu May 17, 2007 12:41 am Post subject: Re: SSL cert
Oh ok. But 10 years is a very long time. Can it be infinite? BTW, REFRESH SECURITY TYPE(SSL) is to refresh the SSL when there is a change. But what I need to do now is to add a new self-signed cert to my Personal Certificates with the same label name, which MQ will not allow. If there is no way out, I'll need to remove my current cert and then replace it with my new cert, which will cause downtime. And besides, all the external system administrators will need to change to my new self-signed cert at the same time.
Thanks
marcin.kasinski
Posted: Thu May 17, 2007 12:58 am Post subject: Re: SSL cert
Sentinel, Joined: 21 Dec 2004, Posts: 850, Location: Poland / Warsaw
angka wrote:
> Oh ok. But 10 years is a very long time. Can it be infinite?
You asked about the max.
Setting expiry to 10 years is not recommended in a PRD environment.
I think 1 year is OK for this value.
angka wrote:
> BTW, REFRESH SECURITY TYPE(SSL) is to refresh the SSL when there is a change. But what I need to do now is to add a new self-signed cert to my Personal Certificates with the same label name, which MQ will not allow. If there is no way out, I'll need to remove my current cert and then replace it with my new cert, which will cause downtime. And besides, all the external system administrators will need to change to my new self-signed cert at the same time.
> Thanks
If I'm wrong somebody will correct me, but...
QMGR caches certs from the keystore.
When QMGR is running you can do everything with this keystore: add, remove, ...
Then you can ask QMGR to refresh the cert cache from the keystore you modified by the command above (without downtime).
I hope this answers your question.
Marcin
angka
Posted: Thu May 17, 2007 1:18 am Post subject:
Hi,
Yes, this can work. But the biggest problem is to get all the external system administrators to do this together. Otherwise, by changing my personal cert on my side only, all the channels will be down.
Thanks..
marcin.kasinski
Posted: Thu May 17, 2007 1:40 am Post subject:
angka wrote:
> Hi,
> Yes, this can work. But the biggest problem is to get all the external system administrators to do this together.
Do you have a test environment?
Please test this scenario.
When you have a cert pair and you would like to change the expiry, after changing the expiry it will be the same cert.
External admins don't have to do it at the same time.
I mean:
1. Before expiry of the cert, regenerate your cert pair and set a new expiry.
2. After REFRESH SECURITY, communication will work because there was no change inside your cert.
3. Here you can send the public key to the other side's admins.
4. They update the keystore and invoke REFRESH SECURITY.
5. Everybody is happy.
Marcin
bbburson
Posted: Thu May 17, 2007 5:33 am Post subject: Re: SSL cert
Partisan, Joined: 06 Jan 2004, Posts: 378, Location: Nowhere near a queue manager
marcin.kasinski wrote:
> QMGR caches certs from the keystore.
> When QMGR is running you can do everything with this keystore: add, remove, ...
> Then you can ask QMGR to refresh the cert cache from the keystore you modified by the command above (without downtime).
REFRESH SECURITY TYPE(SSL) does cause all your currently-connected SSL channels to go down, and then the clients will have to re-establish connections. This may be considered downtime in some environments, so be very careful when and how often you issue the command.
marcin.kasinski
Posted: Thu May 17, 2007 6:11 am Post subject: Re: SSL cert
bbburson wrote:
> REFRESH SECURITY TYPE(SSL) does cause all your currently-connected SSL channels to go down, and then the clients will have to re-establish connections. This may be considered downtime in some environments, so be very careful when and how often you issue the command.
Of course.
You have to be careful.
That's why everything should be tested before deploying on production.
But it is better to have downtime in a specific situation rather than server downtime every time after updating the keystore.
I like this functionality in MQ.
Marcin
angka
Posted: Thu May 17, 2007 7:03 pm Post subject:
marcin.kasinski wrote:
> When you have a cert pair and you would like to change the expiry, after changing the expiry it will be the same cert.
Hi,
I tested it out; the new cert is different..
If I get you correctly, you mean to remove my personal cert and add a new cert with a new expiry? Then add it to the .kdb without the external system doing anything?
I did that and I did a "REFRESH SECURITY TYPE(SSL)"; it is not working. The channel cannot be connected, so I assume the cert is different.
BTW, does the MQ client support 2-way SSL authentication? Thanks.
angka
Posted: Thu May 17, 2007 7:17 pm Post subject:
Hi,
I checked out the public key and realised it is different. BTW, my SSL is 2-way authentication.
angka
Posted: Thu May 17, 2007 7:23 pm Post subject:
Hi,
I tested it out: with both sides changing the key without issuing the "REFRESH SECURITY TYPE(SSL)" command, the channel is still running, but if I issue it on my end all the channels go down. All the external systems need to refresh on their end too.
marcin.kasinski
Posted: Fri May 18, 2007 1:02 am Post subject:
angka wrote:
> BTW, does the MQ client support 2-way SSL authentication? Thanks.
You can set it by the SSLCAUTH attribute of the channel.
Marcin
angka
Posted: Fri May 18, 2007 5:48 am Post subject:
Hi,
BTW, I am using a self-signed cert. The private and public keys are different from the previous ones.
Thanks
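The thread ends where angka's tests put it: a regenerated self-signed cert carries a new key pair, so every partner must trust it, and MQ will not hold two personal certs under the label it expects. A staged rotation avoids the simultaneous cut-over the original post worried about: create the new cert under a temporary label, let each partner add it as a second trusted signer at their own pace, and only then rename the labels and refresh once. The script below is an added example, not code from the thread or from IBM; it assumes runmqakm (gsk7cmd on older releases, same syntax) and runmqsc on PATH, and takes the key database path, password and labels as constructed arguments.

```shell
# Staged rotation of a queue manager's self-signed certificate. Added example for
# this thread, not the thread's or IBM's own code. Assumes runmqakm and runmqsc are
# on PATH; key database path and password are passed in; the extracted .arm file is
# sent to partner administrators out of band. DRY_RUN=1 prints the commands instead.
set -u
DRY_RUN="${DRY_RUN:-}"

run() {   # execute a command, or echo it when DRY_RUN is set
    if [ -n "$DRY_RUN" ]; then printf '%s\n' "$*"; else "$@"; fi
}

mqsc() {  # feed one MQSC command ($2) to runmqsc for queue manager $1
    if [ -n "$DRY_RUN" ]; then printf "echo '%s' | runmqsc %s\n" "$2" "$1"
    else printf '%s\n' "$2" | runmqsc "$1"; fi
}

# MQ looks for the queue manager's personal certificate under the label
# "ibmwebspheremq" followed by the queue manager name in lower case.
mq_cert_label() {
    printf 'ibmwebspheremq%s\n' "$(printf '%s' "$1" | tr '[:upper:]' '[:lower:]')"
}

# Phase 1, well before expiry: create the replacement under a temporary label and
# extract its public part. The label the queue manager uses is untouched, so no
# channel is affected and no REFRESH SECURITY is needed yet.
stage_new_cert() {   # args: qmgr keydb password dn days
    new_label="$(mq_cert_label "$1")_new"
    run runmqakm -cert -create -db "$2" -pw "$3" -label "$new_label" -dn "$4" -expire "$5" -size 2048
    run runmqakm -cert -extract -db "$2" -pw "$3" -label "$new_label" -target "$new_label.arm" -format ascii
}

# Phase 2, each partner at their own convenience: add the new public cert as a
# second trusted signer beside the old one, then refresh. Both certs are trusted
# from here on, so the cut-over in phase 3 cannot break this partner's channels.
# As bbburson notes, the refresh restarts that partner's running SSL channels once.
partner_trust_new_cert() {   # args: partner_qmgr keydb password armfile signer_label
    run runmqakm -cert -add -db "$2" -pw "$3" -label "$5" -file "$4" -format ascii
    mqsc "$1" 'REFRESH SECURITY TYPE(SSL)'
}

# Phase 3, once every partner has confirmed phase 2: swap the labels so the new
# cert carries the name MQ expects, then refresh. Channels restart once, now
# presenting the new cert, which every partner already trusts.
cut_over() {   # args: qmgr keydb password
    label="$(mq_cert_label "$1")"
    run runmqakm -cert -rename -db "$2" -pw "$3" -label "$label" -new_label "${label}_old"
    run runmqakm -cert -rename -db "$2" -pw "$3" -label "${label}_new" -new_label "$label"
    mqsc "$1" 'REFRESH SECURITY TYPE(SSL)'
}
```

Run each phase with DRY_RUN=1 first to review the exact commands, then rehearse the whole sequence in a test environment before touching production, as the thread itself advises.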