MQSeries.net Forum Index » WebSphere Message Broker (ACE) Support » Certificate store refresh
hopsala
PostPosted: Tue Sep 04, 2012 12:47 am    Post subject: Certificate store refresh

Guardian

Joined: 24 Sep 2004
Posts: 960

Hi there

Here's a question I am unable to find an answer for either in the literature or on the interwebs - If I import a new certificate into my jks certificate store, or delete or update an old one, when does wmb load it, on EG restart? Perhaps broker restart? Is there any way to force certstore reload?
Linux 5.6, WMB 7.0.0.4, if it makes any difference.

Part of the reason I'm asking is that today we've witnessed a very odd phenomenon: A service wasn't working due to an expired certificate, so we placed a new certificate in the certstore. A few hours later, without any further intervention, the service started working. However - and this is the odd part - a few hours after that, it stopped working again! At first we thought there was some maintenance service running in the background (is there?), but now we don't really know what to think. However, since I wasn't personally involved in most of what occurred, I can't really guarantee that the client side didn't change anything... It might just be another WMB ghost-story.

Any help would be appreciated. Cheers!
mqjeff
PostPosted: Tue Sep 04, 2012 1:51 am

Grand Master

Joined: 25 Jun 2008
Posts: 17447

If some background thread in a Broker EG had noticed that the keystore had changed, and loaded new certificates from it, it wouldn't then change its mind later and unload those certificates.

I think it's safe to say you need to restart the EG.
hopsala
PostPosted: Tue Sep 04, 2012 2:30 am

Guardian

Joined: 24 Sep 2004
Posts: 960

Hi Jeff, thanks for the reply.

mqjeff wrote:
If some background thread in a Broker EG had noticed that the keystore had changed, and loaded new certificates from it, it wouldn't then change its mind later and unload those certificates.

Agreed, that's why it's such an odd story. I guess I'll just mark it down for human error.

mqjeff wrote:
I think it's safe to say you need to restart the EG.

And this, from your experience, is always sufficient to reload the certificate store? Keep in mind this is a broker-wide store, not a specific EG store. Oh, and is it any different on V6?

+ Is there no way to force reload certificates without restarting the EG? (I smell a feature request..)
mqjeff
PostPosted: Tue Sep 04, 2012 2:43 am

Grand Master

Joined: 25 Jun 2008
Posts: 17447

I'd be surprised if it was insufficient to restart the EG.

I'd be surprised if there was any supported manner of doing this WITHOUT restarting the EG in v6.0. Even if, you know, v6.0 was still supported.
hopsala
PostPosted: Fri Sep 07, 2012 12:08 am

Guardian

Joined: 24 Sep 2004
Posts: 960

Ok, an EG restart did it, at least on V6.

As for the fact that V6 has been out of support for a while, tell me about it - I've been working with a client for a year now trying to migrate to V7. Thankfully, in a few weeks we begin migrating production users.

I've opened a feature request for a reload truststore command:
http://www.ibm.com/developerworks/rfe/execute?use_case=viewRfe&CR_ID=26306
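A check for the situation described in this thread, added here as an example and not taken from the forum posts or from IBM's tooling: after importing a certificate and restarting the EG, compare the fingerprint of the certificate in the store with the one the endpoint actually presents, and check whether it has expired. It assumes openssl (and keytool, for exporting an alias from a JKS store) on PATH; the store path, password, alias, host and port in the usage comments are hypothetical.

```shell
#!/bin/sh
# Added example, not part of the original thread or of WMB itself.
# Compares the certificate sitting in a store with the certificate a live
# TLS endpoint presents, and checks expiry. Requires openssl; keytool only
# for jks_export_pem. Host, port, store, password and alias are hypothetical.

set -u

# SHA-256 fingerprint (colon-separated hex) of the first certificate in a PEM file.
pem_fingerprint() {
    openssl x509 -in "$1" -noout -fingerprint -sha256 | sed 's/^.*=//'
}

# Fingerprint of the leaf certificate a live TLS endpoint presents.
live_fingerprint() {
    host="$1"; port="$2"
    openssl s_client -connect "${host}:${port}" -servername "$host" </dev/null 2>/dev/null \
        | openssl x509 -noout -fingerprint -sha256 | sed 's/^.*=//'
}

# Export one alias from a JKS store as PEM so it can be compared or checked.
# Usage: jks_export_pem /var/mqsi/broker.jks changeit mycert > mycert.pem
jks_export_pem() {
    keytool -exportcert -rfc -keystore "$1" -storepass "$2" -alias "$3"
}

# Returns 0 if the certificate in $1 remains valid for at least $2 seconds
# (default 0, i.e. "is it valid right now?").
cert_valid_for() {
    openssl x509 -in "$1" -noout -checkend "${2:-0}" >/dev/null 2>&1
}

# Returns 0 if the two PEM files hold the same certificate.
same_cert() {
    [ "$(pem_fingerprint "$1")" = "$(pem_fingerprint "$2")" ]
}

# Compare what is in the store against what the EG serves.
# Usage: check_endpoint mycert.pem broker.example.com 7800
check_endpoint() {
    store_pem="$1"; host="$2"; port="$3"
    expected=$(pem_fingerprint "$store_pem")
    actual=$(live_fingerprint "$host" "$port")
    if [ "$expected" = "$actual" ]; then
        echo "OK: ${host}:${port} presents ${expected}"
        return 0
    fi
    echo "MISMATCH: store has ${expected}, ${host}:${port} presents ${actual} (restart the EG and re-check)"
    return 1
}
```

Run check_endpoint once before the restart and once after: a mismatch that persists after the EG restart is the signal that the store was cached at a level the restart did not touch (or that a different store is being used), rather than a client-side change.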
fjb_saper
PostPosted: Fri Sep 07, 2012 2:41 am

Grand High Poobah

Joined: 18 Nov 2003
Posts: 20696
Location: LI,NY

hopsala wrote:
Ok, an EG restart did it, at least on V6.

As for the fact that V6 has been out of support for a while, tell me about it - I've been working with a client for a year now trying to migrate to V7. Thankfully, in a few weeks we begin migrating production users.

I've opened a feature request for a reload truststore command:
http://www.ibm.com/developerworks/rfe/execute?use_case=viewRfe&CR_ID=26306


Good luck with that. This is another of those JVM problems. Once loaded forever cached? Maybe there is another parm in the java security file for time to live of the truststore?

Have fun
_________________
MQ & Broker admin
nathanw
PostPosted: Fri Sep 07, 2012 2:45 am

Knight

Joined: 14 Jul 2004
Posts: 550

I have to say that in the past I have seen issues where an EG re-start should have cleared a cached value and re-loaded the new value but failed to do so.

Sometimes I have had to carry out a Broker restart.

I suppose it does depend on whether the values are cached at EG level or Broker level
_________________
Who is General Failure and why is he reading my hard drive?

Artificial Intelligence stands no chance against Natural Stupidity.

Only the User Trace Speaks The Truth
hopsala
PostPosted: Fri Sep 07, 2012 4:00 am

Guardian

Joined: 24 Sep 2004
Posts: 960

saper wrote:
Good luck with that. This is another of those JVM problems. Once loaded forever cached? Maybe there is another parm in the java security file for time to live of the truststore?


Hi saper. By "java security file" you mean the jks file? Except for the ability to select a default personal certificate, which isn't relevant to the trust store, I am unaware of any other configurable parameters for a jks file - could you elaborate?

nathanw wrote:
I have to say that in the past I have seen issues where an EG re-start should have cleared a cached value and re-loaded the new value but failed to do so.

Sometimes I have had to carry out a Broker restart.

I suppose it does depend on whether the values are cached at EG level or Broker level

I think I've had similar issues in the past, but some of them turned out to be human error. Now I'm not so sure, but I'm going to keep a close eye on whether an EG restart always does the trick or not.

This might also have to do with whether you're updating a certificate or adding a new one. Perhaps the broker caches certificates not by store but by certificate - so if you add a new cert that you never tried verifying against, it loads immediately, but if you delete an existing one, you have to restart (or something to that effect).
In any event, I can't seem to find anything in the literature either way. I'll request a doc change.
fjb_saper
PostPosted: Sat Sep 08, 2012 6:53 pm

Grand High Poobah

Joined: 18 Nov 2003
Posts: 20696
Location: LI,NY

No, I meant the JVM java.security file.
It is loaded at JVM start but can be overridden by an app.security file.
Look it up in the lit. Not sure about the exact file name.
_________________
MQ & Broker admin
jeevan
PostPosted: Mon Sep 10, 2012 5:45 am

Grand Master

Joined: 12 Nov 2005
Posts: 1432

nathanw wrote:
I have to say that in the past I have seen issues where an EG re-start should have cleared a cached value and re-loaded the new value but failed to do so.

Sometimes I have had to carry out a Broker restart.

I suppose it does depend on whether the values are cached at EG level or Broker level


I think whether to restart the EG or the Broker depends on whether the certificate is set up at broker registry level or at EG level.
zpat
PostPosted: Mon Sep 10, 2012 5:52 am

Jedi Council

Joined: 19 May 2001
Posts: 5849
Location: UK

mqsireload may be sufficient.
hopsala
PostPosted: Mon Sep 10, 2012 12:05 pm

Guardian

Joined: 24 Sep 2004
Posts: 960

fjb_saper wrote:
No, I meant the JVM java.security file.
It is loaded at JVM start but can be overridden by an app.security file.
Look it up in the lit. Not sure about the exact file name.

Looked it up, but I don't see any parameter that controls truststore caching. I think it's a dead end.

I've opened an RFE (Request for Feature Extension), will appreciate your vote:
http://www.ibm.com/developerworks/rfe/execute?use_case=viewRfe&CR_ID=26306