MQSeries.net Forum Index » General IBM MQ Support » PKI task

Post new topic  Reply to topic
 PKI task « View previous topic :: View next topic » 
Author Message
kordi
PostPosted: Fri Apr 01, 2016 5:08 am    Post subject: PKI task
Hello,

I have a task to replace all certificates currently being used with new certificates issued by a new CA. We have approx. 30 queue managers and 150 clients. I am planning to do that in the following order:

1. Update the kdb of all Queue Managers with the new root certificates. It will allow the Queue Managers to accept connections using certificates issued by the new CA.
2. Prepare a new kdb for all MQ clients. Only the new CA certs and personal certificates issued by the new CA will be included in this kdb. After that I will replace the old kdbs with the new ones. Also, some adjustments need to be made within mqclient.ini. Some MQ clients require an upgrade as well.
3. Replace the old personal certificates of the Queue Managers with new ones.

What do you think about this order? What would you change? Can you advise me how I can automate this work? Currently I am checking all MQ clients' kdbs for whether there is more than one personal certificate. If so, I cannot simply remove the old kdb and replace it with a new one.

I have almost 180 servers to go across. It is going to be a long spring if I don't figure out how to do that quickly and ...
hughson
PostPosted: Tue May 03, 2016 1:40 am    Post subject:
The difficulty of this update for your systems depends on whether your clients are anonymous, or whether they also have their own personal certificates too.

I suspect you will need two passes at this to keep everything up and running while you change over, thus:-
  1. Add new CA root certificate to QMgr KDBs. As you correctly say, "It will allow Queue Managers to accept connections of certificates issued by new CA."
  2. Add new CA root certificate to client KDBs. Unfortunately you cannot remove the old CA until you change the QMgrs over to use their new certificates signed by the new CA.
  3. Add new client personal certificates to the client KDBs and remove old personal certificates - do not remove old CAs. The QMgrs will be able to authenticate these because of step 1.
  4. Add new QMgr personal certificate to the QMgr and remove the old personal certificates - do not remove old CAs. Clients will be able to authenticate these because of step 2.
  5. Check and double check, looking at all SSLPEER values (and SSLCERTI if your MQ version is new enough) in DIS CHSTATUS, that every client and every QMgr is successfully using its new certificate. At this point, anything you have missed will still work because the old CA is still everywhere. This is the most important step. This is where you can catch any future potential problems.
  6. Remove old personal certificates and old root certificates.
  7. Check everything again to make sure all connections are still working.
Hope that helps,
Cheers
Morag
_________________
Morag Hughson @MoragHughson
IBM MQ Technical Education Specialist
Get your IBM MQ training here!
MQGem Software
JosephGramig
PostPosted: Tue May 03, 2016 7:30 am    Post subject:
Don't we all want an autobot to maintain all our PKI...

Tough order to fill.
  1. Each entity could put the PKI anywhere
  2. Each entity could use a different format
    1. kdb
    2. jks
  3. Built with different tools
    1. runmqckm
    2. runmqakm
    3. OpenSSL
    4. Others

And if there was one, wouldn't it be the prime place to inject a hack to gain third party access...
tczielke
PostPosted: Tue May 03, 2016 12:58 pm    Post subject:
Another gotcha to be aware of is if your new certs (either signer or personal certs) have an AuthInfoAccess extension that includes an OCSP entry. If so, be aware that MQ has the OCSP certificate extension checking turned on by default, and will fail the connection if MQ cannot get a positive response from the OCSP server. OCSP is used for certificate revocation checking.
_________________
Working with MQ since 2010.
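The behaviour tczielke describes is controlled by two parameters in the SSL stanza of the client configuration file. As an added example (editor's, not from the thread or from IBM), this is the stanza I would put in mqclient.ini; the key repository path is invented, while the parameter names and values are the documented ones, with REQUIRED being the default that produces the connection failure described above.

```ini
# mqclient.ini SSL stanza (added example; path is an assumption)
SSL:
   SSLKeyRepository=/var/mqm/ssl/clientA/key
   # Check AIA/OCSP extensions carried by the certs (the default).
   OCSPCheckExtensions=YES
   # REQUIRED (the default): no definitive answer from the responder fails the connection.
   OCSPAuthentication=REQUIRED
   # Only for the migration window, if a responder is not yet reachable from every client:
   # OCSPAuthentication=WARN
```

With WARN the connection proceeds and a warning is written to the error log when revocation status is unknown, which keeps Morag's step 5 checking going while responder reachability is sorted out; OPTIONAL suppresses even the warning, and OCSPCheckExtensions=NO stops the lookup altogether. A definite REVOKED answer fails the connection in every mode. Do not leave WARN or OPTIONAL in place after the rotation, since revocation of a compromised client or queue manager certificate would then go unnoticed.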
kordi
PostPosted: Tue May 10, 2016 12:10 pm    Post subject:
Hi guys,

Sorry for delayed response but I was offline for a while.

hughson As I understand it, there cannot be two certificates with the same label. If I am re-creating a personal certificate (I cannot renew because we are changing CA) I have to first remove the old personal certificate, create a CSR (if I would like to create a CSR with an already existing label in the key store, runmqckm would exit with an error), have it signed by the new CA and receive it into the kdb. Assuming I am doing it for userid=kordi, the label will be ibmwebspheremqkordi. So what I was thinking about is to create a completely new kdb, add the new CA, add the old CA, create the signing request, receive the signed certificate and replace the kdb files.

tczielke Exactly. That's why I mentioned I have to make some adjustments in mqclient.ini.
hughson
PostPosted: Tue May 10, 2016 3:40 pm    Post subject:
kordi wrote:
As I understand it, there cannot be two certificates with the same label.

Correct, which is why my instructions never required you to have two certificates with the same label there at the same time.
kordi wrote:
If I am re-creating personal certificate (I cannot renew because we are changing CA) I have to first remove old personal certificate, create CSR (if I would like to create CSR with already existing label in key store runmqckm would exit with error), sign it by new CA and receive it to kdb. Assuming I am doing it for userid=kordi, the label will be ibmwebspheremqkordi.

Labels can be changed. You can generate the new CSR with a different label and when it comes time to remove the old and replace with the new, the replace step can be a rename of the label.

kordi wrote:
So what I was thinking about is to create completely new kdb, add new CA, add old CA, create signing request, receive signed certificate and replace kdb files.

That would also work. The key point is having both old and new CAs in place first and keeping them both in place until all old personal certs have been removed.

Cheers
Morag
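Morag's seven steps, the point she repeats just above (both CAs stay in every repository until the last old personal cert is gone), the label rename she mentions, and tczielke's OCSP gotcha can all be rehearsed on a throwaway OpenSSL model before any KDB is touched. The script below is an added example by the editor; it is not code from the thread, from IBM or from MQGem. It assumes openssl 1.1.1 or later on the PATH, and the CA names, subjects (QM1, kordi), file names and OCSP URI are invented. The runmqakm commands at the end are not executed; they are the KDB equivalents as I understand the documented syntax and should be checked against your GSKit version.

```shell
#!/bin/sh
# Added example (editor's own, not from the thread): model the two-CA overlap with
# OpenSSL and check which partner certificates validate at each stage of the rotation.
# Assumptions: openssl 1.1.1+ on PATH; all names and the OCSP URI are invented.
set -eu
WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT
cd "$WORK"

# Minimal req config so the script does not depend on the system openssl.cnf.
cat > req.cnf <<'EOF'
[req]
distinguished_name = dn
x509_extensions = v3_ca
prompt = no
[dn]
CN = placeholder
[v3_ca]
basicConstraints = critical,CA:TRUE
keyUsage = critical,keyCertSign,cRLSign
subjectKeyIdentifier = hash
EOF
# Leaf extension used only by the new CA: an AIA entry naming an OCSP responder.
printf 'authorityInfoAccess = OCSP;URI:http://ocsp.example.invalid/\n' > aia.cnf

# mkca NAME: self-signed CA certificate NAME.pem with private key NAME.key.
mkca() {
  openssl req -x509 -config req.cnf -newkey rsa:2048 -nodes -keyout "$1.key" \
    -out "$1.pem" -subj "/CN=$1" -days 365 -sha256 >/dev/null 2>&1
}
# issue CA CN OUT [EXTFILE]: leaf certificate OUT.pem for subject CN, signed by CA.
issue() {
  openssl req -new -config req.cnf -newkey rsa:2048 -nodes -keyout "$3.key" \
    -out "$3.csr" -subj "/CN=$2" >/dev/null 2>&1
  if [ $# -ge 4 ]; then
    openssl x509 -req -in "$3.csr" -CA "$1.pem" -CAkey "$1.key" -CAcreateserial \
      -out "$3.pem" -days 365 -sha256 -extfile "$4" >/dev/null 2>&1
  else
    openssl x509 -req -in "$3.csr" -CA "$1.pem" -CAkey "$1.key" -CAcreateserial \
      -out "$3.pem" -days 365 -sha256 >/dev/null 2>&1
  fi
}
# chain_ok BUNDLE CERT: "ok" if CERT chains to a signer in BUNDLE, otherwise "fail".
chain_ok() {
  if openssl verify -CAfile "$1" "$2" >/dev/null 2>&1; then echo ok; else echo fail; fi
}
# has_ocsp CERT: "yes" if CERT carries an AIA OCSP entry (the thing MQ will go and check).
has_ocsp() {
  if openssl x509 -in "$1" -noout -text | grep -q 'OCSP - URI'; then echo yes; else echo no; fi
}

mkca oldca
mkca newca
issue oldca QM1   qm1_old
issue oldca kordi client_old
issue newca QM1   qm1_new    aia.cnf
issue newca kordi client_new aia.cnf

# The signer part of a KDB at each stage of Morag's procedure.
cat oldca.pem           > trust_old.pem    # before steps 1/2
cat oldca.pem newca.pem > trust_both.pem   # steps 1-5: both CAs present
cat newca.pem           > trust_new.pem    # after step 6

echo "both CAs, partner still on old cert      : $(chain_ok trust_both.pem qm1_old.pem)"
echo "both CAs, partner moved to new cert      : $(chain_ok trust_both.pem qm1_new.pem)"
echo "client skipped step 2, QMgr did step 4   : $(chain_ok trust_old.pem qm1_new.pem)"
echo "client did step 6 early, QMgr still old  : $(chain_ok trust_new.pem qm1_old.pem)"
echo "OCSP AIA present, new QMgr cert / old    : $(has_ocsp qm1_new.pem) / $(has_ocsp qm1_old.pem)"

# KDB equivalents for one client, runmqakm syntax as I understand the IBM docs
# (not executed here; verify against your GSKit version):
#   step 2: runmqakm -cert -add -db key.kdb -stashed -label NewCA -file newca.pem -format ascii
#   step 3: runmqakm -certreq -create -db key.kdb -stashed -label ibmwebspheremqkordi_new \
#               -dn "CN=kordi" -size 2048 -file kordi_new.csr
#           (have the CSR signed by the new CA, then receive, drop the old, and rename)
#           runmqakm -cert -receive -db key.kdb -stashed -file kordi_new.pem -format ascii
#           runmqakm -cert -delete  -db key.kdb -stashed -label ibmwebspheremqkordi
#           runmqakm -cert -rename  -db key.kdb -stashed -label ibmwebspheremqkordi_new \
#               -new_label ibmwebspheremqkordi
#   step 5: DIS CHSTATUS(*) SSLPEER SSLCERTI   (in runmqsc, on every QMgr)
#   step 6: runmqakm -cert -delete -db key.kdb -stashed -label OldCA
```

The two "fail" rows are the outages the ordering prevents: a client that missed step 2 loses its queue manager at step 4, and a client that jumps to step 6 before the queue manager has moved loses it immediately. Because the rename is done with the temporary label, the channel's certificate label configuration never has to change.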
kordi
PostPosted: Wed May 11, 2016 12:17 pm    Post subject:
hughson wrote:

Correct, which is why my instructions never required you to have two certificates with the same label there at the same time.
Labels can be changed. You can generate the new CSR with a different label and when it comes time to remove the old and replace with the new, the replace step can be a rename of the label.


Oh, I didn't know labels can be renamed. I am reading this page https://www.ibm.com/support/knowledgecenter/SSFKSJ_7.5.0/com.ibm.mq.ref.adm.doc/q083840_.htm?lang=pl and cannot find any command responsible for renaming a certificate. Is it some undercover feature?

Thanks a lot Morag for your help!
hughson
PostPosted: Wed May 11, 2016 1:08 pm    Post subject:
The runmqckm and runmqakm options page shows all the options that can be used. The -new_label option is listed in the table.

I googled for runmqakm label and new_label and found this blog post that shows an example of the command:-

Did you know you can rename a certificate label?

Hope that helps.
Cheers
Morag
kordi
PostPosted: Wed May 11, 2016 1:16 pm    Post subject: