kordi
Posted: Fri Apr 01, 2016 5:08 am  Post subject: PKI task
Centurion
Joined: 28 May 2012 Posts: 146 Location: PL
Hello,
I have a task to replace all certificates currently being used with new certificates issued by a new CA. We have approx. 30 queue managers and 150 clients. I am planning to do that in the following order:
1. Update the kdb of all Queue Managers with the new root certificates. It will allow Queue Managers to accept connections with certificates issued by the new CA.
2. Prepare a new kdb for all MQ clients. There will be only the new CA certs and personal certificates issued by the new CA included in this kdb. After that I will replace the old kdbs with the new one. Also some adjustments need to be done within mqclient.ini. Some MQ clients require an upgrade as well.
3. Replace the old personal certificates of the Queue Managers with the new ones.
What do you think about this order? What would you change? Can you advise me how I can automate this work? Currently I am checking all MQ clients' kdbs to see if there is more than one personal certificate. If yes, I cannot simply remove the old kdb and replace it with the new one.
I have almost 180 servers to go across. It is going to be a long spring if I do not figure out how to do that quickly and ...

hughson
Posted: Tue May 03, 2016 1:40 am
Padawan
Joined: 09 May 2013 Posts: 1959 Location: Bay of Plenty, New Zealand
The difficulty of this update for your systems depends on whether your clients are anonymous, or whether they also have their own personal certificates too.
I suspect you will need two passes at this to keep everything up and running while you change over, thus:
- Add new CA root certificate to QMgr KDBs. As you correctly say, "It will allow Queue Managers to accept connections of certificates issued by new CA."
- Add new CA root certificate to client KDBs. Unfortunately you cannot remove the old CA until you change the QMgrs over to use their new certificates signed by the new CA.
- Add new Client personal certificates to the client KDBs and remove old personal certificates - do not remove old CAs. The QMgrs will be able to authenticate these because of step 1.
- Add new QMgr personal certificate to the QMgr and remove the old personal certificates - do not remove old CAs. Clients will be able to authenticate these because of step 2.
- Check and double check, looking at all SSLPEER values (and SSLCERTI if your MQ version is new enough) in DIS CHSTATUS, that every client and every QMgr is successfully using its new certificate. At this point, anything you have missed will still work because the old CA is still everywhere. This is the most important step. This is where you can catch any future potential problems.
- Remove old personal certificates and old root certificates.
- Check everything again to make sure all connections are still working.
Hope that helps,
Cheers
Morag
_________________
Morag Hughson @MoragHughson
IBM MQ Technical Education Specialist
MQGem Software
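One way to mechanise the "check and double check" step in the procedure above, as an added example that is not part of the original thread: a Python script that parses the runmqsc output of DIS CHSTATUS(*) SSLPEER SSLCERTI and buckets each channel instance by the CA that issued the peer's certificate. The sample output and the DNs in it are constructed; instances that report no SSLCERTI (MQ levels too old to show it) are listed as unknown rather than passed, so they still need a manual look.

```python
import re
# Constructed sample of DIS CHSTATUS(*) SSLPEER SSLCERTI output (made-up DNs); TO.QM2 has no SSLCERTI, as on an old MQ level.
SAMPLE_CHSTATUS = """\
AMQ8417I: Display Channel Status details.
   CHANNEL(APP1.SVRCONN)                   CHLTYPE(SVRCONN)
   CONNAME(10.0.0.11)                      CURRENT
   SSLCERTI(CN=New Root CA,O=Example)      SSLPEER(CN=app1,O=Example)
AMQ8417I: Display Channel Status details.
   CHANNEL(APP2.SVRCONN)                   CHLTYPE(SVRCONN)
   CONNAME(10.0.0.12)                      CURRENT
   SSLCERTI(CN=Old Root CA,O=Example)      SSLPEER(CN=app2,O=Example)
AMQ8417I: Display Channel Status details.
   CHANNEL(TO.QM2)                         CHLTYPE(SDR)
   CONNAME(10.0.0.2(1414))                 CURRENT
   SSLPEER(CN=QM2,O=Example)
"""

# NAME(value) pairs; a value may hold one nested pair of parentheses, e.g. CONNAME(host(port)).
ATTR_RE = re.compile(r"([A-Z]+)\(((?:[^()]|\([^()]*\))*)\)")

def parse_attrs(line):
    """{NAME: value} for every NAME(value) on one line of runmqsc output."""
    return dict(ATTR_RE.findall(line))

def parse_chstatus(text):
    """One attribute dict per AMQ8417I channel-status record."""
    records = []
    for line in text.splitlines():
        if line.startswith("AMQ8417I"):
            records.append({})
        elif records:
            records[-1].update(parse_attrs(line))
    return records

def norm_dn(dn):
    """Loose DN comparison: ignore case and whitespace around the commas."""
    return ",".join(p.strip() for p in dn.split(",")).lower()

def audit_issuers(text, new_ca_dn):
    """Bucket channel instances by the issuer of the peer's certificate: 'ok' = new CA,
    'old' = any other issuer, 'unknown' = no SSLCERTI reported (unverified, not passed)."""
    result = {"ok": [], "old": [], "unknown": []}
    for rec in parse_chstatus(text):
        key = f"{rec.get('CHANNEL')}/{rec.get('CONNAME')}"
        issuer = rec.get("SSLCERTI")
        bucket = ("unknown" if issuer is None
                  else "ok" if norm_dn(issuer) == norm_dn(new_ca_dn) else "old")
        result[bucket].append(key)
    return result
```

Feed it the saved output of `echo "DIS CHSTATUS(*) SSLPEER SSLCERTI" | runmqsc QMNAME` from each queue manager before removing the old CA; anything in the old or unknown buckets would stop working once the old root is gone.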

JosephGramig
Posted: Tue May 03, 2016 7:30 am
Grand Master
Joined: 09 Feb 2006 Posts: 1244 Location: Gold Coast of Florida, USA
Don't we all want an autobot to maintain all our PKI...
Tough order to fill.
- Each entity could put the PKI anywhere
- Each entity could use a different format
  - kdb
  - jks
- Built with different tools
  - runmqckm
  - runmqakm
  - OpenSSL
  - Others
And if there was one, wouldn't it be the prime place to inject a hack to gain third party access...

tczielke
Posted: Tue May 03, 2016 12:58 pm
Guardian
Joined: 08 Jul 2010 Posts: 941 Location: Illinois, USA
Another gotcha to be aware of is if your new certs (both signer or personal certs) have an AuthInfoAccess extension that includes an OCSP entry. If so, be aware that MQ has the OCSP certificate extension checking turned on by default, and will fail the connection if MQ cannot get a positive response from the OCSP server. OCSP is used for certificate revocation checking.
_________________
Working with MQ since 2010.

kordi
Posted: Tue May 10, 2016 12:10 pm
Hi guys,
Sorry for the delayed response but I was offline for a while.
hughson: As I understand, there cannot be two certificates with the same label. If I am re-creating a personal certificate (I cannot renew because we are changing CA) I have to first remove the old personal certificate, create a CSR (if I would like to create a CSR with an already existing label in the key store, runmqckm would exit with an error), sign it by the new CA and receive it into the kdb. Assuming I am doing it for userid=kordi, the label will be ibmwebspheremqkordi. So what I was thinking about is to create a completely new kdb, add the new CA, add the old CA, create a signing request, receive the signed certificate and replace the kdb files.
tczielke: Exactly. That's why I mentioned I have to do some adjustments in mqclient.ini

hughson
Posted: Tue May 10, 2016 3:40 pm
kordi wrote:
> As I understand there cannot be two certificates with the same label.
Correct, which is why my instructions never required you to have two certificates with the same label there at the same time.
kordi wrote:
> If I am re-creating a personal certificate (I cannot renew because we are changing CA) I have to first remove the old personal certificate, create a CSR (if I would like to create a CSR with an already existing label in the key store, runmqckm would exit with an error), sign it by the new CA and receive it into the kdb. Assuming I am doing it for userid=kordi, the label will be ibmwebspheremqkordi.
Labels can be changed. You can generate the new CSR with a different label and when it comes time to remove the old and replace with the new, the replace step can be a rename of the label.
kordi wrote:
> So what I was thinking about is to create a completely new kdb, add the new CA, add the old CA, create a signing request, receive the signed certificate and replace the kdb files.
That would also work. The key point is having both old and new CAs in place first and keeping them both in place until all old personal certs have been removed.
Cheers
Morag

kordi
Posted: Wed May 11, 2016 12:17 pm
hughson wrote:
> Correct, which is why my instructions never required you to have two certificates with the same label there at the same time.
> Labels can be changed. You can generate the new CSR with a different label and when it comes time to remove the old and replace with the new, the replace step can be a rename of the label.
Oh, I didn't know labels can be renamed. I am reading this page https://www.ibm.com/support/knowledgecenter/SSFKSJ_7.5.0/com.ibm.mq.ref.adm.doc/q083840_.htm?lang=pl and cannot find any command responsible for renaming a certificate. Is it some undercover feature?
Thanks a lot Morag for your help!

hughson
Posted: Wed May 11, 2016 1:08 pm

kordi
Posted: Wed May 11, 2016 1:16 pm