MQMB&WAS
Posted: Fri May 24, 2019 9:10 am    Post subject: How to quickly recover a MQ cluster from expired ssl certs?

Hello experts,
Let's say we have a situation where all the SSL certs have expired for all the qmgrs in a cluster. Requesting certs from the CA would take a lot of time, so what is the quickest way to recover my cluster while I work with the CA?
Thanks for your time.

bruce2359
Posted: Fri May 24, 2019 9:49 am

You mean other than disabling SSL/TLS in channel definitions?
_________________
I like deadlines. I like to wave as they pass by.
ב''ה
Lex Orandi, Lex Credendi, Lex Vivendi. As we Worship, So we Believe, So we Live.

gbaddeley
Posted: Sun May 26, 2019 3:33 pm    Post subject: Re: How to quickly recover a MQ cluster from expired ssl cer

MQMB&WAS wrote:
    Hello experts,
    Let's say we have a situation where all the SSL certs have expired for all the qmgrs in a cluster...
    Thanks for your time.

That wouldn't happen to us. We have reminders set up in our email system for 30 days prior to expiry. That gives us plenty of time to request new certs and deploy them.
_________________
Glenn

JosephGramig
Posted: Wed Jun 05, 2019 5:26 am

It would be nice if MQ would issue a warning on the use of SSL/TLS when the cert is going to expire in 30 days or less (and log it in the Qmgr/Client log).

Vitor
Posted: Wed Jun 05, 2019 6:06 am

JosephGramig wrote:
    It would be nice if MQ would issue a warning on the use of SSL/TLS when the cert is going to expire in 30 days or less (and log it in the Qmgr/Client log).

It would be nice if <insert product name here> would issue a warning on the use of SSL/TLS when the cert is going to expire in 30 days or less.
_________________
Honesty is the best policy.
Insanity is the best defence.

bruce2359
Posted: Wed Jun 05, 2019 6:52 am

JosephGramig
Posted: Wed Jun 05, 2019 6:59 am

@bruce2359,
Yes, but that would be manual and only for the local key store. I would like to know, for example on a SVRCONN connection that did mutual authentication, if the client, server or either signer cert is going to expire in 30 days or less.
It just needs to burp a warning in the Qmgr error log like WAS does.

tczielke
Posted: Wed Jun 05, 2019 9:07 am

With openssl s_client, you could script something that can poke the queue managers from a central location and get back the personal certificate to check. As long as you are using one personal certificate per queue manager, you can avoid the complications of CERTLABL. But that does not cover client keystores as mentioned by JosephGramig.
In my opinion, the whole concept of certs expiring causes more grief with application availability than it helps with security. A hyperbolic example, but it would be similar to a car manufacturer that ensures everyone gets a 6 month oil change by having your engine lock up when it has passed exactly 7 months since your last oil change. You can be speeding on a highway overpass as your engine locks up right at seven months. As your car tumbles over the overpass you can say to yourself "Well this might be it for me, but at least my car manufacturer made sure I paid for that missed oil change. Thank you, Honda!"
_________________
Working with MQ since 2010.

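The central check tczielke describes, written out as an added shell example (this is not code from the thread). It performs a TLS handshake against each queue manager's listener with openssl s_client, keeps only the leaf certificate the queue manager presents, and uses openssl x509 -checkend to flag anything that expires within a chosen number of days. It assumes one personal certificate per queue manager, so the certificate presented when no SNI is sent is the queue manager's own; the queue manager names, hostnames and port 1414 in the usage comment are placeholders.

```shell
#!/bin/sh
# Added example, not from the thread: poll queue manager listeners with
# openssl s_client and flag personal certificates expiring within N days.
# Assumption: one personal certificate per queue manager (no per-channel
# CERTLABL), so the cert returned without SNI is the queue manager's own.

# cert_expires_within PEMFILE DAYS
#   Returns 0 if the certificate expires within DAYS days (or already has),
#   1 otherwise. openssl x509 -checkend exits 0 only when the certificate is
#   still valid for the whole period, so its result is inverted here.
cert_expires_within() {
    pem=$1
    secs=$(( $2 * 86400 ))
    if openssl x509 -in "$pem" -noout -checkend "$secs" >/dev/null 2>&1; then
        return 1
    fi
    return 0
}

# cert_enddate PEMFILE -> prints the certificate's notAfter value
cert_enddate() {
    openssl x509 -in "$1" -noout -enddate | sed 's/^notAfter=//'
}

# fetch_qmgr_cert HOST PORT OUTFILE
#   Does a TLS handshake against the listener and writes the leaf certificate
#   the server presented to OUTFILE as PEM. No MQ protocol is spoken; the
#   handshake alone returns the certificate, and s_client still completes it
#   when verification fails (for example because the cert has expired).
fetch_qmgr_cert() {
    tmo=""
    command -v timeout >/dev/null 2>&1 && tmo="timeout 10"
    $tmo openssl s_client -connect "$1:$2" </dev/null 2>/dev/null \
        | openssl x509 -outform PEM > "$3" 2>/dev/null
}

# check_qmgrs DAYS   (reads "QMGR HOST PORT" lines from stdin)
#   Prints one line per queue manager: OK, EXPIRING or UNREACHABLE.
#   Returns 0 only if every queue manager came back OK.
check_qmgrs() {
    days=$1; rc=0
    while read -r qm host port; do
        [ -z "$qm" ] && continue
        tmp=$(mktemp)
        if ! fetch_qmgr_cert "$host" "$port" "$tmp" || ! [ -s "$tmp" ]; then
            echo "$qm UNREACHABLE $host:$port"; rc=1
        elif cert_expires_within "$tmp" "$days"; then
            echo "$qm EXPIRING $(cert_enddate "$tmp")"; rc=1
        else
            echo "$qm OK $(cert_enddate "$tmp")"
        fi
        rm -f "$tmp"
    done
    return $rc
}

# Usage (queue manager names, hosts and ports are placeholders):
#   check_qmgrs 30 <<'EOF'
#   QM1 qm1.example.com 1414
#   QM2 qm2.example.com 1414
#   EOF
```

A certificate that has already expired is still handed back by the listener, so it shows up as EXPIRING rather than UNREACHABLE. As tczielke says, this only sees what the listener presents: signer certificates in the chain (add -showcerts and loop over each block if you want those) and client keystores are not covered, and a queue manager with per-channel CERTLABL needs an SNI value that this script does not send.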
Vitor
Posted: Wed Jun 05, 2019 9:13 am

tczielke wrote:
    As your car tumbles over the overpass you can say to yourself "Well this might be it for me, but at least my car manufacturer made sure I paid for that missed oil change. Thank you, Honda!"

You'd be fine. No way a Honda's been driving round for 7 months without visiting a dealership for repairs; they'd do the oil change at the same time......
_________________
Honesty is the best policy.
Insanity is the best defence.

tczielke
Posted: Wed Jun 05, 2019 9:53 am

Vitor wrote:
    tczielke wrote:
        As your car tumbles over the overpass you can say to yourself "Well this might be it for me, but at least my car manufacturer made sure I paid for that missed oil change. Thank you, Honda!"

    You'd be fine. No way a Honda's been driving round for 7 months without visiting a dealership for repairs; they'd do the oil change at the same time......

Not my Honda!
Besides the fact that it kicks out heat on the lower vents when I turn the AC on, it works fine!
_________________
Working with MQ since 2010.

exerk
Posted: Wed Jun 05, 2019 11:10 am

tczielke wrote:
    Not my Honda!
    Besides the fact that it kicks out heat on the lower vents when I turn the AC on, it works fine!

It's got to vent the excess heat it takes out somewhere
_________________
It's puzzling, I don't think I've ever seen anything quite like this before...and it's hard to soar like an eagle when you're surrounded by turkeys.

tczielke
Posted: Wed Jun 05, 2019 11:35 am

exerk wrote:
    tczielke wrote:
        Not my Honda!
        Besides the fact that it kicks out heat on the lower vents when I turn the AC on, it works fine!

    It's got to vent the excess heat it takes out somewhere

Not on my legs though, please! These Illinois summers are hot enough.
_________________
Working with MQ since 2010.

gbaddeley
Posted: Wed Jun 05, 2019 4:56 pm    Post subject: Re: How to quickly recover a MQ cluster from expired ssl cer

MQMB&WAS wrote:
    Hello experts,
    Let's say we have a situation where all the SSL certs have expired for all the qmgrs in a cluster. Requesting certs from the CA would take a lot of time, so what is the quickest way to recover my cluster while I work with the CA?
    Thanks for your time.

Response #2: Disable on all channels until all renewed certs are in place.
_________________
Glenn

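The emergency step bruce2359 and gbaddeley suggest, in MQSC form, as an added shell example that is not code from the thread. tls_mqsc generates the ALTER/STOP/START sequence that turns TLS off on one channel (SSLCIPH set to blank) or back on (SSLCIPH set to a CipherSpec), and emergency_disable applies it on one queue manager to its cluster-receiver and to the cluster-senders it defines manually. The channel names TO.QM1 and TO.FR1, the queue manager name QM1 and the CipherSpec TLS_RSA_WITH_AES_256_CBC_SHA256 are placeholders.

```shell
#!/bin/sh
# Added example, not from the thread: MQSC to take TLS off a channel while
# certificates are renewed, and to put it back afterwards.
# Channel, queue manager and CipherSpec names below are placeholders.

# tls_mqsc MODE CHANNEL CHLTYPE [CIPHERSPEC]
#   MODE "disable" sets SSLCIPH to blank, MODE "restore" sets it to CIPHERSPEC.
#   Prints the MQSC on stdout. A changed SSLCIPH only takes effect when the
#   channel next starts, hence the STOP/START pair; START on a receiver-type
#   channel moves it from STOPPED back to INACTIVE so the sending side can
#   start it again. STOP on a channel that is not running is reported by
#   runmqsc but is harmless.
tls_mqsc() {
    mode=$1 chl=$2 type=$3 cipher=$4
    case $mode in
        disable) ssl="SSLCIPH(' ')" ;;
        restore)
            [ -n "$cipher" ] || { echo "restore needs a CipherSpec" >&2; return 2; }
            ssl="SSLCIPH($cipher)" ;;
        *) echo "unknown mode: $mode" >&2; return 2 ;;
    esac
    printf '%s\n' \
        "DISPLAY CHANNEL($chl) SSLCIPH" \
        "ALTER CHANNEL($chl) CHLTYPE($type) $ssl" \
        "STOP CHANNEL($chl) MODE(QUIESCE)" \
        "START CHANNEL($chl)"
}

# apply_mqsc QMGR   (MQSC on stdin)
apply_mqsc() {
    runmqsc "$1"
}

# emergency_disable QMGR CLUSRCVR [CLUSSDR...]
#   On one queue manager: blank SSLCIPH on its cluster-receiver (the
#   definition other members use to auto-define their cluster-senders to it)
#   and on each manually defined cluster-sender it has to a full repository.
#   Auto-defined cluster-senders cannot be altered locally; they follow the
#   remote cluster-receiver once the updated definition has propagated.
emergency_disable() {
    qm=$1; rcvr=$2; shift 2
    {
        tls_mqsc disable "$rcvr" CLUSRCVR
        for sdr in "$@"; do tls_mqsc disable "$sdr" CLUSSDR; done
    } | apply_mqsc "$qm"
}

# restore_tls QMGR CIPHERSPEC CLUSRCVR [CLUSSDR...]
#   Reverse of emergency_disable, once the renewed certificates are in the
#   key repository and REFRESH SECURITY TYPE(SSL) has been issued.
restore_tls() {
    qm=$1; cipher=$2; rcvr=$3; shift 3
    {
        tls_mqsc restore "$rcvr" CLUSRCVR "$cipher"
        for sdr in "$@"; do tls_mqsc restore "$sdr" CLUSSDR "$cipher"; done
    } | apply_mqsc "$qm"
}

# Usage (placeholders):
#   emergency_disable QM1 TO.QM1 TO.FR1
#   restore_tls QM1 TLS_RSA_WITH_AES_256_CBC_SHA256 TO.QM1 TO.FR1
```

Run it on every member of the cluster. Other members only learn about a blanked cluster-receiver through the full repositories, and that update itself travels over cluster channels, so start with the full repositories and the manually defined cluster-senders that point at them, and do both ends of every manually defined channel. While SSLCIPH is blank the channel traffic is neither encrypted nor authenticated by certificate, so treat it as a time-boxed outage measure, keep any address-based CHLAUTH rules in place, and put the CipherSpec back with restore_tls as soon as the renewed certificates are in the key repositories.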