ASG
IBM
Zystems
Cressida
Icon
Netflexity
 
  MQSeries.net
Search  Search       Tech Exchange      Education      Certifications      Library      Info Center      SupportPacs      LinkedIn  Search  Search                                                                   FAQ  FAQ   Usergroups  Usergroups
 
Register  ::  Log in Log in to check your private messages
 
RSS Feed - WebSphere MQ Support RSS Feed - Message Broker Support

MQSeries.net Forum IndexIBM MQ SecurityHow to quickly recover a MQ cluster from expired ssl certs?

Post new topicReply to topic
How to quickly recover a MQ cluster from expired ssl certs? View previous topic :: View next topic
Author Message
MQMB&WAS
PostPosted: Fri May 24, 2019 9:10 am Post subject: How to quickly recover a MQ cluster from expired ssl certs? Reply with quote

Voyager

Joined: 12 Jun 2016
Posts: 93

Hello experts,

Lets say we have a situation where all the ssl certs have expired for all the qmgrs in a cluster. Requesting certs from CA would take lot of time, so what is the quickest way to recover my cluster while I work with the CA.

Thanks for your time.
Back to top
View user's profile Send private message
bruce2359
PostPosted: Fri May 24, 2019 9:49 am Post subject: Reply with quote

Poobah

Joined: 05 Jan 2008
Posts: 8534
Location: US: west coast, almost. Otherwise, enroute.

You mean other than disabling SSL/TLS in channel definitions?
_________________
There are two types of people in this world:
1) Those that can extrapolate from incomplete data
Back to top
View user's profile Send private message
gbaddeley
PostPosted: Sun May 26, 2019 3:33 pm Post subject: Re: How to quickly recover a MQ cluster from expired ssl cer Reply with quote

Jedi

Joined: 25 Mar 2003
Posts: 2040
Location: Melbourne, Australia

MQMB&WAS wrote:
Hello experts,
Lets say we have a situation where all the ssl certs have expired for all the qmgrs in a cluster...
Thanks for your time.

That wouldn't happen to us. We have reminders set up in our email system for 30 days prior to expiry. That gives up plenty of time to request new certs and deploy them.
_________________
Glenn
Back to top
View user's profile Send private message
JosephGramig
PostPosted: Wed Jun 05, 2019 5:26 am Post subject: Reply with quote

Grand Master

Joined: 09 Feb 2006
Posts: 1208
Location: Derby City, USA

It would be nice if MQ would issue a warning on the use of SSL/TLS when the cert is going to expire in 30 days or less (and log it in the Qmgr/Client log).
Back to top
View user's profile Send private message AIM Address
Vitor
PostPosted: Wed Jun 05, 2019 6:06 am Post subject: Reply with quote

Grand High Poobah

Joined: 11 Nov 2005
Posts: 25858
Location: Texas, USA

JosephGramig wrote:
It would be nice if MQ would issue a warning on the use of SSL/TLS when the cert is going to expire in 30 days or less (and log it in the Qmgr/Client log).



It would be nice if <insert product name here> would issue a warning on the use of SSL/TLS when the cert is going to expire in 30 days or less.
_________________
Honesty is the best policy.
Insanity is the best defence.
Back to top
View user's profile Send private message
bruce2359
PostPosted: Wed Jun 05, 2019 6:52 am Post subject: Reply with quote

Poobah

Joined: 05 Jan 2008
Posts: 8534
Location: US: west coast, almost. Otherwise, enroute.

One could use ikeyman or the gskcmd command line equivalent to interrogate certs for not-before and not-after dates. This was on the agenda of the weekly operations meeting.

https://www.ibm.com/support/knowledgecenter/en/SSEQTJ_9.0.0/com.ibm.websphere.ihs.doc/ihs/cihs_viewcertexpire.html
_________________
There are two types of people in this world:
1) Those that can extrapolate from incomplete data


Last edited by bruce2359 on Wed Jun 05, 2019 9:01 am; edited 1 time in total
Back to top
View user's profile Send private message
JosephGramig
PostPosted: Wed Jun 05, 2019 6:59 am Post subject: Reply with quote

Grand Master

Joined: 09 Feb 2006
Posts: 1208
Location: Derby City, USA

@bruce2359,

Yes but that would be manual and only for the local key store. I would like to know, for example on a SVRCONN connection that did mutual authentication, if the client, server or either signer cert is going to expire in 30 days or less.

It just needs to burp a warning in the Qmgr error log like WAS does.
Back to top
View user's profile Send private message AIM Address
tczielke
PostPosted: Wed Jun 05, 2019 9:07 am Post subject: Reply with quote

Sentinel

Joined: 08 Jul 2010
Posts: 849
Location: Illinois, USA

With openssl s_client, you could script something that can poke the queue managers from a central location and get back the personal certificate to check. As long as you are using one personal certificate per queue manager, you can avoid the complications of CERTLABL. But that does not cover client keystores as mentioned by JosephGramig.

In my opinion, the whole concept of certs expiring causes more grief with application availability than it helps with security. A hyperbolic example, but it would be similar to a car manufacturer that ensures everyone gets a 6 month oil change by having your engine lock up when it has passed exactly 7 months since your last oil change. You can be speeding on a highway overpass as your engine locks up right at seven months. As your car tumbles over the overpass you can say to yourself "Well this might be it for me, but at least my car manufacturer made sure I paid for that missed oil change. Thank you, Honda!"
_________________
Working with MQ since 2010.

Miami Dolphins 2019 - Tank you for the memories.
Back to top
View user's profile Send private message
Vitor
PostPosted: Wed Jun 05, 2019 9:13 am Post subject: Reply with quote

Grand High Poobah

Joined: 11 Nov 2005
Posts: 25858
Location: Texas, USA

tczielke wrote:
As your car tumbles over the overpass you can say to yourself "Well this might be it for me, but at least my car manufacturer made sure I paid for that missed oil change. Thank you, Honda!"


You'd be fine. No way a Honda's been driving round for 7 months without visiting a dealership for repairs; they'd do the oil change at the same time......



_________________
Honesty is the best policy.
Insanity is the best defence.
Back to top
View user's profile Send private message
tczielke
PostPosted: Wed Jun 05, 2019 9:53 am Post subject: Reply with quote

Sentinel

Joined: 08 Jul 2010
Posts: 849
Location: Illinois, USA

Vitor wrote:
tczielke wrote:
As your car tumbles over the overpass you can say to yourself "Well this might be it for me, but at least my car manufacturer made sure I paid for that missed oil change. Thank you, Honda!"


You'd be fine. No way a Honda's been driving round for 7 months without visiting a dealership for repairs; they'd do the oil change at the same time......




Not my Honda!

Besides the fact that it kicks out heat on the lower vents when I turn the AC on, it works fine!
_________________
Working with MQ since 2010.

Miami Dolphins 2019 - Tank you for the memories.
Back to top
View user's profile Send private message
exerk
PostPosted: Wed Jun 05, 2019 11:10 am Post subject: Reply with quote

Jedi Council

Joined: 02 Nov 2006
Posts: 6110

tczielke wrote:
Not my Honda!

Besides the fact that it kicks out heat on the lower vents when I turn the AC on, it works fine!

It's got to vent the excess heat it takes out somewhere
_________________
It's puzzling, I don't think I've ever seen anything quite like this before...and it's hard to soar like an eagle when you're surrounded by turkeys.

Back to top
View user's profile Send private message
tczielke
PostPosted: Wed Jun 05, 2019 11:35 am Post subject: Reply with quote

Sentinel

Joined: 08 Jul 2010
Posts: 849
Location: Illinois, USA

exerk wrote:
tczielke wrote:
Not my Honda!

Besides the fact that it kicks out heat on the lower vents when I turn the AC on, it works fine!

It's got to vent the excess heat it takes out somewhere


Not on my legs though, please! These Illinois summers are hot enough.
_________________
Working with MQ since 2010.

Miami Dolphins 2019 - Tank you for the memories.
Back to top
View user's profile Send private message
gbaddeley
PostPosted: Wed Jun 05, 2019 4:56 pm Post subject: Re: How to quickly recover a MQ cluster from expired ssl cer Reply with quote

Jedi

Joined: 25 Mar 2003
Posts: 2040
Location: Melbourne, Australia

MQMB&WAS wrote:
Hello experts,
Lets say we have a situation where all the ssl certs have expired for all the qmgrs in a cluster. Requesting certs from CA would take lot of time, so what is the quickest way to recover my cluster while I work with the CA.
Thanks for your time.

Response #2: Disable on all channels until all renewed certs are in place.
_________________
Glenn
Back to top
View user's profile Send private message
Display posts from previous:
Post new topicReply to topic Page 1 of 1

MQSeries.net Forum IndexIBM MQ SecurityHow to quickly recover a MQ cluster from expired ssl certs?
Jump to:



You cannot post new topics in this forum
You cannot reply to topics in this forum
You cannot edit your posts in this forum
You cannot delete your posts in this forum
You cannot vote in polls in this forum
Protected by Anti-Spam ACP


Theme by Dustin Baccetti
Powered by phpBB 2001, 2002 phpBB Group

Copyright MQSeries.net. All rights reserved.