Author |
Message
|
pcelari |
Posted: Fri Jul 05, 2019 9:38 am Post subject: renewing certificate with modified DN fields possible? |
|
|
Chevalier
Joined: 31 Mar 2006 Posts: 411 Location: New York
|
Greetings.
A qmgr's old certificate will expire soon, so I recreated a certificate request based on the current one. But company policy has changed: some fields in the DN need to be populated, others need to have different values. But modifying fields is not permitted using the -recreate option.
Of course, I can copy the whole kdb directory to a test environment, where I delete the original certificate and just create a new request with all fields appropriately set. Upon receiving the signed certificate, receive the signed certificate into the kdb, and then copy the kdb back to original qmgr's kdb.
While renewing a certificate causes no interruption of service, deleting and adding a new one does.
So I wonder if there is a better way of doing this than the above that doesn't interrupt services.
Thanks a lot for sharing any insight! _________________ pcelari
-----------------------------------------
- a master of always being a newbie |
exerk |
Posted: Sat Jul 06, 2019 12:46 am Post subject: |
|
|
 Jedi Council
Joined: 02 Nov 2006 Posts: 6339
|
Depending on your version of MQ, you can create a new certificate request (with a 'new' label) in the current key store, and flip the CERTLABL attribute of the queue manager to use it. _________________ It's puzzling, I don't think I've ever seen anything quite like this before...and it's hard to soar like an eagle when you're surrounded by turkeys. |
fjb_saper |
Posted: Mon Jul 08, 2019 4:58 am Post subject: |
|
|
 Grand High Poobah
Joined: 18 Nov 2003 Posts: 20756 Location: LI,NY
|
You will need all your partners to stage the new signer chain just as you stage the new certificate. When that is all done, all you have to do is flip the cert (see certlabel field) and refresh security type(ssl).
Enjoy  _________________ MQ & Broker admin |
hughson |
Posted: Mon Jul 08, 2019 3:19 pm Post subject: |
|
|
 Padawan
Joined: 09 May 2013 Posts: 1959 Location: Bay of Plenty, New Zealand
|
As the above answers indicate, you can use CERTLABL to point at the old label and then alter it to the new label when you are ready to switch. This means that both old and new certificates can co-exist in the KDB ready for use.
The CERTLABL feature was added in IBM MQ V8. So as long as you are at that version it's simple for you. If you're not, it's a longer outage.
Cheers,
Morag _________________ Morag Hughson @MoragHughson
IBM MQ Technical Education Specialist
Get your IBM MQ training here!
MQGem Software |
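The rollover described in the replies above, written out as an added example that is not part of the original thread: a request is created under a new label beside the old certificate, and once the signed certificate is received the queue manager is pointed at it with CERTLABL and the TLS configuration is refreshed. The queue manager name, key store path, labels, DN and file names are constructed, and the sketch assumes IBM MQ V8 or later with a stashed key store password.

```shell
#!/bin/sh
# Added example: two-phase certificate rollover using CERTLABL (IBM MQ V8+).
# All names passed in (queue manager, kdb path, labels, DN) are constructed.
# DRY_RUN=1 (the default) prints each command instead of executing it.
DRY_RUN="${DRY_RUN:-1}"

run() {
    if [ "$DRY_RUN" = 1 ]; then printf '%s\n' "$*"; else "$@"; fi
}

mqsc() {  # mqsc QMGR 'MQSC command'
    if [ "$DRY_RUN" = 1 ]; then
        printf "echo \"%s\" | runmqsc %s\n" "$2" "$1"
    else
        printf '%s\n' "$2" | runmqsc "$1"
    fi
}

# Phase 1: create a request under a NEW label next to the old certificate.
# The old certificate stays in the key store and stays in use.
stage_request() {  # stage_request KDB OLD_LABEL NEW_LABEL DN REQ_FILE
    [ "$2" != "$3" ] || { echo "new label must differ from old" >&2; return 1; }
    [ -n "$4" ] || { echo "DN must not be empty" >&2; return 1; }
    run runmqakm -certreq -create -db "$1" -stashed \
        -label "$3" -dn "$4" -size 2048 -file "$5"
}

# Phase 2: once the CA has returned the signed certificate and partners
# have staged the signer chain, receive it, review its DN, then switch.
# REFRESH SECURITY TYPE(SSL) restarts the TLS channels that are running.
switch_label() {  # switch_label QMGR KDB NEW_LABEL SIGNED_CERT
    run runmqakm -cert -receive -db "$2" -stashed -file "$4" || return 1
    run runmqakm -cert -details -db "$2" -stashed -label "$3" || return 1
    mqsc "$1" "ALTER QMGR CERTLABL('$3')" || return 1
    mqsc "$1" "REFRESH SECURITY TYPE(SSL)"
}
```

Review the dry-run output of both functions first; setting DRY_RUN=0 executes the same commands on the MQ host.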
pcelari |
Posted: Mon Jul 15, 2019 7:11 am Post subject: |
|
|
Chevalier
Joined: 31 Mar 2006 Posts: 411 Location: New York
|
Thanks so much for the inputs. So the old label rule of ibmwebspheremqqmgrname no longer has to be followed. It's really a convenient change. _________________ pcelari
-----------------------------------------
- a master of always being a newbie |
hughson |
Posted: Mon Jul 15, 2019 2:56 pm Post subject: |
|
|
 Padawan
Joined: 09 May 2013 Posts: 1959 Location: Bay of Plenty, New Zealand
|
pcelari wrote: |
So the old label rule of ibmwebspheremqqmgrname no longer has to be followed. |
Absolutely correct! It's great!  _________________ Morag Hughson @MoragHughson
IBM MQ Technical Education Specialist
Get your IBM MQ training here!
MQGem Software |