renewing certificate with modified DN fields possible?
pcelari
Posted: Fri Jul 05, 2019 9:38 am

Partisan

Joined: 31 Mar 2006
Posts: 361
Location: New York

Greetings.

A qmgr's old certificate will expire soon, so I recreated a certificate request based on the current one. But company policy has changed: some fields in the DN need to be populated, others need to have different values. But modifying fields is not permitted using the -recreate option.

Of course, I can copy the whole kdb directory to a test environment, where I delete the original certificate and just create a new request with all fields appropriately set. Upon receiving the signed certificate, receive the signed certificate into the kdb, and then copy the kdb back to original qmgr's kdb.

While renewing a certificate causes no interruption of service, deleting and adding a new one does.

So I wonder if there is a better way of doing this than the above that doesn't interrupt services.

Thanks a lot for sharing any insight!
_________________
pcelari
-----------------------------------------
- a master of always being a newbie
exerk
Posted: Sat Jul 06, 2019 12:46 am

Jedi Council

Joined: 02 Nov 2006
Posts: 6106

Depending on your version of MQ, you can create a new certificate request (with a 'new' label) in the current key store, and flip the CERTLABL attribute of the queue manager to use it.
_________________
It's puzzling, I don't think I've ever seen anything quite like this before...and it's hard to soar like an eagle when you're surrounded by turkeys.

fjb_saper
Posted: Mon Jul 08, 2019 4:58 am

Grand High Poobah

Joined: 18 Nov 2003
Posts: 20111
Location: LI,NY

You will need all your partners to stage the new signer chain just as you stage the new certificate. When that is all done, all you have to do is flip the cert (see certlabel field) and refresh security type(ssl).

Enjoy
_________________
MQ & Broker admin
hughson
Posted: Mon Jul 08, 2019 3:19 pm

Grand Master

Joined: 09 May 2013
Posts: 1256
Location: Bay of Plenty, New Zealand

As the above answers indicate, you can use CERTLABL to point at the old label and then alter it to the new label when you are ready to switch. This means that both old and new certificates can co-exist in the KDB ready for use.

The CERTLABL feature was added in IBM MQ V8. So as long as you are at that version it's simple for you. If you're not, it's a longer outage.

Cheers,
Morag
_________________
Morag Hughson @MoragHughson
IBM MQ Technical Education Specialist
Get your IBM MQ training here!
MQGem Software
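The staged switch described in the replies above, as an added example that is not part of the original thread: a new request under a new label, receipt of the signed certificate, then the CERTLABL flip and security refresh. It assumes IBM MQ V8 or later and a stashed key database password; the queue manager name, key database path, label, DN and file names are constructed placeholders, and the script only prints the commands unless `DRY_RUN=0` is set.

```shell
#!/bin/sh
# Added example: staged certificate switch using CERTLABL (IBM MQ V8 or later).
# All values below are constructed placeholders, not taken from the thread.
QMGR=QM1
KDB=/var/mqm/qmgrs/QM1/ssl/key.kdb
NEW_LABEL=qm1.2019
NEW_DN="CN=QM1,OU=Messaging,O=Example Corp,C=US"
DRY_RUN=${DRY_RUN:-1}      # 1 = print commands only, 0 = execute them

run() {   # print the command in dry-run mode, execute it otherwise
    if [ "$DRY_RUN" = 1 ]; then printf '+ %s\n' "$*"; else "$@"; fi
}

mqsc() {  # send one MQSC command to queue manager $1
    if [ "$DRY_RUN" = 1 ]; then printf '+ echo "%s" | runmqsc %s\n' "$2" "$1"
    else printf '%s\n' "$2" | runmqsc "$1"; fi
}

# Step 1: create the request under a NEW label with the corrected DN.
# The certificate under the old label stays in place and keeps serving.
stage_request() {   # args: kdb label dn request-file
    run runmqakm -certreq -create -db "$1" -stashed -label "$2" -dn "$3" -file "$4"
}

# Step 2: receive the CA-signed certificate (it is matched to the pending
# request), then display it so the DN and validity dates can be checked.
receive_signed() {  # args: kdb signed-cert-file label
    run runmqakm -cert -receive -db "$1" -stashed -file "$2" &&
    run runmqakm -cert -details -db "$1" -stashed -label "$3"
}

# Step 3: once partners have staged the new signer chain, point the queue
# manager at the new label and refresh. Calling this again with the old
# label reverts the switch, since both certificates remain in the kdb.
switch_label() {    # args: qmgr label
    mqsc "$1" "ALTER QMGR CERTLABL('$2')" &&
    mqsc "$1" "REFRESH SECURITY TYPE(SSL)" &&
    mqsc "$1" "DISPLAY QMGR CERTLABL"
}

# The steps run at different times (the CA signs between 1 and 2).
case "${1:-}" in
    request) stage_request "$KDB" "$NEW_LABEL" "$NEW_DN" /tmp/qm1.req ;;
    receive) receive_signed "$KDB" /tmp/qm1.crt "$NEW_LABEL" ;;
    switch)  switch_label "$QMGR" "$NEW_LABEL" ;;
esac
```
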
pcelari
Posted: Mon Jul 15, 2019 7:11 am

Partisan

Joined: 31 Mar 2006
Posts: 361
Location: New York

Thanks so much for the inputs. So the old label rule of ibmwebspheremqqmgrname no longer has to be followed. It's really a convenient change.
_________________
pcelari
-----------------------------------------
- a master of always being a newbie
hughson
Posted: Mon Jul 15, 2019 2:56 pm

Grand Master

Joined: 09 May 2013
Posts: 1256
Location: Bay of Plenty, New Zealand

pcelari wrote:
So the old label rule of ibmwebspheremqqmgrname no longer has to be followed.

Absolutely correct! It's great!
_________________
Morag Hughson @MoragHughson
IBM MQ Technical Education Specialist
Get your IBM MQ training here!
MQGem Software