
MQSeries.net Forum Index » General IBM MQ Support » How to identify if MQ refresh security command is been issue

Inforz
Posted: Wed Jun 02, 2021 4:06 am    Post subject: How to identify if MQ refresh security command is been issue

Centurion

Joined: 15 Apr 2011
Posts: 139
Location: Chennai, India

Hi,

How do we identify whether the MQ refresh security command has been issued or not in MQ, or the last time this refresh security type(ssl) was issued?

There has been a severe issue in our working environment where the MQ support person did the SSL renewal on the MQ server (which is used by MQ) and didn't do the refresh security type(ssl) at the time of performing the renewal.

By yesterday midnight the old cert had expired, and since today we are having an SSL invalid cert issue thrown in the MQ logs.

So this was resolved by issuing refresh security type(ssl). However, by the time it was issued, there was a huge impact at the customer end and they wanted a mechanism or a command or a check that can assure whether a refresh security type(ssl) has been issued or not.

Note: Since we had multiple other apps connecting to the affected MQ server, the refresh security had caused a blip for all other apps that weren't affected by this cert expiry.

MQ v7.0.1.14 is used and the server is AIX 1.3
zpat
Posted: Wed Jun 02, 2021 4:45 am

Jedi Council

Joined: 19 May 2001
Posts: 5849
Location: UK

Your version of MQ is long since unsupported.

How any business would want to rely on that is beyond me. You do realise you are totally on your own and IBM will not help fix bugs?

The MQ event log might show the refresh. Or you could enable the command events (beforehand) and look at those.

I think I submitted an RFE for a way to display the certificates currently loaded by the QM. Not of interest to those that refuse to upgrade of course.
_________________
Well, I don't think there is any question about it. It can only be attributable to human error. This sort of thing has cropped up before, and it has always been due to human error.
tczielke
Posted: Wed Jun 02, 2021 5:23 am

Guardian

Joined: 08 Jul 2010
Posts: 939
Location: Illinois, USA

I believe your underlying requirement is validating that MQ is using the new certificate after a cert update. This link gives you an option with using openssl s_client.

https://community.ibm.com/community/user/integration/blogs/tim-zielke1/2020/04/24/using-openssl-s-client-with-ibm-mq
_________________
Working with MQ since 2010.
Inforz
Posted: Wed Jun 02, 2021 5:32 am

Centurion

Joined: 15 Apr 2011
Posts: 139
Location: Chennai, India

Quote:
Your version of MQ is long since unsupported.

Right and our environment is so.

zpat wrote:

How any business would want to rely on that is beyond me. You do realise you are totally on your own and IBM will not help fix bugs?

Exactly, and we have already proposed an upgrade and are waiting for the nod from the customer.

zpat wrote:

The MQ event log might show the refresh. Or you could enable the command events (beforehand) and look at those.

Yes. A solid command and output is what the customer team is requesting.

Quote:

I think I submitted an RFE for a way to display the certificates currently loaded by the QM. Not of interest to those that refuse to upgrade of course.

Thanks a lot. Please share the outcome when you get it.
Inforz
Posted: Wed Jun 02, 2021 5:35 am

Centurion

Joined: 15 Apr 2011
Posts: 139
Location: Chennai, India

tczielke wrote:
I believe your underlying requirement is validating that MQ is using the new certificate after a cert update. This link gives you an option with using openssl s_client.

https://community.ibm.com/community/user/integration/blogs/tim-zielke1/2020/04/24/using-openssl-s-client-with-ibm-mq


Have tried the below

Code:
openssl s_client -connect localhost:2414 -showcerts


and got

connect: Connection refused connect:errno=79


Last edited by Inforz on Wed Jun 02, 2021 7:40 am; edited 1 time in total
Inforz
Posted: Wed Jun 02, 2021 6:02 am

Centurion

Joined: 15 Apr 2011
Posts: 139
Location: Chennai, India

tczielke wrote:
I believe your underlying requirement is validating that MQ is using the new certificate after a cert update. This link gives you an option with using openssl s_client.

https://community.ibm.com/community/user/integration/blogs/tim-zielke1/2020/04/24/using-openssl-s-client-with-ibm-mq


Could you please share a link for the same check done locally within a server?
Inforz
Posted: Wed Jun 02, 2021 7:26 am

Centurion

Joined: 15 Apr 2011
Posts: 139
Location: Chennai, India

What I believe is that if the queue manager maintains a copy and checks it against each incoming connection, then there should be a way to retrieve it.

Because every time it takes its own cert copy to validate; it doesn't go to the keystore every time for validation.
tczielke
Posted: Wed Jun 02, 2021 12:33 pm

Guardian

Joined: 08 Jul 2010
Posts: 939
Location: Illinois, USA

Inforz wrote:
tczielke wrote:
I believe your underlying requirement is validating that MQ is using the new certificate after a cert update. This link gives you an option with using openssl s_client.

https://community.ibm.com/community/user/integration/blogs/tim-zielke1/2020/04/24/using-openssl-s-client-with-ibm-mq


Could you please share a link for the same check done locally within a server


openssl can be run from the same server as the queue manager.
_________________
Working with MQ since 2010.
Inforz
Posted: Thu Jun 03, 2021 7:18 am

Centurion

Joined: 15 Apr 2011
Posts: 139
Location: Chennai, India

Thanks all for the inputs.

The commands below gave the output we required.


AIX/Linux:

Code:
echo | openssl s_client -connect <QMServerName>:<QMPort> -showcerts 2>&1 | openssl x509 -noout -dates




Windows:

Code:
C:\Windows\system32>"C:\Program Files\IBM\Java70\jre\bin\keytool" -printcert -sslserver <QMServerName>:<QMPort>
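A fingerprint-based variant of the check in the post above, added here as an example and not code from the thread: instead of reading the dates by eye, it compares the certificate the listener presents with the old and the renewed certificate exported as PEM, so a renewal that was never followed by refresh security type(ssl) shows up as "stale". The function names and the constructed stand-in certificates are assumptions, and it assumes the listener negotiates a protocol version the local Python build accepts.

```python
import base64
import hashlib
import re
import socket
import ssl

PEM_RE = re.compile(r"-----BEGIN CERTIFICATE-----(.+?)-----END CERTIFICATE-----", re.S)

def pem_fingerprint(pem_text):
    """SHA-256 of the first certificate in a PEM export of the key repository."""
    match = PEM_RE.search(pem_text)
    if match is None:
        raise ValueError("no PEM certificate found")
    der = base64.b64decode("".join(match.group(1).split()))
    return hashlib.sha256(der).hexdigest()

def served_der(host, port, timeout=10.0):
    """Leaf certificate (DER) the listener presents right now, like openssl s_client."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE  # identity is checked by fingerprint below
    with socket.create_connection((host, port), timeout=timeout) as raw:
        with ctx.wrap_socket(raw, server_hostname=host) as tls:
            return tls.getpeercert(binary_form=True)

def refresh_state(der, old_pem, new_pem):
    """Classify what the queue manager is serving after a certificate renewal."""
    served = hashlib.sha256(der).hexdigest()
    if served == pem_fingerprint(new_pem):
        return "renewed"   # the new certificate is live
    if served == pem_fingerprint(old_pem):
        return "stale"     # key repository updated, old certificate still in use
    return "unknown"       # neither one: check the host, port and exports

# Constructed stand-ins (not real X.509 data) so the logic runs offline.
OLD_DER, NEW_DER = b"constructed-old-cert", b"constructed-new-cert"
OLD_PEM, NEW_PEM = (ssl.DER_cert_to_PEM_cert(d) for d in (OLD_DER, NEW_DER))

if __name__ == "__main__":
    # Real use: refresh_state(served_der("<QMServerName>", <QMPort>), old_pem, new_pem)
    for name, der in (("before refresh", OLD_DER), ("after refresh", NEW_DER)):
        print(name, "->", refresh_state(der, OLD_PEM, NEW_PEM))
```

Run it right after the renewal and again after the refresh; a result other than "renewed" on the second run means the change has not taken effect on that listener.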
kordi
Posted: Sun Oct 31, 2021 3:42 am

Centurion

Joined: 28 May 2012
Posts: 145
Location: PL

In order to have control over what and who issued certain commands I would suggest to

Code:
ALTER QMGR CONFIGEV(ENABLED) CMDEV(ENABLED)


But what has been done has been done.

Check also the AMQERR0n logs, information about issuing REFRESH SECURITY should be there.
EnigmaticCypher
Posted: Sat Jan 01, 2022 6:11 pm

Newbie

Joined: 01 Jan 2022
Posts: 5

kordi wrote:
In order to have control over what and who issued certain commands I would suggest to

Code:
ALTER QMGR CONFIGEV(ENABLED) CMDEV(ENABLED)


But what has been done has been done.

Check also the AMQERR0n logs, information about issuing REFRESH SECURITY should be there.


Just to note, enabling these events on its own does not actually help all that much. You need an application or tool that is capable of processing these messages. Later versions of MQ clients ship with the amqsevt sample which could be used as an interim solution, though of course with non-persistent messaging there's always the risk of data loss.

The sample *should* work with the older MQ versions, my workplace has many versions of MQ running due to various reasons, and I haven't personally encountered any major dramas with it.
zpat
Posted: Sun Jan 02, 2022 5:39 am

Jedi Council

Joined: 19 May 2001
Posts: 5849
Location: UK

MQ explorer with MS0P, or the MO71 product, can format event messages interactively.
_________________
Well, I don't think there is any question about it. It can only be attributable to human error. This sort of thing has cropped up before, and it has always been due to human error.
kordi
Posted: Sun Jan 02, 2022 9:53 am

Centurion

Joined: 28 May 2012
Posts: 145
Location: PL

EnigmaticCypher wrote:

Just to note, enabling these events on its own does not actually help all that much. You need an application or tool that is capable of processing these messages. Later versions of MQ clients ship with the amqsevt sample which could be used as an interim solution, though of course with non-persistent messaging there's always the risk of data loss.

The sample *should* work with the older MQ versions, my workplace has many versions of MQ running due to various reasons, and I haven't personally encountered any major dramas with it.


You are right, it's good to have some MQ knowledge when you want to turn something on or off in Queue Manager. We have a tool to read and process events and write them to Splunk.

Happy New Year!
RogerLacroix
Posted: Fri Jan 07, 2022 3:18 pm

Jedi Knight

Joined: 15 May 2001
Posts: 3253
Location: London, ON Canada

Also, MQ Visual Edit supports converting MQ events messages into human-readable messages.

Regards,
Roger Lacroix
Capitalware Inc.
_________________
Capitalware: Transforming tomorrow into today.
Connected to MQ!