| Author |
Message
|
| gs |
 Posted: Thu Feb 28, 2008 2:09 am Post subject: SSL keystore expiration and effects |
 |
|
Master
Joined: 31 May 2007
Posts: 254
Location: Sweden
|
How does an expired qmgr keystore password affect channel functionality while the qmgr is running?
I'd say that all cached (already used) certificates would work but non-cached cert usage would fail, is this correct?
Thanks |
|
| Back to top |
|
 |
| LMD |
| Posted: Thu Feb 28, 2008 6:53 am Post subject: Re: SSL keystore expiration and effects |
|
|
Acolyte
Joined: 30 Oct 2002
Posts: 56
Location: Paris - France
|
| gs wrote: |
How does an expired qmgr keystore password affect channel functionality while the qmgr is running?
I'd say that all cached (already used) certificates would work but non-cached cert usage would fail, is this correct?
Thanks |
Hi,
Channels certificates are checked at channel startup. If the keystore password is expired, the qmgr will not be able to access the certificate, the channel will fail, and the production will stop (verified IRL !).
_________________
lmd_at_demey-consulting.fr - http://demey-consulting.fr - Paris, France.
WMQ, WAS & IIB Certified.
#IBMChampion |
|
| Back to top |
|
|
| gs |
| Posted: Thu Feb 28, 2008 8:16 am Post subject: |
|
|
Master
Joined: 31 May 2007
Posts: 254
Location: Sweden
|
| Thanks, but all cached certificates would be ok? Does the queue manager have any reason to access the keystore in case the certificate is found in the cache? |
|
| Back to top |
|
|
| JLRowe |
| Posted: Thu Feb 28, 2008 9:20 am Post subject: |
|
|
Yatiri
Joined: 25 May 2002
Posts: 664
Location: South East London
|
The REFRESH SECURITY command causes the key store to be re-examined.
And who knows about the product internals, which may change per platform/service pack. I would consider it bad practice to rely on the caching behaviour.
Last edited by JLRowe on Thu Feb 28, 2008 11:21 am; edited 1 time in total |
|
| Back to top |
|
|
| jefflowrey |
| Posted: Thu Feb 28, 2008 9:39 am Post subject: |
|
|
Grand Poobah
Joined: 16 Oct 2002
Posts: 19981
|
Especially since, as far as I know, there is no documentation on any caching behavior.
_________________
I am *not* the model of the modern major general. |
|
| Back to top |
|
|
| gs |
| Posted: Fri Feb 29, 2008 2:06 am Post subject: |
|
|
Master
Joined: 31 May 2007
Posts: 254
Location: Sweden
|
|
| Back to top |
|
|
| Vitor |
| Posted: Fri Feb 29, 2008 2:23 am Post subject: |
|
|
Grand High Poobah
Joined: 11 Nov 2005
Posts: 26093
Location: Texas, USA
|
At the risk of sounding like a broken record, this is another facet of the "how do you control your environment" question. This is another task, like defining/modifying queues, and you handle it according to the site administrative standards.
My 2 cents - All the expiry dates are syncronised according to system so the passwords for system A expire at the end of January, system B expire at the end of Feb, etc and we have a scheduled task to go round and change them as part of the month-end maintenance slot.
(When I say scheduled, I mean on the month end schedule docuement, not a cron job or similar).
I must point out we don't have a large number of such systems, and I can see this method getting unwieldy with a large number of queue managers.
_________________
Honesty is the best policy.
Insanity is the best defence. |
|
| Back to top |
|
|
|
|
