blovell
Posted: Mon Jan 05, 2009 5:01 am
Post subject: MQ v5.3 Personal Certificate

I have an older MQ version running on Solaris. The Personal Certificate for the QMGR is set to expire on the 7th. I have received a new certificate and will be installing this afternoon. Since this is v5.3 will a QMGR restart be required, or can I just refresh security for SSL?
AMQ8408: Display Queue Manager details.
   DESCR( )                                DEADQ(SYSTEM.DEAD.LETTER.QUEUE)
   DEFXMITQ( )                             CHADEXIT( )
   CLWLEXIT( )                             CLWLDATA( )
   REPOS( )                                REPOSNL( )
   SSLKEYR(/var/mqm/qmgrs/ELSFTS01/ssl/key)
   SSLCRLNL( )                             SSLCRYP( )
   COMMANDQ(SYSTEM.ADMIN.COMMAND.QUEUE)    QMNAME(ELSFTS01)
   CRDATE(2006-07-20)                      CRTIME(22.09.54)
   ALTDATE(2006-07-20)                     ALTTIME(22.10.46)
   QMID(ELSFTS01_2006-07-20_22.09.54)      TRIGINT(999999999)
   MAXHANDS(256)                           MAXUMSGS(10000)
   AUTHOREV(DISABLED)                      INHIBTEV(DISABLED)
   LOCALEV(DISABLED)                       REMOTEEV(DISABLED)
   PERFMEV(DISABLED)                       STRSTPEV(ENABLED)
   CHAD(DISABLED)                          CHADEV(DISABLED)
   CLWLLEN(100)                            MAXMSGL(27262976)
   CCSID(819)                              MAXPRTY(9)
   CMDLEVEL(530)                           PLATFORM(UNIX)
   SYNCPT                                  DISTL(YES)

_________________
Bradley M. Lovell

Gouldmar
Posted: Mon Jan 05, 2009 3:55 pm

The REFRESH SECURITY TYPE(SSL) command was not introduced until MQ V6.
On an MQ V5.3 QMGR, to ensure a clean installation of the new certificate I would recommend a QMGR restart.

zhanghz
Posted: Mon Jan 05, 2009 4:07 pm

On v5.3 you need to restart the QMGR; otherwise you are still using the old, expiring cert.

blovell
Posted: Tue Jan 06, 2009 5:56 am

I apologize, I am very new to MQ. When I add a new personal cert to my QMGR, will my clients that utilize an SSL connection with me have to import this new cert into their QMGRs?

_________________
Bradley M. Lovell

Gouldmar
Posted: Tue Jan 06, 2009 12:35 pm

The personal certificate is used to identify the QMGR and should only be used by the QMGR it is generated for.
Any clients connecting to the QMGR using the new certificate will not need to have the new personal certificate imported; the clients should be using their own personal certificate to identify themselves to other SSL-enabled QMGRs.

blovell
Posted: Tue Jan 06, 2009 2:20 pm

We have multiple clients that appear to be specifying the personal cert in their SSLPEER values on their channels. These are the clients that appear to be having the problem. We have triple-checked the subject values to ensure they have not changed. Clueless at this point. Any help?

_________________
Bradley M. Lovell

blovell
Posted: Tue Jan 06, 2009 2:25 pm

I should elaborate on the problem. These are all SDR -> RCVR environments. The remote QMGRs are complaining AMQ9663, and I am locally complaining AMQ9665 with some of these connections. As stated earlier, we are using MQ v5.3. We have no difficulties with the old personal, but the new one is having issues with some clients.

_________________
Bradley M. Lovell

zhanghz
Posted: Tue Jan 06, 2009 5:06 pm

blovell wrote:
    I should elaborate on the problem. These are all SDR -> RCVR environments. The remote QMGRs are complaining AMQ9663, and I am locally complaining AMQ9665 with some of these connections. As stated earlier, we are using MQ v5.3. We have no difficulties with the old personal, but the new one is having issues with some clients.

Whose old personal cert are you referring to here? Your QMGR's, or the interfacing QMGR's?
If your QMGR is using a personal cert, you need to have it in your QMGR's key repository (obviously), and the interfacing QMGR will also have to import it into its QMGR's key repository. You will usually also need to have the interfacing QMGR's personal cert in your key repository.
At any time, when your QMGR extracts its own personal cert and sends it over to the interfacing QMGR for SSL handshake purposes, your QMGR can only extract one cert, which is the one with the label "ibmwebspheremq<qmgr>". You will NOT be able to extract both your old expiring cert and your new cert and send them over to the interfacing QMGR.
Based on the error codes, it seems you are passing a cert that is not in the interfacing QMGR's key repository.
Quote:
    AMQ9663
    An invalid SSL certificate was received from the remote system.
Back to top |
|
 |
Gouldmar |
Posted: Wed Jan 07, 2009 12:34 pm Post subject: |
|
|
Novice
Joined: 03 May 2005 Posts: 11 Location: Munich, Germany
|
.
Last edited by Gouldmar on Wed Jan 07, 2009 3:32 pm; edited 1 time in total |

mqjeff
Posted: Wed Jan 07, 2009 12:42 pm

You need to install the new certificate in every place you have installed the old certificate.
This may include being added to the signer certificate keystore on client machines, if you are using a self-signed certificate.

blovell
Posted: Thu Jan 08, 2009 11:16 am

Thanks everybody. Our new personal cert that was generated required a new Root CA due to the key length changing to 2048. Our clients still use the old root CA that only allows 1024. We were able to generate a new cert that didn't require a new root. After importing the new cert everything has worked fine.

_________________
Bradley M. Lovell
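The two points the thread converges on (zhanghz: the cert your QMGR presents must chain to something in the peer's key repository; blovell's resolution: the new personal cert was issued under a new root the peers did not trust) can be reproduced outside MQ with the OpenSSL command line. The script below is an added example, not code from the thread or from IBM; it assumes the openssl binary is on the PATH and constructs its own throw-away roots and leaf certificates (the CA names and the ELSFTS01 subject are taken from the thread only as labels). openssl verify stands in for the peer's trust check; it does not model a CA's key-length policy, so the key size is simply reported for the reader to compare against what the CA actually issued.

```shell
#!/bin/sh
# Added example (not from the thread): show why a personal certificate issued by
# a NEW root CA fails validation at a peer that only trusts the OLD root, and the
# two ways out (distribute the new root, or re-issue under the old root).
# Requires the openssl CLI. All names and files below are constructed.
set -eu

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# Self-signed root CA with a 2048-bit RSA key.  $1 = file prefix, $2 = CN
make_root() {
    openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 365 \
        -keyout "$WORK/$1.key" -out "$WORK/$1.pem" -subj "/CN=$2" \
        >/dev/null 2>&1
}

# Leaf ("personal") cert for the queue manager, signed by the named root.
# $1 = leaf prefix, $2 = signing root prefix, $3 = CN
make_leaf() {
    openssl req -newkey rsa:2048 -nodes -sha256 \
        -keyout "$WORK/$1.key" -out "$WORK/$1.csr" -subj "/CN=$3" \
        >/dev/null 2>&1
    openssl x509 -req -in "$WORK/$1.csr" -CA "$WORK/$2.pem" -CAkey "$WORK/$2.key" \
        -CAcreateserial -days 365 -sha256 -out "$WORK/$1.pem" \
        >/dev/null 2>&1
}

# Emulate the peer's check: does the leaf chain to a root in this trust store?
# Prints OK or FAIL so callers can compare the result as a value.
# $1 = trusted root pem, $2 = leaf pem
verify_leaf() {
    if openssl verify -CAfile "$1" "$2" >/dev/null 2>&1; then
        echo OK
    else
        echo FAIL
    fi
}

# Report the RSA modulus size of a certificate's public key, in bits.  $1 = cert pem
key_bits() {
    openssl x509 -in "$1" -noout -text \
        | sed -n 's/.*Public-Key: (\([0-9]*\) bit).*/\1/p'
}

make_root old-root "Constructed Old Root CA"     # what the peers already trust
make_root new-root "Constructed New Root CA"     # issuer of the renewed cert
make_leaf qm-new new-root "ELSFTS01"             # renewed personal cert
make_leaf qm-fix old-root "ELSFTS01"             # cert re-issued under the old root

printf 'renewed cert vs old root (peer trust store):      %s\n' \
    "$(verify_leaf "$WORK/old-root.pem" "$WORK/qm-new.pem")"
printf 'renewed cert vs new root (after distributing it): %s\n' \
    "$(verify_leaf "$WORK/new-root.pem" "$WORK/qm-new.pem")"
printf 'cert re-issued under old root:                    %s (%s-bit key)\n' \
    "$(verify_leaf "$WORK/old-root.pem" "$WORK/qm-fix.pem")" \
    "$(key_bits "$WORK/qm-fix.pem")"
```

The first line is the situation blovell hit (the peer reports AMQ9663 because nothing in its repository signed the cert it received); the second is mqjeff's fix of installing the new signer everywhere the old one was installed; the third is the route blovell actually took. Before a renewal, run the equivalent check with the peer's actual signer certificate rather than discovering the mismatch from channel errors.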