hopsala
Posted: Tue Sep 04, 2012 12:47 am Post subject: Certificate store refresh
Hi there
Here's a question I am unable to find an answer for either in the literature or on the interwebs - If I import a new certificate into my jks certificate store, or delete or update an old one, when does wmb load it, on EG restart? Perhaps broker restart? Is there any way to force certstore reload?
Linux 5.6, WMB 7.0.0.4, if it makes any difference.
Part of the reason I'm asking is that today we've witnessed a very odd phenomenon: A service wasn't working due to an expired certificate, so we placed a new certificate in the certstore. A few hours later, without any further intervention, the service started working. However - and this is the odd part - a few hours after that, it stopped working again! At first we thought there was some maintenance service running in the backdrop (is there?), but now we don't really know what to think. However, since I wasn't personally involved in most of what occurred, I can't really guarantee that the client side didn't change anything... It might just be another WMB ghost-story.
Any help would be appreciated. Cheers!
mqjeff
Posted: Tue Sep 04, 2012 1:51 am
If some background thread in a Broker EG had noticed that the keystore had changed, and loaded new certificates from it, it wouldn't then change its mind later and unload those certificates.
I think it's safe to say you need to restart the EG.
hopsala
Posted: Tue Sep 04, 2012 2:30 am
Hi Jeff, thanks for the reply.
mqjeff wrote:
> If some background thread in a Broker EG had noticed that the keystore had changed, and loaded new certificates from it, it wouldn't then change its mind later and unload those certificates.
Agreed, that's why it's such an odd story. I guess I'll just mark it down for human error.
mqjeff wrote:
> I think it's safe to say you need to restart the EG.
And this, from your experience, is always sufficient to reload the certificate store? Keep in mind this is a broker-wide store, not a specific EG store. Oh, and is it any different on V6?
+ Is there no way to force reload certificates without restarting the EG? (I smell a feature request..)
mqjeff
Posted: Tue Sep 04, 2012 2:43 am
I'd be surprised if it was insufficient to restart the EG.
I'd be surprised if there was any supported manner of doing this WITHOUT restarting the EG in v6.0. Even if, you know, v6.0 was still supported.
hopsala
Posted: Fri Sep 07, 2012 12:08 am
Ok, an EG restart did it, at least on V6.
As for the fact that V6 has been out of support for a while, tell me about it - I've been working with a client for a year now trying to migrate to V7. Thankfully, in a few weeks we begin migrating production users.
I've opened a feature request for a reload truststore command:
http://www.ibm.com/developerworks/rfe/execute?use_case=viewRfe&CR_ID=26306
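Added example (not code from this thread, from IBM or from the JDK): a small Python reader for the JKS file layout that lists each entry's alias, the creation timestamp keytool wrote when the entry was imported, and the certificate's validity window. Since the thread's conclusion is that the store is only read when the EG starts, an entry whose JKS timestamp is later than the EG's last start is one the running EG cannot be trusting yet, and that is exactly the check worth running before deciding whether a restart is needed. The store password, aliases, dates and the EG start time are assumed values; the certificates are constructed, unsigned skeletons carrying only the fields the reader looks at, and the reader checks the JKS integrity digest but does not validate certificate signatures.

```python
"""Inspect a JKS trust store offline: aliases, import timestamps, validity, and which
entries were imported after the execution group last started. Reader written from
the JKS byte layout for this example; the sample store below is constructed."""
import datetime as dt
import hashlib
import io
import struct

JKS_MAGIC, JKS_VERSION = 0xFEEDFEED, 2
TAG_PRIVATE_KEY, TAG_TRUSTED_CERT = 1, 2
UTC = dt.timezone.utc
TIME_FMT = "%y%m%d%H%M%SZ"                                  # X.509 UTCTime

def der(tag, body):
    """Encode one DER TLV with a minimal definite length (bodies up to 65535 bytes)."""
    n = len(body)
    length = bytes([n]) if n < 0x80 else b"\x81" + bytes([n]) if n < 0x100 else b"\x82" + n.to_bytes(2, "big")
    return bytes([tag]) + length + body

def der_read(buf, pos=0):
    """Decode the TLV at buf[pos]; return (tag, value, position after it)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length

def der_children(body):                                     # TLVs inside a SEQUENCE/SET body
    pos = 0
    while pos < len(body):
        tag, value, pos = der_read(body, pos)
        yield tag, value

def skeleton_cert(not_before, not_after):
    """Constructed, unsigned certificate: real TBS field order, empty names/key/signature."""
    utc = lambda t: der(0x17, t.strftime(TIME_FMT).encode())
    tbs = (der(0xA0, der(0x02, b"\x02")) + der(0x02, b"\x01")            # v3, serial 1
           + der(0x30, der(0x06, bytes.fromhex("2A864886F70D01010B")))   # sha256WithRSA
           + der(0x30, b"") + der(0x30, utc(not_before) + utc(not_after))  # issuer, validity
           + der(0x30, b"") + der(0x30, der(0x30, b"") + der(0x03, b"\x00")))  # subject, SPKI
    return der(0x30, der(0x30, tbs) + der(0x30, b"") + der(0x03, b"\x00"))

def cert_validity(cert):
    """Return (notBefore, notAfter) from a DER-encoded certificate (no signature check)."""
    _, tbs, _ = der_read(der_read(cert)[1])
    fields = [v for t, v in der_children(tbs) if t != 0xA0]   # skip [0] version; then
    validity = fields[3]                                      # serial, alg, issuer, validity
    return tuple(dt.datetime.strptime(v.decode(), TIME_FMT).replace(tzinfo=UTC)
                 for _, v in der_children(validity))

def jks_utf(s):                                             # DataOutput.writeUTF: u16 length + bytes
    return struct.pack(">H", len(s.encode())) + s.encode()
def jks_digest(password, body):
    """Trailing JKS integrity digest: SHA-1(password as UTF-16BE || "Mighty Aphrodite" || body)."""
    return hashlib.sha1(password.encode("utf-16-be") + b"Mighty Aphrodite" + body).digest()
def build_jks(entries, password):                           # trusted-cert entries: (alias, created, der)
    body = struct.pack(">III", JKS_MAGIC, JKS_VERSION, len(entries))
    for alias, created, cert in entries:
        body += struct.pack(">I", TAG_TRUSTED_CERT) + jks_utf(alias)
        body += struct.pack(">Q", int(created.timestamp() * 1000)) + jks_utf("X.509")
        body += struct.pack(">I", len(cert)) + cert
    return body + jks_digest(password, body)

def read_jks(data, password):
    """Parse both JKS entry types after verifying the integrity digest."""
    if jks_digest(password, data[:-20]) != data[-20:]:
        raise ValueError("JKS integrity check failed: wrong store password or tampered file")
    f = io.BytesIO(data)
    num = lambda fmt: struct.unpack(fmt, f.read(struct.calcsize(fmt)))[0]
    utf = lambda: f.read(num(">H")).decode("utf-8")
    cert = lambda: (utf(), f.read(num(">I")))[1]            # type string, u32 length, DER bytes
    if (num(">I"), num(">I")) != (JKS_MAGIC, JKS_VERSION):
        raise ValueError("not a version 2 JKS file")
    entries = []
    for _ in range(num(">I")):
        tag, alias = num(">I"), utf()
        created = dt.datetime.fromtimestamp(num(">Q") / 1000, UTC)
        if tag == TAG_PRIVATE_KEY:
            f.read(num(">I"))                               # skip the encrypted private key
            certs = [cert() for _ in range(num(">I"))]      # then read its certificate chain
        elif tag == TAG_TRUSTED_CERT:
            certs = [cert()]
        else:
            raise ValueError(f"unknown JKS entry tag {tag}")
        entries.append((alias, created, certs))
    return entries

def audit(data, password, eg_started, now):
    """One record per certificate: 'expired' is what the failing service tripped over,
    'unseen_by_eg' means keytool imported the entry after the EG's JVM started."""
    return [{"alias": alias, "not_after": na, "expired": not (nb <= now <= na),
             "unseen_by_eg": created > eg_started}
            for alias, created, certs in read_jks(data, password)
            for nb, na in map(cert_validity, certs)]

# Constructed sample store; password, aliases, dates and EG start time are assumed.
SAMPLE_PASSWORD, NOW = "changeit", dt.datetime(2012, 9, 4, 12, 0, tzinfo=UTC)
EG_STARTED = dt.datetime(2012, 9, 3, 8, 0, tzinfo=UTC)      # assumed last EG start
D = lambda *ymd: dt.datetime(*ymd, tzinfo=UTC)
SAMPLE_JKS = build_jks([
    ("partner-ca", D(2011, 1, 10), skeleton_cert(D(2010, 9, 1), D(2012, 8, 31))),         # expired
    ("partner-ca-2012", D(2012, 9, 4, 10), skeleton_cert(D(2012, 8, 1), D(2014, 8, 1))),  # after EG start
], SAMPLE_PASSWORD)
```

Against a real store, pass the file's bytes in place of SAMPLE_JKS and the EG process's start time in place of EG_STARTED; an entry reported as both not expired and unseen_by_eg is the one the EG will only pick up after a restart. The integrity digest check matters too: a store rewritten with the wrong password is silently useless to the JVM, which is one more way a "fixed" store can still fail.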
fjb_saper
Posted: Fri Sep 07, 2012 2:41 am
hopsala wrote:
> Ok, an EG restart did it, at least on V6.
> As for the fact that V6 has been out of support for a while, tell me about it - I've been working with a client for a year now trying to migrate to V7. Thankfully, in a few weeks we begin migrating production users.
> I've opened a feature request for a reload truststore command:
> http://www.ibm.com/developerworks/rfe/execute?use_case=viewRfe&CR_ID=26306
Good luck with that. This is another of those JVM problems. Once loaded forever cached? Maybe there is another parm in the java security file for time to live of the truststore?
Have fun
nathanw
Posted: Fri Sep 07, 2012 2:45 am
I have to say that in the past I have seen issues where an EG re-start should have cleared a cached value and re-loaded the new value but failed to do so.
Sometimes I have had to carry out a Broker restart.
I suppose it does matter on whether the values are cached at EG level or Broker level.
hopsala
Posted: Fri Sep 07, 2012 4:00 am
saper wrote:
> Good luck with that. This is another of those JVM problems. Once loaded forever cached? Maybe there is another parm in the java security file for time to live of the truststore?
Hi saper. By "java security file" you mean the jks file? Except for the ability to select a default personal certificate, which isn't relevant to trust store, I am unaware of any other configurable parameters for a jks file - could you elaborate?
nathanw wrote:
> I have to say that in the past I have seen issues where an EG re-start should have cleared a cached value and re-loaded the new value but failed to do so.
> Sometimes I have had to carry out a Broker restart.
> I suppose it does matter on whether the values are cached at EG level or Broker level.
I think I've had similar issues in the past, but some of them turned out to be human error. Now I'm not so sure, but I'm going to keep a close eye on whether an EG restart always does the trick or not.
This might also have to do with whether you're updating a certificate or adding a new one. Perhaps the broker caches certificates not by store but by certificate - so if you add a new cert that you never tried verifying against, it loads immediately, but if you delete an existing one, you have to restart (or something to that effect).
In any event, I can't seem to find anything in the literature either way. I'll request a doc change.
fjb_saper
Posted: Sat Sep 08, 2012 6:53 pm
No, I meant the JVM java.security file.
It is loaded at JVM start but can be overridden by an app.security file.
Look it up in the lit. Not sure about the exact file name.
jeevan
Posted: Mon Sep 10, 2012 5:45 am
nathanw wrote:
> I have to say that in the past I have seen issues where an EG re-start should have cleared a cached value and re-loaded the new value but failed to do so.
> Sometimes I have had to carry out a Broker restart.
> I suppose it does matter on whether the values are cached at EG level or Broker level.
I think whether to restart EG or Broker depends on whether the certificate is set up at broker registry level or at EG level.
zpat
Posted: Mon Sep 10, 2012 5:52 am
mqsireload may be sufficient.
hopsala
Posted: Mon Sep 10, 2012 12:05 pm
fjb_saper wrote:
> No, I meant the JVM java.security file.
> It is loaded at JVM start but can be overridden by an app.security file.
> Look it up in the lit. Not sure about the exact file name.
Looked it up, but I don't see any parameter that controls truststore caching. I think it's a dead end.
I've opened an RFE (Request for Feature Extension), will appreciate your vote:
http://www.ibm.com/developerworks/rfe/execute?use_case=viewRfe&CR_ID=26306