Default Certificate Question
Jeff.VT
Posted: Fri Mar 15, 2019 7:46 am    Post subject: Default Certificate Question
Acolyte
Joined: 02 Mar 2017    Posts: 71
Several years ago, before my queue managers were exposed to the filthy internet, I saw it coming and decided to learn a bit about how Certificates work with IBM MQ.
I set up a self-signed cert, set it to default, and connected some queue managers together with it, just playing around.
Years later, I set up an inbound certificate-secured channel, created a 'real' cert, whole 9 yards... Everything was fine. But a few days ago, that 'default' self-signed certificate that I never used for any connections after I was done playing with it expired.
That caused the inbound connection that was using a completely different, non-expired cert to start giving off SSL errors and not connect. I removed the expired cert, and made the 'real' cert the default, and the problem was resolved. No non-certificate secured channels were impacted. And no outbound certificate-secured channels were impacted.
But my question is this... Sure the expired cert was 'default', but it never was used for anything. Why would the 'default' certificate expiring cause problems for a non-expired certificate?
hughson
Posted: Fri Mar 15, 2019 1:56 pm    Post subject:
Padawan
Joined: 09 May 2013    Posts: 1959    Location: Bay of Plenty, New Zealand
One question - why did you set your 'real' cert to be the default? You shouldn't need to ever set any certificate to be the default. A default certificate may well get picked up when you don't intend it to be used, if no certificate of the requested label is found.
If you have a certificate for a queue manager it should be labeled in the same way that the CERTLABL field on the queue manager is set. If this is not the case, the default certificate could be used.
Cheers,
Morag
_________________
Morag Hughson @MoragHughson
IBM MQ Technical Education Specialist
Get your IBM MQ training here!
MQGem Software
Jeff.VT
Posted: Tue Mar 19, 2019 1:04 pm    Post subject:
Acolyte
Joined: 02 Mar 2017    Posts: 71
hughson wrote:
    One question - why did you set your 'real' cert to be the default? You shouldn't need to ever set any certificate to be the default. A default certificate may well get picked up when you don't intend it to be used, if no certificate of the requested label is found.
    If you have a certificate for a queue manager it should be labeled in the same way that the CERTLABL field on the queue manager is set. If this is not the case, the default certificate could be used.
    Cheers,
    Morag
It sounds like I'm being a bit too careful and that caused this problem... Wouldn't be the first time.
The Queue Manager 'Certificate Label' QMGR CERTLABL:
Say it was, "SELFSIGNED.QMGR.NAME"
I had a self-signed cert called 'SELFSIGNED.QMGR.NAME' in the key repository, and it was set to Default.
No channels referenced SELFSIGNED.QMGR.NAME
I also have a REAL.CERT.FOR.THIRD.PARTY.PROD and REAL.CERT.FOR.THIRD.PARTY.TEST also in the key repository. And they are referenced in those respective channels (THIRDPARTY.PROD, THIRDPARTY.TEST).
SOMETHING.QMGR.NAME expired. The other certs did not expire. But yet THIRDPARTY.PROD & THIRDPARTY.TEST channels failed with Cert errors.
-----------------
I figured that if I do set up other third parties, I'm probably just going to use the same cert anyway, so to resolve it, I deleted the SOMETHING.QMGR.NAME, and renamed the REAL.CERTS to "QMGR.NAME.PROD" and "QMGR.NAME.TEST", set the Prod one to Default, and set it to the QMGR CERTLABL() value. Then refreshed SSL, and it all started working (including test).
--------------
It sounds like if I hadn't set the SELFSIGNED.QMGR.NAME to default, this wouldn't have happened?
I didn't think it would have been a problem since it wasn't really used anywhere (well... anywhere other than the CERTLABL()...)
Always new things to learn.
hughson
Posted: Tue Mar 19, 2019 1:46 pm    Post subject:
Padawan
Joined: 09 May 2013    Posts: 1959    Location: Bay of Plenty, New Zealand
Interesting, in your first post you suggested that the certificate that expired was the one that was set as the default. Can you check that you're describing the same problem? You now seem to be suggesting that the CERTLABL-referenced certificate was the one that expired.
Are SELFSIGNED.QMGR.NAME and SOMETHING.QMGR.NAME actually the same certificate in this description? Feel free to edit your post to correct it, to avoid confusion for other readers. I'll remove this sentence if need be if you do.
Jeff.VT wrote:
    I didn't think it would have been a problem since it wasn't really used anywhere (well... anywhere other than the CERTLABL()...)
Anyway, whatever, don't use a default in the queue manager key repository; use correctly labeled certificates.
Cheers,
Morag
_________________
Morag Hughson @MoragHughson
IBM MQ Technical Education Specialist
Get your IBM MQ training here!
MQGem Software