| Author |
Message
|
| sachinramesh |
 Posted: Thu May 18, 2023 10:04 am Post subject: SUITEB property of QMgr |
 |
|
Disciple
Joined: 20 Feb 2007
Posts: 170
|
HI ,
I am trying to change my SUITEB value of the qmgr from 'none' to '128-bit' .
this is advised to do as per security baselines for me.
Do we need to do any refresh security for the changes to affect.
I tried checking google it only says to restart Mqxr service after the modification .we dont have this service.
Can someone guide me if the refresh will work or restart of the qmgr is needed. |
|
| Back to top |
|
 |
| gbaddeley |
| Posted: Thu May 18, 2023 3:55 pm Post subject: |
|
|
Jedi Knight
Joined: 25 Mar 2003
Posts: 2538
Location: Melbourne, Australia
|
https://www.ibm.com/docs/en/ibm-mq/9.3?topic=mq-configuring-suite-b
Implies qmgr restart only if MQXR (Telemetry) or AMQP (MQ Light client / open source) are being used. It is just an internal check on cipher spec compliance to particular EC signature algorithms. If an out of scope spec is attempted to be used, the MQ channel or connection will fail.
_________________
Glenn |
|
| Back to top |
|
|
| sachinramesh |
| Posted: Thu May 18, 2023 9:23 pm Post subject: |
|
|
Disciple
Joined: 20 Feb 2007
Posts: 170
|
Thanks Glenn for the reply ,we are not using telemetry or amqp service.
i just updated the suiteb value to 128 bit and done refresh security.
Just wondering if refresh security alone will be fine without any qmgr restart.
Dont see any issue with the channels till now.will have to wait and see. |
|
| Back to top |
|
|
| hughson |
| Posted: Sat May 20, 2023 1:05 am Post subject: |
|
|
Padawan
Joined: 09 May 2013
Posts: 1959
Location: Bay of Plenty, New Zealand
|
| gbaddeley wrote: |
https://www.ibm.com/docs/en/ibm-mq/9.3?topic=mq-configuring-suite-b
Implies qmgr restart only if MQXR (Telemetry) or AMQP (MQ Light client / open source) are being used. It is just an internal check on cipher spec compliance to particular EC signature algorithms. If an out of scope spec is attempted to be used, the MQ channel or connection will fail. |
| sachinramesh wrote: |
| Thanks Glenn for the reply ,we are not using telemetry or amqp service. |
Glenn's reply was telling you that the IBM docs show that you only needed to do a restart IF and ONLY IF you are using MQXR or AMQP. Since you are not, you don't need to do a queue manager refresh.
| sachinramesh wrote: |
i just updated the suiteb value to 128 bit and done refresh security.
Just wondering if refresh security alone will be fine without any qmgr restart.
Dont see any issue with the channels till now.will have to wait and see. |
It is worth knowing that the REFRESH SECURITY TYPE(SSL) command is doing the same thing that would happen on a queue manager restart when it comes to updating the SSL/TLS environment when something in that environment has changed. If you have done a refresh you shouldn't need to do a restart and vice versa.
Cheers,
Morag
_________________
Morag Hughson @MoragHughson
IBM MQ Technical Education Specialist
Get your IBM MQ training here!
MQGem Software |
|
| Back to top |
|
|
| gbaddeley |
| Posted: Sun May 21, 2023 3:30 pm Post subject: |
|
|
Jedi Knight
Joined: 25 Mar 2003
Posts: 2538
Location: Melbourne, Australia
|
| sachinramesh wrote: |
Thanks Glenn for the reply ,we are not using telemetry or amqp service.
i just updated the suiteb value to 128 bit and done refresh security.
Just wondering if refresh security alone will be fine without any qmgr restart.
Dont see any issue with the channels till now.will have to wait and see. |
Do any channel definitions have SSLCIPH set to a non-blank value? Have you reviewed that the values are all SUITEB 128 bit compliant?
_________________
Glenn |
|
| Back to top |
|
|
|
|
