App Connect

  • 1.  Can ACE detect keystore file change without restart

    Posted Tue September 22, 2020 07:02 AM

    Hi All,

    Using ACE, we need to handle the inbound and outbound mTLS traffic.

    We have created keystore/truststore files with all the vendors' certificates and referred to those in ACE (version: 11006).

    Now the question is: if there is any change in the keystore/truststore files, can ACE detect that change without any restart of the integration node or integration server?

    We have tested the behavior in a lower environment and saw that ACE can't detect new changes unless the integration node or integration server is restarted.

    This means that in the Production system, for any certificate-related changes, we need to restart the ACE components every time, which will cause application downtime.

    So is there any way ACE can detect these keystore/truststore file changes without a restart?

    Appreciate thoughts/suggestions from the experts.

    Regards,
    Saha



    ------------------------------
    Prosanta Saha
    ------------------------------


  • 2.  RE: Can ACE detect keystore file change without restart

    Posted Wed September 23, 2020 09:34 AM
    Maybe CRL addresses your issue.
    You can use the com.ibm.security.enableCRLDP and broker.crlFileList properties together to enable automatic loading of CRLs.

    When you use IBM Integration Bus to receive HTTP requests, you can configure the HTTP listener to use a CRL file. The validity of client certificates is then checked against the CRL file before connections are accepted. You can configure the integration node listener to use a CRL file by using the following command:

    mqsichangeproperties IBNODE -b httplistener -o HTTPSConnector -n crlFile -v file_path

    https://www.ibm.com/support/knowledgecenter/SSMKHH_10.0.0/com.ibm.etools.mft.doc/bc49114_.html

    More than 20 years ago I studied the Java Secure Socket Extension (JSSE) in more detail.
    Your observation is not a new observation.
    By default a Java application has no idea what is inside the keystore files, and nobody notifies the Java app about any changes.
    Given that plenty of Java apps are able to work with the same keystore file, the easy solution was to restart the Java app when a change is required.
    At an abstract level, ACE is a Java application.
    I guess it is safe to recommend that each integration server could work with its own keystore file.
    You do not have to restart the integration node, only the server that is impacted by a certificate change.
    You could test whether a restart of an ACE app would be sufficient to reprocess the keystore.

    ------------------------------
    Matthias Jungbauer
    ------------------------------



  • 3.  RE: Can ACE detect keystore file change without restart

    Posted Thu September 24, 2020 03:48 PM
    Any time we need to change a certificate inside a keystore, we need to restart the integration node or integration server for it to take effect.
    The problem, as was well explained by @Matthias Jungbauer, is that the keystore is only read once, when the JVM is initialized.



    ------------------------------
    Francisco A Buccafusca
    ------------------------------
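Both replies above make the same point: a JSSE-based application such as ACE reads its keystore and truststore once at JVM start, and nothing tells it when the file changes afterwards. The operational consequence is that the files on disk and the material the running server actually trusts can silently diverge until someone restarts the server. The script below is an added example, not part of this thread and not IBM tooling: it records a fingerprint of each keystore when the integration server is started and later reports which files have drifted from that snapshot, so the pending restart shows up in monitoring instead of being discovered at the next handshake failure. It assumes the manifest is written right after the server starts (for example by the deployment script that runs the start command), that the paths passed in are the ones configured for that server, and that sha256sum or shasum is available; the sample files it creates are constructed placeholders, not real keystores.

```shell
#!/bin/sh
# Added example (not from the thread or from IBM): detect keystore/truststore
# files that changed on disk after the integration server loaded them.
# Assumption: record_loaded_keystores is run right after the server starts,
# with the keystore paths that server is configured to use.

# Print the SHA-256 of a file (GNU coreutils, with a BSD/macOS fallback).
keystore_fingerprint() {
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | cut -d' ' -f1
    else
        shasum -a 256 "$1" | cut -d' ' -f1
    fi
}

# record_loaded_keystores MANIFEST FILE...
# Write one "path<TAB>sha256" line per keystore; this is the snapshot of what
# the JVM loaded, so run it at (re)start time.
record_loaded_keystores() {
    manifest="$1"; shift
    : > "$manifest"
    for f in "$@"; do
        printf '%s\t%s\n' "$f" "$(keystore_fingerprint "$f")" >> "$manifest"
    done
}

# check_keystore_drift MANIFEST
# Prints one line per recorded keystore: "OK <path>", "DRIFT <path>" (content
# changed since the server loaded it) or "MISSING <path>", then a final
# "drifted=<n>" summary. Always exits 0 so it is safe to call under set -e.
check_keystore_drift() {
    manifest="$1"
    drifted=0
    while IFS="$(printf '\t')" read -r path recorded; do
        if [ ! -f "$path" ]; then
            echo "MISSING $path"
            drifted=$((drifted + 1))
        elif [ "$(keystore_fingerprint "$path")" != "$recorded" ]; then
            echo "DRIFT $path"
            drifted=$((drifted + 1))
        else
            echo "OK $path"
        fi
    done < "$manifest"
    echo "drifted=$drifted"
}

# Demo with constructed placeholder files (not real PKCS12 keystores):
# snapshot two files, then overwrite the truststore as a vendor certificate
# update would, and report the drift.
demo_keystore_drift() {
    tmp=$(mktemp -d)
    printf 'constructed-keystore-bytes-v1' > "$tmp/keystore.p12"
    printf 'constructed-truststore-bytes-v1' > "$tmp/truststore.p12"
    record_loaded_keystores "$tmp/loaded.manifest" \
        "$tmp/keystore.p12" "$tmp/truststore.p12"
    # Simulate a truststore update made after the server started.
    printf 'constructed-truststore-bytes-v2' > "$tmp/truststore.p12"
    check_keystore_drift "$tmp/loaded.manifest"
    rm -rf "$tmp"
}

demo_keystore_drift
```

In practice you would call `record_loaded_keystores` from the same step that starts or restarts each integration server, pointing it at that server's own keystore and truststore (which also fits the suggestion above of giving each server its own files), and schedule `check_keystore_drift` from cron or a monitoring agent so that any `DRIFT` or `MISSING` line raises an alert. The check only reports the gap; it does not make ACE reload anything, so the alert's remediation is still the restart the thread describes.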