We have an important update regarding IBM MQ 9.4.0.0. This update brings significant changes, including the discontinuation of support for the CMS keystore. If you currently depend on AMQP and MQTT channels utilizing the CMS keystore, please be aware that support for this will cease. Moving forward, PKCS will be the supported standard.
What's Changed?
From MQ 9.4.0.0, the CMS keystore will no longer be supported. This change affects AMQP and MQTT channels that rely on the CMS keystore, potentially leading to unexpected failures if not addressed beforehand. With MQ 9.4 channels will fail to start and log an appropriate error message in the AMQP error log file if a CMS keystore is detected during channel startup.
How to Migrate from CMS to PKCS12
If your MQ channels currently use the CMS keystore and you need to utilize the AMQP service/Telemetry service, a migration to the PKCS12 keystore is necessary. Follow these steps to ensure a smooth transition:
- Convert Keystore Format: Use runmqakm by specifying the parameters as below.
- Update Configuration: Modify queue manager property SSLKEYR to reference the new PKCS12 keystore for AMQP channel. For MQTT, update the SSLKEYR property on channel to point PKCS12 keystore for MQTT channel.
- Verify: Test the new keystore setup to ensure that all connections are functioning correctly with the PKCS12 keystore.
Summary
To avoid disruptions in MQ 9.4.0.0, AMQP and MQTT channels will now detect CMS keystores and prevent startup, logging an error message. The shown proactive approach allows users to migrate to the PKCS12 keystore format smoothly. Ensure you switch to PKCS12 for both MQ and AMQP/MQTT channels to continue using SSL functionality without interruption.
Useful links: