  • 1.  MQ QMGR SSL cache refresh interval

    Posted Fri March 31, 2023 10:47 AM
    Edited by Bhushan Raut Fri March 31, 2023 11:36 AM

    Hello,

    Is there any defined time interval at which the MQ SSL cache gets refreshed automatically?

    Scenario: if we add any new signer certificate to the MQ QMGR SSL keystore, then we need to execute refresh security type(ssl) for the new certificate added to the keystore to take effect.
    - this cache will also get refreshed if we restart the MQ QMGR
    - we also observed that without issuing refresh security, a new connection is able to use the new certificate, i.e. MQ is able to locate the new certificate in the keystore; this is not immediate after adding the certificate but after some time, let's say 24 hrs post cert addition

    There is no documented information on the IBM site about this security cache refresh interval time etc.

    Is there any default value/setting for this MQ SSL cache refresh? Does anyone here know, please ...

    We have a PROD env which is very busy (running 24x7) and therefore just wanted to explore if we can add the new cert to the QMGR and leave it there for a week - is there any possibility that MQ can recognize the new cert, so that we don't even need to do refresh security?

    Your thoughts please.

    Thanks!



    ------------------------------
    Bhushan
    ------------------------------



  • 2.  RE: MQ QMGR SSL cache refresh interval
    Best Answer

    IBM Champion
    Posted Sun April 02, 2023 04:57 PM

    Hi Bhushan,

    Is it possible that either:-

    • There were no channels running at the time and thus when the TLS channel using the new certificate was started it was the first channel to use TLS and so an in-memory copy of the key repository was taken at that time which included the new addition?
    • The number of channels running was such that a new amqrmppa process was started to handle this new channel, and thus this was the first channel to use TLS in that process, and so an in-memory copy of the key repository was taken at that time which included the new addition?

    The REFRESH command is required when changes are made to the contents of the key repository because MQ takes an in-memory copy of the contents and uses that. It does not go back to the 'real' key repository again unless you REFRESH or restart the queue manager.

    However, MQ channels run as threads in amqrmppa processes, and each process will take this in-memory copy the first time it finds it needs it. This means that newer copies may contain updates that older copies do not have. This can make it appear like an internal refresh has taken place, but it is just an artefact of the pattern of threads starting in new processes.

    There is no documentation about a security cache refresh interval time because that does not exist. However, the above behaviour that I have described is documented in IBM Docs here: When changes to certificates or the certificate store become effective on AIX, Linux, and Windows

    I hope that makes the behaviour you are seeing clearer. There is no guarantee that waiting even a week will make the certificate available.

    Cheers,
    Morag



    ------------------------------
    Morag Hughson
    MQ Technical Education Specialist
    MQGem Software Limited
    Website: https://www.mqgem.com
    ------------------------------



  • 3.  RE: MQ QMGR SSL cache refresh interval

    Posted Mon April 03, 2023 08:01 AM

    Thank you Morag for explaining!
    We will make sure to execute REFRESH SECURITY TYPE(SSL), which is guaranteed to refresh the security cache; there is no other alternative apart from just trying our luck :)




    ------------------------------
    Bhushan Raut
    ------------------------------



  • 4.  RE: MQ QMGR SSL cache refresh interval

    IBM Champion
    Posted Mon April 17, 2023 12:00 PM

    REFRESH SECURITY TYPE(SSL) is costly. Meaning, all connections drop and start back. Your clients can be upset if they see disconnects. Plan and execute when there is the least amount of traffic and the apps can take an outage.

    There is an RFE to address this, and hoping it will be out shortly in a 9.3.x release.



    ------------------------------
    om prakash
    ------------------------------
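As an added example that is not code from any poster in this thread: a POSIX shell pre-check that pairs Morag's point (only REFRESH SECURITY TYPE(SSL) or a queue manager restart reliably re-reads the key repository) with om prakash's warning (the refresh drops every running TLS channel). It assumes runmqsc is on PATH with MQ admin authority; the embedded DISPLAY CHSTATUS output is constructed for the self-check, and the REFRESH_QMGR / REFRESH_MAX_TLS variables and the function names are my own.

```shell
# Added example, not from this thread: gate REFRESH SECURITY TYPE(SSL) on the number of
# running TLS channels, since the refresh drops them all (post 4). Assumes runmqsc on PATH.
set -u

# Constructed DISPLAY CHSTATUS output for the self-check; a real run pipes that command into runmqsc.
SAMPLE_CHSTATUS='     1 : DISPLAY CHSTATUS(*) STATUS SSLCIPH CONNAME
AMQ8417I: Display Channel Status details.
   CHANNEL(APP1.SVRCONN)                   CHLTYPE(SVRCONN)
   CONNAME(10.0.0.5)                       CURRENT
   STATUS(RUNNING)                         SSLCIPH(ANY_TLS12_OR_HIGHER)
AMQ8417I: Display Channel Status details.
   CHANNEL(APP2.SVRCONN)                   CHLTYPE(SVRCONN)
   CONNAME(10.0.0.6)                       CURRENT
   STATUS(RUNNING)                         SSLCIPH( )
AMQ8417I: Display Channel Status details.
   CHANNEL(TO.REMOTE)                      CHLTYPE(SDR)
   CONNAME(10.0.1.9(1414))                 CURRENT
   STATUS(RETRYING)                        SSLCIPH(TLS_RSA_WITH_AES_256_CBC_SHA256)
AMQ8417I: Display Channel Status details.
   CHANNEL(APP3.SVRCONN)                   CHLTYPE(SVRCONN)
   CONNAME(10.0.0.7)                       CURRENT
   STATUS(RUNNING)                         SSLCIPH(TLS_AES_256_GCM_SHA384)'

# stdin: DISPLAY CHSTATUS output. Prints "CHANNEL CONNAME" per channel that is RUNNING
# with a CipherSpec set (a live TLS session the refresh cuts); plain-text ones are skipped.
running_tls_channels() {
  awk '
    function flush() { if (run && tls) print ch, conn; ch = conn = ""; run = tls = 0 }
    /^AMQ8417I/         { flush(); next }
    /CHANNEL\(/         { ch = $0; sub(/.*CHANNEL\(/, "", ch); sub(/\).*/, "", ch) }
    /CONNAME\(/         { conn = $0; sub(/.*CONNAME\(/, "", conn); sub(/\)[^)]*$/, "", conn) }
    /STATUS\(RUNNING\)/ { run = 1 }
    /SSLCIPH\([^ )]/    { tls = 1 }
    END                 { flush() }'
}
count_running_tls_channels() { running_tls_channels | wc -l | tr -d ' '; }

# Refresh queue manager $1 only if at most $2 TLS channels run; else list them and return 1 for a retry.
refresh_ssl_if_quiet() {
  status=$(echo 'DISPLAY CHSTATUS(*) STATUS SSLCIPH CONNAME' | runmqsc "$1")
  n=$(printf '%s\n' "$status" | count_running_tls_channels)
  if [ "$n" -gt "$2" ]; then
    echo "$n TLS channels running on $1 (limit $2); not refreshing:" >&2
    printf '%s\n' "$status" | running_tls_channels >&2
    return 1
  fi
  echo 'REFRESH SECURITY TYPE(SSL)' | runmqsc "$1"
}
# Real run only when a queue manager name is supplied in the environment.
if [ -n "${REFRESH_QMGR:-}" ]; then refresh_ssl_if_quiet "$REFRESH_QMGR" "${REFRESH_MAX_TLS:-0}"; fi
```

Against the constructed sample, only APP1.SVRCONN and APP3.SVRCONN count: APP2.SVRCONN has a blank SSLCIPH and TO.REMOTE is RETRYING rather than RUNNING.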