Hello,

Is there any defined time interval at which the MQ SSL cache gets refreshed automatically?

Scenario:
- If we add any new signer certificate to the MQ QMGR SSL keystore, then we need to execute refresh security type(ssl) for the newly added certificate to take effect.
- This cache will also get refreshed if we restart the MQ QMGR.
- We also observed that, without issuing refresh security, a new connection is able to use the new certificate, i.e. MQ is able to locate the new certificate from the keystore. This is not immediate after adding the certificate, but after some time, let's say 24 hrs post cert addition.

There is no documented information on the IBM site about this security cache refresh interval time etc. Is there any default value/setting for this MQ SSL cache refresh? Does anyone here know, please?

We have a PROD env which is very busy (running 24x7) and therefore just wanted to explore whether we can add a new cert to the QMGR and leave it there for a week. Is there any possibility that MQ can recognize the new cert, so that we don't even need to do refresh security? Your thoughts please. Thanks!
Is it possible that either:-
The REFRESH command is required when changes are made to the contents of the key repository because MQ takes an in-memory copy of the contents and uses that. It does not go back to the 'real' key repository again unless you REFRESH or restart the queue manager.
However, MQ channels run as threads in amqrmppa processes, and each process will take this in-memory copy the first time it finds it needs it. This means that newer copies may contain updates that older copies do not have. This can make it appear like an internal refresh has taken place, but it is just an artefact of the pattern of threads starting in new processes.
There is no documentation about a security cache refresh interval time because that does not exist. However, the above behaviour that I have described is documented in IBM Docs here: When changes to certificates or the certificate store become effective on AIX, Linux, and Windows
I hope that makes the behaviour you are seeing clearer. There is no guarantee that waiting even a week will make the certificate available.
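A check that follows from the behaviour described in the answer above, as an added example that is not part of the original thread or of IBM's tooling: it lists amqrmppa processes that started at or before the key repository file was last modified, since those may still hold an older in-memory copy. It assumes Linux (procps `ps`, GNU `stat`) and looks at every amqrmppa process on the host; the function names are hypothetical.

```shell
#!/bin/sh
# Added example: find amqrmppa processes that may hold an older in-memory
# copy of the key repository. Function names are hypothetical.

# possibly_stale MTIME NOW
# Reads "PID ELAPSED_SECONDS" lines on stdin and prints each PID whose start
# time (NOW - ELAPSED_SECONDS) is at or before MTIME. A process started in
# the same second as the change is reported too, to stay conservative.
possibly_stale() {
    awk -v mtime="$1" -v now="$2" '
        NF >= 2 && $1 ~ /^[0-9]+$/ && $2 ~ /^[0-9]+$/ {
            if (now - $2 <= mtime) print $1
        }'
}

# check_keystore KDB_PATH
# Live check: compares the .kdb modification time with the start time of
# every amqrmppa process on this host (all queue managers, an assumption).
# Returns 0 if none predates the file, 1 if some do, 2 on error.
check_keystore() {
    kdb=$1
    [ -r "$kdb" ] || { echo "cannot read $kdb" >&2; return 2; }
    mtime=$(stat -c %Y "$kdb") || return 2
    now=$(date +%s)
    stale=$(ps -C amqrmppa -o pid=,etimes= | possibly_stale "$mtime" "$now")
    if [ -n "$stale" ]; then
        echo "amqrmppa processes started before $kdb changed:" $stale
        echo "REFRESH SECURITY TYPE(SSL) or a queue manager restart is still needed"
        return 1
    fi
    echo "no amqrmppa process predates $kdb"
}

# Usage: check_keystore <path to the queue manager's .kdb file>
```

A process reported here may not have loaded the key repository yet, so the result is an upper bound on stale copies, not proof of one.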
Thank you, Morag, for explaining! We will make sure to execute REFRESH SECURITY TYPE(SSL), which is guaranteed to refresh the security cache; there is no other alternative other than just trying our luck :)
REFRESH SECURITY TYPE(SSL) is costly, meaning all connections drop and start back. Your clients can be upset if they see disconnects. Plan and execute it when there is the least amount of traffic and the apps can take an outage. There is an RFE to address this, and hopefully it will be out shortly in a 9.3.x release.