Thanks, I run everything from the command line and wait for changes so speed is not an issue to me. I ran what was specified of me from my MQ engineer. If there is no difference other than preference, I'll likely just run what is directed of me in the future as well.
Original Message:
Sent: Fri September 15, 2023 09:24 AM
From: Tim Zielke
Subject: SSL Expiration: SSL Update
Just a usability note. runmqckm is a Java tool. runmqakm is a C executable. I prefer to use runmqakm as it runs a lot faster than runmqckm.
------------------------------
Tim Zielke
Original Message:
Sent: Fri September 15, 2023 09:08 AM
From: Wei Mei
Subject: SSL Expiration: SSL Update
Thank you. Our personal cert did not expire yet; it was an expiration of the ssl.com root CA and a subsequent change from ssl.com to stop using a cross-signed CA. They were provided to me as one bundle. I broke them up into two separate certs as suggested by MQ support and added them each individually with the same command below.
What I did to add the new CA and sub-CA provided to me by ssl.com:
runmqckm -cert -add -db
I then ran the validate and got an "ok" printed on the screen.
runmqakm -cert -validate -label
------------------------------
Wei Mei
Original Message:
Sent: Fri September 15, 2023 01:56 AM
From: Neil Casey
Subject: SSL Expiration: SSL Update
Hi Wei Mei,
I would start by taking a copy of your current CMS keystore (key.*) files. Work with the copies in case something goes wrong. Once you've got things properly in place, replace the original files with the updated copies (after taking another copy of the originals).
Depending on whether the CA issuer certificate or your queue manager personal certificate has expired, you may need to use different commands in runmqakm.
For a new issuer or root cert (if that's what's in the new bundle) you need to use -cert -add.
For a replacement queue manager (personal) certificate, I think you need to use -cert -receive.
If you have received both new issuer (and perhaps root) certs as well as a new personal cert for the queue manager, you will need to extract the certificates from the certificate bundle into a separate file (normally .pem) for each certificate and either add or receive each one (depending on what type of certificate it is).
I haven't done a certificate update for a while. My customers generally replace the whole certificate including the key, and so we create a new key/cert pair each time we renew. It's possible that you will need to runmqakm -certreq recreate before you can merge the new certificate into the kdb using -cert -receive.
Regards,
------------------------------
Neil Casey
Senior Consultant
Syntegrity Solutions
Melbourne, Victoria
IBM Champion (Cloud) 2019-22
Original Message:
Sent: Wed September 13, 2023 07:46 PM
From: Wei Mei
Subject: SSL Expiration: SSL Update
Hello!
I have an IBM MQ 9.1 setup with 2 queue managers on one host. Today my SSL bundle expired. I got reissued another cert because the CA said it was their fault. I am looking throughout the documentation and it looks like I have to build a pk12 certificate. But I was told I could just runmqakm and add each of the .pem certificates into my current keystore. Is this all that there is to update my SSL? It sounds too easy in an IBM MQ kind of world to believe.
------------------------------
Wei Mei
------------------------------
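The bundle-splitting step described in the replies above, as an added example that is not from anyone in the thread: it writes one .pem file per certificate so each can be added or received separately, and lists subject, issuer and expiry for each file. The function names, the `cert-N.pem` naming and the use of `openssl` are assumptions; the sample bundle is constructed and holds placeholder bodies, not real certificates.

```shell
#!/bin/sh
# Added example: split a PEM bundle into one file per certificate and show
# what each file holds before it is added to a COPY of the CMS keystore.

# split_pem_bundle BUNDLE OUTDIR -> writes OUTDIR/cert-N.pem, prints the count.
# Text between blocks (subject lines, bag attributes) is dropped.
split_pem_bundle() {
    mkdir -p "$2" || return 1
    awk -v dir="$2" '
        /-----BEGIN CERTIFICATE-----/ { n++; out = sprintf("%s/cert-%d.pem", dir, n); inside = 1 }
        inside { sub(/\r$/, ""); print > out }    # strip CRs left by Windows editors
        /-----END CERTIFICATE-----/ { if (inside) close(out); inside = 0 }
        END { if (inside) exit 2; print n + 0 }   # exit 2: last block has no END line
    ' "$1"
}

# describe_certs OUTDIR -> subject, issuer and expiry of each split file.
# Assumption: openssl is installed; the thread itself only uses the MQ tools.
describe_certs() {
    for f in "$1"/cert-*.pem; do
        [ -f "$f" ] || continue
        echo "== $f"
        openssl x509 -in "$f" -noout -subject -issuer -enddate || return 1
        # -checkend 0 exits non-zero when the certificate has already expired
        openssl x509 -in "$f" -noout -checkend 0 >/dev/null || echo "   EXPIRED"
    done
}

# make_sample_bundle FILE -> constructed two-block bundle for trying the splitter
# (placeholder bodies; describe_certs needs real certificates).
make_sample_bundle() {
    printf '%s\n' \
        'subject=constructed sub CA' \
        '-----BEGIN CERTIFICATE-----' 'U1VCQ0EtcGxhY2Vob2xkZXI=' '-----END CERTIFICATE-----' \
        'subject=constructed root CA' \
        '-----BEGIN CERTIFICATE-----' 'Uk9PVC1wbGFjZWhvbGRlcg==' '-----END CERTIFICATE-----' > "$1"
}

# Usage: sh split_bundle.sh bundle.pem outdir
if [ "$#" -eq 2 ]; then
    split_pem_bundle "$1" "$2" >/dev/null && describe_certs "$2"
fi
```

A certificate whose subject and issuer are identical is the root; the others are intermediates or the personal certificate.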