IBM Integration Community
I have an IBM MQ 9.1 setup with 2 queue managers on one host. Today my SSL bundle expired. I got reissued another cert because the CA said it was their fault. I am looking throughout the documentation and it looks like I have to build a pk12 certificate. But I was told I could just run runmqakm and add each of the .pem certificates into my current keystore. Is this all that there is to update my SSL? It sounds too easy in an IBM MQ kind of world to believe.
Hi Wei Mei,
Once you have added the certificates into your keystore you will need to tell the queue manager to take a new look at the contents of its keystore. You can do this either by recycling the queue manager or by issuing the MQSC command REFRESH SECURITY TYPE(SSL).
REFRESH SECURITY TYPE(SSL)
I would start by taking a copy of your current CMS keystore (key.*) files. Work with the copies in case something goes wrong. Once you've got things properly in place, replace the original files with the updated copies (after taking another copy of the originals).
Depending on whether the CA issuer certificate or your queue manager personal certificate has expired, you may need to use different commands in runmqakm.
For a new issuer or root cert (if that's what's in the new bundle) you need to use -cert -add.
For a replacement queue manager (personal) certificate, I think you need to use -cert -receive.
If you have received both new issuer (and perhaps root) certs as well as a new personal cert for the queue manager, you will need to extract the certificates from the certificate bundle into a separate file (normally .pem) for each certificate and either add or receive each one (depending on what type of certificate it is).
I haven't done a certificate update for a while. My customers generally replace the whole certificate including the key, and so we create a new key/cert pair each time we renew. It's possible that you will need to runmqakm -certreq recreate before you can merge the new certificate into the kdb using -cert -receive.
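An added example (not from this thread and not IBM-supplied code) that carries out the procedure the reply above describes: split the bundle into one .pem per certificate, add each to a working copy of the CMS keystore with runmqakm -cert -add, validate the labels, install the copy and issue REFRESH SECURITY TYPE(SSL). The keystore path, queue manager name, label prefix and the use of a stash file are placeholders/assumptions.

```shell
#!/bin/sh
# Added example: CA/issuer certificate refresh for an MQ CMS keystore.
# Assumes a stashed password (key.sth) next to key.kdb; adjust -stashed to -pw
# if your keystore is not stashed. Labels follow the thread's tip of name+date.

# Split a PEM bundle into $2/cert-1.pem, cert-2.pem, ... ; prints the count.
# Text between certificates (openssl-style subject lines) is skipped.
split_pem_bundle() {
    bundle="$1"; outdir="$2"
    mkdir -p "$outdir"
    awk -v dir="$outdir" '
        /-----BEGIN CERTIFICATE-----/ { n++; out = sprintf("%s/cert-%d.pem", dir, n); in_cert = 1 }
        in_cert { print > out }
        /-----END CERTIFICATE-----/ { close(out); in_cert = 0 }
        END { print n + 0 }
    ' "$bundle"
}

# Work on a copy of the ssl directory, add + validate every split cert, then
# install the copy over the originals (after backing them up) and refresh.
update_keystore() {
    qmgr="$1"; kdb="$2"; certdir="$3"; prefix="${4:-newca}"
    ssldir=$(dirname "$kdb"); work="$ssldir.work"; stamp=$(date +%Y%m%d)
    rm -rf "$work" && cp -rp "$ssldir" "$work" || return 1
    wkdb="$work/$(basename "$kdb")"
    i=0
    for pem in "$certdir"/cert-*.pem; do
        i=$((i + 1))
        label="${prefix}_${i}_${stamp}"
        runmqakm -cert -add -db "$wkdb" -stashed -label "$label" \
                 -file "$pem" -format ascii || return 1
        runmqakm -cert -validate -db "$wkdb" -stashed -label "$label" || return 1
    done
    cp -rp "$ssldir" "$ssldir.bak.$stamp" || return 1      # keep the originals
    cp -p "$work"/key.* "$ssldir"/ || return 1              # install the copy
    echo "REFRESH SECURITY TYPE(SSL)" | runmqsc "$qmgr"     # reload keystore
}

# Usage (placeholders):
#   split_pem_bundle /tmp/ca-bundle.pem /tmp/split
#   update_keystore QM1 /var/mqm/qmgrs/QM1/ssl/key.kdb /tmp/split sslcom
```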
Thank you. Our personal cert did not expire yet; it was an expiration of the ssl.com root CA and a subsequent change by ssl.com to stop using a cross-signed CA. They were provided to me as one bundle. I broke them up into two separate certs as suggested by MQ support and added them each individually with the same command below.
What I did to add the new ca and subca provided to me by ssl.com.
runmqckm -cert -add -db
I then ran the validate and got an "ok" printed on the screen.
runmqakm -cert -validate -label
Just a usability note. runmqckm is a Java tool. runmqakm is a C executable. I prefer to use runmqakm as it runs a lot faster than runmqckm.
Thanks, I run everything from the command line and wait for changes so speed is not an issue to me. I ran what was specified of me from my MQ engineer. If there is no difference other than preference, I'll likely just run what is directed of me in the future as well.
Do you have the syntax for inserting a pem file in the key database?
I normally use runmqckm commands.
Just a suggestion:
Create a label for each cert which includes the CA name and the expiration date.
Sort of like: baltimoretrustrootca_08202025
Then when you list the certs in the kdb file you can easily see the expiration date.
Procedure I use:
Thanks everyone, I was able to upload the new CA and subCA. Luckily in this instance my Personal certificate has not expired yet so I did not need to update that one. I will be back when that time nears.