MQ

  • 1.  Building a Certificate Expiry Report for MQ

    Posted Tue January 26, 2021 09:56 AM
    If you would have interest in how to build a certificate expiry report for your MQ client and queue manager certificates and also improve your TLS authentication, you may find the following blog post helpful.

    https://community.ibm.com/community/user/middleware/blogs/tim-zielke1/2020/04/25/using-serialnumber-with-tls-authentication-in-ibm

    ------------------------------
    Tim Zielke
    ------------------------------


  • 2.  RE: Building a Certificate Expiry Report for MQ

    Posted Thu January 28, 2021 05:08 PM
    This is good info. I have been looking into how to monitor our AMS certificates' expiration dates so that admins can get notified 90/60/30 days in advance. Would it be similar to this? Do you have any information regarding monitoring certs for AMS?

    ------------------------------
    Gwen Buzynski
    ------------------------------



  • 3.  RE: Building a Certificate Expiry Report for MQ

    Posted Thu January 28, 2021 05:52 PM
    Hi Gwen,

    I am not familiar with what AMS is, but assuming we are talking about a Certificate Authority then yes, this would work. The basic idea here is to only use sslpeer channel authentication rules that validate both the serialnumber and issuer of a certificate. Once you do this, you are now only validating for unique certificates. Since your sslpeer channel authentication rules now each represent a unique certificate, you can document the expiration date for that certificate in the description of the channel authentication rule. Now you have a source of truth for all the certificates that you allow to authenticate in your MQ environment (i.e. queue manager, client, business partner, etc.) and you can build a report from your sslpeer channel authentication rules for when they expire.

    Thanks,
    Tim

    ------------------------------
    Tim Zielke
    ------------------------------



  • 4.  RE: Building a Certificate Expiry Report for MQ

    Posted Fri January 29, 2021 03:31 AM
    If we're talking about Advanced Message Security, i.e. at-rest encryption, Tim's way won't work because there is no chlauth entry for those.
    You will need to use the old way of looking at the cert store and running either runmqakm or runmqckm with the cert details and doing a grep on the labels, then the expiry...

    ------------------------------
    Francois Brandelik
    ------------------------------



  • 5.  RE: Building a Certificate Expiry Report for MQ

    Posted Mon February 01, 2021 11:51 AM
    I figured so, thank you. Does anyone have a good script that they are currently utilizing that will retrieve information from AMS MQ keystore and grep for cert expiring dates?

    ------------------------------
    Gwen Buzynski
    ------------------------------



  • 6.  RE: Building a Certificate Expiry Report for MQ

    Posted Fri January 29, 2021 04:06 AM

    Unfortunately the SET POLICY command does not provide a DESCRiption field in the same way as the SET CHLAUTH command does, so there is nowhere to store the expiry date against each AMS policy. Suggest you raise an RFE for this. There was a recently raised RFE asking for a DESCRiption on DEFINE SUB, so might be worth adding a comment on that one too.

    Cheers,
    Morag



    ------------------------------
    Morag Hughson
    MQ Technical Education Specialist
    MQGem Software Limited
    Website: https://www.mqgem.com
    ------------------------------



  • 7.  RE: Building a Certificate Expiry Report for MQ

    Posted Tue February 02, 2021 04:23 AM
    Hi,

    For reference, the MQ Appliance includes a certificate monitor that can be configured to generate log events when certificates have expired, or are due to expire within a configurable number of days. Prior to MQ 9.2 the appliance certificate monitor only supports certificates used for system configuration, such as the web UI, but from the MQ 9.2 firmware the certificate monitor also logs alerts for certificates in queue manager key repositories.

    • [0x8060034b] Certificate 'mycert' for queue manager 'QM1' expired at '2020-03-31T15:40:08Z'
    • [0x8060034c] Certificate 'mycert' for queue manager 'QM1' is about to expire at '2020-03-31T15:40:08Z'

    See https://www.ibm.com/support/knowledgecenter/SS5K6E_9.2.0/com.ibm.mqa.doc/security/se00290_.htm

    When developing your own scripts you might find the runmqakm -cert -list command (listcert on the appliance) useful, which has a -expiry [days] option that can be used to report similar information. If you set the timezone (e.g. TZ environment variable on Linux/UNIX) to UTC before running the command then this should also help you parse the expiry dates by avoiding daylight savings time adjustments.

    ------------------------------
    Jamie Squibb
    ------------------------------