
Changing the certificate of a Queue Manager in "MQ on Cloud"

  • 1.  Changing the certificate of a Queue Manager in "MQ on Cloud"

    IBM Champion
    Posted Fri November 04, 2022 03:21 PM
    Hello,

    I am working on a Queue Manager deployed in the "MQ on Cloud" offer.
    It is a SaaS offering deployed on containers; all administration is done via a web console, and there are some differences from a classic Queue Manager.

    One difference is that the certificate store is not exposed; you add or remove certificates via the console.
    I created a new certificate for the Queue Manager, and I have 3 files: the root certificate, the Queue Manager certificate, and the secret key.

    I was able to import the root certificate via the "Trust Store" choice. When I try to import the Queue Manager certificate via the "Key Store" choice, I get an error:
    PEM Certificate Scan Failed: A certificate uploaded to the key store cannot contain a private key.
    Problem: My certificate is in PEM format, and does not contain a private key.

    I haven't found much documentation on this topic; all KCs are about "MQ on premise" or "MQ in containers". There is no information about the specifics of "MQ on Cloud", especially for certificate management.
    Would you have a pointer for me?

    Bonus question: The default certificate (qmgrcert.pem) is signed by Let's Encrypt and valid for 90 days. What happens after 90 days? It is automatically renewed I hope?

    Thank you.

    ------------------------------
    Luc-Michel Demey
    DEMEY CONSULTING
    lmd@demey-consulting.fr
    #IBMChampion
    ------------------------------
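
A local check related to the error quoted in the post above, added here as an example (not code from the poster or from IBM): it lists the PEM blocks a file carries, so the file's actual contents can be compared with what the console's scan reports before uploading. The function name `scan_pem` and the sample blocks are constructed for illustration; the base64 bodies are placeholders, not real key material.

```python
import re

# RFC 7468 textual encoding: -----BEGIN <label>----- ... -----END <label>-----
PEM_BLOCK = re.compile(
    r"-----BEGIN ([A-Z0-9 ]+)-----\r?\n(.*?)\r?\n-----END \1-----", re.DOTALL)
BEGIN_LINE = re.compile(r"-----BEGIN [A-Z0-9 ]+-----")

# Labels commonly used for private keys (PKCS#8 and legacy OpenSSL forms).
PRIVATE_KEY_LABELS = {
    "PRIVATE KEY", "ENCRYPTED PRIVATE KEY",
    "RSA PRIVATE KEY", "EC PRIVATE KEY", "DSA PRIVATE KEY",
}

def scan_pem(text):
    """Inventory the PEM blocks in `text`; anything outside blocks is ignored."""
    labels = [m.group(1) for m in PEM_BLOCK.finditer(text)]
    return {
        "labels": labels,                                  # in file order
        "certificates": labels.count("CERTIFICATE"),
        "private_keys": [l for l in labels if l in PRIVATE_KEY_LABELS],
        # BEGIN lines with no matching END: a truncated or damaged file
        "unterminated": len(BEGIN_LINE.findall(text)) - len(labels),
    }

def _block(label):
    # Constructed sample block; the body is the base64 of the word "CONSTRUCTED".
    return f"-----BEGIN {label}-----\nQ09OU1RSVUNURUQ=\n-----END {label}-----\n"

# Constructed inputs: a certificate alone, a certificate bundled with a key,
# and a file cut off before its END line.
CERT_ONLY = _block("CERTIFICATE")
CERT_AND_KEY = "Bag Attributes\n" + _block("CERTIFICATE") + _block("PRIVATE KEY")
TRUNCATED = "-----BEGIN CERTIFICATE-----\nQ09OU1RSVUNURUQ=\n"

if __name__ == "__main__":
    for name, text in [("cert only", CERT_ONLY),
                       ("cert + key", CERT_AND_KEY),
                       ("truncated", TRUNCATED)]:
        print(name, scan_pem(text))
```

To check a real file, pass its contents to the function, for example `scan_pem(open("qmgr.pem").read())`, where `qmgr.pem` is a placeholder file name.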


  • 2.  RE: Changing the certificate of a Queue Manager in "MQ on Cloud"

    Posted Fri November 11, 2022 04:49 AM
    Hi Luc-Michel,

    Our documentation regarding administering certificates in MQ on Cloud should be of help and can be found here https://cloud.ibm.com/docs/mqcloud?topic=mqcloud-mqoc_qm_certs
    If you have any issues with the documentation, then you can raise a GitHub issue and we can address it.
    If you feel there is an issue with the service please raise an IBM Cloud support ticket https://cloud.ibm.com/unifiedsupport/cases/form?type=01037c41-adce-4bb5-8b45-0c06004916c4

    Regards,
    Phil
    IBM MQ on Cloud

    ------------------------------
    Philip Norton
    ------------------------------



  • 3.  RE: Changing the certificate of a Queue Manager in "MQ on Cloud"

    IBM Champion
    Posted Fri November 11, 2022 04:01 PM
    Hi Phil,
    Thank you for your answer. I had not found the link for this documentation.
    (Maybe because the section "Queue manager certificate administration" is classified in the chapter "Administrating a Queue Manager", while all the other sections dealing with TLS are under the chapter "Securing data in Transit").

    Now I have the necessary information, I can continue my tests, thanks.

    ------------------------------
    Luc-Michel Demey
    DEMEY CONSULTING
    lmd@demey-consulting.fr
    #IBMChampion
    ------------------------------