Hi,

Here is something we have bumped into when deploying WMQ SSL onto MSCS
clustered Windows servers.

We started by deploying our PKCS 12 files to a key repository on a
non-shared volume (the default sslkeyr - 'c:\Program Files\IBM\WebSphere
MQ\qmgrs\<qm>\ssl\key').  That worked fine, we then failed over in the
cluster and had to re-do the deploy to the backup's local volume.  This
worked fine too, and subsequent fail-overs worked a treat.

So far, so good, but we then made the mistake of trying to be clever...

We wanted to deploy the PKI stuff on the active system in such a way that it
would be picked up upon fail-over, without the hassle of a fail-over.  The
obvious approach was to locate the key store on a shared volume, i.e.
sslkeyr of 'e:\WebSphere MQ\qmgrs\<qm>\ssl\key'.  We tried that, and deployed
the PKI - OK on the active server.  We then failed over and tried our SSL
channels...  oops - no certificate assigned to the queue manager.  It would
work on the 'backup' system if we wiped the key store and then re-deployed
our PKI files, but would then fail when we reverted to the original.

The key store has some sort of relationship with the local system - the
registry perhaps?

Can anyone recommend a technique for sharing a key store across an MSCS
cluster without failing over?  Many thanks in advance for any suggestions /
comments.

In the meantime, we have reverted to using local key stores and deploying by
install+failover+install - more work but it works!


Alan
