Mike,

  When the certificate expires, the channel will go into a 'retrying' state.

   To prepare for the certificate expiring, using our WMQ monitoring package
based on date, I set an alert to be sent via my pager and email two weeks
prior to the expiration date. That gives me time to secure a new
certificate.


HTH,

John Dawson
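
An added example, not part of the original thread and not the monitoring package John mentions: a date-based expiry check with the two-week lead time described above. It assumes the expiry dates are available as `notAfter=` lines in the format printed by `openssl x509 -noout -enddate`; the certificate labels and dates are constructed.

```python
import ssl
from datetime import datetime, timedelta, timezone

# Lead time before expiry at which the alert should fire (two weeks, as in the message).
WARN_WINDOW = timedelta(days=14)


def parse_enddate(line):
    """Parse 'notAfter=Nov 20 12:00:00 2004 GMT' into an aware UTC datetime."""
    value = line.strip()
    if value.startswith("notAfter="):
        value = value[len("notAfter="):]
    # cert_time_to_seconds understands the certificate time format, including
    # the space-padded day of month, and is independent of the system locale.
    return datetime.fromtimestamp(ssl.cert_time_to_seconds(value), tz=timezone.utc)


def classify(not_after, now, window=WARN_WINDOW):
    """Return EXPIRED, RENEW (inside the alert window) or OK."""
    remaining = not_after - now
    if remaining <= timedelta(0):
        return "EXPIRED"
    if remaining <= window:
        return "RENEW"
    return "OK"


def expiry_report(inventory, now):
    """Return (label, status, whole days left) tuples, most urgent first."""
    rows = []
    for label, line in inventory.items():
        not_after = parse_enddate(line)
        rows.append((label, classify(not_after, now), (not_after - now).days))
    return sorted(rows, key=lambda row: row[2])


# Constructed inventory: label -> end-date line (hypothetical labels and dates).
SAMPLE = {
    "qm1-cert": "notAfter=Nov 20 12:00:00 2004 GMT",
    "qm2-cert": "notAfter=Mar  1 00:00:00 2005 GMT",
    "qm3-cert": "notAfter=Nov  9 23:59:59 2004 GMT",
}

if __name__ == "__main__":
    now = datetime(2004, 11, 10, 12, 0, 0, tzinfo=timezone.utc)
    for label, status, days in expiry_report(SAMPLE, now):
        print(f"{status:8} {label:10} {days:4d} day(s) left")
```

Run daily from a scheduler, any `RENEW` row is the cue to request the new certificate and plan the restart window discussed further down the thread.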


 -----Original Message-----
From:   Ward, Mike S [mailto:[EMAIL PROTECTED]
Sent:   Wednesday, November 10, 2004 7:23 AM
To:     [EMAIL PROTECTED]
Subject:        Re: SSL certificate management

Does MQ tell you when the certificate is near expiration? Or does the
channel just stop working?

-----Original Message-----
From: Nigel Pentland [mailto:[EMAIL PROTECTED]
Sent: Tuesday, November 09, 2004 7:36 AM
To: [EMAIL PROTECTED]
Subject: Re: SSL certificate management


Neil,

So far I have only had to replace z/OS MQ certs.  This requires renewing the
cert and, if it is a new cert, updating the key ring, refreshing RACF and then
ultimately restarting MQ.  We haven't found any way to avoid an MQ restart.

You will not be able to do it without disabling the existing certificate.
Either you renew the certificate where the new cert will overwrite the
previous one, or you have to generate a new one and add it to the keyring.
At this point you would have to make the new one the default, effectively
disabling the old one.

Nigel...

----- Original Message -----
From: "Neil Casey" <[EMAIL PROTECTED]>
To: <[EMAIL PROTECTED]>
Sent: Tuesday, November 09, 2004 2:33 AM
Subject: SSL certificate management


> Has anyone got to the point where their MQ SSL certificate (on any
> platform) is about to expire?
>
> I have (or will have) MQ SSL channels running on Windows, various unixes
> and zOS, and I am trying to get my head around exactly what needs to be
> done in order to get a certificate renewed, and then inserted into the
> certificate store correctly so that MQSeries can use it. I can't find
> anything in the Security manual which discusses this issue.
>
> My preference would be to find a way to handle this without having to
> restart the queue manager, although I am doubtful that I can achieve that
> objective. I would also like to be able to do it without disabling the
> existing certificate (Web Servers can do this, so MQ should be able to),
> and without having to create a new key repository.
>
> Thanks,
>
> Neil Casey
> National Australia Bank
> Southern Star Technology
> WebSphere MQ Support
> 1/122 Lewis Rd Wantirna South
> office. +61 3 9886 2375 (x82375)
> mobile. +61 414 615 334
>
> Instructions for managing your mailing list subscription are provided in
> the Listserv General Users Guide available at http://www.lsoft.com
> Archive: http://vm.akh-wien.ac.at/MQSeries.archive
