  MQSeries.net
Building a Certificate Expiry Report for MQ
tczielke
Posted: Tue Jan 26, 2021 6:26 am    Post subject: Building a Certificate Expiry Report for MQ

Guardian

Joined: 08 Jul 2010
Posts: 939
Location: Illinois, USA

If you are interested in how to build a certificate expiry report for your MQ client and queue manager certificates and also improve your TLS authentication, you may find the following blog post helpful.

https://community.ibm.com/community/user/middleware/blogs/tim-zielke1/2020/04/25/using-serialnumber-with-tls-authentication-in-ibm
_________________
Working with MQ since 2010.
hughson
Posted: Wed Jan 27, 2021 2:32 am

Padawan

Joined: 09 May 2013
Posts: 1914
Location: Bay of Plenty, New Zealand

Is this a new blog post? Just odd that it is not at the top of the list.

Cheers,
Morag
_________________
Morag Hughson @MoragHughson
IBM MQ Technical Education Specialist
Get your IBM MQ training here!
MQGem Software
tczielke
Posted: Wed Jan 27, 2021 5:32 am

Guardian

Joined: 08 Jul 2010
Posts: 939
Location: Illinois, USA

No, this is an existing blog post where I added more content for examples/tools on how to build a certificate expiry report through channel authentication rules that validate the serialnumber and issuer of a certificate.

I find it interesting how this certificate expiry report naturally falls out of channel authentication rules that check both the serialnumber and issuer of a certificate. There are numerous RFEs asking for this functionality to help with warning/tracking certificate expiration, and this functionality has been in the product since channel authentication rules have been able to do this validation. Sometimes you are looking for something, and it has been there all along (or at least for a while).
_________________
Working with MQ since 2010.
gbaddeley
Posted: Wed Jan 27, 2021 3:44 pm

Jedi

Joined: 25 Mar 2003
Posts: 2492
Location: Melbourne, Australia

We rely on our CA / signer informing us of impending cert expiry. However, it's worth having more than one source of information. There is nothing worse than a prod cert actually expiring and bringing MQ messaging to a grinding halt, especially if external business partners are involved.
_________________
Glenn
tczielke
Posted: Wed Jan 27, 2021 4:46 pm

Guardian

Joined: 08 Jul 2010
Posts: 939
Location: Illinois, USA

We have a CA that sends out reminders, too. However, the reminders would just be for the queue manager certs that we own. What is nice about implementing channel authentication sslpeer rules that validate both the serialnumber and issuer is you now control what certificates you allow to operate in your MQ environment on both the client and queue manager side. So your channel authentication sslpeer rules become a source of truth for all the certificates that are allowed to operate in your MQ environment (e.g. queue manager, client, business partners, etc.).
_________________
Working with MQ since 2010.