refreshing SSL certificates in websphere MQ

The first project I was given when I started at Evergreen Investments involved IBM’s WebSphere MQ messaging application. I took a development instance of the application and translated that to the requirements for a production deployment of the application.

It has been completely bulletproof. Set up correctly and sized appropriately, it just works. Eventually all good things come to an end, and you must maintain the service. SSL certificates expire, and must be replaced with new certificates.

In WebSphere versions prior to 6.0, you had to restart the queue manager, the local god of the application, to have the new certificate information deploy. That was somewhat disruptive, but it ensured that the information you were using for bringing up encrypted channels of communication was the new information, not the old.

With version 6.0, there is a command you can run in runmqsc (the WebSphere MQ command line shell and script interface) –

REFRESH SECURITY TYPE(SSL)

The same command run as

REFRESH SECURITY

will touch USER security, but leave the SSL certificate information untouched and unrefreshed, thus leaving you with an invalid certificate in place, even though you have replaced and refreshed (you think) the information…

This is obvious in hindsight. And completely baffling, until you find it, while trying to get the application to come back up after replacing an expired certificate.
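To make the distinction concrete, here is a small shell script (added here, not from the original post) that confirms which key repository the queue manager reads, sends the TYPE(SSL) refresh through runmqsc, and checks runmqsc's summary lines rather than assuming the refresh took. It assumes runmqsc is on PATH, uses the placeholder queue manager name QM1, and the sample runmqsc output it carries is constructed.

```shell
#!/bin/sh
# Added example, not part of the original post: drive runmqsc from a script so
# the SSL refresh is sent with the right TYPE and its result is actually checked.
# Assumptions: runmqsc is on PATH, the queue manager name is passed as $1, and
# "QM1" is a placeholder name.

# The MQSC to send. TYPE(SSL) is the part that matters: a bare REFRESH SECURITY,
# as the post describes, leaves the certificate information unrefreshed.
ssl_refresh_mqsc() {
    printf '%s\n' 'REFRESH SECURITY TYPE(SSL)'
}

# Read runmqsc output on stdin and print the SSLKEYR value, the key repository
# stem the queue manager reads. Check it before refreshing, so the new
# certificate went into the repository this queue manager actually uses.
sslkeyr_from_output() {
    sed -n 's/.*SSLKEYR(\([^)]*\)).*/\1/p' | head -n 1
}

# Read runmqsc output on stdin; succeed only if the run ends with the normal
# summary and no command was rejected.
mqsc_succeeded() {
    out=$(cat)
    printf '%s\n' "$out" | grep -q 'No commands have a syntax error' || return 1
    printf '%s\n' "$out" | grep -q 'All valid MQSC commands were processed' || return 1
    printf '%s\n' "$out" | grep -q 'could not be processed' && return 1
    return 0
}

# Show which repository will be read, then refresh the SSL cache and check.
refresh_ssl() {
    qm="$1"
    echo "SSLKEYR for $qm: $(printf 'DISPLAY QMGR SSLKEYR\n' | runmqsc "$qm" | sslkeyr_from_output)"
    ssl_refresh_mqsc | runmqsc "$qm" | mqsc_succeeded
}

# Constructed samples in the shape runmqsc prints, for exercising the parsers
# without a live queue manager.
SAMPLE_DISPLAY='     1 : DISPLAY QMGR SSLKEYR
   QMNAME(QM1)                             SSLKEYR(/var/mqm/qmgrs/QM1/ssl/key)'
SAMPLE_OK='     1 : REFRESH SECURITY TYPE(SSL)
One MQSC command read.
No commands have a syntax error.
All valid MQSC commands were processed.'
SAMPLE_FAIL='     1 : REFRESH SECURITY TYPE(SSL)
One MQSC command read.
No commands have a syntax error.
One valid MQSC command could not be processed.'

if [ -n "${1:-}" ]; then refresh_ssl "$1"; fi
```

Run it as `sh refresh_ssl.sh QM1` against a real queue manager; with no argument it only defines the functions and samples.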

—dsm