Refreshing TLS security

You can make changes to the key repository without restarting a channel. However, a running channel works from a copy of the key repository held in memory, and that copy is not affected by the change. When you refresh the cached copy of the key repository, the TLS channels that are currently running on the queue manager are updated with the new information.

About this task

When a channel is secured using TLS, the digital certificates and their associated private keys are stored in the key repository. A copy of the key repository is held in memory while a channel is running. If you make a change to the key repository, the change does not become active in the in-memory copy that a running channel uses.

When you refresh the cached copy of the key repository, using the REFRESH SECURITY TYPE(SSL) MQSC command, all running TLS channels are stopped and restarted:

  • Channels that the queue manager itself restarts then run the TLS handshake again with the refreshed view of the key repository.
  • All other channel types that use TLS are stopped and are not restarted by the queue manager. If the partner end of the stopped channel has retry values defined, the channel retries and runs the TLS handshake again. The new TLS handshake uses the refreshed view of the contents of the key repository, the location of the LDAP server to be used for Certificate Revocation Lists, and the location of the key repository. In the case of a server-connection channel, the client application loses its connection to the queue manager and has to reconnect to continue.

Because every running TLS channel is interrupted by the refresh, schedule it for a period of low traffic and make sure that client applications are able to reconnect. To refresh the cached copy of the key repository, complete the following steps.

Procedure

  1. In the Navigator view, right-click the queue manager for which you want to refresh the cached copy of the key repository, then click Security > Refresh SSL.
  2. When prompted, click Yes.

Results

The TLS channels that are currently running on the queue manager are updated with the new information. The queue manager FIPS configuration (SSLFipsRequired) is also refreshed by this command on AIX®, Linux®, and Windows.
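The same refresh can be performed from a shell session with runmqsc, which is useful when the change to the key repository is scripted (for example a certificate renewal) and you want the refresh and a check of its effect in the same run. The script below is an added example and is not part of the IBM MQ documentation or product. It assumes that runmqsc is on the PATH and that the queue manager is called QM1 (override with QMGR=...); the channel names and the DISPLAY CHSTATUS output used to exercise the parser are constructed. The check records which channels are RUNNING before the refresh, issues REFRESH SECURITY TYPE(SSL), and then polls until the same set is RUNNING again.

```shell
#!/bin/sh
# Added example (not from the IBM MQ documentation): refresh the cached key
# repository with runmqsc and confirm that the TLS channels that were running
# before the refresh are running again afterwards.
# Assumptions: runmqsc is on PATH; the queue manager is QM1 unless QMGR is set.
set -e

QMGR="${QMGR:-QM1}"

# Run one MQSC command against $QMGR and print runmqsc's output. runmqsc exits
# non-zero when a command is rejected, which aborts the script under set -e.
mqsc() {
    printf '%s\n' "$1" | runmqsc "$QMGR"
}

# Read DISPLAY CHSTATUS output on stdin and print, one per line, the names of
# channels whose STATUS is RUNNING. Channels that are not current (for example
# a stopped receiver waiting for its partner to retry) do not appear in
# CHSTATUS at all, so the before/after comparison works on the set of running
# names rather than on a list of "not running" channels.
running_channels() {
    awk '
        /CHANNEL\(/ { match($0, /CHANNEL\([^)]*\)/); ch = substr($0, RSTART + 8, RLENGTH - 9) }
        /STATUS\(/  { match($0, /STATUS\([^)]*\)/);  st = substr($0, RSTART + 7, RLENGTH - 8)
                      if (st == "RUNNING") print ch }
    ' | LC_ALL=C sort -u
}

# Refresh the cached key repository, then poll until every channel that was
# running beforehand is running again, or give up after $1 seconds.
refresh_and_verify() {
    timeout="${1:-30}"
    before=$(mqsc 'DISPLAY CHSTATUS(*) STATUS' | running_channels)

    mqsc 'REFRESH SECURITY TYPE(SSL)'

    while [ "$timeout" -gt 0 ]; do
        after=$(mqsc 'DISPLAY CHSTATUS(*) STATUS' | running_channels)
        [ "$after" = "$before" ] && return 0
        timeout=$((timeout - 1))
        sleep 1
    done
    # Typical leftovers: SVRCONN channels whose client has not reconnected yet,
    # and channels whose partner end has no retry values defined, which stay
    # stopped until started by hand.
    printf 'Running before refresh:\n%s\nRunning now:\n%s\n' "$before" "$after" >&2
    return 1
}

# Constructed sample of DISPLAY CHSTATUS output (channel names are made up),
# used to exercise the parser without a queue manager.
SAMPLE_CHSTATUS='AMQ8417I: Display Channel Status details.
   CHANNEL(TO.QM2)                         CHLTYPE(SDR)
   CONNAME(10.0.0.2(1414))                 CURRENT
   RQMNAME(QM2)                            STATUS(RUNNING)
   SUBSTATE(MQGET)                         XMITQ(QM2)
AMQ8417I: Display Channel Status details.
   CHANNEL(TO.QM3)                         CHLTYPE(SDR)
   CONNAME(10.0.0.3(1414))                 CURRENT
   RQMNAME(QM3)                            STATUS(RETRYING)
   SUBSTATE( )                             XMITQ(QM3)
AMQ8417I: Display Channel Status details.
   CHANNEL(APP.SVRCONN)                    CHLTYPE(SVRCONN)
   CONNAME(10.0.0.9)                       CURRENT
   STATUS(RUNNING)                         SUBSTATE(RECEIVE)'

# Parse the sample: TO.QM3 is RETRYING, so only APP.SVRCONN and TO.QM2 print.
sample_running() {
    printf '%s\n' "$SAMPLE_CHSTATUS" | running_channels
}

# Only touch a real queue manager when explicitly asked:
#   MQ_REFRESH_RUN=1 QMGR=QM1 sh refresh_tls.sh
if [ -n "${MQ_REFRESH_RUN:-}" ]; then
    refresh_and_verify 30
fi
```

The check deliberately compares sets of channel names rather than counting RUNNING entries: a channel that the queue manager only stops (the second bullet above) simply drops out of DISPLAY CHSTATUS, and a count alone would not tell you which one is missing. The status attribute names in the sample (CHANNEL, STATUS, SUBSTATE) are the ones runmqsc prints; everything else in the sample is invented for the test.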