When changes to certificates or the certificate store become effective on UNIX, Linux, and Windows
When you change the certificates in a certificate store, or the location of the certificate store, the point at which the changes take effect depends on the type of channel and how the channel is running.
Changes to the certificates in the key database file and to the key repository attribute become effective in the following situations:
- When a new outbound single channel process first runs a TLS channel.
- When a new inbound TCP/IP single channel process first receives a request to start a TLS channel.
- When the MQSC command REFRESH SECURITY TYPE(SSL) is issued to refresh the TLS environment.
- For client application processes, when the last TLS connection in the process is closed. The next TLS connection will pick up the certificate changes.
- For channels that run as threads of a process pooling process (amqrmppa), when the process pooling process is started or restarted and first runs a TLS channel. If the process pooling process has already run a TLS channel, and you want the change to become effective immediately, run the MQSC command REFRESH SECURITY TYPE(SSL).
- For channels that run as threads of the channel initiator, when the channel initiator is started or restarted and first runs a TLS channel. If the channel initiator process has already run a TLS channel, and you want the change to become effective immediately, run the MQSC command REFRESH SECURITY TYPE(SSL).
- For channels that run as threads of a TCP/IP listener, when the listener is started or restarted and first receives a request to start a TLS channel. If the listener has already run a TLS channel, and you want the change to become effective immediately, run the MQSC command REFRESH SECURITY TYPE(SSL).
You can also refresh the IBM MQ TLS environment using the IBM MQ Explorer or PCF commands.
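The following script is an added example, not part of the IBM documentation. After a certificate change it lists the long-running processes named above (amqrmppa, plus the channel initiator and listener programs runmqchi and runmqlsr) that started before the key database was last modified, which are the candidates for still using the old certificates, and it can issue REFRESH SECURITY TYPE(SSL). It assumes Linux (GNU stat, procps ps), runmqsc on the PATH, and a key database stored as the SSLKEYR stem plus .kdb; the function names are hypothetical.

```shell
#!/bin/sh
# Added example (not IBM code). Assumes Linux (GNU stat, procps ps), runmqsc
# on PATH, and a CMS key database stored as <SSLKEYR stem>.kdb.

# Extract the key repository stem from `DISPLAY QMGR SSLKEYR` output on stdin.
parse_sslkeyr() {
    sed -n 's/.*SSLKEYR(\([^)]*\)).*/\1/p' | head -n 1
}

# stdin: "pid elapsed_seconds command args..." lines; $1 = now, $2 = key
# database mtime (both epoch seconds). Prints "pid name" for each process
# pooling process, channel initiator or listener started before the change.
stale_processes() {
    awk -v now="$1" -v mtime="$2" '
        $3 ~ /(amqrmppa|runmqchi|runmqlsr)$/ && (now - $2) < mtime {
            n = split($3, part, "/"); print $1, part[n]
        }'
}

# check_qmgr QMGR [--refresh]: returns 0 if nothing predates the key database,
# 1 if some process does (after refreshing when --refresh is given), 2 on error.
check_qmgr() {
    qmgr=$1
    stem=$(echo "DISPLAY QMGR SSLKEYR" | runmqsc "$qmgr" | parse_sslkeyr)
    if [ -z "$stem" ]; then
        echo "no key repository reported for $qmgr" >&2; return 2
    fi
    mtime=$(stat -c %Y "$stem.kdb") || return 2
    # Lists MQ processes of every queue manager on the host, not only $qmgr.
    stale=$(ps -eo pid=,etimes=,args= | stale_processes "$(date +%s)" "$mtime")
    if [ -z "$stale" ]; then
        echo "no channel-hosting process predates $stem.kdb"; return 0
    fi
    echo "started before the last change to $stem.kdb:"
    echo "$stale"
    if [ "${2:-}" = "--refresh" ]; then
        echo "REFRESH SECURITY TYPE(SSL)" | runmqsc "$qmgr"
    fi
    return 1
}

if [ "$#" -ge 1 ]; then check_qmgr "$@"; fi
```

A process in the list that has not yet run a TLS channel picks up the change on its first TLS channel anyway, so the list is an upper bound. A change to the key repository location is not detected by the modification-time comparison.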