Usage notes
When you issue the REFRESH SECURITY TYPE(SSL) MQSC command, all running SSL channels are stopped and restarted. Sometimes SSL channels can take a long time to shut down and this means that the refresh operation takes some time to complete. There is a time limit of 10 minutes for an SSL refresh to complete (or 1 minute on z/OS), so it can potentially take 10 minutes for the command to finish. This can give the appearance that the refresh operation has "frozen". The refresh operation will fail with an MQSC error message of AMQ9710 or PCF error MQRCCF_COMMAND_FAILED if the timeout is exceeded before all channels have stopped. This is likely to happen if the following conditions are true:
- The queue manager has many SSL channels running simultaneously when the refresh command is invoked
- The channels are handling large numbers of messages
If a refresh fails under these conditions, retry the command later when the queue manager is less busy. Where many channels are running, you can choose to stop some of the channels manually before invoking the REFRESH command.
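As an added example that is not part of the IBM documentation, the following POSIX shell wrapper drives the refresh through runmqsc, treats AMQ9710 as the retry-later case described above, and optionally stops operator-named channels first. The MQSC_RUNNER and STOP_CHANNELS variables are assumptions of this example (MQSC_RUNNER exists so a test can substitute a stub for runmqsc); only REFRESH SECURITY TYPE(SSL), STOP CHANNEL and the AMQ9710 code come from the page.

```shell
# Added example, not IBM's own code: send REFRESH SECURITY TYPE(SSL) through
# runmqsc, recognise the AMQ9710 timeout failure, and retry a bounded number
# of times. Assumptions (hypothetical): runmqsc is on PATH, MQSC_RUNNER lets a
# test substitute a stub, STOP_CHANNELS optionally names channels to stop first.
MQSC_RUNNER="${MQSC_RUNNER:-runmqsc}"
STOP_CHANNELS="${STOP_CHANNELS:-}"
# Emit the MQSC to send: any channel names given as arguments are stopped
# first (the manual relief suggested above), then the refresh is requested.
refresh_mqsc() {
    for ch in "$@"; do
        printf 'STOP CHANNEL(%s)\n' "$ch"
    done
    printf '%s\n' 'REFRESH SECURITY TYPE(SSL)' 'END'
}
# Classify one runmqsc run from its exit code ($1) and captured output ($2):
#   timeout - AMQ9710 reported: channels did not stop in time, retry later
#   ok      - runmqsc exited 0 and no AMQ9710 was reported
#   error   - anything else; do not retry blindly, read the output
classify_refresh() {
    if printf '%s\n' "$2" | grep -q 'AMQ9710'; then
        echo timeout
    elif [ "$1" -eq 0 ]; then
        echo ok
    else
        echo error
    fi
}
# refresh_ssl_with_retry QMGR MAX_ATTEMPTS DELAY_SECONDS
# Returns 0 on success, 2 if every attempt hit AMQ9710, 1 on another error.
# runmqsc's output is echoed to stderr so it reaches the operator's log.
refresh_ssl_with_retry() {
    qmgr="$1"; max_attempts="$2"; delay="$3"; attempt=1
    while :; do
        # STOP_CHANNELS is deliberately unquoted: one word per channel name.
        if out="$(refresh_mqsc $STOP_CHANNELS | "$MQSC_RUNNER" "$qmgr" 2>&1)"; then
            rc=0
        else
            rc=$?
        fi
        printf '%s\n' "$out" >&2
        case "$(classify_refresh "$rc" "$out")" in
            ok)    return 0 ;;
            error) return 1 ;;
        esac
        [ "$attempt" -lt "$max_attempts" ] || return 2
        attempt=$((attempt + 1))
        sleep "$delay"
    done
}
```

Run it as `refresh_ssl_with_retry QM1 3 300` to allow three attempts five minutes apart; the delay gives the channels that caused the timeout a chance to drain before the refresh is tried again.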
When using TYPE(SSL):
- On z/OS, the command server and channel initiator must be running.
- On z/OS, WebSphere MQ determines whether a refresh is needed for one or more of the following reasons:
  - The contents of the key repository have changed
  - The location of the LDAP server to be used for Certification Revocation Lists has changed
  - The location of the key repository has changed
  If no refresh is needed, the command completes successfully and the channels are unaffected.
- On platforms other than z/OS, the command updates all SSL channels regardless of whether a security refresh is needed.
- If a refresh is to be performed, the command updates all SSL channels currently running, as follows:
  - Sender, server and cluster-sender channels using SSL are allowed to complete the current batch. In general they then run the SSL handshake again with the refreshed view of the SSL key repository. However, a requester-server channel on which the server definition has no CONNAME parameter must be restarted manually.
  - All other channel types using SSL are stopped with a STOP CHANNEL MODE(FORCE) STATUS(INACTIVE) command. If the partner end of the stopped MCA channel has retry values defined, the channel retries and the new SSL handshake uses the refreshed view of the contents of the SSL key repository, the location of the LDAP server to be used for Certification Revocation Lists, and the location of the key repository. In the case of a server-connection channel, the client application loses its connection to the queue manager and has to reconnect in order to continue.
Parent topic:
REFRESH SECURITY