Ensuring expired certificates do not cause an outage with IBM Mobile Connect
Brian Erle (IBM)
Certificates are used throughout IBM Mobile Connect (IMC). From securing incoming device requests to securing connections to databases, authentication servers and application servers, certificates are a part of the everyday operation of an IBM Mobile Connect deployment. When everything is working perfectly, no one really worries about the certificates securing those sessions until they expire and everything comes to a grinding halt. This can happen literally in the blink of an eye: what was a perfectly valid incoming device request a millisecond ago is now rejected because the certificate has expired. In the wg.log from IMC you will see a message that looks like this:
[ERROR] SSLPort: failed to attach secure connection, fd=21: [10.10.10.10:33622] GSK_ERROR_BAD_DATE (rc=401,ec=401)
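As an added example (not part of the original article or of IBM's tooling), the Python below scans wg.log lines for the SSLPort failure format quoted above and reports how many GSK_ERROR_BAD_DATE rejections occurred and from which clients. The regular expression is modelled on that one quoted line; the function names and every sample line after the first are constructed for illustration.

```python
import re
from collections import Counter

# Modelled on the one wg.log line quoted in the article. search() is used so
# any prefix before "[ERROR]" (timestamp, thread id) is tolerated, not parsed.
SSL_FAIL = re.compile(
    r"\[ERROR\] SSLPort: failed to attach secure connection, "
    r"fd=(?P<fd>\d+): \[(?P<ip>[^\]]+):(?P<port>\d+)\] "
    r"(?P<err>GSK_\w+) \(rc=(?P<rc>\d+),ec=(?P<ec>\d+)\)"
)

def parse_ssl_failures(lines):
    """Yield a dict (fd, ip, port, err, rc, ec, lineno) per attach failure."""
    for lineno, line in enumerate(lines, 1):
        m = SSL_FAIL.search(line)
        if m:
            yield {**m.groupdict(), "lineno": lineno}

def summarize(lines):
    """Count failures per GSKit error and collect clients rejected for BAD_DATE."""
    by_error, clients, first = Counter(), set(), None
    for rec in parse_ssl_failures(lines):
        by_error[rec["err"]] += 1
        if rec["err"] == "GSK_ERROR_BAD_DATE":
            clients.add(rec["ip"])
            first = first or rec["lineno"]  # line numbers start at 1
    return {"by_error": dict(by_error),
            "bad_date_clients": sorted(clients),
            "first_bad_date_line": first}

# Line 1 is the article's message; the remaining lines are constructed samples.
SAMPLE_LOG = [
    "[ERROR] SSLPort: failed to attach secure connection, fd=21: "
    "[10.10.10.10:33622] GSK_ERROR_BAD_DATE (rc=401,ec=401)",
    "[ERROR] SSLPort: failed to attach secure connection, fd=22: "
    "[10.10.10.11:40112] GSK_ERROR_BAD_DATE (rc=401,ec=401)",
    "[ERROR] SSLPort: failed to attach secure connection, fd=23: "
    "[10.10.10.10:33630] GSK_ERROR_BAD_DATE (rc=401,ec=401)",
    "[ERROR] SSLPort: failed to attach secure connection, fd=24: "
    "[10.10.10.12:51000] GSK_ERROR_SOCKET_CLOSED (rc=420,ec=420)",
    "[WARNING] constructed line that is not an SSLPort failure",
]

if __name__ == "__main__":
    print(summarize(SAMPLE_LOG))
```

Run it against the real log by passing `open("wg.log")` to `summarize` in place of `SAMPLE_LOG`.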
Using the IBM Key Manager, an administrator can examine the certificates used to secure incoming devices. Select the certificate in the Personal Certificates view and use the VIEW action to check its expiration date, then execute on a plan to ensure that a replacement certificate is in place and ready to go before the present certificate expires. The ACTIVE certificate is the one with the asterisk '*' symbol next to it. When it comes time to use the new certificate, select the certificate and View it, then choose the option near the bottom of that dialogue which allows you to set it as the Default certificate. In order for IMC to begin using this certificate, a Stop and Start of the Connection Manager is required.
324:745822528 (Apr 18 2016
Please Note - the LOG and DEBUG logging levels are required to be active to see these messages. IBM IMC support and development recommend that only ERROR and WARNING log levels are used during normal production operation for optimal performance.
The above message indicates that a secure request was received and accepted without error. The last message also indicates which HTTP Service (if there are multiple services configured) handled the request.