Refreshing the queue manager TLS security

If you make a change to the queue manager key store or trust store, or change channel certificate configuration, a TLS security refresh is required for the new configuration to take effect.

A TLS security refresh updates the in-memory copy of the key store and trust store. All channels that are enabled for TLS are stopped and use the refreshed configuration to recreate a secure connection. A client's secure connection is only re-established if the client application has retry logic to re-initiate a broken connection.

When to refresh TLS security

  • If you add a client or queue manager certificate to the trust store, it is not trusted to make a secure connection until a TLS security refresh has been performed.
  • If you add a certificate to the key store and configure it for use with TLS or AMS, the affected channels will not use the certificate to create a secure connection until a TLS security refresh has been performed.
  • If you change the certificate configured on a TLS-enabled channel, the new certificate is not used to create a secure connection until a TLS security refresh has been performed.

How to refresh TLS security

Using the web console
  1. Launch the queue manager web console using steps described in Administering a queue manager using IBM MQ Console.
  2. On the queue manager page, select Configuration.
  3. Select the Security tab.
  4. Select the three dots, then Refresh SSL.
  5. Confirm by clicking Refresh.
Using runmqsc
  1. Connect to the queue manager using steps described in Administering a queue manager using IBM MQ Explorer and the runmqsc command line.
  2. Run REFRESH SECURITY TYPE(SSL).
  3. Run end.
Using IBM MQ Explorer
  1. Connect to the queue manager using steps described in Administering a queue manager using IBM MQ Explorer and the runmqsc command line.
  2. In the Navigator view, right-click the queue manager for which you want to refresh the cached copy of the key repository, then click Security > Refresh SSL.
  3. When prompted, click Yes.
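
The runmqsc procedure above can be scripted for use after a certificate change. The following is an added example, not part of the original documentation: it assumes runmqsc is on the PATH and that connection details are already set up as in the referenced administration topic, and the function names and the RUNMQSC override variable are hypothetical.

```shell
#!/bin/sh
# Added example: scripted TLS security refresh through runmqsc.
# RUNMQSC is a hypothetical override so the command can be swapped out in tests.
RUNMQSC="${RUNMQSC:-runmqsc}"

# IBM MQ object names: 1 to 48 characters from A-Z a-z 0-9 . / _ %
# Rejecting anything else keeps unvalidated input away from the command line.
valid_qmgr_name() {
    case "$1" in
        ''|*[!A-Za-z0-9._/%]*) return 1 ;;
    esac
    [ "${#1}" -le 48 ]
}

# refresh_tls_security QMGR [extra runmqsc options...]
# Returns 0 on success, 2 for an invalid name, otherwise runmqsc's exit code.
refresh_tls_security() {
    qmgr="$1"
    if ! valid_qmgr_name "$qmgr"; then
        echo "refusing invalid queue manager name" >&2
        return 2
    fi
    shift
    rc=0
    # Steps 2 and 3 of the runmqsc procedure, supplied on standard input.
    printf '%s\n' 'REFRESH SECURITY TYPE(SSL)' 'END' \
        | "$RUNMQSC" "$@" "$qmgr" || rc=$?
    case "$rc" in
        0)  echo "TLS security refreshed on $qmgr" ;;
        10) echo "runmqsc processed the commands with errors" >&2 ;;
        20) echo "runmqsc did not run the commands" >&2 ;;
        *)  echo "runmqsc exited with status $rc" >&2 ;;
    esac
    return "$rc"
}
```

Because the refresh stops every TLS-enabled channel, call `refresh_tls_security` once after a batch of key store or trust store changes rather than after each one.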