Extending the MQ security certificate
You can extend the life of the IBM® MQ security certificate that is used for replication from the default three years to 100 years, so that the certificate does not expire and stop replication.
Before you begin
- It is advisable to perform this task during a maintenance window or during a time of lower database activity.
- Make sure that all replication sets are active and the last consistency point is current.
About this task
Self-signed MQ SSL certificates are used internally to transport data from sources to targets. By default, the MQ certificate expires after three years, to coincide with the Db2® Warehouse SSL certificate. However, if the MQ certificate expires while replication is active, the data in the MQ queues is not recoverable and you must perform a full refresh of all replication target tables.
The following procedure extends the life of the MQ certificate to prevent this situation from occurring.
Procedure
- Disable the Wolverine high-availability monitoring process on both the source and target:
    wvcli system disable -m renew_mq_cert
- Stop all send queues on the source system by following these steps:
  - Set the state of the send queues in the replication metadata to inactive (I) by using the following SQL statement:
      update qasn.ibmqrep_sendqueues set state='I'
  - Find the name of the capture program thread:
      ps -ef|grep asnqcap
    In the following example, the thread (capture_server) name is FRKJKKDZ:
      dsadm 1576952 1576022 1 10:22 pts/3 00:01:08 /opt/ibm/db2/V11.5.0.0/bin/asnqcap capture_server=FRKJKKDZ capture_schema=QASN capture_path=/mnt/blumeta0/bludr/logs/replication xf_del_file=y qfull_retry_delay=60000 qfull_num_retries=1000 max_capstarts_intload=5 term=n use_stream_trans=y startallq=n
  - Reinitialize the capture program to enable the send queue state change:
      asnqccmd capture_server=FRKJKKDZ capture_schema=QASN reinit
- On the target system, verify that all receive queues are empty by following these steps:
  - Find the name of the queue manager by running the MQ command dspmq. In this output, the queue manager name is AOMTDBXP_AQM:
      QMNAME(AOMTDBXP_AQM) STATUS(Running)
  - Run the following commands to check that the current depth (number of messages) in all receive queues is 0:
      runmqsc AOMTDBXP_AQM
      DISPLAY QLOCAL(*) CURDEPTH
    The output shows CURDEPTH values of 0:
      20 : DISPLAY QLOCAL(*) CURDEPTH
      AMQ8409I: Display Queue details.
         QUEUE(SET10001_RECVQ) TYPE(QLOCAL) CURDEPTH(0)
      AMQ8409I: Display Queue details.
         QUEUE(SET10001_RECVQ_FT) TYPE(QLOCAL) CURDEPTH(0)
      AMQ8409I: Display Queue details.
         QUEUE(SET10001_RECVQ_FT.2) TYPE(QLOCAL) CURDEPTH(0)
      AMQ8409I: Display Queue details.
         QUEUE(SET10001_RECVQ_FT.3) TYPE(QLOCAL) CURDEPTH(0)
      AMQ8409I: Display Queue details.
         QUEUE(SET10001_RECVQ_FT.4) TYPE(QLOCAL) CURDEPTH(0)
- On the source system, verify that the ADMINQ, ACKFT, and XMITQ queues are empty by following these steps:
  - Find the name of the queue manager by running the IBM MQ command dspmq. In this output, the queue manager name is FRKJKKDZ_CQM:
      QMNAME(FRKJKKDZ_CQM) STATUS(Running)
  - Run the following commands to check that the current depth (number of messages) in all local queues is 0:
      runmqsc FRKJKKDZ_CQM
      DISPLAY QLOCAL(*) CURDEPTH
    The output shows CURDEPTH values of 0 for the ADMINQ, ACKFT, and XMITQ queues, as well as for the other local queues:
      1 : DISPLAY QLOCAL(*) CURDEPTH
      AMQ8409I: Display Queue details.
         QUEUE(FRKJKKDZ_ADMINQ) TYPE(QLOCAL) CURDEPTH(0)
      AMQ8409I: Display Queue details.
         QUEUE(SET10001_ACKFT) TYPE(QLOCAL) CURDEPTH(0)
      AMQ8409I: Display Queue details.
         QUEUE(SET10001_TXQ) TYPE(QLOCAL) CURDEPTH(0)
      AMQ8409I: Display Queue details.
         QUEUE(SET10001_TXQ_FT) TYPE(QLOCAL) CURDEPTH(0)
      AMQ8409I: Display Queue details.
         QUEUE(SET10001_TXQ_FT.2) TYPE(QLOCAL) CURDEPTH(0)
      AMQ8409I: Display Queue details.
         QUEUE(SET10001_TXQ_FT.3) TYPE(QLOCAL) CURDEPTH(0)
      AMQ8409I: Display Queue details.
         QUEUE(SET10001_TXQ_FT.4) TYPE(QLOCAL) CURDEPTH(0)
- Stop the capture program at the source database by following these steps:
  - Stop the capture process:
      asnqccmd capture_server=FRKJKKDZ capture_schema=QASN stop
  - Verify that the asnqcap thread no longer exists:
      ps -ef|grep asnqcap
- Stop the apply program at the target database by following these steps:
  - Find the name of the apply server:
      ps -ef|grep asnqapp
    In the following example, the server name is AOMTDBXP:
      dsadm 1614543 1614088 0 10:28 pts/3 00:00:18 /opt/ibm/db2/V11.5.0.0/bin/asnqapp apply_server=AOMTDBXP apply_schema=QASN apply_path=/mnt/blumeta0/bludr/logs/replication CDE_FILE_MISSING_TIMEOUT=600 term=n et_load_named_pipe_group_id=3000 startallq=y
  - Stop the apply process:
      asnqacmd apply_server=AOMTDBXP apply_schema=QASN stop
  - Verify that the asnqapp thread no longer exists:
      ps -ef|grep asnqapp
- Create a shell script file with the following content and save it as bludr-mq-renew-cert.sh:
    #!/bin/bash
    # Recover the key database password and the DN and CN that the replication
    # server was configured with, so the new certificate keeps the same identity.
    DECRYPT_PW=$(/opt/ibm/dsserver/scripts/decrypt.sh $(cat ~dsadm/.mqs/kdb.pass))
    DIST_NAME=`grep "MQ_DIST_NAME" /opt/ibm/apiserver/wlp/usr/servers/bludr/server.env`
    DIST_NAME=${DIST_NAME#*=}
    CN_NAME=`grep "MQ_CN_NAME" /opt/ibm/apiserver/wlp/usr/servers/bludr/server.env`
    CN_NAME=${CN_NAME#*=}
    GSKIT_CMD="$(ls -1d /opt/ibm/db2/V*)/gskit/bin/gsk8capicmd_64"
    # Record the current certificate details and back up the key database directory.
    openssl x509 -in ${BLUDR_SHARED_DIR}/certificates/mq_public_cert.arm -text -noout | head -n 10 > ~dsadm/openssl.backup.txt
    cat ~dsadm/openssl.backup.txt
    cp -r ~dsadm/.mqs ~dsadm/.mqsbackup
    rm -f ~dsadm/.mqs/dsadm*
    # Create a new key database and a self-signed certificate that expires in 36500 days (about 100 years).
    ${GSKIT_CMD} -keydb -create -db ~/.mqs/dsadmkey.kdb -pw ${DECRYPT_PW} -stash
    ${GSKIT_CMD} -cert -create -db ~dsadm/.mqs/dsadmkey.kdb -pw ${DECRYPT_PW} -expire 36500 -label ${CN_NAME} -dn ${DIST_NAME} -default_cert yes
    # Replace the shared public certificate with the new one and print its details.
    mv ${BLUDR_SHARED_DIR}/certificates/mq_public_cert.arm ${BLUDR_SHARED_DIR}/certificates/mq_public_cert.arm.backup
    ${GSKIT_CMD} -cert -extract -db ~/.mqs/dsadmkey.kdb -pw ${DECRYPT_PW} -label ${CN_NAME} -target ${BLUDR_SHARED_DIR}/certificates/mq_public_cert.arm
    openssl x509 -in ${BLUDR_SHARED_DIR}/certificates/mq_public_cert.arm -text -noout | head -n 10
- Run the bludr-mq-renew-cert.sh script on both the source and target. In the output, check the second Validity section and verify that the Not After value is about 100 years away (2121 or later):
    $ ./bludr-mq-renew-cert.sh
    Certificate:
        Data:
            Version: 3 (0x2)
            Serial Number: 3686575169745515400 (0x33295895a674f388)
            Signature Algorithm: sha256WithRSAEncryption
            Issuer: C=US, O=IBM, CN=4818ff96-c9ec-4316-be2a-78ac79d2838d
            Validity
                Not Before: Dec 2 08:20:43 2021 GMT
                Not After : Dec 2 08:20:43 2024 GMT
            Subject: C=US, O=IBM, CN=4818ff96-c9ec-4316-be2a-78ac79d2838d
    Certificate:
        Data:
            Version: 3 (0x2)
            Serial Number: 3382945298641481939 (0x2ef2a2d3541a70d3)
            Signature Algorithm: sha256WithRSAEncryption
            Issuer: C=US, O=IBM, CN=4818ff96-c9ec-4316-be2a-78ac79d2838d
            Validity
                Not Before: Dec 4 11:50:32 2021 GMT
                Not After : Nov 11 11:50:32 2121 GMT
            Subject: C=US, O=IBM, CN=4818ff96-c9ec-4316-be2a-78ac79d2838d
- On the source system, run the bludr-trust-targets.sh script:
    /opt/ibm/bludr/scripts/bin/bludr-trust-targets.sh add 9.30.43.143 bluadmin bluadmin 9.30.161.62 9444
- Run the bludr-restart.sh script on both source and target to restart the capture and apply programs:
    /opt/ibm/bludr/scripts/bin/bludr-restart.sh
- Run the bludr-status.sh script on both source and target to verify that the replication REST server is active:
    /opt/ibm/bludr/scripts/bin/bludr-status.sh
- Start all send queues on the source system by following these steps:
  - Set the state of the send queues in the replication metadata to active (A) by using the following SQL statement:
      update qasn.ibmqrep_sendqueues set state='A'
  - Reinitialize the capture program to enable the send queue state change:
      asnqccmd capture_server=FRKJKKDZ capture_schema=QASN reinit
- Enable Wolverine on both the source and target:
    wvcli system enable -m renew_mq_cert_complete
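The queue-depth checks on the target and source systems above are the point of no return: once the capture and apply programs are stopped and the key database is replaced, any message still in a queue is lost. This added helper (not part of the IBM procedure) scripts that check by parsing DISPLAY QLOCAL(*) CURDEPTH output and failing if any queue is non-empty; it assumes the runmqsc attribute layout shown on the page and also handles the layout where QUEUE and CURDEPTH are printed on consecutive lines.

```shell
# Gate on every local queue being empty. Pass runmqsc output on stdin, e.g.
#   echo "DISPLAY QLOCAL(*) CURDEPTH" | runmqsc FRKJKKDZ_CQM | check_queues_empty
# Returns 0 if all CURDEPTH values are 0, 1 if any queue still holds messages
# (named on stderr), 2 if no CURDEPTH line was found at all (wrong queue
# manager name, or the queue manager is not running).
check_queues_empty() {
    queue="?"; seen=0; nonempty=0
    while IFS= read -r line; do
        # runmqsc may print QUEUE(...) and CURDEPTH(...) on one line or on
        # consecutive lines, so remember the last queue name seen.
        case "$line" in
            *"QUEUE("*) queue=${line#*QUEUE\(}; queue=${queue%%\)*} ;;
        esac
        case "$line" in
            *"CURDEPTH("*)
                depth=${line#*CURDEPTH\(}; depth=${depth%%\)*}
                seen=$((seen + 1))
                if [ "$depth" -ne 0 ]; then
                    echo "queue $queue still holds $depth message(s)" >&2
                    nonempty=$((nonempty + 1))
                fi ;;
        esac
    done
    if [ "$seen" -eq 0 ]; then
        echo "no CURDEPTH values in input: check the queue manager name" >&2
        return 2
    fi
    [ "$nonempty" -eq 0 ]
}

# Constructed samples modelled on the page's DISPLAY QLOCAL(*) CURDEPTH output.
SAMPLE_EMPTY='1 : DISPLAY QLOCAL(*) CURDEPTH
AMQ8409I: Display Queue details.
   QUEUE(FRKJKKDZ_ADMINQ)                  TYPE(QLOCAL)
   CURDEPTH(0)
AMQ8409I: Display Queue details.
   QUEUE(SET10001_ACKFT)                   TYPE(QLOCAL)
   CURDEPTH(0)'
SAMPLE_BACKLOG='AMQ8409I: Display Queue details.
   QUEUE(SET10001_TXQ) TYPE(QLOCAL) CURDEPTH(0)
AMQ8409I: Display Queue details.
   QUEUE(SET10001_TXQ_FT) TYPE(QLOCAL) CURDEPTH(17)'
```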
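After bludr-mq-renew-cert.sh runs, the procedure asks you to read the second Validity section and confirm the Not After value. This added check (not IBM's code) parses that openssl output instead and computes the validity span of the last certificate shown, so a run where the old certificate was printed but the renewal silently failed is caught; it assumes openssl's "Not Before:" / "Not After :" line format and the 36500-day value from the -expire option in the script.

```shell
# Days since 1970-01-01 for a civil year/month/day (Howard Hinnant's algorithm).
days_from_civil() {
    y=$1; m=$2; d=$3
    if [ "$m" -le 2 ]; then y=$((y - 1)); mp=$((m + 9)); else mp=$((m - 3)); fi
    era=$((y / 400)); yoe=$((y - era * 400))
    doy=$(((153 * mp + 2) / 5 + d - 1))
    doe=$((yoe * 365 + yoe / 4 - yoe / 100 + doy))
    echo $((era * 146097 + doe - 719468))
}

# "Nov 11 11:50:32 2121 GMT" (openssl's Not Before/Not After form) -> "2121 11 11"
parse_x509_date() {
    set -- $1
    case "$1" in
        Jan) m=1;; Feb) m=2;; Mar) m=3;; Apr) m=4;; May) m=5;; Jun) m=6;;
        Jul) m=7;; Aug) m=8;; Sep) m=9;; Oct) m=10;; Nov) m=11;; Dec) m=12;;
        *) return 1;;
    esac
    echo "$4 $m $2"
}

# Reads the renew script's openssl output on stdin, prints the validity span in
# days of the last certificate shown (the renewed one), and returns 1 if that
# span is shorter than the 36500 days requested with -expire 36500.
renewed_validity_days() {
    nb=""; na=""
    while IFS= read -r line; do
        case "$line" in
            *"Not Before:"*) nb=${line#*"Not Before: "} ;;
            *"Not After :"*) na=${line#*"Not After : "} ;;
        esac
    done
    if [ -z "$nb" ] || [ -z "$na" ]; then return 2; fi
    start=$(parse_x509_date "$nb") || return 2
    end=$(parse_x509_date "$na") || return 2
    span=$(( $(days_from_civil $end) - $(days_from_civil $start) ))
    echo "$span"
    [ "$span" -ge 36500 ]
}

# Constructed sample trimmed to the relevant lines, mirroring the page's output:
# the backed-up 3-year certificate first, then the renewed one.
SAMPLE_RENEW_OUTPUT='Certificate:
            Not Before: Dec  2 08:20:43 2021 GMT
            Not After : Dec  2 08:20:43 2024 GMT
Certificate:
            Not Before: Dec  4 11:50:32 2021 GMT
            Not After : Nov 11 11:50:32 2121 GMT'
```

Usage: `./bludr-mq-renew-cert.sh | tee renew.log; renewed_validity_days < renew.log || echo "renewal did not produce a 100-year certificate"`.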