After we deploy an updated certificate into the keystore, do we need to run the refresh security type(ssl) command? I usually run this command after a certificate renewal, but I have seen cases where it was not run and the channel still picked up the new certificate. Does a certificate placed in the keystore take effect immediately, or do we need to run the ssl refresh?
Best answer
To ensure that all connections into and out of the queue manager use the current information in the keystore, you should always run REFRESH SECURITY TYPE(SSL) after making any update (for example to the private key, or even adding a new trusted CA certificate).
The first time any MQ process needs to access the keystore, that process reads the keystore and caches it in memory. In the default configuration, connections to the queue manager are handled by long-running processes, so after the first inbound connection to the queue manager that needs the key store, they keep that key store cached. In the default configuration, outbound channel connections use separate runmqchl processes that are started when the channel starts, so they always read the current key store each time.
This means that in some cases things can work even without REFRESH SECURITY TYPE(SSL), for example: when an SDR channel with MCATYPE(PROCESS) starts, a new runmqchl process is started, which reads the key store and picks up any changes. Morag Hughson gave a presentation titled "MQ SSL/TLS Channels Including V8 changes" at Capitalware's MQ Technical Conference v2.0.1.4. The notes section on page 10 of the PDF gives a good summary of what REFRESH SECURITY TYPE(SSL) does.
Refreshing SSL on WebSphere MQ - Notes
- This feature was introduced in WebSphere MQ V6.
- The SSL environment set up to run SSL channels in a channel process has a cached view of the key repository made at initialization time. If you make changes to your key repository, i.e. add, remove or update certificates, for example, because you are replacing a certificate that is about to expire, this cached view needs to be refreshed in order for the SSL channels to start using the new certificates.
- In order to refresh this cached view of the SSL environment, without disrupting any non-SSL channels, use the REFRESH SECURITY TYPE(SSL) command. This will stop all the SSL channels on the queue manager, new cached view(s) of the key repository will be made and all the sending type channels will be started again. Receiving type channels will get restarted as the partner end retries the connection.
- Non-SSL channels will be unaffected by this command and will continue to run.
- Also use this command to pick up other changes, such as new Key Repository locations, or new LDAP CRL/ARL locations.
IBM documents this in the IBM MQ Knowledge Center; below are two pages that contain information on the topic:
IBM MQ v7.5 KC page "Refreshing SSL or TLS security"
About this task
When a channel is secured using Secure Sockets Layer (SSL) or TLS, the digital certificates and their associated private keys are stored in the key repository. A copy of the key repository is held in memory while a channel is running. If you make a change to the key repository, you can refresh the copy of the key repository that is held in memory without restarting the channel.
When you refresh the cached copy of the key repository, all SSL or TLS channels that are currently running are updated:
- Sender, server, and cluster-sender channels that use SSL or TLS are allowed to complete the current batch of messages. The channels then run the SSL handshake again with the refreshed view of the key repository.
- All other channel types that use SSL or TLS are stopped. If the partner end of the stopped channel has retry values defined, the channel retries and runs the SSL handshake again. The new SSL handshake uses the refreshed view of the contents of the key repository, the location of the LDAP server to be used for the Certificate Revocation Lists, and the location of the key repository. In the case of a server-connection channel, the client application loses its connection to the queue manager and has to reconnect to continue.
The MQ v7.5 KC page "REFRESH SECURITY" states:
Usage notes for REFRESH SECURITY
When you issue the REFRESH SECURITY TYPE(SSL) MQSC command, all running SSL channels are stopped and restarted. Sometimes SSL channels can take a long time to shut down and this means that the refresh operation takes some time to complete. There is a time limit of 10 minutes for an SSL refresh to complete (or 1 minute on z/OS), so it can potentially take 10 minutes for the command to finish. This can give the appearance that the refresh operation has "frozen". The refresh operation will fail with an MQSC error message of AMQ9710 or PCF error MQRCCF_COMMAND_FAILED if the timeout is exceeded before all channels have stopped. This is likely to happen if the following conditions are true:
- The queue manager has many SSL channels running simultaneously when the refresh command is invoked
- The channels are handling large numbers of messages
If a refresh fails under these conditions, retry the command later when the queue manager is less busy. In the case where many channels are running, you can choose to stop some of the channels manually before invoking the REFRESH command.
...
When using TYPE(SSL):
- On platforms other than z/OS, the command updates all SSL channels regardless of whether a security refresh is needed.
- If a refresh is to be performed, the command updates all SSL channels currently running, as follows:
- Sender, server and cluster-sender channels using SSL are allowed to complete the current batch. In general they then run the SSL handshake again with the refreshed view of the SSL key repository. However, you must manually restart a requester-server channel on which the server definition has no CONNAME parameter.
- All other channel types using SSL are stopped with a STOP CHANNEL MODE(FORCE) STATUS(INACTIVE) command. If the partner end of the stopped message channel has retry values defined, the channel retries and the new SSL handshake uses the refreshed view of the contents of the SSL key repository, the location of the LDAP server to be used for Certification Revocation Lists, and the location of the key repository. In the case of a server-connection channel, the client application loses its connection to the queue manager and has to reconnect in order to continue.
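As an added illustration of the operational step the answer describes (not code from the original question or answer), this POSIX shell wrapper checks that the renewed certificate label is present in the key repository, issues REFRESH SECURITY TYPE(SSL) through runmqsc, and detects the AMQ9710 timeout case quoted above so the refresh can be retried when the queue manager is less busy. It assumes runmqsc and runmqakm are on PATH, a key.kdb with a stash file, and treats AMQ8560 ("security cache refreshed", a message id seen in practice, not quoted on this page) as the success indicator.

```shell
#!/bin/sh
# Added example, not part of the original Q&A or of IBM MQ itself.
# Assumptions: runmqsc/runmqakm on PATH; key repository is a .kdb with a
# stash file; AMQ9710 = refresh timed out (quoted above), AMQ8560 = refreshed.

# Print "present" or "missing" depending on whether LABEL is in the key repository.
# Run this before refreshing: a refresh cannot pick up a certificate that was
# never added.
cert_label_present() {
    kdb=$1; label=$2
    if runmqakm -cert -list -db "$kdb" -stashed 2>/dev/null | grep -q "$label"; then
        echo present
    else
        echo missing
    fi
}

# Classify runmqsc output read from stdin: refreshed | timeout | unknown.
# "unknown" means the output matched neither message and should be read by hand.
classify_refresh_output() {
    text=$(cat)
    case "$text" in
        *AMQ9710*) echo timeout ;;    # not all SSL channels stopped within the limit
        *AMQ8560*) echo refreshed ;;  # security cache refreshed
        *)         echo unknown ;;
    esac
}

# Issue REFRESH SECURITY TYPE(SSL) and retry on timeout, pausing between attempts.
# Returns 0 when the result is refreshed/unknown, 1 when every attempt timed out.
refresh_ssl_with_retry() {
    qm=$1; attempts=${2:-3}; delay=${3:-120}
    n=1
    while [ "$n" -le "$attempts" ]; do
        result=$(echo "REFRESH SECURITY TYPE(SSL)" | runmqsc "$qm" 2>&1 | classify_refresh_output)
        if [ "$result" != timeout ]; then
            echo "$result"
            return 0
        fi
        echo "attempt $n timed out (AMQ9710); retrying in ${delay}s" >&2
        n=$((n + 1))
        sleep "$delay"
    done
    echo timeout
    return 1
}

# Example run (only meaningful on a host with MQ installed; values are placeholders):
# cert_label_present /var/mqm/qmgrs/QM1/ssl/key.kdb ibmwebspheremqqm1
# refresh_ssl_with_retry QM1 3 120
```

If the refresh keeps timing out, the quoted usage notes apply: wait until fewer SSL channels are busy, or stop some of them manually before issuing the command again.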
For the question "ibm-mq - Is the "refresh security type(ssl)" command needed after deploying a certificate into the keystore?", a similar question was found on Stack Overflow: https://stackoverflow.com/questions/46443298/