mqcertck (certify TLS setup)

Use the mqcertck command to diagnose potential TLS problems with your queue managers.


Purpose

The command can be used as a first check to determine why a TLS connection to queue managers within your enterprise has failed, and works with multiple certificates.


Syntax

mqcertck QmgrName -clientkeyr client_key_repository -clientchannel channel_name -clientuser client_username -clientlabel client_certlabl -clientport client_port


Required parameters

    QmgrName
    Name of the queue manager to check for TLS errors.
    -clientchannel channel_name
    Name of the channel on the referenced queue manager to check for TLS errors.


Optional parameters

    -clientkeyr client_key_repository
    Required if you supplied the -clientuser, -clientlabel, or -clientport parameters.

    Location of the client key repository that would be used by a client application connecting to the referenced queue manager.

    Important: You must supply the name without the .kdb extension.
    -clientuser client_username
    Cannot be used if you supplied the -clientlabel parameter.

    User running the client application, connecting to the referenced queue manager, if the client application is not using the client CERTLABL attribute to supply a certificate label.

    -clientlabel client_certlabl
    Cannot be used if you supplied the -clientuser parameter.

    Certificate label that is given to the client, connecting to the referenced queue manager, using one of the IBM MQ MQI client CERTLABL methods.

    -clientport client_port
    Specific port to use when testing the client. The value must be:

    • An integer value between 1 and 65535 inclusive.
    • A free port that mqcertck can use during its client checks.
    • Not a port that is in use by the queue manager, or any other process on the machine running mqcertck.

    If you do not specify a value, port 5857 is used.


Examples

Example 1

After configuring an IBM MQ queue manager for TLS connections, you can use mqcertck to verify that no mistakes have been made before you attempt to start your channels.

To do this, run the command:
mqcertck QmgrName
where QmgrName is the name of your queue manager, and check the output for any problems identified with your configuration.

Example 2

After creating a key repository and certificate, and exchanging certificates for a client application, you can use mqcertck to verify that the client application is able to connect to a queue manager.

To do this, you need to run mqcertck on the machine where the IBM MQ queue manager is running, and have access to the client key repository.

You can provide this access in a variety of ways, for example, a file system mount. After you have set up your machine, run the following command:
mqcertck QmgrName -clientkeyr client_key_repository -clientlabel client_certlabl

Check the output for any problems identified with your configuration.

Note that if you are planning on having your clients connect anonymously, you can run the preceding command without the -clientlabel parameter.
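
The parameter rules above can be checked before mqcertck is run. The following shell function is an added example, not part of IBM MQ or of the original page; it builds the command line for the client checks in Example 2 and rejects combinations the parameter descriptions rule out. The name mqcertck_cmd, its argument order, and its return codes are assumptions made for illustration, and it treats -clientchannel as required, as the parameter list above does.

```shell
#!/bin/sh
# Added example. mqcertck_cmd is a hypothetical helper, not part of IBM MQ.
# Arguments: qmgr channel keyr label user port ("" for any unused option).
# Prints the mqcertck command line, or returns non-zero if a rule is broken.
# It does not test whether the port is free; check that separately.
mqcertck_cmd() {
    qmgr=$1 channel=$2 keyr=$3 label=$4 user=$5 port=$6

    # Required parameters as listed on this page.
    if [ -z "$qmgr" ] || [ -z "$channel" ]; then
        echo "QmgrName and -clientchannel are required" >&2; return 2
    fi
    # -clientuser and -clientlabel cannot be used together.
    if [ -n "$label" ] && [ -n "$user" ]; then
        echo "use either -clientuser or -clientlabel, not both" >&2; return 3
    fi
    # -clientkeyr is required with -clientuser, -clientlabel or -clientport.
    if [ -z "$keyr" ] && [ -n "$label$user$port" ]; then
        echo "-clientkeyr is required with the other client options" >&2; return 4
    fi
    # -clientport must be an integer between 1 and 65535 inclusive.
    if [ -n "$port" ]; then
        case $port in
            *[!0-9]*|??????*) echo "invalid port: $port" >&2; return 5 ;;
        esac
        if [ "$port" -lt 1 ] || [ "$port" -gt 65535 ]; then
            echo "port out of range: $port" >&2; return 5
        fi
    fi

    set -- mqcertck "$qmgr" -clientchannel "$channel"
    if [ -n "$keyr" ]; then
        keyr=${keyr%.kdb}   # the name is supplied without the .kdb extension
        # The repository must be readable from the queue manager's machine.
        if [ ! -r "$keyr.kdb" ]; then
            echo "cannot read $keyr.kdb" >&2; return 6
        fi
        set -- "$@" -clientkeyr "$keyr"
    fi
    [ -z "$label" ] || set -- "$@" -clientlabel "$label"
    [ -z "$user" ]  || set -- "$@" -clientuser "$user"
    [ -z "$port" ]  || set -- "$@" -clientport "$port"
    echo "$*"   # swap for "$@" to run the command instead of printing it
}
```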