Verify the TLS configuration of your queue manager with mqcertck
The mqcertck command is a tool that looks for common mistakes in the TLS configuration of your queue manager and provides suggestions for resolving the problems it finds.
Introduction
The mqcertck command checks the:
- Existence and permissions of the key repository of the queue manager, referenced in the queue manager SSLKEYR attribute.
- Existence and validity of the queue manager certificate, referenced in the queue manager CERTLABL attribute.
- Existence and validity of any certificates referenced in the CERTLABL attributes of TLS-enabled channels.
- Key repository and certificates of the client applications, including checking that the client certificates are trusted by the queue manager.
Note: The mqcertck command is not available on z/OS or IBM i.
Usage
To use the mqcertck command, run mqcertck, together with its required parameters and any optional parameters you require, from a command line.
See mqcertck for a description of the command and the parameters the command takes.
Example
You have just finished setting up your queue manager QM1 to allow TLS connections from clients connecting to the SVRCONN channel of the queue manager.
You are using the multiple certificates feature, so both your queue manager and the channel have a certificate label specified in their CERTLABL attributes. While creating the channel you made a mistake in the CERTLABL attribute of the channel, so when a client attempts to connect, the queue manager returns return code 2393, MQRC_SSL_INITIALIZATION_ERROR.
Before putting the queue manager into service, you use the mqcertck command to verify the TLS configuration of the queue manager.
You run the command mqcertck QM1 and receive the following output:
5724-H72 (C) Copyright IBM Corp. 1994, 2020.
+----------------------------------------------------------
| IBM MQ TLS Configuration Test tool
+----------------------------------------------------------
| Problem identified:
| No certificate could be found for the channel
| MQCERTCK.CHANNEL
| This tool looked in the Queue Manager's key repository
| located at: 'C:\MQ Data\qmgrs\QM1\ssl\key.kdb'
| for a certificate with label 'chacert',
| which is the certificate specified in the channel's
| CERTLABL attribute, but was unable to find one.
|
| Possible resolution:
| A valid certificate with the label chacert
| needs to be added to the key repository.
|
| Alternatively, alter the channel definition to remove
| the CERTLABL value. This can be done by executing the
| following command in runmqsc:
| ALTER CHANNEL(<Name>) CHLTYPE(<TYPE>) CERTLABL(' ')
+----------------------------------------------------------
| mqcertck has ended. See above for any problems found.
| If there are problems then resolve these and run this
| tool again.
|
+----------------------------------------------------------
This output prompts you to check the channel definition of the server connection channel MQCERTCK.CHANNEL. There you see the error you made, and you can correct it before running the mqcertck command again to verify that the problem is resolved.
Verify client connections
The mqcertck command can verify client key repositories as well as the TLS configuration of the queue manager. To do this, mqcertck needs to be able to access the key repository of the client from the machine running the queue manager.
When running the mqcertck command, if you supply the -clientkeyr parameter with the location of the client key repository (excluding the file extension), mqcertck checks this key repository against the queue manager.
If you know which channel the client will use to connect to the queue manager, you can specify it with the -clientchannel parameter.
If the client uses mutual authentication to connect to the queue manager, you can use the -clientusername or -clientlabel parameter to tell the mqcertck command which certificate in the client key repository to use.
If the client application uses the default certificate, that is, no certificate label is supplied to the client application, use -clientusername with the username under which the application runs.
During its operation, the mqcertck command then generates the certificate label ibmwebspheremqXXXX, where XXXX is the value passed in the -clientusername parameter, and looks for a certificate with that label.
In order to fully verify the client key repository, the mqcertck command creates a dummy connection using GSKit. To do this, the command needs a port that it can bind to during its client tests. The default port is 5857; if this port is already in use, you can specify a different port to be used during the client tests.
Note: Although the mqcertck command binds to a port, no external communications are used by mqcertck, and all tests are performed locally.
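The report format shown in the example above and the client-side checks described here lend themselves to automation, for instance as a pre-deployment gate. The following is an added example, not IBM's code: it runs mqcertck with the -clientkeyr and -clientchannel parameters named on this page and parses the banner-style report into (problem, resolution) pairs so a pipeline can fail when any problem is reported. The sample report is a condensed version of the one above, constructed for the offline test.

```python
# Added example (not IBM's code): turn the mqcertck report into structured findings.
import subprocess
from typing import List, Optional, Tuple

# Constructed sample, condensed from the report shown on this page.
SAMPLE_REPORT = """\
+----------------------------------------------------------
| Problem identified:
| No certificate could be found for the channel
| MQCERTCK.CHANNEL
|
| Possible resolution:
| A valid certificate with the label chacert
| needs to be added to the key repository.
+----------------------------------------------------------
| mqcertck has ended. See above for any problems found.
+----------------------------------------------------------
"""

def parse_mqcertck(output: str) -> List[Tuple[str, str]]:
    """Return [(problem, resolution), ...] found in mqcertck output."""
    findings, buf, section = [], {"problem": [], "resolution": []}, None
    # Append a separator so a report missing its final rule still flushes.
    for raw in (output + "\n+----").splitlines():
        line = raw.strip()
        if line.startswith("+----"):            # block separator: flush
            if buf["problem"]:
                findings.append((" ".join(buf["problem"]),
                                 " ".join(buf["resolution"])))
            buf, section = {"problem": [], "resolution": []}, None
            continue
        body = line.lstrip("| ").strip()        # drop the '|' gutter
        if body.startswith("Problem identified:"):
            section = "problem"
        elif body.startswith("Possible resolution:"):
            section = "resolution"
        elif body and section:
            buf[section].append(body)
    return findings

def run_mqcertck(qmgr: str, client_keyr: Optional[str] = None,
                 client_channel: Optional[str] = None) -> List[Tuple[str, str]]:
    """Run mqcertck with the flags named on this page and parse its report."""
    cmd = ["mqcertck", qmgr]
    if client_keyr:
        cmd += ["-clientkeyr", client_keyr]      # path without the extension
    if client_channel:
        cmd += ["-clientchannel", client_channel]
    proc = subprocess.run(cmd, capture_output=True, text=True, check=False)
    return parse_mqcertck(proc.stdout)
```

A non-empty list from run_mqcertck("QM1", "/path/to/clientkey", "MQCERTCK.CHANNEL") means mqcertck reported at least one problem, so the deployment step should stop and print the pairs.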