Monday, 24 April 2017

Validating SSL configuration for IBM MQ using mqcertck

In the past, in order to perform SSL checking we would have had to verify manually that the key repository was in the correct location with the correct permissions, and that the correct CERTLABL parameter was in use.

As of IBM MQ version 8.0.0.4 (not on the appliance) we can instead use the mqcertck command, which performs the checks previously provided by an MQ SupportPac. The command requires a queue manager name; optionally the channel, key repository, port, a specific user or the CERTLABL value can also be supplied and checked.

For full details see the knowledge centre:
https://www.ibm.com/support/knowledgecenter/en/SSFKSJ_8.0.0/com.ibm.mq.ref.adm.doc/q120895_.htm

I began to use this command in my Pure Application MQ and IIB testing, alongside the legacy verification tests run after a successful deploy. The first usage gave me the following output, based on scripts that had been ported to Pure from legacy stand-alone scripts.

  [mqm@XXXXXXXXXX root]$ mqcertck MQXXX01
  5724-H72 (C) Copyright IBM Corp. 1994, 2015.
  +----------------------------------------------------------
  | IBM MQ TLS Configuration Test tool                       
  +----------------------------------------------------------
  | mqcertck has ended. See above for any problems found. 
  | If there are problems then resolve these and run this   
  | tool again.                                             
  |                                                         
  +----------------------------------------------------------

This appears to suggest that there were no SSL/TLS configuration issues, though there isn't a "successful completion" message. Being a firm believer that nobody is perfect, I wanted to test that all was well with the deploy configuration and that the above outcome was the expected one.

First I altered the queue manager CERTLABL to a generic 'mylabels' and got the following output when the command was rerun.

  echo "ALTER QMGR CERTLABL( 'mylabels' )" | runmqsc MQXXX01
  echo "REFRESH SECURITY TYPE(SSL)" | runmqsc MQXXX01

  [mqm@XXXXXXXXXX root]$ mqcertck MQXXX01
  5724-H72 (C) Copyright IBM Corp. 1994, 2015.
  +----------------------------------------------------------
  | IBM MQ TLS Configuration Test tool                       
  +----------------------------------------------------------
  | Problem identified:                                      
  |  No certificate could be found for the queue manager     
  |  MQXBK01 
  |                                                          
  | Advice:                                                  
  |  Queue managers will use a certificate with the label    
  |  set in the Queue Manager's CERTLABL attribute.          
  |  There is no certificate with the label mylabels 
  |  in the key repository being used by the queue manager   
  |  (/var/mqm/qmgrs/MQXXX01/ssl/MQXXX01.kdb) 
  |                                                          
  | Possible resolution:                                     
  |  A valid certificate with the label mylabels 
  |  needs to be added to the key repository.                
  |                                                          
  | Exceptions:                                              
  |  SSL channels being used to connect to another queue     
  |  manager do not need a personal certificate if the remote
  |  end of the channel at that queue manager has SSLCAUTH   
  |  (SSL client authentication) set to OPTIONAL.            
  |  This is true for channels which initiate the connection 
  |  e.g. sender or requester channels                       
  +----------------------------------------------------------
  | mqcertck has ended. See above for any problems found. 
  | If there are problems then resolve these and run this   
  | tool again.                                             
  |                                                         
  +---------------------------------------------------------- 

A certificate with the stated label - as expected - couldn't be found. So I reverted to the original label.

  echo "ALTER QMGR CERTLABL( 'Original Label' )" | runmqsc MQXXX01
  echo "REFRESH SECURITY TYPE(SSL)" | runmqsc MQXXX01

  [mqm@XXXXXXXXXX root]$ mqcertck MQXXX01
  5724-H72 (C) Copyright IBM Corp. 1994, 2015.
  +----------------------------------------------------------
  | IBM MQ TLS Configuration Test tool                       
  +----------------------------------------------------------
  | mqcertck has ended. See above for any problems found. 
  | If there are problems then resolve these and run this   
  | tool again.                                             
  |                                                         
  +----------------------------------------------------------

I then wanted to test what happened if the command couldn't find the correct .kdb file, so I went to the relevant directory and renamed (mv'ed) the .kdb to another name in the same location.

  cd /var/mqm/qmgrs/MQXXX01/ssl
  mv MQXXX01.kdb MQAAA01.kdb

  [mqm@XXXXXXXXXX root]$ mqcertck MQXXX01
  5724-H72 (C) Copyright IBM Corp. 1994, 2015.
  +----------------------------------------------------------
  | IBM MQ TLS Configuration Test tool                       
  +----------------------------------------------------------
  | Problem identified:                                      
  |  No key repository could be found for the queue manager  
  |  MQXBK01 
  |                                                          
  | Advice:                                                  
  |  Queue managers use the SSLKEYR attribute to identify the
  |  location of the SSL key repository to use.              
  |  No key repository file could be found at the location   
  |  specified in the queue manager's SSLKEYR attribute      
  |  (/var/mqm/qmgrs/MQXXX01/ssl/MQXXX01.kdb) 
  |                                                          
  | Possible resolution:                                     
  |  Alter the queue manager's SSLKEYR attribute to point at 
  |  the correct key repository and/or create a key          
  |  repository at the specified location.                   
  +----------------------------------------------------------
  | mqcertck has ended. See above for any problems found. 
  | If there are problems then resolve these and run this   
  | tool again.                                             
  |                                                          
  +----------------------------------------------------------

The output for this failure clearly states that the key repository as defined on the queue manager could not be found. When I moved the file back and ran the command again, the command once more confirmed the SSL setup was correct.

  mv MQAAA01.kdb MQXXX01.kdb

  [mqm@XXXXXXXXXX root]$ mqcertck MQXXX01
  5724-H72 (C) Copyright IBM Corp. 1994, 2015.
  +----------------------------------------------------------
  | IBM MQ TLS Configuration Test tool                       
  +----------------------------------------------------------
  | mqcertck has ended. See above for any problems found. 
  | If there are problems then resolve these and run this   
  | tool again.                                             
  |                                                         
  +----------------------------------------------------------

To conclude, when it comes to mqcertck: no news is good news.
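Since the tool never prints a success line, a deploy script has to treat the absence of a "Problem identified:" block as the pass condition. The following wrapper is an added example written for this post, not part of the post or of IBM MQ; it assumes runmqsc and mqcertck are on the PATH, that the queue manager name is passed in the hypothetical QMGR environment variable, and the function names and sample outputs (modelled on the ones above) are constructed here.

```shell
#!/bin/sh
# Added example, not from the original post: wrap mqcertck so a deploy script
# can fail on a bad TLS configuration. Success is inferred from the ABSENCE of
# a "Problem identified:" block. Function names are this example's own.

# Constructed samples modelled on the outputs shown in the post.
SAMPLE_OK='| IBM MQ TLS Configuration Test tool
+----------------------------------------------------------
| mqcertck has ended. See above for any problems found.'
SAMPLE_BAD='| IBM MQ TLS Configuration Test tool
+----------------------------------------------------------
| Problem identified:
|  No certificate could be found for the queue manager
| Possible resolution:
|  A valid certificate with the label mylabels
+----------------------------------------------------------
| mqcertck has ended. See above for any problems found.'

# 0 = no problem reported, 1 = problem block present (echoed so the deploy
# log shows the cause), 2 = output does not look like mqcertck ran at all.
mqcertck_output_ok() {
    _out="$1"
    if printf '%s\n' "$_out" | grep -q '| Problem identified:'; then
        printf '%s\n' "$_out" | sed -n '/| Problem identified:/,/| Possible resolution:/p'
        return 1
    fi
    printf '%s\n' "$_out" | grep -q 'mqcertck has ended' || return 2
    return 0
}

# SSLKEYR holds the stem; the repository file is <stem>.kdb and must be
# readable by the account running the check (mqm on the post's system).
check_keyr_file() {
    [ -r "$1.kdb" ]
}

# Full post-deploy check for one queue manager (needs runmqsc and mqcertck
# on the PATH, i.e. MQ 8.0.0.4 or later).
verify_qmgr_tls() {
    _qm="$1"
    command -v mqcertck >/dev/null 2>&1 || { echo "mqcertck not found"; return 2; }
    _stem=$(echo "DISPLAY QMGR SSLKEYR" | runmqsc "$_qm" \
            | sed -n 's/.*SSLKEYR(\([^)]*\)).*/\1/p')
    check_keyr_file "$_stem" || { echo "key repository $_stem.kdb unreadable"; return 1; }
    mqcertck_output_ok "$(mqcertck "$_qm" 2>&1)"
}

# Usage: QMGR=MQXXX01 sh mqtlscheck.sh   (exit status 0 only when all is well)
if [ -n "${QMGR:-}" ]; then verify_qmgr_tls "$QMGR"; fi
```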