MQ

  • 1.  Display SSL server certificate information for MQTT channel

    Posted Tue February 27, 2024 09:01 AM

    We recently had an issue where an SSL certificate was updated for the MQTT channel. I did the 'REFRESH SECURITY TYPE(SSL)' then stopped and started the MQTTS channel. We had some servers where the new cert was in the TrustStore but the old one was still being used. Seems like a race condition between the refresh and the stop/start.

    What method can I use to hit the MQTTS channel and display the certificate information so I can verify the change took hold? Can openssl be used to query the certificate information?



    ------------------------------
    Earle Ake
    ------------------------------


  • 2.  RE: Display SSL server certificate information for MQTT channel

    Posted Tue February 27, 2024 05:11 PM
    Edited by Tim Zielke Wed February 28, 2024 10:42 AM

    I don't work with MQTT channels, but as long as you can poke an IBM MQ TLS port, you should be able to use openssl s_client to get the IBM MQ cert for the given channel. The following blog post goes into more details with using openssl s_client and talks about things like CERTLABL which needs to be taken into consideration when using this approach.

    https://community.ibm.com/community/user/integration/blogs/tim-zielke1/2020/04/24/using-openssl-s-client-with-ibm-mq



    ------------------------------
    Tim Zielke
    ------------------------------



  • 3.  RE: Display SSL server certificate information for MQTT channel

    Posted Wed February 28, 2024 04:33 AM
    Edited by SAVITHA JOSHI Wed February 28, 2024 05:39 AM

    For MQTT channels, the key repository has to be specified in the mqxr_win/mqxr_unix properties file. REFRESH SECURITY TYPE(SSL) may not be applicable to MQTT channels. Ideally a restart of the MQTT channels should have picked up the new certificate. If the problem is still there, check if there are any errors logged in the mqxr error logs.



    ------------------------------
    SAVITHA JOSHI
    ------------------------------



  • 4.  RE: Display SSL server certificate information for MQTT channel

    Posted Wed February 28, 2024 10:28 AM

    Unfortunately, since the client did not like my server cert, it was throwing errors and the MQXR logs rolled. All I saw was:

    2/16/24 21:16:32.384  AMQCO1010E: An SSL Exception occurred when a client at '/10.192.4.7' attempted to connect to channel 'MQTTSChannel': javax.net.ssl.SSLException: Received fatal alert: certificate_unknown.
    2/16/24 21:16:32.384  AMQXR0021W: Client '' at network address '10.192.4.7' disconnected abnormally with exception 'Received fatal alert: certificate_unknown'.



    ------------------------------
    Earle Ake
    ------------------------------



  • 5.  RE: Display SSL server certificate information for MQTT channel

    Posted Wed February 28, 2024 10:37 AM

    Looks like the openssl s_client -connect localhost:8883 -showcerts command works and gives me back the server cert and CAs. I will just run that through openssl to get the information needed. Thanks!



    ------------------------------
    Earle Ake
    ------------------------------



  • 6.  RE: Display SSL server certificate information for MQTT channel

    Posted Wed February 28, 2024 10:45 AM

    FYI, this seems to work, printing out the first cert and the information needed for port 8883.

    openssl s_client -connect localhost:8883 -showcerts </dev/null 2>/dev/null | awk '/BEGIN CERTIFICATE/{flag=1;print;next}/END CERTIFICATE/{flag=0;print;exit}flag' | openssl x509 -noout -issuer -subject -startdate -enddate



    ------------------------------
    Earle Ake
    ------------------------------
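The following script is an added example, not code from the thread or from IBM MQ. It turns the openssl s_client pipeline from posts 5 and 6 into a repeatable check for the race condition described in post 1: it fetches the leaf certificate actually served on a TLS listener, prints the fields an operator wants after a rotation (subject, issuer, serial, validity, SHA-256 fingerprint), and compares that fingerprint with a PEM copy of the certificate that should now be in use (exported from the MQTT key repository). It assumes openssl is on PATH; the host, port and expected-certificate path are placeholders passed as arguments.

```shell
#!/bin/sh
# Added example (not from the thread): verify that the certificate served on an
# MQ/MQTT TLS listener is the one expected after a rotation.
# Assumptions: openssl 1.1 or later on PATH; the expected certificate is a PEM
# file exported from the MQTT key repository (hypothetical path, given as $3).

# Keep only the first PEM certificate block (the leaf) from s_client output.
# Reads stdin, writes the block to stdout.
first_pem_block() {
    awk '/-----BEGIN CERTIFICATE-----/{p=1} p{print} /-----END CERTIFICATE-----/{exit}'
}

# Fetch the leaf certificate presented by host:port as PEM.
# </dev/null makes s_client return once the handshake is done instead of
# waiting for interactive input; -servername sends SNI in case the listener
# selects its certificate by name.
fetch_leaf_cert() {
    host=$1; port=$2
    openssl s_client -connect "$host:$port" -servername "$host" -showcerts \
        </dev/null 2>/dev/null | first_pem_block
}

# Print the fields worth checking after a rotation. Reads PEM on stdin.
cert_summary() {
    openssl x509 -noout -subject -issuer -serial -startdate -enddate \
        -fingerprint -sha256
}

# SHA-256 fingerprint of a PEM certificate on stdin: lowercase hex, no colons,
# so the value compares cleanly across OpenSSL versions.
cert_fingerprint() {
    openssl x509 -noout -fingerprint -sha256 | sed 's/^.*=//; s/://g' | tr 'A-F' 'a-f'
}

# Compare two PEM files by fingerprint. Returns 0 on match, 1 otherwise.
fingerprints_match() {
    a=$(cert_fingerprint < "$1")
    b=$(cert_fingerprint < "$2")
    [ -n "$a" ] && [ "$a" = "$b" ]
}

# Fetch the served certificate and compare it with the expected PEM file.
# Returns 0 when the new certificate is live, 1 when the old one is still being
# served, 2 when no certificate came back (listener down, wrong port, no TLS).
verify_served_cert() {
    host=$1; port=$2; expected_pem=$3
    tmp=$(mktemp) || return 2
    fetch_leaf_cert "$host" "$port" > "$tmp"
    if ! grep -q 'BEGIN CERTIFICATE' "$tmp"; then
        echo "no certificate received from $host:$port" >&2
        rm -f "$tmp"; return 2
    fi
    echo "served by $host:$port:"
    cert_summary < "$tmp"
    if fingerprints_match "$tmp" "$expected_pem"; then
        echo "OK: served certificate matches $expected_pem"
        rc=0
    else
        echo "MISMATCH: $host:$port is still serving a different certificate than $expected_pem" >&2
        rc=1
    fi
    rm -f "$tmp"
    return $rc
}

# Usage: ./check_mqtt_cert.sh <host> <port> <expected.pem>
# e.g.   ./check_mqtt_cert.sh localhost 8883 /path/to/new-server-cert.pem
if [ $# -eq 3 ]; then
    verify_served_cert "$1" "$2" "$3"
fi
```

Run it against every server in the farm after the channel restart; a non-zero exit on any host means that host still needs attention, and the printed summary shows which certificate (old or new) it is actually handing out. Because the comparison is by fingerprint rather than by subject or expiry date, a reissued certificate with the same DN is still told apart from its predecessor.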