Monitoring TLS/SSL Configuration and Connections

There are a number of show commands that you can use to validate and monitor TLS/SSL configuration and connections on Solace PubSub+ event brokers:

Show SSL Certificate Files

To view the certificate files that have been loaded to the /certs directory in the event broker file system, and whether these files contain a private key and/or a certificate so that they can be installed as the event broker’s server certificate, enter the following command:

solace> show ssl certificate-files [filename <filename>] [detail]

Where:

<filename> is the name of a certificate file in the /certs directory. The wildcards “*” or “?” may be used.

detail specifies that detailed output be shown. In addition to the certificate file name and whether it contains a private key and/or a certificate, the detail output also displays the contents of each certificate file.

Note: The detail version of this command is not fully supported with SEMP over the message bus.
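As an added pre-upload check (example code written for this page, not part of the Solace documentation or product), the following Python script reports for a local PEM file what show ssl certificate-files would report once the file sits in /certs: whether it contains a private key and/or a certificate, plus basic well-formedness of each block. The recognised PEM labels and the rule that a server certificate file needs exactly one private key and at least one certificate are this example's assumptions.

```python
import base64
import re

# PEM labels this example treats as private keys (PKCS#8, PKCS#1, SEC1, encrypted PKCS#8).
KEY_LABELS = {"PRIVATE KEY", "RSA PRIVATE KEY", "EC PRIVATE KEY", "ENCRYPTED PRIVATE KEY"}
PEM_RE = re.compile(
    r"-----BEGIN (?P<label>[A-Z ]+)-----(?P<body>.*?)-----END (?P=label)-----", re.DOTALL
)


def inspect_pem(text):
    """Report what a PEM file contains, mirroring the private-key / certificate
    columns of 'show ssl certificate-files'. Returns block counts, an encrypted-key
    flag, a list of problems, and whether the file has what a server certificate
    needs (assumption: exactly one private key plus at least one certificate)."""
    certs = keys = 0
    encrypted = False
    problems = []
    for m in PEM_RE.finditer(text):
        label = m.group("label")
        lines = m.group("body").splitlines()
        headers = [ln for ln in lines if ":" in ln]  # legacy headers, e.g. Proc-Type: 4,ENCRYPTED
        try:
            der = base64.b64decode("".join(ln.strip() for ln in lines if ":" not in ln), validate=True)
        except ValueError:  # binascii.Error is a subclass of ValueError
            problems.append(f"{label}: body is not valid base64")
            continue
        if not der or der[0] != 0x30:  # X.509 certs and PKCS#8/PKCS#1/SEC1 keys are DER SEQUENCEs
            problems.append(f"{label}: body does not decode to a DER SEQUENCE")
            continue
        if label == "CERTIFICATE":
            certs += 1
        elif label in KEY_LABELS:
            keys += 1
            if label.startswith("ENCRYPTED") or any("ENCRYPTED" in h for h in headers):
                encrypted = True
        else:
            problems.append(f"{label}: unrecognised PEM label")
    return {
        "certificates": certs,
        "private_keys": keys,
        "encrypted_key": encrypted,
        "problems": problems,
        "server_cert_ready": certs >= 1 and keys == 1 and not problems,
    }


def _block(label, der):
    return f"-----BEGIN {label}-----\n{base64.b64encode(der).decode()}\n-----END {label}-----\n"


# Constructed sample input: dummy DER (a SEQUENCE holding INTEGER 1), not real keys or certificates.
DUMMY_DER = bytes.fromhex("3003020101")
SAMPLE_SERVER_PEM = _block("PRIVATE KEY", DUMMY_DER) + _block("CERTIFICATE", DUMMY_DER) * 2
SAMPLE_CERT_ONLY = _block("CERTIFICATE", DUMMY_DER)
SAMPLE_BROKEN = "-----BEGIN CERTIFICATE-----\nnot*base64\n-----END CERTIFICATE-----\n"
```

Run inspect_pem on the file you intend to copy to /certs; a file reporting server_cert_ready False would show up on the broker as lacking a private key or a certificate.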

Show SSL Server Certificate

To view the filename of the TLS/SSL server certificate used by the event broker and when that server certificate was configured, enter the following command:

solace> show ssl server-certificate [detail]

Where:

detail specifies to also display the contents of each certificate file.

Show SSL Supported Cipher Suites

To view all ciphers or cipher suites the event broker supports, enter the following command:

solace> show ssl supported-cipher-suites [{management | msg-backbone | ssh}]

Where:

management specifies to view the full list of cipher suites the event broker supports for management connections.

msg-backbone specifies to view the full list of cipher suites the event broker supports for message backbone connections.

ssh specifies to view the full list of ciphers the event broker supports for SSH connections.

Note: If you do not specify a keyword, the event broker displays the full list of supported cipher suites for all inbound and outbound connections.

Show SSL Cipher Suite List

To view the current cipher or cipher suite list that is used for management, message backbone, or SSH connections, or the default cipher suite list for all inbound and outbound connection types, enter the following command:

solace> show ssl cipher-suite-list {default | management [default] | msg-backbone [default] | ssh [default]}

Where:

default specifies to view the default cipher suite list the event broker supports for all inbound and outbound connections.

management specifies to view the current cipher suite list the event broker uses for management connections.

management default specifies to view the default cipher suite list the event broker uses for management connections.

msg-backbone specifies to view the current cipher suite list the event broker uses for message backbone connections.

msg-backbone default specifies to view the default cipher suite list the event broker uses for message backbone connections.

ssh specifies to view the current cipher list the event broker uses for SSH connections.

ssh default specifies to view the default cipher list the event broker uses for SSH connections.

Show Stats SSL

To view the current running system-level TLS/SSL service statistics for the event broker, enter the following command:

solace> show stats ssl

  • To clear the current TLS/SSL statistics, enter the clear stats ssl Privileged EXEC command. When this command is entered, all of the TLS/SSL statistic counters are reset to 0, and TLS/SSL statistics begin to be recorded again from this point.
  • To view descriptions of the output fields for the show stats ssl User EXEC command, enter show stats ssl ?

Show Allowed TLS Versions

To view the currently allowed TLS versions, enter the following command:

solace> show ssl allow-tls-version

Show TLS Session Timeout

To view the current TLS session timeout value, enter the following command:

solace> show ssl tls-session-timeout

Show Allow SSL Downgrade Status

To show whether TLS/SSL downgrades are allowed on a given Message VPN, enter the following command:

solace> show message-vpn <message-vpn>

Where:

<message-vpn> is the name of the Message VPN to view.