Monitoring TLS/SSL Configuration and Connections

There are a number of show commands that you can use to validate and monitor TLS/SSL configuration and connections on Solace PubSub+ event brokers:

Show SSL Certificate Files

To view the certificate files that have been loaded to the /usr/sw/jail/certs directory in the event broker file system, and whether these files contain a private key and/or a certificate so that they can be installed as the event broker’s server certificate, enter the following command:

solace> show ssl certificate-files [filename <filename>] [detail]

Where:

<filename> is the name of a certificate file in the /usr/sw/jail/certs directory. The wildcards “*” or “?” may be used.

detail specifies that detailed output be shown. In addition to the certificate file name and whether it contains a private key and/or a certificate, the detail output also displays the contents of each certificate file.

The detail version of this command is not fully supported with SEMP over the message bus.

solace> show ssl certificate-files
Flags Legend:
C: Certificate (Y=yes, N=no)
K: Private Key (Y=yes, N=no)
                                                 Contents
Filename                                              C K
------------------------------------------------ --------
mycert.pem                                            Y Y
depth3server-rsa.pem                                  Y Y
depth4server-rsa.pem                                  Y Y
expired_selfSigned.pem                                Y Y
expired-rsa.pem                                       Y Y
future-rsa.pem                                        Y Y
noRootInChainDepth3server-rsa.pem                     Y Y
noRootInChainDepth4server-rsa.pem                     Y Y
selfSigned.pem                                        Y Y
server1-rsa.pem                                       Y Y
signedByExpiredLevel2Ca-rsa.pem                       Y Y
signedByExpiredRootCa-rsa.pem                         Y Y
untrusted-rsa.pem                                     Y Y

Show SSL Server Certificate

To view the filename of the TLS/SSL server certificate used by the event broker and when that server certificate was configured, enter the following command:

solace> show ssl server-certificate [detail]

Where:

detail specifies to also display the contents of each certificate file.

solace> show ssl server-certificate
Filename:             cert24.pem
Configured at:        Sep 21 2014 09:47:53 EDTsho

Show SSL Supported Cipher Suites

To view all cipher or cipher suites the event broker supports, enter the following command:

solace> show ssl supported-cipher-suites [{management | msg-backbone | ssh}]

Where:

management specifies to view the full list of cipher suites the event broker supports for management connections.

msg-backbone specifies to view the full list of cipher suites the event broker supports for message backbone connections.

ssh specifies to view the full list of ciphers the event broker supports for SSH connections.

If you do not specify a keyword, the event broker displays the full list of supported cipher suites for all inbound and outbound connections.

solace> show ssl supported-cipher-suites

ECDHE-RSA-AES256-GCM-SHA384
ECDHE-RSA-AES256-SHA384
ECDHE-RSA-AES256-SHA
AES256-GCM-SHA384
AES256-SHA256
AES256-SHA
ECDHE-RSA-DES-CBC3-SHA
DES-CBC3-SHA
ECDHE-RSA-AES128-GCM-SHA256
ECDHE-RSA-AES128-SHA256
ECDHE-RSA-AES128-SHA
AES128-GCM-SHA256
AES128-SHA256
AES128-SHA

Show SSL Cipher Suite List

To view the current cipher or cipher suite list that is used for management, message backbone, or SSH connections, or the default cipher suite list for all inbound and outbound connection types, enter the following command:

solace> show ssl cipher-suite-list {default | management [default]| msg-backbone [default]| ssh [default]}

Where:

default specifies to view the default cipher suite list the event broker supports for all inbound and outbound connections.

management specifies to view the current cipher suite list the event broker uses for management connections.

management default specifies to view the default cipher suite list the event broker uses for management connections.

msg-backbone specifies to view the current cipher suite list the event broker uses for message backbone connections.

msg-backbone default specifies to view the default cipher suite list the event broker uses for message backbone connections.

ssh specifies to view the current cipher list the event broker uses for SSH connections.

ssh default specifies to view the default cipher list the event broker uses for SSH connections.

solace> show ssl cipher-suite-list default

ECDHE-RSA-AES256-GCM-SHA384
ECDHE-RSA-AES256-SHA384
ECDHE-RSA-AES256-SHA
AES256-GCM-SHA384
AES256-SHA256
AES256-SHA
ECDHE-RSA-DES-CBC3-SHA
DES-CBC3-SHA
ECDHE-RSA-AES128-GCM-SHA256
ECDHE-RSA-AES128-SHA256
ECDHE-RSA-AES128-SHA
AES128-GCM-SHA256
AES128-SHA256
AES128-SHA

Show Stats SSL

To view the current running system-level TLS/SSL service statistics for the event broker, enter the following command:

solace> show stats ssl

solace> show stats ssl

Active Client Connections:                  25
  Incoming Connections:                     12
    Service Web Transport                    0
    Service SMF:                            11
    Service REST:                            0
    Service MQTT:                            0
  Outgoing Connections:                     13
    Service SMF:                             6
    Service REST:                            7
Active TCP Connections:                      0
Too Many Connections:                        0

Incoming:
  Connections Accepted:                  12125
  Connections Rejected:                      2
    Peer certificate verification failed:    0
    Unsupported Cipher Suite:                0
    SSL not operational:                     2
    Other failure:                           0

Outgoing:
  Connections Established:                  13
  Connections Failed:                        1
    Peer certificate verification failed:    0
    Other failure:                           0

  • To clear the current TLS/SSL statistics, enter the clear stats ssl Privileged EXEC command. When this command is entered, all of the TLS/SSL statistic counters are reset to 0, and TLS/SSL statistics begin to be recorded again from this point.
  • To view descriptions of the output fields for the show stats ssl User EXEC command, enter show stats ssl ?

Show Allowed TLS Versions

To view the currently allowed TLS versions, enter the following command:

solace> show ssl allow-tls-version

solace> show ssl allow-tls-version
Allowed TLS versions: 1.0. 1.1, 1.2

Show TLS Session Timeout

To view the current TLS session timeout value, enter the following command:

solace> show ssl tls-session-timeout

solace> show ssl tls-session-timeout
Tls Session Timeout (secs): 10000

Show Allow SSL Downgrade Status

To show whether SSL/SSL Downgrades are allowed on a given Message VPN, enter the following command:

solace>show message-vpn <message-vpn>

Where:

<message-vpn> is the name of the Message VPN to view

solace> show message-vpn default
Message VPN:                          default
Configuration Status:                 Enabled
Local Status:                         Up
Distributed Cache Management:         Enabled
SSL to plain text downgrade allowed:  No
Total Local Unique Subscriptions:     6
Total Remote Unique Subscriptions:    0
Total Unique Subscriptions:           6
Maximum Subscriptions:                5000000
Export Subscriptions:                 No (100% complete)
Active Incoming Connections:          1
   Service SMF:                       1
   Service Web-Transport:             0
   Service REST:                      0
   Service MQTT:                      0
Active Outgoing Connections:
   Service REST:                      0
   Max Incoming Connections:          1000
   Service SMF:                       1000
   Service Web-Transport:             1000
   Service REST:                      1000
   Service MQTT:                      1000