IBM Support

QMGTOOLS: System SSL Test Client (SSLTSTCON)

Troubleshooting


Problem

The System SSL Test Client (QMGTOOLS/SSLTSTCON) command performs an SSL handshake against an IP address or host name and port, based on an application ID in the *SYSTEM store. This is useful for testing DCM application IDs after changing the SSL protocols or cipher specifications, or after changing the QSSL* system values. The command tests "System SSL" rather than JSSE or OpenSSL.

Resolving The Problem

1. If the QMGTOOLS toolkit has not yet been installed, refer to the following document for information on how to download and install it on your IBM i server: http://www-01.ibm.com/support/docview.wss?uid=nas8N1011297
Note: If you just downloaded the tool, this can be ignored. Run GO QMGTOOLS/MG and take option 12. Make sure the build date is 04/17/2019 or later. If it is older than 04/17/2019, download the current version of QMGTOOLS by following the steps in: http://www.ibm.com/support/docview.wss?uid=nas8N1020468
2. The QMGTOOLS/SSLTSTCON command is as follows:
QMGTOOLS/SSLTSTCON HOST_NAME(localhost) PORT(992) APP_ID(QIBM_QTV_TELNET_CLIENT) TRCCNN(Y) OUT_FILE('SslClientOut.txt')

SSLTSTCON Parameters

| Parameter | Description |
|---|---|
| HOST NAME (HOST_NAME) | IP address or host name for the connection. |
| Port Number (PORT) | IP port for the connection. |
| APPLICATION ID (APP_ID) | The application ID found in DCM. This determines which SSL protocols or ciphers will be used. If blank, the QSSL* system values are used. |
| Debug Option (DEBUG_OPT) | Enables javax.net.debug=all or javax.net.debug=handshake trace events, which are written to the output file. |
| TRCCNN (TRCCNN) | If Y, performs both a TRCCNN and a TRCINT based on the port value. This produces an <OUT_FILE>.pcap file and a TRCINT* txt file. |
| Output File (OUT_FILE) | The name of the output file, which resides in the /tmp/collectorscripts/data/SSLTSTCON/ directory. |
| Java Home (JAVA_HOME) | The version of Java used to call the Java class performing the SSL connection. |

Application Identifier Listing (Partial)

| Application | Application ID | Port Number | Server/Client |
|---|---|---|---|
| FTP Client | QIBM_QTMF_FTP_CLIENT | na | Client |
| SMTP Client | QIBM_QTMS_SMTP_CLIENT | na | Client |
| LDAP Client | QIBM_GLD_DIRSRV_CLIENT | na | Client |
| Telnet Client | QIBM_QTV_TELNET_CLIENT | na | Client |
| Telnet Server | QIBM_QTV_TELNET_SERVER | 992 | Server |
| Database | QIBM_OS400_QZBS_SVR_DATABASE | 9471 | Server |
| File Server | QIBM_OS400_QZBS_SVR_FILE | 9473 | Server |
| FTP Server | QIBM_QTMF_FTP_SERVER | 989/990 | Server |
| SMTP | QIBM_QTMS_SMTP_SERVER | 465 | Server |
| LDAP Server | QIBM_DIRECTORY_SERVER_QUSRDIR | 636 | Server |

The command writes its output to /tmp/collectorscripts/data/SSLTSTCON/

Usage Example #1: User changed the Telnet Client application to only support TLSv1.1 and TLSv1.2

The application definition in DCM for the Telnet Client shows the following properties:
[Screenshot: DCM application definition properties for the Telnet Client]

The result of running the SSLTSTCON command above with the QIBM_QTV_TELNET_CLIENT application ID is reflected in the /tmp/collectorscripts/data/SSLTSTCON/SslClientOut.txt file:
[Screenshot: contents of SslClientOut.txt]

The TRCINT.txt file also shows information about the SSL connection:
[Screenshot: TRCINT.txt SSL connection details]

Usage Example #2: Which SSL settings is the FTP Client application using?

Use the SSLTSTCON command with the QIBM_QTMF_FTP_CLIENT application ID:
QMGTOOLS/SSLTSTCON HOST_NAME(localhost) PORT(992) APP_ID(QIBM_QTMF_FTP_CLIENT) +
DEBUG_OPT(ALL) TRCCNN(Y) OUT_FILE('FTPClientOut.txt')

/tmp/collectorscripts/data/SSLTSTCON/FTPClientOut.txt shows:
[Screenshot: contents of FTPClientOut.txt]

The Wireshark trace (/tmp/collectorscripts/data/SSLTSTCON/FTPClientOut.txt.pcap) shows TLSv1:
[Screenshot: Wireshark trace showing TLSv1]

Running this command gathers the three pieces of data (Java trace, Wireshark trace and TRCINT) and zips them to /tmp/collectorscripts/data/SSLTSTCON.zip. This .zip file can be uploaded to the PMR.

Note: Each SSLTSTCON run writes more data to the /tmp/collectorscripts/data/SSLTSTCON directory and overwrites the existing data if the output file name is the same (SslClientOut.txt is the default value). It is advisable to clear out the /tmp/collectorscripts/data/SSLTSTCON directory periodically if the command is used often.
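
The following Python example is added here and is not part of the IBM document or of QMGTOOLS. It reads the negotiated protocol version and cipher suite from a raw TLS ServerHello record, such as the one carried in the TRCCNN .pcap, and checks the protocol against the set an application ID is meant to allow (TLSv1.1 and TLSv1.2 in Usage Example #1). The function names, the policy set and the sample bytes are constructed for this illustration.

```python
import struct

# TLS protocol version codes as they appear on the wire.
VERSIONS = {0x0300: "SSLv3", 0x0301: "TLSv1", 0x0302: "TLSv1.1",
            0x0303: "TLSv1.2", 0x0304: "TLSv1.3"}

def parse_server_hello(record: bytes):
    """Return (protocol_name, cipher_suite_id) from one TLS record holding a ServerHello."""
    if len(record) < 5 or record[0] != 22:
        raise ValueError("not a TLS handshake record")
    rec_len = struct.unpack("!H", record[3:5])[0]
    body = record[5:5 + rec_len]
    if len(body) < max(rec_len, 4) or body[0] != 2:
        raise ValueError("truncated record or not a ServerHello")
    hs_len = int.from_bytes(body[1:4], "big")
    hello = body[4:4 + hs_len]
    if len(hello) < hs_len or hs_len < 38:
        raise ValueError("truncated ServerHello")
    version = struct.unpack("!H", hello[:2])[0]
    pos = 2 + 32                      # skip server_version and 32-byte random
    pos += 1 + hello[pos]             # skip session_id (1-byte length prefix)
    if pos + 3 > len(hello):
        raise ValueError("truncated ServerHello")
    cipher = struct.unpack("!H", hello[pos:pos + 2])[0]
    pos += 3                          # cipher suite (2) + compression method (1)
    # TLS 1.3 keeps 0x0303 in the legacy field and carries the real version
    # in the supported_versions extension (type 43).
    if pos + 2 <= len(hello):
        end = pos + 2 + struct.unpack("!H", hello[pos:pos + 2])[0]
        pos += 2
        while pos + 4 <= min(end, len(hello)):
            ext_type, ext_len = struct.unpack("!HH", hello[pos:pos + 4])
            if ext_type == 43 and ext_len == 2 and pos + 6 <= len(hello):
                version = struct.unpack("!H", hello[pos + 4:pos + 6])[0]
            pos += 4 + ext_len
    return VERSIONS.get(version, hex(version)), cipher

def check_policy(record: bytes, allowed: set):
    """Return (ok, protocol, cipher); ok is True when the protocol is in `allowed`."""
    proto, cipher = parse_server_hello(record)
    return proto in allowed, proto, cipher

# Constructed sample: a ServerHello selecting TLSv1 and cipher 0x002F
# (TLS_RSA_WITH_AES_128_CBC_SHA), with no session id and no extensions.
SAMPLE = bytes.fromhex("160301002a" "02000026" "0301" + "00" * 32 + "00" "002f" "00")

if __name__ == "__main__":
    print(check_policy(SAMPLE, {"TLSv1.1", "TLSv1.2"}))
```

A result of `False` for an application ID that should be limited to TLSv1.1 and TLSv1.2 means the handshake in the trace did not follow the intended DCM settings.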

Document Location

Worldwide

Business Unit: IBM Infrastructure w/TPS. Product: IBM i. Platform: IBM i. Version: 7.2; 7.3. Line of Business: Power.

Document Information

Modified date:
18 December 2019

UID

ibm10881936