How to test ssl after ssl is enabled

We have moved the cert to the solace and enabled it, now when we try to perform the test connection
on TIBCO BW tool using smfs://<>:55443 we are getting the error

Can some one advise what is the issue and how enable loglevel to debug as the doc suggest to use the java systemproperties:
Dsun.security.krb5.debug=true.
How to set this to see more logs on this. It would be helpful. Thank you in adavance.

Comments

  • arih
    arih Member, Employee Posts: 125 Solace Employee

    hi @Manikanta532 ,
    My guess is that you have not change the BW part yet. If that's right, then you will basically need to setup trust store just like Java apps in general. Take a look here https://docs.solace.com/Developer-Tools/Integration-Guides/Solace-JMS-Integration-TIBCO-ActiveMatrix-BusinessWorks.pdf in chapter 7.

  • Manikanta532
    Manikanta532 Member Posts: 13
    edited December 2020 #3

    Hi Arih,
    I have added the java.property.TIBCO_SECURITY_VENDOR=j2se in bwdesign.tra and bwagent.tra
    And JNDI propertis in JNDI Configuration still am facing issue below issue.

    AS per show Service command from CLI , port 55443 is up , but we are not able to do telnet, can you suggest anything from that point.
    Note: This is TIBCO BW6.
    Thank you
    Manikanta.

  • Aaron
    Aaron Member, Administrator, Moderator, Employee Posts: 496 admin

    Does it work with non-TLS? That would simplify debugging? Solace default unsecure port is 55555. Just to verify you can connect?

    I'm not sure how exactly to enable debug logging in BW. Can you find out from Tibco community? Typically for Java applications using Solace, if there is log4j or Apache Commons Logging (jal) then you just need to add the appropriate loggers/appenders for com.solacesystems.jcsmp and set the log level to debug. Is there a log4j configuration file or something in BW?

  • arih
    arih Member, Employee Posts: 125 Solace Employee

    Oh okay, BW6 is not the same as how BW5 would work. So the link I provided may not be usable for BW6.
    If you were able to connect your BW6 to plain text port (55555) before, then it should be more on how to do similar steps for BW5 in your BW6. A bit tough for me to try since I don't have the BW6 environment :(

  • Manikanta532
    Manikanta532 Member Posts: 13
    edited December 2020 #6

    Thank you both ,i can connnect to unsecured port 55555 using the same BW6. I will just look at the place where we can add the property to enable loglevel to debug , presently i dont have idea on that. firewall is disabled in our machine, will that cause issue ? for the interaction with the port 55443 ?
    Any pointers on that?

  • Manikanta532
    Manikanta532 Member Posts: 13

    After enabling port on 55443 , issue is resolve, and document has helped to add the JNDI properties. Thank you !!

  • Aaron
    Aaron Member, Administrator, Moderator, Employee Posts: 496 admin

    Ah, so you just needed to enable the port on the broker?? Haha easy fix. Sorry we didn't think of that. And I'm guessing you figured out that you need to upload a server certificate and stuff in order for that port to become Operational.

    Anyhow, let us know how your testing goes. We have lots of customers using BW5 with Solace, but I don't know too many using BW6.

  • uherbst
    uherbst Member, Employee Posts: 121 Solace Employee

    If you want to test any TLS connection, try openssl:
    openssl s_client -connect broker:55443
    In the output you can see:

    • if port is open :-)
    • if tls server certificate is configured
    • content of tls server certificate (like: Common Name, issuer,...)
    • expiry date of tls server certificate

    With the issuer data, you can e.g. configure the validation / certificate authorities on client side.

    Obviously, this openssl command is NOT restricted to connect to Solace brokers :-)

  • Aaron
    Aaron Member, Administrator, Moderator, Employee Posts: 496 admin

    @uherbst you should post that in the Tips and Tricks section!

This Month's Leaders