C# - SSL 与 Websphere MQ 版本 7.0.1
使用 C# 连接到启用 SSL 的队列管理器时,需要设置哪些值才能使队列正常工作?
我目前收到此错误: 原因代码:2393 MQRC_SSL_INITIALIZATION_ERROR
在我的代码中,我正在设置 MQEnvironment.SSLKeyRepository 和 MQEnvironment.SSLCipherSpec
是否还需要使用 C# 设置其他内容才能使其工作?我见过一些设置密钥库密码和类型之类的 Java 示例。
我也看到过设置系统环境变量的示例,但这似乎也没有任何区别。
When connecting to an SSL enabled queue manager using C#, what values do I need to set to get the queues to work?
I currently get this error:
Reason Code: 2393
MQRC_SSL_INITIALIZATION_ERROR
In my code I am setting the MQEnvironment.SSLKeyRepository and MQEnvironment.SSLCipherSpec
Is there something else I need to set with C# to make this work? I have seen some Java examples that set keystore passwords and types and things.
I have also seen examples setting system environment variables too, but that hasn't seemed to make any difference either.
如果你对这篇内容有疑问,欢迎到本站社区发帖提问 参与讨论,获取更多帮助,或者扫码二维码加入 Web 技术交流群。
绑定邮箱获取回复消息
由于您还没有绑定你的真实邮箱,如果其他用户或者作者回复了您的评论,将不能在第一时间通知您!
发布评论
评论(1)
调试 WMQ SSL 的一般模式如下...
如果连接尝试被 QMgr 拒绝,客户端的错误将故意隐藏起来。详细消息可以在 QMgr 的 AMQERR??.LOG 文件中找到。如果故障发生在客户端,这些消息将在客户端的错误日志中找到,或者您可以启用跟踪。
使用 strmqtrc 启用跟踪 命令并使用 endmqtrc。 WMQ 客户端手册有 描述客户端跟踪文件结束位置的部分以及另一部分专门用于一般 Windows 上的跟踪。这对于确定客户端配置问题(例如找不到私钥、找不到密钥库等)非常有用。
在您的情况下,2393 表示客户端配置中的某些内容出现故障。由于您不再收到密钥库密码的错误,我猜测可能是在查找私钥时遇到问题或不信任 QMgr 提供的证书。在第一种情况下,设置 SSLCAUTH(OPTIONAL) 将起作用,因为客户端不需要它的私钥。但是,如果问题是信任 QMgr 或其他配置问题,SSLCAUTH(OPTIONAL) 将无济于事,但跟踪应该解决这个问题。
顺便说一句,由于需要在客户端进行跟踪和诊断,因此 IBM 不支持复制 jar 或 lib 的客户端安装,而不是运行完整的客户端安装。尽管您可以通过复制一些 lib 文件和类来让客户端运行,但这并不能提供用于跟踪和诊断的所有功能。如果您尚未执行完整的客户端安装,我在此描述的某些内容将无法实现。如果是这种情况,请从 SupportPac MQC7 下载并安装客户端。
The general pattern for debugging WMQ SSL is as follows...
If the connection attempt is refused by the QMgr, the errors at the client will purposely be cryptic. The detailed messages will be found in the QMgr's AMQERR??.LOG files. If the failure is at the client, these messages will be found in the client's error logs or you can enable trace.
Enable trace using the strmqtrc command and stop it with endmqtrc. The WMQ Clients manual has a section describing where client trace files end up and another section dedicated to tracing on Windows in general. This can be very useful in determining client-side configuration problems such as failing to find a private key, failing to find a keystore, etc.
In your case, the 2393 indicates that something in the client configuration is failing. Since you are no longer getting the error with the keystore password, I'm guessing it may be having problems finding a private key or not trusting the cert provided by the QMgr. In the first case, setting SSLCAUTH(OPTIONAL) will work because the client' won't need it's private key. However if the problem is trusting the QMgr or other configuration issues, SSLCAUTH(OPTIONAL) won't help but tracing should sort that out.
Incidentally, the need to trace and diagnose on the client side is why IBM does not support client installations where the jars or libs were copied over rather than running the full client install. Although you can get the client to run by copying a few lib files and classes, this does not provide all the facilities for tracing and diagnostics. If you have not performed a full client install, some of what I've described here will not be possible. If that is the case, download and install the client from SupportPac MQC7.