Getting "com.ibm.mq.jmqi.JmqiException: CC=2;RC=2059;AMQ9503: Channel negotiation failed" when setting up SSL between IBM MQ and a JMS client
I'm trying to enable two-way SSL encryption between a JMS client and IBM MQ using a server connection channel called "KAU.CONN". I have already generated the client certificate and queue manager certificate using two different self-signers. Below are the steps I used to generate the certificates and keys stored on both sides. When the MQ channel's SSLCAUTH option is set to OPTIONAL, connectivity works fine. I'd appreciate any leads on the possible cause.
IBM MQ version = 9.2 (trial version)
JDK( jms client ) = 1.8
Error in Eclipse:
Caused by: com.ibm.mq.jmqi.JmqiException: CC=2;RC=2059;AMQ9503: Channel negotiation failed. [3=KAU.CONN]
at com.ibm.mq.jmqi.remote.impl.RemoteConnection.analyseErrorSegment(RemoteConnection.java:4464)
at com.ibm.mq.jmqi.remote.impl.RemoteConnection.receiveTSH(RemoteConnection.java:3199)
at com.ibm.mq.jmqi.remote.impl.RemoteConnection.initSess(RemoteConnection.java:1274)
at com.ibm.mq.jmqi.remote.impl.RemoteConnection.connect(RemoteConnection.java:895)
at com.ibm.mq.jmqi.remote.impl.RemoteConnectionSpecification.getSessionFromNewConnection(RemoteConnectionSpecification.java:416)
at com.ibm.mq.jmqi.remote.impl.RemoteConnectionSpecification.getSession(RemoteConnectionSpecification.java:312)
at com.ibm.mq.jmqi.remote.impl.RemoteConnectionPool.getSession(RemoteConnectionPool.java:146)
at com.ibm.mq.jmqi.remote.api.RemoteFAP.jmqiConnect(RemoteFAP.java:1761)
... 61 more
SSL implementation
QUEUE MANAGER
Commands used to create CA's certificate
runmqckm -keydb -create -db myCA.kdb -type cms -pw mycakeypassword -stash
runmqckm -cert -create -db myCA.kdb -type cms -label "myCAcertificate" -dn "CN=demmoCA,O=DemmoOrg,OU=DemmoDepartment,L=DemmoLocation,C=UK" -expire 1000 -size 1024
runmqckm -cert -extract -db myCA.kdb -type cms -label "myCAcertificate" -target myCAcertfile.cer -format ascii -stashed
Issuing a certificate to a queue manager
runmqckm -keydb -create -db myqmgr.kdb -type cms -pw kautstpassword -stash
runmqckm -certreq -create -db myqmgr.kdb -type cms -dn "CN=KAU.TST,O=IBM,OU=WMQ,L=Hursley,C=UK" -label "ibmwebspheremqmyqmgr" -file kauqmgercsr.req -stashed
runmqckm -cert -sign -db myCA.kdb -label "myCAcertificate" -expire 365 -format ascii -file kauqmgercsr.req -target kauqmgr.cer -stashed
runmqckm -cert -receive -db myqmgr.kdb -type cms -file kauqmgr.cer -stashed
JMS CLIENT SIDE
Adding the queue manager's certificate (generated above) to the client's keystore (after creating the client's keystore)
keytool -keystore kautstclient.jks -genkey -alias winclientcert -storepass clientpassword
keytool -import -keystore kautstclient.jks -file myCAcertfile.cer -alias myCAcertificate
Creating another CA's key and certificate for the JMS client
openssl req -x509 -newkey rsa:4096 -keyout key.pem -out cert.pem -days 365
Generating a certificate for the client
keytool -certreq -v -alias winclientcert -file kauclient.csr -keypass clientpassword -storepass clientpassword -keystore kautstclient.jks
openssl x509 -req -in kauclient.csr -CA cert.pem -CAkey key.pem -CAcreateserial -out kauclientown.crt
keytool -import -v -alias kauclientowncert -file kauclientown.crt -keystore kautstclient.jks -keypass clientpassword -storepass clientpassword
Finally, adding the client certificate's signer certificate to the queue manager's kdb
runmqckm -cert -add -db myqmgr.kdb -file cert.pem -label kauclientsignercertificate
These are my JMS client's SSL property settings
System.setProperty("javax.net.ssl.trustStorePassword", "clientpassword" );
System.setProperty("javax.net.ssl.keyStorePassword", "clientpassword" );
System.setProperty("javax.net.ssl.keyStore", "D:\\mq-message-handler-1.0\\ssl\\kautstclient.jks" );
System.setProperty("com.ibm.mq.cfg.useIBMCipherMappings", "false" );
System.setProperty("jdk.security.allowNonCaAnchor","true");
System.setProperty("javax.net.ssl.trustStore","D:\\mq-message-handler-1.0\\ssl\\kautstclient.jks");
cf.setStringProperty(WMQConstants.WMQ_SSL_CIPHER_SUITE, "TLS_RSA_WITH_AES_256_GCM_SHA384");
Certificate details in client's keystore and qmgr's keystore
- Please note my JMS client runs on Windows, but I used a Linux server to generate the key/cert files, and I'm more familiar with Linux commands.
Certificates in database /tmp/client/kautstclient.jks:
winclientcert
kauclientowncert
mycacertificate
Certificates in database /var/mqm/qmgrs/KAU!TST/ssl/myqmgr.kdb:
ibmwebspheremqmyqmgr
"CN=demmoCA, O=DemmoOrg, OU=DemmoDepartment, L=DemmoLocation, C=UK"
kauclientsignercertificate
[mqm@192 ssl]$ runmqakm -cert -list -db myqmgr.kdb -stashed
Certificates found
* default, - personal, ! trusted, # secret key
! "CN=demmoCA, O=DemmoOrg, OU=DemmoDepartment, L=DemmoLocation, C=UK"
! kauclientsignercertificate
- ibmwebspheremqmyqmgr
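A check worth running on the client side before changing SSLCAUTH again, added here as an example (it is not code from the question or from IBM MQ): it loads the client JKS, shows which certificate chain each private-key entry would actually be presented to the queue manager, and verifies that chain's leaf against the openssl signer cert.pem that was added to the queue manager's kdb. The keystore name, password and cert.pem path are taken from the question; Java 8 is assumed.

```java
import java.io.FileInputStream;
import java.security.KeyStore;
import java.security.cert.Certificate;
import java.security.cert.CertificateFactory;
import java.security.cert.X509Certificate;
import java.util.Collections;

/*
 * Added diagnostic, not part of the original question or of IBM MQ.
 * Assumes the client JKS and the openssl signer cert.pem from the
 * question are readable from the working directory (or given as args).
 */
public class ClientKeystoreCheck {
    public static void main(String[] args) throws Exception {
        String jks = args.length > 0 ? args[0] : "kautstclient.jks";
        String signerPem = args.length > 1 ? args[1] : "cert.pem";
        char[] pw = "clientpassword".toCharArray();

        KeyStore ks = KeyStore.getInstance("JKS");
        try (FileInputStream in = new FileInputStream(jks)) {
            ks.load(in, pw);
        }
        X509Certificate signer;
        try (FileInputStream in = new FileInputStream(signerPem)) {
            signer = (X509Certificate) CertificateFactory.getInstance("X.509").generateCertificate(in);
        }

        // JSSE's key manager only ever sends the chain stored under a PrivateKeyEntry;
        // a signed certificate imported as a separate trustedCertEntry alias is not sent.
        for (String alias : Collections.list(ks.aliases())) {
            if (!ks.isKeyEntry(alias)) continue;
            Certificate[] chain = ks.getCertificateChain(alias);
            X509Certificate leaf = (X509Certificate) chain[0];
            System.out.println("key entry " + alias + ", chain length " + chain.length);
            System.out.println("  subject: " + leaf.getSubjectX500Principal());
            System.out.println("  issuer : " + leaf.getIssuerX500Principal());
            boolean selfSigned = leaf.getSubjectX500Principal().equals(leaf.getIssuerX500Principal());
            System.out.println("  self-signed leaf: " + selfSigned);
            try {
                // Succeeds only if the qmgr's trusted signer actually issued this leaf.
                leaf.verify(signer.getPublicKey());
                System.out.println("  signed by " + signerPem + ": yes");
            } catch (Exception e) {
                System.out.println("  signed by " + signerPem + ": NO (" + e.getMessage() + ")");
            }
        }
    }
}
```

If the key entry's leaf is reported as self-signed or not signed by cert.pem, that is the certificate the queue manager is being asked to validate under SSLCAUTH(REQUIRED), regardless of what other aliases the keystore lists.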
Perhaps it is not finding your trustStore.
Apparently, you can check whether the JVM is using the configured trustStore by using the following property: -Djavax.net.debug=all, which will turn on debug messages. After the app starts, it will print out a message like: