Java 通过JMS/JNDI连接到WebSphere MQ时出现SSLHandshakeException
我正在配置WebSphereMQ和SSL,然后使用Java和JMS/JNDI连接到它。我使用的版本是6.0.1.1。以下是我遵循的步骤,但我无法使其运行,因为我遇到了SSL异常 步骤1:为MQ系列配置SSLJava 通过JMS/JNDI连接到WebSphere MQ时出现SSLHandshakeException,java,ssl,ibm-mq,Java,Ssl,Ibm Mq,我正在配置WebSphereMQ和SSL,然后使用Java和JMS/JNDI连接到它。我使用的版本是6.0.1.1。以下是我遵循的步骤,但我无法使其运行,因为我遇到了SSL异常 步骤1:为MQ系列配置SSL export JAVA_HOME=/opt/mqm/ssl cd /var/mqm/qmgrs/MYQMGR/ssl # Set up the key repository gsk7cmd -keydb -create -db keydb.kdb -pw password -type cms
export JAVA_HOME=/opt/mqm/ssl
cd /var/mqm/qmgrs/MYQMGR/ssl
# Set up the key repository
gsk7cmd -keydb -create -db keydb.kdb -pw password -type cms -expire 1500 -stash
# Create a self-signed personal certificate
gsk7cmd -cert -create -db keydb.kdb -pw password -label ibmwebspheremqmyqmgr -dn "CN=My Queue Manager,O=My Company,C=UK" -size 1024 -x509version 3 -expire 365
# Export your personal certificate
gsk7cmd -cert -extract -db filename -pw password -label ibmwebspheremqmyqmgr -target myqmgr.cert.arm -format ascii
# Generate the private/public key pair
# keypass option is the password to protect the private key
# storepass option is the password to protect the keystore
keytool -genkey -keystore keystore -storepass storepass -keypass keypass -dname "cn=My Java Client,O=My Company,C=UK" -alias ClientMQ -keyalg RSA -keysize 2048
# Export the public key if you need 2-way authentification
keytool -export -keystore keystore -storepass storepass -alias ClientMQ -file client.cer
# Import MQ public certificate into the truststore
# storepass option is the password to protect the keystore
keytool -import -keystore truststore -storepass trustpass -keypass keypass -alias ibmwebspheremqmyqmgr -file myqmgr.cert.arm
export JAVA_HOME=/opt/mqm/ssl
cd /var/mqm/qmgrs/MYQMGR/ssl
# Set up the key repository
gsk7cmd -keydb -create -db keydb.kdb -pw password -type cms -expire 1500 -stash
# Create a self-signed personal certificate
gsk7cmd -cert -create -db keydb.kdb -pw password -label ibmwebspheremqmyqmgr -dn "CN=My Queue Manager,O=My Company,C=UK" -size 1024 -x509version 3 -expire 365
# Export your personal certificate
gsk7cmd -cert -extract -db filename -pw password -label ibmwebspheremqmyqmgr -target myqmgr.cert.arm -format ascii
SSL.CHANNELDEFINE CHANNEL(SSL.CHANNEL)CHLTYPE(SVRCONN)TRPTYPE(TCP)SSLCIPH(RC4_SHA_US)SSLCAUTH(可选)DESCR('CHANNEL using SSL')INITIAL_CONTEXT_FACTORY=com.sun.jndi.fscontext.RefFSContextFactory
PROVIDER_URL=file:///opt/mqm/java/bin/JNDI
SECURITY_AUTHENTICATION=none
cd /opt/mqm/java/bin
. setjmsenv
./JMSAdmin -v -cfg JMSAdmin.config
DEFINE QCF(QCF_NAME) SYNCPOINTALLGETS(YES) HOSTNAME(HOST) PORT(1414) TRANSPORT(client) QMANAGER(MYQMGR) CHANNEL(SSL.CHANNEL) SSLCIPHERSUITE(SSL_RSA_WITH_RC4_128_SHA)
DEFINE Q(MYQNAME) QMANAGER(MYQMGR) QUEUE(LOCALQUEUE)
connectionFactory.createQueueConnection()时出现以下异常::
以下是SSL跟踪:
keyStore is :
keyStore type is : jks
keyStore provider is :
init keystore
init keymanager of type SunX509
trustStore is: c:\home\doc\jsse\truststore
trustStore type is : jks
trustStore provider is :
init truststore
adding as trusted cert:
Subject: CN=My Queue Manager,O=My Company,C=UK
Issuer: CN=My Queue Manager,O=My Company,C=UK
Algorithm: RSA; Serial number: 0x5072a61a
Valid from Sun Oct 07 12:08:26 CEST 2012 until Tue Oct 08 12:08:26 CEST 2013
trigger seeding of SecureRandom
done seeding SecureRandom
%% No cached client session
*** ClientHello, TLSv1
RandomCookie: GMT: 1349707178 bytes = { 204, 18, 167, 43, 13, 107, 252, 221, 191, 41, 25, 59, 207, 92, 67, 219, 251, 104, 195, 209, 7, 129, 104, 171, 139, 47, 163, 71 }
Session ID: {}
Cipher Suites: [SSL_RSA_WITH_RC4_128_SHA]
Compression Methods: { 0 }
***
[write] MD5 and SHA1 hashes: len = 45
0000: 01 00 00 29 03 01 50 73 E6 AA CC 12 A7 2B 0D 6B ...)..Ps.....+.k
0010: FC DD BF 29 19 3B CF 5C 43 DB FB 68 C3 D1 07 81 ...).;.\C..h....
0020: 68 AB 8B 2F A3 47 00 00 02 00 05 01 00 h../.G.......
Thread pool thread #0, WRITE: TLSv1 Handshake, length = 45
[write] MD5 and SHA1 hashes: len = 44
0000: 01 03 01 00 03 00 00 00 20 00 00 05 50 73 E6 AA ........ ...Ps..
0010: CC 12 A7 2B 0D 6B FC DD BF 29 19 3B CF 5C 43 DB ...+.k...).;.\C.
0020: FB 68 C3 D1 07 81 68 AB 8B 2F A3 47 .h....h../.G
Thread pool thread #0, WRITE: SSLv2 client hello message, length = 44
[Raw write]: length = 46
0000: 80 2C 01 03 01 00 03 00 00 00 20 00 00 05 50 73 .,........ ...Ps
0010: E6 AA CC 12 A7 2B 0D 6B FC DD BF 29 19 3B CF 5C .....+.k...).;.\
0020: 43 DB FB 68 C3 D1 07 81 68 AB 8B 2F A3 47 C..h....h../.G
Thread pool thread #0, received EOFException: error
Thread pool thread #0, handling exception: javax.net.ssl.SSLHandshakeException: Remote host closed connection during handshake
Thread pool thread #0, SEND TLSv1 ALERT: fatal, description = handshake_failure
Thread pool thread #0, WRITE: TLSv1 Alert, length = 2
[Raw write]: length = 7
0000: 15 03 01 00 02 02 28 ......(
Thread pool thread #0, called closeSocket()
Finalizer, called close()
Finalizer, called closeInternal(true)
在MQ
端:
AMQ9660: SSL key repository: password stash file absent or unusable.
EXPLANATION:
The SSL key repository cannot be used because MQ cannot obtain a password to
access it. Reasons giving rise to this error include:
(a) the key database file and password stash file are not present in the
location configured for the key repository,
(b) the key database file exists in the correct place but that no password
stash file has been created for it,
(c) the files are present in the correct place but the userid under which MQ is
running does not have permission to read them,
(d) one or both of the files are corrupt.
但这些都不适用于我
ls -ltr /var/mqm/qmgrs/MYQMGR/ssl/
total 235
-rw-r--r-- 1 mqm mqm 129 Oct 8 12:00 keydb.sth
-rw-r--r-- 1 mqm mqm 115080 Oct 8 12:08 keydb.kdb
-rw-r--r-- 1 mqm mqm 80 Oct 8 12:08 keydb.rdb
-rw-r--r-- 1 mqm mqm 80 Oct 8 12:08 keydb.crl
愚蠢的错误:alter qmgr SSLKEYR('/var/mqm/qmgrs/MYQMGR/ssl/keydb')
修复了问题。并且,如果qmgr以前访问过其KDB,刷新安全类型(ssl)
或重新启动qmgr。这一次它工作了,因为QMgr以前从未加载过它的kdb。显示痕迹的荣誉。不过,我希望看到通道和QMgr对象定义。