Java WMQ JMS API SSL Sun JDK和SSL_RSA_与_AES_128_CBC_SHA
如何让使用SSL_RSA_和_AES_128_CBC_SHA(在队列连接工厂中)的JMS客户端使用TLS_RSA_和_AES_128_CBC_SHA连接到服务器Java WMQ JMS API SSL Sun JDK和SSL_RSA_与_AES_128_CBC_SHA,java,ibm-mq,Java,Ibm Mq,如何让使用SSL_RSA_和_AES_128_CBC_SHA(在队列连接工厂中)的JMS客户端使用TLS_RSA_和_AES_128_CBC_SHA连接到服务器 客户Sun JDK 7 win IBM Power服务器(i) 服务器上的MQ版本7.1 客户端上的MQ版本7.5.0.4 与MQ资源管理器的连接工作正常 以下代码适用于ibm JDK C:\Program Files\ibm\WebSphere MQ Explorer\jre\jre\bin 以下代码不适用于“C:\Program
- 客户Sun JDK 7 win
- IBM Power服务器(i)
- 服务器上的MQ版本7.1
- 客户端上的MQ版本7.5.0.4
- 与MQ资源管理器的连接工作正常
- 以下代码适用于ibm JDK C:\Program Files\ibm\WebSphere MQ Explorer\jre\jre\bin
- 以下代码不适用于“C:\Program Files\Java\jdk1.7.0\U 67\bin with”
// Instantiate the initial context
String contextFactory = "com.sun.jndi.fscontext.RefFSContextFactory";
Hashtable environment = new Hashtable();
environment.put(Context.INITIAL_CONTEXT_FACTORY, contextFactory);
environment.put(Context.PROVIDER_URL, initialContextUrl);
Context context = new InitialDirContext(environment);
System.out.println("Initial context found!");
String keystoreName = System.getProperty("javax.net.ssl.keyStore");
System.out.println("keystoreName " + keystoreName + " canRead " + new File(keystoreName).canRead());
String truststoreName = System.getProperty("javax.net.ssl.trustStore");
System.out.println("truststoreName " + keystoreName + " canRead " + new File(truststoreName).canRead());
// Lookup the connection factory
JmsConnectionFactory cf = (JmsConnectionFactory) context.lookup(connectionFactoryFromJndi);
System.out.println("CF = " + cf.getClass().getName());
MQConnectionFactory mqcf = (MQConnectionFactory) cf;
System.out.println("getSSLCipherSuite:" + mqcf.getSSLCipherSuite());
System.out.println("getSSLSocketFactory:" + mqcf.getSSLSocketFactory());
// Lookup the destination
destination = (JmsDestination) context.lookup(destinationFromJndi);
System.out.println("getSSLSocketFactory:" + mqcf.getSSLSocketFactory());
// Create JMS objects
connection = cf.createConnection();
System.out.println("getSSLSocketFactory:" + mqcf.getSSLSocketFactory());
session = connection.createSession(false, Session.AUTO_ACKNOWLEDGE);
System.out.println("getSSLSocketFactory:" + mqcf.getSSLSocketFactory());
consumer = session.createConsumer(destination);
System.out.println("getSSLSocketFactory:" + mqcf.getSSLSocketFactory());
// Start the connection
connection.start();
System.out.println("getSSLSocketFactory:" + mqcf.getSSLSocketFactory());
给我:
Initial context found!
keystoreName C:/Users/...key.jks canRead true
truststoreName C:/Users/.../key.jks canRead true
CF = com.ibm.mq.jms.MQConnectionFactory
getSSLCipherSuite:SSL_RSA_WITH_AES_128_CBC_SHA
getSSLSocketFactory:null
getSSLSocketFactory:null
keyStore is : C:/Users/.../key.jks
keyStore type is : jks
keyStore provider is :
init keystore
init keymanager of type SunX509
***
found key for : ibmwebspheremquserid
.....
Valid from Mon May 14 23:59:46 CEST 2012 until Thu May 14 23:59:46 CEST 2015
trigger seeding of SecureRandom
done seeding SecureRandom
Ignoring unsupported cipher suite: TLS_DHE_DSS_WITH_AES_128_CBC_SHA256
Ignoring unsupported cipher suite: TLS_DHE_DSS_WITH_AES_256_CBC_SHA256
Ignoring unsupported cipher suite: TLS_DHE_RSA_WITH_AES_128_CBC_SHA256
Ignoring unsupported cipher suite: TLS_ECDH_RSA_WITH_AES_128_CBC_SHA256
Ignoring unsupported cipher suite: TLS_DHE_RSA_WITH_AES_256_CBC_SHA256
Ignoring unsupported cipher suite: TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384
Ignoring unsupported cipher suite: TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA384
Ignoring unsupported cipher suite: TLS_RSA_WITH_AES_256_CBC_SHA256
Ignoring unsupported cipher suite: TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256
Ignoring unsupported cipher suite: TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384
Ignoring unsupported cipher suite: TLS_ECDH_RSA_WITH_AES_256_CBC_SHA384
Ignoring unsupported cipher suite: TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256
Ignoring unsupported cipher suite: TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA256
Ignoring unsupported cipher suite: TLS_RSA_WITH_AES_128_CBC_SHA256
Allow unsafe renegotiation: false
Allow legacy hello messages: true
Is initial handshake: true
Is secure renegotiation: false
com.ibm.msg.client.jms.DetailedJMSException: JMSWMQ0018: Failed to connect to queue manager 'qm' with connection mode 'Client' and host name 'host(1414)'.
Check the queue manager is started and if running in client mode, check there is a listener running. Please see the linked exception for more information.
Inner exception(s):
com.ibm.mq.MQException: JMSCMQ0001: WebSphere MQ call failed with compcode '2' ('MQCC_FAILED') reason '2393' ('MQRC_SSL_INITIALIZATION_ERROR').
com.ibm.mq.jmqi.JmqiException: CC=2;RC=2393;AMQ9204: Connection to host 'host(1414)' rejected. [1=com.ibm.mq.jmqi.JmqiException[CC=2;RC=2393;AMQ9771: SSL handshake failed. [1=java.lang.IllegalArgumentException[Unsupported ciphersuite SSL_RSA_WITH_AES_128_CBC_SHA],3=host/host:1414 (10.20.28.12),4=SSLSocket.createSocket,5=default]],3=host(1414),5=RemoteTCPConnection.makeSocketSecure]
com.ibm.mq.jmqi.JmqiException: CC=2;RC=2393;AMQ9771: SSL handshake failed. [1=java.lang.IllegalArgumentException[Unsupported ciphersuite SSL_RSA_WITH_AES_128_CBC_SHA],3=host/host:1414 (10.20.28.12),4=SSLSocket.createSocket,5=default]
java.lang.IllegalArgumentException: Unsupported ciphersuite SSL_RSA_WITH_AES_128_CBC_SHA
FAILURE
切换到IBM JRE/JDK,它就会工作。使用Oracle JVM(JSSE)中的SSL 另见“ 在MQ客户端版本8.0.0.2中,包含了一个补丁,用于将TLS与Oracle JVM一起使用,这与上面的答案一起使用 要使其正常工作,您将需要最新的MQ客户端,该客户端包含 :WMQ V7 JAVA/JMS:在以下情况下添加对选定TLS CipherSpec的支持 在非IBM JAVA运行时环境中运行
() 根据您的位置,您可能还需要安装 Java加密扩展(JCE)无限强度权限策略文件8() 要使用它,必须使用JVM参数进行配置:
-Dcom.ibm.mq.cfg.useIBMCipherMappings=false
请注意,Oracle和IBM JVM之间的默认安全实现行为:
报告说:
如果KeyManager[]参数为null,则将显示一个空的KeyManager
必须为此上下文定义
报告说:
如果KeyManager[]参数为null,则安装的安全性
将搜索提供商,以查找实现的最高优先级
KeyManagerFactory,将从中创建适当的KeyManager
获得
这意味着您必须进行设置
然后将其提供给MQ JMS客户端:
JmsConnectionFactory cf = ...
MQConnectionFactory mqcf = (MQConnectionFactory) cf;
mqcf.setSSLSocketFactory(sslcontext.getSocketFactory());
如果使用应用服务器,这可能由您的应用服务器来处理。您是否可以选择让客户端使用TLS而不是SSL?客户端正在使用JNDI队列工厂,根据此链接,SSL_RSA_WITH_AES_128_CBC_SHA与TLS_RSA_WITH_AES_128_CBC_SHA等同。这是windows…不再受支持?是的。MQ Exprorer使用IBMJRE,因此它是受支持的,您应该使用它。
JmsConnectionFactory cf = ...
MQConnectionFactory mqcf = (MQConnectionFactory) cf;
mqcf.setSSLSocketFactory(sslcontext.getSocketFactory());