Java: Configuring SSL between Websphere App Server and Websphere MQ


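I am trying to connect to WMQ from a simple web service started on WebSphere App Server.

On WMQ I have a channel with SSL. For now I use a self-signed certificate.

For GlassFish, I simply add this certificate to the key store in the domain and everything works fine (because I configure MQQueueConnectionFactory).

But on WebSphere this trick does not work: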

[5/13/13 14:00:25:058 FET] 00000060 SystemOut     O %% Invalidated:  [Session-94, SSL_RSA_EXPORT_WITH_RC4_40_MD5]
[5/13/13 14:00:25:058 FET] 00000060 SystemOut     O jmsContainer-1, SEND SSLv3 ALERT:  fatal, description = certificate_unknown
[5/13/13 14:00:25:058 FET] 00000060 SystemOut     O jmsContainer-1, WRITE: SSLv3 Alert, length = 2
[5/13/13 14:00:25:058 FET] 00000060 SystemOut     O [Raw write]: length = 7
[5/13/13 14:00:25:058 FET] 00000060 SystemOut     O 0000: 15 03 00 00 02 02 2e                               .......

[5/13/13 14:00:25:058 FET] 00000060 SystemOut     O jmsContainer-1, called closeSocket()
[5/13/13 14:00:25:058 FET] 00000060 SystemOut     O jmsContainer-1, handling exception: javax.net.ssl.SSLHandshakeException: com.ibm.jsse2.util.j: PKIX path building failed: java.security.cert.CertPathBuilderException: unable to find valid certification path to requested target
[5/13/13 14:00:25:058 FET] 00000060 DefaultMessag E org.springframework.jms.listener.DefaultMessageListenerContainer refreshConnectionUntilSuccessful Could not refresh JMS Connection for destination 'fromESB' - retrying in 5000 ms. Cause: JMSWMQ0018: Failed to connect to queue manager 'qm1' with connection mode 'Client' and host name '192.168.56.101(1414)'.; nested exception is com.ibm.mq.MQException: JMSCMQ0001: WebSphere MQ call failed with compcode '2' ('MQCC_FAILED') reason '2397' ('MQRC_JSSE_ERROR').

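How do I configure WebSphere App Server to use SSL (how do I add the server (WMQ) certificate to the trust store, or where is the trust store)?

OK. I solved this problem myself.

Configuring WMQ: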

<bean id="mqConnectionFactory" class="com.ibm.mq.jms.MQQueueConnectionFactory">
    <property name="hostName" value="${queue_hostname}"/>
    <property name="port" value="${queue_port}"/>
    <property name="queueManager" value="${queue_manager}"/>
    <property name="transportType" value="1"/>
    <property name="SSLCipherSuite" value="SSL_RSA_EXPORT_WITH_RC4_40_MD5"/>
    <property name="channel" value="ssl_channel"/>
</bean>
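  • Create the key repository

    runmqckm -keydb -create -db "c:\dev\sslqm001\sslqm001.kdb" -pw serverpass -type cms -expire 365 -stash

  • Create a certificate and add it to the key repository

    runmqckm -cert -create -db "c:\dev\sslqm001\sslqm001.kdb" -pw serverpass -label ibmwebspheremqssl_qm001 -dn "CN=SSL_qm001,OU=IT,O=SomeCompany,L=Minsk,ST=Belarus,C=BY" -expire 365

  • Export this certificate from the key repository to a file

    runmqckm -cert -extract -db "c:\dev\sslqm001\sslqm001.kdb" -pw serverpass -label ibmwebspheremqssl_qm001 -target SSL_qm001.crt -format ascii

  • In the queue manager settings, tab "SSL", set the path to the key repository without .kdb and set FIPS to No:

    ALTER QMGR SSLKEYR('c:\dev\sslqm001\sslqm001')
    ALTER QMGR SSLFIPS(NO)

  • Create a new channel

  • In the channel settings, tab "SSL", set the cipher to some value (for me this worked: DES_SHA_EXPORT) and set authentication to optional

    DEFINE CHANNEL('SSL_CHANNEL') CHLTYPE(SVRCONN) TRPTYPE(TCP) SSLCIPH(DES_SHA_EXPORT) SSLCAUTH(OPTIONAL) REPLACE

  • Refresh SSL in the queue manager:

    REFRESH SECURITY TYPE(SSL)

  • Change your app context: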

    <bean id="mqConnectionFactory" class="com.ibm.mq.jms.MQQueueConnectionFactory">
        <property name="hostName" value="${queue_hostname}"/>
        <property name="port" value="${queue_port}"/>
        <property name="queueManager" value="${queue_manager}"/>
        <property name="transportType" value="1"/>
        <property name="SSLCipherSuite" value="SSL_RSA_EXPORT_WITH_RC4_40_MD5"/>
        <property name="channel" value="ssl_channel"/>
    </bean>
    
    
    
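    Set SSL to on

  • Go to:

    Security → SSL certificate and key management → SSL configurations → NodeDefaultSSLSettings → Key stores and certificates → store name → Signer certificates

  • Add the certificate that we exported in step 3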
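
The `PKIX path building failed` error in the question's log means the client JVM's trust store holds no signer matching the queue manager's self-signed certificate. The following Java program is an added example, not part of the original post: it runs the same trust decision offline against a trust store file and the exported `SSL_qm001.crt`. The class name `TrustCheck` and its four command-line arguments are assumptions made for illustration.

```java
import java.io.FileInputStream;
import java.io.InputStream;
import java.security.KeyStore;
import java.security.cert.CertificateException;
import java.security.cert.CertificateFactory;
import java.security.cert.X509Certificate;
import javax.net.ssl.TrustManager;
import javax.net.ssl.TrustManagerFactory;
import javax.net.ssl.X509TrustManager;

// Added example: TrustCheck is a hypothetical helper, not part of WebSphere or MQ.
public class TrustCheck {
    // Usage: java TrustCheck <trust-store> <PKCS12|JKS> <password> <cert.crt>
    public static void main(String[] args) throws Exception {
        if (args.length != 4) {
            System.err.println("usage: TrustCheck <trust-store> <PKCS12|JKS> <password> <cert.crt>");
            System.exit(2);
        }
        // Load the trust store the client JVM is expected to use.
        KeyStore trustStore = KeyStore.getInstance(args[1]);
        try (InputStream in = new FileInputStream(args[0])) {
            trustStore.load(in, args[2].toCharArray());
        }
        // Load the certificate exported from the queue manager (ascii/PEM or DER).
        X509Certificate cert;
        try (InputStream in = new FileInputStream(args[3])) {
            cert = (X509Certificate) CertificateFactory.getInstance("X.509").generateCertificate(in);
        }
        System.out.println("Subject: " + cert.getSubjectX500Principal());
        System.out.println("Issuer : " + cert.getIssuerX500Principal());
        // Prints null when the certificate is not stored as a signer.
        System.out.println("Alias in store: " + trustStore.getCertificateAlias(cert));

        TrustManagerFactory tmf =
                TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
        tmf.init(trustStore);
        for (TrustManager tm : tmf.getTrustManagers()) {
            if (!(tm instanceof X509TrustManager)) continue;
            try {
                // Same check the JSSE client performs during the handshake ("RSA" key exchange).
                ((X509TrustManager) tm).checkServerTrusted(new X509Certificate[] {cert}, "RSA");
                System.out.println("TRUSTED: handshake would accept this certificate");
            } catch (CertificateException e) {
                System.out.println("NOT TRUSTED: " + e.getMessage());
                System.exit(1);
            }
        }
    }
}
```

Run it before and after adding the signer certificate: the first run should report `NOT TRUSTED` with a path-building message, the second `TRUSTED`.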