Certificate Label when fetching from Windows Cert Store for .Net MQ Client

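I have set the KeyStore to *User to fetch the certificate from the Windows certificate store. The MQ client application is trying to find the certificate by a label name, as shown in the client trace. I tried setting CertificateLabel from client.ini and from code, but it does not override the value.

How should I change it? And even if I can override it, how do I change the label of a certificate that was imported directly into my certificate store?

Please help.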

000001B6 12:23:39.868134 4236.8 Created store object to access certificates 
000001B7 12:23:39.868134 4236.8 Opened store 
000001B8 12:23:39.868134 4236.8 Accessing certificate - **ibmwebspheremq(username)** 


How should I change the label in the certificate store for the existing certificate?

And then it throws the below exception 

000001B9 12:23:39.868134 4236.8 TLS12 supported - True 
000001BA 12:23:39.868134 4236.8 Setting SslProtol as Tls 
000001BB 12:23:39.868134 4236.8 Starting SSL Authentication 
000001BC 12:23:39.868134 4236.8 ------------{ MQEncryptedSocket.FixClientCertificate(Object,String,X509CertificateCollection,X509Certificate,String[]) 
000001BD 12:23:39.868134 4236.8 Client callback has been invoked to find client certificate 
000001BE 12:23:39.868134 4236.8 ------------} MQEncryptedSocket.FixClientCertificate(Object,String,X509CertificateCollection,X509Certificate,String[]) rc=OK 
000001BF 12:23:40.507601 4236.8 System.Security.Authentication.AuthenticationException: A call to SSPI failed, see inner exception. ---> System.ComponentModel.Win32Exception: The client and server cannot communicate, because they do not possess a common algorithm

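Over the past 2 days I just solved this exact same problem with MQ v.8 and found Shashi's link helpful, but it did not completely solve my problem. In addition to the instructions at the link, you also need to make sure that the "Friendly name" of the certificate in the store follows the MQ certificate label naming convention, i.e. ibmwebspheremqlogonuserID.

For example, suppose you are currently logged in and your login ID is jdoe. When you run your MQ client, the MQ client library will look for a certificate whose friendly name matches ibmwebspheremqjdoe. In the end I only had to add the two properties below to connect successfully: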

properties.Add(MQC.SSL_CERT_STORE_PROPERTY, "*SYSTEM");
properties.Add(MQC.SSL_CIPHER_SPEC_PROPERTY, "TLS_RSA_WITH_AES_128_CBC_SHA");

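Keep in mind that I installed the CA-signed certificate into the "Local computer" keystore rather than the user keystore. That is why I specified *SYSTEM in SSL_CERT_STORE_PROPERTY.

Here are all the properties I used: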

// Requires: using System.Collections; using IBM.WMQ;
Hashtable properties = new Hashtable();
// Managed (.NET) client transport
properties.Add(MQC.TRANSPORT_PROPERTY, MQC.TRANSPORT_MQSERIES_MANAGED);
properties.Add(MQC.HOST_NAME_PROPERTY, hostName);
properties.Add(MQC.PORT_PROPERTY, port);
properties.Add(MQC.CHANNEL_PROPERTY, channelName);
// *SYSTEM: the certificate is in the "Local computer" store
properties.Add(MQC.SSL_CERT_STORE_PROPERTY, "*SYSTEM");
properties.Add(MQC.SSL_CIPHER_SPEC_PROPERTY, "TLS_RSA_WITH_AES_128_CBC_SHA");
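
The friendly-name requirement described in the answer above can be checked, and the label of an already imported certificate changed, from a small console program. This is an added example, not part of the original question or answer; the class name `MqCertLabel`, its command-line arguments, the use of the Personal ("My") store and the lower-casing of the user name are assumptions.

```csharp
using System;
using System.Security.Cryptography.X509Certificates;

// Added example: lists the certificates in the chosen Windows store, marks the one
// whose friendly name matches the MQ label, and optionally relabels one by thumbprint.
static class MqCertLabel
{
    // Convention from the answer: "ibmwebspheremq" + logon user ID.
    // Assumption: Environment.UserName is that ID, folded to lower case.
    static string ExpectedLabel()
    {
        return "ibmwebspheremq" + Environment.UserName.ToLowerInvariant();
    }

    // Usage: MqCertLabel.exe *USER|*SYSTEM [thumbprint-of-certificate-to-relabel]
    static int Main(string[] args)
    {
        // *SYSTEM is the "Local computer" store, *USER the current user's store.
        bool machine = args.Length > 0 &&
            args[0].Equals("*SYSTEM", StringComparison.OrdinalIgnoreCase);
        string thumbprint = args.Length > 1 ? args[1] : null;
        string label = ExpectedLabel();
        bool usable = false;

        // Assumption: the certificate lives in the Personal ("My") store.
        var store = new X509Store(StoreName.My,
            machine ? StoreLocation.LocalMachine : StoreLocation.CurrentUser);
        try
        {
            // ReadWrite only when relabelling; the LocalMachine store needs elevation.
            store.Open((thumbprint == null ? OpenFlags.ReadOnly : OpenFlags.ReadWrite)
                       | OpenFlags.OpenExistingOnly);
            foreach (X509Certificate2 cert in store.Certificates)
            {
                if (thumbprint != null &&
                    cert.Thumbprint.Equals(thumbprint, StringComparison.OrdinalIgnoreCase))
                    cert.FriendlyName = label; // written to the store entry (Windows only)

                bool match = string.Equals(cert.FriendlyName, label, StringComparison.Ordinal);
                // A client certificate is only usable if its private key is present.
                usable |= match && cert.HasPrivateKey;
                Console.WriteLine("{0} friendly=\"{1}\" privateKey={2} notAfter={3:yyyy-MM-dd}{4}",
                    cert.Thumbprint, cert.FriendlyName, cert.HasPrivateKey,
                    cert.NotAfter, match ? "  <-- matches " + label : "");
            }
        }
        finally { store.Close(); }

        if (!usable) Console.Error.WriteLine("No certificate with a private key is labelled " + label);
        return usable ? 0 : 1;
    }
}
```

Run it as the same Windows account that runs the MQ client, since the expected label is derived from the logged-on user.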