How to correct IBM MQ Error when SSL is enabled

We have enabled SSL on

  1. MQ version '7.1.0.7'
  2. OS->'Linux 2.6.32-642.11.1.el6.x86_64'
  3. Two months ago [August 2016] it worked fine in both SSL enabled and disabled mode

The Java client uses

  1. jdk1.7.0_21
  2. Working cipher/suite -> SSL_RSA_WITH_RC4_128_SHA <> RC4_SHA_US

When I try to connect to the MQ v7.1.0.7 queue manager, the application throws the following error:

 com.ibm.mq.MQException: MQJE001: Completion Code '2', Reason '2397'.
         at com.ibm.mq.MQManagedConnectionJ11.<init>(MQManagedConnectionJ11.java:228)
         at com.ibm.mq.MQClientManagedConnectionFactoryJ11._createManagedConnection(MQClientManagedConnectionFactoryJ11.java:553)
         at com.ibm.mq.MQClientManagedConnectionFactoryJ11.createManagedConnection(MQClientManagedConnectionFactoryJ11.java:593)
         at com.ibm.mq.StoredManagedConnection.<init>(StoredManagedConnection.java:95)
         at com.ibm.mq.MQSimpleConnectionManager.allocateConnection(MQSimpleConnectionManager.java:198)
         at com.ibm.mq.MQQueueManagerFactory.obtainBaseMQQueueManager(MQQueueManagerFactory.java:882)

In the queue manager error log AMQERR01.LOG I see this:

AMQ9616: The CipherSpec proposed is not enabled on the server.

 EXPLANATION: The SSL or TLS subsystem at the server end of a channel
 been configured in such a way that it has rejected the CipherSpec
 proposed by an SSL or TLS client. This rejection occurred during the
 secure socket handshake (i.e. it happened before the proposed
 CipherSpec was compared with the CipherSpec in the server channel
 definition). 

We have an MQ v6.0.2.12 queue manager, and it works fine.

Can someone help with what is wrong with the system? It was working before.

Resolved by adding the following lines in the qm.ini file

SSL:
    AllowSSLV3=Y
    AllowWeakCipherSpec=Y

Updated (2017/01/27) with additional questions:

Below TLSv1

  1. TLS_RSA_WITH_DES_CBC_SHA SSL_RSA_WITH_DES_CBC_SHA TLSv1 TRUE
  2. TLS_RSA_WITH_3DES_EDE_CBC_SHA SSL_RSA_WITH_3DES_EDE_CBC_SHA TLSv1 TRUE

TLSv1.2

Failed
  1. TLS_RSA_WITH_RC4_128_SHA256 SSL_RSA_WITH_RC4_128_SHA TLSv1.2 FALSE

I tried these settings:

  1. SSLContext sslContext = SSLContext.getInstance("TLSv1");
  2. -Dcom.ibm.mq.cfg.preferTLS=true
  3. -Dcom.ibm.mq.cfg.useIBMCipherMappings=false

The error is com.ibm.mq.MQException: MQJE001: Completion Code '2', Reason '2397'

AMQERR01.LOG

There is a mismatch between the CipherSpecs on the local and remote ends
of channel 'TEST.CH'. The channel will not run until this mismatch is 
resolved.The CipherSpec required in the local channel definition is 
'TLS_RSA_WITH_RC4_128_SHA256'. The name of the CipherSpec negotiated during
the SSL handshake is 'RC4_SHA_US'. A code is displayed if the name of the
negotiated CipherSpec cannot be determined

Updated (2017/01/29) with additional questions:

  1. SSLContext sslContext = SSLContext.getInstance("TLSv1.2");
  2. MQEnvironment.sslFipsRequired = true;
  3. MQEnvironment.sslCipherSuite ="SSL_RSA_WITH_AES_256_CBC_SHA256";
  4. ALTER CHANNEL(TEST.CH) CHLTYPE(SVRCONN) SSLCIPH(TLS_RSA_WITH_AES_256_CBC_SHA256)
  5. REFRESH SECURITY TYPE(SSL)
  6. Client executing /apps/java/jdk1.7.0_21/bin/java -Dcom.ibm.mq.cfg.preferTLS=true -Dcom.ibm.mq.cfg.useIBMCipherMappings=false -classpath .:/tmp/mqssl/com.ibm.mq.jmqi.jar:/tmp/mqssl/com.ibm.mq.jar:com.ibm.ws.webservices.thinclient_8.5.0.jar MQProducerSSL

Getting error MQJE001: Completion Code '2', Reason '2400' MQRC_UNSUPPORTED_CIPHER_SUITE (2400)

Updated (2017/01/30) with additional questions:

Still the same error, but in my client java prg I have enabled System.setProperty("javax.net.debug", "all"); to see all activity while executing the client. It prints "Ignoring unavailable cipher suite" for TLS_RSA_WITH_AES_256_CBC_SHA256, as below

Ignoring unavailable cipher suite: TLS_RSA_WITH_AES_256_CBC_SHA256

before calling

MQJE001: Completion Code '2', Reason '2400'.  
MQJE001: Completion Code '2', Reason '2400'.  

Same exception with IBM test-JDK-71
SSL_ECDHE_ECDSA_WITH_3DES_EDE_CBC_SHA<><>ECDHE_ECDSA_3DES_EDE_CBC_SHA256
SSL_ECDHE_RSA_WITH_NULL_SHA<><>ECDHE_RSA_NULL_SHA256

Updated (2017/01/31) with additional questions:

com.ibm.mq.jar

Specification-Version: 7.1.0.1  
Specification-Vendor: IBM Corporation  
Implementation-Title: WebSphere MQ classes for Java  
Implementation-Version: 7.1.0.1 - k710-001-120424  

com.ibm.mq.jmqi.jar

Specification-Version: 7.1.0.1  
Specification-Vendor: IBM Corporation  
Implementation-Title: WebSphere MQ Interface for Java  
Implementation-Version: 7.1.0.1 - k710-001-120424  

Updated (2017/01/31 A) with additional questions:

Since MQ and the client run on the same machine, I got the Specification-Version: 7.1.0.7 jars by changing the classpath

Completed testing of 2 scenarios
  1. -Dcom.ibm.mq.cfg.useIBMCipherMappings=false

jdk1.7.0_21/bin/java -Dcom.ibm.mq.cfg.preferTLS=true -classpath .:/opt/mqm/java/lib/com.ibm.mq.jmqi.jar:/opt/mqm/java/lib/com.ibm.mq.jar MQProducerSSL

Got exception MQJE001: Completion Code '2', Reason '2400'

  1. -Dcom.ibm.mq.cfg.useIBMCipherMappings=false

/apps/hostlink/java/jdk1.7.0_21/jdk1.7.0_21/bin/java -Dcom.ibm.mq.cfg.preferTLS=true -Dcom.ibm.mq.cfg.useIBMCipherMappings=true -classpath .:/opt/mqm/java/lib/com.ibm.mq.jmqi.jar:/opt/mqm/java/lib/com.ibm.mq.jar MQProducerSSL

Got exception MQJE001: Completion Code '2', Reason '2393'

com.ibm.mq.MQException: MQJE001: Completion Code '2', Reason '2393'.  
at com.ibm.mq.MQManagedConnectionJ11.<init>(MQManagedConnectionJ11.java:232)  
at com.ibm.mq.MQClientManagedConnectionFactoryJ11._createManagedConnection(MQClientManagedConnectionFactoryJ11.java:553)  
at com.ibm.mq.MQClientManagedConnectionFactoryJ11.createManagedConnection(MQClientManagedConnectionFactoryJ11.java:593)  
at com.ibm.mq.StoredManagedConnection.<init>(StoredManagedConnection.java:96)  
at com.ibm.mq.MQSimpleConnectionManager.allocateConnection(MQSimpleConnectionManager.java:198)  
at com.ibm.mq.MQQueueManagerFactory.obtainBaseMQQueueManager(MQQueueManagerFactory.java:893)  
at com.ibm.mq.MQQueueManagerFactory.procure(MQQueueManagerFactory.java:780)  
at com.ibm.mq.MQQueueManagerFactory.constructQueueManager(MQQueueManagerFactory.java:729)  
at com.ibm.mq.MQQueueManagerFactory.createQueueManager(MQQueueManagerFactory.java:177)  
at com.ibm.mq.MQQueueManager.<init>(MQQueueManager.java:674)  
at MQProducerSSL.main(MQProducerSSL.java:89)  
Caused by: com.ibm.mq.jmqi.JmqiException: CC=2;RC=2393;AMQ9204: Connection to host 'localhost(2017)' rejected. [1=com.ibm.mq.jmqi.JmqiException[CC=2;RC=2393;AMQ9771: SSL handshake failed. [1=java.lang.IllegalArgumentException[Cannot support TLS_RSA_WITH_AES_256_CBC_SHA256 with currently installed providers],3=localhost/127.0.0.1:2017 (localhost),4=SSLSocket.createSocket,5=default]],3=localhost(2017),5=RemoteTCPConnection.makeSocketSecure]  

Updated (2017/01/31 B) with additional questions:

MQEnvironment.sslFipsRequired = false;  
MQEnvironment.sslCipherSuite = "TLS_RSA_WITH_AES_128_CBC_SHA256";  
ALTER CHANNEL(TEST.CH) CHLTYPE(SVRCONN) SSLCIPH(TLS_RSA_WITH_AES_128_CBC_SHA256)  
/apps/hostlink/java/jdk1.7.0_21/jdk1.7.0_21/bin/java -Dcom.ibm.mq.cfg.preferTLS=true -Dcom.ibm.mq.cfg.useIBMCipherMappings=false -classpath .:/opt/mqm/java/lib/com.ibm.mq.jmqi.jar:/opt/mqm/java/lib/com.ibm.mq.jar MQProducerSSL

MQJE001: Completion Code '2', Reason '2397'.
com.ibm.mq.MQException: MQJE001: Completion Code '2', Reason '2397'.
        at com.ibm.mq.MQManagedConnectionJ11.<init>(MQManagedConnectionJ11.java:232)
        at com.ibm.mq.MQClientManagedConnectionFactoryJ11._createManagedConnection(MQClientManagedConnectionFactoryJ11.java:553)
        at com.ibm.mq.MQClientManagedConnectionFactoryJ11.createManagedConnection(MQClientManagedConnectionFactoryJ11.java:593)
        at com.ibm.mq.StoredManagedConnection.<init>(StoredManagedConnection.java:96)
        at com.ibm.mq.MQSimpleConnectionManager.allocateConnection(MQSimpleConnectionManager.java:198)
        at com.ibm.mq.MQQueueManagerFactory.obtainBaseMQQueueManager(MQQueueManagerFactory.java:893)
        at com.ibm.mq.MQQueueManagerFactory.procure(MQQueueManagerFactory.java:780)
        at com.ibm.mq.MQQueueManagerFactory.constructQueueManager(MQQueueManagerFactory.java:729)
        at com.ibm.mq.MQQueueManagerFactory.createQueueManager(MQQueueManagerFactory.java:177)
        at com.ibm.mq.MQQueueManager.<init>(MQQueueManager.java:674)
        at MQProducerSSL.main(MQProducerSSL.java:89)

Works below TLSv1

----Spec----  TLS_RSA_WITH_DES_CBC_SHA
----Suite---- SSL_RSA_WITH_DES_CBC_SHA TLSv1 TRUE

Not working when given the parameters below, throwing **MQJE001: Completion Code '2', Reason '2400'**

-Dcom.ibm.mq.cfg.useIBMCipherMappings=false  
-Dcom.ibm.mq.cfg.preferTLS=true

I have a question about TLSv1: if TLSv1 works without the above parameters, why is -Dcom.ibm.mq.cfg.preferTLS=true required for TLSv2?

Even with IBM-JDK 7.1 I am not able to use TLSv2; what could be the problem?
Do I need to try with MQ8?

Updated (2017/02/01) with additional questions:

Complete exception in the console

MQJE001: Completion Code '2', Reason '2397'.
com.ibm.mq.MQException: MQJE001: Completion Code '2', Reason '2397'.
        at com.ibm.mq.MQManagedConnectionJ11.<init>(MQManagedConnectionJ11.java:232)
        at com.ibm.mq.MQClientManagedConnectionFactoryJ11._createManagedConnection(MQClientManagedConnectionFactoryJ11.java:553)
        at com.ibm.mq.MQClientManagedConnectionFactoryJ11.createManagedConnection(MQClientManagedConnectionFactoryJ11.java:593)
        at com.ibm.mq.StoredManagedConnection.<init>(StoredManagedConnection.java:96)
        at com.ibm.mq.MQSimpleConnectionManager.allocateConnection(MQSimpleConnectionManager.java:198)
        at com.ibm.mq.MQQueueManagerFactory.obtainBaseMQQueueManager(MQQueueManagerFactory.java:893)
        at com.ibm.mq.MQQueueManagerFactory.procure(MQQueueManagerFactory.java:780)
        at com.ibm.mq.MQQueueManagerFactory.constructQueueManager(MQQueueManagerFactory.java:729)
        at com.ibm.mq.MQQueueManagerFactory.createQueueManager(MQQueueManagerFactory.java:177)
        at com.ibm.mq.MQQueueManager.<init>(MQQueueManager.java:674)
        at MQProducerSSL.main(MQProducerSSL.java:89)
Caused by: com.ibm.mq.jmqi.JmqiException: CC=2;RC=2397;AMQ9204: Connection to host 'localhost(2017)' rejected. [1=com.ibm.mq.jmqi.JmqiException[CC=2;RC=2397;AMQ9771: SSL handshake failed. [1=javax.net.ssl.SSLHandshakeException[Error signing certificate verify],3=localhost/127.0.0.1:2017 (localhost),4=SSLSocket.startHandshake,5=default]],3=localhost(2017),5=RemoteTCPConnection.protocolConnect]
        at com.ibm.mq.jmqi.remote.api.RemoteFAP.jmqiConnect(RemoteFAP.java:2098)
        at com.ibm.mq.jmqi.remote.api.RemoteFAP.jmqiConnect(RemoteFAP.java:1347)
        at com.ibm.mq.MQSESSION.MQCONNX_j(MQSESSION.java:924)
        at com.ibm.mq.MQManagedConnectionJ11.<init>(MQManagedConnectionJ11.java:221)
        ... 10 more
Caused by: com.ibm.mq.jmqi.JmqiException: CC=2;RC=2397;AMQ9771: SSL handshake failed. [1=javax.net.ssl.SSLHandshakeException[Error signing certificate verify],3=localhost/127.0.0.1:2017 (localhost),4=SSLSocket.startHandshake,5=default]
        at com.ibm.mq.jmqi.remote.impl.RemoteTCPConnection.protocolConnect(RemoteTCPConnection.java:1310)
        at com.ibm.mq.jmqi.remote.impl.RemoteConnection.connect(RemoteConnection.java:714)
        at com.ibm.mq.jmqi.remote.impl.RemoteConnectionSpecification.getSessionFromNewConnection(RemoteConnectionSpecification.java:356)
        at com.ibm.mq.jmqi.remote.impl.RemoteConnectionSpecification.getSession(RemoteConnectionSpecification.java:265)
        at com.ibm.mq.jmqi.remote.impl.RemoteConnectionPool.getSession(RemoteConnectionPool.java:144)
        at com.ibm.mq.jmqi.remote.api.RemoteFAP.jmqiConnect(RemoteFAP.java:1709)
        ... 13 more
Caused by: javax.net.ssl.SSLHandshakeException: Error signing certificate verify
        at sun.security.ssl.Alerts.getSSLException(Alerts.java:192)
        at sun.security.ssl.SSLSocketImpl.fatal(SSLSocketImpl.java:1886)
        at sun.security.ssl.Handshaker.fatalSE(Handshaker.java:276)
        at sun.security.ssl.ClientHandshaker.serverHelloDone(ClientHandshaker.java:987)
        at sun.security.ssl.ClientHandshaker.processMessage(ClientHandshaker.java:285)
        at sun.security.ssl.Handshaker.processLoop(Handshaker.java:868)
        at sun.security.ssl.Handshaker.process_record(Handshaker.java:804)
        at sun.security.ssl.SSLSocketImpl.readRecord(SSLSocketImpl.java:1016)
        at sun.security.ssl.SSLSocketImpl.performInitialHandshake(SSLSocketImpl.java:1312)
        at sun.security.ssl.SSLSocketImpl.startHandshake(SSLSocketImpl.java:1339)
        at sun.security.ssl.SSLSocketImpl.startHandshake(SSLSocketImpl.java:1323)
        at com.ibm.mq.jmqi.remote.impl.RemoteTCPConnection.run(RemoteTCPConnection.java:1280)
        at com.ibm.mq.jmqi.remote.impl.RemoteTCPConnection.run(RemoteTCPConnection.java:1273)
        at java.security.AccessController.doPrivileged(Native Method)
        at com.ibm.mq.jmqi.remote.impl.RemoteTCPConnection.protocolConnect(RemoteTCPConnection.java:1271)
        ... 18 more
Caused by: java.security.NoSuchAlgorithmException: SHA224withRSA Signature not available
        at java.security.Signature.getInstance(Signature.java:224)
        at sun.security.ssl.JsseJce.getSignature(JsseJce.java:241)
        at sun.security.ssl.HandshakeMessage$CertificateVerify.<init>(HandshakeMessage.java:1552)
        at sun.security.ssl.ClientHandshaker.serverHelloDone(ClientHandshaker.java:982)
        ... 29 more

From AMQERR01.LOG

----- amqrmrsa.c : 930 --------------------------------------------------------
01/31/2017 08:45:00 PM - Process(14444.328) User(mqm) Program(amqrmppa)
                    Host(testvm) Installation(Installation1)
                    VRMF(7.1.0.7) QMgr(TLSTEST.QM)

AMQ9665: SSL connection closed by remote end of channel '????'.

EXPLANATION:
The SSL or TLS connection was closed by the remote host 'localhost (127.0.0.1)'
during the secure socket handshake. The channel is '????'; in some cases its
name cannot be determined and so is shown as '????'. The channel did not start.
ACTION:
Check the remote end of the channel for SSL and TLS errors. Fix them and
restart the channel.
----- amqccisa.c : 6478 -------------------------------------------------------
01/31/2017 08:45:00 PM - Process(14444.328) User(mqm) Program(amqrmppa)
                    Host(testvm) Installation(Installation1)
                    VRMF(7.1.0.7) QMgr(TLSTEST.QM)

AMQ9492: The TCP/IP responder program encountered an error.

EXPLANATION:
The responder program was started but detected an error. 

The host name was 'localhost (127.0.0.1)'; in some cases the host name cannot
be determined and so is shown as '????'.
ACTION:
Look at previous error messages in the error files to determine the error
encountered by the responder program.
----- amqrmrsa.c : 930 --------------------------------------------------------

Removed the old jars from the classpath, but still the same exception

The console output printed the following lines for the algorithm

matching alias: ibmwebspheremqtlstest.qm
*** Certificate chain
chain [0] = [
[
  Version: V3
  Signature Algorithm: SHA1withRSA, 

In the client, I pass the key.jks file, which was created at the MQ level using 'runmqckm'. Is it necessary to specify a different algorithm when creating it for TLSv2?

TLSV2 WORKED WITH JDK8 and ibm/java-x86_64-71

SSLContext sslContext = SSLContext.getInstance("TLSv1.2");

Oracle JDK8

MQEnvironment.sslFipsRequired = false;  
MQEnvironment.sslCipherSuite = "TLS_RSA_WITH_AES_128_CBC_SHA256";  
ALTER CHANNEL(TEST.CH) CHLTYPE(SVRCONN) SSLCIPH(TLS_RSA_WITH_AES_128_CBC_SHA256)

IBM-JDK7.1

MQEnvironment.sslFipsRequired = false;
MQEnvironment.sslCipherSuite = "SSL_RSA_WITH_NULL_SHA256";
ALTER CHANNEL(TEST.CH) CHLTYPE(SVRCONN) SSLCIPH(TLS_RSA_WITH_NULL_SHA256)

But the question remains: how to use any TLSv2 cipher with an Oracle java version lower than 8?

To resolve/work around the problem, I will try one by one:

1) Use the IBM JVM
2) Test with Oracle Java v8
3) Try MQ v8
4) Other option: set SSLCAUTH=OPTIONAL and do not require a client certificate.

Trying with JDK8 and MQ8

Now trying to do the same with JDK8 + MQ8 installed (MQServer8 and MQSeriesGSKit-8.0.0-4.x86_64), but now having a problem creating the certificate with the runmqckm command

export LD_LIBRARY_PATH=/opt/mqm/gskit8/lib64  
export PATH=$PATH:/opt/mqm/gskit8/bin  
runmqckm  

bash: runmqckm: command not found  

Partially working with runmqakm,
but failed to create the jks file as below

runmqakm  -keydb -create  -db /var/mqm/qmgrs/TLSTEST\!QM/ssl/key.jks  -pw password  -type jks  
CTGSK3017W The database type "jks" is not recognized.  

Resolved

No need to set the paths below

export LD_LIBRARY_PATH=/opt/mqm/gskit8/lib64  
export PATH=$PATH:/opt/mqm/gskit8/bin  
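
Added example (not code from the question or from IBM): a small Java preflight that checks, in the JRE that will run the MQ client, the three capabilities whose absence produced the reason codes seen above: whether the TLSv1.2 SSLContext lists the chosen cipher suite (2400 MQRC_UNSUPPORTED_CIPHER_SUITE when it does not), the maximum AES key length the JCE jurisdiction policy allows (2393 "Cannot support TLS_RSA_WITH_AES_256_CBC_SHA256" when capped at 128), and whether any installed provider offers SHA224withRSA (2397 "SHA224withRSA Signature not available"). The class name, command-line arguments and their defaults are assumptions.

```java
import java.security.NoSuchAlgorithmException;
import java.security.Provider;
import java.security.Security;
import java.security.Signature;
import java.util.Arrays;
import javax.crypto.Cipher;
import javax.net.ssl.SSLContext;

/**
 * Preflight check of what the running JRE can actually negotiate, so the
 * MQ reason code is explained before the channel is touched.
 * Added example; not part of the question's MQProducerSSL or of IBM MQ.
 */
public class TlsPreflight {

    /** True if the SSLContext for the protocol lists the suite among its supported suites. */
    public static boolean suiteSupported(String protocol, String suite) {
        try {
            SSLContext ctx = SSLContext.getInstance(protocol);
            ctx.init(null, null, null);   // default managers are enough for a capability listing
            String[] supported = ctx.getSupportedSSLParameters().getCipherSuites();
            return Arrays.asList(supported).contains(suite);
        } catch (Exception e) {
            return false;                 // unknown protocol or uninitialisable context
        }
    }

    /** Largest AES key the JCE policy allows; 128 means the limited policy files are installed. */
    public static int maxAesKeyBits() throws NoSuchAlgorithmException {
        return Cipher.getMaxAllowedKeyLength("AES");
    }

    /** True if some installed provider offers the signature algorithm (e.g. SHA224withRSA). */
    public static boolean signatureAvailable(String algorithm) {
        try {
            Signature.getInstance(algorithm);
            return true;
        } catch (NoSuchAlgorithmException e) {
            return false;
        }
    }

    public static void main(String[] args) throws Exception {
        // Oracle suite names, i.e. what the client sends with useIBMCipherMappings=false (assumed defaults).
        String protocol = args.length > 0 ? args[0] : "TLSv1.2";
        String suite    = args.length > 1 ? args[1] : "TLS_RSA_WITH_AES_256_CBC_SHA256";

        System.out.println("java.version = " + System.getProperty("java.version")
                + " (" + System.getProperty("java.vendor") + ")");
        System.out.println(protocol + " context " + (suiteSupported(protocol, suite)
                ? "lists " : "does NOT list ") + suite);

        int aes = maxAesKeyBits();
        System.out.println("max AES key bits = " + aes
                + (aes < 256 ? "  (JCE Unlimited Strength policy files not installed)" : ""));

        for (String sig : new String[] {"SHA1withRSA", "SHA224withRSA", "SHA256withRSA"}) {
            System.out.println(sig + ": " + (signatureAvailable(sig) ? "available" : "NOT available"));
        }
        // Name the provider that would serve SHA224withRSA, if any (SunRsaSign on JDK 8, IBMJCE on IBM JDKs).
        for (Provider p : Security.getProviders()) {
            if (p.getService("Signature", "SHA224withRSA") != null) {
                System.out.println("SHA224withRSA provided by " + p.getName());
            }
        }
    }
}
```

Run it once with each JRE under test (for example `java TlsPreflight TLSv1.2 TLS_RSA_WITH_AES_128_CBC_SHA256`) before changing the channel's SSLCIPH; a suite the context does not list, an AES cap of 128, or a missing SHA224withRSA each predicts one of the three failures without needing javax.net.debug output.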

IBM MQ Fix Pack 7.1.0.7, released 19 November 2015, includes the following APAR:

IV73396: DEPRECATION OF SSLV3 CIPHERSPECS IN WEBSPHERE MQ V7 QUEUE MANAGERS

PROBLEM DESCRIPTION:

Once this change is applied, any queue managers created will disallow the use of the following CipherSpecs on channel definitions associated with the queue manager:

AES_SHA_US
RC4_SHA_US
RC4_MD5_US
TRIPLE_DES_SHA_US
DES_SHA_EXPORT1024
RC4_56_SHA_EXPORT1024
RC4_MD5_EXPORT
RC2_MD5_EXPORT
DES_SHA_EXPORT
NULL_SHA
NULL_MD5
FIPS_WITH_DES_CBC_SHA
FIPS_WITH_3DES_EDE_CBC_SHA

Attempting to use or configure one of these CipherSpecs will result in one or more of the following messages in the queue manager error log: AMQ8242, AMQ9616, AMQ9635.


This is a consequence of SSLv3 being formally deprecated in June 2015 with the IETF's approval and publication of RFC7568

  1. Introduction

Since it was released in 1996, the SSLv3 protocol [RFC6101] has been subject to a long series of attacks, both on its key exchange mechanism and on the encryption schemes it supports. Despite being replaced by TLS 1.0 [RFC2246] in 1999, and subsequently TLS 1.1 in 2002 [RFC4346] and 1.2 in 2006 [RFC5246], availability of these replacement versions has not been universal. As a result, many implementations of TLS have permitted the negotiation of SSLv3.

The predecessor of SSLv3, SSL version 2, is no longer considered sufficiently secure [RFC6176]. SSLv3 now follows.


There is a very good IBM developerWorks blog post "SSL and TLS Cipher Specification Deprecations for the MQ Product", posted 19 May 2016 by Miguel A. Rodriguez, which details which ciphers are deprecated in the various fix packs.


I would suggest you find a supported TLSv1.2 cipher to use that is compatible with both the Java client and the IBM MQ SVRCONN channel. Since SSLv3 was deprecated, there have been many updates that opened up more TLS ciphers for Java clients using IBM or Non-IBM JREs.

The IBM developerWorks blog post "MQ Java, TLS Ciphers, Non-IBM JREs & APARs IT06775, IV66840, IT09423, IT10837 -- HELP ME PLEASE!", posted 9 June 2016 by Tom Leend, is an excellent article on the changes IBM made to cipher support for Java clients.


The reason you have no problems with IBM MQ v6.0.2.12 is that this version has been out of support for over four years (since 30 September 2012), and IBM does not release security updates for end-of-service versions as it does for supported versions.


I would suggest you move to a supported version of IBM MQ. When considering which version to upgrade to, note that two of the currently supported versions will go out of support within the next 16 months:

  • MQ v7.1 goes out of support on 30 April 2017, less than four months away.
  • MQ v7.5 goes out of support on 30 April 2018.
  • MQ v8.0 and v9.0 currently have no announced end-of-support date.

The IBM developerWorks blog post "MQ Java, TLS Ciphers, Non-IBM JREs & APARs IT06775, IV66840, IT09423, IT10837 -- HELP ME PLEASE!" notes that APAR IV66840, which added the useIBMCipherMappings setting, is included in 7.1.0.7, which should allow TLSv1.2 CipherSpecs to be used with an Oracle JRE.

The table in APAR IV66840 has this information:

The following WebSphere MQ CipherSuite to CipherSpec mappings have been enabled by this APAR for WebSphere MQ v7.1 and v7.5 where the classes for Java and classes for JMS support SHA-2:

Oracle CipherSuite              IBM MQ CipherSpec
TLS_RSA_WITH_NULL_SHA256        TLS_RSA_WITH_NULL_SHA256
TLS_RSA_WITH_AES_128_CBC_SHA256 TLS_RSA_WITH_AES_128_CBC_SHA256
TLS_RSA_WITH_AES_256_CBC_SHA256 TLS_RSA_WITH_AES_256_CBC_SHA256

If you compare these against the v7.1 Knowledge Center page Specifying CipherSpecs, you will find that all three are TLSv1.2 CipherSpecs.

For comparison with the IBM JRE CipherSuite names, the v7.1 Knowledge Center page SSL CipherSpecs and CipherSuites in WebSphere MQ classes for Java lists the similar mappings:

IBM CipherSuite                 IBM MQ CipherSpec
SSL_RSA_WITH_NULL_SHA256        TLS_RSA_WITH_NULL_SHA256
SSL_RSA_WITH_AES_256_CBC_SHA    TLS_RSA_WITH_AES_256_CBC_SHA
SSL_RSA_WITH_AES_256_CBC_SHA256 TLS_RSA_WITH_AES_256_CBC_SHA256

UPDATE (2017/01/27) to address further questions

The MQ CipherSpec TLS_RSA_WITH_RC4_128_SHA256 is not one of those listed in APAR IV66840 as enabled for non-IBM JREs under MQ v7.1; it is only listed under v8.0. Above I listed the three TLSv1.2 CipherSpecs added to MQ v7.1.

I would suggest you try TLS_RSA_WITH_AES_256_CBC_SHA256 as the CipherSpec on the MQ channel and TLS_RSA_WITH_AES_256_CBC_SHA256 as the Java CipherSuite.

The settings below should work with the CipherSpec/CipherSuite I suggested; note that I changed it from TLSv1 to TLSv1.2

SSLContext sslContext = SSLContext.getInstance("TLSv1.2");
-Dcom.ibm.mq.cfg.preferTLS=true
-Dcom.ibm.mq.cfg.useIBMCipherMappings=false

UPDATE (2017/01/30) to try and address further questions

In your question you mention these jar files in the classpath: /tmp/mqssl/com.ibm.mq.jmqi.jar:/tmp/mqssl/com.ibm.mq.jar

Please confirm which version of the IBM MQ product each of these comes from; you can do this on linux with the unzip utility:

unzip -p com.ibm.mq.jar META-INF/MANIFEST.MF|grep Implementation-Version

The output will be:

Implementation-Version: x.x.x.x - pxxx-xxx-YYMMDD


UPDATE (2017/01/31) to address further questions

APAR IV66840, which includes the -Dcom.ibm.mq.cfg.useIBMCipherMappings=false setting, was not included in MQ until v7.1.0.7, which is the version you state you are using.

Based on the output you provided, the jar files you referenced are from a v7.1.0.1 installation, which would not include support for TLS on a non-IBM JRE such as the Oracle JRE.


You also noted that the jar files are located in /tmp/mqssl; note that prior to MQ v8, IBM did not support copying the jar files outside of the default installation location.

The IBM technote "Supported way to install WebSphere MQ Java jar files, JMS jar files, or C/C++ libraries" states:

+++ Section 1: MQ 7.x

The only supported way to get the MQ jar files or the MQ C/C++ library files onto a system is to install either:

  • the WebSphere MQ product or
  • the WebSphere MQ Client SupportPacs.

To legally download and use a client you must first accept the terms and conditions specified in the License Agreement.

Do not copy the WebSphere MQ jar files to application EAR or WAR files.

Do not copy the WebSphere MQ jar or MQ C/C++ library files from other machines:

  • Fix Packs cannot be applied to an "installation" where jar or C/C++ library files have been copied from another machine, and this makes it much more difficult to ensure that all of these jar/library files are kept in step with each other, and are at compatible levels.
  • Copying jar/library files between machines can also result in multiple copies of the files residing on the same machine, which can cause problems servicing the code and debugging problems.

If your application is on the same server as the MQ v7.1.0.7 queue manager, then you can just reference the jar files in the directory /opt/mqm/java/lib.

If your application is not on the same server and you intend to stay on v7.1 or use v7.5, I would suggest you install the latest full client installation; see my note above about which version to choose based on their end-of-service dates.


If you decide to use v8 or v9, the IBM technote "Supported way to install WebSphere MQ Java jar files, JMS jar files, or C/C++ libraries" also states:

b) Starting with MQ 8.0.0.4, you can use Redistributable files:

This means that with v8.0.0.4 and later you can download the MQ JMS and Java redistributable-only client.

The MQ JMS and Java redistributable-only client package is available from FixCentral here


UPDATE (2017/01/31 A) to address further questions

After searching for the error you received, I found this dW Answers post "Why do I get AMQ9771, 2393 SSL Initialization error from a MQ Java/JMS application when trying to use an TLS AES 256 cipher?". It states the following:

In this case, the issue is caused by attempting to use AES 256 strong cipher algorithms.

Most Java JREs, including Oracle/Sun and IBM's have Import Limits on Cryptographic Algorithms enabled. This limits the maximum key sizes and also some algorithms.

When trying to use a AES 256 cipher, such as ECDHE_RSA_AES_256_CBC_SHA384 or TLS_RSA_WITH_AES_256_CBC_SHA256 with a MQ Java/JMS application, you need to ensure your JRE supports this cipher. In most cases, when the stronger cipher algorithms are needed, such as AES 256 ciphers, the JCE Unlimited Strength Jurisdiction Policy Files must be obtained and installed in the JDK/JRE.

This is noted in the JDK/JRE documentation: For Oracle 1.7:

http://docs.oracle.com/javase/7/docs/technotes/guides/security/SunProviders.html

The oracle link above states:

If stronger algorithms are needed (for example, AES with 256-bit keys), the JCE Unlimited Strength Jurisdiction Policy Files must be obtained and installed in the JDK/JRE.

It is the user's responsibility to verify that this action is permissible under local regulations.

I would suggest you either use the lower CipherSuite TLS_RSA_WITH_AES_128_CBC_SHA256, or obtain and install the JCE Unlimited Strength Jurisdiction Policy Files as suggested above.


UPDATE (2017/02/01) to address further questions

The error that caught my attention is Caused by: java.security.NoSuchAlgorithmException: SHA224withRSA Signature not available

I searched google for this and found the following dW Answers post "How to resolve issue with MQ v7.x Java client getting SSL error NoSuchAlgorithmException: SHA224withRSA Signature not available?", which states the following:

Assuming using Oracle JVM:

We have found that the root cause of the issue is the signature algorithm SHA224withRSA is not supported by Oracle JRE 1.7, see signature algorithms available:

https://docs.oracle.com/javase/7/docs/technotes/guides/security/SunProviders.html

In the link above, the table of interest is under "The SunRsaSign Provider", which lists the following supported signature algorithms:

MD2withRSA
MD5withRSA
SHA1withRSA
SHA256withRSA
SHA384withRSA
SHA512withRSA

Note that SHA224withRSA is not in the list.


The same dW Answers post goes on to state:

This signature algorithm is available in the IBM JVM and also in Oracle JVM 1.8.

https://docs.oracle.com/javase/8/docs/technotes/guides/security/SunProviders.html

In the link above, the table of interest is under "The SunRsaSign Provider", which lists the following supported signature algorithms:

MD2withRSA
MD5withRSA
SHA1withRSA
SHA224withRSA
SHA256withRSA
SHA384withRSA
SHA512withRSA

Note that SHA224withRSA is in the list.


The dW post's recommendation:

  1. Try using Oracle Java 8 (1.8)
  2. Try using IBM Java

UPDATE (2017/02/01 B) to address further questions

Taking into account all the information gathered through the troubleshooting above, the answer is that with MQ v7.1.0.7 you cannot use TLSv1.2 ciphers with the MQ Java client on an Oracle Java version lower than 8.

Based on the last dW Answers post I provided, IBM suggests trying MQ v8, but I do not think they tested this configuration, so it may not work either.

If you do want to try MQ v8, I would suggest you use the latest v8.0.0.5 Java-only redistributable client package that I provided the link to already.
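
Added example (not the question's MQProducerSSL and not IBM sample code): an MQ classes for Java client put together from the settings the answer recommends for a non-IBM JRE, that is a TLSv1.2 context, preferTLS=true, useIBMCipherMappings=false, and one of the APAR IV66840 TLSv1.2 CipherSpecs set identically on the SVRCONN channel. It selects the AES_128 suite unless the JCE policy allows 256-bit keys, which is the answer's way around reason code 2393. Host, port, channel, queue manager name, keystore path and password are placeholders, and using the runmqckm JKS as both keystore and truststore is an assumption for a same-machine test.

```java
import java.io.FileInputStream;
import java.security.KeyStore;
import javax.crypto.Cipher;
import javax.net.ssl.KeyManagerFactory;
import javax.net.ssl.SSLContext;
import javax.net.ssl.TrustManagerFactory;
import com.ibm.mq.MQEnvironment;
import com.ibm.mq.MQQueueManager;

/**
 * MQ classes for Java client configured per the answer for MQ v7.1.0.7 with an
 * Oracle JRE. Added example; connection details below are placeholders.
 */
public class Tls12MqClient {

    /** AES_256 only if the JCE policy allows it; otherwise AES_128, which needs no policy files. */
    public static String chooseCipherSuite() throws Exception {
        return Cipher.getMaxAllowedKeyLength("AES") >= 256
                ? "TLS_RSA_WITH_AES_256_CBC_SHA256"
                : "TLS_RSA_WITH_AES_128_CBC_SHA256";
    }

    /** TLSv1.2-only context from the JKS that runmqckm produced (assumed to hold client key + QM cert). */
    public static SSLContext buildContext(String jksPath, char[] password) throws Exception {
        KeyStore ks = KeyStore.getInstance("JKS");
        try (FileInputStream in = new FileInputStream(jksPath)) {
            ks.load(in, password);
        }
        KeyManagerFactory kmf = KeyManagerFactory.getInstance(KeyManagerFactory.getDefaultAlgorithm());
        kmf.init(ks, password);
        TrustManagerFactory tmf = TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
        tmf.init(ks);
        SSLContext ctx = SSLContext.getInstance("TLSv1.2");
        ctx.init(kmf.getKeyManagers(), tmf.getTrustManagers(), null);
        return ctx;
    }

    public static void main(String[] args) throws Exception {
        // Same effect as the -D flags in the question; set before any MQ class is initialised.
        System.setProperty("com.ibm.mq.cfg.preferTLS", "true");
        System.setProperty("com.ibm.mq.cfg.useIBMCipherMappings", "false"); // Oracle suite names

        String suite = chooseCipherSuite();
        // The channel must carry the same name: ALTER CHANNEL(TEST.CH) CHLTYPE(SVRCONN) SSLCIPH(<suite>)
        SSLContext ctx = buildContext("/path/to/key.jks", "changeit".toCharArray()); // placeholders

        MQEnvironment.hostname = "localhost";   // placeholder
        MQEnvironment.port = 2017;              // placeholder listener port
        MQEnvironment.channel = "TEST.CH";      // channel name from the question
        MQEnvironment.sslFipsRequired = false;
        MQEnvironment.sslCipherSuite = suite;
        MQEnvironment.sslSocketFactory = ctx.getSocketFactory();

        MQQueueManager qm = new MQQueueManager("TLSTEST.QM"); // QM name from the question's log
        System.out.println("Connected to TLSTEST.QM with " + suite);
        qm.disconnect();
    }
}
```

Run it with Oracle JDK 8 or an IBM JDK; by the answer's conclusion, Oracle JDK 7 still fails with 2397 because its SunRsaSign provider has no SHA224withRSA for the CertificateVerify message. Compile against the jars in /opt/mqm/java/lib from the same 7.1.0.7 installation, since a 7.1.0.1 com.ibm.mq.jar predates APAR IV66840 and ignores useIBMCipherMappings.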