IBM MQ.Net CertificateLabel, CipherSpec

I am trying to connect to a remote IBM MQ server (v8.0) but get the error below. I am using .Net 4.5.2 on Windows 10. I modified the SimplePut.exe program that ships with the client installation. I think I may be missing something related to the client certificate that was issued to me and that I installed following their instructions. Could it be the CertificateLabel setting? I am new to IBM MQ, so any help is greatly appreciated.

-h <host> -p 1434 -s TLS_RSA_WITH_AES_256_CBC_SHA256 -q INS -l connection -k *SYSTEM

The error shown on the queue manager when I run the program is as follows:

Cause . . . . . :
There is a mismatch between the CipherSpecs on the local  and remote ends of
channel ''. The channel will not run until this mismatch is resolved.
The local CipherSpec is 'TLS_RSA_WITH_AES_256_CBC_SHA256' and the remote
CipherSpec is 'TLS_RSA_WITH_AES_128_CBC_SHA256'.
Recovery  . . . :
Change the channel definition for '' so that both ends have matching
CipherSpecs and restart the channel.

The MQ v8.0 Knowledge Center page "Configuring SSL for managed IBM MQ .NET" states the following:

c. If needed, edit the Windows Group Policy to set the CipherSpec, then, for the Windows Group Policy updates to take effect, restart the computer.

a. Set the MQEnvironment or the SSLCipherSpec value to denote the connection as a secured connection. The value that you specify is used to identify the SSL protocol being used (SSL or TLS) and must match with any preference that you have specified in the Windows Group Policy.

The MQ v8.0 Knowledge Center page "CipherSpec support for the managed .NET client" goes into more detail:

For the IBM MQ.NET managed client, the SSL settings are for the Microsoft.NET SSLStream class. For SSLStream, a CipherSpec, or a preference list of CipherSpecs, can be set only in the Windows group policy, which is a computer-wide setting. SSLStream then uses the specified CipherSpec or preference list during the handshake with the server. In case of other IBM MQ clients, the CipherSpec property can be set in the application on the IBM MQ channel definition and the same setting is used for SSL negotiation. As a result of this restriction, the SSL/TLS handshake might negotiate any supported CipherSpec regardless of what is specified in the IBM MQ channel configuration. Therefore, it is likely that this will result in error AMQ9631 on the queue manager. To avoid this error, set the same CipherSpec as the one that you have set in the application as the SSL configuration in the Windows group policy.


Windows group policy

When a CipherSpec is set on the Windows group policy, the same CipherSpec must be set for the SSLCipherSpec property value on the SVRCONN channel and in the application. If the Windows group policy is set to the default, that is the group policy is not enabled/edited for CipherSpec setting, applications must set the same default value of the CipherSpec from the Windows group policy SSL configuration in the MQEnvironment class or in the MQQueueManager constructor hashtable properties.


Update on specifying the certificate label with managed .NET

The MQ v8.0 Knowledge Center page "Using certificates for the managed .NET client" details the two options that let MQ find the certificate:

Matching certificates by certificate label

If you set the certificate label, the IBM MQ managed .NET client searches the Windows certificate store with the given label name to identify the client certificate. It loads all matching certificates and uses the first certificate on the list. There are two options for setting the certificate label:

  • The certificate label can be set on the MQEnvironment class by accessing MQEnvironment.CertificateLabel.
  • The certificate label can also be set in a hash table of properties, supplied as an input parameter to the MQQueueManager constructor, as shown in the following example.
    Hashtable properties = new Hashtable();
    properties.Add("CertificateLabel", "mycert");
    The name("CertificateLabel") and the value are case sensitive.

Matching certificates by string

If certificate label is not set, then the certificate that matches the string "ibmwebspheremq" and the current logged on user (in lower case) is searched for and used.


Update: another useful blog post

@renz found the IBM developerWorks MQdev blog post "MQ v8: SSL connections in Managed MQ .NET" written by Sudhanshu Pant, which also has good screenshot information.
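To tie the two points of the answer together (the CipherSpec that SslStream negotiates is governed by Windows group policy, so it must be set identically on the SVRCONN channel and in the application, and the client certificate is located by the case-sensitive "CertificateLabel" property), here is an added C# example of a managed-transport connection with both settings applied. It is not code from the question, the answer, or IBM's SimplePut sample; the host, queue manager, channel, queue and certificate label are placeholders, and only the port 1434, the *SYSTEM store and the CipherSpec come from the page.

```csharp
using System;
using System.Collections;
using IBM.WMQ;

class SecuredPut
{
    // Placeholder connection details (assumptions, not values from the page except the port).
    const string Host       = "mq.example.internal";
    const int    Port       = 1434;
    const string Channel    = "APP.SVRCONN";
    const string QueueMgr   = "QM1";
    const string QueueName  = "APP.REQUEST";
    // Must be identical in three places: SSLCIPH on the SVRCONN channel, this property,
    // and the cipher suite that Windows group policy lets SslStream negotiate. A mismatch
    // between the last two is what produces AMQ9631 on the queue manager.
    const string CipherSpec = "TLS_RSA_WITH_AES_256_CBC_SHA256";

    static Hashtable ConnectionProperties()
    {
        var props = new Hashtable();
        props.Add(MQC.TRANSPORT_PROPERTY, MQC.TRANSPORT_MQSERIES_MANAGED); // managed client: TLS via SslStream
        props.Add(MQC.HOST_NAME_PROPERTY, Host);
        props.Add(MQC.PORT_PROPERTY, Port);
        props.Add(MQC.CHANNEL_PROPERTY, Channel);
        props.Add(MQC.SSL_CERT_STORE_PROPERTY, "*SYSTEM");   // LocalMachine certificate store, as with -k *SYSTEM
        props.Add(MQC.SSL_CIPHER_SPEC_PROPERTY, CipherSpec);
        props.Add("CertificateLabel", "mycert");            // key and value are case sensitive; first matching cert is used
        return props;
    }

    static void Main()
    {
        MQQueueManager qmgr = null;
        try
        {
            qmgr = new MQQueueManager(QueueMgr, ConnectionProperties());
            MQQueue queue = qmgr.AccessQueue(QueueName, MQC.MQOO_OUTPUT | MQC.MQOO_FAIL_IF_QUIESCING);
            var msg = new MQMessage();
            msg.WriteString("hello over TLS");
            queue.Put(msg);
            queue.Close();
            Console.WriteLine("put OK");
        }
        catch (MQException e)
        {
            // Reason 2393 (MQRC_SSL_INITIALIZATION_ERROR) on the client side is the usual
            // companion of AMQ9631 on the queue manager: re-check SSLCIPH against group policy.
            Console.WriteLine("MQ reason {0}: {1}", e.ReasonCode, e.Message);
        }
        finally
        {
            if (qmgr != null && qmgr.IsConnected) qmgr.Disconnect();
        }
    }
}
```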