IBM MQ8.0 - AMQ9503 Channel negotiation failed
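I'm having a problem connecting to IBM MQ8.0 from a Java client when SSL is enabled on the client channel (SVRCONN). When SSL is disabled on the channel (SSLAUTH to optional), the flow works fine.
The client Java uses JRE1.7. The MQ server version is IBM MQ8.0.
Self-signed certificates were created and exchanged properly, per the MQ setup reference.
The javax.net.debug=ssl option confirms in the log that the certificate exchange and the SSL handshake succeed.
But when the Java client code tries to get the MQManager object, an MQ exception is thrown.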
com.ibm.mq.MQException: MQJE001: Completion code '2', reason '2059' ...
caused by: com.ibm.jmqi.JmqiException: CC=2;RC=2059;AMQ9204: Connection to host '1.2.3.4(1414)' rejected. [1=com.ibm.jmqi.JmqiException[CC=2;RC=2059;AMQ9503: Channel negotiation failed. [3=CHANNEL.SVRCONN.SSL]],3=1.2.3.4(1414), 5=RemoteConnection.analyseSegment] ...
caused by: com.ibm.jmqi.JmqiException: CC=2;RC=2059;AMQ9503: Channel negotiation failed. [3=CHANNEL.SVRCONN.SSL]
I have configured TLS_RSA_WITH_AES_256_CBC_SHA256 as the cipher spec in both the client and the MQ client channel (SVRCONN).
I tried other cipher specs such as TLS_RSA_WITH_AES_128_CBC_SHA, and the error persists.
MQ server error log has AMQ9665: SSL connection closed by remote end of channel '????'
Explanation: The SSL or TLS connection was closed by the remote host '5.6.7.8' during the secure socket handshake. The channel is '????', in some cases its name cannot be determined and so is shown as '????'. The channel didn't start.
ACTION: Check the remote end of the channel for SSL and TLS errors. Fix them and restart the channel.
But at the remote end I only have the Java client, which uses the MQ libraries to connect to the MQ server.
SSLLog Page-4
SSLLog Page-5
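Could not get the data off the server, so I added images of the last 2 pages from the SSL log.
The MQ server-side log is already given above, along with the default log AMQ9999: Channel '????' to host 1.2.3.4 ended abnormally.
The same error is logged repeatedly. No other logs were found.
Below is the MQ client code snippet.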
void connect2MQ()
{
    MQEnvironment.hostname = "1.2.3.4";
    MQEnvironment.port = 1414;
    MQEnvironment.channel = "CLIENT.SVRCONN.SSL";
    if (SSLEnabled.equals("Y")) // It is set to 'Y' in main method
    {
        MQEnvironment.sslCipherSuite = "TLS_RSA_WITH_AES_128_CBC_SHA";
        System.setProperty("javax.net.ssl.trustStore", "trustStoreCertFilePath");
        System.setProperty("javax.net.ssl.keyStore", "keyStoreCertFilePath");
        System.setProperty("javax.net.ssl.trustStorePassword", "Pass");
        System.setProperty("javax.net.ssl.keyStorePassword", "Pass");
        System.setProperty("javax.net.ssl.trustStoreType", "JKS");
        System.setProperty("javax.net.ssl.keyStoreType", "JKS");
    }
    try {
        MQQueueManager qmgr = new MQQueueManager("QMGR.TEST.SSL"); // Exception is thrown from here
        ...
    }
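You appear to be hitting the problem described in APAR IT10837. This is fixed in 8.0.0.5 and later of the MQ classes for Java and MQ classes for JMS client jar files; I suggest moving to the latest v8 version, 8.0.0.7.
The error message does not match, but the symptom of it working with SSLCAUTH(OPTIONAL) and not working with SSLCAUTH(REQUIRED) matches you running a version without the fix.
Tom Leend has an IBM developerWorks MQdev blog titled "MQ Java, TLS Ciphers, Non-IBM JREs & APARs IT06775, IV66840, IT09423, IT10837 -- HELP ME PLEASE!", which describes a workaround if your MQ level does not have the fix.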
---- Code Snippet Start ----
// Needs java.security.KeyStore and, from javax.net.ssl, KeyManagerFactory,
// TrustManagerFactory, SSLContext and SSLSocketFactory.
// password_char_array is a char[] holding the store password.

// Load the client's key store (its own certificate and private key)
KeyStore keyStore = KeyStore.getInstance("JKS");
java.io.FileInputStream keyStoreInputStream = new java.io.FileInputStream("/home/tom/myKeyStore.jks");
keyStore.load(keyStoreInputStream, password_char_array);

// Load the trust store (the certificates the client accepts from the queue manager)
KeyStore trustStore = KeyStore.getInstance("JKS");
java.io.FileInputStream trustStoreInputStream = new java.io.FileInputStream("/home/tom/myTrustStore.jks");
trustStore.load(trustStoreInputStream, password_char_array);

keyStoreInputStream.close();
trustStoreInputStream.close();

KeyManagerFactory keyManagerFactory =
    KeyManagerFactory.getInstance(KeyManagerFactory.getDefaultAlgorithm());
TrustManagerFactory trustManagerFactory =
    TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
keyManagerFactory.init(keyStore, password_char_array);
trustManagerFactory.init(trustStore);

// Build the SSLContext from both stores and take its socket factory
SSLContext sslContext = SSLContext.getInstance("TLSv1");
sslContext.init(keyManagerFactory.getKeyManagers(),
                trustManagerFactory.getTrustManagers(),
                null);
SSLSocketFactory sslSocketFactory = sslContext.getSocketFactory();

// classes for JMS
//myJmsConnectionFactory.setObjectProperty(
//    WMQConstants.WMQ_SSL_SOCKET_FACTORY, sslSocketFactory);

// classes for Java
MQEnvironment.sslSocketFactory = sslSocketFactory;
---- Code Snippet End ----
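
An added example, not part of the original answer or of IBM's code: a stand-alone check, using only standard JSSE/JCE calls, of whether the client JRE supports and enables the cipher suites named in the question under the `TLSv1` and `TLSv1.2` context names. The class name `CipherSuiteCheck` is hypothetical; it makes no network connection.

```java
import java.security.NoSuchAlgorithmException;
import java.util.Arrays;
import javax.crypto.Cipher;
import javax.net.ssl.SSLContext;
import javax.net.ssl.SSLParameters;

/** Added example: reports whether this JRE can offer a given cipher suite. */
public class CipherSuiteCheck {

    /** True if the array contains the name (exact, case-sensitive match). */
    static boolean has(String[] values, String name) {
        return Arrays.asList(values).contains(name);
    }

    /** Describes support for one suite under one SSLContext protocol name. */
    static String report(String protocol, String suite) throws Exception {
        SSLContext ctx;
        try {
            ctx = SSLContext.getInstance(protocol);
        } catch (NoSuchAlgorithmException e) {
            return protocol + ": not available in this JRE";
        }
        ctx.init(null, null, null); // default key/trust managers; nothing is connected
        SSLParameters supported = ctx.getSupportedSSLParameters();
        SSLParameters enabled = ctx.getDefaultSSLParameters();
        return protocol
            + ": suite supported=" + has(supported.getCipherSuites(), suite)
            + ", suite enabled=" + has(enabled.getCipherSuites(), suite)
            + ", protocols enabled=" + Arrays.toString(enabled.getProtocols());
    }

    public static void main(String[] args) throws Exception {
        // Defaults are the two suites named in the question; pass others as arguments.
        String[] suites = args.length > 0 ? args : new String[] {
            "TLS_RSA_WITH_AES_256_CBC_SHA256", "TLS_RSA_WITH_AES_128_CBC_SHA" };
        System.out.println("java.version=" + System.getProperty("java.version")
            + " vendor=" + System.getProperty("java.vendor"));
        // AES-256 suites need a JCE policy that allows 256-bit keys.
        System.out.println("max AES key length=" + Cipher.getMaxAllowedKeyLength("AES"));
        for (String suite : suites) {
            System.out.println(suite);
            for (String protocol : new String[] { "TLSv1", "TLSv1.2" }) {
                System.out.println("  " + report(protocol, suite));
            }
        }
    }
}
```

Run it with the same JRE and the same `-D` system properties as the MQ client, so the output reflects what that client can actually negotiate.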