Why do I need to provide both a key store and a trust store for an SSL connection to IBM MQ?

I have created a lightweight application that connects to IBM MQ using SSL.

If I set both javax.net.ssl.trustStore and javax.net.ssl.keyStore, everything works as expected.

The key store (JKS) contains two entries:

  1. TrustedCertEntry

  2. PrivateKeyEntry

My feeling is that, given that I am the client of this connection and MQ is the server, only the trustStore should be needed, but that is not the case, because if I only set the trust store.

Can someone explain why both are needed?

According to the SSL configuration of the WebSphere MQ Java/JMS client guide, step 2 ("Create keyStore"), you are most likely using a certificate for client authentication. That authentication setup requires a key store:

Complete this section only if you wish to have client authentication when a connection is made to a Queue Manager. If client authentication has not been specified on the channel, you do not need to complete this section.

The keyStore is essentially the same as a trustStore, except that it holds the client's personal certificate, and the JSSE requires a password for access. You can in fact add your personal certificate to the trustStore created earlier and it will act as both trustStore and keyStore, but the password that was not required before will now need to be passed to the JSSE in order for it to access your personal certificate.

You can verify this on the server, as shown in the guide Mutual authentication of client and queue manager using self-signed certificates, by running:

  DISPLAY CHSTATUS(<your channel name>) SSLPEER SSLCERTI
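The following Java program is an added example (not part of the question or the answer above) that makes the two roles explicit instead of relying on the javax.net.ssl.* system properties: the trust store feeds a TrustManager, which decides whether the queue manager's certificate is acceptable, and the key store feeds a KeyManager, which supplies the client's PrivateKeyEntry when the queue manager asks for client authentication (the channel attribute that triggers that request is SSLCAUTH(REQUIRED), which the page itself does not name). The file names client.jks and trust.jks, the password "changeit", and the class name are assumptions for illustration; the line about handing the factory to the MQ classes is a comment because it needs the MQ client jar.

```java
import java.io.FileInputStream;
import java.io.IOException;
import java.security.GeneralSecurityException;
import java.security.KeyStore;
import java.util.Enumeration;
import javax.net.ssl.KeyManagerFactory;
import javax.net.ssl.SSLContext;
import javax.net.ssl.SSLSocketFactory;
import javax.net.ssl.TrustManagerFactory;

/**
 * Builds an SSLContext for an MQ client from a separate key store and trust
 * store and reports which entry type each store contributes.
 * Added example; file names, passwords and the MQ hook-up are assumptions.
 */
public class MqClientSslContext {

    static KeyStore load(String path, char[] password)
            throws IOException, GeneralSecurityException {
        KeyStore ks = KeyStore.getInstance("JKS");
        try (FileInputStream in = new FileInputStream(path)) {
            ks.load(in, password);
        }
        return ks;
    }

    /** True if the store holds at least one PrivateKeyEntry, i.e. a personal certificate the client can present. */
    static boolean hasPersonalCertificate(KeyStore ks) throws GeneralSecurityException {
        for (Enumeration<String> e = ks.aliases(); e.hasMoreElements();) {
            if (ks.isKeyEntry(e.nextElement())) {
                return true;
            }
        }
        return false;
    }

    /** Lists every alias and says which side of the handshake it serves. */
    static void describe(String label, KeyStore ks) throws GeneralSecurityException {
        for (Enumeration<String> e = ks.aliases(); e.hasMoreElements();) {
            String alias = e.nextElement();
            String kind = ks.isKeyEntry(alias)
                    ? "PrivateKeyEntry (client identity, used by the KeyManager)"
                    : "TrustedCertEntry (trust anchor, used by the TrustManager)";
            System.out.println(label + ": " + alias + " -> " + kind);
        }
    }

    static SSLSocketFactory build(String keyStorePath, char[] keyStorePassword,
                                  String trustStorePath, char[] trustStorePassword)
            throws IOException, GeneralSecurityException {
        KeyStore keyStore = load(keyStorePath, keyStorePassword);
        KeyStore trustStore = load(trustStorePath, trustStorePassword);
        describe("keyStore", keyStore);
        describe("trustStore", trustStore);

        // TrustManager: validates the certificate the queue manager presents.
        TrustManagerFactory tmf =
                TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
        tmf.init(trustStore);

        // KeyManager: presents the client's certificate and signs with its private
        // key when the channel requires client authentication. Without a
        // PrivateKeyEntry here the handshake fails on such a channel.
        KeyManagerFactory kmf =
                KeyManagerFactory.getInstance(KeyManagerFactory.getDefaultAlgorithm());
        kmf.init(keyStore, keyStorePassword);
        if (!hasPersonalCertificate(keyStore)) {
            System.err.println("Warning: keyStore has no PrivateKeyEntry; the handshake will fail "
                    + "if the channel requires client authentication.");
        }

        SSLContext ctx = SSLContext.getInstance("TLSv1.2");
        ctx.init(kmf.getKeyManagers(), tmf.getTrustManagers(), null);
        return ctx.getSocketFactory();
    }

    public static void main(String[] args) throws Exception {
        // Assumed paths and passwords for illustration only.
        SSLSocketFactory factory = build("client.jks", "changeit".toCharArray(),
                                         "trust.jks", "changeit".toCharArray());
        // With the MQ client jar on the classpath this factory replaces the
        // javax.net.ssl.* system properties, e.g.
        //   com.ibm.mq.MQEnvironment.sslSocketFactory = factory;
        System.out.println("SSLSocketFactory ready: " + factory.getClass().getName());
    }
}
```

To reproduce the single-store setup the quoted guide describes, pass the same path and password for both arguments: the TrustManager then uses the TrustedCertEntry and the KeyManager the PrivateKeyEntry of the same file, which is why that store suddenly needs a password. Running the program with a store that has only a TrustedCertEntry prints the warning, which is the client-side counterpart of the DISPLAY CHSTATUS check on the queue manager.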