IBM MQIPT SSL Handshake issue

We are connecting a Java MQ client to a customer's IBM MQ server. For the connection we have one MQIPT instance on the cloud side and one MQIPT instance on the non-cloud side. As soon as SSL security is disabled on the non-cloud side we can connect to it. However, as soon as SSL is enabled on the non-cloud side we face an SSL handshake issue. We share the certificates.

We do not have access to that non-cloud environment.

We are connecting to MQIPT through a Java client. Below is the trace we obtained in the mqipt trace.

  1. When we do not set a cipher on the MQ Java client, we get the following error.

In this case MQIPT is enabled for all ciphers.

Issuer: 'CN=********* TEST CA ****,OU=*****,O=******** AG,C=******'
12:45:13.799    27   1414-2s         Processing keyType: RSA
12:45:13.800    27   1414-2s         No RSA certificates in keyring
12:45:13.800    27   1414-2s         Processing keyType: DSA
12:45:13.800    27   1414-2s         No DSA certificates in keyring
12:45:13.800    27   1414-2s         Processing keyType: EC
12:45:13.800    27   1414-2s         No EC certificates in keyring
12:45:13.800    27   1414-2s         WARNING: No suitable certificate to send to the remote server
12:45:13.800    27   1414-2s         --------} IPTX509KeyManager.chooseClientAlias() rc=0
12:45:14.184    27   1414-2s         SSLHandshakeException handshaking:com.ibm.jsse2.k.a(k.java:7)
  2. But when we set the CipherSuite in the Java MQ client, we get the following error log in mqipt:
MQCPI014 Protocol eyecatcher (16030300) not recognized

MQIPT version --> IBM MQ Internet Pass-Thru V9.2.0.1

The MQIPT configuration is as follows:

[global]
CommandPort=1884
RemoteShutDown=true
MinConnectionThreads=5
MaxConnectionThreads=100
IdleTimeout=20
ClientAccess=true
QMgrAccess=true
HTTP=true
HTTPChunking=false
Trace=5
ConnectionLog=true
MaxLogFileSize=50

[route]
Name=Route_1
Active=true
ListenerPort=1414
Destination=mq-dmz-************
DestinationPort=********
HTTP=true
HTTPS=true
SSLClient=true
SSLClientProtocols=TLSv1.2
SSLClientKeyRing="path of key ring PFX file"
SSLClientKeyRingPW="path of password file"
HTTPServer=<Http Server name>
HTTPServerPort=443
URIName=<URI name>
SSLClientCAKeyRing="same as SSLClientKeyRing"
SSLClientCAKeyRingPW="same as SSLClientKeyRingPW"
SSLClientCipherSuites=SSL_ECDHE_RSA_WITH_AES_256_GCM_SHA384

The setup for accepting connections from the MQ client, decrypting them, then re-encrypting and sending them on to the next hop should look like this:

[route]
Name=Route_1
Active=true
ListenerPort=1414
Destination=mq-dmz-************
DestinationPort=********
HTTP=true
HTTPS=true
SSLClient=true
SSLClientProtocols=TLSv1.2
SSLClientKeyRing="path of key ring PFX file"
SSLClientKeyRingPW="path of password file"
HTTPServer=<Http Server name>
HTTPServerPort=443
URIName=<URI name>
SSLClientCAKeyRing="same as SSLClientKeyRing"
SSLClientCAKeyRingPW="same as SSLClientKeyRingPW"
SSLClientCipherSuites=SSL_ECDHE_RSA_WITH_AES_256_GCM_SHA384
SSLServer=true
SSLServerProtocols=TLSv1.2
SSLServerKeyRing="path of key ring PFX file"
SSLServerKeyRingPW="path of password file"
SSLServerCAKeyRing="same as SSLServerKeyRing"
SSLServerCAKeyRingPW="same as SSLServerKeyRingPW"
SSLServerCipherSuites=SSL_ECDHE_RSA_WITH_AES_256_GCM_SHA384

What you are missing is that a route is configured from the point of view of the TLS session, in which you are:

  1. the TLS server (you receive the inbound connection and decrypt it)
  2. the TLS client (you connect onward to the other queue manager or MQIPT and encrypt)

To accept TLS connections from your MQ client application, you need to configure the SSLServer* settings equivalent to the SSLClient* settings you have already configured.
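As an added illustration of the answer above (this is example code written for this page, not part of the original thread and not IBM MQIPT code), the script below does two things a practitioner would want when diagnosing this mismatch: it decodes the four-byte eyecatcher that MQIPT prints in message MQCPI014, so you can see that `16030300` is a TLS 1.2 handshake record rather than a plaintext MQ transmission segment (whose eyecatcher is the ASCII `TSH `), and it lints an `mqipt.conf` route stanza for the exact gap in the question: `SSLClient*` configured for the outbound hop while the inbound listener has no `SSLServer*` settings. Which keys the lint treats as required on each side is taken from the answer's configuration pattern, not from MQIPT's own validation rules, and the sample stanzas and file paths are constructed for the example.

```python
"""Added example (not from the original post or from IBM MQIPT):
decode the MQCPI014 eyecatcher and lint an mqipt.conf [route] stanza for
an inbound/outbound TLS mismatch. Required keys per side follow the
answer's configuration, not MQIPT's own rules; sample data is constructed."""
import re

# TLS record-layer content types and versions (RFC 5246, section 6.2.1).
TLS_CONTENT_TYPES = {0x14: "change_cipher_spec", 0x15: "alert",
                     0x16: "handshake", 0x17: "application_data"}
TLS_VERSIONS = {(3, 1): "TLSv1.0", (3, 2): "TLSv1.1", (3, 3): "TLSv1.2"}


def decode_eyecatcher(hex_eyecatcher: str) -> dict:
    """Interpret the first four bytes a connection sent, as MQCPI014 prints them.

    A TLS record starts with <content type> <major> <minor>; a plaintext MQ
    connection starts with the ASCII transmission-segment eyecatcher 'TSH '.
    """
    raw = bytes.fromhex(hex_eyecatcher)
    if len(raw) != 4:
        raise ValueError("MQCPI014 eyecatcher is four bytes (eight hex digits)")
    ctype, major, minor = raw[0], raw[1], raw[2]
    if ctype in TLS_CONTENT_TYPES and major == 3:
        return {"is_tls": True,
                "content_type": TLS_CONTENT_TYPES[ctype],
                "version": TLS_VERSIONS.get((major, minor), f"SSL/TLS {major}.{minor}")}
    return {"is_tls": False, "ascii": raw.decode("ascii", errors="replace")}


def parse_mqipt_conf(text: str) -> list[dict]:
    """Parse the [global]/[route] stanza syntax into one dict per stanza."""
    stanzas, current = [], None
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        header = re.fullmatch(r"\[(\w+)\]", line)
        if header:
            current = {"_section": header.group(1)}
            stanzas.append(current)
            continue
        if current is None or "=" not in line:
            raise ValueError(f"unexpected line outside a stanza: {line!r}")
        key, _, value = line.partition("=")
        current[key.strip()] = value.strip()
    return stanzas


def lint_route(route: dict) -> list[str]:
    """Flag a route whose two TLS sides are not configured consistently."""
    findings = []
    client_tls = route.get("SSLClient", "false").lower() == "true"
    server_tls = route.get("SSLServer", "false").lower() == "true"
    if client_tls and not server_tls:
        findings.append(
            f"route {route.get('Name')}: SSLClient=true but SSLServer is not set, so "
            f"ListenerPort {route.get('ListenerPort')} accepts plaintext; a TLS-enabled "
            "MQ client connecting here fails with MQCPI014")
    # Mirror the answer: each enabled side needs its own key ring and password file.
    for side, enabled in (("SSLClient", client_tls), ("SSLServer", server_tls)):
        if not enabled:
            continue
        for suffix in ("KeyRing", "KeyRingPW"):
            if not route.get(side + suffix):
                findings.append(f"route {route.get('Name')}: {side}=true but {side}{suffix} is missing")
    return findings


def lint_config(text: str) -> list[str]:
    """Run lint_route over every [route] stanza of a configuration text."""
    return [f for s in parse_mqipt_conf(text) if s["_section"] == "route" for f in lint_route(s)]


# Constructed sample: the question's shape, TLS on the outbound hop only ...
ROUTE_OUTBOUND_ONLY = """
[route]
Name=Route_1
Active=true
ListenerPort=1414
Destination=mq-dmz-example
DestinationPort=1414
SSLClient=true
SSLClientProtocols=TLSv1.2
SSLClientKeyRing=/opt/mqipt/keys/route1.pfx
SSLClientKeyRingPW=/opt/mqipt/keys/route1.pw
"""

# ... and the same route with the inbound (server) side enabled, as in the answer.
ROUTE_BOTH_SIDES = ROUTE_OUTBOUND_ONLY + """
SSLServer=true
SSLServerProtocols=TLSv1.2
SSLServerKeyRing=/opt/mqipt/keys/route1.pfx
SSLServerKeyRingPW=/opt/mqipt/keys/route1.pw
"""

if __name__ == "__main__":
    print(decode_eyecatcher("16030300"))  # the bytes from the question's MQCPI014
    print(decode_eyecatcher("54534820"))  # 'TSH ', a plaintext MQ segment
    for finding in lint_config(ROUTE_OUTBOUND_ONLY):
        print("FINDING:", finding)
    print("corrected route findings:", lint_config(ROUTE_BOTH_SIDES))
```

Running it against the outbound-only stanza reports one finding (the listener accepts plaintext while the client sends TLS), and the stanza with both sides configured reports none. The eyecatcher decoder is useful on its own: MQIPT's "protocol not recognized" message is the listener telling you that what arrived was a TLS ClientHello, which is why the same client connects fine once TLS is disabled on the other side.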