Unable to authenticate to IBM MQ C# with TLS certificate
I'm trying to connect to IBM MQ using .NET Core ("IBMMQDotnetClient" Version="9.2.0.1") from a Linux container (mcr.microsoft.com/dotnet/core/runtime:3.1).
Configuration hashtable:

```csharp
new Hashtable {
    { MQC.HOST_NAME_PROPERTY, "localhost" },
    { MQC.CHANNEL_PROPERTY, "DEV.SVRCONN" },
    { MQC.PORT_PROPERTY, 1419 },
    { MQC.SSL_CIPHER_SPEC_PROPERTY, "TLS_RSA_WITH_AES_128_CBC_SHA" },
    { MQC.SSL_CERT_STORE_PROPERTY, "*USER" }
}
```
The trace shows this exception:

```text
0000702 17:37:10.738499 1.1 KeyStore is *USER
00000703 17:37:10.738530 1.1 KeyResetCount is 0
00000704 17:37:10.738543 1.1 CertificationCheck = False
00000705 17:37:10.738553 1.1 CipherSpec value is TLS_RSA_WITH_AES_128_CBC_SHA
00000706 17:37:10.738562 1.1 SSLPEERNAME value is
00000707 17:37:10.738570 1.1 -----------} MQEncryptedSocket.RetrieveAndValidateSSLParams(MQConnectOptions) rc=OK
00000708 17:37:10.738625 1.1 -----------{ MQEncryptedSocket.MakeSecuredConnection()
00000709 17:37:10.738653 1.1 Created an instance of SSLStreams
0000070A 17:37:10.738662 1.1 Setting current certificate store as 'User'
0000070B 17:37:10.738676 1.1 Linux so use My & CurrentUser
0000070C 17:37:10.738683 1.1 Created store object to access certificates
0000070D 17:37:10.738740 1.1 Opened store
0000070E 17:37:10.738750 1.1 Accessing certificate - ibmwebspheremqroot
0000070F 17:37:10.748556 1.1 Number of certificates in the store:6
00000710 17:37:10.748629 1.1 TLS12 supported - True
00000711 17:37:10.748648 1.1 Setting SslProtol as Tls
00000712 17:37:10.748655 1.1 Starting SSL Authentication
00000713 17:37:10.748738 1.1 ------------{ MQEncryptedSocket.FixClientCertificate(Object,String,X509CertificateCollection,X509Certificate,String[])
00000714 17:37:10.748754 1.1 Client callback has been invoked to find client certificate
00000715 17:37:10.748766 1.1 ------------} MQEncryptedSocket.FixClientCertificate(Object,String,X509CertificateCollection,X509Certificate,String[]) rc=OK
00000716 17:37:10.766153 1.1 ------------{ MQEncryptedSocket.ClientValidatingServerCertificate(Object,X509Certificate,X509Chain,SslPolicyErrors) inputs [11]
00000717 17:37:10.766190 1.1 SSL Server Certificate validation failed - RemoteCertificateNameMismatch, RemoteCertificateChainErrors
00000718 17:37:10.766196 1.1 ------------} MQEncryptedSocket.ClientValidatingServerCertificate(Object,X509Certificate,X509Chain,SslPolicyErrors) rc=OK
00000719 17:37:10.766662 1.1 System.Security.Authentication.AuthenticationException: The remote certificate is invalid according to the validation procedure.
```
- The same code works on Windows.
- I have installed the root CA that signed the certificate.
Edit 1

@Morag Hughson - Regarding the certificates, I have installed the organization's root CA and the sub CA that signed the IBM MQ certificate:

```dockerfile
COPY ssl/ /usr/local/share/ca-certificates/
RUN update-ca-certificates --fresh --verbose
```

I also tried doing it in code:

```csharp
// theAppCert and collection come from the snippet below
var root = new X509Store(StoreName.Root, StoreLocation.CurrentUser);
root.Open(OpenFlags.ReadWrite);
root.Add(theAppCert);
collection.Add(new X509Certificate2("./ssl/root.crt"));
root.AddRange(collection);
```
This is how I add the IBM MQ certificate:

```csharp
var collection = new X509Certificate2Collection();
collection.Import(File.ReadAllBytes("./ssl/key.p12"), "123456", X509KeyStorageFlags.PersistKeySet);
var store = new X509Store(StoreName.My, StoreLocation.CurrentUser);
var theAppCert = collection.Find(X509FindType.FindBySubjectName, "app_test", false)[0];
if (RuntimeInformation.IsOSPlatform(OSPlatform.Windows))
{
    // interpolated string; the leading '$' was missing in the original snippet
    theAppCert.FriendlyName = $"ibmwebspheremq{Environment.UserName.ToLower()}";
}
store.Open(OpenFlags.ReadWrite);
store.Add(theAppCert);
```
Edit 2

Is this enough?

```text
0000049D 17:51:51.929051 1.1 Data:- IBM.WMQ.MQTCPConnection#02EED1CA
0000049D 17:51:51.929051 1.1 0x00000000 54 53 48 20 00 00 00 24 02 05 0A 00 00 00 00 00 : TSH ...$......
0000049D 17:51:51.929051 1.1 0x00000010 00 00 00 00 22 02 00 00 E4 04 00 00 08 00 00 00 : ...."..?....
0000049D 17:51:51.929051 1.1 0x00000020 1A 00 00 00 : ...
0000049E 17:51:51.929066 1.1 Data Length --> 36
0000049F 17:51:51.929071 1.1 ------------} MQTCPConnection.Receive(ref byte [ ],ref int,ref int) rc=OK
000004A0 17:51:51.929076 1.1 Bytes Read from Socket = 36
000004A1 17:51:51.929083 1.1 ------------{ MQTSH.ReadStruct(Byte [ ],int) inputs [System.Byte[]] [0]
000004A2 17:51:51.929106 1.1 ------------} MQTSH.ReadStruct(Byte [ ],int) rc=OK returns [28]
000004A3 17:51:51.929120 1.1 ------------{ MQTSH.CheckTSH(byte [ ]) inputs [System.Byte[]]
000004A4 17:51:51.929127 1.1 ------------} MQTSH.CheckTSH(byte [ ]) rc=OK returns [True]
000004A5 17:51:51.929134 1.1 ------------{ MQFAPConnection.AnalyseErrorSegment(MQTSH) inputs [IBM.WMQ.MQTSH#039490E2]
000004A6 17:51:51.929140 1.1 -------------{ MQTSH.GetLength()
000004A7 17:51:51.929145 1.1 -------------} MQTSH.GetLength() rc=OK returns [28]
000004A8 17:51:51.929196 1.1 Constructing IBM.WMQ.MQERD#003917F2 MQMBID sn=p920-001-200918 su=_tqsBSQMcEeuBJdh7_yjHsA pn=basedotnet/nmqi/MQERD.cs
000004A9 17:51:51.929208 1.1 -------------{ MQERD.ReadStruct(Byte [ ],int) inputs [System.Byte[]] [28]
000004AA 17:51:51.929216 1.1 -------------} MQERD.ReadStruct(Byte [ ],int) rc=OK returns [8]
000004AB 17:51:51.929231 1.1 New MQException CompCode: 2 Reason: 2059
```
I managed to get it working by installing only one of the three certificates from the .p12 file (CN=app_test) into my local user store.

The file contains:

```text
CN=Root CA v2, DC=corp1, DC=ad1, DC=xxx, DC=net
CN=Appl Sub CA v2, DC=corp1, DC=ad1, DC=xxx, DC=net
CN=app_test
```

If I install the whole set of three certificates, I get a failure from MQ with code 2059.
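The trace above reports two separate server-certificate problems, RemoteCertificateChainErrors and RemoteCertificateNameMismatch, and the closing observation is that the connection only works once the two CA certificates from the .p12 are kept out of the personal store. The following C# program is an added diagnostic, not code from the question or from IBM's client: it splits the bundle into the one certificate that carries the private key and the CA certificates, installs them into the CurrentUser stores by role (CA certificates to Root or CertificateAuthority, only the end-entity certificate to My), then builds a chain and compares the DNS name of a certificate the way SslStream's validation callback does, so both failures can be reproduced in the container without the MQ handshake. Assumed: ./ssl/key.p12 with password "123456" as in the question; ./ssl/qmgr.crt as a hypothetical PEM copy of the queue manager's certificate; the host name "mq.example.internal" is a placeholder.

```csharp
using System;
using System.IO;
using System.Linq;
using System.Security.Cryptography.X509Certificates;

// Added diagnostic, not part of the original question or of the IBM MQ client.
// Assumptions: ./ssl/key.p12 / "123456" as in the question; ./ssl/qmgr.crt and the
// host name "mq.example.internal" are placeholders for the queue manager's certificate and name.
public static class MqTlsCheck
{
    // Split the PKCS#12 bundle into the single end-entity certificate (the one with the
    // private key, CN=app_test) and the CA certificates, which do not belong in the
    // personal "My" store that the MQ client searches for the client certificate.
    public static (X509Certificate2 Leaf, X509Certificate2Collection Issuers) Split(byte[] p12, string password)
    {
        var all = new X509Certificate2Collection();
        all.Import(p12, password, X509KeyStorageFlags.DefaultKeySet);
        var certs = all.Cast<X509Certificate2>().ToList();
        var withKey = certs.Where(c => c.HasPrivateKey).ToList();
        if (withKey.Count != 1)
            throw new InvalidOperationException($"expected exactly one private key in the bundle, found {withKey.Count}");
        var issuers = new X509Certificate2Collection();
        foreach (var ca in certs.Where(x => !x.HasPrivateKey))
            issuers.Add(ca);
        return (withKey[0], issuers);
    }

    // A root is self-issued: subject and issuer DNs are byte-for-byte identical.
    private static bool IsSelfSigned(X509Certificate2 c) =>
        c.SubjectName.RawData.SequenceEqual(c.IssuerName.RawData);

    // Install by role into the CurrentUser stores: self-signed CA -> Root,
    // other CAs -> CertificateAuthority, the leaf with its private key -> My.
    public static void InstallCurrentUser(X509Certificate2 leaf, X509Certificate2Collection issuers)
    {
        foreach (var ca in issuers.Cast<X509Certificate2>())
        {
            var name = IsSelfSigned(ca) ? StoreName.Root : StoreName.CertificateAuthority;
            using (var store = new X509Store(name, StoreLocation.CurrentUser))
            {
                store.Open(OpenFlags.ReadWrite);
                store.Add(ca);
            }
        }
        using (var my = new X509Store(StoreName.My, StoreLocation.CurrentUser))
        {
            my.Open(OpenFlags.ReadWrite);
            my.Add(leaf);
        }
    }

    // Reproduce offline what the server-certificate callback checks: a chain to a trusted
    // root and the DNS name the certificate was issued for. ExtraStore only supplies
    // path-building material; trust still comes from the Root store, so a root that was
    // never installed shows up here as UntrustedRoot instead of a generic handshake failure.
    public static bool Explain(X509Certificate2 cert, X509Certificate2Collection extra, string expectedHost)
    {
        bool ok = true;
        using (var chain = new X509Chain())
        {
            chain.ChainPolicy.RevocationMode = X509RevocationMode.NoCheck; // offline check only; keep revocation on in production
            chain.ChainPolicy.ExtraStore.AddRange(extra);
            if (chain.Build(cert))
            {
                var path = chain.ChainElements.Cast<X509ChainElement>().Select(e => e.Certificate.Subject);
                Console.WriteLine("chain: OK  " + string.Join("  <-  ", path));
            }
            else
            {
                ok = false;
                foreach (var s in chain.ChainStatus)
                    Console.WriteLine($"chain: {s.Status} {s.StatusInformation}".Trim());
            }
        }
        // First dNSName from the SAN extension (subject CN if there is none); SslStream
        // matches this against the target host, so "localhost" fails for a CA-issued certificate.
        string dns = cert.GetNameInfo(X509NameType.DnsName, false);
        if (!string.Equals(dns, expectedHost, StringComparison.OrdinalIgnoreCase))
        {
            ok = false;
            Console.WriteLine($"name: certificate was issued for '{dns}', but the connection targets '{expectedHost}'");
        }
        return ok;
    }

    public static void Main()
    {
        var (leaf, issuers) = Split(File.ReadAllBytes("./ssl/key.p12"), "123456");
        Console.WriteLine($"client certificate: {leaf.Subject}; CA certificates in bundle: {issuers.Count}");
        InstallCurrentUser(leaf, issuers);

        // Hypothetical path: a PEM copy of the queue manager's certificate, checked against the real host name.
        var qmgr = new X509Certificate2("./ssl/qmgr.crt");
        Console.WriteLine(Explain(qmgr, issuers, "mq.example.internal") ? "server certificate would pass" : "server certificate would fail");
    }
}
```

Run it inside the container before starting the MQ client. UntrustedRoot in the chain output means the root CA is not in a store .NET trusts, PartialChain means the sub CA could not be found; a name line means the certificate was not issued for the host you connect to, which is the expected result when connecting to "localhost" with a certificate issued to the queue manager's real host name.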