When creating an MQQueueManager object with the following sslCipherSuite:
MQEnvironment.sslCipherSuite = "TLS_RSA_WITH_AES_128_CBC_SHA";
MQEnvironment.hostname = host;
MQEnvironment.channel = channel;
MQEnvironment.port = port;
iMQQueueManager = new MQQueueManager(queueMgr);
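the manager init raises:
MQJE001: Completion Code '2', Reason '2400'
This should mean "JSSE reported that it does not support the CipherSuite specified by the application" (http://www.ibm.com/support/knowledgecenter/SSFKSJ_7.5.0/com.ibm.mq.tro.doc/q044280_.htm)
I configured my Queue manager -> Channel (properties) -> SSL -> CipherSpec: TLS_RSA_WITH_AES_128_CBC_SHA (TLS 1.0, Secure Hash Algorithm, 128-bit AES encryption).
The platform used is: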
JAVA 7 (1.7.0_75-b13)
MQ 7.1 client libs (7.1.0.6-k710-006-141112)
MQ 8.0 server (8.0.0.5)
Here are the stack details:
Exception in thread "main" com.ibm.mq.MQException: MQJE001: Completion Code '2', Reason '2400'.
at com.ibm.mq.MQManagedConnectionJ11.constructMQCD(MQManagedConnectionJ11.java:1434)
at com.ibm.mq.MQManagedConnectionJ11.constructCNO(MQManagedConnectionJ11.java:1537)
at com.ibm.mq.MQManagedConnectionJ11.<init>(MQManagedConnectionJ11.java:233)
at com.ibm.mq.MQClientManagedConnectionFactoryJ11._createManagedConnection(MQClientManagedConnectionFactoryJ11.java:588)
at com.ibm.mq.MQClientManagedConnectionFactoryJ11.createManagedConnection(MQClientManagedConnectionFactoryJ11.java:630)
at com.ibm.mq.StoredManagedConnection.<init>(StoredManagedConnection.java:107)
at com.ibm.mq.MQSimpleConnectionManager.allocateConnection(MQSimpleConnectionManager.java:205)
at com.ibm.mq.MQQueueManagerFactory.obtainBaseMQQueueManager(MQQueueManagerFactory.java:911)
at com.ibm.mq.MQQueueManagerFactory.procure(MQQueueManagerFactory.java:799)
at com.ibm.mq.MQQueueManagerFactory.constructQueueManager(MQQueueManagerFactory.java:750)
at com.ibm.mq.MQQueueManagerFactory.createQueueManager(MQQueueManagerFactory.java:157)
at com.ibm.mq.MQQueueManager.<init>(MQQueueManager.java:681)
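I guess the problem is on the MQ configuration side, because on my JRE
SSLContext context = SSLContext.getInstance("TLS");
context.init(null, trustAllCerts, new SecureRandom());
context.getSupportedSSLParameters().getCipherSuites()
returns "TLS_RSA_WITH_AES_128_CBC_SHA" as one of the CipherSuites. However, I am not sure what exactly is wrong with the QMgr configuration. Thanks for any hints.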
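Answer 0: (score: 1)
You should read the following 2 IBM MQ bulletins:
Answer 1: (score: 0)
When I filter only the ciphers supported by MQ, as listed in SSL/TLS CipherSpecs and CipherSuites in IBM MQ classes for JMS, and check which of them are supported by Java version 1.7.0_75, I get the following results: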
import java.security.KeyManagementException;
import java.security.NoSuchAlgorithmException;
import java.security.SecureRandom;
import java.security.cert.X509Certificate;
import java.util.Arrays;
import java.util.List;
import javax.net.ssl.SSLContext;
import javax.net.ssl.SSLParameters;
import javax.net.ssl.TrustManager;
import javax.net.ssl.X509TrustManager;

public class SSLSupported {
    // http://www.ibm.com/support/knowledgecenter/SSFKSJ_8.0.0/com.ibm.mq.dev.doc/q113220_.htm
    static String[] MQ_SUPPORTED = { "SSL_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256",
            "SSL_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256",
            "SSL_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384",
            "SSL_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384",
            "SSL_ECDHE_ECDSA_WITH_NULL_SHA",
            "SSL_ECDHE_ECDSA_WITH_RC4_128_SHA",
            "SSL_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA",
            "SSL_ECDHE_RSA_WITH_AES_128_CBC_SHA256",
            "SSL_ECDHE_RSA_WITH_AES_128_GCM_SHA256",
            "SSL_ECDHE_RSA_WITH_AES_256_CBC_SHA384",
            "SSL_ECDHE_RSA_WITH_AES_256_GCM_SHA384",
            "SSL_ECDHE_RSA_WITH_NULL_SHA",
            "SSL_ECDHE_RSA_WITH_RC4_128_SHA",
            "SSL_RSA_EXPORT_WITH_RC4_40_MD5",
            "SSL_RSA_FIPS_WITH_3DES_EDE_CBC_SHA",
            "SSL_RSA_FIPS_WITH_DES_CBC_SHA",
            "SSL_RSA_WITH_3DES_EDE_CBC_SHA",
            "SSL_RSA_WITH_AES_128_CBC_SHA",
            "SSL_RSA_WITH_AES_128_CBC_SHA256",
            "SSL_RSA_WITH_AES_128_GCM_SHA256",
            "SSL_RSA_WITH_AES_256_CBC_SHA",
            "SSL_RSA_WITH_AES_256_CBC_SHA256",
            "SSL_RSA_WITH_AES_256_GCM_SHA384",
            "SSL_RSA_WITH_DES_CBC_SHA",
            "SSL_RSA_WITH_NULL_MD5",
            "SSL_RSA_WITH_NULL_SHA",
            "SSL_RSA_WITH_NULL_SHA256",
            "SSL_RSA_WITH_RC4_128_MD5",
            "SSL_RSA_WITH_RC4_128_SHA" };

    public static void main(String[] args) throws NoSuchAlgorithmException, KeyManagementException {
        // Create an SSLContext that uses our TrustManager
        SSLContext context = SSLContext.getInstance("TLS");
        // Accept-all TrustManager: it only serves to initialise the context so the
        // suites can be listed; no connection is made with it in this program.
        TrustManager[] trustAllCerts = new TrustManager[] { new X509TrustManager() {
            public X509Certificate[] getAcceptedIssuers() {
                // The interface contract asks for a non-null (possibly empty) array
                return new X509Certificate[0];
            }

            public void checkClientTrusted(X509Certificate[] certs,
                    String authType) {
            }

            public void checkServerTrusted(X509Certificate[] certs,
                    String authType) {
            }
        } };
        context.init(null, trustAllCerts, new SecureRandom());
        SSLParameters params = context.getSupportedSSLParameters();
        String[] suites = params.getCipherSuites();
        System.out.println("Java version : " + System.getProperty("java.runtime.version"));
        System.out.println("Connecting with " + suites.length + " cipher suites supported:");
        // Print only the JRE suites whose names also appear in the MQ list
        List<String> mqSupported = Arrays.asList(MQ_SUPPORTED);
        for (int i = 0; i < suites.length; i++) {
            if (mqSupported.contains(suites[i])) {
                System.out.println(suites[i]);
            }
        }
    }
}
Java version : 1.7.0_75-b13
Connecting with 63 cipher suites supported:
SSL_RSA_WITH_3DES_EDE_CBC_SHA
SSL_RSA_WITH_RC4_128_SHA
SSL_RSA_WITH_RC4_128_MD5
SSL_RSA_WITH_DES_CBC_SHA
SSL_RSA_EXPORT_WITH_RC4_40_MD5
SSL_RSA_WITH_NULL_SHA
SSL_RSA_WITH_NULL_MD5
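I used the following cipherSuite:
MQEnvironment.sslCipherSuite = "SSL_RSA_WITH_3DES_EDE_CBC_SHA";
The problem is that the MQ QueueManager reports all of the above as "Weak CipherSpec", for example:
(Warning weak CipherSpec) SSL 3.0, Secure Hash Algorithm, 168-bit Triple DES encryption
So I had to make a configuration change in the MQ installation: [mq.ini]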
SSL:
AllowSSLV3=Y
AllowWeakCipherSpec=ALL
as well as (as Roger noted in his response): [java.security]
# jdk.tls.disabledAlgorithms=SSLv3
It started communicating over TLSv1, but I wanted to use TLSv1.2 ciphers and that still does not work. I used the Java Cryptography Extension (JCE) Unlimited Strength Jurisdiction Policy Files (jre7) and also:
SSLContext context = SSLContext.getInstance("TLSv1.2");
SSLContext.setDefault(context);
or
MQEnvironment.sslSocketFactory = new SSLSocketFactoryEx();
with the SSLSocketFactoryEx implementation posted at this.
But nothing worked well, so I am still using TLSv1.
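Added example, not part of the original question or answers: the program in the answer compares suite names literally, and the JRE in the question reports the AES suite as TLS_RSA_WITH_AES_128_CBC_SHA while the MQ list spells it SSL_RSA_WITH_AES_128_CBC_SHA, so that pairing never appears in its output. This variant compares names with the SSL_/TLS_ prefix ignored and marks suites built on weak primitives; the class name, the shortened MQ list and the set of weak name components are assumptions made for illustration.

```java
import java.util.*;
import javax.net.ssl.SSLContext;

public class SuiteNameCheck {
    // Subset of the MQ list from the answer above, shortened for this example.
    static final List<String> MQ_NAMES = Arrays.asList(
        "SSL_RSA_WITH_AES_128_CBC_SHA", "SSL_RSA_WITH_AES_128_CBC_SHA256",
        "SSL_ECDHE_RSA_WITH_AES_128_GCM_SHA256", "SSL_RSA_WITH_3DES_EDE_CBC_SHA",
        "SSL_RSA_WITH_RC4_128_SHA", "SSL_RSA_WITH_NULL_SHA");

    // Name components treated as weak here (assumption made for this example).
    static final List<String> WEAK =
        Arrays.asList("NULL", "EXPORT", "DES", "3DES", "RC4", "MD5");

    // Drop a leading SSL_ or TLS_ so both naming styles compare equal.
    static String stripPrefix(String suite) {
        return suite.startsWith("SSL_") || suite.startsWith("TLS_")
            ? suite.substring(4) : suite;
    }

    // A suite is flagged when any underscore-separated component is in WEAK.
    static boolean isWeak(String suite) {
        for (String part : suite.split("_"))
            if (WEAK.contains(part)) return true;
        return false;
    }

    // Map each JRE suite to the MQ name it equals once prefixes are ignored.
    static Map<String, String> match(Collection<String> jreSuites) {
        Map<String, String> byCore = new HashMap<String, String>();
        for (String mq : MQ_NAMES) byCore.put(stripPrefix(mq), mq);
        Map<String, String> out = new LinkedHashMap<String, String>();
        for (String s : jreSuites) {
            String mq = byCore.get(stripPrefix(s));
            if (mq != null) out.put(s, mq);
        }
        return out;
    }

    public static void main(String[] args) throws Exception {
        // Suite names given as arguments are checked; otherwise the running JRE's list.
        List<String> jre = args.length > 0 ? Arrays.asList(args) : Arrays.asList(
            SSLContext.getDefault().getSupportedSSLParameters().getCipherSuites());
        for (Map.Entry<String, String> e : match(jre).entrySet())
            System.out.println((isWeak(e.getKey()) ? "WEAK  " : "ok    ")
                + e.getKey() + " -> " + e.getValue());
    }
}
```

Run without arguments to check the current JRE, or pass suite names (for instance the ones printed by the answer's program) as arguments.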