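MQ 5.7 & IBM JRE8: equivalent cipher suite for the cipher spec "TRIPLE_DES_SHA_US"

Time: 2017-03-29 09:14:00

Tags: java ibm-mq ibm-jvm

I am trying to connect to MQ7.5 over SSL using IBM JRE-8. On the MQ system they have configured TRIPLE_DES_SHA_US, and in our Java program we use the SSL_RSA_WITH_3DES_EDE_CBC_SHA cipher suite to connect to MQ.
But it gives the error shown below.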


    MQJE001: An MQException occurred: Completion Code 2, Reason 2009
    MQJE016: MQ queue manager closed channel immediately during connect
    Closure reason = 2009

Steps I have followed:
Certificate imported to truststore.
Executed Java program with actual channel details of MQ.

Certificate Import to truststore:

    /opt/ibm/java-i386-80/jre/bin/keytool -import -alias jre_cert -file qms1.arm -keystore /opt/ibm/java-i386-80/jre/lib/security/cacerts
    Enter keystore password:
    Owner: CN="XXX, O=XXX, OU=XXX, C=IN"
    Issuer: CN="XXX, O=XXX, OU=XXX, C=IN"
    Serial number: 115d214a64b03f04
    Valid from: 1/17/17 12:36 PM until: 1/13/18 12:36 PM
    Certificate fingerprints:
         MD5:  1B:F1:6D:D1:88:5B:69:C0:B1:21:07:9C:FA:89:EC:2C
         SHA1: 77:DE:4A:66:72:77:34:CC:67:D1:3B:46:D5:1D:E3:B0:20:70:0E:5B
         SHA256: DE:F6:1C:96:4A:DE:9F:0C:AF:BF:73:52:1F:23:1A:49:E1:84:AE:3D:FD:97:0D:CF:FF:F3:C3:C7:D4:C0:9B:2E
         Signature algorithm name: SHA1withRSA
         Version: 3
    Trust this certificate? [no]:  yes
    Certificate was added to keystore

Sample Program we are using.

    import com.ibm.mq.MQEnvironment;
    import com.ibm.mq.MQQueueManager;
    import com.ibm.mq.MQC;
    import javax.net.ssl.SSLContext;
    import java.security.KeyStore;
    import javax.net.ssl.KeyManagerFactory;
    import javax.net.ssl.SSLSocketFactory;
    import javax.net.ssl.TrustManagerFactory;
    import java.security.cert.*;
    import java.util.ArrayList;
    import java.util.Collection;

    public class MQTest {
        private static MQQueueManager _queueManager = null;

        public static void main(String[] args) throws Exception {
            // Connection details (redacted in the post)
            MQEnvironment.hostname = "XX.XX.XX.XX";
            MQEnvironment.channel = "CHANNEL.SVRCONN"; // With SSL
            MQEnvironment.port = XXXX;

            // Trace the JSSE handshake and point JSSE at the truststore
            System.setProperty("javax.net.debug", "ssl");
            String cacerts = "/opt/jdk1.8.0_121/jre/lib/security/cacerts";
            System.setProperty("javax.net.ssl.trustStore", cacerts);
            System.setProperty("javax.net.ssl.trustStorePassword", "changeit");

            // The cipher suite is passed as the first command-line argument
            MQEnvironment.sslCipherSuite = args[0];
            System.out.println("\t using ssl Cipher suite       :: " + MQEnvironment.sslCipherSuite);
            System.out.println("\t MQEnvironment.version_notice :: " + MQEnvironment.version_notice);
            MQEnvironment.properties.put(MQC.TRANSPORT_PROPERTY, MQC.TRANSPORT_MQSERIES);

            MQEnvironment.sslFipsRequired = false;
            // The constructor argument is the queue manager name
            _queueManager = new MQQueueManager("QUEUE_NAME");
            System.out.println("\t _queueManager                        : " + _queueManager);
        }
    }

Debug log:

/opt/ibm/java-i386-80/jre/bin/java -Dcom.ibm.jsse2.disableSSLv3=false   -jar MQ_Testing.jar TLS_RSA_WITH_3DES_EDE_CBC_SHA 
using ssl Cipher suite :: TLS_RSA_WITH_3DES_EDE_CBC_SHA
MQEnvironment.version_notice :: Websphere MQ classes for Java V6.0.0
IBMJSSE2 will allow protocol SSLv3 per com.ibm.jsse2.disableSSLv3 set to FALSE
IBMJSSEProvider2 Build-Level: -20160616
Installed Providers =
IBMJSSE2
IBMJCE
IBMJGSSProvider
IBMCertPath
IBMSASL
IBMXMLCRYPTO
IBMXMLEnc
IBMSPNEGO
SUN
jdk.tls.client.protocols is defined as null
SUPPORTED: [SSLv3, TLSv1, TLSv1.1, TLSv1.2]
SERVER_DEFAULT: [SSLv3, TLSv1, TLSv1.1, TLSv1.2]
CLIENT_DEFAULT: [SSLv3, TLSv1, TLSv1.1, TLSv1.2]
keyStore is: /opt/ibm/java-i386-80/jre/lib/security/cacerts
keyStore type is: jks
keyStore provider is:
init keystore
init keymanager of type IbmX509
trustStore is: /opt/jdk1.8.0_121/jre/lib/security/cacerts
trustStore type is: jks
trustStore provider is:
init truststore
adding as trusted cert:
Subject: CN=Equifax Secure Global eBusiness CA-1, O=Equifax Secure Inc., C=US
Issuer: CN=Equifax Secure Global eBusiness CA-1, O=Equifax Secure Inc., C=US
Algorithm: RSA; Serial number: 0xc3517
Valid from Mon Jun 21 09:30:00 IST 1999 until Mon Jun 22 09:30:00 IST 2020
adding as trusted cert:
Subject: CN=GeoTrust Primary Certification Authority - G2, OU=(c) 2007 GeoTrust Inc. - For authorized use only, O=GeoTrust Inc., C=US
Issuer: CN=GeoTrust Primary Certification Authority - G2, OU=(c) 2007 GeoTrust Inc. - For authorized use only, O=GeoTrust Inc., C=US
Algorithm: EC; Serial number: 0x3cb2f4480a00e2feeb243b5e603ec36b
Valid from Mon Nov 05 05:30:00 IST 2007 until Tue Jan 19 05:29:59 IST 2038
------
------
-------
our certificate info
---
-----
------
adding as trusted cert:
Subject: CN=DigiCert Global Root G2, OU=www.digicert.com, O=DigiCert Inc, C=US
Issuer: CN=DigiCert Global Root G2, OU=www.digicert.com, O=DigiCert Inc, C=US
Algorithm: RSA; Serial number: 0x33af1e6a711a9a0bb2864b11d09fae5
Valid from Thu Aug 01 17:30:00 IST 2013 until Fri Jan 15 17:30:00 IST 2038
SSLContextImpl: Using X509ExtendedKeyManager com.ibm.jsse2.aw
SSLContextImpl: Using X509TrustManager com.ibm.jsse2.aA
JsseJCE: Using SecureRandom IBMSecureRandom from provider IBMJCE version 1.8
trigger seeding of SecureRandom
done seeding SecureRandom
IBMJSSE2 will enable CBC protection
JsseJCE: Using SecureRandom IBMSecureRandom from provider IBMJCE version 1.8
JsseJCE: Using KeyAgreement ECDH from provider IBMJCE version 1.8
JsseJCE: Using signature SHA1withECDSA from provider TBD via init
JsseJCE: Using signature NONEwithECDSA from provider TBD via init
JsseJCE: Using KeyFactory EC from provider IBMJCE version 1.8
JsseJCE: Using KeyPairGenerator EC from provider TBD via init
JsseJce: EC is available
IBMJSSE2 will allow RFC 5746 renegotiation per com.ibm.jsse2.renegotiate set to none or default
IBMJSSE2 will not require renegotiation indicator during initial handshake per com.ibm.jsse2.renegotiation.indicator set to OPTIONAL or default taken
IBMJSSE2 will not perform identity checking against the peer cert check during renegotiation per com.ibm.jsse2.renegotiation.peer.cert.check set to OFF or default
IBMJSSE2 will allow client initiated renegotiation per jdk.tls.rejectClientInitiatedRenegotiation set to FALSE or default
IBMJSSE2 will not allow unsafe server certificate change during renegotiation per jdk.tls.allowUnsafeServerCertChange set to FALSE or default
Is initial handshake: true
%% No cached client session
*** ClientHello, TLSv1
RandomCookie: GMT: 1473994730 bytes = { 238, 137, 89, 128, 139, 82, 93, 119, 12, 104, 3, 150, 104, 218, 146, 252, 106, 230, 104, 227, 220, 195, 133, 177, 224, 70, 52, 127 }
Session ID: {}
Cipher Suites: [SSL_RSA_WITH_3DES_EDE_CBC_SHA]
Compression Methods: { 0 }
Extension renegotiation_info, ri_length: 0, ri_connection_data: { null }
***
main, WRITE: TLSv1 Handshake, length = 52
main, READ: TLSv1 Handshake, length = 856
*** ServerHello, TLSv1
RandomCookie: GMT: 0 bytes = { 236, 88, 151, 94, 111, 9, 167, 185, 94, 81, 181, 148, 189, 136, 212, 113, 209, 109, 13, 193, 221, 127, 237, 75, 111, 58, 203, 130 }
Session ID: {75, 215, 26, 41, 91, 78, 235, 37, 238, 153, 145, 133, 191, 24, 212, 43, 48, 183, 29, 255, 224, 52, 234, 162, 108, 152, 170, 224, 17, 94, 63, 154}
Cipher Suite: SSL_RSA_WITH_3DES_EDE_CBC_SHA
Compression Method: 0
Extension renegotiation_info, ri_length: 0, ri_connection_data: { null }
***
JsseJCE: Using MessageDigest MD5 from provider IBMJCE version 1.8
JsseJCE: Using MessageDigest SHA from provider IBMJCE version 1.8
%% Initialized: [Session-1, SSL_RSA_WITH_3DES_EDE_CBC_SHA]
** SSL_RSA_WITH_3DES_EDE_CBC_SHA
*** Certificate chain
chain [0] = [
[
Version: V3
Subject: CN="XXX, O=XXX, OU=VIL, C=IN"
Signature Algorithm: SHA1withRSA, OID = 1.2.840.113549.1.1.5
Validity: [From: Tue Jan 17 12:36:21 IST 2017,
To: Sat Jan 13 12:36:21 IST 2018]
Issuer: CN="XXX, O=XXX, OU=VIL, C=IN"
SerialNumber: [1251192874879434500]
]
Algorithm: [SHA1withRSA]
]
***
Found trusted certificate:
*** CertificateRequest
Cert Types: RSA
Cert Authorities:

*** ServerHelloDone
ClientHandshaker: KeyManager com.ibm.jsse2.aw
*** Certificate chain
***
JsseJCE: Using KeyGenerator IbmTlsRsaPremasterSecret from provider TBD via init
JsseJCE: Using cipher RSA/SSL/PKCS1Padding from provider TBD via init
PreMasterSecret: Using cipher for wrap RSA/SSL/PKCS1Padding from provider from init IBMJCE version 1.8
*** ClientKeyExchange, RSA PreMasterSecret, TLSv1
main, WRITE: TLSv1 Handshake, length = 269
JsseJCE: Choose KeyGenerator for IbmTlsMasterSecret.
JsseJCE: Using KeyGenerator IbmTlsMasterSecret from provider TBD via init
JsseJCE: Using KeyGenerator IbmTlsKeyMaterial from provider TBD via init
JsseJCE: Using KeyGenerator IbmTlsPrf from provider TBD via init
HandshakeMessage: TLS Keygenerator IbmTlsPrf from provider from init IBMJCE version 1.8
main, WRITE: TLSv1 Change Cipher Spec, length = 1
JsseJCE: Using cipher DESede/CBC/NoPadding from provider TBD via init
CipherBox: Using cipher DESede/CBC/NoPadding from provider from init IBMJCE version 1.8
JsseJCE: Using MAC HmacSHA1 from provider TBD via init
MAC: Using MessageDigest HmacSHA1 from provider IBMJCE version 1.8
*** Finished
verify_data: { 194, 19, 125, 188, 103, 19, 170, 48, 12, 172, 132, 24 }
***
main, WRITE: TLSv1 Handshake, length = 40
main, READ: TLSv1 Change Cipher Spec, length = 1
JsseJCE: Using cipher DESede/CBC/NoPadding from provider TBD via init
CipherBox: Using cipher DESede/CBC/NoPadding from provider from init IBMJCE version 1.8
JsseJCE: Using MAC HmacSHA1 from provider TBD via init
MAC: Using MessageDigest HmacSHA1 from provider IBMJCE version 1.8
main, READ: TLSv1 Handshake, length = 40
*** Finished
verify_data: { 0, 3, 116, 83, 135, 81, 160, 25, 151, 242, 17, 213 }
***
JsseJCE: Using KeyGenerator IbmTlsPrf from provider TBD via init
HandshakeMessage: TLS Keygenerator IbmTlsPrf from provider from init IBMJCE version 1.8
%% Cached client session: [Session-1, SSL_RSA_WITH_3DES_EDE_CBC_SHA]
main, setSoTimeout(120000) called
main, WRITE: TLSv1 Application Data, length = 184
main, READ: TLSv1 Application Data, length = 64
main, WRITE: TLSv1 Application Data, length = 24
main, WRITE: TLSv1 Application Data, length = 48
main, called close()
main, called closeInternal(true)
main, SEND TLSv1 ALERT: warning, description = close_notify
main, WRITE: TLSv1 Alert, length = 24
main, called closeSocket(true)
MQJE001: An MQException occurred: Completion Code 2, Reason 2009
MQJE016: MQ queue manager closed channel immediately during connect
Closure reason = 2009
MQJE001: An MQException occurred: Completion Code 2, Reason 2009
MQJE016: MQ queue manager closed channel immediately during connect
Closure reason = 2009
Exception in thread "main" com.ibm.mq.MQException: MQJE001: An MQException occurred: Completion Code 2, Reason 2009
MQJE016: MQ queue manager closed channel immediately during connect
Closure reason = 2009
at com.ibm.mq.MQManagedConnectionJ11.<init>(MQManagedConnectionJ11.java:212)
at com.ibm.mq.MQClientManagedConnectionFactoryJ11._createManagedConnection(MQClientManagedConnectionFactoryJ11.java:318)
at com.ibm.mq.MQClientManagedConnectionFactoryJ11.createManagedConnection(MQClientManagedConnectionFactoryJ11.java:338)
at com.ibm.mq.StoredManagedConnection.<init>(StoredManagedConnection.java:84)
at com.ibm.mq.MQSimpleConnectionManager.allocateConnection(MQSimpleConnectionManager.java:168)
at com.ibm.mq.MQQueueManagerFactory.obtainBaseMQQueueManager(MQQueueManagerFactory.java:772)
at com.ibm.mq.MQQueueManagerFactory.procure(MQQueueManagerFactory.java:697)
at com.ibm.mq.MQQueueManagerFactory.constructQueueManager(MQQueueManagerFactory.java:657)
at com.ibm.mq.MQQueueManagerFactory.createQueueManager(MQQueueManagerFactory.java:153)
at com.ibm.mq.MQQueueManager.<init>(MQQueueManager.java:451)
at com.apalya.main.MQTest.main(MQTest.java:129)
Caused by: com.ibm.mqservices.MQInternalException: MQJE001: An MQException occurred: Completion Code 2, Reason 2009
MQJE016: MQ queue manager closed channel immediately during connect
Closure reason = 2009
at com.ibm.mq.MQv6InternalCommunications.checkControlFlags(MQv6InternalCommunications.java:740)
at com.ibm.mq.MQv6InternalCommunications.establishChannel(MQv6InternalCommunications.java:656)
at com.ibm.mq.MQv6InternalCommunications.initialize(MQv6InternalCommunications.java:206)
at com.ibm.mq.MQv6InternalCommunications.<init>(MQv6InternalCommunications.java:102)
at com.ibm.mq.MQSESSIONClient.MQCONNX(MQSESSIONClient.java:1337)
at com.ibm.mq.MQSESSIONClient.MQCONN(MQSESSIONClient.java:1246)
at com.ibm.mq.MQManagedConnectionJ11.<init>(MQManagedConnectionJ11.java:184)
... 10 more

Can anyone help or suggest something?

0 answers:

No answers
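
An added example, not part of the original post: a Python helper that reduces a `javax.net.debug=ssl` trace in the IBMJSSE2 format shown in the question to the facts that matter when triaging a reason 2009: the offered and negotiated cipher suites, whether both Finished messages were logged, and whether the client answered the server's CertificateRequest with a certificate. The function name `summarize_handshake` and the embedded sample lines are constructed for illustration.

```python
import re

# Constructed sample in the IBMJSSE2 javax.net.debug=ssl format (not the full trace).
SAMPLE_LOG = """\
*** ClientHello, TLSv1
Cipher Suites: [SSL_RSA_WITH_3DES_EDE_CBC_SHA]
*** ServerHello, TLSv1
Cipher Suite: SSL_RSA_WITH_3DES_EDE_CBC_SHA
*** Certificate chain
chain [0] = [
]
***
*** CertificateRequest
*** ServerHelloDone
*** Certificate chain
***
*** ClientKeyExchange, RSA PreMasterSecret, TLSv1
*** Finished
*** Finished
main, READ: TLSv1 Application Data, length = 64
MQJE001: An MQException occurred: Completion Code 2, Reason 2009
"""


def summarize_handshake(log_text):
    """Hypothetical helper: extract handshake facts from a JSSE debug trace."""
    lines = [ln.strip() for ln in log_text.splitlines()]
    s = {"offered": [], "negotiated": None, "client_cert_requested": False,
         "client_cert_sent": None, "finished": 0, "app_data_read": False,
         "mq_reason": None}
    for i, line in enumerate(lines):
        if m := re.match(r"Cipher Suites: \[(.*)\]", line):
            s["offered"] = [c.strip() for c in m.group(1).split(",")]
        elif m := re.match(r"Cipher Suite: (\S+)", line):
            s["negotiated"] = m.group(1)
        elif line.startswith("*** CertificateRequest"):
            s["client_cert_requested"] = True
        elif line == "*** Certificate chain" and s["client_cert_requested"]:
            # The chain logged after the request is the client's own; it is
            # empty when the very next line is the closing "***".
            nxt = lines[i + 1] if i + 1 < len(lines) else ""
            s["client_cert_sent"] = nxt.startswith("chain [")
        elif line.startswith("*** Finished"):
            s["finished"] += 1
        elif re.match(r"\S+, READ: \S+ Application Data", line):
            s["app_data_read"] = True
        elif m := re.match(r"MQJE001: .*Reason (\d+)", line):
            s["mq_reason"] = int(m.group(1))
    # Both sides' Finished messages mean the TLS handshake itself succeeded.
    s["tls_completed"] = s["finished"] >= 2
    return s


if __name__ == "__main__":
    print(summarize_handshake(SAMPLE_LOG))
```

Run against the trace in the question, it reports a completed handshake on SSL_RSA_WITH_3DES_EDE_CBC_SHA, an empty client certificate chain after the CertificateRequest, and reason 2009 raised after application data had been read.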