IBM MQ 8.0 - AMQ9503 Channel negotiation failed

Time: 2017-09-25 15:34:58

Tags: java ssl-certificate ibm-mq

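I am having a problem connecting from a Java client to IBM MQ 8.0 when SSL is enabled on the client channel (SVRCONN). The flow works fine when SSL is disabled on the channel (SSLAUTH set to OPTIONAL).

The client is Java with JRE 1.7. The MQ server version is IBM MQ 8.0.

Self-signed certificates were created and exchanged correctly, following the MQ setup reference.

The javax.net.debug=ssl option confirms in the logs that the certificate exchange and the SSL handshake succeed.

But when the Java client code tries to obtain the MQManager object, an MQ exception is thrown.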

com.ibm.mq.MQException: MQJE001: Completion code '2', reason '2059' ...

caused by: com.ibm.jmqi.JmqiException: CC=2;RC=2059;AMQ9204: Connection to host '1.2.3.4(1414)' rejected. [1=com.ibm.jmqi.JmqiException[CC=2;RC=2059;AMQ9503: Channel negotiation failed. [3=CHANNEL.SVRCONN.SSL]],3=1.2.3.4(1414), 5=RemoteConnection.analyseSegment] ...

caused by: com.ibm.jmqi.JmqiException: CC=2;RC=2059;AMQ9503: Channel negotiation failed. [3=CHANNEL.SVRCONN.SSL]

I have configured TLS_RSA_WITH_AES_256_CBC_SHA256 as the cipherspec on both the client and the MQ client channel (SVRCONN).
I tried other ciphers, such as TLS_RSA_WITH_AES_128_CBC_SHA, and the error stays the same.

MQ server error log has AMQ9665: SSL connection closed by remote end of channel '????'  

Explanation: The SSL or TLS connection was closed by the remote host '5.6.7.8' during the secure socket handshake. The channel is '????', in some cases its name can not be determined and so is shown as '????'. The channel didn't start.

ACTION: Check the remote end of for SSL and TLS errors. Fix them and restart the channel. 

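But on the remote side, I only have the Java client that uses the MQ libraries to connect to the MQ server.

[Images: SSLLog Page-4, SSLLog Page-5]

I could not get the data off the server, so I have added images of the last 2 pages of the SSL log.

The MQ server-side log has already been given above. Apart from that there is the default log AMQ9999: Channel '????' to host '1.2.3.4' ended abnormally. The same error is logged repeatedly. I did not find any other logs.

The MQ client code snippet is below.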

import com.ibm.mq.MQEnvironment;
import com.ibm.mq.MQException;
import com.ibm.mq.MQQueueManager;

void connect2MQ()
{
    MQEnvironment.hostname = "1.2.3.4";
    MQEnvironment.port = 1414;
    MQEnvironment.channel = "CLIENT.SVRCONN.SSL";
    if (SSLEnabled.equals("Y")) // It is set to 'Y' in main method
    {
        MQEnvironment.sslCipherSuite = "TLS_RSA_WITH_AES_128_CBC_SHA";
        // JSSE system property names are case-sensitive (trustStore, keyStore)
        System.setProperty("javax.net.ssl.trustStore", "trustStoreCertFilePath");
        System.setProperty("javax.net.ssl.keyStore", "keyStoreCertFilePath");
        System.setProperty("javax.net.ssl.trustStorePassword", "Pass");
        System.setProperty("javax.net.ssl.keyStorePassword", "Pass");
        System.setProperty("javax.net.ssl.trustStoreType", "JKS");
        System.setProperty("javax.net.ssl.keyStoreType", "JKS");
    }

    try {
        MQQueueManager qmgr = new MQQueueManager("QMGR.TEST.SSL"); // Exception is thrown from here
        // ...
    } catch (MQException e) {
        e.printStackTrace();
    }
}

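1 answer:

Answer 0 (score: 2)

It looks like you are hitting the problem described in APAR IT10837. This is fixed in the 8.0.0.5 and later MQ Classes for Java and MQ Classes for JMS client jar files; I would suggest moving to 8.0.0.7, which is the latest v8 version.

The error message does not match, but the fact that it works with SSLCAUTH(OPTIONAL) and not with SSLCAUTH(REQUIRED) does match running a version that does not have the fix.

Tom Leend's IBM developerWorks MQdev blog post titled "MQ Java, TLS Ciphers, Non-IBM JREs & APARs IT06775, IV66840, IT09423, IT10837 -- HELP ME PLEASE!" describes a workaround if you are not at an MQ level that has the fix.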

---- Code Snippet Start ----
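import java.security.KeyStore;
import javax.net.ssl.KeyManagerFactory;
import javax.net.ssl.SSLContext;
import javax.net.ssl.SSLSocketFactory;
import javax.net.ssl.TrustManagerFactory;
import com.ibm.mq.MQEnvironment;

// password_char_array: the key store / trust store password as a char[]
KeyStore keyStore = KeyStore.getInstance("JKS");
java.io.FileInputStream keyStoreInputStream = new java.io.FileInputStream("/home/tom/myKeyStore.jks");
keyStore.load(keyStoreInputStream, password_char_array);

KeyStore trustStore = KeyStore.getInstance("JKS");
java.io.FileInputStream trustStoreInputStream = new java.io.FileInputStream("/home/tom/myTrustStore.jks");
trustStore.load(trustStoreInputStream, password_char_array);

keyStoreInputStream.close();
trustStoreInputStream.close();

// The key manager supplies the client's personal certificate; the trust manager validates the queue manager's
KeyManagerFactory keyManagerFactory =
  KeyManagerFactory.getInstance(KeyManagerFactory.getDefaultAlgorithm());
TrustManagerFactory trustManagerFactory =
  TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
keyManagerFactory.init(keyStore, password_char_array);
trustManagerFactory.init(trustStore);

// The protocol name selects the context; TLS 1.2-only cipher suites
// (for example the *_SHA256 suites) need a TLS 1.2 capable context such as "TLSv1.2"
SSLContext sslContext = SSLContext.getInstance("TLSv1");
sslContext.init(keyManagerFactory.getKeyManagers(),
  trustManagerFactory.getTrustManagers(),
  null);
SSLSocketFactory sslSocketFactory = sslContext.getSocketFactory();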

// classes for JMS
//myJmsConnectionFactory.setObjectProperty(
//  WMQConstants.WMQ_SSL_SOCKET_FACTORY, sslSocketFactory);

// classes for Java
MQEnvironment.sslSocketFactory = sslSocketFactory;
---- Code Snippet End ----
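
A client-side pre-flight check for the setup discussed above, added here as an example and not taken from the original post, the blog, or IBM's code. It reports whether the JRE enables the two cipher suites named in the question for a given SSLContext protocol, and whether the key store holds a private-key entry the client could present when the channel uses SSLCAUTH(REQUIRED). The class and method names are hypothetical; the key store path and password are passed as arguments, and the output depends on the JRE and its security policy.

```java
import java.io.FileInputStream;
import java.io.InputStream;
import java.security.KeyStore;
import java.util.Arrays;
import java.util.Collections;
import javax.net.ssl.SSLContext;

// Hypothetical pre-flight check (names are illustrative, not part of the MQ API).
public class MqTlsPreflight {

    // True if the JRE enables `suite` by default for an SSLContext of `protocol`.
    static boolean suiteEnabled(String protocol, String suite) throws Exception {
        SSLContext ctx = SSLContext.getInstance(protocol);
        ctx.init(null, null, null); // default key/trust managers are enough for this query
        return Arrays.asList(ctx.getDefaultSSLParameters().getCipherSuites()).contains(suite);
    }

    // Number of private-key entries, i.e. identities the client could present
    // when the channel is defined with SSLCAUTH(REQUIRED).
    static int privateKeyEntries(KeyStore ks) throws Exception {
        int n = 0;
        for (String alias : Collections.list(ks.aliases())) {
            if (ks.isKeyEntry(alias)) n++;
        }
        return n;
    }

    public static void main(String[] args) throws Exception {
        String[] suites = {"TLS_RSA_WITH_AES_256_CBC_SHA256", "TLS_RSA_WITH_AES_128_CBC_SHA"};
        for (String protocol : new String[] {"TLSv1", "TLSv1.2"}) {
            for (String suite : suites) {
                System.out.printf("%-8s %-34s enabled=%b%n",
                        protocol, suite, suiteEnabled(protocol, suite));
            }
        }

        KeyStore ks = KeyStore.getInstance("JKS");
        if (args.length == 2) {            // args: <keystore path> <password>
            try (InputStream in = new FileInputStream(args[0])) {
                ks.load(in, args[1].toCharArray());
            }
        } else {
            ks.load(null, null);           // constructed empty key store for a dry run
        }
        int keys = privateKeyEntries(ks);
        System.out.println("private-key entries: " + keys);
        if (keys == 0) {
            System.out.println("no client certificate available for SSLCAUTH(REQUIRED)");
        }
    }
}
```

A trust store that contains only certificate entries is expected; it is the key store that must report at least one private-key entry for mutual authentication.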