MQ Advanced Message Security error: AMQ9021E

Time: 2019-03-27 21:50:09

Tags: ibm-mq

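I have a queue that is encrypted using the PRIVACY quality of protection. I configured the keystore and exchanged certificates between the source and the target, and the target is able to write securely to the source queue. The queue is on the source and is encrypted with the source's key. The target writes to the source using the source's public key.

When I try to add a second target writer, I follow the same steps. The source and target public keys are exchanged between the two nodes. When the new target tries to write to the queue, it receives the AMQ9021E error. It looks like the source cannot find the target CN. However, I can see the CN in the same KDB that is used for the first target, and I know it can find this certificate, because a NEW queue shared between source and target2 works fine.

I tried using REFRESH SECURITY TYPE(SSL) on the source so that it refreshes its cache and allows target 2 to read new messages. That still doesn't seem to work.

Does anyone know what I might be missing? From the logs: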

AMQ9021E: An error occured during the certificate import for the following DN:
CN=3a04d052-1e48-430b-8e2c-de8da6644ea0,O=IBM,C=US, result: 57
EXPLANATION:
The distinguished name is not present in the keystore or invalid. 
ACTION:
Consult the GSKit appendix in the Information Center for the explanation
of the GSKit reason code and take corrective action. If the problem persists, 
contact your IBM service representative.

AMQ9017E: IBM MQ security policy internal error: message could not be unprotected: GSKit
error code 851968, reason 62.
EXPLANATION:
The IBM MQ security policy interceptor could not verify or decrypt a message
because the indicated GSKit error occurred. This can happen for several
reasons, all of which are internal failures: (1) the message is not a valid
PKCS#7 message; (2) the sender's certificate does not have the required key
usage bit to be able to encrypt the message; (3) the sender's certificate was
not recognized as a trusted certificate; (4) receiver is not among the
recipients of the message
ACTION:
Consult the GSKit information in the Information Center for the explanation of
the GSKit reason code and take corrective action. If the problem persists,
contact your IBM service representative.

Policy definition:

[dsadm@kobe1 - Db2wh /]$ /opt/mqm/bin/dspmqspl -m IJPYQVAD_CQM
Policy Details:
Policy name: IJPYQVAD_ADMINQ
Quality of protection: PRIVACY
Signature algorithm: SHA256
Encryption algorithm: AES256
Signer DNs: -
Recipient DNs:
  CN=996804c4-2fa6-4625-a4fd-acb8ab698b7f,O=IBM,C=US
Key reuse count: 0
Toleration: 0
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

0 answers:

No answers
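
An added example, not part of the original post: a small check that pulls the DN named in the AMQ9021E entry and compares it with the Recipient DNs printed by `dspmqspl`, using the log and policy text quoted in the question as input. The function names and the DN comparison rule (trimmed RDNs, case-insensitive attribute type, no escaped commas) are assumptions made for this example.

```python
import re

# Input copied from the question (log entry and an excerpt of the dspmqspl output).
ERROR_LOG = """\
AMQ9021E: An error occured during the certificate import for the following DN:
CN=3a04d052-1e48-430b-8e2c-de8da6644ea0,O=IBM,C=US, result: 57
"""
POLICY_OUTPUT = """\
Policy Details:
Policy name: IJPYQVAD_ADMINQ
Quality of protection: PRIVACY
Signer DNs: -
Recipient DNs:
  CN=996804c4-2fa6-4625-a4fd-acb8ab698b7f,O=IBM,C=US
Key reuse count: 0
"""

def normalize_dn(dn):
    """Assumed rule: trim each RDN and upper-case its attribute type."""
    pairs = (rdn.strip().partition("=") for rdn in dn.split(","))
    return ",".join(f"{k.strip().upper()}={v.strip()}" for k, _, v in pairs)

def dns_from_amq9021e(log_text):
    """Return the DN on the line that follows each AMQ9021E header."""
    pattern = re.compile(r"AMQ9021E:.*\n\s*(.+?),\s*result:\s*\d+")
    return [normalize_dn(m.group(1)) for m in pattern.finditer(log_text)]

def recipient_dns(policy_text):
    """Return the indented DN lines listed under 'Recipient DNs:'."""
    dns, in_block = [], False
    for line in policy_text.splitlines():
        if line.startswith("Recipient DNs:"):
            in_block = True
        elif in_block and line[:1].isspace() and "=" in line:
            dns.append(normalize_dn(line))
        else:
            in_block = False  # any non-indented line ends the recipient list
    return dns

def dns_missing_from_policy(log_text, policy_text):
    """DNs reported by AMQ9021E that are not recipients in the given policy."""
    allowed = set(recipient_dns(policy_text))
    return [dn for dn in dns_from_amq9021e(log_text) if dn not in allowed]

if __name__ == "__main__":
    print("policy recipients:", recipient_dns(POLICY_OUTPUT))
    print("AMQ9021E DNs not in that policy:",
          dns_missing_from_policy(ERROR_LOG, POLICY_OUTPUT))
```

With the question's data the check returns the DN from the error, so the policy shown does not name that DN as a recipient. The same comparison can be run against the policy and keystore on the node that logged AMQ9021E.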