I have configured SSL for the queue manager named "QMA" and the channel "QMACLCHL". I only set the certificate label and the CipherSpec name. For the queue manager I also set the key repository path (the default value). In that directory I generated the .kdb file and the stash file with the following commands:
cd /var/mqm/qmgrs/QMA/ssl
# create the key database and stash its password
runmqakm -keydb -create -db key.kdb -pw ********* -stash
# create a self-signed certificate for the queue manager
runmqakm -cert -create -db key.kdb -label certqma -stashed -size 2048 -sigalg SHA512WithRSA -dn CN=QMA
# extract the public certificate to an .arm file
runmqakm -cert -extract -db key.kdb -label certqma -file qma.arm -stashed
# add the extracted certificate back as a trusted CA certificate
runmqakm -cert -add -db key.kdb -label "QMA" -file /var/mqm/qmgrs/QMA/ssl/qma.arm -format ascii -stashed
Then I copied these files to another PC and tried to connect to the queue manager over SSL. My .NET code is as follows:
using System;
using System.Collections;
using IBM.WMQ;

MQQueueManager queueManager;

// connection properties for the managed .NET client
Hashtable properties = new Hashtable();
properties.Add(MQC.TRANSPORT_PROPERTY, MQC.TRANSPORT_MQSERIES_MANAGED);
// key repository and certificate store copied from the queue manager
properties.Add(MQC.MQCA_SSL_KEY_REPOSITORY, "E:\\workspace ttttt\\test_projects\\IBMMQ\\Receiver\\ssl\\key");
properties.Add(MQC.SSL_CERT_STORE_PROPERTY, "E:\\workspace ttttt\\test_projects\\IBMMQ\\Receiver\\ssl");
// CipherSpec (must match SSLCIPH on the server channel)
properties.Add(MQC.MQCACH_SSL_CIPHER_SUITE, "TLS_RSA_WITH_AES_128_CBC_SHA256");
properties.Add(MQC.SSL_CIPHER_SPEC_PROPERTY, "TLS_RSA_WITH_AES_128_CBC_SHA256");//TLS_RSA_WITH_AES_128_CBC_SHA
properties.Add(MQC.MQCACH_SSL_PEER_NAME, "net_client");
properties.Add(MQC.SSL_RESET_COUNT_PROPERTY, 400000);
properties.Add(MQC.USER_ID_PROPERTY, "mqm");
properties.Add(MQC.HOST_NAME_PROPERTY, "172.19.165.167");
properties.Add(MQC.CHANNEL_PROPERTY, "QMACLCHL");
properties.Add(MQC.CONNECTION_NAME_PROPERTY, "172.19.165.167(1414)");
// create connection
Console.Write("Connecting to queue manager.. ");
MQEnvironment.SSLCertRevocationCheck = false;
//MQEnvironment.SSLCipherSpec = "TLS_RSA_WITH_AES_128_CBC_SHA256";
MQEnvironment.CertificateLabel = "certqma";
queueManager = new MQQueueManager("QMA", properties);
I have also configured the environment variables for the client channel definition table (MQCHLLIB, MQCHLTAB). The code above produces the trace shown below and does not even attempt to connect:
Remote Address:172.19.165.167:1414
000001BC 19:37:21.374097 11208.4 Local Address:0.0.0.0:0
000001BD 19:37:21.374139 11208.4 Bind
000001BE 19:37:21.380208 11208.4 Bind returned 0.0.0.0:17040
000001BF 19:37:21.380256 11208.4 Connect
000001C0 19:37:21.382369 11208.4 Connect returned True
000001C1 19:37:21.383946 11208.4 TCP/IP LINGER disabled
000001C2 19:37:21.383997 11208.4 Using socket send buffer size 32768
000001C3 19:37:21.384409 11208.4 Using socket receive buffer size 32768
000001C4 19:37:21.384450 11208.4 -----------} MQTCPConnection.ConnectUsingLocalAddr(ParsedLocalAddr,IPAddress,int) rc=OK
000001C5 19:37:21.384959 11208.4 Constructing IBM.WMQ.Nmqi.MQEncryptedSocket#004CACA0 MQMBID sn=p912-L190313.DE su=_FGqKtkWOEemwVcDgaesw_A pn=basedotnet/nmqi/NmqiObject.cs
000001C6 19:37:21.384986 11208.4 Constructing IBM.WMQ.Nmqi.MQEncryptedSocket#004CACA0 MQMBID sn=p912-L190313.DE su=_FGqKtkWOEemwVcDgaesw_A pn=basedotnet/nmqi/MQEncryptedSocket_s.cs
000001C7 19:37:21.386449 11208.4 -----------{ MQEncryptedSocket.RetrieveAndValidateSSLParams(MQConnectOptions)
000001C8 19:37:21.387062 11208.4 IBM.WMQ.Nmqi.MQEncryptedSocket#004CACA0 throwing MQException: cc=2 rc=2381
000001C9 19:37:21.388522 11208.4 New MQException CompCode: 2 Reason: 2381
000001CA 19:37:21.399370 11208.4 -----------}! MQEncryptedSocket.RetrieveAndValidateSSLParams(MQConnectOptions) rc=(Unknown(2381))
000001CB 19:37:21.401318 11208.4 CompCode: 2, Reason: 2381
000001CC 19:37:21.401693 11208.4 New MQException CompCode: 2 Reason: 2538
000001CD 19:37:21.405884 11208.4 -----------{ ManagedCommonServices.GetMessage(string objectId,uint returncode,uint control,out string basicmessage,out string extendedmessage,out string replymessage,MQLONG basicLength,MQLONG
When I remove the MQC.SSL_CIPHER_SPEC_PROPERTY property, the application tries to connect to the server, but the server rejects the connection with the following error:
AMQ9639E: Remote channel 'QMACLCHL' did not specify a CipherSpec.
EXPLANATION:
Remote channel 'QMACLCHL' did not specify a CipherSpec when the local channel
expected one to be specified.
I don't understand what I am doing wrong. Please help me. Thank you.